From: Greg Kroah-Hartman Date: Sat, 8 Nov 2025 05:30:23 +0000 (+0900) Subject: 6.17-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;p=thirdparty%2Fkernel%2Fstable-queue.git 6.17-stable patches added patches: btrfs-ensure-no-dirty-metadata-is-written-back-for-an-fs-with-errors.patch drm-mediatek-disable-afbc-support-on-mediatek-drm-driver.patch media-uvcvideo-use-heuristic-to-find-stream-entity.patch media-videobuf2-forbid-remove_bufs-when-legacy-fileio-is-active.patch net-libwx-fix-device-bus-lan-id.patch revert-wifi-ath10k-avoid-unnecessary-wait-for-service-ready-message.patch ring-buffer-do-not-warn-in-ring_buffer_map_get_reader-when-reader-catches-up.patch rust-condvar-fix-broken-intra-doc-link.patch rust-devres-fix-private-intra-doc-link.patch rust-kbuild-treat-build_error-and-rustdoc-as-kernel-objects.patch rust-kbuild-workaround-rustdoc-doctests-modifier-bug.patch tracing-tprobe-events-fix-to-put-tracepoint_user-when-disable-the-tprobe.patch tracing-tprobe-events-fix-to-register-tracepoint-correctly.patch --- diff --git a/queue-6.17/btrfs-ensure-no-dirty-metadata-is-written-back-for-an-fs-with-errors.patch b/queue-6.17/btrfs-ensure-no-dirty-metadata-is-written-back-for-an-fs-with-errors.patch new file mode 100644 index 0000000000..79abdcefb7 --- /dev/null +++ b/queue-6.17/btrfs-ensure-no-dirty-metadata-is-written-back-for-an-fs-with-errors.patch @@ -0,0 +1,79 @@ +From 2618849f31e7cf51fadd4a5242458501a6d5b315 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Thu, 23 Oct 2025 19:44:04 +1030 +Subject: btrfs: ensure no dirty metadata is written back for an fs with errors + +From: Qu Wenruo + +commit 2618849f31e7cf51fadd4a5242458501a6d5b315 upstream. + +[BUG] +During development of a minor feature (make sure all btrfs_bio::end_io() +is called in task context), I noticed a crash in generic/388, where +metadata writes triggered new works after btrfs_stop_all_workers(). + +It turns out that it can even happen without any code modification, just +using RAID5 for metadata and the same workload from generic/388 is going +to trigger the use-after-free. + +[CAUSE] +If btrfs hits an error, the fs is marked as error, no new +transaction is allowed thus metadata is in a frozen state. + +But there are some metadata modifications before that error, and they are +still in the btree inode page cache. + +Since there will be no real transaction commit, all those dirty folios +are just kept as is in the page cache, and they can not be invalidated +by invalidate_inode_pages2() call inside close_ctree(), because they are +dirty. + +And finally after btrfs_stop_all_workers(), we call iput() on btree +inode, which triggers writeback of those dirty metadata. + +And if the fs is using RAID56 metadata, this will trigger RMW and queue +new works into rmw_workers, which is already stopped, causing warning +from queue_work() and use-after-free. + +[FIX] +Add a special handling for write_one_eb(), that if the fs is already in +an error state, immediately mark the bbio as failure, instead of really +submitting them. + +Then during close_ctree(), iput() will just discard all those dirty +tree blocks without really writing them back, thus no more new jobs for +already stopped-and-freed workqueues. + +The extra discard in write_one_eb() also acts as an extra safenet. +E.g. the transaction abort is triggered by some extent/free space +tree corruptions, and since extent/free space tree is already corrupted +some tree blocks may be allocated where they shouldn't be (overwriting +existing tree blocks). In that case writing them back will further +corrupting the fs. + +CC: stable@vger.kernel.org # 6.6+ +Reviewed-by: Filipe Manana +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent_io.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -2167,6 +2167,14 @@ static noinline_for_stack void write_one + wbc_account_cgroup_owner(wbc, folio, range_len); + folio_unlock(folio); + } ++ /* ++ * If the fs is already in error status, do not submit any writeback ++ * but immediately finish it. ++ */ ++ if (unlikely(BTRFS_FS_ERROR(fs_info))) { ++ btrfs_bio_end_io(bbio, errno_to_blk_status(BTRFS_FS_ERROR(fs_info))); ++ return; ++ } + btrfs_submit_bbio(bbio, 0); + } + diff --git a/queue-6.17/drm-mediatek-disable-afbc-support-on-mediatek-drm-driver.patch b/queue-6.17/drm-mediatek-disable-afbc-support-on-mediatek-drm-driver.patch new file mode 100644 index 0000000000..168938b5ac --- /dev/null +++ b/queue-6.17/drm-mediatek-disable-afbc-support-on-mediatek-drm-driver.patch @@ -0,0 +1,107 @@ +From 9882a40640036d5bbc590426a78981526d4f2345 Mon Sep 17 00:00:00 2001 +From: Ariel D'Alessandro +Date: Fri, 24 Oct 2025 17:27:56 -0300 +Subject: drm/mediatek: Disable AFBC support on Mediatek DRM driver + +From: Ariel D'Alessandro + +commit 9882a40640036d5bbc590426a78981526d4f2345 upstream. + +Commit c410fa9b07c3 ("drm/mediatek: Add AFBC support to Mediatek DRM +driver") added AFBC support to Mediatek DRM and enabled the +32x8/split/sparse modifier. + +However, this is currently broken on Mediatek MT8188 (Genio 700 EVK +platform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by +default since Mesa v25.0. + +Kernel trace reports vblank timeouts constantly, and the render is garbled: + +``` +[CRTC:62:crtc-0] vblank wait timed out +WARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c +[...] +Hardware name: MediaTek Genio-700 EVK (DT) +Workqueue: events_unbound commit_work +pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c +lr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c +sp : ffff80008337bca0 +x29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000 +x26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000 +x23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80 +x20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a +x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000 +x14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b +x11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70 +x8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70 +x5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480 +x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480 +Call trace: + drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P) + drm_atomic_helper_commit_tail_rpm+0x64/0x80 + commit_tail+0xa4/0x1a4 + commit_work+0x14/0x20 + process_one_work+0x150/0x290 + worker_thread+0x2d0/0x3ec + kthread+0x12c/0x210 + ret_from_fork+0x10/0x20 +---[ end trace 0000000000000000 ]--- +``` + +Until this gets fixed upstream, disable AFBC support on this platform, as +it's currently broken with upstream Mesa. + +Fixes: c410fa9b07c3 ("drm/mediatek: Add AFBC support to Mediatek DRM driver") +Cc: stable@vger.kernel.org +Signed-off-by: Ariel D'Alessandro +Reviewed-by: Daniel Stone +Reviewed-by: CK Hu +Reviewed-by: Macpaul Lin +Link: https://patchwork.kernel.org/project/dri-devel/patch/20251024202756.811425-1-ariel.dalessandro@collabora.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/mediatek/mtk_plane.c | 24 +----------------------- + 1 file changed, 1 insertion(+), 23 deletions(-) + +--- a/drivers/gpu/drm/mediatek/mtk_plane.c ++++ b/drivers/gpu/drm/mediatek/mtk_plane.c +@@ -21,9 +21,6 @@ + + static const u64 modifiers[] = { + DRM_FORMAT_MOD_LINEAR, +- DRM_FORMAT_MOD_ARM_AFBC(AFBC_FORMAT_MOD_BLOCK_SIZE_32x8 | +- AFBC_FORMAT_MOD_SPLIT | +- AFBC_FORMAT_MOD_SPARSE), + DRM_FORMAT_MOD_INVALID, + }; + +@@ -71,26 +68,7 @@ static bool mtk_plane_format_mod_support + uint32_t format, + uint64_t modifier) + { +- if (modifier == DRM_FORMAT_MOD_LINEAR) +- return true; +- +- if (modifier != DRM_FORMAT_MOD_ARM_AFBC( +- AFBC_FORMAT_MOD_BLOCK_SIZE_32x8 | +- AFBC_FORMAT_MOD_SPLIT | +- AFBC_FORMAT_MOD_SPARSE)) +- return false; +- +- if (format != DRM_FORMAT_XRGB8888 && +- format != DRM_FORMAT_ARGB8888 && +- format != DRM_FORMAT_BGRX8888 && +- format != DRM_FORMAT_BGRA8888 && +- format != DRM_FORMAT_ABGR8888 && +- format != DRM_FORMAT_XBGR8888 && +- format != DRM_FORMAT_RGB888 && +- format != DRM_FORMAT_BGR888) +- return false; +- +- return true; ++ return modifier == DRM_FORMAT_MOD_LINEAR; + } + + static void mtk_plane_destroy_state(struct drm_plane *plane, diff --git a/queue-6.17/media-uvcvideo-use-heuristic-to-find-stream-entity.patch b/queue-6.17/media-uvcvideo-use-heuristic-to-find-stream-entity.patch new file mode 100644 index 0000000000..9b6548c7ca --- /dev/null +++ b/queue-6.17/media-uvcvideo-use-heuristic-to-find-stream-entity.patch @@ -0,0 +1,60 @@ +From 758dbc756aad429da11c569c0d067f7fd032bcf7 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Tue, 21 Oct 2025 10:36:17 +0000 +Subject: media: uvcvideo: Use heuristic to find stream entity + +From: Ricardo Ribalda + +commit 758dbc756aad429da11c569c0d067f7fd032bcf7 upstream. + +Some devices, like the Grandstream GUV3100 webcam, have an invalid UVC +descriptor where multiple entities share the same ID, this is invalid +and makes it impossible to make a proper entity tree without heuristics. + +We have recently introduced a change in the way that we handle invalid +entities that has caused a regression on broken devices. + +Implement a new heuristic to handle these devices properly. + +Reported-by: Angel4005 +Closes: https://lore.kernel.org/linux-media/CAOzBiVuS7ygUjjhCbyWg-KiNx+HFTYnqH5+GJhd6cYsNLT=DaA@mail.gmail.com/ +Fixes: 0e2ee70291e6 ("media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID") +Cc: stable@vger.kernel.org +Signed-off-by: Ricardo Ribalda +Reviewed-by: Hans de Goede +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_driver.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -167,13 +167,26 @@ static struct uvc_entity *uvc_entity_by_ + + static struct uvc_streaming *uvc_stream_by_id(struct uvc_device *dev, int id) + { +- struct uvc_streaming *stream; ++ struct uvc_streaming *stream, *last_stream; ++ unsigned int count = 0; + + list_for_each_entry(stream, &dev->streams, list) { ++ count += 1; ++ last_stream = stream; + if (stream->header.bTerminalLink == id) + return stream; + } + ++ /* ++ * If the streaming entity is referenced by an invalid ID, notify the ++ * user and use heuristics to guess the correct entity. ++ */ ++ if (count == 1 && id == UVC_INVALID_ENTITY_ID) { ++ dev_warn(&dev->intf->dev, ++ "UVC non compliance: Invalid USB header. The streaming entity has an invalid ID, guessing the correct one."); ++ return last_stream; ++ } ++ + return NULL; + } + diff --git a/queue-6.17/media-videobuf2-forbid-remove_bufs-when-legacy-fileio-is-active.patch b/queue-6.17/media-videobuf2-forbid-remove_bufs-when-legacy-fileio-is-active.patch new file mode 100644 index 0000000000..523d569ebe --- /dev/null +++ b/queue-6.17/media-videobuf2-forbid-remove_bufs-when-legacy-fileio-is-active.patch @@ -0,0 +1,39 @@ +From 27afd6e066cfd80ddbe22a4a11b99174ac89cced Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Thu, 23 Oct 2025 16:26:34 +0200 +Subject: media: videobuf2: forbid remove_bufs when legacy fileio is active + +From: Marek Szyprowski + +commit 27afd6e066cfd80ddbe22a4a11b99174ac89cced upstream. + +vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, +potentially overwriting some pointers used by the legacy fileio access +mode. Forbid that ioctl when fileio is active to protect internal queue +state between subsequent read/write calls. + +CC: stable@vger.kernel.org +Fixes: a3293a85381e ("media: v4l2: Add REMOVE_BUFS ioctl") +Reported-by: Shuangpeng Bai +Closes: https://lore.kernel.org/linux-media/5317B590-AAB4-4F17-8EA1-621965886D49@psu.edu/ +Signed-off-by: Marek Szyprowski +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/common/videobuf2/videobuf2-v4l2.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/media/common/videobuf2/videobuf2-v4l2.c ++++ b/drivers/media/common/videobuf2/videobuf2-v4l2.c +@@ -1014,6 +1014,11 @@ int vb2_ioctl_remove_bufs(struct file *f + if (vb2_queue_is_busy(vdev->queue, file)) + return -EBUSY; + ++ if (vb2_fileio_is_active(vdev->queue)) { ++ dprintk(vdev->queue, 1, "file io in progress\n"); ++ return -EBUSY; ++ } ++ + return vb2_core_remove_bufs(vdev->queue, d->index, d->count); + } + EXPORT_SYMBOL_GPL(vb2_ioctl_remove_bufs); diff --git a/queue-6.17/net-libwx-fix-device-bus-lan-id.patch b/queue-6.17/net-libwx-fix-device-bus-lan-id.patch new file mode 100644 index 0000000000..dee4cb2da5 --- /dev/null +++ b/queue-6.17/net-libwx-fix-device-bus-lan-id.patch @@ -0,0 +1,60 @@ +From a04ea57aae375bdda1cb57034d8bcbb351e1f973 Mon Sep 17 00:00:00 2001 +From: Jiawen Wu +Date: Tue, 4 Nov 2025 14:23:21 +0800 +Subject: net: libwx: fix device bus LAN ID + +From: Jiawen Wu + +commit a04ea57aae375bdda1cb57034d8bcbb351e1f973 upstream. + +The device bus LAN ID was obtained from PCI_FUNC(), but when a PF +port is passthrough to a virtual machine, the function number may not +match the actual port index on the device. This could cause the driver +to perform operations such as LAN reset on the wrong port. + +Fix this by reading the LAN ID from port status register. + +Fixes: a34b3e6ed8fb ("net: txgbe: Store PCI info") +Cc: stable@vger.kernel.org +Signed-off-by: Jiawen Wu +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/B60A670C1F52CB8E+20251104062321.40059-1-jiawenwu@trustnetic.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/wangxun/libwx/wx_hw.c | 3 ++- + drivers/net/ethernet/wangxun/libwx/wx_type.h | 4 ++-- + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c ++++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c +@@ -2368,7 +2368,8 @@ int wx_sw_init(struct wx *wx) + wx->oem_svid = pdev->subsystem_vendor; + wx->oem_ssid = pdev->subsystem_device; + wx->bus.device = PCI_SLOT(pdev->devfn); +- wx->bus.func = PCI_FUNC(pdev->devfn); ++ wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID, ++ rd32(wx, WX_CFG_PORT_ST)); + + if (wx->oem_svid == PCI_VENDOR_ID_WANGXUN || + pdev->is_virtfn) { +--- a/drivers/net/ethernet/wangxun/libwx/wx_type.h ++++ b/drivers/net/ethernet/wangxun/libwx/wx_type.h +@@ -96,6 +96,8 @@ + #define WX_CFG_PORT_CTL_DRV_LOAD BIT(3) + #define WX_CFG_PORT_CTL_QINQ BIT(2) + #define WX_CFG_PORT_CTL_D_VLAN BIT(0) /* double vlan*/ ++#define WX_CFG_PORT_ST 0x14404 ++#define WX_CFG_PORT_ST_LANID GENMASK(9, 8) + #define WX_CFG_TAG_TPID(_i) (0x14430 + ((_i) * 4)) + #define WX_CFG_PORT_CTL_NUM_VT_MASK GENMASK(13, 12) /* number of TVs */ + +@@ -549,8 +551,6 @@ enum WX_MSCA_CMD_value { + #define TXD_USE_COUNT(S) DIV_ROUND_UP((S), WX_MAX_DATA_PER_TXD) + #define DESC_NEEDED (MAX_SKB_FRAGS + 4) + +-#define WX_CFG_PORT_ST 0x14404 +- + /******************* Receive Descriptor bit definitions **********************/ + #define WX_RXD_STAT_DD BIT(0) /* Done */ + #define WX_RXD_STAT_EOP BIT(1) /* End of Packet */ diff --git a/queue-6.17/revert-wifi-ath10k-avoid-unnecessary-wait-for-service-ready-message.patch b/queue-6.17/revert-wifi-ath10k-avoid-unnecessary-wait-for-service-ready-message.patch new file mode 100644 index 0000000000..cbef46c275 --- /dev/null +++ b/queue-6.17/revert-wifi-ath10k-avoid-unnecessary-wait-for-service-ready-message.patch @@ -0,0 +1,85 @@ +From 2469bb6a6af944755a7d7daf66be90f3b8decbf9 Mon Sep 17 00:00:00 2001 +From: Baochen Qiang +Date: Mon, 27 Oct 2025 09:49:12 +0800 +Subject: Revert "wifi: ath10k: avoid unnecessary wait for service ready message" + +From: Baochen Qiang + +commit 2469bb6a6af944755a7d7daf66be90f3b8decbf9 upstream. + +This reverts commit 51a73f1b2e56b0324b4a3bb8cebc4221b5be4c7a. + +Although this commit benefits QCA6174, it breaks QCA988x and +QCA9984 [1][2]. Since it is not likely to root cause/fix this +issue in a short time, revert it to get those chips back. + +Compile tested only. + +Fixes: 51a73f1b2e56 ("wifi: ath10k: avoid unnecessary wait for service ready message") +Link: https://lore.kernel.org/ath10k/6d41bc00602c33ffbf68781f563ff2e6c6915a3e.camel@gmail.com # [1] +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220671 # [2] +Signed-off-by: Baochen Qiang +Reviewed-by: Vasanthakumar Thiagarajan +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251027-ath10k-revert-polling-first-change-v1-1-89aaf3bcbfa1@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/wmi.c | 39 +++++++++++++++++----------------- + 1 file changed, 20 insertions(+), 19 deletions(-) + +--- a/drivers/net/wireless/ath/ath10k/wmi.c ++++ b/drivers/net/wireless/ath/ath10k/wmi.c +@@ -1764,32 +1764,33 @@ void ath10k_wmi_put_wmi_channel(struct a + + int ath10k_wmi_wait_for_service_ready(struct ath10k *ar) + { +- unsigned long timeout = jiffies + WMI_SERVICE_READY_TIMEOUT_HZ; + unsigned long time_left, i; + +- /* Sometimes the PCI HIF doesn't receive interrupt +- * for the service ready message even if the buffer +- * was completed. PCIe sniffer shows that it's +- * because the corresponding CE ring doesn't fires +- * it. Workaround here by polling CE rings. Since +- * the message could arrive at any time, continue +- * polling until timeout. +- */ +- do { ++ time_left = wait_for_completion_timeout(&ar->wmi.service_ready, ++ WMI_SERVICE_READY_TIMEOUT_HZ); ++ if (!time_left) { ++ /* Sometimes the PCI HIF doesn't receive interrupt ++ * for the service ready message even if the buffer ++ * was completed. PCIe sniffer shows that it's ++ * because the corresponding CE ring doesn't fires ++ * it. Workaround here by polling CE rings once. ++ */ ++ ath10k_warn(ar, "failed to receive service ready completion, polling..\n"); ++ + for (i = 0; i < CE_COUNT; i++) + ath10k_hif_send_complete_check(ar, i, 1); + +- /* The 100 ms granularity is a tradeoff considering scheduler +- * overhead and response latency +- */ + time_left = wait_for_completion_timeout(&ar->wmi.service_ready, +- msecs_to_jiffies(100)); +- if (time_left) +- return 0; +- } while (time_before(jiffies, timeout)); ++ WMI_SERVICE_READY_TIMEOUT_HZ); ++ if (!time_left) { ++ ath10k_warn(ar, "polling timed out\n"); ++ return -ETIMEDOUT; ++ } ++ ++ ath10k_warn(ar, "service ready completion received, continuing normally\n"); ++ } + +- ath10k_warn(ar, "failed to receive service ready completion\n"); +- return -ETIMEDOUT; ++ return 0; + } + + int ath10k_wmi_wait_for_unified_ready(struct ath10k *ar) diff --git a/queue-6.17/ring-buffer-do-not-warn-in-ring_buffer_map_get_reader-when-reader-catches-up.patch b/queue-6.17/ring-buffer-do-not-warn-in-ring_buffer_map_get_reader-when-reader-catches-up.patch new file mode 100644 index 0000000000..ed69bdd7cb --- /dev/null +++ b/queue-6.17/ring-buffer-do-not-warn-in-ring_buffer_map_get_reader-when-reader-catches-up.patch @@ -0,0 +1,51 @@ +From aa997d2d2a0b2e76f4df0f1f12829f02acb4fb6b Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Thu, 16 Oct 2025 13:28:48 -0400 +Subject: ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up + +From: Steven Rostedt + +commit aa997d2d2a0b2e76f4df0f1f12829f02acb4fb6b upstream. + +The function ring_buffer_map_get_reader() is a bit more strict than the +other get reader functions, and except for certain situations the +rb_get_reader_page() should not return NULL. If it does, it triggers a +warning. + +This warning was triggering but after looking at why, it was because +another acceptable situation was happening and it wasn't checked for. + +If the reader catches up to the writer and there's still data to be read +on the reader page, then the rb_get_reader_page() will return NULL as +there's no new page to get. + +In this situation, the reader page should not be updated and no warning +should trigger. + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Cc: Vincent Donnefort +Reported-by: syzbot+92a3745cea5ec6360309@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/690babec.050a0220.baf87.0064.GAE@google.com/ +Link: https://lore.kernel.org/20251016132848.1b11bb37@gandalf.local.home +Fixes: 117c39200d9d7 ("ring-buffer: Introducing ring-buffer mapping functions") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ring_buffer.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -7344,6 +7344,10 @@ consume: + goto out; + } + ++ /* Did the reader catch up with the writer? */ ++ if (cpu_buffer->reader_page == cpu_buffer->commit_page) ++ goto out; ++ + reader = rb_get_reader_page(cpu_buffer); + if (WARN_ON(!reader)) + goto out; diff --git a/queue-6.17/rust-condvar-fix-broken-intra-doc-link.patch b/queue-6.17/rust-condvar-fix-broken-intra-doc-link.patch new file mode 100644 index 0000000000..d43b28045f --- /dev/null +++ b/queue-6.17/rust-condvar-fix-broken-intra-doc-link.patch @@ -0,0 +1,52 @@ +From 09b1704f5b02c18dd02b21343530463fcfc92c54 Mon Sep 17 00:00:00 2001 +From: Miguel Ojeda +Date: Wed, 29 Oct 2025 08:33:44 +0100 +Subject: rust: condvar: fix broken intra-doc link + +From: Miguel Ojeda + +commit 09b1704f5b02c18dd02b21343530463fcfc92c54 upstream. + +The future move of pin-init to `syn` uncovers the following broken +intra-doc link: + + error: unresolved link to `crate::pin_init` + --> rust/kernel/sync/condvar.rs:39:40 + | + 39 | /// instances is with the [`pin_init`](crate::pin_init!) and [`new_condvar`] macros. + | ^^^^^^^^^^^^^^^^ no item named `pin_init` in module `kernel` + | + = note: `-D rustdoc::broken-intra-doc-links` implied by `-D warnings` + = help: to override `-D warnings` add `#[allow(rustdoc::broken_intra_doc_links)]` + +Currently, when rendered, the link points to a literal `crate::pin_init!` +URL. + +Thus fix it. + +Cc: stable@vger.kernel.org +Fixes: 129e97be8e28 ("rust: pin-init: fix documentation links") +Reviewed-by: Alice Ryhl +Link: https://patch.msgid.link/20251029073344.349341-1-ojeda@kernel.org +Signed-off-by: Miguel Ojeda +Signed-off-by: Greg Kroah-Hartman +--- + rust/kernel/sync/condvar.rs | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rust/kernel/sync/condvar.rs b/rust/kernel/sync/condvar.rs +index c6ec64295c9f..aa5b9a7a726d 100644 +--- a/rust/kernel/sync/condvar.rs ++++ b/rust/kernel/sync/condvar.rs +@@ -36,7 +36,7 @@ macro_rules! new_condvar { + /// spuriously. + /// + /// Instances of [`CondVar`] need a lock class and to be pinned. The recommended way to create such +-/// instances is with the [`pin_init`](crate::pin_init!) and [`new_condvar`] macros. ++/// instances is with the [`pin_init`](pin_init::pin_init!) and [`new_condvar`] macros. + /// + /// # Examples + /// +-- +2.51.2 + diff --git a/queue-6.17/rust-devres-fix-private-intra-doc-link.patch b/queue-6.17/rust-devres-fix-private-intra-doc-link.patch new file mode 100644 index 0000000000..eaff196e5a --- /dev/null +++ b/queue-6.17/rust-devres-fix-private-intra-doc-link.patch @@ -0,0 +1,53 @@ +From ff4d2ef3874773c9c6173b0f099372bf62252aaf Mon Sep 17 00:00:00 2001 +From: Miguel Ojeda +Date: Wed, 29 Oct 2025 08:14:06 +0100 +Subject: rust: devres: fix private intra-doc link + +From: Miguel Ojeda + +commit ff4d2ef3874773c9c6173b0f099372bf62252aaf upstream. + +The future move of pin-init to `syn` uncovers the following private +intra-doc link: + + error: public documentation for `Devres` links to private item `Self::inner` + --> rust/kernel/devres.rs:106:7 + | + 106 | /// [`Self::inner`] is guaranteed to be initialized and is always accessed read-only. + | ^^^^^^^^^^^ this item is private + | + = note: this link will resolve properly if you pass `--document-private-items` + = note: `-D rustdoc::private-intra-doc-links` implied by `-D warnings` + = help: to override `-D warnings` add `#[allow(rustdoc::private_intra_doc_links)]` + +Currently, when rendered, the link points to "nowhere" (an inexistent +anchor for a "method"). + +Thus fix it. + +Cc: stable@vger.kernel.org +Fixes: f5d3ef25d238 ("rust: devres: get rid of Devres' inner Arc") +Acked-by: Danilo Krummrich +Link: https://patch.msgid.link/20251029071406.324511-1-ojeda@kernel.org +Signed-off-by: Miguel Ojeda +Signed-off-by: Greg Kroah-Hartman +--- + rust/kernel/devres.rs | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rust/kernel/devres.rs b/rust/kernel/devres.rs +index 10a6a1789854..2392c281459e 100644 +--- a/rust/kernel/devres.rs ++++ b/rust/kernel/devres.rs +@@ -103,7 +103,7 @@ struct Inner { + /// + /// # Invariants + /// +-/// [`Self::inner`] is guaranteed to be initialized and is always accessed read-only. ++/// `Self::inner` is guaranteed to be initialized and is always accessed read-only. + #[pin_data(PinnedDrop)] + pub struct Devres { + dev: ARef, +-- +2.51.2 + diff --git a/queue-6.17/rust-kbuild-treat-build_error-and-rustdoc-as-kernel-objects.patch b/queue-6.17/rust-kbuild-treat-build_error-and-rustdoc-as-kernel-objects.patch new file mode 100644 index 0000000000..33c30e0583 --- /dev/null +++ b/queue-6.17/rust-kbuild-treat-build_error-and-rustdoc-as-kernel-objects.patch @@ -0,0 +1,77 @@ +From 16c43a56b79e2c3220b043236369a129d508c65a Mon Sep 17 00:00:00 2001 +From: Miguel Ojeda +Date: Sun, 2 Nov 2025 22:28:52 +0100 +Subject: rust: kbuild: treat `build_error` and `rustdoc` as kernel objects + +From: Miguel Ojeda + +commit 16c43a56b79e2c3220b043236369a129d508c65a upstream. + +Even if normally `build_error` isn't a kernel object, it should still +be treated as such so that we pass the same flags. Similarly, `rustdoc` +targets are never kernel objects, but we need to treat them as such. + +Otherwise, starting with Rust 1.91.0 (released 2025-10-30), `rustc` +will complain about missing sanitizer flags since `-Zsanitizer` is a +target modifier too [1]: + + error: mixing `-Zsanitizer` will cause an ABI mismatch in crate `build_error` + --> rust/build_error.rs:3:1 + | + 3 | //! Build-time error. + | ^ + | + = help: the `-Zsanitizer` flag modifies the ABI so Rust crates compiled with different values of this flag cannot be used together safely + = note: unset `-Zsanitizer` in this crate is incompatible with `-Zsanitizer=kernel-address` in dependency `core` + = help: set `-Zsanitizer=kernel-address` in this crate or unset `-Zsanitizer` in `core` + = help: if you are sure this will not cause problems, you may use `-Cunsafe-allow-abi-mismatch=sanitizer` to silence this error + +Thus explicitly mark them as kernel objects. + +Cc: stable@vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs). +Link: https://github.com/rust-lang/rust/pull/138736 [1] +Reviewed-by: Alice Ryhl +Tested-by: Justin M. Forbes +Link: https://patch.msgid.link/20251102212853.1505384-1-ojeda@kernel.org +Signed-off-by: Miguel Ojeda +Signed-off-by: Greg Kroah-Hartman +--- + rust/Makefile | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/rust/Makefile ++++ b/rust/Makefile +@@ -124,9 +124,14 @@ rustdoc-core: private rustc_target_flags + rustdoc-core: $(RUST_LIB_SRC)/core/src/lib.rs rustdoc-clean FORCE + +$(call if_changed,rustdoc) + ++# Even if `rustdoc` targets are not kernel objects, they should still be ++# treated as such so that we pass the same flags. Otherwise, for instance, ++# `rustdoc` will complain about missing sanitizer flags causing an ABI mismatch. ++rustdoc-compiler_builtins: private is-kernel-object := y + rustdoc-compiler_builtins: $(src)/compiler_builtins.rs rustdoc-core FORCE + +$(call if_changed,rustdoc) + ++rustdoc-ffi: private is-kernel-object := y + rustdoc-ffi: $(src)/ffi.rs rustdoc-core FORCE + +$(call if_changed,rustdoc) + +@@ -144,6 +149,7 @@ rustdoc-pin_init: $(src)/pin-init/src/li + rustdoc-macros FORCE + +$(call if_changed,rustdoc) + ++rustdoc-kernel: private is-kernel-object := y + rustdoc-kernel: private rustc_target_flags = --extern ffi --extern pin_init \ + --extern build_error --extern macros \ + --extern bindings --extern uapi +@@ -526,6 +532,10 @@ $(obj)/pin_init.o: $(src)/pin-init/src/l + $(obj)/$(libpin_init_internal_name) $(obj)/$(libmacros_name) FORCE + +$(call if_changed_rule,rustc_library) + ++# Even if normally `build_error` is not a kernel object, it should still be ++# treated as such so that we pass the same flags. Otherwise, for instance, ++# `rustc` will complain about missing sanitizer flags causing an ABI mismatch. ++$(obj)/build_error.o: private is-kernel-object := y + $(obj)/build_error.o: private skip_gendwarfksyms = 1 + $(obj)/build_error.o: $(src)/build_error.rs $(obj)/compiler_builtins.o FORCE + +$(call if_changed_rule,rustc_library) diff --git a/queue-6.17/rust-kbuild-workaround-rustdoc-doctests-modifier-bug.patch b/queue-6.17/rust-kbuild-workaround-rustdoc-doctests-modifier-bug.patch new file mode 100644 index 0000000000..775d8d91a5 --- /dev/null +++ b/queue-6.17/rust-kbuild-workaround-rustdoc-doctests-modifier-bug.patch @@ -0,0 +1,87 @@ +From fad472efab0a805dd939f017c5b8669a786a4bcf Mon Sep 17 00:00:00 2001 +From: Miguel Ojeda +Date: Sun, 2 Nov 2025 22:28:53 +0100 +Subject: rust: kbuild: workaround `rustdoc` doctests modifier bug + +From: Miguel Ojeda + +commit fad472efab0a805dd939f017c5b8669a786a4bcf upstream. + +The `rustdoc` modifiers bug [1] was fixed in Rust 1.90.0 [2], for which +we added a workaround in commit abbf9a449441 ("rust: workaround `rustdoc` +target modifiers bug"). + +However, `rustdoc`'s doctest generation still has a similar issue [3], +being fixed at [4], which does not affect us because we apply the +workaround to both, and now, starting with Rust 1.91.0 (released +2025-10-30), `-Zsanitizer` is a target modifier too [5], which means we +fail with: + + RUSTDOC TK rust/kernel/lib.rs + error: mixing `-Zsanitizer` will cause an ABI mismatch in crate `kernel` + --> rust/kernel/lib.rs:3:1 + | + 3 | //! The `kernel` crate. + | ^ + | + = help: the `-Zsanitizer` flag modifies the ABI so Rust crates compiled with different values of this flag cannot be used together safely + = note: unset `-Zsanitizer` in this crate is incompatible with `-Zsanitizer=kernel-address` in dependency `core` + = help: set `-Zsanitizer=kernel-address` in this crate or unset `-Zsanitizer` in `core` + = help: if you are sure this will not cause problems, you may use `-Cunsafe-allow-abi-mismatch=sanitizer` to silence this error + +A simple way around is to add the sanitizer to the list in the existing +workaround (especially if we had not started to pass the sanitizer +flags in the previous commit, since in that case that would not be +necessary). However, that still applies the workaround in more cases +than necessary. + +Instead, only modify the doctests flags to ignore the check for +sanitizers, so that it is more local (and thus the compiler keeps checking +it for us in the normal `rustdoc` calls). Since the previous commit +already treated the `rustdoc` calls as kernel objects, this should allow +us in the future to easily remove this workaround when the time comes. + +By the way, the `-Cunsafe-allow-abi-mismatch` flag overwrites previous +ones rather than appending, so it needs to be all done in the same flag. +Moreover, unknown modifiers are rejected, and thus we have to gate based +on the version too. + +Finally, `-Zsanitizer-cfi-normalize-integers` is not affected (in Rust +1.91.0), so it is not needed in the workaround for the moment. + +Cc: stable@vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs). +Link: https://github.com/rust-lang/rust/issues/144521 [1] +Link: https://github.com/rust-lang/rust/pull/144523 [2] +Link: https://github.com/rust-lang/rust/issues/146465 [3] +Link: https://github.com/rust-lang/rust/pull/148068 [4] +Link: https://github.com/rust-lang/rust/pull/138736 [5] +Reviewed-by: Alice Ryhl +Tested-by: Justin M. Forbes +Link: https://patch.msgid.link/20251102212853.1505384-2-ojeda@kernel.org +Signed-off-by: Miguel Ojeda +Signed-off-by: Greg Kroah-Hartman +--- + rust/Makefile | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/rust/Makefile ++++ b/rust/Makefile +@@ -69,6 +69,9 @@ core-edition := $(if $(call rustc-min-ve + # the time being (https://github.com/rust-lang/rust/issues/144521). + rustdoc_modifiers_workaround := $(if $(call rustc-min-version,108800),-Cunsafe-allow-abi-mismatch=fixed-x18) + ++# Similarly, for doctests (https://github.com/rust-lang/rust/issues/146465). ++doctests_modifiers_workaround := $(rustdoc_modifiers_workaround)$(if $(call rustc-min-version,109100),$(comma)sanitizer) ++ + # `rustc` recognizes `--remap-path-prefix` since 1.26.0, but `rustdoc` only + # since Rust 1.81.0. Moreover, `rustdoc` ICEs on out-of-tree builds since Rust + # 1.82.0 (https://github.com/rust-lang/rust/issues/138520). Thus workaround both +@@ -224,7 +227,7 @@ quiet_cmd_rustdoc_test_kernel = RUSTDOC + --extern bindings --extern uapi \ + --no-run --crate-name kernel -Zunstable-options \ + --sysroot=/dev/null \ +- $(rustdoc_modifiers_workaround) \ ++ $(doctests_modifiers_workaround) \ + --test-builder $(objtree)/scripts/rustdoc_test_builder \ + $< $(rustdoc_test_kernel_quiet); \ + $(objtree)/scripts/rustdoc_test_gen diff --git a/queue-6.17/series b/queue-6.17/series index edf6dec537..1aa2a24dc2 100644 --- a/queue-6.17/series +++ b/queue-6.17/series @@ -735,3 +735,16 @@ ceph-fix-potential-race-condition-in-ceph_ioctl_lazy.patch ceph-refactor-wake_up_bit-pattern-of-calling.patch ceph-fix-multifs-mds-auth-caps-issue.patch x86-uaccess-don-t-use-runtime-const-rewriting-in-mod.patch +rust-condvar-fix-broken-intra-doc-link.patch +rust-devres-fix-private-intra-doc-link.patch +rust-kbuild-workaround-rustdoc-doctests-modifier-bug.patch +rust-kbuild-treat-build_error-and-rustdoc-as-kernel-objects.patch +btrfs-ensure-no-dirty-metadata-is-written-back-for-an-fs-with-errors.patch +media-uvcvideo-use-heuristic-to-find-stream-entity.patch +media-videobuf2-forbid-remove_bufs-when-legacy-fileio-is-active.patch +drm-mediatek-disable-afbc-support-on-mediatek-drm-driver.patch +revert-wifi-ath10k-avoid-unnecessary-wait-for-service-ready-message.patch +tracing-tprobe-events-fix-to-register-tracepoint-correctly.patch +tracing-tprobe-events-fix-to-put-tracepoint_user-when-disable-the-tprobe.patch +ring-buffer-do-not-warn-in-ring_buffer_map_get_reader-when-reader-catches-up.patch +net-libwx-fix-device-bus-lan-id.patch diff --git a/queue-6.17/tracing-tprobe-events-fix-to-put-tracepoint_user-when-disable-the-tprobe.patch b/queue-6.17/tracing-tprobe-events-fix-to-put-tracepoint_user-when-disable-the-tprobe.patch new file mode 100644 index 0000000000..205911f68d --- /dev/null +++ b/queue-6.17/tracing-tprobe-events-fix-to-put-tracepoint_user-when-disable-the-tprobe.patch @@ -0,0 +1,46 @@ +From c91afa7610235f89a5e8f5686aac23892ab227ed Mon Sep 17 00:00:00 2001 +From: "Masami Hiramatsu (Google)" +Date: Fri, 7 Nov 2025 01:52:24 +0900 +Subject: tracing: tprobe-events: Fix to put tracepoint_user when disable the tprobe + +From: Masami Hiramatsu (Google) + +commit c91afa7610235f89a5e8f5686aac23892ab227ed upstream. + +__unregister_trace_fprobe() checks tf->tuser to put it when removing +tprobe. However, disable_trace_fprobe() does not use it and only calls +unregister_fprobe(). Thus it forgets to disable tracepoint_user. + +If the trace_fprobe has tuser, put it for unregistering the tracepoint +callbacks when disabling tprobe correctly. + +Link: https://lore.kernel.org/all/176244794466.155515.3971904050506100243.stgit@devnote2/ + +Fixes: 2867495dea86 ("tracing: tprobe-events: Register tracepoint when enable tprobe event") +Cc: stable@vger.kernel.org +Signed-off-by: Masami Hiramatsu (Google) +Tested-by: Beau Belgrave +Reviewed-by: Beau Belgrave +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_fprobe.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/kernel/trace/trace_fprobe.c b/kernel/trace/trace_fprobe.c +index fd1b108ab639..8001dbf16891 100644 +--- a/kernel/trace/trace_fprobe.c ++++ b/kernel/trace/trace_fprobe.c +@@ -1514,6 +1514,10 @@ static int disable_trace_fprobe(struct trace_event_call *call, + if (!trace_probe_is_enabled(tp)) { + list_for_each_entry(tf, trace_probe_probe_list(tp), tp.list) { + unregister_fprobe(&tf->fp); ++ if (tf->tuser) { ++ tracepoint_user_put(tf->tuser); ++ tf->tuser = NULL; ++ } + } + } + +-- +2.51.2 + diff --git a/queue-6.17/tracing-tprobe-events-fix-to-register-tracepoint-correctly.patch b/queue-6.17/tracing-tprobe-events-fix-to-register-tracepoint-correctly.patch new file mode 100644 index 0000000000..d04428dafa --- /dev/null +++ b/queue-6.17/tracing-tprobe-events-fix-to-register-tracepoint-correctly.patch @@ -0,0 +1,58 @@ +From 10d9dda426d684e98b17161f02f77894c6de9b60 Mon Sep 17 00:00:00 2001 +From: "Masami Hiramatsu (Google)" +Date: Fri, 7 Nov 2025 01:52:15 +0900 +Subject: tracing: tprobe-events: Fix to register tracepoint correctly + +From: Masami Hiramatsu (Google) + +commit 10d9dda426d684e98b17161f02f77894c6de9b60 upstream. + +Since __tracepoint_user_init() calls tracepoint_user_register() without +initializing tuser->tpoint with given tracpoint, it does not register +tracepoint stub function as callback correctly, and tprobe does not work. + +Initializing tuser->tpoint correctly before tracepoint_user_register() +so that it sets up tracepoint callback. + +I confirmed below example works fine again. + +echo "t sched_switch preempt prev_pid=prev->pid next_pid=next->pid" > /sys/kernel/tracing/dynamic_events +echo 1 > /sys/kernel/tracing/events/tracepoints/sched_switch/enable +cat /sys/kernel/tracing/trace_pipe + +Link: https://lore.kernel.org/all/176244793514.155515.6466348656998627773.stgit@devnote2/ + +Fixes: 2867495dea86 ("tracing: tprobe-events: Register tracepoint when enable tprobe event") +Reported-by: Beau Belgrave +Cc: stable@vger.kernel.org +Signed-off-by: Masami Hiramatsu (Google) +Tested-by: Beau Belgrave +Reviewed-by: Beau Belgrave +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_fprobe.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_fprobe.c b/kernel/trace/trace_fprobe.c +index ad9d6347b5fa..fd1b108ab639 100644 +--- a/kernel/trace/trace_fprobe.c ++++ b/kernel/trace/trace_fprobe.c +@@ -106,13 +106,14 @@ static struct tracepoint_user *__tracepoint_user_init(const char *name, struct t + if (!tuser->name) + return NULL; + ++ /* Register tracepoint if it is loaded. */ + if (tpoint) { ++ tuser->tpoint = tpoint; + ret = tracepoint_user_register(tuser); + if (ret) + return ERR_PTR(ret); + } + +- tuser->tpoint = tpoint; + tuser->refcount = 1; + INIT_LIST_HEAD(&tuser->list); + list_add(&tuser->list, &tracepoint_user_list); +-- +2.51.2 +