From 1933e81a571899c535154c7512ba60875e5bf2dd Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 15 Aug 2025 17:36:58 +0200 Subject: [PATCH] 6.12-stable patches added patches: alsa-hda-realtek-add-framework-laptop-13-amd-ryzen-ai-300-to-quirks.patch alsa-hda-realtek-fix-headset-mic-on-honor-brb-x.patch alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch gpio-mlxbf2-use-platform_get_irq_optional.patch gpio-mlxbf3-use-platform_get_irq_optional.patch gpio-virtio-fix-config-space-reading.patch io_uring-don-t-use-int-for-abi.patch leds-flash-leds-qcom-flash-fix-registry-access-after-re-bind.patch net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch net-enetc-fix-device-and-of-node-leak-at-probe.patch net-ftgmac100-fix-potential-null-pointer-access-in-ftgmac100_phy_disconnect.patch net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch net-mtk_eth_soc-fix-device-leak-at-probe.patch net-phy-micrel-fix-ksz8081-ksz8091-cable-test.patch net-ti-icss-iep-fix-device-and-of-node-leaks-at-probe.patch net-usb-asix_devices-add-phy_mask-for-ax88772-mdio-bus.patch netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch revert-gpio-mlxbf3-only-get-irq-for-device-instance-0.patch revert-leds-trigger-netdev-configure-led-blink-interval-for-hw-offload.patch series smb-client-remove-redundant-lstrp-update-in-negotiate-protocol.patch smb3-fix-for-slab-out-of-bounds-on-mount-to-ksmbd.patch --- ...laptop-13-amd-ryzen-ai-300-to-quirks.patch | 31 ++++++ ...altek-fix-headset-mic-on-honor-brb-x.patch | 31 ++++++ ...ate-uac3-cluster-segment-descriptors.patch | 91 +++++++++++++++++ ...te-uac3-power-domain-descriptors-too.patch | 51 ++++++++++ ...mlxbf2-use-platform_get_irq_optional.patch | 39 ++++++++ ...mlxbf3-use-platform_get_irq_optional.patch | 38 +++++++ ...gpio-virtio-fix-config-space-reading.patch | 52 ++++++++++ .../io_uring-don-t-use-int-for-abi.patch | 35 +++++++ ...sh-fix-registry-access-after-re-bind.patch | 78 +++++++++++++++ ...e-leak-when-querying-time-stamp-info.patch | 41 ++++++++ ...fix-device-and-of-node-leak-at-probe.patch | 58 +++++++++++ ...r-access-in-ftgmac100_phy_disconnect.patch | 47 +++++++++ ...e-leak-when-querying-time-stamp-info.patch | 41 ++++++++ ...mtk_eth_soc-fix-device-leak-at-probe.patch | 35 +++++++ ...icrel-fix-ksz8081-ksz8091-cable-test.patch | 43 ++++++++ ...ix-device-and-of-node-leaks-at-probe.patch | 82 ++++++++++++++++ ...es-add-phy_mask-for-ax88772-mdio-bus.patch | 42 ++++++++ ...ite-retry-looping-in-netlink_unicast.patch | 80 +++++++++++++++ ...3-only-get-irq-for-device-instance-0.patch | 98 +++++++++++++++++++ ...re-led-blink-interval-for-hw-offload.patch | 85 ++++++++++++++++ queue-6.12/series | 22 +++++ ...t-lstrp-update-in-negotiate-protocol.patch | 52 ++++++++++ ...slab-out-of-bounds-on-mount-to-ksmbd.patch | 95 ++++++++++++++++++ 23 files changed, 1267 insertions(+) create mode 100644 queue-6.12/alsa-hda-realtek-add-framework-laptop-13-amd-ryzen-ai-300-to-quirks.patch create mode 100644 queue-6.12/alsa-hda-realtek-fix-headset-mic-on-honor-brb-x.patch create mode 100644 queue-6.12/alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch create mode 100644 queue-6.12/alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch create mode 100644 queue-6.12/gpio-mlxbf2-use-platform_get_irq_optional.patch create mode 100644 queue-6.12/gpio-mlxbf3-use-platform_get_irq_optional.patch create mode 100644 queue-6.12/gpio-virtio-fix-config-space-reading.patch create mode 100644 queue-6.12/io_uring-don-t-use-int-for-abi.patch create mode 100644 queue-6.12/leds-flash-leds-qcom-flash-fix-registry-access-after-re-bind.patch create mode 100644 queue-6.12/net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch create mode 100644 queue-6.12/net-enetc-fix-device-and-of-node-leak-at-probe.patch create mode 100644 queue-6.12/net-ftgmac100-fix-potential-null-pointer-access-in-ftgmac100_phy_disconnect.patch create mode 100644 queue-6.12/net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch create mode 100644 queue-6.12/net-mtk_eth_soc-fix-device-leak-at-probe.patch create mode 100644 queue-6.12/net-phy-micrel-fix-ksz8081-ksz8091-cable-test.patch create mode 100644 queue-6.12/net-ti-icss-iep-fix-device-and-of-node-leaks-at-probe.patch create mode 100644 queue-6.12/net-usb-asix_devices-add-phy_mask-for-ax88772-mdio-bus.patch create mode 100644 queue-6.12/netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch create mode 100644 queue-6.12/revert-gpio-mlxbf3-only-get-irq-for-device-instance-0.patch create mode 100644 queue-6.12/revert-leds-trigger-netdev-configure-led-blink-interval-for-hw-offload.patch create mode 100644 queue-6.12/series create mode 100644 queue-6.12/smb-client-remove-redundant-lstrp-update-in-negotiate-protocol.patch create mode 100644 queue-6.12/smb3-fix-for-slab-out-of-bounds-on-mount-to-ksmbd.patch diff --git a/queue-6.12/alsa-hda-realtek-add-framework-laptop-13-amd-ryzen-ai-300-to-quirks.patch b/queue-6.12/alsa-hda-realtek-add-framework-laptop-13-amd-ryzen-ai-300-to-quirks.patch new file mode 100644 index 0000000000..23f3c15d26 --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-add-framework-laptop-13-amd-ryzen-ai-300-to-quirks.patch @@ -0,0 +1,31 @@ +From 0db77eccd964b11ab2b757031d1354fcc5a025ea Mon Sep 17 00:00:00 2001 +From: Christopher Eby +Date: Sat, 9 Aug 2025 20:00:06 -0700 +Subject: ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks + +From: Christopher Eby + +commit 0db77eccd964b11ab2b757031d1354fcc5a025ea upstream. + +Framework Laptop 13 (AMD Ryzen AI 300) requires the same quirk for +headset detection as other Framework 13 models. + +Signed-off-by: Christopher Eby +Cc: +Link: https://patch.msgid.link/20250810030006.9060-1-kreed@kreed.org +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11348,6 +11348,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0xf111, 0x0001, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0xf111, 0x0006, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0xf111, 0x0009, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0xf111, 0x000b, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0xf111, 0x000c, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE), + + #if 0 diff --git a/queue-6.12/alsa-hda-realtek-fix-headset-mic-on-honor-brb-x.patch b/queue-6.12/alsa-hda-realtek-fix-headset-mic-on-honor-brb-x.patch new file mode 100644 index 0000000000..9581fa059a --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-fix-headset-mic-on-honor-brb-x.patch @@ -0,0 +1,31 @@ +From b26e2afb3834d4a61ce54c8484ff6014bef0b4b7 Mon Sep 17 00:00:00 2001 +From: Vasiliy Kovalev +Date: Mon, 11 Aug 2025 16:27:16 +0300 +Subject: ALSA: hda/realtek: Fix headset mic on HONOR BRB-X + +From: Vasiliy Kovalev + +commit b26e2afb3834d4a61ce54c8484ff6014bef0b4b7 upstream. + +Add a PCI quirk to enable microphone input on the headphone jack on +the HONOR BRB-X M1010 laptop. + +Signed-off-by: Vasiliy Kovalev +Cc: +Link: https://patch.msgid.link/20250811132716.45076-1-kovalev@altlinux.org +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -11331,6 +11331,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x1d72, 0x1901, "RedmiBook 14", ALC256_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1d72, 0x1945, "Redmi G", ALC256_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1d72, 0x1947, "RedmiBook Air", ALC255_FIXUP_XIAOMI_HEADSET_MIC), ++ SND_PCI_QUIRK(0x1ee7, 0x2078, "HONOR BRB-X M1010", ALC2XX_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x1f66, 0x0105, "Ayaneo Portable Game Player", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x2014, 0x800a, "Positivo ARN50", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), + SND_PCI_QUIRK(0x2782, 0x0214, "VAIO VJFE-CL", ALC269_FIXUP_LIMIT_INT_MIC_BOOST), diff --git a/queue-6.12/alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch b/queue-6.12/alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch new file mode 100644 index 0000000000..8d5fff83bf --- /dev/null +++ b/queue-6.12/alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch @@ -0,0 +1,91 @@ +From ecfd41166b72b67d3bdeb88d224ff445f6163869 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 14 Aug 2025 10:12:43 +0200 +Subject: ALSA: usb-audio: Validate UAC3 cluster segment descriptors + +From: Takashi Iwai + +commit ecfd41166b72b67d3bdeb88d224ff445f6163869 upstream. + +UAC3 class segment descriptors need to be verified whether their sizes +match with the declared lengths and whether they fit with the +allocated buffer sizes, too. Otherwise malicious firmware may lead to +the unexpected OOB accesses. + +Fixes: 11785ef53228 ("ALSA: usb-audio: Initial Power Domain support") +Reported-and-tested-by: Youngjun Lee +Cc: +Link: https://patch.msgid.link/20250814081245.8902-2-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/stream.c | 25 ++++++++++++++++++++++--- + 1 file changed, 22 insertions(+), 3 deletions(-) + +--- a/sound/usb/stream.c ++++ b/sound/usb/stream.c +@@ -341,20 +341,28 @@ snd_pcm_chmap_elem *convert_chmap_v3(str + + len = le16_to_cpu(cluster->wLength); + c = 0; +- p += sizeof(struct uac3_cluster_header_descriptor); ++ p += sizeof(*cluster); ++ len -= sizeof(*cluster); + +- while (((p - (void *)cluster) < len) && (c < channels)) { ++ while (len > 0 && (c < channels)) { + struct uac3_cluster_segment_descriptor *cs_desc = p; + u16 cs_len; + u8 cs_type; + ++ if (len < sizeof(*p)) ++ break; + cs_len = le16_to_cpu(cs_desc->wLength); ++ if (len < cs_len) ++ break; + cs_type = cs_desc->bSegmentType; + + if (cs_type == UAC3_CHANNEL_INFORMATION) { + struct uac3_cluster_information_segment_descriptor *is = p; + unsigned char map; + ++ if (cs_len < sizeof(*is)) ++ break; ++ + /* + * TODO: this conversion is not complete, update it + * after adding UAC3 values to asound.h +@@ -456,6 +464,7 @@ snd_pcm_chmap_elem *convert_chmap_v3(str + chmap->map[c++] = map; + } + p += cs_len; ++ len -= cs_len; + } + + if (channels < c) +@@ -880,7 +889,7 @@ snd_usb_get_audioformat_uac3(struct snd_ + u64 badd_formats = 0; + unsigned int num_channels; + struct audioformat *fp; +- u16 cluster_id, wLength; ++ u16 cluster_id, wLength, cluster_wLength; + int clock = 0; + int err; + +@@ -1008,6 +1017,16 @@ snd_usb_get_audioformat_uac3(struct snd_ + iface_no, altno); + kfree(cluster); + return ERR_PTR(-EIO); ++ } ++ ++ cluster_wLength = le16_to_cpu(cluster->wLength); ++ if (cluster_wLength < sizeof(*cluster) || ++ cluster_wLength > wLength) { ++ dev_err(&dev->dev, ++ "%u:%d : invalid Cluster Descriptor size\n", ++ iface_no, altno); ++ kfree(cluster); ++ return ERR_PTR(-EIO); + } + + num_channels = cluster->bNrChannels; diff --git a/queue-6.12/alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch b/queue-6.12/alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch new file mode 100644 index 0000000000..cf5680e1ba --- /dev/null +++ b/queue-6.12/alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch @@ -0,0 +1,51 @@ +From d832ccbc301fbd9e5a1d691bdcf461cdb514595f Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 14 Aug 2025 10:12:42 +0200 +Subject: ALSA: usb-audio: Validate UAC3 power domain descriptors, too + +From: Takashi Iwai + +commit d832ccbc301fbd9e5a1d691bdcf461cdb514595f upstream. + +UAC3 power domain descriptors need to be verified with its variable +bLength for avoiding the unexpected OOB accesses by malicious +firmware, too. + +Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support") +Reported-and-tested-by: Youngjun Lee +Cc: +Link: https://patch.msgid.link/20250814081245.8902-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/validate.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/sound/usb/validate.c ++++ b/sound/usb/validate.c +@@ -221,6 +221,17 @@ static bool validate_uac3_feature_unit(c + return d->bLength >= sizeof(*d) + 4 + 2; + } + ++static bool validate_uac3_power_domain_unit(const void *p, ++ const struct usb_desc_validator *v) ++{ ++ const struct uac3_power_domain_descriptor *d = p; ++ ++ if (d->bLength < sizeof(*d)) ++ return false; ++ /* baEntities[] + wPDomainDescrStr */ ++ return d->bLength >= sizeof(*d) + d->bNrEntities + 2; ++} ++ + static bool validate_midi_out_jack(const void *p, + const struct usb_desc_validator *v) + { +@@ -285,6 +296,7 @@ static const struct usb_desc_validator a + struct uac3_clock_multiplier_descriptor), + /* UAC_VERSION_3, UAC3_SAMPLE_RATE_CONVERTER: not implemented yet */ + /* UAC_VERSION_3, UAC3_CONNECTORS: not implemented yet */ ++ FUNC(UAC_VERSION_3, UAC3_POWER_DOMAIN, validate_uac3_power_domain_unit), + { } /* terminator */ + }; + diff --git a/queue-6.12/gpio-mlxbf2-use-platform_get_irq_optional.patch b/queue-6.12/gpio-mlxbf2-use-platform_get_irq_optional.patch new file mode 100644 index 0000000000..833ac47b55 --- /dev/null +++ b/queue-6.12/gpio-mlxbf2-use-platform_get_irq_optional.patch @@ -0,0 +1,39 @@ +From 63c7bc53a35e785accdc2ceab8f72d94501931ab Mon Sep 17 00:00:00 2001 +From: David Thompson +Date: Mon, 28 Jul 2025 10:46:19 -0400 +Subject: gpio: mlxbf2: use platform_get_irq_optional() + +From: David Thompson + +commit 63c7bc53a35e785accdc2ceab8f72d94501931ab upstream. + +The gpio-mlxbf2 driver interfaces with four GPIO controllers, +device instances 0-3. There are two IRQ resources shared between +the four controllers, and they are found in the ACPI table for +instances 0 and 3. The driver should not use platform_get_irq(), +otherwise this error is logged when probing instances 1 and 2: + mlxbf2_gpio MLNXBF22:01: error -ENXIO: IRQ index 0 not found + +Fixes: 2b725265cb08 ("gpio: mlxbf2: Introduce IRQ support") +Cc: stable@vger.kernel.org +Signed-off-by: David Thompson +Reviewed-by: Shravan Kumar Ramani +Reviewed-by: Mika Westerberg +Link: https://lore.kernel.org/r/20250728144619.29894-1-davthompson@nvidia.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-mlxbf2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-mlxbf2.c ++++ b/drivers/gpio/gpio-mlxbf2.c +@@ -397,7 +397,7 @@ mlxbf2_gpio_probe(struct platform_device + gc->ngpio = npins; + gc->owner = THIS_MODULE; + +- irq = platform_get_irq(pdev, 0); ++ irq = platform_get_irq_optional(pdev, 0); + if (irq >= 0) { + girq = &gs->gc.irq; + gpio_irq_chip_set_chip(girq, &mlxbf2_gpio_irq_chip); diff --git a/queue-6.12/gpio-mlxbf3-use-platform_get_irq_optional.patch b/queue-6.12/gpio-mlxbf3-use-platform_get_irq_optional.patch new file mode 100644 index 0000000000..fa87ea3ed6 --- /dev/null +++ b/queue-6.12/gpio-mlxbf3-use-platform_get_irq_optional.patch @@ -0,0 +1,38 @@ +From 810bd9066fb1871b8a9528f31f2fdbf2a8b73bf2 Mon Sep 17 00:00:00 2001 +From: David Thompson +Date: Mon, 11 Aug 2025 13:50:45 -0400 +Subject: gpio: mlxbf3: use platform_get_irq_optional() + +From: David Thompson + +commit 810bd9066fb1871b8a9528f31f2fdbf2a8b73bf2 upstream. + +The gpio-mlxbf3 driver interfaces with two GPIO controllers, +device instance 0 and 1. There is a single IRQ resource shared +between the two controllers, and it is found in the ACPI table for +device instance 0. The driver should not use platform_get_irq(), +otherwise this error is logged when probing instance 1: + mlxbf3_gpio MLNXBF33:01: error -ENXIO: IRQ index 0 not found + +Cc: stable@vger.kernel.org +Fixes: cd33f216d241 ("gpio: mlxbf3: Add gpio driver support") +Signed-off-by: David Thompson +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/ce70b98a201ce82b9df9aa80ac7a5eeaa2268e52.1754928650.git.davthompson@nvidia.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-mlxbf3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-mlxbf3.c ++++ b/drivers/gpio/gpio-mlxbf3.c +@@ -227,7 +227,7 @@ static int mlxbf3_gpio_probe(struct plat + gc->owner = THIS_MODULE; + gc->add_pin_ranges = mlxbf3_gpio_add_pin_ranges; + +- irq = platform_get_irq(pdev, 0); ++ irq = platform_get_irq_optional(pdev, 0); + if (irq >= 0) { + girq = &gs->gc.irq; + gpio_irq_chip_set_chip(girq, &gpio_mlxbf3_irqchip); diff --git a/queue-6.12/gpio-virtio-fix-config-space-reading.patch b/queue-6.12/gpio-virtio-fix-config-space-reading.patch new file mode 100644 index 0000000000..3955894421 --- /dev/null +++ b/queue-6.12/gpio-virtio-fix-config-space-reading.patch @@ -0,0 +1,52 @@ +From 4740e1e2f320061c2f0dbadc0dd3dfb58df986d5 Mon Sep 17 00:00:00 2001 +From: Harald Mommer +Date: Thu, 24 Jul 2025 16:36:53 +0200 +Subject: gpio: virtio: Fix config space reading. + +From: Harald Mommer + +commit 4740e1e2f320061c2f0dbadc0dd3dfb58df986d5 upstream. + +Quote from the virtio specification chapter 4.2.2.2: + +"For the device-specific configuration space, the driver MUST use 8 bit +wide accesses for 8 bit wide fields, 16 bit wide and aligned accesses +for 16 bit wide fields and 32 bit wide and aligned accesses for 32 and +64 bit wide fields." + +Signed-off-by: Harald Mommer +Cc: stable@vger.kernel.org +Fixes: 3a29355a22c0 ("gpio: Add virtio-gpio driver") +Acked-by: Viresh Kumar +Link: https://lore.kernel.org/r/20250724143718.5442-2-harald.mommer@oss.qualcomm.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-virtio.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/gpio/gpio-virtio.c ++++ b/drivers/gpio/gpio-virtio.c +@@ -539,7 +539,6 @@ static const char **virtio_gpio_get_name + + static int virtio_gpio_probe(struct virtio_device *vdev) + { +- struct virtio_gpio_config config; + struct device *dev = &vdev->dev; + struct virtio_gpio *vgpio; + u32 gpio_names_size; +@@ -551,9 +550,11 @@ static int virtio_gpio_probe(struct virt + return -ENOMEM; + + /* Read configuration */ +- virtio_cread_bytes(vdev, 0, &config, sizeof(config)); +- gpio_names_size = le32_to_cpu(config.gpio_names_size); +- ngpio = le16_to_cpu(config.ngpio); ++ gpio_names_size = ++ virtio_cread32(vdev, offsetof(struct virtio_gpio_config, ++ gpio_names_size)); ++ ngpio = virtio_cread16(vdev, offsetof(struct virtio_gpio_config, ++ ngpio)); + if (!ngpio) { + dev_err(dev, "Number of GPIOs can't be zero\n"); + return -EINVAL; diff --git a/queue-6.12/io_uring-don-t-use-int-for-abi.patch b/queue-6.12/io_uring-don-t-use-int-for-abi.patch new file mode 100644 index 0000000000..b3d47d81af --- /dev/null +++ b/queue-6.12/io_uring-don-t-use-int-for-abi.patch @@ -0,0 +1,35 @@ +From cf73d9970ea4f8cace5d8f02d2565a2723003112 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Wed, 2 Jul 2025 21:31:54 +0100 +Subject: io_uring: don't use int for ABI + +From: Pavel Begunkov + +commit cf73d9970ea4f8cace5d8f02d2565a2723003112 upstream. + +__kernel_rwf_t is defined as int, the actual size of which is +implementation defined. It won't go well if some compiler / archs +ever defines it as i64, so replace it with __u32, hoping that +there is no one using i16 for it. + +Cc: stable@vger.kernel.org +Fixes: 2b188cc1bb857 ("Add io_uring IO interface") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/47c666c4ee1df2018863af3a2028af18feef11ed.1751412511.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/linux/io_uring.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/uapi/linux/io_uring.h ++++ b/include/uapi/linux/io_uring.h +@@ -50,7 +50,7 @@ struct io_uring_sqe { + }; + __u32 len; /* buffer size or number of iovecs */ + union { +- __kernel_rwf_t rw_flags; ++ __u32 rw_flags; + __u32 fsync_flags; + __u16 poll_events; /* compatibility */ + __u32 poll32_events; /* word-reversed for BE */ diff --git a/queue-6.12/leds-flash-leds-qcom-flash-fix-registry-access-after-re-bind.patch b/queue-6.12/leds-flash-leds-qcom-flash-fix-registry-access-after-re-bind.patch new file mode 100644 index 0000000000..7897442a24 --- /dev/null +++ b/queue-6.12/leds-flash-leds-qcom-flash-fix-registry-access-after-re-bind.patch @@ -0,0 +1,78 @@ +From fab15f57360b1e6620a1d0d6b0fbee896e6c1f07 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 29 May 2025 08:33:36 +0200 +Subject: leds: flash: leds-qcom-flash: Fix registry access after re-bind + +From: Krzysztof Kozlowski + +commit fab15f57360b1e6620a1d0d6b0fbee896e6c1f07 upstream. + +Driver in probe() updates each of 'reg_field' with 'reg_base': + + for (i = 0; i < REG_MAX_COUNT; i++) + regs[i].reg += reg_base; + +'reg_field' array (under variable 'regs' above) is statically allocated, +thus each re-bind would add another 'reg_base' leading to bogus +register addresses. Constify the local 'reg_field' array and duplicate +it in probe to solve this. + +Fixes: 96a2e242a5dc ("leds: flash: Add driver to support flash LED module in QCOM PMICs") +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Fenglin Wu +Link: https://lore.kernel.org/r/20250529063335.8785-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/leds/flash/leds-qcom-flash.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/leds/flash/leds-qcom-flash.c ++++ b/drivers/leds/flash/leds-qcom-flash.c +@@ -117,7 +117,7 @@ enum { + REG_MAX_COUNT, + }; + +-static struct reg_field mvflash_3ch_regs[REG_MAX_COUNT] = { ++static const struct reg_field mvflash_3ch_regs[REG_MAX_COUNT] = { + REG_FIELD(0x08, 0, 7), /* status1 */ + REG_FIELD(0x09, 0, 7), /* status2 */ + REG_FIELD(0x0a, 0, 7), /* status3 */ +@@ -132,7 +132,7 @@ static struct reg_field mvflash_3ch_regs + REG_FIELD(0x58, 0, 2), /* therm_thrsh3 */ + }; + +-static struct reg_field mvflash_4ch_regs[REG_MAX_COUNT] = { ++static const struct reg_field mvflash_4ch_regs[REG_MAX_COUNT] = { + REG_FIELD(0x06, 0, 7), /* status1 */ + REG_FIELD(0x07, 0, 6), /* status2 */ + REG_FIELD(0x09, 0, 7), /* status3 */ +@@ -855,11 +855,17 @@ static int qcom_flash_led_probe(struct p + if (val == FLASH_SUBTYPE_3CH_PM8150_VAL || val == FLASH_SUBTYPE_3CH_PMI8998_VAL) { + flash_data->hw_type = QCOM_MVFLASH_3CH; + flash_data->max_channels = 3; +- regs = mvflash_3ch_regs; ++ regs = devm_kmemdup(dev, mvflash_3ch_regs, sizeof(mvflash_3ch_regs), ++ GFP_KERNEL); ++ if (!regs) ++ return -ENOMEM; + } else if (val == FLASH_SUBTYPE_4CH_VAL) { + flash_data->hw_type = QCOM_MVFLASH_4CH; + flash_data->max_channels = 4; +- regs = mvflash_4ch_regs; ++ regs = devm_kmemdup(dev, mvflash_4ch_regs, sizeof(mvflash_4ch_regs), ++ GFP_KERNEL); ++ if (!regs) ++ return -ENOMEM; + + rc = regmap_read(regmap, reg_base + FLASH_REVISION_REG, &val); + if (rc < 0) { +@@ -881,6 +887,7 @@ static int qcom_flash_led_probe(struct p + dev_err(dev, "Failed to allocate regmap field, rc=%d\n", rc); + return rc; + } ++ devm_kfree(dev, regs); /* devm_regmap_field_bulk_alloc() makes copies */ + + platform_set_drvdata(pdev, flash_data); + mutex_init(&flash_data->lock); diff --git a/queue-6.12/net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch b/queue-6.12/net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch new file mode 100644 index 0000000000..9708f3412d --- /dev/null +++ b/queue-6.12/net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch @@ -0,0 +1,41 @@ +From 3fa840230f534385b34a4f39c8dd313fbe723f05 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 25 Jul 2025 19:12:09 +0200 +Subject: net: dpaa: fix device leak when querying time stamp info + +From: Johan Hovold + +commit 3fa840230f534385b34a4f39c8dd313fbe723f05 upstream. + +Make sure to drop the reference to the ptp device taken by +of_find_device_by_node() when querying the time stamping capabilities. + +Note that holding a reference to the ptp device does not prevent its +driver data from going away. + +Fixes: 17ae0b0ee9db ("dpaa_eth: add the get_ts_info interface for ethtool") +Cc: stable@vger.kernel.org # 4.19 +Cc: Yangbo Lu +Signed-off-by: Johan Hovold +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250725171213.880-2-johan@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c ++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c +@@ -415,8 +415,10 @@ static int dpaa_get_ts_info(struct net_d + of_node_put(ptp_node); + } + +- if (ptp_dev) ++ if (ptp_dev) { + ptp = platform_get_drvdata(ptp_dev); ++ put_device(&ptp_dev->dev); ++ } + + if (ptp) + info->phc_index = ptp->phc_index; diff --git a/queue-6.12/net-enetc-fix-device-and-of-node-leak-at-probe.patch b/queue-6.12/net-enetc-fix-device-and-of-node-leak-at-probe.patch new file mode 100644 index 0000000000..58b00f65eb --- /dev/null +++ b/queue-6.12/net-enetc-fix-device-and-of-node-leak-at-probe.patch @@ -0,0 +1,58 @@ +From 70458f8a6b44daf3ad39f0d9b6d1097c8a7780ed Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 25 Jul 2025 19:12:10 +0200 +Subject: net: enetc: fix device and OF node leak at probe + +From: Johan Hovold + +commit 70458f8a6b44daf3ad39f0d9b6d1097c8a7780ed upstream. + +Make sure to drop the references to the IERB OF node and platform device +taken by of_parse_phandle() and of_find_device_by_node() during probe. + +Fixes: e7d48e5fbf30 ("net: enetc: add a mini driver for the Integrated Endpoint Register Block") +Cc: stable@vger.kernel.org # 5.13 +Cc: Vladimir Oltean +Signed-off-by: Johan Hovold +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250725171213.880-3-johan@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/enetc/enetc_pf.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/freescale/enetc/enetc_pf.c ++++ b/drivers/net/ethernet/freescale/enetc/enetc_pf.c +@@ -1182,19 +1182,29 @@ static int enetc_pf_register_with_ierb(s + { + struct platform_device *ierb_pdev; + struct device_node *ierb_node; ++ int ret; + + ierb_node = of_find_compatible_node(NULL, NULL, + "fsl,ls1028a-enetc-ierb"); +- if (!ierb_node || !of_device_is_available(ierb_node)) ++ if (!ierb_node) + return -ENODEV; + ++ if (!of_device_is_available(ierb_node)) { ++ of_node_put(ierb_node); ++ return -ENODEV; ++ } ++ + ierb_pdev = of_find_device_by_node(ierb_node); + of_node_put(ierb_node); + + if (!ierb_pdev) + return -EPROBE_DEFER; + +- return enetc_ierb_register_pf(ierb_pdev, pdev); ++ ret = enetc_ierb_register_pf(ierb_pdev, pdev); ++ ++ put_device(&ierb_pdev->dev); ++ ++ return ret; + } + + static struct enetc_si *enetc_psi_create(struct pci_dev *pdev) diff --git a/queue-6.12/net-ftgmac100-fix-potential-null-pointer-access-in-ftgmac100_phy_disconnect.patch b/queue-6.12/net-ftgmac100-fix-potential-null-pointer-access-in-ftgmac100_phy_disconnect.patch new file mode 100644 index 0000000000..113fc4ab55 --- /dev/null +++ b/queue-6.12/net-ftgmac100-fix-potential-null-pointer-access-in-ftgmac100_phy_disconnect.patch @@ -0,0 +1,47 @@ +From e88fbc30dda1cb7438515303704ceddb3ade4ecd Mon Sep 17 00:00:00 2001 +From: Heiner Kallweit +Date: Wed, 30 Jul 2025 22:23:23 +0200 +Subject: net: ftgmac100: fix potential NULL pointer access in ftgmac100_phy_disconnect + +From: Heiner Kallweit + +commit e88fbc30dda1cb7438515303704ceddb3ade4ecd upstream. + +After the call to phy_disconnect() netdev->phydev is reset to NULL. +So fixed_phy_unregister() would be called with a NULL pointer as argument. +Therefore cache the phy_device before this call. + +Fixes: e24a6c874601 ("net: ftgmac100: Get link speed and duplex for NC-SI") +Cc: stable@vger.kernel.org +Signed-off-by: Heiner Kallweit +Reviewed-by: Dawid Osuchowski +Link: https://patch.msgid.link/2b80a77a-06db-4dd7-85dc-3a8e0de55a1d@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/faraday/ftgmac100.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/faraday/ftgmac100.c ++++ b/drivers/net/ethernet/faraday/ftgmac100.c +@@ -1730,16 +1730,17 @@ err_register_mdiobus: + static void ftgmac100_phy_disconnect(struct net_device *netdev) + { + struct ftgmac100 *priv = netdev_priv(netdev); ++ struct phy_device *phydev = netdev->phydev; + +- if (!netdev->phydev) ++ if (!phydev) + return; + +- phy_disconnect(netdev->phydev); ++ phy_disconnect(phydev); + if (of_phy_is_fixed_link(priv->dev->of_node)) + of_phy_deregister_fixed_link(priv->dev->of_node); + + if (priv->use_ncsi) +- fixed_phy_unregister(netdev->phydev); ++ fixed_phy_unregister(phydev); + } + + static void ftgmac100_destroy_mdio(struct net_device *netdev) diff --git a/queue-6.12/net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch b/queue-6.12/net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch new file mode 100644 index 0000000000..3072e112c4 --- /dev/null +++ b/queue-6.12/net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch @@ -0,0 +1,41 @@ +From da717540acd34e5056e3fa35791d50f6b3303f55 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 25 Jul 2025 19:12:11 +0200 +Subject: net: gianfar: fix device leak when querying time stamp info + +From: Johan Hovold + +commit da717540acd34e5056e3fa35791d50f6b3303f55 upstream. + +Make sure to drop the reference to the ptp device taken by +of_find_device_by_node() when querying the time stamping capabilities. + +Note that holding a reference to the ptp device does not prevent its +driver data from going away. + +Fixes: 7349a74ea75c ("net: ethernet: gianfar_ethtool: get phc index through drvdata") +Cc: stable@vger.kernel.org # 4.18 +Cc: Yangbo Lu +Signed-off-by: Johan Hovold +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250725171213.880-4-johan@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/gianfar_ethtool.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/gianfar_ethtool.c ++++ b/drivers/net/ethernet/freescale/gianfar_ethtool.c +@@ -1464,8 +1464,10 @@ static int gfar_get_ts_info(struct net_d + if (ptp_node) { + ptp_dev = of_find_device_by_node(ptp_node); + of_node_put(ptp_node); +- if (ptp_dev) ++ if (ptp_dev) { + ptp = platform_get_drvdata(ptp_dev); ++ put_device(&ptp_dev->dev); ++ } + } + + if (ptp) diff --git a/queue-6.12/net-mtk_eth_soc-fix-device-leak-at-probe.patch b/queue-6.12/net-mtk_eth_soc-fix-device-leak-at-probe.patch new file mode 100644 index 0000000000..a5b9e77e3f --- /dev/null +++ b/queue-6.12/net-mtk_eth_soc-fix-device-leak-at-probe.patch @@ -0,0 +1,35 @@ +From 3e13274ca8750823e8b68181bdf185d238febe0d Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 25 Jul 2025 19:12:12 +0200 +Subject: net: mtk_eth_soc: fix device leak at probe + +From: Johan Hovold + +commit 3e13274ca8750823e8b68181bdf185d238febe0d upstream. + +The reference count to the WED devices has already been incremented when +looking them up using of_find_device_by_node() so drop the bogus +additional reference taken during probe. + +Fixes: 804775dfc288 ("net: ethernet: mtk_eth_soc: add support for Wireless Ethernet Dispatch (WED)") +Cc: stable@vger.kernel.org # 5.19 +Cc: Felix Fietkau +Signed-off-by: Johan Hovold +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250725171213.880-5-johan@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mediatek/mtk_wed.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/ethernet/mediatek/mtk_wed.c ++++ b/drivers/net/ethernet/mediatek/mtk_wed.c +@@ -2794,7 +2794,6 @@ void mtk_wed_add_hw(struct device_node * + if (!pdev) + goto err_of_node_put; + +- get_device(&pdev->dev); + irq = platform_get_irq(pdev, 0); + if (irq < 0) + goto err_put_device; diff --git a/queue-6.12/net-phy-micrel-fix-ksz8081-ksz8091-cable-test.patch b/queue-6.12/net-phy-micrel-fix-ksz8081-ksz8091-cable-test.patch new file mode 100644 index 0000000000..f3c21a801b --- /dev/null +++ b/queue-6.12/net-phy-micrel-fix-ksz8081-ksz8091-cable-test.patch @@ -0,0 +1,43 @@ +From 49db61c27c4bbd24364086dc0892bd3e14c1502e Mon Sep 17 00:00:00 2001 +From: Florian Larysch +Date: Thu, 24 Jul 2025 00:20:42 +0200 +Subject: net: phy: micrel: fix KSZ8081/KSZ8091 cable test + +From: Florian Larysch + +commit 49db61c27c4bbd24364086dc0892bd3e14c1502e upstream. + +Commit 21b688dabecb ("net: phy: micrel: Cable Diag feature for lan8814 +phy") introduced cable_test support for the LAN8814 that reuses parts of +the KSZ886x logic and introduced the cable_diag_reg and pair_mask +parameters to account for differences between those chips. + +However, it did not update the ksz8081_type struct, so those members are +now 0, causing no pairs to be tested in ksz886x_cable_test_get_status +and ksz886x_cable_test_wait_for_completion to poll the wrong register +for the affected PHYs (Basic Control/Reset, which is 0 in normal +operation) and exit immediately. + +Fix this by setting both struct members accordingly. + +Fixes: 21b688dabecb ("net: phy: micrel: Cable Diag feature for lan8814 phy") +Cc: stable@vger.kernel.org +Signed-off-by: Florian Larysch +Link: https://patch.msgid.link/20250723222250.13960-1-fl@n621.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/micrel.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -470,6 +470,8 @@ static const struct kszphy_type ksz8051_ + + static const struct kszphy_type ksz8081_type = { + .led_mode_reg = MII_KSZPHY_CTRL_2, ++ .cable_diag_reg = KSZ8081_LMD, ++ .pair_mask = KSZPHY_WIRE_PAIR_MASK, + .has_broadcast_disable = true, + .has_nand_tree_disable = true, + .has_rmii_ref_clk_sel = true, diff --git a/queue-6.12/net-ti-icss-iep-fix-device-and-of-node-leaks-at-probe.patch b/queue-6.12/net-ti-icss-iep-fix-device-and-of-node-leaks-at-probe.patch new file mode 100644 index 0000000000..2fb1079055 --- /dev/null +++ b/queue-6.12/net-ti-icss-iep-fix-device-and-of-node-leaks-at-probe.patch @@ -0,0 +1,82 @@ +From e05c54974a05ab19658433545d6ced88d9075cf0 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 25 Jul 2025 19:12:13 +0200 +Subject: net: ti: icss-iep: fix device and OF node leaks at probe + +From: Johan Hovold + +commit e05c54974a05ab19658433545d6ced88d9075cf0 upstream. + +Make sure to drop the references to the IEP OF node and device taken by +of_parse_phandle() and of_find_device_by_node() when looking up IEP +devices during probe. + +Drop the bogus additional reference taken on successful lookup so that +the device is released correctly by icss_iep_put(). + +Fixes: c1e0230eeaab ("net: ti: icss-iep: Add IEP driver") +Cc: stable@vger.kernel.org # 6.6 +Cc: Roger Quadros +Signed-off-by: Johan Hovold +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250725171213.880-6-johan@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/icssg/icss_iep.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/ti/icssg/icss_iep.c ++++ b/drivers/net/ethernet/ti/icssg/icss_iep.c +@@ -685,11 +685,17 @@ struct icss_iep *icss_iep_get_idx(struct + struct platform_device *pdev; + struct device_node *iep_np; + struct icss_iep *iep; ++ int ret; + + iep_np = of_parse_phandle(np, "ti,iep", idx); +- if (!iep_np || !of_device_is_available(iep_np)) ++ if (!iep_np) + return ERR_PTR(-ENODEV); + ++ if (!of_device_is_available(iep_np)) { ++ of_node_put(iep_np); ++ return ERR_PTR(-ENODEV); ++ } ++ + pdev = of_find_device_by_node(iep_np); + of_node_put(iep_np); + +@@ -698,21 +704,28 @@ struct icss_iep *icss_iep_get_idx(struct + return ERR_PTR(-EPROBE_DEFER); + + iep = platform_get_drvdata(pdev); +- if (!iep) +- return ERR_PTR(-EPROBE_DEFER); ++ if (!iep) { ++ ret = -EPROBE_DEFER; ++ goto err_put_pdev; ++ } + + device_lock(iep->dev); + if (iep->client_np) { + device_unlock(iep->dev); + dev_err(iep->dev, "IEP is already acquired by %s", + iep->client_np->name); +- return ERR_PTR(-EBUSY); ++ ret = -EBUSY; ++ goto err_put_pdev; + } + iep->client_np = np; + device_unlock(iep->dev); +- get_device(iep->dev); + + return iep; ++ ++err_put_pdev: ++ put_device(&pdev->dev); ++ ++ return ERR_PTR(ret); + } + EXPORT_SYMBOL_GPL(icss_iep_get_idx); + diff --git a/queue-6.12/net-usb-asix_devices-add-phy_mask-for-ax88772-mdio-bus.patch b/queue-6.12/net-usb-asix_devices-add-phy_mask-for-ax88772-mdio-bus.patch new file mode 100644 index 0000000000..8c1e686f9a --- /dev/null +++ b/queue-6.12/net-usb-asix_devices-add-phy_mask-for-ax88772-mdio-bus.patch @@ -0,0 +1,42 @@ +From 4faff70959d51078f9ee8372f8cff0d7045e4114 Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Mon, 11 Aug 2025 17:29:31 +0800 +Subject: net: usb: asix_devices: add phy_mask for ax88772 mdio bus + +From: Xu Yang + +commit 4faff70959d51078f9ee8372f8cff0d7045e4114 upstream. + +Without setting phy_mask for ax88772 mdio bus, current driver may create +at most 32 mdio phy devices with phy address range from 0x00 ~ 0x1f. +DLink DUB-E100 H/W Ver B1 is such a device. However, only one main phy +device will bind to net phy driver. This is creating issue during system +suspend/resume since phy_polling_mode() in phy_state_machine() will +directly deference member of phydev->drv for non-main phy devices. Then +NULL pointer dereference issue will occur. Due to only external phy or +internal phy is necessary, add phy_mask for ax88772 mdio bus to workarnoud +the issue. + +Closes: https://lore.kernel.org/netdev/20250806082931.3289134-1-xu.yang_2@nxp.com +Fixes: e532a096be0e ("net: usb: asix: ax88772: add phylib support") +Cc: stable@vger.kernel.org +Signed-off-by: Xu Yang +Tested-by: Oleksij Rempel +Reviewed-by: Oleksij Rempel +Link: https://patch.msgid.link/20250811092931.860333-1-xu.yang_2@nxp.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/asix_devices.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/asix_devices.c ++++ b/drivers/net/usb/asix_devices.c +@@ -676,6 +676,7 @@ static int ax88772_init_mdio(struct usbn + priv->mdio->read = &asix_mdio_bus_read; + priv->mdio->write = &asix_mdio_bus_write; + priv->mdio->name = "Asix MDIO Bus"; ++ priv->mdio->phy_mask = ~(BIT(priv->phy_addr) | BIT(AX_EMBD_PHY_ADDR)); + /* mii bus name is usb-- */ + snprintf(priv->mdio->id, MII_BUS_ID_SIZE, "usb-%03d:%03d", + dev->udev->bus->busnum, dev->udev->devnum); diff --git a/queue-6.12/netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch b/queue-6.12/netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch new file mode 100644 index 0000000000..dfc3ce96a5 --- /dev/null +++ b/queue-6.12/netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch @@ -0,0 +1,80 @@ +From 759dfc7d04bab1b0b86113f1164dc1fec192b859 Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Mon, 28 Jul 2025 11:06:47 +0300 +Subject: netlink: avoid infinite retry looping in netlink_unicast() + +From: Fedor Pchelkin + +commit 759dfc7d04bab1b0b86113f1164dc1fec192b859 upstream. + +netlink_attachskb() checks for the socket's read memory allocation +constraints. Firstly, it has: + + rmem < READ_ONCE(sk->sk_rcvbuf) + +to check if the just increased rmem value fits into the socket's receive +buffer. If not, it proceeds and tries to wait for the memory under: + + rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf) + +The checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is +equal to sk->sk_rcvbuf. Thus the function neither successfully accepts +these conditions, nor manages to reschedule the task - and is called in +retry loop for indefinite time which is caught as: + + rcu: INFO: rcu_sched self-detected stall on CPU + rcu: 0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212 + (t=26000 jiffies g=230833 q=259957) + NMI backtrace for cpu 0 + CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014 + Call Trace: + + dump_stack lib/dump_stack.c:120 + nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105 + nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62 + rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335 + rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590 + update_process_times kernel/time/timer.c:1953 + tick_sched_handle kernel/time/tick-sched.c:227 + tick_sched_timer kernel/time/tick-sched.c:1399 + __hrtimer_run_queues kernel/time/hrtimer.c:1652 + hrtimer_interrupt kernel/time/hrtimer.c:1717 + __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113 + asm_call_irq_on_stack arch/x86/entry/entry_64.S:808 + + + netlink_attachskb net/netlink/af_netlink.c:1234 + netlink_unicast net/netlink/af_netlink.c:1349 + kauditd_send_queue kernel/audit.c:776 + kauditd_thread kernel/audit.c:897 + kthread kernel/kthread.c:328 + ret_from_fork arch/x86/entry/entry_64.S:304 + +Restore the original behavior of the check which commit in Fixes +accidentally missed when restructuring the code. + +Found by Linux Verification Center (linuxtesting.org). + +Fixes: ae8f160e7eb2 ("netlink: Fix wraparounds of sk->sk_rmem_alloc.") +Cc: stable@vger.kernel.org +Signed-off-by: Fedor Pchelkin +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250728080727.255138-1-pchelkin@ispras.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/netlink/af_netlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1222,7 +1222,7 @@ int netlink_attachskb(struct sock *sk, s + nlk = nlk_sk(sk); + rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc); + +- if ((rmem == skb->truesize || rmem < READ_ONCE(sk->sk_rcvbuf)) && ++ if ((rmem == skb->truesize || rmem <= READ_ONCE(sk->sk_rcvbuf)) && + !test_bit(NETLINK_S_CONGESTED, &nlk->state)) { + netlink_skb_set_owner_r(skb, sk); + return 0; diff --git a/queue-6.12/revert-gpio-mlxbf3-only-get-irq-for-device-instance-0.patch b/queue-6.12/revert-gpio-mlxbf3-only-get-irq-for-device-instance-0.patch new file mode 100644 index 0000000000..0014c2a7b4 --- /dev/null +++ b/queue-6.12/revert-gpio-mlxbf3-only-get-irq-for-device-instance-0.patch @@ -0,0 +1,98 @@ +From 56bdf7270ff4f870e2d4bfacdc00161e766dba2d Mon Sep 17 00:00:00 2001 +From: David Thompson +Date: Mon, 11 Aug 2025 13:50:44 -0400 +Subject: Revert "gpio: mlxbf3: only get IRQ for device instance 0" + +From: David Thompson + +commit 56bdf7270ff4f870e2d4bfacdc00161e766dba2d upstream. + +This reverts commit 10af0273a35ab4513ca1546644b8c853044da134. + +While this change was merged, it is not the preferred solution. +During review of a similar change to the gpio-mlxbf2 driver, the +use of "platform_get_irq_optional" was identified as the preferred +solution, so let's use it for gpio-mlxbf3 driver as well. + +Cc: stable@vger.kernel.org +Fixes: 10af0273a35a ("gpio: mlxbf3: only get IRQ for device instance 0") +Signed-off-by: David Thompson +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/8d2b630c71b3742f2c74242cf7d602706a6108e6.1754928650.git.davthompson@nvidia.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-mlxbf3.c | 54 +++++++++++++++------------------------------ + 1 file changed, 19 insertions(+), 35 deletions(-) + +--- a/drivers/gpio/gpio-mlxbf3.c ++++ b/drivers/gpio/gpio-mlxbf3.c +@@ -190,9 +190,7 @@ static int mlxbf3_gpio_probe(struct plat + struct mlxbf3_gpio_context *gs; + struct gpio_irq_chip *girq; + struct gpio_chip *gc; +- char *colon_ptr; + int ret, irq; +- long num; + + gs = devm_kzalloc(dev, sizeof(*gs), GFP_KERNEL); + if (!gs) +@@ -229,39 +227,25 @@ static int mlxbf3_gpio_probe(struct plat + gc->owner = THIS_MODULE; + gc->add_pin_ranges = mlxbf3_gpio_add_pin_ranges; + +- colon_ptr = strchr(dev_name(dev), ':'); +- if (!colon_ptr) { +- dev_err(dev, "invalid device name format\n"); +- return -EINVAL; +- } +- +- ret = kstrtol(++colon_ptr, 16, &num); +- if (ret) { +- dev_err(dev, "invalid device instance\n"); +- return ret; +- } +- +- if (!num) { +- irq = platform_get_irq(pdev, 0); +- if (irq >= 0) { +- girq = &gs->gc.irq; +- gpio_irq_chip_set_chip(girq, &gpio_mlxbf3_irqchip); +- girq->default_type = IRQ_TYPE_NONE; +- /* This will let us handle the parent IRQ in the driver */ +- girq->num_parents = 0; +- girq->parents = NULL; +- girq->parent_handler = NULL; +- girq->handler = handle_bad_irq; +- +- /* +- * Directly request the irq here instead of passing +- * a flow-handler because the irq is shared. +- */ +- ret = devm_request_irq(dev, irq, mlxbf3_gpio_irq_handler, +- IRQF_SHARED, dev_name(dev), gs); +- if (ret) +- return dev_err_probe(dev, ret, "failed to request IRQ"); +- } ++ irq = platform_get_irq(pdev, 0); ++ if (irq >= 0) { ++ girq = &gs->gc.irq; ++ gpio_irq_chip_set_chip(girq, &gpio_mlxbf3_irqchip); ++ girq->default_type = IRQ_TYPE_NONE; ++ /* This will let us handle the parent IRQ in the driver */ ++ girq->num_parents = 0; ++ girq->parents = NULL; ++ girq->parent_handler = NULL; ++ girq->handler = handle_bad_irq; ++ ++ /* ++ * Directly request the irq here instead of passing ++ * a flow-handler because the irq is shared. ++ */ ++ ret = devm_request_irq(dev, irq, mlxbf3_gpio_irq_handler, ++ IRQF_SHARED, dev_name(dev), gs); ++ if (ret) ++ return dev_err_probe(dev, ret, "failed to request IRQ"); + } + + platform_set_drvdata(pdev, gs); diff --git a/queue-6.12/revert-leds-trigger-netdev-configure-led-blink-interval-for-hw-offload.patch b/queue-6.12/revert-leds-trigger-netdev-configure-led-blink-interval-for-hw-offload.patch new file mode 100644 index 0000000000..732fd4fc2b --- /dev/null +++ b/queue-6.12/revert-leds-trigger-netdev-configure-led-blink-interval-for-hw-offload.patch @@ -0,0 +1,85 @@ +From 26f732791f2bcab18f59c61915bbe35225f30136 Mon Sep 17 00:00:00 2001 +From: Daniel Golle +Date: Sat, 12 Jul 2025 16:39:21 +0100 +Subject: Revert "leds: trigger: netdev: Configure LED blink interval for HW offload" + +From: Daniel Golle + +commit 26f732791f2bcab18f59c61915bbe35225f30136 upstream. + +This reverts commit c629c972b310af41e9e072febb6dae9a299edde6. + +While .led_blink_set() would previously put an LED into an unconditional +permanently blinking state, the offending commit now uses same operation +to (also?) set the blink timing of the netdev trigger when offloading. + +This breaks many if not all of the existing PHY drivers which offer +offloading LED operations, as those drivers would just put the LED into +blinking state after .led_blink_set() has been called. + +Unfortunately the change even made it into stable kernels for unknown +reasons, so it should be reverted there as well. + +Fixes: c629c972b310a ("leds: trigger: netdev: Configure LED blink interval for HW offload") +Link: https://lore.kernel.org/linux-leds/c6134e26-2e45-4121-aa15-58aaef327201@lunn.ch/T/#m9d6fe81bbcb273e59f12bbedbd633edd32118387 +Suggested-by: Andrew Lunn +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Golle +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/6dcc77ee1c9676891d6250d8994850f521426a0f.1752334655.git.daniel@makrotopia.org +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/leds/trigger/ledtrig-netdev.c | 16 +++------------- + 1 file changed, 3 insertions(+), 13 deletions(-) + +--- a/drivers/leds/trigger/ledtrig-netdev.c ++++ b/drivers/leds/trigger/ledtrig-netdev.c +@@ -68,7 +68,6 @@ struct led_netdev_data { + unsigned int last_activity; + + unsigned long mode; +- unsigned long blink_delay; + int link_speed; + __ETHTOOL_DECLARE_LINK_MODE_MASK(supported_link_modes); + u8 duplex; +@@ -87,10 +86,6 @@ static void set_baseline_state(struct le + /* Already validated, hw control is possible with the requested mode */ + if (trigger_data->hw_control) { + led_cdev->hw_control_set(led_cdev, trigger_data->mode); +- if (led_cdev->blink_set) { +- led_cdev->blink_set(led_cdev, &trigger_data->blink_delay, +- &trigger_data->blink_delay); +- } + + return; + } +@@ -459,11 +454,10 @@ static ssize_t interval_store(struct dev + size_t size) + { + struct led_netdev_data *trigger_data = led_trigger_get_drvdata(dev); +- struct led_classdev *led_cdev = trigger_data->led_cdev; + unsigned long value; + int ret; + +- if (trigger_data->hw_control && !led_cdev->blink_set) ++ if (trigger_data->hw_control) + return -EINVAL; + + ret = kstrtoul(buf, 0, &value); +@@ -472,13 +466,9 @@ static ssize_t interval_store(struct dev + + /* impose some basic bounds on the timer interval */ + if (value >= 5 && value <= 10000) { +- if (trigger_data->hw_control) { +- trigger_data->blink_delay = value; +- } else { +- cancel_delayed_work_sync(&trigger_data->work); ++ cancel_delayed_work_sync(&trigger_data->work); + +- atomic_set(&trigger_data->interval, msecs_to_jiffies(value)); +- } ++ atomic_set(&trigger_data->interval, msecs_to_jiffies(value)); + set_baseline_state(trigger_data); /* resets timer */ + } + diff --git a/queue-6.12/series b/queue-6.12/series new file mode 100644 index 0000000000..02c6d520f6 --- /dev/null +++ b/queue-6.12/series @@ -0,0 +1,22 @@ +io_uring-don-t-use-int-for-abi.patch +alsa-usb-audio-validate-uac3-power-domain-descriptors-too.patch +alsa-usb-audio-validate-uac3-cluster-segment-descriptors.patch +alsa-hda-realtek-fix-headset-mic-on-honor-brb-x.patch +alsa-hda-realtek-add-framework-laptop-13-amd-ryzen-ai-300-to-quirks.patch +smb3-fix-for-slab-out-of-bounds-on-mount-to-ksmbd.patch +smb-client-remove-redundant-lstrp-update-in-negotiate-protocol.patch +gpio-virtio-fix-config-space-reading.patch +gpio-mlxbf2-use-platform_get_irq_optional.patch +revert-gpio-mlxbf3-only-get-irq-for-device-instance-0.patch +gpio-mlxbf3-use-platform_get_irq_optional.patch +leds-flash-leds-qcom-flash-fix-registry-access-after-re-bind.patch +revert-leds-trigger-netdev-configure-led-blink-interval-for-hw-offload.patch +netlink-avoid-infinite-retry-looping-in-netlink_unicast.patch +net-phy-micrel-fix-ksz8081-ksz8091-cable-test.patch +net-ftgmac100-fix-potential-null-pointer-access-in-ftgmac100_phy_disconnect.patch +net-gianfar-fix-device-leak-when-querying-time-stamp-info.patch +net-enetc-fix-device-and-of-node-leak-at-probe.patch +net-mtk_eth_soc-fix-device-leak-at-probe.patch +net-ti-icss-iep-fix-device-and-of-node-leaks-at-probe.patch +net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch +net-usb-asix_devices-add-phy_mask-for-ax88772-mdio-bus.patch diff --git a/queue-6.12/smb-client-remove-redundant-lstrp-update-in-negotiate-protocol.patch b/queue-6.12/smb-client-remove-redundant-lstrp-update-in-negotiate-protocol.patch new file mode 100644 index 0000000000..17db650d52 --- /dev/null +++ b/queue-6.12/smb-client-remove-redundant-lstrp-update-in-negotiate-protocol.patch @@ -0,0 +1,52 @@ +From e19d8dd694d261ac26adb2a26121a37c107c81ad Mon Sep 17 00:00:00 2001 +From: Wang Zhaolong +Date: Fri, 1 Aug 2025 17:07:24 +0800 +Subject: smb: client: remove redundant lstrp update in negotiate protocol + +From: Wang Zhaolong + +commit e19d8dd694d261ac26adb2a26121a37c107c81ad upstream. + +Commit 34331d7beed7 ("smb: client: fix first command failure during +re-negotiation") addressed a race condition by updating lstrp before +entering negotiate state. However, this approach may have some unintended +side effects. + +The lstrp field is documented as "when we got last response from this +server", and updating it before actually receiving a server response +could potentially affect other mechanisms that rely on this timestamp. +For example, the SMB echo detection logic also uses lstrp as a reference +point. In scenarios with frequent user operations during reconnect states, +the repeated calls to cifs_negotiate_protocol() might continuously +update lstrp, which could interfere with the echo detection timing. + +Additionally, commit 266b5d02e14f ("smb: client: fix race condition in +negotiate timeout by using more precise timing") introduced a dedicated +neg_start field specifically for tracking negotiate start time. This +provides a more precise solution for the original race condition while +preserving the intended semantics of lstrp. + +Since the race condition is now properly handled by the neg_start +mechanism, the lstrp update in cifs_negotiate_protocol() is no longer +necessary and can be safely removed. + +Fixes: 266b5d02e14f ("smb: client: fix race condition in negotiate timeout by using more precise timing") +Cc: stable@vger.kernel.org +Acked-by: Paulo Alcantara (Red Hat) +Signed-off-by: Wang Zhaolong +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/connect.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -4001,7 +4001,6 @@ retry: + return 0; + } + +- server->lstrp = jiffies; + server->tcpStatus = CifsInNegotiate; + server->neg_start = jiffies; + spin_unlock(&server->srv_lock); diff --git a/queue-6.12/smb3-fix-for-slab-out-of-bounds-on-mount-to-ksmbd.patch b/queue-6.12/smb3-fix-for-slab-out-of-bounds-on-mount-to-ksmbd.patch new file mode 100644 index 0000000000..1c8e9419da --- /dev/null +++ b/queue-6.12/smb3-fix-for-slab-out-of-bounds-on-mount-to-ksmbd.patch @@ -0,0 +1,95 @@ +From 7d34ec36abb84fdfb6632a0f2cbda90379ae21fc Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Mon, 11 Aug 2025 23:14:55 -0500 +Subject: smb3: fix for slab out of bounds on mount to ksmbd + +From: Steve French + +commit 7d34ec36abb84fdfb6632a0f2cbda90379ae21fc upstream. + +With KASAN enabled, it is possible to get a slab out of bounds +during mount to ksmbd due to missing check in parse_server_interfaces() +(see below): + + BUG: KASAN: slab-out-of-bounds in + parse_server_interfaces+0x14ee/0x1880 [cifs] + Read of size 4 at addr ffff8881433dba98 by task mount/9827 + + CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G + OE 6.16.0-rc2-kasan #2 PREEMPT(voluntary) + Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE + Hardware name: Dell Inc. Precision Tower 3620/0MWYPT, + BIOS 2.13.1 06/14/2019 + Call Trace: + + dump_stack_lvl+0x9f/0xf0 + print_report+0xd1/0x670 + __virt_addr_valid+0x22c/0x430 + ? parse_server_interfaces+0x14ee/0x1880 [cifs] + ? kasan_complete_mode_report_info+0x2a/0x1f0 + ? parse_server_interfaces+0x14ee/0x1880 [cifs] + kasan_report+0xd6/0x110 + parse_server_interfaces+0x14ee/0x1880 [cifs] + __asan_report_load_n_noabort+0x13/0x20 + parse_server_interfaces+0x14ee/0x1880 [cifs] + ? __pfx_parse_server_interfaces+0x10/0x10 [cifs] + ? trace_hardirqs_on+0x51/0x60 + SMB3_request_interfaces+0x1ad/0x3f0 [cifs] + ? __pfx_SMB3_request_interfaces+0x10/0x10 [cifs] + ? SMB2_tcon+0x23c/0x15d0 [cifs] + smb3_qfs_tcon+0x173/0x2b0 [cifs] + ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs] + ? cifs_get_tcon+0x105d/0x2120 [cifs] + ? do_raw_spin_unlock+0x5d/0x200 + ? cifs_get_tcon+0x105d/0x2120 [cifs] + ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs] + cifs_mount_get_tcon+0x369/0xb90 [cifs] + ? dfs_cache_find+0xe7/0x150 [cifs] + dfs_mount_share+0x985/0x2970 [cifs] + ? check_path.constprop.0+0x28/0x50 + ? save_trace+0x54/0x370 + ? __pfx_dfs_mount_share+0x10/0x10 [cifs] + ? __lock_acquire+0xb82/0x2ba0 + ? __kasan_check_write+0x18/0x20 + cifs_mount+0xbc/0x9e0 [cifs] + ? __pfx_cifs_mount+0x10/0x10 [cifs] + ? do_raw_spin_unlock+0x5d/0x200 + ? cifs_setup_cifs_sb+0x29d/0x810 [cifs] + cifs_smb3_do_mount+0x263/0x1990 [cifs] + +Reported-by: Namjae Jeon +Tested-by: Namjae Jeon +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2ops.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/fs/smb/client/smb2ops.c ++++ b/fs/smb/client/smb2ops.c +@@ -772,6 +772,13 @@ next_iface: + bytes_left -= sizeof(*p); + break; + } ++ /* Validate that Next doesn't point beyond the buffer */ ++ if (next > bytes_left) { ++ cifs_dbg(VFS, "%s: invalid Next pointer %zu > %zd\n", ++ __func__, next, bytes_left); ++ rc = -EINVAL; ++ goto out; ++ } + p = (struct network_interface_info_ioctl_rsp *)((u8 *)p+next); + bytes_left -= next; + } +@@ -783,7 +790,9 @@ next_iface: + } + + /* Azure rounds the buffer size up 8, to a 16 byte boundary */ +- if ((bytes_left > 8) || p->Next) ++ if ((bytes_left > 8) || ++ (bytes_left >= offsetof(struct network_interface_info_ioctl_rsp, Next) ++ + sizeof(p->Next) && p->Next)) + cifs_dbg(VFS, "%s: incomplete interface info\n", __func__); + + ses->iface_last_update = jiffies; -- 2.47.3