From: Greg Kroah-Hartman Date: Mon, 15 Jun 2026 04:17:40 +0000 (+0200) Subject: 6.18-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=aad26c58f20f9605f97a635a28e18df08655748c;p=thirdparty%2Fkernel%2Fstable-queue.git 6.18-stable patches added patches: accel-ivpu-add-bounds-checks-for-firmware-log-indices.patch accel-ivpu-add-buffer-overflow-check-in-ms-get_info_ioctl.patch accel-ivpu-fix-signed-integer-truncation-in-ipc-receive.patch arm-do-not-select-have_rust-when-kasan-is-enabled.patch bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch hv_netvsc-use-kmap_local_page-in-netvsc_copy_to_send_buf.patch kvm-arm64-restore-por_el0-access-to-host-el0.patch kvm-don-t-warn-if-memory-is-dirtied-without-a-vcpu-when-the-vm-is-dying.patch kvm-sev-decouple-the-need-to-sync-the-ghcb-sa-from-the-need-to-free-the-sa.patch mm-memory-failure-fix-hugetlb_lock-aa-deadlock-in-get_huge_page_for_hwpoison.patch mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch mshv-add-a-missing-padding-field.patch netfilter-nft_meta_bridge-fix-stale-stack-leak-via-iifhwaddr-register.patch netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch rust-arm64-set-uwtable-llvm-module-flag-for-config_unwind_tables.patch rust-kasan-kbuild-fix-rustc-option-when-cross-compiling.patch rust-x86-support-rust-1.98.0-target-spec.patch soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_qcom_ice_get.patch tee-shm-fix-shm-leak-in-register_shm_helper.patch tracing-fix-cfi-violation-in-probestub-being-called-by-tprobes.patch tracing-probes-point-the-error-offset-correctly-for-eprobe-argument-error.patch --- diff --git a/queue-6.18/accel-ivpu-add-bounds-checks-for-firmware-log-indices.patch b/queue-6.18/accel-ivpu-add-bounds-checks-for-firmware-log-indices.patch new file mode 100644 index 0000000000..1c17aabef3 
--- /dev/null +++ b/queue-6.18/accel-ivpu-add-bounds-checks-for-firmware-log-indices.patch @@ -0,0 +1,42 @@ +From dd1311bcf0e62f0c515115f46a3813370f4a4bb1 Mon Sep 17 00:00:00 2001 +From: Andrzej Kacprowski +Date: Fri, 29 May 2026 13:58:42 +0200 +Subject: accel/ivpu: Add bounds checks for firmware log indices + +From: Andrzej Kacprowski + +commit dd1311bcf0e62f0c515115f46a3813370f4a4bb1 upstream. + +Add validation that read and write indices in the firmware log buffer +are within valid bounds (< data_size) before using them. If +out-of-bounds indices are encountered (from firmware), clamp them to +safe values instead of proceeding with invalid offsets. + +This prevents potential out-of-bounds buffer access when firmware +supplies invalid log indices. + +Fixes: 1fc1251149a7 ("accel/ivpu: Refactor functions in ivpu_fw_log.c") +Cc: stable@vger.kernel.org # v6.18+ +Signed-off-by: Andrzej Kacprowski +Reviewed-by: Karol Wachowski +Signed-off-by: Karol Wachowski +Link: https://patch.msgid.link/20260529115842.135378-1-andrzej.kacprowski@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/ivpu/ivpu_fw_log.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/accel/ivpu/ivpu_fw_log.c ++++ b/drivers/accel/ivpu/ivpu_fw_log.c +@@ -98,6 +98,11 @@ static void fw_log_print_buffer(struct v + u32 log_start = only_new_msgs ? READ_ONCE(log->read_index) : 0; + u32 log_end = READ_ONCE(log->write_index); + ++ if (log_start >= data_size) ++ log_start = 0; ++ if (log_end > data_size) ++ log_end = data_size; ++ + if (log->wrap_count == log->read_wrap_count) { + if (log_end <= log_start) { + drm_printf(p, "==== %s \"%s\" log empty ====\n", prefix, log->name); diff --git a/queue-6.18/accel-ivpu-add-buffer-overflow-check-in-ms-get_info_ioctl.patch b/queue-6.18/accel-ivpu-add-buffer-overflow-check-in-ms-get_info_ioctl.patch new file mode 100644 index 0000000000..c734c46969 --- /dev/null +++ b/queue-6.18/accel-ivpu-add-buffer-overflow-check-in-ms-get_info_ioctl.patch 
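Review bot: The two clamps silently repair firmware-supplied indices, so a misbehaving firmware that hands back an out-of-range `read_index`/`write_index` leaves no trace in the dump; emitting one line through the printer already in hand, e.g. `drm_printf(p, "==== %s \"%s\" log indices out of range, clamped ====\n", prefix, log->name);` inside the clamp branches, would make the condition visible to whoever reads the log. Resetting `log_start` to 0 while capping `log_end` at `data_size` is the right asymmetry for an exclusive end index, but a one-line comment saying so would save the next reader a moment. `data_size` is computed before the hunk; if it is itself taken from the firmware log header it needs the same treatment against the backing buffer size, which this hunk cannot show. fw_log_print_buffer starts and ends outside the hunk.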
@@ -0,0 +1,42 @@ +From fb176425837693f50c5c9fc8db6fbb04af22bd0a Mon Sep 17 00:00:00 2001 +From: Andrzej Kacprowski +Date: Fri, 29 May 2026 14:08:41 +0200 +Subject: accel/ivpu: Add buffer overflow check in MS get_info_ioctl + +From: Andrzej Kacprowski + +commit fb176425837693f50c5c9fc8db6fbb04af22bd0a upstream. + +Add validation that the info size returned from the metric stream info +query is not exceeded when checked against the allocated buffer size. +If the firmware returns a size larger than the buffer, reject the +operation with -EOVERFLOW instead of proceeding with an incorrect +buffer copy. + +Fixes: cdfad4db7756 ("accel/ivpu: Add NPU profiling support") +Cc: stable@vger.kernel.org # v6.18+ +Signed-off-by: Andrzej Kacprowski +Reviewed-by: Karol Wachowski +Signed-off-by: Karol Wachowski +Link: https://patch.msgid.link/20260529120841.135852-1-andrzej.kacprowski@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/ivpu/ivpu_ms.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/accel/ivpu/ivpu_ms.c ++++ b/drivers/accel/ivpu/ivpu_ms.c +@@ -282,6 +282,13 @@ int ivpu_ms_get_info_ioctl(struct drm_de + if (ret) + goto unlock; + ++ if (info_size > ivpu_bo_size(bo)) { ++ ivpu_warn_ratelimited(vdev, "MS info overflow: %#llx > %#zx\n", ++ info_size, ivpu_bo_size(bo)); ++ ret = -EOVERFLOW; ++ goto unlock; ++ } ++ + if (args->buffer_size < info_size) { + ret = -ENOSPC; + goto unlock; diff --git a/queue-6.18/accel-ivpu-fix-signed-integer-truncation-in-ipc-receive.patch b/queue-6.18/accel-ivpu-fix-signed-integer-truncation-in-ipc-receive.patch new file mode 100644 index 0000000000..0a9cc5515c --- /dev/null +++ b/queue-6.18/accel-ivpu-fix-signed-integer-truncation-in-ipc-receive.patch 
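Review bot: The new guard rejects a firmware-reported `info_size` larger than the BO, but nothing in the code says where `info_size` comes from or why this check must precede the user-facing `-ENOSPC` test; a comment above it, `/* info_size is reported by firmware and must not exceed the BO allocated for it */`, records that ordering. The `%#llx`/`%#zx` specifiers imply `info_size` is a `u64`, which is consistent with the later comparison against `args->buffer_size`, but the declaration is outside the hunk. ivpu_ms_get_info_ioctl starts and ends outside the hunk.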
@@ -0,0 +1,39 @@ +From d9faef564438d1e4579c692c046603e7ada7bdf4 Mon Sep 17 00:00:00 2001 +From: Andrzej Kacprowski +Date: Mon, 1 Jun 2026 18:16:43 +0200 +Subject: accel/ivpu: Fix signed integer truncation in IPC receive + +From: Andrzej Kacprowski + +commit d9faef564438d1e4579c692c046603e7ada7bdf4 upstream. + +Fix potential buffer overflow where firmware-supplied data_size is cast +to signed int before being used in min_t(). Large unsigned values +(>= 0x80000000) become negative, causing unsigned wraparound and +oversized memcpy operations that can overflow the stack buffer. + +Change min_t(int, ...) to min() as both values are unsigned and can be +handled by min() without explicit cast. + +Fixes: 3b434a3445ff ("accel/ivpu: Use threaded IRQ to handle JOB done messages") +Cc: stable@vger.kernel.org # v6.12+ +Signed-off-by: Andrzej Kacprowski +Reviewed-by: Karol Wachowski +Signed-off-by: Karol Wachowski +Link: https://patch.msgid.link/20260601161643.229342-1-andrzej.kacprowski@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/ivpu/ivpu_ipc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/accel/ivpu/ivpu_ipc.c ++++ b/drivers/accel/ivpu/ivpu_ipc.c +@@ -276,7 +276,7 @@ int ivpu_ipc_receive(struct ivpu_device + if (ipc_buf) + memcpy(ipc_buf, rx_msg->ipc_hdr, sizeof(*ipc_buf)); + if (rx_msg->jsm_msg) { +- u32 size = min_t(int, rx_msg->ipc_hdr->data_size, sizeof(*jsm_msg)); ++ u32 size = min(rx_msg->ipc_hdr->data_size, sizeof(*jsm_msg)); + + if (rx_msg->jsm_msg->result != VPU_JSM_STATUS_SUCCESS) { + ivpu_err(vdev, "IPC resp result error: %d\n", rx_msg->jsm_msg->result); diff --git a/queue-6.18/arm-do-not-select-have_rust-when-kasan-is-enabled.patch b/queue-6.18/arm-do-not-select-have_rust-when-kasan-is-enabled.patch new file mode 100644 index 0000000000..cc5298e385 --- /dev/null +++ b/queue-6.18/arm-do-not-select-have_rust-when-kasan-is-enabled.patch 
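Review bot: The corrected `min()` now bounds the firmware-supplied `data_size`, but nothing at the declaration records that the value is untrusted or why the bound is the local `jsm_msg` buffer; a comment on the line, `/* data_size is firmware-controlled; cap it at the local buffer so the memcpy below cannot overflow */`, would stop a later cleanup from reintroducing a signed `min_t`. The assignment of the `size_t` result to `u32 size` is safe because it never exceeds `sizeof(*jsm_msg)`. The `memcpy` that consumes `size` is outside the hunk, as is the rest of ivpu_ipc_receive.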
@@ -0,0 +1,44 @@ +From 84a0f7caafc679f763d3868635837e22bb89651a Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 11 May 2026 17:02:44 +0900 +Subject: ARM: Do not select HAVE_RUST when KASAN is enabled + +From: Nathan Chancellor + +commit 84a0f7caafc679f763d3868635837e22bb89651a upstream. + +When KASAN is enabled, such as with allmodconfig, the build fails when +building the Rust code with: + + error: kernel-address sanitizer is not supported for this target + + error: aborting due to 1 previous error + + make[4]: *** [rust/Makefile:654: rust/core.o] Error 1 + +The arm-unknown-linux-gnueabi target does not support KASAN, so avoid +saying Rust is supported when it is enabled. + +Cc: stable@vger.kernel.org +Fixes: ccb8ce526807 ("ARM: 9441/1: rust: Enable Rust support for ARMv7") +Link: https://github.com/Rust-for-Linux/linux/issues/1234 +Signed-off-by: Nathan Chancellor +Reviewed-by: Christian Schrefl +Link: https://patch.msgid.link/20260511-arm-avoid-rust-with-kasan-v1-1-24d55f4a900b@kernel.org +Signed-off-by: Miguel Ojeda +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/Kconfig ++++ b/arch/arm/Kconfig +@@ -134,7 +134,7 @@ config ARM + select MMU_GATHER_RCU_TABLE_FREE if SMP && ARM_LPAE + select HAVE_REGS_AND_STACK_ACCESS_API + select HAVE_RSEQ +- select HAVE_RUST if CPU_LITTLE_ENDIAN && CPU_32v7 ++ select HAVE_RUST if CPU_LITTLE_ENDIAN && CPU_32v7 && !KASAN + select HAVE_STACKPROTECTOR + select HAVE_SYSCALL_TRACEPOINTS + select HAVE_UID16 diff --git a/queue-6.18/bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch b/queue-6.18/bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch new file mode 100644 index 0000000000..5087061f82 --- /dev/null +++ b/queue-6.18/bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch 
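Review bot: The new `!KASAN` term carries no in-tree explanation, so the next person to touch the line cannot tell whether it is a toolchain limitation or a policy choice; a comment on the preceding line, `# rustc's arm-unknown-linux-gnueabi target has no KASAN support`, taken from the commit message, keeps the rationale with the code. The condition itself follows the `select ... if` convention of the neighbouring lines.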
@@ -0,0 +1,47 @@ +From 5c65b96b549ea2dcfde497436bf9e048deb87758 Mon Sep 17 00:00:00 2001 +From: Yuqi Xu +Date: Fri, 29 May 2026 16:54:23 +0800 +Subject: Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend + +From: Yuqi Xu + +commit 5c65b96b549ea2dcfde497436bf9e048deb87758 upstream. + +Existing advertising instances can already hold the maximum extended +advertising payload. When hci_adv_bcast_annoucement() prepends the +Broadcast Announcement service data to that payload, the combined data +may no longer fit in the temporary buffer used to rebuild the +advertising data. + +Reject that case before copying the existing payload and report the +failure through the device log. This keeps the existing advertising +data intact and avoids overrunning the temporary buffer. + +Fixes: 5725bc608252 ("Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Zhengchuan Liang +Reported-by: Xin Liu +Assisted-by: Codex:GPT-5.4 +Signed-off-by: Yuqi Xu +Signed-off-by: Ren Wei +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hci_sync.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -1725,6 +1725,11 @@ static int hci_adv_bcast_annoucement(str + /* Generate Broadcast ID */ + get_random_bytes(bid, sizeof(bid)); + len = eir_append_service_data(ad, 0, 0x1852, bid, sizeof(bid)); ++ if (adv->adv_data_len > sizeof(ad) - len) { ++ bt_dev_err(hdev, "No room for Broadcast Announcement"); ++ return -EINVAL; ++ } ++ + memcpy(ad + len, adv->adv_data, adv->adv_data_len); + hci_set_adv_instance_data(hdev, adv->instance, len + adv->adv_data_len, + ad, 0, NULL); diff --git a/queue-6.18/bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch b/queue-6.18/bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch new file mode 100644 index 0000000000..0de1e1ed9e --- /dev/null 
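Review bot: The new error path logs only a fixed string, so when a peer's advertising data is rejected the log does not show by how much it missed; including the sizes, `bt_dev_err(hdev, "No room for Broadcast Announcement (%u + %u > %zu)", len, adv->adv_data_len, sizeof(ad));`, makes the condition diagnosable (the `%u` specifiers assume `len` and `adv_data_len` are unsigned-int-sized; both declarations are outside the hunk). `-EINVAL` is also an odd code for a capacity problem; `-EMSGSIZE` or `-ENOSPC` describes it better, provided no caller keys on `-EINVAL`. hci_adv_bcast_annoucement starts and ends outside the hunk.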
+++ b/queue-6.18/bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch 
@@ -0,0 +1,128 @@ +From dd214733544427587a95f66dbf3adff072568990 Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Thu, 21 May 2026 10:45:17 -0400 +Subject: Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig + +From: Michael Bommarito + +commit dd214733544427587a95f66dbf3adff072568990 upstream. + +net/bluetooth/l2cap_core.c:l2cap_sig_channel() accepts BR/EDR +signaling packets up to the channel MTU and dispatches each command +without enforcing the signaling MTU (MTUsig). A Bluetooth BR/EDR peer +within radio range can send a fixed-channel CID 0x0001 packet that is +larger than MTUsig and contains many L2CAP_ECHO_REQ commands before +pairing. In a real-radio stock-kernel run, one 681-byte signaling +packet containing 168 zero-length ECHO_REQ commands made the target +transmit 168 ECHO_RSP frames over about 220 ms. + +Impact: a Bluetooth BR/EDR peer within radio range, before pairing, can +force 168 ECHO_RSP frames from one 681-byte fixed-channel signaling +packet containing packed ECHO_REQ commands. + +Define Linux's BR/EDR signaling MTU as the spec minimum of 48 bytes and +reject any larger signaling packet with one L2CAP_COMMAND_REJECT_RSP +carrying L2CAP_REJ_MTU_EXCEEDED before any command is dispatched. + +The Bluetooth Core spec wording for MTUExceeded says the reject +identifier shall match the first request command in the packet, and +that packets containing only responses shall be silently discarded. +Linux intentionally deviates from that prescription: silently +discarding desynchronizes the peer because the remote stack never +learns its responses were dropped, and locating the first request +command requires walking command headers past MTUsig, i.e. processing +bytes from a packet we have already decided is too large to process. +We therefore always emit one reject and use the identifier from the +first command header, a single fixed-offset byte read. 
+ +The unrestricted BR/EDR signaling parser and ECHO_REQ response path both +trace to the initial git import; no later introducing commit is +available for a Fixes tag. + +Cc: stable@vger.kernel.org +Suggested-by: Luiz Augusto von Dentz +Link: https://lore.kernel.org/r/20260518002800.1361430-1-michael.bommarito@gmail.com +Link: https://lore.kernel.org/r/20260520135034.1060859-1-michael.bommarito@gmail.com +Link: https://lore.kernel.org/r/20260521000555.3712030-1-michael.bommarito@gmail.com +Assisted-by: Claude:claude-opus-4-7 +Assisted-by: Codex:gpt-5-5-xhigh +Signed-off-by: Michael Bommarito +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + include/net/bluetooth/l2cap.h | 1 + net/bluetooth/l2cap_core.c | 46 ++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 47 insertions(+) + +--- a/include/net/bluetooth/l2cap.h ++++ b/include/net/bluetooth/l2cap.h +@@ -33,6 +33,7 @@ + /* L2CAP defaults */ + #define L2CAP_DEFAULT_MTU 672 + #define L2CAP_DEFAULT_MIN_MTU 48 ++#define L2CAP_SIG_MTU 48 /* BR/EDR signaling MTU */ + #define L2CAP_DEFAULT_FLUSH_TO 0xFFFF + #define L2CAP_EFS_DEFAULT_FLUSH_TO 0xFFFFFFFF + #define L2CAP_DEFAULT_TX_WINDOW 63 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -5651,6 +5651,15 @@ static inline void l2cap_sig_send_rej(st + l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej); + } + ++static inline void l2cap_sig_send_mtu_rej(struct l2cap_conn *conn, u8 ident) ++{ ++ struct l2cap_cmd_rej_mtu rej; ++ ++ rej.reason = cpu_to_le16(L2CAP_REJ_MTU_EXCEEDED); ++ rej.max_mtu = cpu_to_le16(L2CAP_SIG_MTU); ++ l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej); ++} ++ + static inline void l2cap_sig_channel(struct l2cap_conn *conn, + struct sk_buff *skb) + { +@@ -5663,6 +5672,43 @@ static inline void l2cap_sig_channel(str + if (hcon->type != ACL_LINK) + goto drop; + ++ /* ++ * Bluetooth Core v5.4, Vol 3, Part A, Section 4: the BR/EDR ++ * signaling channel has a fixed 
signaling MTU (MTUsig) whose ++ * minimum and default is 48 octets. Section 4.1 says that on ++ * an MTUExceeded command reject the identifier "shall match ++ * the first request command in the L2CAP packet" and that ++ * packets containing only response commands "shall be ++ * silently discarded". ++ * ++ * Linux intentionally deviates from that prescription: ++ * ++ * 1. Silently discarding desynchronizes the peer. The ++ * remote stack never learns its responses were dropped, ++ * so any state machine waiting on a paired response ++ * stalls until its own timer fires. ++ * ++ * 2. Locating "the first request command" requires walking ++ * command headers past MTUsig, i.e. processing bytes ++ * from a packet we have already decided is too large to ++ * process. ++ * ++ * Reject every over-MTUsig signaling packet with one ++ * L2CAP_REJ_MTU_EXCEEDED command reject. The reject's ++ * reason field is what tells the peer that the whole packet ++ * was discarded; the identifier value is informational, so ++ * we use the identifier from the first command header, a ++ * single fixed-offset byte read. ++ */ ++ if (skb->len > L2CAP_SIG_MTU) { ++ u8 ident = skb->data[1]; ++ ++ BT_DBG("signaling packet exceeds MTU: %u > %u", ++ skb->len, L2CAP_SIG_MTU); ++ l2cap_sig_send_mtu_rej(conn, ident); ++ goto drop; ++ } ++ + while (skb->len >= L2CAP_CMD_HDR_SIZE) { + u16 len; + diff --git a/queue-6.18/drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch b/queue-6.18/drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch new file mode 100644 index 0000000000..01e9149cf8 --- /dev/null +++ b/queue-6.18/drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch 
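Review bot: `u8 ident = skb->data[1];` reads a raw byte offset without saying why it is in bounds or what it is; the guarantee comes from `skb->len > L2CAP_SIG_MTU` with `L2CAP_SIG_MTU` well above `L2CAP_CMD_HDR_SIZE`, and the byte is the `ident` field of the first `struct l2cap_cmd_hdr`. Spelling it as `struct l2cap_cmd_hdr *cmd = (void *)skb->data;` and `u8 ident = cmd->ident;` ties the read to the header layout instead of a magic index, and a `BUILD_BUG_ON(L2CAP_SIG_MTU < L2CAP_CMD_HDR_SIZE);` next to the check would pin the assumption if the constant is ever changed. One reject per over-MTU packet from an unauthenticated peer is the intended one-for-one behaviour, so no additional rate limiting seems needed here. l2cap_sig_channel continues outside the hunk.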
@@ -0,0 +1,89 @@ +From d21ad938398bca695a511307de38a65889e3b354 Mon Sep 17 00:00:00 2001 +From: Joonas Lahtinen +Date: Wed, 10 Jun 2026 09:03:14 +0300 +Subject: drm/i915/gem: Fix phys BO pread/pwrite with offset + +From: Joonas Lahtinen + +commit d21ad938398bca695a511307de38a65889e3b354 upstream. + +sg_page() returns struct page pointer not (void *) so the scaling +of pread/pwrite is wrong for phys BO and wrong parts of BO would be +accessed if non-zero offset is used. + +Last impacted platform with overlay or cursor planes using phys +mapping was Gen3/945G/Lakeport. + +Reported-by: Matthew Wilcox (Oracle) +Fixes: c6790dc22312 ("drm/i915: Wean off drm_pci_alloc/drm_pci_free") +Cc: # v4.5+ +Cc: Tvrtko Ursulin +Cc: Simona Vetter +Cc: Jani Nikula +Cc: Rodrigo Vivi +Signed-off-by: Joonas Lahtinen +Reviewed-by: Tvrtko Ursulin +Link: https://patch.msgid.link/20260610060314.26111-1-joonas.lahtinen@linux.intel.com +(cherry picked from commit 3e49a2f85070b2fb672c1e0fdba281a4ea3aebe6) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gem/i915_gem_phys.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/i915/gem/i915_gem_phys.c ++++ b/drivers/gpu/drm/i915/gem/i915_gem_phys.c +@@ -17,6 +17,17 @@ + #include "i915_gem_tiling.h" + #include "i915_scatterlist.h" + ++/* Abuse scatterlist to store pointer instead of struct page. 
*/ ++static inline void __set_phys_vaddr(struct scatterlist *sg, void *vaddr) ++{ ++ sg_assign_page(sg, (struct page *)vaddr); ++} ++ ++static inline void *__get_phys_vaddr(struct scatterlist *sg) ++{ ++ return (void *)sg_page(sg); ++} ++ + static int i915_gem_object_get_pages_phys(struct drm_i915_gem_object *obj) + { + struct address_space *mapping = obj->base.filp->f_mapping; +@@ -57,7 +68,7 @@ static int i915_gem_object_get_pages_phy + sg->offset = 0; + sg->length = obj->base.size; + +- sg_assign_page(sg, (struct page *)vaddr); ++ __set_phys_vaddr(sg, vaddr); + sg_dma_address(sg) = dma; + sg_dma_len(sg) = obj->base.size; + +@@ -98,7 +109,7 @@ i915_gem_object_put_pages_phys(struct dr + struct sg_table *pages) + { + dma_addr_t dma = sg_dma_address(pages->sgl); +- void *vaddr = sg_page(pages->sgl); ++ void *vaddr = __get_phys_vaddr(pages->sgl); + + __i915_gem_object_release_shmem(obj, pages, false); + +@@ -138,7 +149,7 @@ i915_gem_object_put_pages_phys(struct dr + int i915_gem_object_pwrite_phys(struct drm_i915_gem_object *obj, + const struct drm_i915_gem_pwrite *args) + { +- void *vaddr = sg_page(obj->mm.pages->sgl) + args->offset; ++ void *vaddr = __get_phys_vaddr(obj->mm.pages->sgl) + args->offset; + char __user *user_data = u64_to_user_ptr(args->data_ptr); + struct drm_i915_private *i915 = to_i915(obj->base.dev); + int err; +@@ -169,7 +180,7 @@ int i915_gem_object_pwrite_phys(struct d + int i915_gem_object_pread_phys(struct drm_i915_gem_object *obj, + const struct drm_i915_gem_pread *args) + { +- void *vaddr = sg_page(obj->mm.pages->sgl) + args->offset; ++ void *vaddr = __get_phys_vaddr(obj->mm.pages->sgl) + args->offset; + char __user *user_data = u64_to_user_ptr(args->data_ptr); + int err; + diff --git a/queue-6.18/hv_netvsc-use-kmap_local_page-in-netvsc_copy_to_send_buf.patch b/queue-6.18/hv_netvsc-use-kmap_local_page-in-netvsc_copy_to_send_buf.patch new file mode 100644 index 0000000000..3c531c1a20 --- /dev/null 
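Review bot: The helpers make the smuggled-pointer trick explicit, but the pread/pwrite sites still add the user-supplied `args->offset` to the returned `void *` with no visible bound; the fix is only complete if `args->offset` and `args->size` were validated against `obj->base.size` by the ioctl caller, which is outside the hunk. A short comment at those two sites, `/* offset/size already bounds-checked against obj->base.size by the ioctl */`, would record that dependency; if the check is not there, this is exactly the path the scaling bug made reachable and it deserves one. The `__`-prefixed helper names follow the file's existing style. Both i915_gem_object_pwrite_phys and i915_gem_object_pread_phys continue outside the hunk.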
+++ b/queue-6.18/hv_netvsc-use-kmap_local_page-in-netvsc_copy_to_send_buf.patch 
@@ -0,0 +1,87 @@ +From 004e9ecfe6c5384f9e0b2f6f6389d42ec22789af Mon Sep 17 00:00:00 2001 +From: Anton Leontev +Date: Thu, 4 Jun 2026 19:59:38 +0300 +Subject: hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf + +From: Anton Leontev + +commit 004e9ecfe6c5384f9e0b2f6f6389d42ec22789af upstream. + +netvsc_copy_to_send_buf() copies page buffer entries into the VMBus +send buffer using phys_to_virt() on the entry PFN. Entries for the +RNDIS header and the skb linear data come from kmalloc'd memory and +are always in the kernel direct map, but entries for skb fragments +reference page cache or user pages, which on 32-bit x86 with +CONFIG_HIGHMEM=y can live above the LOWMEM boundary. For such a page +phys_to_virt() returns an address outside the direct map and the +subsequent memcpy() faults on the transmit softirq path, which is +fatal. + +Map the pages with kmap_local_page() instead, handling two properties +of the page buffer entries: + + - pb[i].pfn is a Hyper-V PFN at HV_HYP_PAGE_SIZE (4K) granularity, + not a native PFN. Reconstruct the physical address first and derive + the native page from it, so the mapping stays correct where + PAGE_SIZE > HV_HYP_PAGE_SIZE (e.g. arm64 with 64K pages). + + - Since commit 41a6328b2c55 ("hv_netvsc: Preserve contiguous PFN + grouping in the page buffer array"), an entry describes a full + physically contiguous fragment and pb[i].len can exceed PAGE_SIZE, + while kmap_local_page() maps a single page. Copy page by page, + splitting at native page boundaries. + +The copy path only handles packets smaller than the send section size +(6144 bytes by default); larger packets take the cp_partial path where +only the RNDIS header is copied. So entries here are bounded by the +section size and a copy is split at most once on 4K-page systems. On +!CONFIG_HIGHMEM configs kmap_local_page() folds to page_address() and +no mapping work is added. 
+ +Fixes: c25aaf814a63 ("hyperv: Enable sendbuf mechanism on the send path") +Cc: stable@vger.kernel.org +Signed-off-by: Anton Leontev +Link: https://patch.msgid.link/20260604165938.32033-1-leontyevantony@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/netvsc.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/drivers/net/hyperv/netvsc.c ++++ b/drivers/net/hyperv/netvsc.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -965,12 +966,22 @@ static void netvsc_copy_to_send_buf(stru + } + + for (i = 0; i < page_count; i++) { +- char *src = phys_to_virt(pb[i].pfn << HV_HYP_PAGE_SHIFT); +- u32 offset = pb[i].offset; ++ phys_addr_t paddr = (pb[i].pfn << HV_HYP_PAGE_SHIFT) + ++ pb[i].offset; + u32 len = pb[i].len; + +- memcpy(dest, (src + offset), len); +- dest += len; ++ while (len) { ++ struct page *page = phys_to_page(paddr); ++ u32 off = offset_in_page(paddr); ++ u32 chunk = min_t(u32, len, PAGE_SIZE - off); ++ char *src = kmap_local_page(page); ++ ++ memcpy(dest, src + off, chunk); ++ kunmap_local(src); ++ dest += chunk; ++ paddr += chunk; ++ len -= chunk; ++ } + } + + if (padding) diff --git a/queue-6.18/kvm-arm64-restore-por_el0-access-to-host-el0.patch b/queue-6.18/kvm-arm64-restore-por_el0-access-to-host-el0.patch new file mode 100644 index 0000000000..a357f31117 --- /dev/null +++ b/queue-6.18/kvm-arm64-restore-por_el0-access-to-host-el0.patch 
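Review bot: The per-page loop bounds each `memcpy` by the source page, but nothing in the hunk bounds the running total against the destination send section; the commit message says this path is only reached for packets below the section size, and that assumption belongs in the code, e.g. `/* caller guarantees the summed pb[i].len fits the send section (larger packets take cp_partial) */` above the `for`. The added `#include` line has lost its header name in this rendering, presumably `<linux/highmem.h>` for `kmap_local_page()`; worth confirming in the applied patch. `min_t(u32, len, PAGE_SIZE - off)` is correct since `off` is always below `PAGE_SIZE`. netvsc_copy_to_send_buf starts and ends outside the hunk.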
@@ -0,0 +1,35 @@ +From cbaffe843a942c0d3102e0f9bce0e72b029b2594 Mon Sep 17 00:00:00 2001 +From: Joey Gouly +Date: Thu, 4 Jun 2026 11:54:34 +0100 +Subject: KVM: arm64: Restore POR_EL0 access to host EL0 + +From: Joey Gouly + +commit cbaffe843a942c0d3102e0f9bce0e72b029b2594 upstream. + +CPTR_EL2.E0POE was being cleared in __deactivate_cptr_traps_vhe(), which meant +that any accesses to POR_EL0 from host EL0 would trap and be reported to +userspace as an Illegal instruction. This would happen after running any VM, +regardless if it used POE or not. + +Signed-off-by: Joey Gouly +Link: https://sashiko.dev/#/patchset/20260602155430.2088142-1-maz@kernel.org?part=1 +Link: https://patch.msgid.link/20260604105434.2297268-1-joey.gouly@arm.com +Signed-off-by: Marc Zyngier +Cc: stable@vger,kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/hyp/include/hyp/switch.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/kvm/hyp/include/hyp/switch.h ++++ b/arch/arm64/kvm/hyp/include/hyp/switch.h +@@ -183,6 +183,8 @@ static inline void __deactivate_cptr_tra + val |= CPACR_EL1_ZEN; + if (cpus_have_final_cap(ARM64_SME)) + val |= CPACR_EL1_SMEN; ++ if (cpus_have_final_cap(ARM64_HAS_S1POE)) ++ val |= CPACR_EL1_E0POE; + + write_sysreg(val, cpacr_el1); + } diff --git a/queue-6.18/kvm-don-t-warn-if-memory-is-dirtied-without-a-vcpu-when-the-vm-is-dying.patch b/queue-6.18/kvm-don-t-warn-if-memory-is-dirtied-without-a-vcpu-when-the-vm-is-dying.patch new file mode 100644 index 0000000000..3006f6867b --- /dev/null +++ b/queue-6.18/kvm-don-t-warn-if-memory-is-dirtied-without-a-vcpu-when-the-vm-is-dying.patch 
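Review bot: The new branch restores host-EL0 access to POR_EL0 but carries no comment, while the path that clears the bit lives elsewhere; `/* Re-enable POR_EL0 for host EL0: guest entry clears E0POE and nothing else restores it */` above the `if` would explain why it sits next to the ZEN/SMEN bits. Separately, the trailer `Cc: stable@vger,kernel.org` in this patch file has a comma in place of a dot, which may keep stable tooling from matching the address. __deactivate_cptr_traps_vhe starts outside the hunk.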
@@ -0,0 +1,63 @@ +From 8618004d3e897c0f1b71d9a9ab860461289bb89a Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 29 May 2026 20:35:39 +0200 +Subject: KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying + +From: Sean Christopherson + +commit 8618004d3e897c0f1b71d9a9ab860461289bb89a upstream. + +When marking a page dirty, complain about not having a running/loaded vCPU +if and only if the VM is still alive, i.e. its refcount is non-zero. This +will allow fixing a memory leak for x86 SEV-ES guests without hitting what +is effectively a false positive on the WARN. + +For some SEV-ES VM-Exits, KVM keeps a writable mapping of a guest page +across an exit to userspace, and typically unmaps the page on the next +KVM_RUN. But if userspace never calls KVM_RUN after such an exit, then KVM +needs to unmap the page when the vCPU is destroyed, which in turn triggers +the WARN about not having a running vCPU. + +Alternatively, SEV-ES could temporarily load the vCPU to suppress the WARN, +as is done in nested_vmx_free_vcpu() (but for completely unrelated reasons; +suppressing WARN from nested_put_vmcs12_pages() is pure happenstance). But +loading a vCPU during destruction is gross (ideally nVMX code would be +cleaned up), risks complicating the SEV-ES code (KVM would need to ensure +the temporarily load()+put() only runs when the vCPU isn't already loaded), +and is ultimately pointless. + +The motivation for the WARN is to guard against KVM dirtying guest memory +without pushing the corresponding GFN to the active vCPU's dirty ring, e.g. +to ensure userspace doesn't miss a dirty page. But for the VM's refcount +to reach zero, there can't be _any_ userspace mappings to the dirty ring, +as mapping the dirty ring requires doing mmap() on the vCPU FD. I.e. if +userspace had a valid mapping for the dirty ring, then the vCPU file and +thus the owning VM would still be alive. 
And so since userspace can't +possibly reach the dirty ring, whether or not KVM technically "misses" a +push to the dirty ring is irrelevant. + +Reported-by: Michael Roth +Cc: stable@vger.kernel.org +Reviewed-by: Michael Roth +Signed-off-by: Sean Christopherson +Message-ID: <20260501202250.2115252-15-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Message-ID: <20260529183549.1104619-15-pbonzini@redhat.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/kvm_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -3527,7 +3527,8 @@ void mark_page_dirty_in_slot(struct kvm + if (WARN_ON_ONCE(vcpu && vcpu->kvm != kvm)) + return; + +- WARN_ON_ONCE(!vcpu && !kvm_arch_allow_write_without_running_vcpu(kvm)); ++ WARN_ON_ONCE(!vcpu && refcount_read(&kvm->users_count) && ++ !kvm_arch_allow_write_without_running_vcpu(kvm)); + #endif + + if (memslot && kvm_slot_dirty_track_enabled(memslot)) { diff --git a/queue-6.18/kvm-sev-decouple-the-need-to-sync-the-ghcb-sa-from-the-need-to-free-the-sa.patch b/queue-6.18/kvm-sev-decouple-the-need-to-sync-the-ghcb-sa-from-the-need-to-free-the-sa.patch new file mode 100644 index 0000000000..936c7a93c4 --- /dev/null +++ b/queue-6.18/kvm-sev-decouple-the-need-to-sync-the-ghcb-sa-from-the-need-to-free-the-sa.patch 
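Review bot: The added `refcount_read(&kvm->users_count)` term changes what the WARN means, and the reasoning from the commit message — a VM at refcount zero has no remaining dirty-ring mappings, so a missed push is unobservable — is not in the code. A comment above the WARN, `/* Once users_count is zero no vCPU fd (and thus no dirty-ring mapping) can exist, so a missed dirty-ring push is harmless. */`, keeps that argument next to the check. Reading the refcount without holding a reference is racy in principle, but since the only effect is suppressing a diagnostic that is acceptable. mark_page_dirty_in_slot starts and ends outside the hunk.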
@@ -0,0 +1,79 @@ +From f041dc80de4abbdd0909d871bf64f3f87d2350ff Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 29 May 2026 20:35:41 +0200 +Subject: KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA + +From: Sean Christopherson + +commit f041dc80de4abbdd0909d871bf64f3f87d2350ff upstream. + +Decouple synchronizing the GHCB SA from freeing/unpinning the SA, so that +the free/unpin path can be reused when freeing a vCPU. + +Opportunistically add a WARN to harden KVM against stomping over (and thus +leaking) an already-allocated scratch area. + +Cc: stable@vger.kernel.org +Reviewed-by: Tom Lendacky +Reviewed-by: Michael Roth +Signed-off-by: Sean Christopherson +Message-ID: <20260501202250.2115252-17-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Message-ID: <20260529183549.1104619-17-pbonzini@redhat.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm/sev.c | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +--- a/arch/x86/kvm/svm/sev.c ++++ b/arch/x86/kvm/svm/sev.c +@@ -3540,20 +3540,17 @@ void sev_es_unmap_ghcb(struct vcpu_svm * + if (!svm->sev_es.ghcb) + return; + +- if (svm->sev_es.ghcb_sa_free) { +- /* +- * The scratch area lives outside the GHCB, so there is a +- * buffer that, depending on the operation performed, may +- * need to be synced, then freed. +- */ +- if (svm->sev_es.ghcb_sa_sync) { +- kvm_write_guest(svm->vcpu.kvm, +- svm->sev_es.sw_scratch, +- svm->sev_es.ghcb_sa, +- svm->sev_es.ghcb_sa_len); +- svm->sev_es.ghcb_sa_sync = false; +- } ++ /* ++ * If the scratch area lives outside the GHCB, there's a buffer that, ++ * depending on the operation performed, may need to be synced. 
++ */ ++ if (svm->sev_es.ghcb_sa_sync) { ++ kvm_write_guest(svm->vcpu.kvm, svm->sev_es.sw_scratch, ++ svm->sev_es.ghcb_sa, svm->sev_es.ghcb_sa_len); ++ svm->sev_es.ghcb_sa_sync = false; ++ } + ++ if (svm->sev_es.ghcb_sa_free) { + kvfree(svm->sev_es.ghcb_sa); + svm->sev_es.ghcb_sa = NULL; + svm->sev_es.ghcb_sa_free = false; +@@ -3633,6 +3630,8 @@ static int setup_vmgexit_scratch(struct + goto e_scratch; + } + ++ WARN_ON_ONCE(svm->sev_es.ghcb_sa_sync || svm->sev_es.ghcb_sa_free); ++ + if ((scratch_gpa_beg & PAGE_MASK) == control->ghcb_gpa) { + /* Scratch area begins within GHCB */ + ghcb_scratch_beg = control->ghcb_gpa + +@@ -3654,6 +3653,8 @@ static int setup_vmgexit_scratch(struct + scratch_va = (void *)svm->sev_es.ghcb; + scratch_va += (scratch_gpa_beg - control->ghcb_gpa); + ++ svm->sev_es.ghcb_sa_sync = false; ++ svm->sev_es.ghcb_sa_free = false; + svm->sev_es.ghcb_sa_len = ghcb_scratch_end - scratch_gpa_beg; + } else { + /* GHCB v2 requires the scratch area to be within the GHCB. */ diff --git a/queue-6.18/mm-memory-failure-fix-hugetlb_lock-aa-deadlock-in-get_huge_page_for_hwpoison.patch b/queue-6.18/mm-memory-failure-fix-hugetlb_lock-aa-deadlock-in-get_huge_page_for_hwpoison.patch new file mode 100644 index 0000000000..673c7eb0c7 --- /dev/null +++ b/queue-6.18/mm-memory-failure-fix-hugetlb_lock-aa-deadlock-in-get_huge_page_for_hwpoison.patch 
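Review bot: The `WARN_ON_ONCE` in setup_vmgexit_scratch only reports a stale scratch area; the in-GHCB branch then sets `ghcb_sa_free = false` without freeing `ghcb_sa`, so if the invariant is ever violated the earlier allocation is leaked as well as warned about. Freeing it at the same point, `if (svm->sev_es.ghcb_sa_free) { kvfree(svm->sev_es.ghcb_sa); svm->sev_es.ghcb_sa = NULL; }`, before the flags are reset would turn the WARN into a recovery point rather than a notice. In sev_es_unmap_ghcb the retained comment still opens with "If the scratch area lives outside the GHCB", but the condition below it now tests `ghcb_sa_sync` alone; rewording it to describe the sync flag would avoid misleading the reader. setup_vmgexit_scratch continues outside the hunk.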
@@ -0,0 +1,195 @@ +From 3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e Mon Sep 17 00:00:00 2001 +From: Wupeng Ma +Date: Fri, 22 May 2026 09:03:05 +0800 +Subject: mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison + +From: Wupeng Ma + +commit 3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e upstream. + +Two concurrent madvise(MADV_HWPOISON) calls on the same hugetlb page can +trigger a recursive spinlock self-deadlock (AA deadlock) on hugetlb_lock +when racing with a concurrent unmap: + + thread#0 thread#1 + -------- -------- + madvise(folio, MADV_HWPOISON) + -> poisons the folio successfully + madvise(folio, MADV_HWPOISON) unmap(folio) + try_memory_failure_hugetlb + get_huge_page_for_hwpoison + spin_lock_irq(&hugetlb_lock) <- held + __get_huge_page_for_hwpoison + hugetlb_update_hwpoison() + -> MF_HUGETLB_FOLIO_PRE_POISONED + goto out: + folio_put() + refcount: 1 -> 0 + free_huge_folio() + spin_lock_irqsave(&hugetlb_lock) + -> AA DEADLOCK! + +The out: path in __get_huge_page_for_hwpoison() calls folio_put() to drop +the GUP reference while the hugetlb_lock is still held by the hugetlb.c +wrapper get_huge_page_for_hwpoison(). If concurrent unmap has released +the page table mapping reference, folio_put() drops the folio refcount to +zero, triggering free_huge_folio() which attempts to re-acquire the +non-recursive hugetlb_lock. + +Fix this by moving hugetlb_lock acquisition from the hugetlb.c wrapper +into get_huge_page_for_hwpoison(). Place spin_unlock_irq() before the +folio_put() at the out: label so the folio is always released outside the +lock. 
+ +[akpm@linux-foundation.org: fix race, rename label per Miaohe] + Link: https://sashiko.dev/#/patchset/20260522010305.4099834-1-mawupeng1@huawei.com + Link: https://lore.kernel.org/f39f405e-4b4b-8f79-70fe-a2b5b62114eb@huawei.com +Link: https://lore.kernel.org/20260522010305.4099834-1-mawupeng1@huawei.com +Fixes: 405ce051236c ("mm/hwpoison: fix race between hugetlb free/demotion and memory_failure_hugetlb()") +Signed-off-by: Wupeng Ma +Acked-by: Oscar Salvador (SUSE) +Acked-by: Muchun Song +Reviewed-by: Kefeng Wang +Acked-by: Miaohe Lin +Cc: David Hildenbrand +Cc: Liam Howlett +Cc: Lorenzo Stoakes +Cc: Michal Hocko +Cc: Mike Rapoport +Cc: Naoya Horiguchi +Cc: Suren Baghdasaryan +Cc: Vlastimil Babka +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/hugetlb.h | 8 -------- + include/linux/mm.h | 8 -------- + mm/hugetlb.c | 11 ----------- + mm/memory-failure.c | 19 ++++++++++--------- + 4 files changed, 10 insertions(+), 36 deletions(-) + +--- a/include/linux/hugetlb.h ++++ b/include/linux/hugetlb.h +@@ -156,8 +156,6 @@ long hugetlb_unreserve_pages(struct inod + long freed); + bool folio_isolate_hugetlb(struct folio *folio, struct list_head *list); + int get_hwpoison_hugetlb_folio(struct folio *folio, bool *hugetlb, bool unpoison); +-int get_huge_page_for_hwpoison(unsigned long pfn, int flags, +- bool *migratable_cleared); + void folio_putback_hugetlb(struct folio *folio); + void move_hugetlb_state(struct folio *old_folio, struct folio *new_folio, int reason); + void hugetlb_fix_reserve_counts(struct inode *inode); +@@ -423,12 +421,6 @@ static inline int get_hwpoison_hugetlb_f + { + return 0; + } +- +-static inline int get_huge_page_for_hwpoison(unsigned long pfn, int flags, +- bool *migratable_cleared) +-{ +- return 0; +-} + + static inline void folio_putback_hugetlb(struct folio *folio) + { +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -4089,8 +4089,6 @@ extern int soft_offline_page(unsigned lo + */ + extern const 
struct attribute_group memory_failure_attr_group; + extern void memory_failure_queue(unsigned long pfn, int flags); +-extern int __get_huge_page_for_hwpoison(unsigned long pfn, int flags, +- bool *migratable_cleared); + void num_poisoned_pages_inc(unsigned long pfn); + void num_poisoned_pages_sub(unsigned long pfn, long i); + #else +@@ -4098,12 +4096,6 @@ static inline void memory_failure_queue( + { + } + +-static inline int __get_huge_page_for_hwpoison(unsigned long pfn, int flags, +- bool *migratable_cleared) +-{ +- return 0; +-} +- + static inline void num_poisoned_pages_inc(unsigned long pfn) + { + } +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -7838,17 +7838,6 @@ int get_hwpoison_hugetlb_folio(struct fo + return ret; + } + +-int get_huge_page_for_hwpoison(unsigned long pfn, int flags, +- bool *migratable_cleared) +-{ +- int ret; +- +- spin_lock_irq(&hugetlb_lock); +- ret = __get_huge_page_for_hwpoison(pfn, flags, migratable_cleared); +- spin_unlock_irq(&hugetlb_lock); +- return ret; +-} +- + /** + * folio_putback_hugetlb - unisolate a hugetlb folio + * @folio: the isolated hugetlb folio +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -1956,20 +1956,19 @@ void folio_clear_hugetlb_hwpoison(struct + folio_free_raw_hwp(folio, true); + } + +-/* +- * Called from hugetlb code with hugetlb_lock held. 
+- */ +-int __get_huge_page_for_hwpoison(unsigned long pfn, int flags, ++static int get_huge_page_for_hwpoison(unsigned long pfn, int flags, + bool *migratable_cleared) + { + struct page *page = pfn_to_page(pfn); +- struct folio *folio = page_folio(page); ++ struct folio *folio; + bool count_increased = false; + int ret, rc; + ++ spin_lock_irq(&hugetlb_lock); ++ folio = page_folio(page); + if (!folio_test_hugetlb(folio)) { + ret = MF_HUGETLB_NON_HUGEPAGE; +- goto out; ++ goto out_unlock; + } else if (flags & MF_COUNT_INCREASED) { + ret = MF_HUGETLB_IN_USED; + count_increased = true; +@@ -1985,13 +1984,13 @@ int __get_huge_page_for_hwpoison(unsigne + } else { + ret = MF_HUGETLB_RETRY; + if (!(flags & MF_NO_RETRY)) +- goto out; ++ goto out_unlock; + } + + rc = hugetlb_update_hwpoison(folio, page); + if (rc >= MF_HUGETLB_FOLIO_PRE_POISONED) { + ret = rc; +- goto out; ++ goto out_unlock; + } + + /* +@@ -2003,8 +2002,10 @@ int __get_huge_page_for_hwpoison(unsigne + *migratable_cleared = true; + } + ++ spin_unlock_irq(&hugetlb_lock); + return ret; +-out: ++out_unlock: ++ spin_unlock_irq(&hugetlb_lock); + if (count_increased) + folio_put(folio); + return ret; diff --git a/queue-6.18/mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch b/queue-6.18/mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch new file mode 100644 index 0000000000..a4ee529303 --- /dev/null +++ b/queue-6.18/mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch 
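Review bot: The removed header comment ("Called from hugetlb code with hugetlb_lock held") is not replaced even though the locking contract has flipped: get_huge_page_for_hwpoison() now takes hugetlb_lock itself and must drop it before the `folio_put()` at `out_unlock`, because the last put can reach free_huge_folio(), which re-acquires the lock (the AA deadlock this commit fixes). Suggest a short kernel-doc above the function stating that it acquires and releases hugetlb_lock internally and that callers must not hold it, plus a comment at the label, `/* Unlock first: the final folio_put() may free the folio and take hugetlb_lock again. */`, so nobody reorders those two statements. `page_folio(page)` is now evaluated under the lock, which is what keeps the following `folio_test_hugetlb()` check stable; a one-line comment would stop it being hoisted back above `spin_lock_irq()`. The function body runs past the hunks shown.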
@@ -0,0 +1,49 @@
+From b837e38c255dd9f8b53511d52e87f1fda32b3dfe Mon Sep 17 00:00:00 2001
+From: Inochi Amaoto
+Date: Thu, 21 May 2026 15:21:20 +0800
+Subject: mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation
+
+From: Inochi Amaoto
+
+commit b837e38c255dd9f8b53511d52e87f1fda32b3dfe upstream.
+
+The previous clock uses roundup_pow_of_two() to calculate the core
+clock frequency. It does not meet the actual hardware meaning.
+The actual frequency is calculated by "ref_clk / ((div >> 1) << 1)".
+
+Fix the clock divider calculation.
+
+Fixes: 92e099104729 ("mmc: Add driver for LiteX's LiteSDCard interface")
+Signed-off-by: Inochi Amaoto
+Reviewed-by: Gabriel Somlo
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/litex_mmc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/host/litex_mmc.c
++++ b/drivers/mmc/host/litex_mmc.c
+@@ -16,6 +16,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -436,11 +437,10 @@ static void litex_mmc_setclk(struct lite
+ struct device *dev = mmc_dev(host->mmc);
+ u32 div;
+
+- div = freq ? host->ref_clk / freq : 256U;
+- div = roundup_pow_of_two(div);
++ div = freq ? DIV_ROUND_UP(host->ref_clk, freq) : 256U;
+ div = clamp(div, 2U, 256U);
+ dev_dbg(dev, "sd_clk_freq=%d: set to %d via div=%d\n",
+- freq, host->ref_clk / div, div);
++ freq, host->ref_clk / ((div + 1) & ~1U), div);
+ litex_write16(host->sdphy + LITEX_PHY_CLOCKERDIV, div);
+ host->sd_clk = freq;
+ }
diff --git a/queue-6.18/mshv-add-a-missing-padding-field.patch b/queue-6.18/mshv-add-a-missing-padding-field.patch
new file mode 100644
index 0000000000..f8cdab78ad
--- /dev/null
+++ b/queue-6.18/mshv-add-a-missing-padding-field.patch
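Review bot: The new `dev_dbg()` line and the commit description disagree about how the hardware treats an odd divider: the debug message computes the effective clock with `(div + 1) & ~1U` (div rounded up to the next even value), while the description says the frequency is `ref_clk / ((div >> 1) << 1)` (rounded down), and only one of these can match the silicon. If the hardware truncates as described, an odd `div` produced by `DIV_ROUND_UP()` programs a card clock above the requested `freq`; in that case the value should be made even before it is written, `div = round_up(div, 2);` ahead of the clamp, after which the message can simply print `host->ref_clk / div`. Whichever is correct, the expression deserves a comment naming the hardware rounding it mirrors. The `%d` conversions for what appear to be u32 operands are pre-existing, but `%u` would match the types.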
@@ -0,0 +1,35 @@
+From 48fcc895403cc97aa6c776cb65e6aa11290c0b44 Mon Sep 17 00:00:00 2001
+From: Wei Liu
+Date: Thu, 23 Apr 2026 17:26:26 +0000
+Subject: mshv: add a missing padding field
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wei Liu
+
+commit 48fcc895403cc97aa6c776cb65e6aa11290c0b44 upstream.
+
+That was missed when importing the header.
+
+Reported-by: Doru Blânzeanu
+Reported-by: Magnus Kulke
+Fixes: e68bda71a2384 ("hyperv: Add new Hyper-V headers in include/hyperv")
+Cc: stable@kernel.org
+Reviewed-by: Easwar Hariharan
+Signed-off-by: Wei Liu
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/hyperv/hvhdk.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/hyperv/hvhdk.h
++++ b/include/hyperv/hvhdk.h
+@@ -72,6 +72,7 @@ struct hv_vp_register_page {
+
+ u64 registers[18];
+ };
++ u8 reserved[8];
+ /* Volatile XMM registers (HV_X64_REGISTER_CLASS_XMM) */
+ union {
+ struct {
diff --git a/queue-6.18/netfilter-nft_meta_bridge-fix-stale-stack-leak-via-iifhwaddr-register.patch b/queue-6.18/netfilter-nft_meta_bridge-fix-stale-stack-leak-via-iifhwaddr-register.patch
new file mode 100644
index 0000000000..3d37dbb3fc
--- /dev/null
+++ b/queue-6.18/netfilter-nft_meta_bridge-fix-stale-stack-leak-via-iifhwaddr-register.patch
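Review bot: The added `u8 reserved[8]` repairs the layout of `struct hv_vp_register_page` silently; nothing in the header pins the resulting offsets, so the next re-import of the hypervisor definitions could drop it again without any build failure. A `static_assert(offsetof(struct hv_vp_register_page, <XMM union member>) == <OFFSET_FROM_HYPERV_DEFINITION>)` or a `sizeof` check beside the struct, with the expected value taken from the Hyper-V interface definition, would turn that into a compile error. A comment on the field naming what it restores (presumably 16-byte alignment of the XMM class that follows — confirm against the hypervisor definition) would also help. The struct definition extends beyond the hunk.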
@@ -0,0 +1,45 @@
+From c7d573551f9286100a055ef696cde6af54549677 Mon Sep 17 00:00:00 2001
+From: Davide Ornaghi
+Date: Wed, 10 Jun 2026 12:39:13 +0200
+Subject: netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register
+
+From: Davide Ornaghi
+
+commit c7d573551f9286100a055ef696cde6af54549677 upstream.
+
+NFT_META_BRI_IIFHWADDR declares its destination register with
+len = ETH_ALEN (6 bytes), which the register-init tracking rounds up to
+two 32-bit registers (8 bytes). nft_meta_bridge_get_eval() then does
+memcpy(dest, br_dev->dev_addr, ETH_ALEN), writing only 6 bytes and
+leaving the upper 2 bytes of the second register as uninitialised
+nft_do_chain() stack. A downstream load of that register span leaks
+those stale bytes to userspace.
+
+Zero the second register before the memcpy so the full declared span is
+written.
+
+Fixes: cbd2257dc96e ("netfilter: nft_meta_bridge: introduce NFT_META_BRI_IIFHWADDR support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Davide Ornaghi
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bridge/netfilter/nft_meta_bridge.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/bridge/netfilter/nft_meta_bridge.c b/net/bridge/netfilter/nft_meta_bridge.c
+index 7763e78abb00..219c40680260 100644
+--- a/net/bridge/netfilter/nft_meta_bridge.c
++++ b/net/bridge/netfilter/nft_meta_bridge.c
+@@ -64,6 +64,8 @@ static void nft_meta_bridge_get_eval(const struct nft_expr *expr,
+ if (!br_dev)
+ goto err;
+
++ /* ETH_ALEN (6) is shorter than the destination register span (8) */
++ dest[1] = 0;
+ memcpy(dest, br_dev->dev_addr, ETH_ALEN);
+ return;
+ default:
+--
+2.54.0
+
diff --git a/queue-6.18/netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch b/queue-6.18/netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch
new file mode 100644
index 0000000000..fd21a774b3
--- /dev/null
+++ b/queue-6.18/netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch
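Review bot: `dest[1] = 0;` closes the leak but hard-codes the assumption that the 6-byte `ETH_ALEN` span rounds up to exactly two 32-bit registers; if `dest` is a `u32 *` as the indexing suggests, a `BUILD_BUG_ON(ETH_ALEN > 2 * sizeof(u32));` beside it would make that assumption checked rather than implicit. Zeroing the second word before the `memcpy()` is the right order, since the copy then overwrites the low bytes; the comment could additionally say why it matters — that the untouched bytes are otherwise nft_do_chain() stack that a later register load exposes to userspace — so the line is not removed as redundant. Any other meta getter whose declared `len` is not a multiple of four would have the same hazard and is worth auditing, though that is outside this hunk.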
@@ -0,0 +1,43 @@
+From c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a Mon Sep 17 00:00:00 2001
+From: Tristan Madani
+Date: Wed, 27 May 2026 13:57:50 +0000
+Subject: netfilter: nft_tunnel: fix use-after-free on object destroy
+
+From: Tristan Madani
+
+commit c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a upstream.
+
+nft_tunnel_obj_destroy() calls metadata_dst_free() which directly
+kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets
+that took a reference via dst_hold() in nft_tunnel_obj_eval() and
+are still queued (e.g. in a netem qdisc) are left with a dangling
+pointer. When these packets are eventually dequeued, dst_release()
+operates on freed memory.
+
+Replace metadata_dst_free() with dst_release() so the metadata_dst
+is freed only after all references are dropped. The dst subsystem
+already handles metadata_dst cleanup in dst_destroy() when
+DST_METADATA is set.
+
+Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tristan Madani
+Reviewed-by: Fernando Fernandez Mancera
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_tunnel.c
++++ b/net/netfilter/nft_tunnel.c
+@@ -702,7 +702,7 @@ static void nft_tunnel_obj_destroy(const
+ {
+ struct nft_tunnel_obj *priv = nft_obj_data(obj);
+
+- metadata_dst_free(priv->md);
++ dst_release(&priv->md->dst);
+ }
+
+ static struct nft_object_type nft_tunnel_obj_type;
diff --git a/queue-6.18/rust-arm64-set-uwtable-llvm-module-flag-for-config_unwind_tables.patch b/queue-6.18/rust-arm64-set-uwtable-llvm-module-flag-for-config_unwind_tables.patch
new file mode 100644
index 0000000000..08c89af28f
--- /dev/null
+++ b/queue-6.18/rust-arm64-set-uwtable-llvm-module-flag-for-config_unwind_tables.patch
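Review bot: The replacement `dst_release(&priv->md->dst)` carries no explanation in the code, so a later reader may well "simplify" it back to `metadata_dst_free()`, which is exactly the use-after-free being fixed here. Suggest a comment above the call: `/* In-flight packets may still hold a dst_hold() taken in nft_tunnel_obj_eval(); drop only our reference and let dst_destroy() free the metadata_dst after the last one. */`. Whether `priv->md` can be NULL when destroy runs is not visible in this hunk; presumably a failed obj_init never registers the object, in which case no guard is needed, but that is worth confirming.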
@@ -0,0 +1,67 @@ +From ac35b5580ace12e5d0a0b5e61e36d2c4e1ffa29c Mon Sep 17 00:00:00 2001 +From: Alice Ryhl +Date: Wed, 27 May 2026 18:18:07 +0000 +Subject: rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES + +From: Alice Ryhl + +commit ac35b5580ace12e5d0a0b5e61e36d2c4e1ffa29c upstream. + +Due to a rustc bug [1] the -Cforce-unwind-tables=y flag only emits the +uwtable annotation for functions, but not for the module. This means +that compiler-generated functions such as 'asan.module_ctor' do not +receive the uwtable annotation. + +When CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled, this leads to boot +failures because the dwarf information emitted for the kasan +constructors is wrong, which causes the SCS boot patching code to +patch the constructor in an illegal manner. Specifically, the paciasp +instruction is patched, but the autiasp instruction is not. This +mismatch leads to a crash when the constructor is called during boot. + + ================================================================== + BUG: KASAN: global-out-of-bounds in do_basic_setup+0x4c/0x90 + Read of size 8 at addr ffffffe3cc7eb488 by task swapper/0/1 + +Specifically the faulting instruction is the (*fn)() to invoke the +constructor in do_ctors() of the init/main.c file. + +Once the fix lands in rustc, this flag can be made conditional on the +rustc version. Note that passing the flag on a rustc with the fix +present has no effect. + +[ The fix [1] has landed for Rust 1.98.0 (expected release on + 2026-08-20). + + Thus add a version check as discussed. + + - Miguel ] + +Fixes: d077242d68a3 ("rust: support for shadow call stack sanitizer") +Cc: stable@kernel.org +Link: https://github.com/rust-lang/rust/pull/156973 [1] +Reported-by: Bo Ye +Debugged-by: Isaac Manjarres +Debugged-by: Sami Tolvanen +Tested-by: Isaac Manjarres +Signed-off-by: Alice Ryhl +Link: https://patch.msgid.link/20260527-uwtable-module-flag-v1-1-caa41342be4b@google.com +[ Adjusted link and comment. 
- Miguel ] +Signed-off-by: Miguel Ojeda +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/Makefile | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/arm64/Makefile ++++ b/arch/arm64/Makefile +@@ -63,6 +63,9 @@ else + KBUILD_CFLAGS += -fasynchronous-unwind-tables + KBUILD_AFLAGS += -fasynchronous-unwind-tables + KBUILD_RUSTFLAGS += -Cforce-unwind-tables=y -Zuse-sync-unwind=n ++# Work around rustc bug on compilers without ++# https://github.com/rust-lang/rust/pull/156973. ++KBUILD_RUSTFLAGS += $(if $(call rustc-min-version,109800),,-Zllvm_module_flag=uwtable:u32:2:max) + endif + + ifeq ($(CONFIG_STACKPROTECTOR_PER_TASK),y) diff --git a/queue-6.18/rust-kasan-kbuild-fix-rustc-option-when-cross-compiling.patch b/queue-6.18/rust-kasan-kbuild-fix-rustc-option-when-cross-compiling.patch new file mode 100644 index 0000000000..7a8a9d8383 --- /dev/null +++ b/queue-6.18/rust-kasan-kbuild-fix-rustc-option-when-cross-compiling.patch 
@@ -0,0 +1,121 @@ +From 4a44b17406cb5a93f90af3df9392b3a45eb336fb Mon Sep 17 00:00:00 2001 +From: Alice Ryhl +Date: Thu, 7 May 2026 11:14:42 +0000 +Subject: rust: kasan/kbuild: fix rustc-option when cross-compiling + +From: Alice Ryhl + +commit 4a44b17406cb5a93f90af3df9392b3a45eb336fb upstream. + +The Makefile version of rustc-option currently checks whether the option +exists for the host target instead of the target actually being compiled +for. It was done this way in commit 46e24a545cdb ("rust: kasan/kbuild: +fix missing flags on first build") to avoid a circular dependency on +target.json. However, because of this, rustc-option currently does not +function when cross-compiling from x86_64 to aarch64 if +CONFIG_SHADOW_CALL_STACK is enabled. This is because KBUILD_RUSTFLAGS +contains -Zfixed-x18 under this configuration. Since that flag does not +exist on the host target, rustc-option runs into a compilation failure +every time, leading to all flags being rejected as unsupported. + +To fix this, update rustc-option to pass a --target parameter so that +the host target is not used. For targets using target.json, use a +built-in target that is as close as possible to the target created with +target.json to avoid the circular dependency on target.json. + +One scenario where this causes a boot failure: +* Cross-compiled from x86_64 to aarch64. +* With CONFIG_SHADOW_CALL_STACK=y +* With CONFIG_KASAN_SW_TAGS=y +* With CONFIG_KASAN_INLINE=n +Then the resulting kernel image will fail to boot when it first calls +into Rust code with a crash along the lines of "Unable to handle kernel +paging request at virtual address 0ffffffc08541796". This is because the +call threshold is not specified, so rustc will inline kasan operations, +but the kasan shadow offset is not specified, which leads to the inlined +kasan instructions being incorrect. 
+ +Note that the -Zsanitizer=kernel-hwaddress parameter itself does not +lead to a rustc-option failure despite being aarch64-specific because +RUSTFLAGS_KASAN has not yet been added to KBUILD_RUSTFLAGS when +rustc-option is evaluated by the kasan Makefile. + +Cc: stable@vger.kernel.org +Fixes: 46e24a545cdb ("rust: kasan/kbuild: fix missing flags on first build") +Signed-off-by: Alice Ryhl +Link: https://patch.msgid.link/20260507-rustc-option-cross-v2-1-2f650a49c2b5@google.com +[ Edited slightly: + - Reset variable to avoid using the environment. + - Use a simply expanded variable flavor for simplicity. + - Export variable so that behavior in sub-`make`s is consistent. +Signed-off-by: Greg Kroah-Hartman + + This matches other variables. - Miguel ] +Signed-off-by: Miguel Ojeda +--- + Makefile | 3 ++- + arch/x86/Makefile | 4 ++++ + arch/x86/Makefile.um | 8 ++++++++ + scripts/Makefile.compiler | 2 +- + 4 files changed, 15 insertions(+), 2 deletions(-) + +--- a/Makefile ++++ b/Makefile +@@ -603,6 +603,7 @@ KBUILD_RUSTFLAGS := $(rust_common_flags) + -Crelocation-model=static \ + -Zfunction-sections=n \ + -Wclippy::float_arithmetic ++KBUILD_RUSTFLAGS_OPTION_CHKS := + + KBUILD_AFLAGS_KERNEL := + KBUILD_CFLAGS_KERNEL := +@@ -639,7 +640,7 @@ export KBUILD_USERCFLAGS KBUILD_USERLDFL + + export KBUILD_CPPFLAGS NOSTDINC_FLAGS LINUXINCLUDE OBJCOPYFLAGS KBUILD_LDFLAGS + export KBUILD_CFLAGS CFLAGS_KERNEL CFLAGS_MODULE +-export KBUILD_RUSTFLAGS RUSTFLAGS_KERNEL RUSTFLAGS_MODULE ++export KBUILD_RUSTFLAGS RUSTFLAGS_KERNEL RUSTFLAGS_MODULE KBUILD_RUSTFLAGS_OPTION_CHKS + export KBUILD_AFLAGS AFLAGS_KERNEL AFLAGS_MODULE + export KBUILD_AFLAGS_MODULE KBUILD_CFLAGS_MODULE KBUILD_RUSTFLAGS_MODULE KBUILD_LDFLAGS_MODULE + export KBUILD_AFLAGS_KERNEL KBUILD_CFLAGS_KERNEL KBUILD_RUSTFLAGS_KERNEL +--- a/arch/x86/Makefile ++++ b/arch/x86/Makefile +@@ -79,6 +79,10 @@ KBUILD_CFLAGS += -mno-sse -mno-mmx -mno- + KBUILD_RUSTFLAGS += --target=$(objtree)/scripts/target.json + KBUILD_RUSTFLAGS += 
-Ctarget-feature=-sse,-sse2,-sse3,-ssse3,-sse4.1,-sse4.2,-avx,-avx2 + ++# The target.json file is not available when invoking rustc-option, so use the ++# built-in target when checking whether flags are supported instead. ++KBUILD_RUSTFLAGS_OPTION_CHKS += --target=x86_64-unknown-none ++ + # + # CFLAGS for compiling floating point code inside the kernel. + # +--- a/arch/x86/Makefile.um ++++ b/arch/x86/Makefile.um +@@ -14,6 +14,14 @@ endif + + KBUILD_RUSTFLAGS += --target=$(objtree)/scripts/target.json + ++# The target.json file is not available when invoking rustc-option, so use the ++# built-in target when checking whether flags are supported instead. ++ifeq ($(CONFIG_X86_32),y) ++KBUILD_RUSTFLAGS_OPTION_CHKS += --target=i686-unknown-linux-gnu ++else ++KBUILD_RUSTFLAGS_OPTION_CHKS += --target=x86_64-unknown-linux-gnu ++endif ++ + ifeq ($(CONFIG_X86_32),y) + START := 0x8048000 + +--- a/scripts/Makefile.compiler ++++ b/scripts/Makefile.compiler +@@ -80,7 +80,7 @@ ld-option = $(call try-run, $(LD) $(KBUI + # TODO: remove RUSTC_BOOTSTRAP=1 when we raise the minimum GNU Make version to 4.4 + __rustc-option = $(call try-run,\ + echo '$(pound)![allow(missing_docs)]$(pound)![feature(no_core)]$(pound)![no_core]' | RUSTC_BOOTSTRAP=1\ +- $(1) --sysroot=/dev/null $(filter-out --sysroot=/dev/null --target=%,$(2)) $(3)\ ++ $(1) --sysroot=/dev/null $(KBUILD_RUSTFLAGS_OPTION_CHKS) $(filter-out --sysroot=/dev/null --target=%target.json,$(2)) $(3)\ + --crate-type=rlib --out-dir=$(TMPOUT) --emit=obj=- - >/dev/null,$(3),$(4)) + + # rustc-option diff --git a/queue-6.18/rust-x86-support-rust-1.98.0-target-spec.patch b/queue-6.18/rust-x86-support-rust-1.98.0-target-spec.patch new file mode 100644 index 0000000000..0c3e394059 --- /dev/null +++ b/queue-6.18/rust-x86-support-rust-1.98.0-target-spec.patch 
@@ -0,0 +1,59 @@ +From 905b06d32a52afe32fcf5f30cf298c9ea6359f11 Mon Sep 17 00:00:00 2001 +From: Miguel Ojeda +Date: Sat, 30 May 2026 13:49:25 +0200 +Subject: rust: x86: support Rust >= 1.98.0 target spec + +From: Miguel Ojeda + +commit 905b06d32a52afe32fcf5f30cf298c9ea6359f11 upstream. + +Starting with Rust 1.98.0 (expected 2026-08-20), the target spec will not +support `x86-softfloat` anymore [1]. Instead, `softfloat` should be used, +which is an alias. Otherwise, one gets: + + error: error loading target specification: rustc-abi: invalid rustc abi: 'x86-softfloat'. allowed values: 'x86-sse2', 'softfloat' at line 3 column 32 + | + = help: run `rustc --print target-list` for a list of built-in targets + +Thus conditionally use one or the other depending on the version. + +The alias has existed since Rust 1.95.0 (released 2026-04-16) [2], but +use the newer version instead to avoid changing how the build works for +existing compilers, at least until more testing takes place. + +Cc: Ralf Jung +Cc: stable@vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs). 
+Link: https://github.com/rust-lang/rust/pull/157151 [1] +Link: https://github.com/rust-lang/rust/pull/151154 [2] +Reviewed-by: Alice Ryhl +Link: https://patch.msgid.link/20260530114925.260754-1-ojeda@kernel.org +Signed-off-by: Miguel Ojeda +Signed-off-by: Greg Kroah-Hartman +--- + scripts/generate_rust_target.rs | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/scripts/generate_rust_target.rs ++++ b/scripts/generate_rust_target.rs +@@ -196,7 +196,9 @@ fn main() { + } + } else if cfg.has("X86_64") { + ts.push("arch", "x86_64"); +- if cfg.rustc_version_atleast(1, 86, 0) { ++ if cfg.rustc_version_atleast(1, 98, 0) { ++ ts.push("rustc-abi", "softfloat"); ++ } else if cfg.rustc_version_atleast(1, 86, 0) { + ts.push("rustc-abi", "x86-softfloat"); + } + ts.push( +@@ -236,7 +238,9 @@ fn main() { + panic!("32-bit x86 only works under UML"); + } + ts.push("arch", "x86"); +- if cfg.rustc_version_atleast(1, 86, 0) { ++ if cfg.rustc_version_atleast(1, 98, 0) { ++ ts.push("rustc-abi", "softfloat"); ++ } else if cfg.rustc_version_atleast(1, 86, 0) { + ts.push("rustc-abi", "x86-softfloat"); + } + ts.push( diff --git a/queue-6.18/series b/queue-6.18/series index fa432a9868..d28608b4b2 100644 --- a/queue-6.18/series +++ b/queue-6.18/series 
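Review bot: The same version ladder (`rustc_version_atleast(1, 98, 0)` → `softfloat`, else `rustc_version_atleast(1, 86, 0)` → `x86-softfloat`) is now duplicated in the X86_64 branch and the 32-bit x86 branch of `main()`, so the next rustc ABI rename has to be applied in two places. A small helper taking the target-spec builder and the config and pushing the `rustc-abi` entry, called from both branches, would keep them in lock-step. A one-line comment in that helper recording why `softfloat` is selected only from 1.98.0 although the alias has existed since 1.95.0 (to avoid changing the build for existing compilers, as the commit message explains) would preserve the rationale in the code. `main()` continues outside the hunks.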
@@ -144,3 +144,26 @@ drm-virtio-fix-driver-removal-with-disabled-kms.patch
 drm-vc4-fix-krealloc-memory-leak.patch
 drm-xe-fix-refcount-leak-in-xe_range_fence_insert.patch
 accel-amdxdna-fix-mm_struct-reference-leak-in-aie2_p.patch
+netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch
+netfilter-nft_meta_bridge-fix-stale-stack-leak-via-iifhwaddr-register.patch
+tee-shm-fix-shm-leak-in-register_shm_helper.patch
+bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch
+bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch
+soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_qcom_ice_get.patch
+mm-memory-failure-fix-hugetlb_lock-aa-deadlock-in-get_huge_page_for_hwpoison.patch
+accel-ivpu-add-bounds-checks-for-firmware-log-indices.patch
+accel-ivpu-add-buffer-overflow-check-in-ms-get_info_ioctl.patch
+accel-ivpu-fix-signed-integer-truncation-in-ipc-receive.patch
+tracing-fix-cfi-violation-in-probestub-being-called-by-tprobes.patch
+tracing-probes-point-the-error-offset-correctly-for-eprobe-argument-error.patch
+rust-x86-support-rust-1.98.0-target-spec.patch
+arm-do-not-select-have_rust-when-kasan-is-enabled.patch
+rust-arm64-set-uwtable-llvm-module-flag-for-config_unwind_tables.patch
+rust-kasan-kbuild-fix-rustc-option-when-cross-compiling.patch
+mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch
+mshv-add-a-missing-padding-field.patch
+kvm-don-t-warn-if-memory-is-dirtied-without-a-vcpu-when-the-vm-is-dying.patch
+kvm-sev-decouple-the-need-to-sync-the-ghcb-sa-from-the-need-to-free-the-sa.patch
+kvm-arm64-restore-por_el0-access-to-host-el0.patch
+drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch
+hv_netvsc-use-kmap_local_page-in-netvsc_copy_to_send_buf.patch
diff --git a/queue-6.18/soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_qcom_ice_get.patch b/queue-6.18/soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_qcom_ice_get.patch
new file mode 100644
index 0000000000..5a4cf3b6b6
--- /dev/null
+++ b/queue-6.18/soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_qcom_ice_get.patch 
@@ -0,0 +1,150 @@ +From d922113ef91e6e7e8065e9070f349365341ba32e Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Mon, 18 May 2026 19:22:17 +0530 +Subject: soc: qcom: ice: Fix race between qcom_ice_probe() and of_qcom_ice_get() + +From: Manivannan Sadhasivam + +commit d922113ef91e6e7e8065e9070f349365341ba32e upstream. + +The current platform driver design causes probe ordering races with +consumers (UFS, eMMC) due to ICE's dependency on SCM firmware calls. If ICE +probe fails (missing ICE SCM or DT registers), devm_of_qcom_ice_get() loops +with -EPROBE_DEFER, leaving consumers non-functional even when ICE should +be gracefully disabled. devm_of_qcom_ice_get() doesn't know if the ICE +driver probe has failed due to above reasons or it is waiting for the SCM +driver. + +Moreover, there is no devlink dependency between ICE and consumer drivers +as 'qcom,ice' is not considered as a DT 'supplier'. So the consumer drivers +have no idea of when the ICE driver is going to probe. + +To address these issues, store the error pointer in a global xarray with +ice node phandle as a key during probe in addition to the valid ice pointer +and synchronize both qcom_ice_probe() and of_qcom_ice_get() using a mutex. + +If the xarray entry is NULL, then it implies that the driver is not +probed yet, so return -EPROBE_DEFER. If it has any error pointer, return +that error pointer directly. Otherwise, add the devlink as usual and return +the valid pointer to the consumer. + +Xarray is used instead of platform drvdata, since driver core frees the +drvdata during probe failure. So it cannot be used to pass the error +pointer to the consumers. + +Note that this change only fixes the standalone ICE DT node bindings and +not the ones with 'ice' range embedded in the consumer nodes, where there +is no issue. 
+ +Fixes: 2afbf43a4aec ("soc: qcom: Make the Qualcomm UFS/SDCC ICE a dedicated driver") +Reported-by: Sumit Garg +Tested-by: Sumit Garg # OP-TEE as TZ +Acked-by: Sumit Garg +Cc: stable@vger.kernel.org # 6.4 +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20260518-qcom-ice-fix-v7-1-2a595382185b@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/qcom/ice.c | 38 +++++++++++++++++++++++++++++++------- + 1 file changed, 31 insertions(+), 7 deletions(-) + +--- a/drivers/soc/qcom/ice.c ++++ b/drivers/soc/qcom/ice.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + + #include + +@@ -100,6 +101,9 @@ struct qcom_ice { + bool hwkm_init_complete; + }; + ++static DEFINE_XARRAY(ice_handles); ++static DEFINE_MUTEX(ice_mutex); ++ + static bool qcom_ice_check_supported(struct qcom_ice *ice) + { + u32 regval = qcom_ice_readl(ice, QCOM_ICE_REG_VERSION); +@@ -609,6 +613,8 @@ static struct qcom_ice *of_qcom_ice_get( + return qcom_ice_create(&pdev->dev, base); + } + ++ guard(mutex)(&ice_mutex); ++ + /* + * If the consumer node does not provider an 'ice' reg range + * (legacy DT binding), then it must at least provide a phandle +@@ -625,12 +631,13 @@ static struct qcom_ice *of_qcom_ice_get( + return ERR_PTR(-ENODEV); + } + +- ice = platform_get_drvdata(pdev); +- if (!ice) { +- dev_err(dev, "Cannot get ice instance from %s\n", +- dev_name(&pdev->dev)); ++ ice = xa_load(&ice_handles, pdev->dev.of_node->phandle); ++ if (IS_ERR_OR_NULL(ice)) { + platform_device_put(pdev); +- return ERR_PTR(-EPROBE_DEFER); ++ if (!ice) ++ return ERR_PTR(-EPROBE_DEFER); ++ else ++ return ice; + } + + link = device_link_add(dev, &pdev->dev, DL_FLAG_AUTOREMOVE_SUPPLIER); +@@ -694,24 +701,40 @@ EXPORT_SYMBOL_GPL(devm_of_qcom_ice_get); + + static int qcom_ice_probe(struct platform_device *pdev) + { ++ unsigned long phandle = pdev->dev.of_node->phandle; + struct qcom_ice *engine; + void __iomem *base; + ++ 
guard(mutex)(&ice_mutex); ++ + base = devm_platform_ioremap_resource(pdev, 0); + if (IS_ERR(base)) { + dev_warn(&pdev->dev, "ICE registers not found\n"); ++ /* Store the error pointer for devm_of_qcom_ice_get() */ ++ xa_store(&ice_handles, phandle, (__force void *)base, GFP_KERNEL); + return PTR_ERR(base); + } + + engine = qcom_ice_create(&pdev->dev, base); +- if (IS_ERR(engine)) ++ if (IS_ERR(engine)) { ++ /* Store the error pointer for devm_of_qcom_ice_get() */ ++ xa_store(&ice_handles, phandle, engine, GFP_KERNEL); + return PTR_ERR(engine); ++ } + +- platform_set_drvdata(pdev, engine); ++ xa_store(&ice_handles, phandle, engine, GFP_KERNEL); + + return 0; + } + ++static void qcom_ice_remove(struct platform_device *pdev) ++{ ++ unsigned long phandle = pdev->dev.of_node->phandle; ++ ++ guard(mutex)(&ice_mutex); ++ xa_store(&ice_handles, phandle, NULL, GFP_KERNEL); ++} ++ + static const struct of_device_id qcom_ice_of_match_table[] = { + { .compatible = "qcom,inline-crypto-engine" }, + { }, +@@ -720,6 +743,7 @@ MODULE_DEVICE_TABLE(of, qcom_ice_of_matc + + static struct platform_driver qcom_ice_driver = { + .probe = qcom_ice_probe, ++ .remove = qcom_ice_remove, + .driver = { + .name = "qcom-ice", + .of_match_table = qcom_ice_of_match_table, diff --git a/queue-6.18/tee-shm-fix-shm-leak-in-register_shm_helper.patch b/queue-6.18/tee-shm-fix-shm-leak-in-register_shm_helper.patch new file mode 100644 index 0000000000..b3fbe7f981 --- /dev/null +++ b/queue-6.18/tee-shm-fix-shm-leak-in-register_shm_helper.patch 
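Review bot: Every `xa_store()` in qcom_ice_probe() and qcom_ice_remove() discards its return value, yet a `GFP_KERNEL` store can fail and returns an `xa_err()`-encoded pointer; on the success path that leaves no entry at all, so consumers keep looping on `-EPROBE_DEFER` although the engine exists, and on the two error paths the stored error pointer is silently lost and consumers again defer forever. On the success path check it, `ret = xa_err(xa_store(&ice_handles, phandle, engine, GFP_KERNEL)); if (ret) return ret;` (releasing whatever qcom_ice_create() allocated if that is not devm-managed — not visible here), and for the error paths either `xa_reserve()` the slot before the work that can fail or add a comment that the store is best-effort. In of_qcom_ice_get() the `else` after `return ERR_PTR(-EPROBE_DEFER);` is redundant and can be dropped. Both functions extend beyond the hunks.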
@@ -0,0 +1,40 @@
+From 26682f5efc276e3ad96d102019472bfbf03833b2 Mon Sep 17 00:00:00 2001
+From: Georgiy Osokin
+Date: Wed, 8 Apr 2026 18:52:03 +0300
+Subject: tee: shm: fix shm leak in register_shm_helper()
+
+From: Georgiy Osokin
+
+commit 26682f5efc276e3ad96d102019472bfbf03833b2 upstream.
+
+register_shm_helper() allocates shm before calling
+iov_iter_npages(). If iov_iter_npages() returns 0, the function
+jumps to err_ctx_put and leaks shm.
+
+This can be triggered by TEE_IOC_SHM_REGISTER with
+struct tee_ioctl_shm_register_data where length is 0.
+
+Jump to err_free_shm instead.
+
+Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration")
+Cc: stable@vger.kernel.org
+Cc: lvc-project@linuxtesting.org
+Signed-off-by: Georgiy Osokin
+Reviewed-by: Sumit Garg
+Signed-off-by: Jens Wiklander
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tee/tee_shm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tee/tee_shm.c
++++ b/drivers/tee/tee_shm.c
+@@ -435,7 +435,7 @@ register_shm_helper(struct tee_context *
+ num_pages = iov_iter_npages(iter, INT_MAX);
+ if (!num_pages) {
+ ret = ERR_PTR(-ENOMEM);
+- goto err_ctx_put;
++ goto err_free_shm;
+ }
+
+ shm->pages = kcalloc(num_pages, sizeof(*shm->pages), GFP_KERNEL);
diff --git a/queue-6.18/tracing-fix-cfi-violation-in-probestub-being-called-by-tprobes.patch b/queue-6.18/tracing-fix-cfi-violation-in-probestub-being-called-by-tprobes.patch
new file mode 100644
index 0000000000..174549e412
--- /dev/null
+++ b/queue-6.18/tracing-fix-cfi-violation-in-probestub-being-called-by-tprobes.patch
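Review bot: The `-ENOMEM` returned when `iov_iter_npages()` yields zero is misleading now that the path no longer leaks: the commit message shows it is reached by a userspace `TEE_IOC_SHM_REGISTER` with `length == 0`, which is an invalid argument rather than an allocation failure. Switching to `-EINVAL` would be a UAPI-visible change for the maintainers to decide, so at minimum a comment above the check, `/* Zero-length registration (e.g. length == 0 from userspace): nothing to pin */`, would stop the next reader from hunting for a missing allocation. register_shm_helper() continues outside the hunk.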
@@ -0,0 +1,58 @@
+From 0652a3daa78723f955b1ebeb621665ce72bec53e Mon Sep 17 00:00:00 2001
+From: Eva Kurchatova
+Date: Wed, 3 Jun 2026 18:31:42 +0300
+Subject: tracing: Fix CFI violation in probestub being called by tprobes
+
+From: Eva Kurchatova
+
+commit 0652a3daa78723f955b1ebeb621665ce72bec53e upstream.
+
+The probestub is a function to allow tprobes to hook to a tracepoint to
+gain access to its parameters. The function itself is only referenced by
+the tracepoint structure which lives in the __tracepoint section. objtool
+explicitly ignores that section and when processing functions in the
+kernel, if it detects one that has no references it will seal it to have
+its ENDBR stripped on boot up.
+
+This means when a tprobe is attached to the sched_wakeup tracepoint, when it
+is triggered it will call __probestub_sched_wakeup and due to the missing
+ENDBR on a CFI-enabled machine it will take a #CP exception.
+
+Fix this by adding CFI_NOSEAL annotation to probestub declaration.
+
+Cc: stable@vger.kernel.org
+Acked-by: Masami Hiramatsu (Google)
+Link: https://patch.msgid.link/20260603153147.573589-1-eva.kurchatova@virtuozzo.com
+Fixes: d5173f753750 ("objtool: Exclude __tracepoints data from ENDBR checks")
+Signed-off-by: Eva Kurchatova
+[ Updated change log ]
+Signed-off-by: Steven Rostedt
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/tracepoint.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/include/linux/tracepoint.h
++++ b/include/linux/tracepoint.h
+@@ -20,6 +20,7 @@
+ #include
+ #include
+ #include
++#include
+
+ struct module;
+ struct tracepoint;
+@@ -348,6 +349,13 @@ static inline struct tracepoint *tracepo
+ void __probestub_##_name(void *__data, proto) \
+ { \
+ } \
++ /* \
++ * Annotate the probestub 'CFI_NOSEAL' to stop objtool from \
++ * requesting the kernel remove the ENDBR, because the only \
++ * references to the function are in the __tracepoint section, \
++ * that objtool doesn't scan. \
++ */ \
++ CFI_NOSEAL(__probestub_##_name); \
+ DEFINE_STATIC_CALL(tp_func_##_name, __traceiter_##_name); \
+ DEFINE_RUST_DO_TRACE(_name, TP_PROTO(proto), TP_ARGS(args))
+
diff --git a/queue-6.18/tracing-probes-point-the-error-offset-correctly-for-eprobe-argument-error.patch b/queue-6.18/tracing-probes-point-the-error-offset-correctly-for-eprobe-argument-error.patch
new file mode 100644
index 0000000000..305b63b95f
--- /dev/null
+++ b/queue-6.18/tracing-probes-point-the-error-offset-correctly-for-eprobe-argument-error.patch
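Review bot: `CFI_NOSEAL(__probestub_##_name);` sits in a tracepoint definition macro that appears to be expanded for every tracepoint on every architecture, so the macro must expand to nothing on builds without IBT sealing; the header added on the new `#include` line (its target is lost in this rendering, presumably `<linux/cfi.h>`) should be checked to supply that empty fallback, otherwise non-x86 and non-IBT configurations will fail to build. A small wording fix in the added comment: `* that objtool doesn't scan.` reads better as `* which objtool doesn't scan.`. The macro this hunk edits starts and ends outside the hunk.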
@@ -0,0 +1,51 @@
+From 85e0f27dd1396307913ffc5745b0c05137e9beac Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)"
+Date: Mon, 25 May 2026 11:21:14 +0900
+Subject: tracing/probes: Point the error offset correctly for eprobe argument error
+
+From: Masami Hiramatsu (Google)
+
+commit 85e0f27dd1396307913ffc5745b0c05137e9beac upstream.
+
+Fix to point the error offset correctly for eprobe argument error.
+In the cleanup commit 1b8b0cd754cd ("tracing/probes: Move event parameter
+fetching code to common parser"), due to incorrect backward compatibility
+aimed at conforming to the test specifications, the error location was set
+to 0 when a non-existent formal parameter was specified for Eprobe.
+However, this should be corrected in both the test and the implementation
+to point correct error position.
+
+Link: https://lore.kernel.org/all/177967567399.209006.1451571244515632097.stgit@devnote2/
+
+Fixes: 1b8b0cd754cd ("tracing/probes: Move event parameter fetching code to common parser")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google)
+Reviewed-by: Steven Rostedt
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_probe.c | 2 --
+ tools/testing/selftests/ftrace/test.d/dynevent/eprobes_syntax_errors.tc | 2 +-
+ 2 files changed, 1 insertion(+), 3 deletions(-)
+
+--- a/kernel/trace/trace_probe.c
++++ b/kernel/trace/trace_probe.c
+@@ -962,8 +962,6 @@ static int parse_probe_vars(char *orig_a
+ code->op = FETCH_OP_COMM;
+ return 0;
+ }
+- /* backward compatibility */
+- ctx->offset = 0;
+ goto inval;
+ }
+
+--- a/tools/testing/selftests/ftrace/test.d/dynevent/eprobes_syntax_errors.tc
++++ b/tools/testing/selftests/ftrace/test.d/dynevent/eprobes_syntax_errors.tc
+@@ -20,7 +20,7 @@ check_error 'e:foo/^12345678901234567890
+ check_error 'e:foo/^bar.1 syscalls/sys_enter_openat' # BAD_EVENT_NAME
+
+ check_error 'e:foo/bar syscalls/sys_enter_openat arg=^dfd' # BAD_FETCH_ARG
+-check_error 'e:foo/bar syscalls/sys_enter_openat ^arg=$foo' # BAD_ATTACH_ARG
++check_error 'e:foo/bar syscalls/sys_enter_openat arg=^$foo' # BAD_ATTACH_ARG
+
+ if grep -q '\..*\[if \]' README; then
+ check_error 'e:foo/bar syscalls/sys_enter_openat if ^' # NO_EP_FILTER
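Review bot: Dropping `ctx->offset = 0;` before `goto inval;` changes the reported error offset for every probe type whose `$var` parsing reaches this path in the common parser, yet only the eprobe selftest is updated in the second hunk; the kprobe, uprobe and fprobe syntax-error selftests (not visible here) should be checked for `$`-variable cases that still expect the caret at column 0, or the backport will regress them. A one-line comment on the surviving `goto inval;`, e.g. `/* Unknown $var: keep ctx->offset so the caret points at it */`, would preserve the intent that the removed comment used to carry. parse_probe_vars() starts and ends outside the hunk.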