From 304babd3b85b55ce958707cb43999a8a241e8d98 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 1 Dec 2025 17:07:59 +0100 Subject: [PATCH] 6.12-stable patches added patches: alsa-usb-audio-add-dsd-quirk-for-leak-stereo-230.patch arm-dts-nxp-imx6ul-correct-sai3-interrupt-line.patch arm64-dts-imx8dxl-ss-conn-swap-interrupts-number-of-eqos.patch arm64-dts-imx8qm-mek-fix-mux-controller-select-enable-gpios-polarity.patch atm-fore200e-fix-possible-data-race-in-fore200e_open.patch bluetooth-btusb-mediatek-avoid-btusb_mtk_claim_iso_intf-null-deref.patch can-sja1000-fix-max-irq-loop-handling.patch can-sun4i_can-sun4i_can_interrupt-fix-max-irq-loop-handling.patch ceph-fix-crash-in-process_v2_sparse_read-for-encrypted-directories.patch dm-verity-fix-unreliable-memory-allocation.patch drivers-usb-dwc3-fix-pci-parent-check.patch firmware-stratix10-svc-fix-bug-in-saving-controller-data.patch mm-memfd-fix-information-leak-in-hugetlb-folios.patch mmc-sdhci-of-dwcmshc-promote-the-th1520-reset-handling-to-ip-level.patch mptcp-clear-scheduled-subflows-on-retransmit.patch mptcp-initialise-rcv_mss-before-calling-tcp_send_active_reset-in-mptcp_do_fastclose.patch nvmem-layouts-fix-nvmem_layout_bus_uevent.patch serial-amba-pl011-prefer-dma_mapping_error-over-explicit-address-checking.patch slimbus-ngd-fix-reference-count-leak-in-qcom_slim_ngd_notify_slaves.patch smb-client-fix-memory-leak-in-cifs_construct_tcon.patch thunderbolt-add-support-for-intel-wildcat-lake.patch --- ...io-add-dsd-quirk-for-leak-stereo-230.patch | 46 +++ ...p-imx6ul-correct-sai3-interrupt-line.patch | 36 ++ ...-conn-swap-interrupts-number-of-eqos.patch | 38 ++ ...troller-select-enable-gpios-polarity.patch | 39 ++ ...-possible-data-race-in-fore200e_open.patch | 57 +++ ...-btusb_mtk_claim_iso_intf-null-deref.patch | 54 +++ ...an-sja1000-fix-max-irq-loop-handling.patch | 45 +++ ..._interrupt-fix-max-irq-loop-handling.patch | 45 +++ ...parse_read-for-encrypted-directories.patch | 373 ++++++++++++++++++ ...ity-fix-unreliable-memory-allocation.patch | 36 ++ 
...rivers-usb-dwc3-fix-pci-parent-check.patch | 48 +++ ...vc-fix-bug-in-saving-controller-data.patch | 69 ++++ ...x-information-leak-in-hugetlb-folios.patch | 94 +++++ ...he-th1520-reset-handling-to-ip-level.patch | 95 +++++ ...ear-scheduled-subflows-on-retransmit.patch | 68 ++++ ...d_active_reset-in-mptcp_do_fastclose.patch | 90 +++++ ...-layouts-fix-nvmem_layout_bus_uevent.patch | 40 ++ ...error-over-explicit-address-checking.patch | 41 ++ queue-6.12/series | 21 + ...-leak-in-qcom_slim_ngd_notify_slaves.patch | 38 ++ ...x-memory-leak-in-cifs_construct_tcon.patch | 65 +++ ...t-add-support-for-intel-wildcat-lake.patch | 43 ++ 22 files changed, 1481 insertions(+) create mode 100644 queue-6.12/alsa-usb-audio-add-dsd-quirk-for-leak-stereo-230.patch create mode 100644 queue-6.12/arm-dts-nxp-imx6ul-correct-sai3-interrupt-line.patch create mode 100644 queue-6.12/arm64-dts-imx8dxl-ss-conn-swap-interrupts-number-of-eqos.patch create mode 100644 queue-6.12/arm64-dts-imx8qm-mek-fix-mux-controller-select-enable-gpios-polarity.patch create mode 100644 queue-6.12/atm-fore200e-fix-possible-data-race-in-fore200e_open.patch create mode 100644 queue-6.12/bluetooth-btusb-mediatek-avoid-btusb_mtk_claim_iso_intf-null-deref.patch create mode 100644 queue-6.12/can-sja1000-fix-max-irq-loop-handling.patch create mode 100644 queue-6.12/can-sun4i_can-sun4i_can_interrupt-fix-max-irq-loop-handling.patch create mode 100644 queue-6.12/ceph-fix-crash-in-process_v2_sparse_read-for-encrypted-directories.patch create mode 100644 queue-6.12/dm-verity-fix-unreliable-memory-allocation.patch create mode 100644 queue-6.12/drivers-usb-dwc3-fix-pci-parent-check.patch create mode 100644 queue-6.12/firmware-stratix10-svc-fix-bug-in-saving-controller-data.patch create mode 100644 queue-6.12/mm-memfd-fix-information-leak-in-hugetlb-folios.patch create mode 100644 queue-6.12/mmc-sdhci-of-dwcmshc-promote-the-th1520-reset-handling-to-ip-level.patch create mode 100644 
queue-6.12/mptcp-clear-scheduled-subflows-on-retransmit.patch create mode 100644 queue-6.12/mptcp-initialise-rcv_mss-before-calling-tcp_send_active_reset-in-mptcp_do_fastclose.patch create mode 100644 queue-6.12/nvmem-layouts-fix-nvmem_layout_bus_uevent.patch create mode 100644 queue-6.12/serial-amba-pl011-prefer-dma_mapping_error-over-explicit-address-checking.patch create mode 100644 queue-6.12/slimbus-ngd-fix-reference-count-leak-in-qcom_slim_ngd_notify_slaves.patch create mode 100644 queue-6.12/smb-client-fix-memory-leak-in-cifs_construct_tcon.patch create mode 100644 queue-6.12/thunderbolt-add-support-for-intel-wildcat-lake.patch diff --git a/queue-6.12/alsa-usb-audio-add-dsd-quirk-for-leak-stereo-230.patch b/queue-6.12/alsa-usb-audio-add-dsd-quirk-for-leak-stereo-230.patch new file mode 100644 index 0000000000..c42720e69b --- /dev/null +++ b/queue-6.12/alsa-usb-audio-add-dsd-quirk-for-leak-stereo-230.patch 
@@ -0,0 +1,46 @@
+From c83fc13960643c4429cd9dfef1321e6430a81b47 Mon Sep 17 00:00:00 2001
+From: Ivan Zhaldak
+Date: Mon, 17 Nov 2025 15:58:35 +0300
+Subject: ALSA: usb-audio: Add DSD quirk for LEAK Stereo 230
+
+From: Ivan Zhaldak
+
+commit c83fc13960643c4429cd9dfef1321e6430a81b47 upstream.
+
+Integrated amplifier LEAK Stereo 230 by IAG Limited has built-in
+ESS9038Q2M DAC served by XMOS controller. It supports both DSD Native
+and DSD-over-PCM (DoP) operational modes. But it doesn't work properly
+by default and tries DSD-to-PCM conversion. USB quirks below allow it
+to operate as designed.
+
+Add DSD_RAW quirk flag for IAG Limited devices (vendor ID 0x2622)
+Add DSD format quirk for LEAK Stereo 230 (USB ID 0x2622:0x0061)
+
+Signed-off-by: Ivan Zhaldak
+Cc:
+Link: https://patch.msgid.link/20251117125848.30769-1-i.v.zhaldak@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/quirks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -2028,6 +2028,7 @@ u64 snd_usb_interface_dsd_format_quirks(
+ case USB_ID(0x249c, 0x9326): /* M2Tech Young MkIII */
+ case USB_ID(0x2616, 0x0106): /* PS Audio NuWave DAC */
+ case USB_ID(0x2622, 0x0041): /* Audiolab M-DAC+ */
++ case USB_ID(0x2622, 0x0061): /* LEAK Stereo 230 */
+ case USB_ID(0x278b, 0x5100): /* Rotel RC-1590 */
+ case USB_ID(0x27f7, 0x3002): /* W4S DAC-2v2SE */
+ case USB_ID(0x29a2, 0x0086): /* Mutec MC3+ USB */
+@@ -2411,6 +2412,8 @@ static const struct usb_audio_quirk_flag
+ QUIRK_FLAG_DSD_RAW),
+ VENDOR_FLG(0x25ce, /* Mytek devices */
+ QUIRK_FLAG_DSD_RAW),
++ VENDOR_FLG(0x2622, /* IAG Limited devices */
++ QUIRK_FLAG_DSD_RAW),
+ VENDOR_FLG(0x278b, /* Rotel? */
+ QUIRK_FLAG_DSD_RAW),
+ VENDOR_FLG(0x292b, /* Gustard/Ess based devices */
diff --git a/queue-6.12/arm-dts-nxp-imx6ul-correct-sai3-interrupt-line.patch b/queue-6.12/arm-dts-nxp-imx6ul-correct-sai3-interrupt-line.patch
new file mode 100644
index 0000000000..60ebbb9ff7
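Review bot: The new `VENDOR_FLG(0x2622, ...)` entry applies QUIRK_FLAG_DSD_RAW to every IAG Limited product, not only the LEAK Stereo 230 the commit message describes testing, so the already-listed Audiolab M-DAC+ (0x2622:0x0041) and any other IAG device now change behaviour without a stated test. If that is intentional, the table comment should say so, e.g. `VENDOR_FLG(0x2622, /* IAG Limited (Audiolab, LEAK) – DSD_RAW verified on LEAK Stereo 230 */`; if it is not, a per-device `DEVICE_FLG(0x2622, 0x0061, QUIRK_FLAG_DSD_RAW)` would limit the scope. Whether other IAG models tolerate raw DSD cannot be judged from the hunk, and the enclosing quirk table starts and ends outside it.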
--- /dev/null
+++ b/queue-6.12/arm-dts-nxp-imx6ul-correct-sai3-interrupt-line.patch
@@ -0,0 +1,36 @@
+From 1b03346314b791ad966d3c6d59253328226a2b2d Mon Sep 17 00:00:00 2001
+From: Maarten Zanders
+Date: Fri, 24 Oct 2025 16:21:06 +0200
+Subject: ARM: dts: nxp: imx6ul: correct SAI3 interrupt line
+
+From: Maarten Zanders
+
+commit 1b03346314b791ad966d3c6d59253328226a2b2d upstream.
+
+The i.MX6UL reference manual lists two possible interrupt lines for
+SAI3 (56 and 57, offset +32). The current device tree entry uses
+the first one (24), which prevents IRQs from being handled properly.
+
+Use the second interrupt line (25), which does allow interrupts
+to work as expected.
+
+Fixes: 36e2edf6ac07 ("ARM: dts: imx6ul: add sai support")
+Signed-off-by: Maarten Zanders
+Cc: stable@vger.kernel.org
+Signed-off-by: Shawn Guo
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/boot/dts/nxp/imx/imx6ul.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/nxp/imx/imx6ul.dtsi
++++ b/arch/arm/boot/dts/nxp/imx/imx6ul.dtsi
+@@ -333,7 +333,7 @@
+ #sound-dai-cells = <0>;
+ compatible = "fsl,imx6ul-sai", "fsl,imx6sx-sai";
+ reg = <0x02030000 0x4000>;
+- interrupts = ;
++ interrupts = ;
+ clocks = <&clks IMX6UL_CLK_SAI3_IPG>,
+ <&clks IMX6UL_CLK_SAI3>,
+ <&clks IMX6UL_CLK_DUMMY>, <&clks IMX6UL_CLK_DUMMY>;
diff --git a/queue-6.12/arm64-dts-imx8dxl-ss-conn-swap-interrupts-number-of-eqos.patch b/queue-6.12/arm64-dts-imx8dxl-ss-conn-swap-interrupts-number-of-eqos.patch
new file mode 100644
index 0000000000..d2bb80e33e
--- /dev/null
+++ b/queue-6.12/arm64-dts-imx8dxl-ss-conn-swap-interrupts-number-of-eqos.patch
@@ -0,0 +1,38 @@
+From 5b6677d6451bbbac3b6ab93fae6506b59e2c19bd Mon Sep 17 00:00:00 2001
+From: Frank Li
+Date: Wed, 22 Oct 2025 12:50:22 -0400
+Subject: arm64: dts: imx8dxl-ss-conn: swap interrupts number of eqos
+
+From: Frank Li
+
+commit 5b6677d6451bbbac3b6ab93fae6506b59e2c19bd upstream.
+
+Swap interrupt numbers of eqos because the below commit just swap
+interrupt-names and missed swap interrupts also.
+
+The driver (drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c) use
+interrupt-names to get irq numbers.
+
+Fixes: f29c19a6e488 ("arm64: dts: imx8dxl-ss-conn: Fix Ethernet interrupt-names order")
+Signed-off-by: Frank Li
+Tested-by: Alexander Dahl
+Cc: stable@vger.kernel.org
+Signed-off-by: Shawn Guo
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/freescale/imx8dxl-ss-conn.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8dxl-ss-conn.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8dxl-ss-conn.dtsi
+@@ -27,8 +27,8 @@
+ compatible = "nxp,imx8dxl-dwmac-eqos", "snps,dwmac-5.10a";
+ reg = <0x5b050000 0x10000>;
+ interrupt-parent = <&gic>;
+- interrupts = ,
+- ;
++ interrupts = ,
++ ;
+ interrupt-names = "macirq", "eth_wake_irq";
+ clocks = <&eqos_lpcg IMX_LPCG_CLK_4>,
+ <&eqos_lpcg IMX_LPCG_CLK_6>,
diff --git a/queue-6.12/arm64-dts-imx8qm-mek-fix-mux-controller-select-enable-gpios-polarity.patch b/queue-6.12/arm64-dts-imx8qm-mek-fix-mux-controller-select-enable-gpios-polarity.patch
new file mode 100644
index 0000000000..819daab148
--- /dev/null
+++ b/queue-6.12/arm64-dts-imx8qm-mek-fix-mux-controller-select-enable-gpios-polarity.patch
@@ -0,0 +1,39 @@
+From e89ee35567d3d465ef0715953170be72f5ef1d4c Mon Sep 17 00:00:00 2001
+From: Xu Yang
+Date: Thu, 13 Nov 2025 19:14:44 +0800
+Subject: arm64: dts: imx8qm-mek: fix mux-controller select/enable-gpios polarity
+
+From: Xu Yang
+
+commit e89ee35567d3d465ef0715953170be72f5ef1d4c upstream.
+
+According to the board design, set SEL to high means flipped
+connection (TX2/RX2). And the TCPM will output logical 1 if it needs
+flipped connection. So switch to active high for select-gpios.
+The EN pin on mux chip is low active, so switch to active low for
+enable-gpios too.
+
+Fixes: b237975b2cd5 ("arm64: dts: imx8qm-mek: add usb 3.0 and related type C nodes")
+Cc: stable@vger.kernel.org
+Reviewed-by: Jun Li
+Signed-off-by: Xu Yang
+Reviewed-by: Frank Li
+Signed-off-by: Shawn Guo
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
++++ b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
+@@ -114,8 +114,8 @@
+ compatible = "nxp,cbdtu02043", "gpio-sbu-mux";
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_typec_mux>;
+- select-gpios = <&lsio_gpio4 6 GPIO_ACTIVE_LOW>;
+- enable-gpios = <&lsio_gpio4 19 GPIO_ACTIVE_HIGH>;
++ select-gpios = <&lsio_gpio4 6 GPIO_ACTIVE_HIGH>;
++ enable-gpios = <&lsio_gpio4 19 GPIO_ACTIVE_LOW>;
+ orientation-switch;
+
+ port {
diff --git a/queue-6.12/atm-fore200e-fix-possible-data-race-in-fore200e_open.patch b/queue-6.12/atm-fore200e-fix-possible-data-race-in-fore200e_open.patch
new file mode 100644
index 0000000000..0e1cfdbbca
--- /dev/null
+++ b/queue-6.12/atm-fore200e-fix-possible-data-race-in-fore200e_open.patch
@@ -0,0 +1,57 @@
+From 82fca3d8a4a34667f01ec2351a607135249c9cff Mon Sep 17 00:00:00 2001
+From: Gui-Dong Han
+Date: Thu, 20 Nov 2025 20:06:57 +0800
+Subject: atm/fore200e: Fix possible data race in fore200e_open()
+
+From: Gui-Dong Han
+
+commit 82fca3d8a4a34667f01ec2351a607135249c9cff upstream.
+
+Protect access to fore200e->available_cell_rate with rate_mtx lock in the
+error handling path of fore200e_open() to prevent a data race.
+
+The field fore200e->available_cell_rate is a shared resource used to track
+available bandwidth. It is concurrently accessed by fore200e_open(),
+fore200e_close(), and fore200e_change_qos().
+
+In fore200e_open(), the lock rate_mtx is correctly held when subtracting
+vcc->qos.txtp.max_pcr from available_cell_rate to reserve bandwidth.
+However, if the subsequent call to fore200e_activate_vcin() fails, the
+function restores the reserved bandwidth by adding back to
+available_cell_rate without holding the lock.
+
+This introduces a race condition because available_cell_rate is a global
+device resource shared across all VCCs. If the error path in
+fore200e_open() executes concurrently with operations like
+fore200e_close() or fore200e_change_qos() on other VCCs, a
+read-modify-write race occurs.
+
+Specifically, the error path reads the rate without the lock. If another
+CPU acquires the lock and modifies the rate (e.g., releasing bandwidth in
+fore200e_close()) between this read and the subsequent write, the error
+path will overwrite the concurrent update with a stale value. This results
+in incorrect bandwidth accounting.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gui-Dong Han
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/20251120120657.2462194-1-hanguidong02@gmail.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/atm/fore200e.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/atm/fore200e.c
++++ b/drivers/atm/fore200e.c
+@@ -1374,7 +1374,9 @@ fore200e_open(struct atm_vcc *vcc)
+
+ vcc->dev_data = NULL;
+
++ mutex_lock(&fore200e->rate_mtx);
+ fore200e->available_cell_rate += vcc->qos.txtp.max_pcr;
++ mutex_unlock(&fore200e->rate_mtx);
+
+ kfree(fore200e_vcc);
+ return -EINVAL;
diff --git a/queue-6.12/bluetooth-btusb-mediatek-avoid-btusb_mtk_claim_iso_intf-null-deref.patch b/queue-6.12/bluetooth-btusb-mediatek-avoid-btusb_mtk_claim_iso_intf-null-deref.patch
new file mode 100644
index 0000000000..099adc7cc7
--- /dev/null
+++ b/queue-6.12/bluetooth-btusb-mediatek-avoid-btusb_mtk_claim_iso_intf-null-deref.patch
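Review bot: The new lock/unlock pair around `available_cell_rate += vcc->qos.txtp.max_pcr` is correct only if `fore200e_activate_vcin()` is never reached with `rate_mtx` already held, otherwise this error path now self-deadlocks on a non-recursive mutex; the commit message says the mutex is dropped after the reservation, but that release is outside the hunk, so it is worth confirming on the caller side. The undo also deserves a why-comment so the next reader does not fold it back into the unlocked form: `/* activation failed: return the bandwidth reserved above, under rate_mtx like close()/change_qos() */`. The body of fore200e_open() begins and ends outside this hunk.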
@@ -0,0 +1,54 @@
+From c884a0b27b4586e607431d86a1aa0bb4fb39169c Mon Sep 17 00:00:00 2001
+From: Douglas Anderson
+Date: Thu, 20 Nov 2025 08:12:28 -0800
+Subject: Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref
+
+From: Douglas Anderson
+
+commit c884a0b27b4586e607431d86a1aa0bb4fb39169c upstream.
+
+In btusb_mtk_setup(), we set `btmtk_data->isopkt_intf` to:
+ usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM)
+
+That function can return NULL in some cases. Even when it returns
+NULL, though, we still go on to call btusb_mtk_claim_iso_intf().
+
+As of commit e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for
+usb_driver_claim_interface()"), calling btusb_mtk_claim_iso_intf()
+when `btmtk_data->isopkt_intf` is NULL will cause a crash because
+we'll end up passing a bad pointer to device_lock(). Prior to that
+commit we'd pass the NULL pointer directly to
+usb_driver_claim_interface() which would detect it and return an
+error, which was handled.
+
+Resolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check
+at the start of the function. This makes the code handle a NULL
+`btmtk_data->isopkt_intf` the same way it did before the problematic
+commit (just with a slight change to the error message printed).
+
+Reported-by: IncogCyberpunk
+Closes: http://lore.kernel.org/r/a380d061-479e-4713-bddd-1d6571ca7e86@leemhuis.info
+Fixes: e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()")
+Cc: stable@vger.kernel.org
+Tested-by: IncogCyberpunk
+Signed-off-by: Douglas Anderson
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bluetooth/btusb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -2714,6 +2714,11 @@ static void btusb_mtk_claim_iso_intf(str
+ if (!btmtk_data)
+ return;
+
++ if (!btmtk_data->isopkt_intf) {
++ bt_dev_err(data->hdev, "Can't claim NULL iso interface");
++ return;
++ }
++
+ /*
+ * The function usb_driver_claim_interface() is documented to need
+ * locks held if it's not called from a probe routine. The code here
diff --git a/queue-6.12/can-sja1000-fix-max-irq-loop-handling.patch b/queue-6.12/can-sja1000-fix-max-irq-loop-handling.patch
new file mode 100644
index 0000000000..e80ba9a82d
--- /dev/null
+++ b/queue-6.12/can-sja1000-fix-max-irq-loop-handling.patch
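Review bot: The NULL guard stops the crash at this consumer, but the producer described in the message, btusb_mtk_setup() storing the result of usb_ifnum_to_if() unchecked, still leaves a NULL `isopkt_intf` in the driver state for every other user of that field, so any release or unclaim path that dereferences it needs the same check; those paths are not in the hunk and I cannot tell whether they already have one. At minimum the invariant should be written down where the field is consumed, e.g. `/* isopkt_intf is NULL when the device has no MTK_ISO_IFNUM interface; nothing to claim */`, and the check would be cheaper to reason about if it sat next to the assignment in btusb_mtk_setup(). The enclosing btusb_mtk_claim_iso_intf() continues past the end of the hunk.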
@@ -0,0 +1,45 @@
+From 30db4451c7f6aabcada029b15859a76962ec0cf8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20M=C3=BChlbacher?=
+Date: Sat, 15 Nov 2025 15:34:56 +0000
+Subject: can: sja1000: fix max irq loop handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Mühlbacher
+
+commit 30db4451c7f6aabcada029b15859a76962ec0cf8 upstream.
+
+Reading the interrupt register `SJA1000_IR` causes all of its bits to be
+reset. If we ever reach the condition of handling more than
+`SJA1000_MAX_IRQ` IRQs, we will have read the register and reset all its
+bits but without actually handling the interrupt inside of the loop
+body.
+
+This may, among other issues, cause us to never `netif_wake_queue()`
+again after a transmission interrupt.
+
+Fixes: 429da1cc841b ("can: Driver for the SJA1000 CAN controller")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Mühlbacher
+Acked-by: Oliver Hartkopp
+Link: https://patch.msgid.link/20251115153437.11419-1-tmuehlbacher@posteo.net
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/sja1000/sja1000.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/sja1000/sja1000.c
++++ b/drivers/net/can/sja1000/sja1000.c
+@@ -548,8 +548,8 @@ irqreturn_t sja1000_interrupt(int irq, v
+ if (priv->read_reg(priv, SJA1000_IER) == IRQ_OFF)
+ goto out;
+
+- while ((isrc = priv->read_reg(priv, SJA1000_IR)) &&
+- (n < SJA1000_MAX_IRQ)) {
++ while ((n < SJA1000_MAX_IRQ) &&
++ (isrc = priv->read_reg(priv, SJA1000_IR))) {
+
+ status = priv->read_reg(priv, SJA1000_SR);
+ /* check for absent controller due to hw unplug */
diff --git a/queue-6.12/can-sun4i_can-sun4i_can_interrupt-fix-max-irq-loop-handling.patch b/queue-6.12/can-sun4i_can-sun4i_can_interrupt-fix-max-irq-loop-handling.patch
new file mode 100644
index 0000000000..77271968b3
--- /dev/null
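Review bot: The fix is a pure operand swap in the `while` condition, so its correctness now rests on `&&` short-circuiting before the destructive read of `SJA1000_IR`, and nothing in the code says so; a later tidy-up that reorders the operands would silently reintroduce the lost-interrupt bug. A one-line comment above the loop would pin the intent: `/* reading SJA1000_IR clears it, so test the iteration bound first: an interrupt we read but do not service would be lost */`. When the bound is hit with bits still pending, the register is left untouched and the handler exits; whether the still-asserted line then re-enters the handler depends on the return value and IRQ trigger type, which are outside this hunk. sja1000_interrupt() begins and ends outside the hunk.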
+++ b/queue-6.12/can-sun4i_can-sun4i_can_interrupt-fix-max-irq-loop-handling.patch
@@ -0,0 +1,45 @@
+From 76544beea7cfe5bcce6d60f53811657b88ec8be1 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde
+Date: Sun, 16 Nov 2025 16:55:26 +0100
+Subject: can: sun4i_can: sun4i_can_interrupt(): fix max irq loop handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marc Kleine-Budde
+
+commit 76544beea7cfe5bcce6d60f53811657b88ec8be1 upstream.
+
+Reading the interrupt register `SUN4I_REG_INT_ADDR` causes all of its bits
+to be reset. If we ever reach the condition of handling more than
+`SUN4I_CAN_MAX_IRQ` IRQs, we will have read the register and reset all its
+bits but without actually handling the interrupt inside of the loop body.
+
+This may, among other issues, cause us to never `netif_wake_queue()` again
+after a transmission interrupt.
+
+Fixes: 0738eff14d81 ("can: Allwinner A10/A20 CAN Controller support - Kernel module")
+Cc: stable@vger.kernel.org
+Co-developed-by: Thomas Mühlbacher
+Signed-off-by: Thomas Mühlbacher
+Acked-by: Jernej Skrabec
+Link: https://patch.msgid.link/20251116-sun4i-fix-loop-v1-1-3d76d3f81950@pengutronix.de
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/sun4i_can.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/sun4i_can.c
++++ b/drivers/net/can/sun4i_can.c
+@@ -657,8 +657,8 @@ static irqreturn_t sun4i_can_interrupt(i
+ u8 isrc, status;
+ int n = 0;
+
+- while ((isrc = readl(priv->base + SUN4I_REG_INT_ADDR)) &&
+- (n < SUN4I_CAN_MAX_IRQ)) {
++ while ((n < SUN4I_CAN_MAX_IRQ) &&
++ (isrc = readl(priv->base + SUN4I_REG_INT_ADDR))) {
+ n++;
+ status = readl(priv->base + SUN4I_REG_STA_ADDR);
+
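Review bot: As in the sibling sja1000 change, the only thing preventing a read-and-discard of `SUN4I_REG_INT_ADDR` is that `n < SUN4I_CAN_MAX_IRQ` is now the left operand of `&&`, and the code does not record why the order matters; this is exactly the kind of condition a style pass reorders "for readability". Suggest documenting it above the loop: `/* the INT register is clear-on-read: check the bound before reading so no pending interrupt is consumed without being handled */`. If the bound is reached with bits still set the loop exits without touching the register, which is the intended outcome, but what the function returns in that case and whether the level-triggered line re-fires is outside the visible lines. sun4i_can_interrupt() continues beyond the end of the hunk.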
diff --git a/queue-6.12/ceph-fix-crash-in-process_v2_sparse_read-for-encrypted-directories.patch b/queue-6.12/ceph-fix-crash-in-process_v2_sparse_read-for-encrypted-directories.patch
new file mode 100644
index 0000000000..354e70fbc9
--- /dev/null
+++ b/queue-6.12/ceph-fix-crash-in-process_v2_sparse_read-for-encrypted-directories.patch
@@ -0,0 +1,373 @@ +From 43962db4a6f593903340c85591056a0cef812dfd Mon Sep 17 00:00:00 2001 +From: Viacheslav Dubeyko +Date: Thu, 13 Nov 2025 14:36:24 -0800 +Subject: ceph: fix crash in process_v2_sparse_read() for encrypted directories + +From: Viacheslav Dubeyko + +commit 43962db4a6f593903340c85591056a0cef812dfd upstream. + +The crash in process_v2_sparse_read() for fscrypt-encrypted directories +has been reported. Issue takes place for Ceph msgr2 protocol in secure +mode. It can be reproduced by the steps: + +sudo mount -t ceph :/ /mnt/cephfs/ -o name=admin,fs=cephfs,ms_mode=secure + +(1) mkdir /mnt/cephfs/fscrypt-test-3 +(2) cp area_decrypted.tar /mnt/cephfs/fscrypt-test-3 +(3) fscrypt encrypt --source=raw_key --key=./my.key /mnt/cephfs/fscrypt-test-3 +(4) fscrypt lock /mnt/cephfs/fscrypt-test-3 +(5) fscrypt unlock --key=my.key /mnt/cephfs/fscrypt-test-3 +(6) cat /mnt/cephfs/fscrypt-test-3/area_decrypted.tar +(7) Issue has been triggered + +[ 408.072247] ------------[ cut here ]------------ +[ 408.072251] WARNING: CPU: 1 PID: 392 at net/ceph/messenger_v2.c:865 +ceph_con_v2_try_read+0x4b39/0x72f0 +[ 408.072267] Modules linked in: intel_rapl_msr intel_rapl_common +intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery +pmt_class intel_pmc_ssram_telemetry intel_vsec kvm_intel joydev kvm irqbypass +polyval_clmulni ghash_clmulni_intel aesni_intel rapl input_leds psmouse +serio_raw i2c_piix4 vga16fb bochs vgastate i2c_smbus floppy mac_hid qemu_fw_cfg +pata_acpi sch_fq_codel rbd msr parport_pc ppdev lp parport efi_pstore +[ 408.072304] CPU: 1 UID: 0 PID: 392 Comm: kworker/1:3 Not tainted 6.17.0-rc7+ +[ 408.072307] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +1.17.0-5.fc42 04/01/2014 +[ 408.072310] Workqueue: ceph-msgr ceph_con_workfn +[ 408.072314] RIP: 0010:ceph_con_v2_try_read+0x4b39/0x72f0 +[ 408.072317] Code: c7 c1 20 f0 d4 ae 50 31 d2 48 c7 c6 60 27 d5 ae 48 c7 c7 f8 +8e 6f b0 68 60 38 d5 ae e8 00 47 61 fe 48 83 c4 18 e9 ac fc ff 
ff <0f> 0b e9 06 +fe ff ff 4c 8b 9d 98 fd ff ff 0f 84 64 e7 ff ff 89 85 +[ 408.072319] RSP: 0018:ffff88811c3e7a30 EFLAGS: 00010246 +[ 408.072322] RAX: ffffed1024874c6f RBX: ffffea00042c2b40 RCX: 0000000000000f38 +[ 408.072324] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +[ 408.072325] RBP: ffff88811c3e7ca8 R08: 0000000000000000 R09: 00000000000000c8 +[ 408.072326] R10: 00000000000000c8 R11: 0000000000000000 R12: 00000000000000c8 +[ 408.072327] R13: dffffc0000000000 R14: ffff8881243a6030 R15: 0000000000003000 +[ 408.072329] FS: 0000000000000000(0000) GS:ffff88823eadf000(0000) +knlGS:0000000000000000 +[ 408.072331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 408.072332] CR2: 000000c0003c6000 CR3: 000000010c106005 CR4: 0000000000772ef0 +[ 408.072336] PKRU: 55555554 +[ 408.072337] Call Trace: +[ 408.072338] +[ 408.072340] ? sched_clock_noinstr+0x9/0x10 +[ 408.072344] ? __pfx_ceph_con_v2_try_read+0x10/0x10 +[ 408.072347] ? _raw_spin_unlock+0xe/0x40 +[ 408.072349] ? finish_task_switch.isra.0+0x15d/0x830 +[ 408.072353] ? __kasan_check_write+0x14/0x30 +[ 408.072357] ? mutex_lock+0x84/0xe0 +[ 408.072359] ? __pfx_mutex_lock+0x10/0x10 +[ 408.072361] ceph_con_workfn+0x27e/0x10e0 +[ 408.072364] ? metric_delayed_work+0x311/0x2c50 +[ 408.072367] process_one_work+0x611/0xe20 +[ 408.072371] ? __kasan_check_write+0x14/0x30 +[ 408.072373] worker_thread+0x7e3/0x1580 +[ 408.072375] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 +[ 408.072378] ? __pfx_worker_thread+0x10/0x10 +[ 408.072381] kthread+0x381/0x7a0 +[ 408.072383] ? __pfx__raw_spin_lock_irq+0x10/0x10 +[ 408.072385] ? __pfx_kthread+0x10/0x10 +[ 408.072387] ? __kasan_check_write+0x14/0x30 +[ 408.072389] ? recalc_sigpending+0x160/0x220 +[ 408.072392] ? _raw_spin_unlock_irq+0xe/0x50 +[ 408.072394] ? calculate_sigpending+0x78/0xb0 +[ 408.072395] ? __pfx_kthread+0x10/0x10 +[ 408.072397] ret_from_fork+0x2b6/0x380 +[ 408.072400] ? 
__pfx_kthread+0x10/0x10 +[ 408.072402] ret_from_fork_asm+0x1a/0x30 +[ 408.072406] +[ 408.072407] ---[ end trace 0000000000000000 ]--- +[ 408.072418] Oops: general protection fault, probably for non-canonical +address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI +[ 408.072984] KASAN: null-ptr-deref in range [0x0000000000000000- +0x0000000000000007] +[ 408.073350] CPU: 1 UID: 0 PID: 392 Comm: kworker/1:3 Tainted: G W +6.17.0-rc7+ #1 PREEMPT(voluntary) +[ 408.073886] Tainted: [W]=WARN +[ 408.074042] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +1.17.0-5.fc42 04/01/2014 +[ 408.074468] Workqueue: ceph-msgr ceph_con_workfn +[ 408.074694] RIP: 0010:ceph_msg_data_advance+0x79/0x1a80 +[ 408.074976] Code: fc ff df 49 8d 77 08 48 c1 ee 03 80 3c 16 00 0f 85 07 11 00 +00 48 ba 00 00 00 00 00 fc ff df 49 8b 5f 08 48 89 de 48 c1 ee 03 <0f> b6 14 16 +84 d2 74 09 80 fa 03 0f 8e 0f 0e 00 00 8b 13 83 fa 03 +[ 408.075884] RSP: 0018:ffff88811c3e7990 EFLAGS: 00010246 +[ 408.076305] RAX: ffff8881243a6388 RBX: 0000000000000000 RCX: 0000000000000000 +[ 408.076909] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff8881243a6378 +[ 408.077466] RBP: ffff88811c3e7a20 R08: 0000000000000000 R09: 00000000000000c8 +[ 408.078034] R10: ffff8881243a6388 R11: 0000000000000000 R12: ffffed1024874c71 +[ 408.078575] R13: dffffc0000000000 R14: ffff8881243a6030 R15: ffff8881243a6378 +[ 408.079159] FS: 0000000000000000(0000) GS:ffff88823eadf000(0000) +knlGS:0000000000000000 +[ 408.079736] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 408.080039] CR2: 000000c0003c6000 CR3: 000000010c106005 CR4: 0000000000772ef0 +[ 408.080376] PKRU: 55555554 +[ 408.080513] Call Trace: +[ 408.080630] +[ 408.080729] ceph_con_v2_try_read+0x49b9/0x72f0 +[ 408.081115] ? __pfx_ceph_con_v2_try_read+0x10/0x10 +[ 408.081348] ? _raw_spin_unlock+0xe/0x40 +[ 408.081538] ? finish_task_switch.isra.0+0x15d/0x830 +[ 408.081768] ? __kasan_check_write+0x14/0x30 +[ 408.081986] ? mutex_lock+0x84/0xe0 +[ 408.082160] ? 
__pfx_mutex_lock+0x10/0x10 +[ 408.082343] ceph_con_workfn+0x27e/0x10e0 +[ 408.082529] ? metric_delayed_work+0x311/0x2c50 +[ 408.082737] process_one_work+0x611/0xe20 +[ 408.082948] ? __kasan_check_write+0x14/0x30 +[ 408.083156] worker_thread+0x7e3/0x1580 +[ 408.083331] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 +[ 408.083557] ? __pfx_worker_thread+0x10/0x10 +[ 408.083751] kthread+0x381/0x7a0 +[ 408.083922] ? __pfx__raw_spin_lock_irq+0x10/0x10 +[ 408.084139] ? __pfx_kthread+0x10/0x10 +[ 408.084310] ? __kasan_check_write+0x14/0x30 +[ 408.084510] ? recalc_sigpending+0x160/0x220 +[ 408.084708] ? _raw_spin_unlock_irq+0xe/0x50 +[ 408.084917] ? calculate_sigpending+0x78/0xb0 +[ 408.085138] ? __pfx_kthread+0x10/0x10 +[ 408.085335] ret_from_fork+0x2b6/0x380 +[ 408.085525] ? __pfx_kthread+0x10/0x10 +[ 408.085720] ret_from_fork_asm+0x1a/0x30 +[ 408.085922] +[ 408.086036] Modules linked in: intel_rapl_msr intel_rapl_common +intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery +pmt_class intel_pmc_ssram_telemetry intel_vsec kvm_intel joydev kvm irqbypass +polyval_clmulni ghash_clmulni_intel aesni_intel rapl input_leds psmouse +serio_raw i2c_piix4 vga16fb bochs vgastate i2c_smbus floppy mac_hid qemu_fw_cfg +pata_acpi sch_fq_codel rbd msr parport_pc ppdev lp parport efi_pstore +[ 408.087778] ---[ end trace 0000000000000000 ]--- +[ 408.088007] RIP: 0010:ceph_msg_data_advance+0x79/0x1a80 +[ 408.088260] Code: fc ff df 49 8d 77 08 48 c1 ee 03 80 3c 16 00 0f 85 07 11 00 +00 48 ba 00 00 00 00 00 fc ff df 49 8b 5f 08 48 89 de 48 c1 ee 03 <0f> b6 14 16 +84 d2 74 09 80 fa 03 0f 8e 0f 0e 00 00 8b 13 83 fa 03 +[ 408.089118] RSP: 0018:ffff88811c3e7990 EFLAGS: 00010246 +[ 408.089357] RAX: ffff8881243a6388 RBX: 0000000000000000 RCX: 0000000000000000 +[ 408.089678] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff8881243a6378 +[ 408.090020] RBP: ffff88811c3e7a20 R08: 0000000000000000 R09: 00000000000000c8 +[ 408.090360] R10: ffff8881243a6388 R11: 0000000000000000 R12: 
ffffed1024874c71 +[ 408.090687] R13: dffffc0000000000 R14: ffff8881243a6030 R15: ffff8881243a6378 +[ 408.091035] FS: 0000000000000000(0000) GS:ffff88823eadf000(0000) +knlGS:0000000000000000 +[ 408.091452] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 408.092015] CR2: 000000c0003c6000 CR3: 000000010c106005 CR4: 0000000000772ef0 +[ 408.092530] PKRU: 55555554 +[ 417.112915] +================================================================== +[ 417.113491] BUG: KASAN: slab-use-after-free in +__mutex_lock.constprop.0+0x1522/0x1610 +[ 417.114014] Read of size 4 at addr ffff888124870034 by task kworker/2:0/4951 + +[ 417.114587] CPU: 2 UID: 0 PID: 4951 Comm: kworker/2:0 Tainted: G D W +6.17.0-rc7+ #1 PREEMPT(voluntary) +[ 417.114592] Tainted: [D]=DIE, [W]=WARN +[ 417.114593] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +1.17.0-5.fc42 04/01/2014 +[ 417.114596] Workqueue: events handle_timeout +[ 417.114601] Call Trace: +[ 417.114602] +[ 417.114604] dump_stack_lvl+0x5c/0x90 +[ 417.114610] print_report+0x171/0x4dc +[ 417.114613] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 +[ 417.114617] ? kasan_complete_mode_report_info+0x80/0x220 +[ 417.114621] kasan_report+0xbd/0x100 +[ 417.114625] ? __mutex_lock.constprop.0+0x1522/0x1610 +[ 417.114628] ? __mutex_lock.constprop.0+0x1522/0x1610 +[ 417.114630] __asan_report_load4_noabort+0x14/0x30 +[ 417.114633] __mutex_lock.constprop.0+0x1522/0x1610 +[ 417.114635] ? queue_con_delay+0x8d/0x200 +[ 417.114638] ? __pfx___mutex_lock.constprop.0+0x10/0x10 +[ 417.114641] ? __send_subscribe+0x529/0xb20 +[ 417.114644] __mutex_lock_slowpath+0x13/0x20 +[ 417.114646] mutex_lock+0xd4/0xe0 +[ 417.114649] ? __pfx_mutex_lock+0x10/0x10 +[ 417.114652] ? ceph_monc_renew_subs+0x2a/0x40 +[ 417.114654] ceph_con_keepalive+0x22/0x110 +[ 417.114656] handle_timeout+0x6b3/0x11d0 +[ 417.114659] ? _raw_spin_unlock_irq+0xe/0x50 +[ 417.114662] ? __pfx_handle_timeout+0x10/0x10 +[ 417.114664] ? 
queue_delayed_work_on+0x8e/0xa0 +[ 417.114669] process_one_work+0x611/0xe20 +[ 417.114672] ? __kasan_check_write+0x14/0x30 +[ 417.114676] worker_thread+0x7e3/0x1580 +[ 417.114678] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 +[ 417.114682] ? __pfx_sched_setscheduler_nocheck+0x10/0x10 +[ 417.114687] ? __pfx_worker_thread+0x10/0x10 +[ 417.114689] kthread+0x381/0x7a0 +[ 417.114692] ? __pfx__raw_spin_lock_irq+0x10/0x10 +[ 417.114694] ? __pfx_kthread+0x10/0x10 +[ 417.114697] ? __kasan_check_write+0x14/0x30 +[ 417.114699] ? recalc_sigpending+0x160/0x220 +[ 417.114703] ? _raw_spin_unlock_irq+0xe/0x50 +[ 417.114705] ? calculate_sigpending+0x78/0xb0 +[ 417.114707] ? __pfx_kthread+0x10/0x10 +[ 417.114710] ret_from_fork+0x2b6/0x380 +[ 417.114713] ? __pfx_kthread+0x10/0x10 +[ 417.114715] ret_from_fork_asm+0x1a/0x30 +[ 417.114720] + +[ 417.125171] Allocated by task 2: +[ 417.125333] kasan_save_stack+0x26/0x60 +[ 417.125522] kasan_save_track+0x14/0x40 +[ 417.125742] kasan_save_alloc_info+0x39/0x60 +[ 417.125945] __kasan_slab_alloc+0x8b/0xb0 +[ 417.126133] kmem_cache_alloc_node_noprof+0x13b/0x460 +[ 417.126381] copy_process+0x320/0x6250 +[ 417.126595] kernel_clone+0xb7/0x840 +[ 417.126792] kernel_thread+0xd6/0x120 +[ 417.126995] kthreadd+0x85c/0xbe0 +[ 417.127176] ret_from_fork+0x2b6/0x380 +[ 417.127378] ret_from_fork_asm+0x1a/0x30 + +[ 417.127692] Freed by task 0: +[ 417.127851] kasan_save_stack+0x26/0x60 +[ 417.128057] kasan_save_track+0x14/0x40 +[ 417.128267] kasan_save_free_info+0x3b/0x60 +[ 417.128491] __kasan_slab_free+0x6c/0xa0 +[ 417.128708] kmem_cache_free+0x182/0x550 +[ 417.128906] free_task+0xeb/0x140 +[ 417.129070] __put_task_struct+0x1d2/0x4f0 +[ 417.129259] __put_task_struct_rcu_cb+0x15/0x20 +[ 417.129480] rcu_do_batch+0x3d3/0xe70 +[ 417.129681] rcu_core+0x549/0xb30 +[ 417.129839] rcu_core_si+0xe/0x20 +[ 417.130005] handle_softirqs+0x160/0x570 +[ 417.130190] __irq_exit_rcu+0x189/0x1e0 +[ 417.130369] irq_exit_rcu+0xe/0x20 +[ 417.130531] 
sysvec_apic_timer_interrupt+0x9f/0xd0 +[ 417.130768] asm_sysvec_apic_timer_interrupt+0x1b/0x20 + +[ 417.131082] Last potentially related work creation: +[ 417.131305] kasan_save_stack+0x26/0x60 +[ 417.131484] kasan_record_aux_stack+0xae/0xd0 +[ 417.131695] __call_rcu_common+0xcd/0x14b0 +[ 417.131909] call_rcu+0x31/0x50 +[ 417.132071] delayed_put_task_struct+0x128/0x190 +[ 417.132295] rcu_do_batch+0x3d3/0xe70 +[ 417.132478] rcu_core+0x549/0xb30 +[ 417.132658] rcu_core_si+0xe/0x20 +[ 417.132808] handle_softirqs+0x160/0x570 +[ 417.132993] __irq_exit_rcu+0x189/0x1e0 +[ 417.133181] irq_exit_rcu+0xe/0x20 +[ 417.133353] sysvec_apic_timer_interrupt+0x9f/0xd0 +[ 417.133584] asm_sysvec_apic_timer_interrupt+0x1b/0x20 + +[ 417.133921] Second to last potentially related work creation: +[ 417.134183] kasan_save_stack+0x26/0x60 +[ 417.134362] kasan_record_aux_stack+0xae/0xd0 +[ 417.134566] __call_rcu_common+0xcd/0x14b0 +[ 417.134782] call_rcu+0x31/0x50 +[ 417.134929] put_task_struct_rcu_user+0x58/0xb0 +[ 417.135143] finish_task_switch.isra.0+0x5d3/0x830 +[ 417.135366] __schedule+0xd30/0x5100 +[ 417.135534] schedule_idle+0x5a/0x90 +[ 417.135712] do_idle+0x25f/0x410 +[ 417.135871] cpu_startup_entry+0x53/0x70 +[ 417.136053] start_secondary+0x216/0x2c0 +[ 417.136233] common_startup_64+0x13e/0x141 + +[ 417.136894] The buggy address belongs to the object at ffff888124870000 + which belongs to the cache task_struct of size 10504 +[ 417.138122] The buggy address is located 52 bytes inside of + freed 10504-byte region [ffff888124870000, ffff888124872908) + +[ 417.139465] The buggy address belongs to the physical page: +[ 417.140016] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 +pfn:0x124870 +[ 417.140789] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 +pincount:0 +[ 417.141519] memcg:ffff88811aa20e01 +[ 417.141874] anon flags: +0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff) +[ 417.142600] page_type: f5(slab) +[ 417.142922] raw: 0017ffffc0000040 
ffff88810094f040 0000000000000000 +dead000000000001 +[ 417.143554] raw: 0000000000000000 0000000000030003 00000000f5000000 +ffff88811aa20e01 +[ 417.143954] head: 0017ffffc0000040 ffff88810094f040 0000000000000000 +dead000000000001 +[ 417.144329] head: 0000000000000000 0000000000030003 00000000f5000000 +ffff88811aa20e01 +[ 417.144710] head: 0017ffffc0000003 ffffea0004921c01 00000000ffffffff +00000000ffffffff +[ 417.145106] head: ffffffffffffffff 0000000000000000 00000000ffffffff +0000000000000008 +[ 417.145485] page dumped because: kasan: bad access detected + +[ 417.145859] Memory state around the buggy address: +[ 417.146094] ffff88812486ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +fc +[ 417.146439] ffff88812486ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +fc +[ 417.146791] >ffff888124870000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb +fb +[ 417.147145] ^ +[ 417.147387] ffff888124870080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +fb +[ 417.147751] ffff888124870100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +fb +[ 417.148123] +================================================================== + +First of all, we have warning in get_bvec_at() because +cursor->total_resid contains zero value. And, finally, +we have crash in ceph_msg_data_advance() because +cursor->data is NULL. It means that get_bvec_at() +receives not initialized ceph_msg_data_cursor structure +because data is NULL and total_resid contains zero. + +Moreover, we don't have likewise issue for the case of +Ceph msgr1 protocol because ceph_msg_data_cursor_init() +has been called before reading sparse data. + +This patch adds calling of ceph_msg_data_cursor_init() +in the beginning of process_v2_sparse_read() with +the goal to guarantee that logic of reading sparse data +works correctly for the case of Ceph msgr2 protocol. 
+ +Cc: stable@vger.kernel.org +Link: https://tracker.ceph.com/issues/73152 +Signed-off-by: Viacheslav Dubeyko +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/messenger_v2.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/ceph/messenger_v2.c ++++ b/net/ceph/messenger_v2.c +@@ -1087,13 +1087,16 @@ static int decrypt_control_remainder(str + static int process_v2_sparse_read(struct ceph_connection *con, + struct page **pages, int spos) + { +- struct ceph_msg_data_cursor *cursor = &con->v2.in_cursor; ++ struct ceph_msg_data_cursor cursor; + int ret; + ++ ceph_msg_data_cursor_init(&cursor, con->in_msg, ++ con->in_msg->sparse_read_total); ++ + for (;;) { + char *buf = NULL; + +- ret = con->ops->sparse_read(con, cursor, &buf); ++ ret = con->ops->sparse_read(con, &cursor, &buf); + if (ret <= 0) + return ret; + +@@ -1111,11 +1114,11 @@ static int process_v2_sparse_read(struct + } else { + struct bio_vec bv; + +- get_bvec_at(cursor, &bv); ++ get_bvec_at(&cursor, &bv); + len = min_t(int, len, bv.bv_len); + memcpy_page(bv.bv_page, bv.bv_offset, + spage, soff, len); +- ceph_msg_data_advance(cursor, len); ++ ceph_msg_data_advance(&cursor, len); + } + spos += len; + ret -= len; diff --git a/queue-6.12/dm-verity-fix-unreliable-memory-allocation.patch b/queue-6.12/dm-verity-fix-unreliable-memory-allocation.patch new file mode 100644 index 0000000000..0352003577 --- /dev/null +++ b/queue-6.12/dm-verity-fix-unreliable-memory-allocation.patch 
@@ -0,0 +1,36 @@ +From fe680d8c747f4e676ac835c8c7fb0f287cd98758 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 17 Nov 2025 21:42:02 +0100 +Subject: dm-verity: fix unreliable memory allocation + +From: Mikulas Patocka + +commit fe680d8c747f4e676ac835c8c7fb0f287cd98758 upstream. + +GFP_NOWAIT allocation may fail anytime. It needs to be changed to +GFP_NOIO. There's no need to handle an error because mempool_alloc with +GFP_NOIO can't fail. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Reviewed-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-verity-fec.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/md/dm-verity-fec.c ++++ b/drivers/md/dm-verity-fec.c +@@ -331,11 +331,7 @@ static int fec_alloc_bufs(struct dm_veri + if (fio->bufs[n]) + continue; + +- fio->bufs[n] = mempool_alloc(&v->fec->prealloc_pool, GFP_NOWAIT); +- if (unlikely(!fio->bufs[n])) { +- DMERR("failed to allocate FEC buffer"); +- return -ENOMEM; +- } ++ fio->bufs[n] = mempool_alloc(&v->fec->prealloc_pool, GFP_NOIO); + } + + /* try to allocate the maximum number of buffers */ diff --git a/queue-6.12/drivers-usb-dwc3-fix-pci-parent-check.patch b/queue-6.12/drivers-usb-dwc3-fix-pci-parent-check.patch new file mode 100644 index 0000000000..a1cc4813c5 --- /dev/null +++ b/queue-6.12/drivers-usb-dwc3-fix-pci-parent-check.patch 
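Review bot: The new `fio->bufs[n] = mempool_alloc(&v->fec->prealloc_pool, GFP_NOIO);` line drops the NULL check without leaving any hint in the code why that is safe; the rationale lives only in the commit message. A one-line comment above the call, `/* GFP_NOIO mempool_alloc() never fails: it sleeps until an element is returned to the pool */`, would stop a later reader from re-adding the check or switching back to GFP_NOWAIT. This also turns a fail-fast path into one that can block until the pool refills, which is presumably acceptable in the context that calls fec_alloc_bufs(); the rest of that function, including the "try to allocate the maximum number of buffers" loop, is outside the hunk.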
@@ -0,0 +1,48 @@ +From 40f8d17eed7533ed2bbb5e3cc680049b19411b2e Mon Sep 17 00:00:00 2001 +From: Jamie Iles +Date: Fri, 7 Nov 2025 10:44:37 +0000 +Subject: drivers/usb/dwc3: fix PCI parent check + +From: Jamie Iles + +commit 40f8d17eed7533ed2bbb5e3cc680049b19411b2e upstream. + +The sysdev_is_parent check was being used to infer PCI devices that have +the DMA mask set from the PCI capabilities, but sysdev_is_parent is also +used for non-PCI ACPI devices in which case the DMA mask would be the +bus default or as set by the _DMA method. + +Without this fix the DMA mask would default to 32-bits and so allocation +would fail if there was no DRAM below 4GB. + +Fixes: 47ce45906ca9 ("usb: dwc3: leave default DMA for PCI devices") +Cc: stable +Signed-off-by: Jamie Iles +Signed-off-by: Punit Agrawal +Acked-by: Thinh Nguyen +Link: https://patch.msgid.link/20251107104437.1602509-1-punit.agrawal@oss.qualcomm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -2211,7 +2212,7 @@ static int dwc3_probe(struct platform_de + platform_set_drvdata(pdev, dwc); + dwc3_cache_hwparams(dwc); + +- if (!dwc->sysdev_is_parent && ++ if (!dev_is_pci(dwc->sysdev) && + DWC3_GHWPARAMS0_AWIDTH(dwc->hwparams.hwparams0) == 64) { + ret = dma_set_mask_and_coherent(dwc->sysdev, DMA_BIT_MASK(64)); + if (ret) diff --git a/queue-6.12/firmware-stratix10-svc-fix-bug-in-saving-controller-data.patch b/queue-6.12/firmware-stratix10-svc-fix-bug-in-saving-controller-data.patch new file mode 100644 index 0000000000..191655001b --- /dev/null +++ b/queue-6.12/firmware-stratix10-svc-fix-bug-in-saving-controller-data.patch 
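Review bot: The new condition `!dev_is_pci(dwc->sysdev)` carries no comment explaining why PCI parents are excluded from the 64-bit mask, so the next reader has to find the commit message or the earlier 47ce45906ca9 change to learn that PCI devices already get their DMA mask from the PCI core. A short comment above it, `/* PCI sysdevs already have their DMA mask set by the PCI core; only widen it for other parents */`, would make the intent local to the code. The added `#include` line's header name did not survive this rendering, so it cannot be checked here; dwc3_probe() continues outside the hunk.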
@@ -0,0 +1,69 @@ +From d0fcf70c680e4d1669fcb3a8632f41400b9a73c2 Mon Sep 17 00:00:00 2001 +From: Khairul Anuar Romli +Date: Mon, 3 Nov 2025 07:21:28 +0800 +Subject: firmware: stratix10-svc: fix bug in saving controller data + +From: Khairul Anuar Romli + +commit d0fcf70c680e4d1669fcb3a8632f41400b9a73c2 upstream. + +Fix the incorrect usage of platform_set_drvdata and dev_set_drvdata. They +both are of the same data and overrides each other. This resulted in the +rmmod of the svc driver to fail and throw a kernel panic for kthread_stop +and fifo free. + +Fixes: b5dc75c915cd ("firmware: stratix10-svc: extend svc to support new RSU features") +Cc: stable@vger.kernel.org # 6.6+ +Signed-off-by: Ang Tien Sung +Signed-off-by: Khairul Anuar Romli +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/stratix10-svc.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/firmware/stratix10-svc.c ++++ b/drivers/firmware/stratix10-svc.c +@@ -134,6 +134,7 @@ struct stratix10_svc_data { + * @complete_status: state for completion + * @svc_fifo_lock: protect access to service message data queue + * @invoke_fn: function to issue secure monitor call or hypervisor call ++ * @svc: manages the list of client svc drivers + * + * This struct is used to create communication channels for service clients, to + * handle secure monitor or hypervisor call. 
+@@ -150,6 +151,7 @@ struct stratix10_svc_controller { + struct completion complete_status; + spinlock_t svc_fifo_lock; + svc_invoke_fn *invoke_fn; ++ struct stratix10_svc *svc; + }; + + /** +@@ -1209,6 +1211,7 @@ static int stratix10_svc_drv_probe(struc + ret = -ENOMEM; + goto err_free_kfifo; + } ++ controller->svc = svc; + + svc->stratix10_svc_rsu = platform_device_alloc(STRATIX10_RSU, 0); + if (!svc->stratix10_svc_rsu) { +@@ -1240,8 +1243,6 @@ static int stratix10_svc_drv_probe(struc + if (ret) + goto err_unregister_fcs_dev; + +- dev_set_drvdata(dev, svc); +- + pr_info("Intel Service Layer Driver Initialized\n"); + + return 0; +@@ -1259,8 +1260,8 @@ err_destroy_pool: + + static void stratix10_svc_drv_remove(struct platform_device *pdev) + { +- struct stratix10_svc *svc = dev_get_drvdata(&pdev->dev); + struct stratix10_svc_controller *ctrl = platform_get_drvdata(pdev); ++ struct stratix10_svc *svc = ctrl->svc; + + of_platform_depopulate(ctrl->dev); + diff --git a/queue-6.12/mm-memfd-fix-information-leak-in-hugetlb-folios.patch b/queue-6.12/mm-memfd-fix-information-leak-in-hugetlb-folios.patch new file mode 100644 index 0000000000..48ba1e0ecd --- /dev/null +++ b/queue-6.12/mm-memfd-fix-information-leak-in-hugetlb-folios.patch 
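Review bot: The patch replaces `dev_get_drvdata(&pdev->dev)` with `ctrl->svc` only in stratix10_svc_drv_remove(), but dropping the `dev_set_drvdata(dev, svc)` call changes what every remaining `dev_get_drvdata()` on this device returns (the controller now, not the svc), so any other such caller in the driver would silently receive the wrong object; that is worth a grep before backporting. `controller->svc = svc;` is assigned while later probe steps can still fail, which is fine since remove is not invoked on probe failure, but a brief comment next to the assignment, `/* remove() reaches svc through the controller drvdata */`, would document the new ownership path. Both the probe and remove bodies extend outside the hunk.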
@@ -0,0 +1,94 @@ +From de8798965fd0d9a6c47fc2ac57767ec32de12b49 Mon Sep 17 00:00:00 2001 +From: Deepanshu Kartikey +Date: Wed, 12 Nov 2025 20:20:34 +0530 +Subject: mm/memfd: fix information leak in hugetlb folios + +From: Deepanshu Kartikey + +commit de8798965fd0d9a6c47fc2ac57767ec32de12b49 upstream. + +When allocating hugetlb folios for memfd, three initialization steps are +missing: + +1. Folios are not zeroed, leading to kernel memory disclosure to userspace +2. Folios are not marked uptodate before adding to page cache +3. hugetlb_fault_mutex is not taken before hugetlb_add_to_page_cache() + +The memfd allocation path bypasses the normal page fault handler +(hugetlb_no_page) which would handle all of these initialization steps. +This is problematic especially for udmabuf use cases where folios are +pinned and directly accessed by userspace via DMA. + +Fix by matching the initialization pattern used in hugetlb_no_page(): +- Zero the folio using folio_zero_user() which is optimized for huge pages +- Mark it uptodate with folio_mark_uptodate() +- Take hugetlb_fault_mutex before adding to page cache to prevent races + +The folio_zero_user() change also fixes a potential security issue where +uninitialized kernel memory could be disclosed to userspace through read() +or mmap() operations on the memfd. 
+ +Link: https://lkml.kernel.org/r/20251112145034.2320452-1-kartikey406@gmail.com +Fixes: 89c1905d9c14 ("mm/gup: introduce memfd_pin_folios() for pinning memfd folios") +Signed-off-by: Deepanshu Kartikey +Reported-by: syzbot+f64019ba229e3a5c411b@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/20251112031631.2315651-1-kartikey406@gmail.com/ [v1] +Closes: https://syzkaller.appspot.com/bug?extid=f64019ba229e3a5c411b +Suggested-by: Oscar Salvador +Suggested-by: David Hildenbrand +Tested-by: syzbot+f64019ba229e3a5c411b@syzkaller.appspotmail.com +Acked-by: Oscar Salvador +Acked-by: David Hildenbrand (Red Hat) +Acked-by: Hugh Dickins +Cc: Vivek Kasireddy +Cc: Jason Gunthorpe +Cc: Jason Gunthorpe (v2) +Cc: Christoph Hellwig (v6) +Cc: Dave Airlie +Cc: Gerd Hoffmann +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/memfd.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +--- a/mm/memfd.c ++++ b/mm/memfd.c +@@ -90,9 +90,36 @@ struct folio *memfd_alloc_folio(struct f + NULL, + gfp_mask); + if (folio) { ++ u32 hash; ++ ++ /* ++ * Zero the folio to prevent information leaks to userspace. ++ * Use folio_zero_user() which is optimized for huge/gigantic ++ * pages. Pass 0 as addr_hint since this is not a faulting path ++ * and we don't have a user virtual address yet. ++ */ ++ folio_zero_user(folio, 0); ++ ++ /* ++ * Mark the folio uptodate before adding to page cache, ++ * as required by filemap.c and other hugetlb paths. ++ */ ++ __folio_mark_uptodate(folio); ++ ++ /* ++ * Serialize hugepage allocation and instantiation to prevent ++ * races with concurrent allocations, as required by all other ++ * callers of hugetlb_add_to_page_cache(). 
++ */ ++ hash = hugetlb_fault_mutex_hash(memfd->f_mapping, idx); ++ mutex_lock(&hugetlb_fault_mutex_table[hash]); ++ + err = hugetlb_add_to_page_cache(folio, + memfd->f_mapping, + idx); ++ ++ mutex_unlock(&hugetlb_fault_mutex_table[hash]); ++ + if (err) { + folio_put(folio); + return ERR_PTR(err); diff --git a/queue-6.12/mmc-sdhci-of-dwcmshc-promote-the-th1520-reset-handling-to-ip-level.patch b/queue-6.12/mmc-sdhci-of-dwcmshc-promote-the-th1520-reset-handling-to-ip-level.patch new file mode 100644 index 0000000000..3387e2e6d5 --- /dev/null +++ b/queue-6.12/mmc-sdhci-of-dwcmshc-promote-the-th1520-reset-handling-to-ip-level.patch 
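Review bot: The code calls `__folio_mark_uptodate(folio)` while the commit message says `folio_mark_uptodate()`; the double-underscore variant uses a non-atomic flag update, which is only safe while the folio is not yet visible to anyone else and is presumably intended here, but the message and the in-code comment should name the same helper so the choice reads as deliberate. The ordering in the hunk is what makes the disclosure fix hold: `folio_zero_user()` runs before `hugetlb_add_to_page_cache()` makes the folio reachable, and the error-path `folio_put()` runs after the mutex is released. memfd_alloc_folio() starts and ends outside the hunk.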
@@ -0,0 +1,95 @@ +From 747528729c9b6733839f9c95f300d5bef95ee52c Mon Sep 17 00:00:00 2001 +From: Jisheng Zhang +Date: Mon, 17 Nov 2025 08:01:32 +0800 +Subject: mmc: sdhci-of-dwcmshc: Promote the th1520 reset handling to ip level + +From: Jisheng Zhang + +commit 747528729c9b6733839f9c95f300d5bef95ee52c upstream. + +Commit 27e8fe0da3b7 ("mmc: sdhci-of-dwcmshc: Prevent stale command +interrupt handling") clears pending interrupts when resetting +host->pending_reset to ensure no pending stale interrupts after +sdhci_threaded_irq restores interrupts. But this fix is only added for +th1520 platforms, in fact per my test, this issue exists on all +dwcmshc users, such as cv1800b, sg2002, and synaptics platforms. + +So promote the above reset handling from th1520 to ip level. And keep +reset handling on rk, sg2042 and bf3 as is, until it's confirmed that +the same issue exists on these platforms too. + +Fixes: 017199c2849c ("mmc: sdhci-of-dwcmshc: Add support for Sophgo CV1800B and SG2002") +Signed-off-by: Jisheng Zhang +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-of-dwcmshc.c | 29 +++++++++++++++++------------ + 1 file changed, 17 insertions(+), 12 deletions(-) + +--- a/drivers/mmc/host/sdhci-of-dwcmshc.c ++++ b/drivers/mmc/host/sdhci-of-dwcmshc.c +@@ -289,6 +289,19 @@ static void dwcmshc_adma_write_desc(stru + sdhci_adma_write_desc(host, desc, addr, len, cmd); + } + ++static void dwcmshc_reset(struct sdhci_host *host, u8 mask) ++{ ++ sdhci_reset(host, mask); ++ ++ /* The dwcmshc does not comply with the SDHCI specification ++ * regarding the "Software Reset for CMD line should clear 'Command ++ * Complete' in the Normal Interrupt Status Register." Clear the bit ++ * here to compensate for this quirk. 
++ */ ++ if (mask & SDHCI_RESET_CMD) ++ sdhci_writel(host, SDHCI_INT_RESPONSE, SDHCI_INT_STATUS); ++} ++ + static unsigned int dwcmshc_get_max_clock(struct sdhci_host *host) + { + struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); +@@ -874,15 +887,7 @@ static void th1520_sdhci_reset(struct sd + struct dwcmshc_priv *priv = sdhci_pltfm_priv(pltfm_host); + u16 ctrl_2; + +- sdhci_reset(host, mask); +- +- /* The T-Head 1520 SoC does not comply with the SDHCI specification +- * regarding the "Software Reset for CMD line should clear 'Command +- * Complete' in the Normal Interrupt Status Register." Clear the bit +- * here to compensate for this quirk. +- */ +- if (mask & SDHCI_RESET_CMD) +- sdhci_writel(host, SDHCI_INT_RESPONSE, SDHCI_INT_STATUS); ++ dwcmshc_reset(host, mask); + + if (priv->flags & FLAG_IO_FIXED_1V8) { + ctrl_2 = sdhci_readw(host, SDHCI_HOST_CONTROL2); +@@ -928,7 +933,7 @@ static void cv18xx_sdhci_reset(struct sd + struct dwcmshc_priv *priv = sdhci_pltfm_priv(pltfm_host); + u32 val, emmc_caps = MMC_CAP2_NO_SD | MMC_CAP2_NO_SDIO; + +- sdhci_reset(host, mask); ++ dwcmshc_reset(host, mask); + + if ((host->mmc->caps2 & emmc_caps) == emmc_caps) { + val = sdhci_readl(host, priv->vendor_specific_area1 + CV18XX_SDHCI_MSHC_CTRL); +@@ -1000,7 +1005,7 @@ static void cv18xx_sdhci_post_tuning(str + val |= SDHCI_INT_DATA_AVAIL; + sdhci_writel(host, val, SDHCI_INT_STATUS); + +- sdhci_reset(host, SDHCI_RESET_CMD | SDHCI_RESET_DATA); ++ dwcmshc_reset(host, SDHCI_RESET_CMD | SDHCI_RESET_DATA); + } + + static int cv18xx_sdhci_execute_tuning(struct sdhci_host *host, u32 opcode) +@@ -1142,7 +1147,7 @@ static const struct sdhci_ops sdhci_dwcm + .set_bus_width = sdhci_set_bus_width, + .set_uhs_signaling = dwcmshc_set_uhs_signaling, + .get_max_clock = dwcmshc_get_max_clock, +- .reset = sdhci_reset, ++ .reset = dwcmshc_reset, + .adma_write_desc = dwcmshc_adma_write_desc, + .irq = dwcmshc_cqe_irq_handler, + }; 
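Review bot: The new dwcmshc_reset() has no comment saying it is now the common reset for the IP, nor that the rk, sg2042 and bf3 ops deliberately keep `.reset = sdhci_reset`; that split is explained only in the commit message, and a reader of the ops tables is likely to take it for an oversight. A short note above the function, `/* Common reset for dwcmshc variants; rk/sg2042/bf3 still use plain sdhci_reset() until the quirk is confirmed there */`, would preserve the intent. Note also that cv18xx_sdhci_post_tuning() now clears `SDHCI_INT_RESPONSE` right after its explicit `sdhci_writel(host, val, SDHCI_INT_STATUS)`, a small behaviour change for cv18xx that the message attributes to the same stale-interrupt problem.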
diff --git a/queue-6.12/mptcp-clear-scheduled-subflows-on-retransmit.patch b/queue-6.12/mptcp-clear-scheduled-subflows-on-retransmit.patch
new file mode 100644
index 0000000000..9938bddf1e
--- /dev/null
+++ b/queue-6.12/mptcp-clear-scheduled-subflows-on-retransmit.patch
@@ -0,0 +1,68 @@ +From 27fd02860164bfa78cec2640dfad630d832e302c Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Tue, 25 Nov 2025 17:59:11 +0100 +Subject: mptcp: clear scheduled subflows on retransmit + +From: Paolo Abeni + +commit 27fd02860164bfa78cec2640dfad630d832e302c upstream. + +When __mptcp_retrans() kicks-in, it schedules one or more subflows for +retransmission, but such subflows could be actually left alone if there +is no more data to retransmit and/or in case of concurrent fallback. + +Scheduled subflows could be processed much later in time, i.e. when new +data will be transmitted, leading to bad subflow selection. + +Explicitly clear all scheduled subflows before leaving the +retransmission function. + +Fixes: ee2708aedad0 ("mptcp: use get_retrans wrapper") +Cc: stable@vger.kernel.org +Reported-by: Filip Pokryvka +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20251125-net-mptcp-clear-sched-rtx-v1-1-1cea4ad2165f@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -2721,7 +2721,7 @@ static void __mptcp_retrans(struct sock + } + + if (!mptcp_send_head(sk)) +- return; ++ goto clear_scheduled; + + goto reset_timer; + } +@@ -2752,7 +2752,7 @@ static void __mptcp_retrans(struct sock + if (__mptcp_check_fallback(msk)) { + spin_unlock_bh(&msk->fallback_lock); + release_sock(ssk); +- return; ++ goto clear_scheduled; + } + + while (info.sent < info.limit) { +@@ -2784,6 +2784,15 @@ reset_timer: + + if (!mptcp_rtx_timer_pending(sk)) + mptcp_reset_rtx_timer(sk); ++ ++clear_scheduled: ++ /* If no rtx data was available or in case of fallback, there ++ * could be left-over scheduled subflows; clear them all ++ * or later xmit could use bad ones ++ */ ++ mptcp_for_each_subflow(msk, subflow) ++ if 
(READ_ONCE(subflow->scheduled)) ++ mptcp_subflow_set_scheduled(subflow, false); + } + + /* schedule the timeout timer for the relevant event: either close timeout diff --git a/queue-6.12/mptcp-initialise-rcv_mss-before-calling-tcp_send_active_reset-in-mptcp_do_fastclose.patch b/queue-6.12/mptcp-initialise-rcv_mss-before-calling-tcp_send_active_reset-in-mptcp_do_fastclose.patch new file mode 100644 index 0000000000..2a039d1e9f --- /dev/null +++ b/queue-6.12/mptcp-initialise-rcv_mss-before-calling-tcp_send_active_reset-in-mptcp_do_fastclose.patch 
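Review bot: The comment above `clear_scheduled:` mentions only the no-data and fallback cases, but the label is also reached by fall-through from `reset_timer:` after `mptcp_reset_rtx_timer(sk)`, so the scheduled flags are now cleared on every exit of __mptcp_retrans(); wording it as `/* Clear any left-over scheduled subflows on every exit path: with no rtx data or after fallback, later xmit could otherwise use bad ones */` would match the control flow. The walk over `mptcp_for_each_subflow(msk, subflow)` presumably relies on the msk socket lock the caller holds, as the other list walks in this function do. `subflow` itself is declared outside the hunk, as is the function's start.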
@@ -0,0 +1,90 @@ +From f07f4ea53e22429c84b20832fa098b5ecc0d4e35 Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Tue, 25 Nov 2025 19:53:29 +0000 +Subject: mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose(). + +From: Kuniyuki Iwashima + +commit f07f4ea53e22429c84b20832fa098b5ecc0d4e35 upstream. + +syzbot reported divide-by-zero in __tcp_select_window() by +MPTCP socket. [0] + +We had a similar issue for the bare TCP and fixed in commit +499350a5a6e7 ("tcp: initialize rcv_mss to TCP_MIN_MSS instead +of 0"). + +Let's apply the same fix to mptcp_do_fastclose(). + +[0]: +Oops: divide error: 0000 [#1] SMP KASAN PTI +CPU: 0 UID: 0 PID: 6068 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 +RIP: 0010:__tcp_select_window+0x824/0x1320 net/ipv4/tcp_output.c:3336 +Code: ff ff ff 44 89 f1 d3 e0 89 c1 f7 d1 41 01 cc 41 21 c4 e9 a9 00 00 00 e8 ca 49 01 f8 e9 9c 00 00 00 e8 c0 49 01 f8 44 89 e0 99 7c 24 1c 41 29 d4 48 bb 00 00 00 00 00 fc ff df e9 80 00 00 00 +RSP: 0018:ffffc90003017640 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88807b469e40 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: ffffc90003017730 R08: ffff888033268143 R09: 1ffff1100664d028 +R10: dffffc0000000000 R11: ffffed100664d029 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +FS: 000055557faa0500(0000) GS:ffff888126135000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f64a1912ff8 CR3: 0000000072122000 CR4: 00000000003526f0 +Call Trace: + + tcp_select_window net/ipv4/tcp_output.c:281 [inline] + __tcp_transmit_skb+0xbc7/0x3aa0 net/ipv4/tcp_output.c:1568 + tcp_transmit_skb net/ipv4/tcp_output.c:1649 [inline] + tcp_send_active_reset+0x2d1/0x5b0 net/ipv4/tcp_output.c:3836 + mptcp_do_fastclose+0x27e/0x380 net/mptcp/protocol.c:2793 + 
mptcp_disconnect+0x238/0x710 net/mptcp/protocol.c:3253 + mptcp_sendmsg_fastopen+0x2f8/0x580 net/mptcp/protocol.c:1776 + mptcp_sendmsg+0x1774/0x1980 net/mptcp/protocol.c:1855 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg+0xe5/0x270 net/socket.c:742 + __sys_sendto+0x3bd/0x520 net/socket.c:2244 + __do_sys_sendto net/socket.c:2251 [inline] + __se_sys_sendto net/socket.c:2247 [inline] + __x64_sys_sendto+0xde/0x100 net/socket.c:2247 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f66e998f749 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffff9acedb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 00007f66e9be5fa0 RCX: 00007f66e998f749 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 +RBP: 00007ffff9acee10 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 +R13: 00007f66e9be5fa0 R14: 00007f66e9be5fa0 R15: 0000000000000006 + + +Fixes: ae155060247b ("mptcp: fix duplicate reset on fastclose") +Reported-by: syzbot+3a92d359bc2ec6255a33@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/69260882.a70a0220.d98e3.00b4.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Matthieu Baerts (NGI0) +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251125195331.309558-1-kuniyu@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -2854,6 +2854,12 @@ static void mptcp_do_fastclose(struct so + goto unlock; + + subflow->send_fastclose = 1; ++ ++ /* Initialize rcv_mss to TCP_MIN_MSS to avoid 
division by 0 ++ * issue in __tcp_select_window(), see tcp_disconnect(). ++ */ ++ inet_csk(ssk)->icsk_ack.rcv_mss = TCP_MIN_MSS; ++ + tcp_send_active_reset(ssk, ssk->sk_allocation, + SK_RST_REASON_TCP_ABORT_ON_CLOSE); + unlock: diff --git a/queue-6.12/nvmem-layouts-fix-nvmem_layout_bus_uevent.patch b/queue-6.12/nvmem-layouts-fix-nvmem_layout_bus_uevent.patch new file mode 100644 index 0000000000..caf49792f0 --- /dev/null +++ b/queue-6.12/nvmem-layouts-fix-nvmem_layout_bus_uevent.patch @@ -0,0 +1,40 @@ +From 03bc4831ef064e114328dea906101cff7c6fb8b3 Mon Sep 17 00:00:00 2001 +From: Wentao Guan +Date: Fri, 14 Nov 2025 11:05:39 +0000 +Subject: nvmem: layouts: fix nvmem_layout_bus_uevent + +From: Wentao Guan + +commit 03bc4831ef064e114328dea906101cff7c6fb8b3 upstream. + +correctly check the ENODEV return value. + +Fixes: 810b790033cc ("nvmem: layouts: fix automatic module loading") +CC: stable@vger.kernel.org +Co-developed-by: WangYuli +Signed-off-by: WangYuli +Signed-off-by: Wentao Guan +Signed-off-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20251114110539.143154-1-srini@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvmem/layouts.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvmem/layouts.c b/drivers/nvmem/layouts.c +index f381ce1e84bd..7ebe53249035 100644 +--- a/drivers/nvmem/layouts.c ++++ b/drivers/nvmem/layouts.c +@@ -51,7 +51,7 @@ static int nvmem_layout_bus_uevent(const struct device *dev, + int ret; + + ret = of_device_uevent_modalias(dev, env); +- if (ret != ENODEV) ++ if (ret != -ENODEV) + return ret; + + return 0; +-- +2.52.0 + diff --git a/queue-6.12/serial-amba-pl011-prefer-dma_mapping_error-over-explicit-address-checking.patch b/queue-6.12/serial-amba-pl011-prefer-dma_mapping_error-over-explicit-address-checking.patch new file mode 100644 index 0000000000..45ec22db99 --- /dev/null 
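Review bot: `inet_csk(ssk)->icsk_ack.rcv_mss = TCP_MIN_MSS;` overwrites the field even on subflows that already carry a measured value; tcp_disconnect() does the same on a socket being torn down, and since `ssk` is about to receive a RST the loss is harmless, but an `if (!inet_csk(ssk)->icsk_ack.rcv_mss)` guard would make the intent (initialise the never-set case from the syzbot trace) visible and avoid the question. It would also be worth checking other `tcp_send_active_reset()` call sites in net/mptcp for subflows that can reach them before any data was received, since the trace shows this one reached from mptcp_sendmsg_fastopen() via mptcp_disconnect(). mptcp_do_fastclose() starts outside the hunk.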
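Review bot: With the sign fixed, the `return 0` after `if (ret != -ENODEV)` silently swallows the one error it now recognises, and nothing in the function says why; a comment such as `/* -ENODEV: no OF node behind this device, so there is no modalias to add */` would tell the reader the swallowing is intentional. The old `ENODEV` comparison could never match a negative return, so every device without an OF node used to fail the uevent, which is presumably the module-autoloading breakage the Fixes: line refers to. nvmem_layout_bus_uevent() starts outside the hunk.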
+++ b/queue-6.12/serial-amba-pl011-prefer-dma_mapping_error-over-explicit-address-checking.patch @@ -0,0 +1,41 @@ +From eb4917f557d43c7a1c805dd73ffcdfddb2aba39a Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Mon, 27 Oct 2025 17:20:50 +0800 +Subject: serial: amba-pl011: prefer dma_mapping_error() over explicit address checking + +From: Miaoqian Lin + +commit eb4917f557d43c7a1c805dd73ffcdfddb2aba39a upstream. + +Check for returned DMA addresses using specialized dma_mapping_error() +helper which is generally recommended for this purpose by +Documentation/core-api/dma-api.rst: + + "In some circumstances dma_map_single(), ... +will fail to create a mapping. A driver can check for these errors +by testing the returned DMA address with dma_mapping_error()." + +Found via static analysis and this is similar to commit fa0308134d26 +("ALSA: memalloc: prefer dma_mapping_error() over explicit address checking") + +Fixes: 58ac1b379979 ("ARM: PL011: Fix DMA support") +Cc: stable +Signed-off-by: Miaoqian Lin +Reviewed-by: Gregory CLEMENT +Link: https://patch.msgid.link/20251027092053.87937-1-linmq006@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/amba-pl011.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/serial/amba-pl011.c ++++ b/drivers/tty/serial/amba-pl011.c +@@ -618,7 +618,7 @@ static int pl011_dma_tx_refill(struct ua + dmatx->len = count; + dmatx->dma = dma_map_single(dma_dev->dev, dmatx->buf, count, + DMA_TO_DEVICE); +- if (dmatx->dma == DMA_MAPPING_ERROR) { ++ if (dma_mapping_error(dma_dev->dev, dmatx->dma)) { + uap->dmatx.queued = false; + dev_dbg(uap->port.dev, "unable to map TX DMA\n"); + return -EBUSY; diff --git a/queue-6.12/series b/queue-6.12/series index 91034adc79..6a89557326 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
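Review bot: `dmatx->len = count;` is assigned two lines before the mapping and is left in place when `dma_mapping_error()` fires, so on the -EBUSY path the dmatx descriptor describes a mapping that never existed; resetting it with `dmatx->len = 0;` before the return would keep the state consistent for any cleanup that unmaps by length, though whether such a path exists cannot be seen from this hunk. The switch to `dma_mapping_error()` is the right call since it also lets DMA-API debugging account for the check. pl011_dma_tx_refill() continues outside the hunk.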
@@ -63,3 +63,24 @@ iio-adc-rtq6056-correct-the-sign-bit-index.patch mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch mips-mm-kmalloc-tlb_vpn-array-to-avoid-stack-overflow.patch tracing-fix-warn_on-in-tracing_buffers_mmap_close-for-split-vmas.patch +alsa-usb-audio-add-dsd-quirk-for-leak-stereo-230.patch +arm64-dts-imx8dxl-ss-conn-swap-interrupts-number-of-eqos.patch +arm64-dts-imx8qm-mek-fix-mux-controller-select-enable-gpios-polarity.patch +arm-dts-nxp-imx6ul-correct-sai3-interrupt-line.patch +atm-fore200e-fix-possible-data-race-in-fore200e_open.patch +bluetooth-btusb-mediatek-avoid-btusb_mtk_claim_iso_intf-null-deref.patch +can-sja1000-fix-max-irq-loop-handling.patch +can-sun4i_can-sun4i_can_interrupt-fix-max-irq-loop-handling.patch +ceph-fix-crash-in-process_v2_sparse_read-for-encrypted-directories.patch +dm-verity-fix-unreliable-memory-allocation.patch +drivers-usb-dwc3-fix-pci-parent-check.patch +smb-client-fix-memory-leak-in-cifs_construct_tcon.patch +thunderbolt-add-support-for-intel-wildcat-lake.patch +slimbus-ngd-fix-reference-count-leak-in-qcom_slim_ngd_notify_slaves.patch +nvmem-layouts-fix-nvmem_layout_bus_uevent.patch +firmware-stratix10-svc-fix-bug-in-saving-controller-data.patch +mm-memfd-fix-information-leak-in-hugetlb-folios.patch +mmc-sdhci-of-dwcmshc-promote-the-th1520-reset-handling-to-ip-level.patch +mptcp-clear-scheduled-subflows-on-retransmit.patch +mptcp-initialise-rcv_mss-before-calling-tcp_send_active_reset-in-mptcp_do_fastclose.patch +serial-amba-pl011-prefer-dma_mapping_error-over-explicit-address-checking.patch diff --git a/queue-6.12/slimbus-ngd-fix-reference-count-leak-in-qcom_slim_ngd_notify_slaves.patch b/queue-6.12/slimbus-ngd-fix-reference-count-leak-in-qcom_slim_ngd_notify_slaves.patch new file mode 100644 index 0000000000..e9e597af9b --- /dev/null +++ b/queue-6.12/slimbus-ngd-fix-reference-count-leak-in-qcom_slim_ngd_notify_slaves.patch 
@@ -0,0 +1,38 @@ +From 96cf8500934e0ce2a6c486f1dbc3b1fff12f7a5e Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Mon, 27 Oct 2025 14:06:01 +0800 +Subject: slimbus: ngd: Fix reference count leak in qcom_slim_ngd_notify_slaves + +From: Miaoqian Lin + +commit 96cf8500934e0ce2a6c486f1dbc3b1fff12f7a5e upstream. + +The function qcom_slim_ngd_notify_slaves() calls of_slim_get_device() which +internally uses device_find_child() to obtain a device reference. +According to the device_find_child() documentation, +the caller must drop the reference with put_device() after use. + +Found via static analysis and this is similar to commit 4e65bda8273c +("ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()") + +Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver") +Cc: stable +Signed-off-by: Miaoqian Lin +Reviewed-by: Dmitry Baryshkov +Link: https://patch.msgid.link/20251027060601.33228-1-linmq006@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/slimbus/qcom-ngd-ctrl.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/slimbus/qcom-ngd-ctrl.c ++++ b/drivers/slimbus/qcom-ngd-ctrl.c +@@ -1241,6 +1241,7 @@ static void qcom_slim_ngd_notify_slaves( + + if (slim_get_logical_addr(sbdev)) + dev_err(ctrl->dev, "Failed to get logical address\n"); ++ put_device(&sbdev->dev); + } + } + diff --git a/queue-6.12/smb-client-fix-memory-leak-in-cifs_construct_tcon.patch b/queue-6.12/smb-client-fix-memory-leak-in-cifs_construct_tcon.patch new file mode 100644 index 0000000000..ff67b754c3 --- /dev/null +++ b/queue-6.12/smb-client-fix-memory-leak-in-cifs_construct_tcon.patch 
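Review bot: The new `put_device(&sbdev->dev);` sits at the very end of the loop body, so it balances the reference only for iterations that reach that point; the loop head and anything between `of_slim_get_device()` and the `dev_err()` are outside the hunk, and an early `continue` there would still leak, so the full body should be checked before backporting. If the body holds more than these two statements, placing the put right after the last use of `sbdev`, or routing every iteration through one exit point, is safer than appending it at the bottom. qcom_slim_ngd_notify_slaves() starts outside the hunk.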
@@ -0,0 +1,65 @@
+From 3184b6a5a24ec9ee74087b2a550476f386df7dc2 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara
+Date: Mon, 24 Nov 2025 17:00:36 -0300
+Subject: smb: client: fix memory leak in cifs_construct_tcon()
+
+From: Paulo Alcantara
+
+commit 3184b6a5a24ec9ee74087b2a550476f386df7dc2 upstream.
+
+When having a multiuser mount with domain= specified and using
+cifscreds, cifs_set_cifscreds() will end up setting @ctx->domainname,
+so it needs to be freed before leaving cifs_construct_tcon().
+
+This fixes the following memory leak reported by kmemleak:
+
+ mount.cifs //srv/share /mnt -o domain=ZELDA,multiuser,...
+ su - testuser
+ cifscreds add -d ZELDA -u testuser
+ ...
+ ls /mnt/1
+ ...
+ umount /mnt
+ echo scan > /sys/kernel/debug/kmemleak
+ cat /sys/kernel/debug/kmemleak
+ unreferenced object 0xffff8881203c3f08 (size 8):
+ comm "ls", pid 5060, jiffies 4307222943
+ hex dump (first 8 bytes):
+ 5a 45 4c 44 41 00 cc cc ZELDA...
+ backtrace (crc d109a8cf):
+ __kmalloc_node_track_caller_noprof+0x572/0x710
+ kstrdup+0x3a/0x70
+ cifs_sb_tlink+0x1209/0x1770 [cifs]
+ cifs_get_fattr+0xe1/0xf50 [cifs]
+ cifs_get_inode_info+0xb5/0x240 [cifs]
+ cifs_revalidate_dentry_attr+0x2d1/0x470 [cifs]
+ cifs_getattr+0x28e/0x450 [cifs]
+ vfs_getattr_nosec+0x126/0x180
+ vfs_statx+0xf6/0x220
+ do_statx+0xab/0x110
+ __x64_sys_statx+0xd5/0x130
+ do_syscall_64+0xbb/0x380
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: f2aee329a68f ("cifs: set domainName when a domain-key is used in multiuser")
+Signed-off-by: Paulo Alcantara (Red Hat)
+Reviewed-by: David Howells
+Cc: Jay Shin
+Cc: stable@vger.kernel.org
+Cc: linux-cifs@vger.kernel.org
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/connect.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -4227,6 +4227,7 @@ cifs_construct_tcon(struct cifs_sb_info
+
+ out:
+ kfree(ctx->username);
++ kfree(ctx->domainname);
+ kfree_sensitive(ctx->password);
+ kfree(origin_fullpath);
+ kfree(ctx);
diff --git a/queue-6.12/thunderbolt-add-support-for-intel-wildcat-lake.patch b/queue-6.12/thunderbolt-add-support-for-intel-wildcat-lake.patch
new file mode 100644
index 0000000000..06b18e9faf
--- /dev/null
+++ b/queue-6.12/thunderbolt-add-support-for-intel-wildcat-lake.patch
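Review bot: The added `kfree(ctx->domainname);` at the shared `out:` label runs on every exit path of cifs_construct_tcon(), so it is only correct if each assignment to `ctx->domainname` before `out:` hands over an owned allocation; if any path stores a pointer borrowed from the master session rather than a copy (the kmemleak backtrace shows the cifscreds path allocating via kstrdup), this kfree becomes a double free or use-after-free on that path. The function body starts outside the hunk, so that cannot be confirmed here and should be checked in the 6.12 tree before the backport lands. A short comment at the label, e.g. `/* username/domainname are owned copies set by cifs_set_cifscreds(); free them here */`, would document the ownership this cleanup depends on. Using plain `kfree()` for the domain name while the password goes through `kfree_sensitive()` is consistent, since only the password needs to be zeroed.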
@@ -0,0 +1,43 @@
+From 3575254546a27210a4b661ea37fbbfb836c0815d Mon Sep 17 00:00:00 2001
+From: Alan Borzeszkowski
+Date: Thu, 14 Nov 2024 10:55:44 +0100
+Subject: thunderbolt: Add support for Intel Wildcat Lake
+
+From: Alan Borzeszkowski
+
+commit 3575254546a27210a4b661ea37fbbfb836c0815d upstream.
+
+Intel Wildcat Lake derives its Thunderbolt/USB4 controller from Lunar
+Lake platform. Add Wildcat Lake PCI ID to the driver list of supported
+devices.
+
+Signed-off-by: Alan Borzeszkowski
+Cc: stable@vger.kernel.org
+Signed-off-by: Mika Westerberg
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/thunderbolt/nhi.c | 2 ++
+ drivers/thunderbolt/nhi.h | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/thunderbolt/nhi.c
++++ b/drivers/thunderbolt/nhi.c
+@@ -1528,6 +1528,8 @@ static struct pci_device_id nhi_ids[] =
+ .driver_data = (kernel_ulong_t)&icl_nhi_ops },
+ { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_PTL_P_NHI1),
+ .driver_data = (kernel_ulong_t)&icl_nhi_ops },
++ { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_WCL_NHI0),
++ .driver_data = (kernel_ulong_t)&icl_nhi_ops },
+ { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HOST_80G_NHI) },
+ { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HOST_40G_NHI) },
+
+--- a/drivers/thunderbolt/nhi.h
++++ b/drivers/thunderbolt/nhi.h
+@@ -75,6 +75,7 @@ extern const struct tb_nhi_ops icl_nhi_o
+ #define PCI_DEVICE_ID_INTEL_TITAN_RIDGE_DD_BRIDGE 0x15ef
+ #define PCI_DEVICE_ID_INTEL_ADL_NHI0 0x463e
+ #define PCI_DEVICE_ID_INTEL_ADL_NHI1 0x466d
++#define PCI_DEVICE_ID_INTEL_WCL_NHI0 0x4d33
+ #define PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HOST_80G_NHI 0x5781
+ #define PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HOST_40G_NHI 0x5784
+ #define PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HUB_80G_BRIDGE 0x5786
--
2.47.3