From aa1c346cf76cff93bf44b060f5bfd7bd5040c070 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 15 Nov 2025 08:20:52 -0500 Subject: [PATCH] Fixes for all trees Signed-off-by: Sasha Levin --- ...correct-device-handle-check-for-gene.patch | 41 +++ ...ix-null-pointer-dereference-in-snd_u.patch | 49 +++ ...-fix-regulator-leak-on-probe-failure.patch | 67 ++++ ...ate-command-header-size-against-svga.patch | 44 +++ ...fix-gpio-descriptor-leak-on-register.patch | 42 +++ ...fixed-use-dev_err_probe-for-register.patch | 40 +++ queue-5.10/series | 6 + ...correct-device-handle-check-for-gene.patch | 41 +++ ...ix-null-pointer-dereference-in-snd_u.patch | 49 +++ ...-fix-regulator-leak-on-probe-failure.patch | 67 ++++ ...ate-command-header-size-against-svga.patch | 44 +++ ...orrect-parameter-when-calling-nfs4_c.patch | 56 +++ ...fix-gpio-descriptor-leak-on-register.patch | 42 +++ queue-5.15/series | 6 + ...ix-null-pointer-dereference-in-snd_u.patch | 49 +++ ...-fix-regulator-leak-on-probe-failure.patch | 67 ++++ ...ate-command-header-size-against-svga.patch | 44 +++ ...fix-gpio-descriptor-leak-on-register.patch | 42 +++ ...fixed-use-dev_err_probe-for-register.patch | 40 +++ queue-5.4/series | 5 + ...correct-device-handle-check-for-gene.patch | 41 +++ ...ix-null-pointer-dereference-in-snd_u.patch | 49 +++ ...acro-fix-resource-leak-in-probe-erro.patch | 44 +++ ...-fix-regulator-leak-on-probe-failure.patch | 67 ++++ ...ate-command-header-size-against-svga.patch | 44 +++ ...orrect-parameter-when-calling-nfs4_c.patch | 56 +++ ...fix-gpio-descriptor-leak-on-register.patch | 42 +++ queue-6.1/series | 7 + ...ckdep-warning-for-hmem_register_reso.patch | 135 ++++++++ ...correct-device-handle-check-for-gene.patch | 41 +++ ...ix-null-pointer-dereference-in-snd_u.patch | 49 +++ ...acro-fix-resource-leak-in-probe-erro.patch | 44 +++ ...-fix-regulator-leak-on-probe-failure.patch | 67 ++++ ...-fix-getting-the-wrong-device-number.patch | 52 +++ ...ate-command-header-size-against-svga.patch | 44 +++ ...-failures-when-timestamps-are-delega.patch | 84 +++++ ...ak-when-nfs_client-kobject-add-fails.patch | 37 ++ ...rror-handling-in-nfs_atomic_open_v23.patch | 47 +++ ...orrect-parameter-when-calling-nfs4_c.patch | 56 +++ ...ls-logic-in-_nfs4_pnfs_v4_ds_connect.patch | 97 ++++++ ...rt-security-policy-to-rpc_xprtsec_no.patch | 109 ++++++ ...fix-gpio-descriptor-leak-on-register.patch | 42 +++ queue-6.12/series | 15 + queue-6.12/simplify-nfs_atomic_open_v23.patch | 63 ++++ ...ckdep-warning-for-hmem_register_reso.patch | 135 ++++++++ ...correct-device-handle-check-for-gene.patch | 41 +++ ...ix-null-pointer-dereference-in-snd_u.patch | 49 +++ ...acro-fix-resource-leak-in-probe-erro.patch | 44 +++ ...-fix-regulator-leak-on-probe-failure.patch | 67 ++++ ...-node-reference-leak-in-rsnd_ssiu_pr.patch | 51 +++ ...-fix-getting-the-wrong-device-number.patch | 52 +++ ...nsure-isp_kernel_buffer_alloc-create.patch | 46 +++ ...x-module_parm_desc-string-for-active.patch | 49 +++ ...h-shmem-writes-before-mapping-buffer.patch | 64 ++++ ...re-guest-backed-only-cursor-plane-su.patch | 93 +++++ ...ate-command-header-size-against-svga.patch | 44 +++ ...n-t-use-blk_rq_nr_phys_segments-as-n.patch | 83 +++++ ...s-certificate-fields-in-nfs_match_cl.patch | 43 +++ ...-failures-when-timestamps-are-delega.patch | 84 +++++ ...ak-when-nfs_client-kobject-add-fails.patch | 37 ++ ...rror-handling-in-nfs_atomic_open_v23.patch | 47 +++ ...orrect-parameter-when-calling-nfs4_c.patch | 56 +++ ...ls-logic-in-_nfs4_pnfs_v3_ds_connect.patch | 82 +++++ ...ls-logic-in-_nfs4_pnfs_v4_ds_connect.patch | 97 ++++++ ...rt-security-policy-to-rpc_xprtsec_no.patch | 109 ++++++ ...fix-gpio-descriptor-leak-on-register.patch | 42 +++ queue-6.17/series | 23 ++ queue-6.17/simplify-nfs_atomic_open_v23.patch | 63 ++++ ...-out-nesting-for-hmat_parse_locality.patch | 81 +++++ ...alculate-abstract-distance-with-hmat.patch | 320 ++++++++++++++++++ ...ckdep-warning-for-hmem_register_reso.patch | 135 ++++++++ ...ctor-hmat_register_target_initiators.patch | 180 ++++++++++ ...nport-target-allocation-to-the-hmat-.patch | 142 ++++++++ ...tting-of-generic-port-system-localit.patch | 93 +++++ ...-enum-for-memory_target-access-coord.patch | 78 +++++ ...correct-device-handle-check-for-gene.patch | 41 +++ ...ix-null-pointer-dereference-in-snd_u.patch | 49 +++ ...acro-fix-resource-leak-in-probe-erro.patch | 44 +++ ...-fix-regulator-leak-on-probe-failure.patch | 67 ++++ ...-fix-getting-the-wrong-device-number.patch | 52 +++ ...hange-node_hmem_attrs-to-access_coor.patch | 311 +++++++++++++++++ ...numerate-node-access-class-for-struc.patch | 206 +++++++++++ ...ncached-read-into-iter_kvec-iterator.patch | 161 +++++++++ ...ate-command-header-size-against-svga.patch | 44 +++ ...dd-abstract-distance-calculation-alg.patch | 195 +++++++++++ queue-6.6/nfs-enable-nconnect-for-rdma.patch | 57 ++++ ...ak-when-nfs_client-kobject-add-fails.patch | 37 ++ ...orrect-parameter-when-calling-nfs4_c.patch | 56 +++ ...ls-logic-in-_nfs4_pnfs_v4_ds_connect.patch | 97 ++++++ ...rt-security-policy-to-rpc_xprtsec_no.patch | 109 ++++++ ...fix-gpio-descriptor-leak-on-register.patch | 42 +++ queue-6.6/series | 23 ++ 92 files changed, 6294 insertions(+) create mode 100644 queue-5.10/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch create mode 100644 queue-5.10/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch create mode 100644 queue-5.10/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch create mode 100644 queue-5.10/drm-vmwgfx-validate-command-header-size-against-svga.patch create mode 100644 queue-5.10/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch create mode 100644 queue-5.10/regulator-fixed-use-dev_err_probe-for-register.patch create mode 100644 queue-5.15/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch create mode 100644 queue-5.15/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch create mode 100644 queue-5.15/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch create mode 100644 queue-5.15/drm-vmwgfx-validate-command-header-size-against-svga.patch create mode 100644 queue-5.15/nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch create mode 100644 queue-5.15/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch create mode 100644 queue-5.4/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch create mode 100644 queue-5.4/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch create mode 100644 queue-5.4/drm-vmwgfx-validate-command-header-size-against-svga.patch create mode 100644 queue-5.4/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch create mode 100644 queue-5.4/regulator-fixed-use-dev_err_probe-for-register.patch create mode 100644 queue-6.1/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch create mode 100644 queue-6.1/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch create mode 100644 queue-6.1/asoc-codecs-va-macro-fix-resource-leak-in-probe-erro.patch create mode 100644 queue-6.1/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch create mode 100644 queue-6.1/drm-vmwgfx-validate-command-header-size-against-svga.patch create mode 100644 queue-6.1/nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch create mode 100644 queue-6.1/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch create mode 100644 queue-6.12/acpi-hmat-fix-lockdep-warning-for-hmem_register_reso.patch create mode 100644 queue-6.12/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch create mode 100644 queue-6.12/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch create mode 100644 queue-6.12/asoc-codecs-va-macro-fix-resource-leak-in-probe-erro.patch create mode 100644 queue-6.12/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch create mode 100644 queue-6.12/asoc-tas2781-fix-getting-the-wrong-device-number.patch create mode 100644 queue-6.12/drm-vmwgfx-validate-command-header-size-against-svga.patch create mode 100644 queue-6.12/nfs-fix-ltp-test-failures-when-timestamps-are-delega.patch create mode 100644 queue-6.12/nfs-sysfs-fix-leak-when-nfs_client-kobject-add-fails.patch create mode 100644 queue-6.12/nfsv2-v3-fix-error-handling-in-nfs_atomic_open_v23.patch create mode 100644 queue-6.12/nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch create mode 100644 queue-6.12/pnfs-fix-tls-logic-in-_nfs4_pnfs_v4_ds_connect.patch create mode 100644 queue-6.12/pnfs-set-transport-security-policy-to-rpc_xprtsec_no.patch create mode 100644 queue-6.12/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch create mode 100644 queue-6.12/simplify-nfs_atomic_open_v23.patch create mode 100644 queue-6.17/acpi-hmat-fix-lockdep-warning-for-hmem_register_reso.patch create mode 100644 queue-6.17/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch create mode 100644 queue-6.17/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch create mode 100644 queue-6.17/asoc-codecs-va-macro-fix-resource-leak-in-probe-erro.patch create mode 100644 queue-6.17/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch create mode 100644 queue-6.17/asoc-rsnd-fix-of-node-reference-leak-in-rsnd_ssiu_pr.patch create mode 100644 queue-6.17/asoc-tas2781-fix-getting-the-wrong-device-number.patch create mode 100644 queue-6.17/drm-amd-amdgpu-ensure-isp_kernel_buffer_alloc-create.patch create mode 100644 queue-6.17/drm-client-fix-module_parm_desc-string-for-active.patch create mode 100644 queue-6.17/drm-panthor-flush-shmem-writes-before-mapping-buffer.patch create mode 100644 queue-6.17/drm-vmwgfx-restore-guest-backed-only-cursor-plane-su.patch create mode 100644 queue-6.17/drm-vmwgfx-validate-command-header-size-against-svga.patch create mode 100644 queue-6.17/io_uring-rsrc-don-t-use-blk_rq_nr_phys_segments-as-n.patch create mode 100644 queue-6.17/nfs-check-the-tls-certificate-fields-in-nfs_match_cl.patch create mode 100644 queue-6.17/nfs-fix-ltp-test-failures-when-timestamps-are-delega.patch create mode 100644 queue-6.17/nfs-sysfs-fix-leak-when-nfs_client-kobject-add-fails.patch create mode 100644 queue-6.17/nfsv2-v3-fix-error-handling-in-nfs_atomic_open_v23.patch create mode 100644 queue-6.17/nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch create mode 100644 queue-6.17/pnfs-fix-tls-logic-in-_nfs4_pnfs_v3_ds_connect.patch create mode 100644 queue-6.17/pnfs-fix-tls-logic-in-_nfs4_pnfs_v4_ds_connect.patch create mode 100644 queue-6.17/pnfs-set-transport-security-policy-to-rpc_xprtsec_no.patch create mode 100644 queue-6.17/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch create mode 100644 queue-6.17/simplify-nfs_atomic_open_v23.patch create mode 100644 queue-6.6/acpi-break-out-nesting-for-hmat_parse_locality.patch create mode 100644 queue-6.6/acpi-hmat-calculate-abstract-distance-with-hmat.patch create mode 100644 queue-6.6/acpi-hmat-fix-lockdep-warning-for-hmem_register_reso.patch create mode 100644 queue-6.6/acpi-hmat-refactor-hmat_register_target_initiators.patch create mode 100644 queue-6.6/acpi-numa-add-genport-target-allocation-to-the-hmat-.patch create mode 100644 queue-6.6/acpi-numa-add-setting-of-generic-port-system-localit.patch create mode 100644 queue-6.6/acpi-numa-create-enum-for-memory_target-access-coord.patch create mode 100644 queue-6.6/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch create mode 100644 queue-6.6/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch create mode 100644 queue-6.6/asoc-codecs-va-macro-fix-resource-leak-in-probe-erro.patch create mode 100644 queue-6.6/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch create mode 100644 queue-6.6/asoc-tas2781-fix-getting-the-wrong-device-number.patch create mode 100644 queue-6.6/base-node-acpi-change-node_hmem_attrs-to-access_coor.patch create mode 100644 queue-6.6/base-node-acpi-enumerate-node-access-class-for-struc.patch create mode 100644 queue-6.6/cifs-fix-uncached-read-into-iter_kvec-iterator.patch create mode 100644 queue-6.6/drm-vmwgfx-validate-command-header-size-against-svga.patch create mode 100644 queue-6.6/memory-tiering-add-abstract-distance-calculation-alg.patch create mode 100644 queue-6.6/nfs-enable-nconnect-for-rdma.patch create mode 100644 queue-6.6/nfs-sysfs-fix-leak-when-nfs_client-kobject-add-fails.patch create mode 100644 queue-6.6/nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch create mode 100644 queue-6.6/pnfs-fix-tls-logic-in-_nfs4_pnfs_v4_ds_connect.patch create mode 100644 queue-6.6/pnfs-set-transport-security-policy-to-rpc_xprtsec_no.patch create mode 100644 queue-6.6/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch diff --git a/queue-5.10/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch b/queue-5.10/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch new file mode 100644 index 0000000000..eb5f07f180 --- /dev/null +++ b/queue-5.10/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch @@ -0,0 +1,41 @@ +From c38e2472cdca0d6d562b5caf9ce82dd12d0aad5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Sep 2025 10:32:24 +0800 +Subject: acpi,srat: Fix incorrect device handle check for Generic Initiator + +From: Shuai Xue + +[ Upstream commit 7c3643f204edf1c5edb12b36b34838683ee5f8dc ] + +The Generic Initiator Affinity Structure in SRAT table uses device +handle type field to indicate the device type. According to ACPI +specification, the device handle type value of 1 represents PCI device, +not 0. + +Fixes: 894c26a1c274 ("ACPI: Support Generic Initiator only domains") +Reported-by: Wu Zongyong +Signed-off-by: Shuai Xue +Reviewed-by: Jonathan Cameron +Link: https://patch.msgid.link/20250913023224.39281-1-xueshuai@linux.alibaba.com +Signed-off-by: Dave Jiang +Signed-off-by: Sasha Levin +--- + drivers/acpi/numa/srat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/numa/srat.c b/drivers/acpi/numa/srat.c +index 6021a10134422..8749a00ad73de 100644 +--- a/drivers/acpi/numa/srat.c ++++ b/drivers/acpi/numa/srat.c +@@ -140,7 +140,7 @@ acpi_table_print_srat_entry(struct acpi_subtable_header *header) + struct acpi_srat_generic_affinity *p = + (struct acpi_srat_generic_affinity *)header; + +- if (p->device_handle_type == 0) { ++ if (p->device_handle_type == 1) { + /* + * For pci devices this may be the only place they + * are assigned a proximity domain +-- +2.51.0 + diff --git a/queue-5.10/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch b/queue-5.10/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch new file mode 100644 index 0000000000..edef6c2104 --- /dev/null +++ b/queue-5.10/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch @@ -0,0 +1,49 @@ +From 6c15f28b834742e1619b5174b24dd61bf59845bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 00:37:54 +0900 +Subject: ALSA: usb-audio: Fix NULL pointer dereference in + snd_usb_mixer_controls_badd + +From: Haein Lee + +[ Upstream commit 632108ec072ad64c8c83db6e16a7efee29ebfb74 ] + +In snd_usb_create_streams(), for UAC version 3 devices, the Interface +Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this +call fails, a fallback routine attempts to obtain the IAD from the next +interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() +assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, +without performing a NULL check. This can lead to a NULL pointer +dereference when usb_ifnum_to_if() fails to find the interface descriptor. + +This patch adds a NULL pointer check after calling usb_ifnum_to_if() in +snd_usb_mixer_controls_badd() to prevent the dereference. + +This issue was discovered by syzkaller, which triggered the bug by sending +a crafted USB device descriptor. + +Fixes: 17156f23e93c ("ALSA: usb: add UAC3 BADD profiles support") +Signed-off-by: Haein Lee +Link: https://patch.msgid.link/vwhzmoba9j2f.vwhzmob9u9e2.g6@dooray.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index c84e25b2b1fb9..6b9a472ea43cb 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -2999,6 +2999,8 @@ static int snd_usb_mixer_controls_badd(struct usb_mixer_interface *mixer, + int i; + + assoc = usb_ifnum_to_if(dev, ctrlif)->intf_assoc; ++ if (!assoc) ++ return -EINVAL; + + /* Detect BADD capture/playback channels from AS EP descriptors */ + for (i = 0; i < assoc->bInterfaceCount; i++) { +-- +2.51.0 + diff --git a/queue-5.10/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch b/queue-5.10/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch new file mode 100644 index 0000000000..44f3147ea7 --- /dev/null +++ b/queue-5.10/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch @@ -0,0 +1,67 @@ +From 35c85fe1c38632c335a41df9ca04ee8fae62acb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 14:22:46 +0800 +Subject: ASoC: cs4271: Fix regulator leak on probe failure + +From: Haotian Zhang + +[ Upstream commit 6b6eddc63ce871897d3a5bc4f8f593e698aef104 ] + +The probe function enables regulators at the beginning +but fails to disable them in its error handling path. +If any operation after enabling the regulators fails, +the probe will exit with an error, leaving the regulators +permanently enabled, which could lead to a resource leak. + +Add a proper error handling path to call regulator_bulk_disable() +before returning an error. + +Fixes: 9a397f473657 ("ASoC: cs4271: add regulator consumer support") +Signed-off-by: Haotian Zhang +Reviewed-by: Charles Keepax +Link: https://patch.msgid.link/20251105062246.1955-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs4271.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/cs4271.c b/sound/soc/codecs/cs4271.c +index d43762ae8f3da..6d997ea772ec0 100644 +--- a/sound/soc/codecs/cs4271.c ++++ b/sound/soc/codecs/cs4271.c +@@ -594,17 +594,17 @@ static int cs4271_component_probe(struct snd_soc_component *component) + + ret = regcache_sync(cs4271->regmap); + if (ret < 0) +- return ret; ++ goto err_disable_regulator; + + ret = regmap_update_bits(cs4271->regmap, CS4271_MODE2, + CS4271_MODE2_PDN | CS4271_MODE2_CPEN, + CS4271_MODE2_PDN | CS4271_MODE2_CPEN); + if (ret < 0) +- return ret; ++ goto err_disable_regulator; + ret = regmap_update_bits(cs4271->regmap, CS4271_MODE2, + CS4271_MODE2_PDN, 0); + if (ret < 0) +- return ret; ++ goto err_disable_regulator; + /* Power-up sequence requires 85 uS */ + udelay(85); + +@@ -614,6 +614,10 @@ static int cs4271_component_probe(struct snd_soc_component *component) + CS4271_MODE2_MUTECAEQUB); + + return 0; ++ ++err_disable_regulator: ++ regulator_bulk_disable(ARRAY_SIZE(cs4271->supplies), cs4271->supplies); ++ return ret; + } + + static void cs4271_component_remove(struct snd_soc_component *component) +-- +2.51.0 + diff --git a/queue-5.10/drm-vmwgfx-validate-command-header-size-against-svga.patch b/queue-5.10/drm-vmwgfx-validate-command-header-size-against-svga.patch new file mode 100644 index 0000000000..93dced2b68 --- /dev/null +++ b/queue-5.10/drm-vmwgfx-validate-command-header-size-against-svga.patch @@ -0,0 +1,44 @@ +From a98855301ad0f8ca81087e672ed952011bb6e101 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Oct 2025 14:01:28 -0500 +Subject: drm/vmwgfx: Validate command header size against + SVGA_CMD_MAX_DATASIZE + +From: Ian Forbes + +[ Upstream commit 32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af ] + +This data originates from userspace and is used in buffer offset +calculations which could potentially overflow causing an out-of-bounds +access. + +Fixes: 8ce75f8ab904 ("drm/vmwgfx: Update device includes for DX device functionality") +Reported-by: Rohit Keshri +Signed-off-by: Ian Forbes +Reviewed-by: Maaz Mombasawala +Signed-off-by: Zack Rusin +Link: https://patch.msgid.link/20251021190128.13014-1-ian.forbes@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +index 987633c6c49f4..17d7f172a9e0f 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +@@ -3622,6 +3622,11 @@ static int vmw_cmd_check(struct vmw_private *dev_priv, + + + cmd_id = header->id; ++ if (header->size > SVGA_CMD_MAX_DATASIZE) { ++ VMW_DEBUG_USER("SVGA3D command: %d is too big.\n", ++ cmd_id + SVGA_3D_CMD_BASE); ++ return -E2BIG; ++ } + *size = header->size + sizeof(SVGA3dCmdHeader); + + cmd_id -= SVGA_3D_CMD_BASE; +-- +2.51.0 + diff --git a/queue-5.10/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch b/queue-5.10/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch new file mode 100644 index 0000000000..a98c5bcf54 --- /dev/null +++ b/queue-5.10/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch @@ -0,0 +1,42 @@ +From 43398277f38871675bd3187bcad3133e469817d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 01:28:28 +0800 +Subject: regulator: fixed: fix GPIO descriptor leak on register failure + +From: Haotian Zhang + +[ Upstream commit 636f4618b1cd96f6b5a2b8c7c4f665c8533ecf13 ] + +In the commit referenced by the Fixes tag, +devm_gpiod_get_optional() was replaced by manual +GPIO management, relying on the regulator core to release the +GPIO descriptor. However, this approach does not account for the +error path: when regulator registration fails, the core never +takes over the GPIO, resulting in a resource leak. + +Add gpiod_put() before returning on regulator registration failure. + +Fixes: 5e6f3ae5c13b ("regulator: fixed: Let core handle GPIO descriptor") +Signed-off-by: Haotian Zhang +Link: https://patch.msgid.link/20251028172828.625-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/fixed.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/regulator/fixed.c b/drivers/regulator/fixed.c +index 49e162b3cf42d..1503a5ea0cc89 100644 +--- a/drivers/regulator/fixed.c ++++ b/drivers/regulator/fixed.c +@@ -241,6 +241,7 @@ static int reg_fixed_voltage_probe(struct platform_device *pdev) + ret = dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev), + "Failed to register regulator: %ld\n", + PTR_ERR(drvdata->dev)); ++ gpiod_put(cfg.ena_gpiod); + return ret; + } + +-- +2.51.0 + diff --git a/queue-5.10/regulator-fixed-use-dev_err_probe-for-register.patch b/queue-5.10/regulator-fixed-use-dev_err_probe-for-register.patch new file mode 100644 index 0000000000..9b47600064 --- /dev/null +++ b/queue-5.10/regulator-fixed-use-dev_err_probe-for-register.patch @@ -0,0 +1,40 @@ +From 97c2b174c5780eb23925bcbeb78ae66666fa0dcf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 11:57:16 -0500 +Subject: regulator: fixed: use dev_err_probe for register + +From: Chris Morgan + +[ Upstream commit d0f95e6496a974a890df5eda65ffaee66ab0dc73 ] + +Instead of returning error directly, use dev_err_probe. This avoids +messages in the dmesg log for devices which will be probed again later. + +Signed-off-by: Chris Morgan +Link: https://lore.kernel.org/r/20210721165716.19915-1-macroalpha82@gmail.com +Signed-off-by: Mark Brown +Stable-dep-of: 636f4618b1cd ("regulator: fixed: fix GPIO descriptor leak on register failure") +Signed-off-by: Sasha Levin +--- + drivers/regulator/fixed.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/regulator/fixed.c b/drivers/regulator/fixed.c +index 4acfff1908072..49e162b3cf42d 100644 +--- a/drivers/regulator/fixed.c ++++ b/drivers/regulator/fixed.c +@@ -238,8 +238,9 @@ static int reg_fixed_voltage_probe(struct platform_device *pdev) + drvdata->dev = devm_regulator_register(&pdev->dev, &drvdata->desc, + &cfg); + if (IS_ERR(drvdata->dev)) { +- ret = PTR_ERR(drvdata->dev); +- dev_err(&pdev->dev, "Failed to register regulator: %d\n", ret); ++ ret = dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev), ++ "Failed to register regulator: %ld\n", ++ PTR_ERR(drvdata->dev)); + return ret; + } + +-- +2.51.0 + diff --git a/queue-5.10/series b/queue-5.10/series index f6c0ec8420..49e53beda0 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -191,3 +191,9 @@ net-mlx5e-fix-wraparound-in-rate-limiting-for-values.patch net_sched-limit-try_bulk_dequeue_skb-batches.patch hsr-fix-supervision-frame-sending-on-hsrv0.patch bluetooth-l2cap-export-l2cap_chan_hold-for-modules.patch +acpi-srat-fix-incorrect-device-handle-check-for-gene.patch +regulator-fixed-use-dev_err_probe-for-register.patch +regulator-fixed-fix-gpio-descriptor-leak-on-register.patch +asoc-cs4271-fix-regulator-leak-on-probe-failure.patch +drm-vmwgfx-validate-command-header-size-against-svga.patch +alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch diff --git a/queue-5.15/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch b/queue-5.15/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch new file mode 100644 index 0000000000..080e6f9af3 --- /dev/null +++ b/queue-5.15/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch @@ -0,0 +1,41 @@ +From 0282aec6ec6dceb221967cef2628e9fd6c5030be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Sep 2025 10:32:24 +0800 +Subject: acpi,srat: Fix incorrect device handle check for Generic Initiator + +From: Shuai Xue + +[ Upstream commit 7c3643f204edf1c5edb12b36b34838683ee5f8dc ] + +The Generic Initiator Affinity Structure in SRAT table uses device +handle type field to indicate the device type. According to ACPI +specification, the device handle type value of 1 represents PCI device, +not 0. + +Fixes: 894c26a1c274 ("ACPI: Support Generic Initiator only domains") +Reported-by: Wu Zongyong +Signed-off-by: Shuai Xue +Reviewed-by: Jonathan Cameron +Link: https://patch.msgid.link/20250913023224.39281-1-xueshuai@linux.alibaba.com +Signed-off-by: Dave Jiang +Signed-off-by: Sasha Levin +--- + drivers/acpi/numa/srat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/numa/srat.c b/drivers/acpi/numa/srat.c +index b8795fc490975..6e7dfef4d322c 100644 +--- a/drivers/acpi/numa/srat.c ++++ b/drivers/acpi/numa/srat.c +@@ -140,7 +140,7 @@ acpi_table_print_srat_entry(struct acpi_subtable_header *header) + struct acpi_srat_generic_affinity *p = + (struct acpi_srat_generic_affinity *)header; + +- if (p->device_handle_type == 0) { ++ if (p->device_handle_type == 1) { + /* + * For pci devices this may be the only place they + * are assigned a proximity domain +-- +2.51.0 + diff --git a/queue-5.15/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch b/queue-5.15/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch new file mode 100644 index 0000000000..53bf5011b4 --- /dev/null +++ b/queue-5.15/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch @@ -0,0 +1,49 @@ +From 3cb18d645289d428865a8246bd3b471c07ae414c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 00:37:54 +0900 +Subject: ALSA: usb-audio: Fix NULL pointer dereference in + snd_usb_mixer_controls_badd + +From: Haein Lee + +[ Upstream commit 632108ec072ad64c8c83db6e16a7efee29ebfb74 ] + +In snd_usb_create_streams(), for UAC version 3 devices, the Interface +Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this +call fails, a fallback routine attempts to obtain the IAD from the next +interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() +assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, +without performing a NULL check. This can lead to a NULL pointer +dereference when usb_ifnum_to_if() fails to find the interface descriptor. + +This patch adds a NULL pointer check after calling usb_ifnum_to_if() in +snd_usb_mixer_controls_badd() to prevent the dereference. + +This issue was discovered by syzkaller, which triggered the bug by sending +a crafted USB device descriptor. + +Fixes: 17156f23e93c ("ALSA: usb: add UAC3 BADD profiles support") +Signed-off-by: Haein Lee +Link: https://patch.msgid.link/vwhzmoba9j2f.vwhzmob9u9e2.g6@dooray.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index 5163d5e7682e7..de80240d9ed58 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -3071,6 +3071,8 @@ static int snd_usb_mixer_controls_badd(struct usb_mixer_interface *mixer, + int i; + + assoc = usb_ifnum_to_if(dev, ctrlif)->intf_assoc; ++ if (!assoc) ++ return -EINVAL; + + /* Detect BADD capture/playback channels from AS EP descriptors */ + for (i = 0; i < assoc->bInterfaceCount; i++) { +-- +2.51.0 + diff --git a/queue-5.15/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch b/queue-5.15/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch new file mode 100644 index 0000000000..0492e37a0d --- /dev/null +++ b/queue-5.15/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch @@ -0,0 +1,67 @@ +From d08ab4f92ed07106f863c1edb2c272cee54d720a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 14:22:46 +0800 +Subject: ASoC: cs4271: Fix regulator leak on probe failure + +From: Haotian Zhang + +[ Upstream commit 6b6eddc63ce871897d3a5bc4f8f593e698aef104 ] + +The probe function enables regulators at the beginning +but fails to disable them in its error handling path. +If any operation after enabling the regulators fails, +the probe will exit with an error, leaving the regulators +permanently enabled, which could lead to a resource leak. + +Add a proper error handling path to call regulator_bulk_disable() +before returning an error. + +Fixes: 9a397f473657 ("ASoC: cs4271: add regulator consumer support") +Signed-off-by: Haotian Zhang +Reviewed-by: Charles Keepax +Link: https://patch.msgid.link/20251105062246.1955-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs4271.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/cs4271.c b/sound/soc/codecs/cs4271.c +index 7663f89ac6a24..c3f447a6ff62e 100644 +--- a/sound/soc/codecs/cs4271.c ++++ b/sound/soc/codecs/cs4271.c +@@ -594,17 +594,17 @@ static int cs4271_component_probe(struct snd_soc_component *component) + + ret = regcache_sync(cs4271->regmap); + if (ret < 0) +- return ret; ++ goto err_disable_regulator; + + ret = regmap_update_bits(cs4271->regmap, CS4271_MODE2, + CS4271_MODE2_PDN | CS4271_MODE2_CPEN, + CS4271_MODE2_PDN | CS4271_MODE2_CPEN); + if (ret < 0) +- return ret; ++ goto err_disable_regulator; + ret = regmap_update_bits(cs4271->regmap, CS4271_MODE2, + CS4271_MODE2_PDN, 0); + if (ret < 0) +- return ret; ++ goto err_disable_regulator; + /* Power-up sequence requires 85 uS */ + udelay(85); + +@@ -614,6 +614,10 @@ static int cs4271_component_probe(struct snd_soc_component *component) + CS4271_MODE2_MUTECAEQUB); + + return 0; ++ ++err_disable_regulator: ++ regulator_bulk_disable(ARRAY_SIZE(cs4271->supplies), cs4271->supplies); ++ return ret; + } + + static void cs4271_component_remove(struct snd_soc_component *component) +-- +2.51.0 + diff --git a/queue-5.15/drm-vmwgfx-validate-command-header-size-against-svga.patch b/queue-5.15/drm-vmwgfx-validate-command-header-size-against-svga.patch new file mode 100644 index 0000000000..98bde086d8 --- /dev/null +++ b/queue-5.15/drm-vmwgfx-validate-command-header-size-against-svga.patch @@ -0,0 +1,44 @@ +From 2be0b9b4995b15c67ba1475863aef5e65328460e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Oct 2025 14:01:28 -0500 +Subject: drm/vmwgfx: Validate command header size against + SVGA_CMD_MAX_DATASIZE + +From: Ian Forbes + +[ Upstream commit 32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af ] + +This data originates from userspace and is used in buffer offset +calculations which could potentially overflow causing an out-of-bounds +access. + +Fixes: 8ce75f8ab904 ("drm/vmwgfx: Update device includes for DX device functionality") +Reported-by: Rohit Keshri +Signed-off-by: Ian Forbes +Reviewed-by: Maaz Mombasawala +Signed-off-by: Zack Rusin +Link: https://patch.msgid.link/20251021190128.13014-1-ian.forbes@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +index 7dd42c5a7fd62..fd7d6987f9134 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +@@ -3627,6 +3627,11 @@ static int vmw_cmd_check(struct vmw_private *dev_priv, + + + cmd_id = header->id; ++ if (header->size > SVGA_CMD_MAX_DATASIZE) { ++ VMW_DEBUG_USER("SVGA3D command: %d is too big.\n", ++ cmd_id + SVGA_3D_CMD_BASE); ++ return -E2BIG; ++ } + *size = header->size + sizeof(SVGA3dCmdHeader); + + cmd_id -= SVGA_3D_CMD_BASE; +-- +2.51.0 + diff --git a/queue-5.15/nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch b/queue-5.15/nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch new file mode 100644 index 0000000000..bed4f8acb7 --- /dev/null +++ b/queue-5.15/nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch @@ -0,0 +1,56 @@ +From 38b86ed36e9a9ff3a88fb6018b8ab20124d65f95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Oct 2025 10:51:42 -0400 +Subject: NFSv4: Fix an incorrect parameter when calling nfs4_call_sync() + +From: Trond Myklebust + +[ Upstream commit 1f214e9c3aef2d0936be971072e991d78a174d71 ] + +The Smatch static checker noted that in _nfs4_proc_lookupp(), the flag +RPC_TASK_TIMEOUT is being passed as an argument to nfs4_init_sequence(), +which is clearly incorrect. +Since LOOKUPP is an idempotent operation, nfs4_init_sequence() should +not ask the server to cache the result. The RPC_TASK_TIMEOUT flag needs +to be passed down to the RPC layer. + +Reported-by: Dan Carpenter +Reported-by: Harshit Mogalapalli +Fixes: 76998ebb9158 ("NFSv4: Observe the NFS_MOUNT_SOFTREVAL flag in _nfs4_proc_lookupp") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 5c29e2d383639..768433688cb2f 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -4533,16 +4533,19 @@ static int _nfs4_proc_lookupp(struct inode *inode, + }; + unsigned short task_flags = 0; + +- if (NFS_SERVER(inode)->flags & NFS_MOUNT_SOFTREVAL) ++ if (server->flags & NFS_MOUNT_SOFTREVAL) + task_flags |= RPC_TASK_TIMEOUT; ++ if (server->caps & NFS_CAP_MOVEABLE) ++ task_flags |= RPC_TASK_MOVEABLE; + + args.bitmask = nfs4_bitmask(server, label); + + nfs_fattr_init(fattr); ++ nfs4_init_sequence(&args.seq_args, &res.seq_res, 0, 0); + + dprintk("NFS call lookupp ino=0x%lx\n", inode->i_ino); +- status = nfs4_call_sync(clnt, server, &msg, &args.seq_args, +- &res.seq_res, task_flags); ++ status = nfs4_do_call_sync(clnt, server, &msg, &args.seq_args, ++ &res.seq_res, task_flags); + dprintk("NFS reply lookupp: %d\n", status); + return status; + } +-- +2.51.0 + diff --git a/queue-5.15/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch b/queue-5.15/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch new file mode 100644 index 0000000000..140d5f4441 --- /dev/null +++ b/queue-5.15/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch @@ -0,0 +1,42 @@ +From c7a827c17f157f4030f537c164bd93411ed5e966 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 01:28:28 +0800 +Subject: regulator: fixed: fix GPIO descriptor leak on register failure + +From: Haotian Zhang + +[ Upstream commit 636f4618b1cd96f6b5a2b8c7c4f665c8533ecf13 ] + +In the commit referenced by the Fixes tag, +devm_gpiod_get_optional() was replaced by manual +GPIO management, relying on the regulator core to release the +GPIO descriptor. However, this approach does not account for the +error path: when regulator registration fails, the core never +takes over the GPIO, resulting in a resource leak. + +Add gpiod_put() before returning on regulator registration failure. + +Fixes: 5e6f3ae5c13b ("regulator: fixed: Let core handle GPIO descriptor") +Signed-off-by: Haotian Zhang +Link: https://patch.msgid.link/20251028172828.625-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/fixed.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/regulator/fixed.c b/drivers/regulator/fixed.c +index fb163458337fc..adc21b1bad94b 100644 +--- a/drivers/regulator/fixed.c ++++ b/drivers/regulator/fixed.c +@@ -290,6 +290,7 @@ static int reg_fixed_voltage_probe(struct platform_device *pdev) + ret = dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev), + "Failed to register regulator: %ld\n", + PTR_ERR(drvdata->dev)); ++ gpiod_put(cfg.ena_gpiod); + return ret; + } + +-- +2.51.0 + diff --git a/queue-5.15/series b/queue-5.15/series index cb445c495b..0cd7f47c68 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -256,3 +256,9 @@ net-mlx5e-fix-wraparound-in-rate-limiting-for-values.patch net_sched-limit-try_bulk_dequeue_skb-batches.patch hsr-fix-supervision-frame-sending-on-hsrv0.patch bluetooth-l2cap-export-l2cap_chan_hold-for-modules.patch +acpi-srat-fix-incorrect-device-handle-check-for-gene.patch +regulator-fixed-fix-gpio-descriptor-leak-on-register.patch +asoc-cs4271-fix-regulator-leak-on-probe-failure.patch +drm-vmwgfx-validate-command-header-size-against-svga.patch +nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch +alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch diff --git a/queue-5.4/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch b/queue-5.4/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch new file mode 100644 index 0000000000..cee1f22aa7 --- /dev/null +++ b/queue-5.4/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch @@ -0,0 +1,49 @@ +From fcacfd10de5f1c49543d03190e22e8f943ff461b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 00:37:54 +0900 +Subject: ALSA: usb-audio: Fix NULL pointer dereference in + snd_usb_mixer_controls_badd + +From: Haein Lee + +[ Upstream commit 632108ec072ad64c8c83db6e16a7efee29ebfb74 ] + +In snd_usb_create_streams(), for UAC version 3 devices, the Interface +Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this +call fails, a fallback routine attempts to obtain the IAD from the next +interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() +assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, +without performing a NULL check. This can lead to a NULL pointer +dereference when usb_ifnum_to_if() fails to find the interface descriptor. + +This patch adds a NULL pointer check after calling usb_ifnum_to_if() in +snd_usb_mixer_controls_badd() to prevent the dereference. + +This issue was discovered by syzkaller, which triggered the bug by sending +a crafted USB device descriptor. + +Fixes: 17156f23e93c ("ALSA: usb: add UAC3 BADD profiles support") +Signed-off-by: Haein Lee +Link: https://patch.msgid.link/vwhzmoba9j2f.vwhzmob9u9e2.g6@dooray.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index f2c697ff50b57..11a74cc0e94d8 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -2967,6 +2967,8 @@ static int snd_usb_mixer_controls_badd(struct usb_mixer_interface *mixer, + int i; + + assoc = usb_ifnum_to_if(dev, ctrlif)->intf_assoc; ++ if (!assoc) ++ return -EINVAL; + + /* Detect BADD capture/playback channels from AS EP descriptors */ + for (i = 0; i < assoc->bInterfaceCount; i++) { +-- +2.51.0 + diff --git a/queue-5.4/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch b/queue-5.4/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch new file mode 100644 index 0000000000..9bf8610658 --- /dev/null +++ b/queue-5.4/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch @@ -0,0 +1,67 @@ +From ba07529b63121170e5eff4b6a900bc47f9efc59d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 14:22:46 +0800 +Subject: ASoC: cs4271: Fix regulator leak on probe failure + +From: Haotian Zhang + +[ Upstream commit 6b6eddc63ce871897d3a5bc4f8f593e698aef104 ] + +The probe function enables regulators at the beginning +but fails to disable them in its error handling path. +If any operation after enabling the regulators fails, +the probe will exit with an error, leaving the regulators +permanently enabled, which could lead to a resource leak. + +Add a proper error handling path to call regulator_bulk_disable() +before returning an error. + +Fixes: 9a397f473657 ("ASoC: cs4271: add regulator consumer support") +Signed-off-by: Haotian Zhang +Reviewed-by: Charles Keepax +Link: https://patch.msgid.link/20251105062246.1955-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs4271.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/cs4271.c b/sound/soc/codecs/cs4271.c +index 04b86a51e0554..1df484ff34a0d 100644 +--- a/sound/soc/codecs/cs4271.c ++++ b/sound/soc/codecs/cs4271.c +@@ -594,17 +594,17 @@ static int cs4271_component_probe(struct snd_soc_component *component) + + ret = regcache_sync(cs4271->regmap); + if (ret < 0) +- return ret; ++ goto err_disable_regulator; + + ret = regmap_update_bits(cs4271->regmap, CS4271_MODE2, + CS4271_MODE2_PDN | CS4271_MODE2_CPEN, + CS4271_MODE2_PDN | CS4271_MODE2_CPEN); + if (ret < 0) +- return ret; ++ goto err_disable_regulator; + ret = regmap_update_bits(cs4271->regmap, CS4271_MODE2, + CS4271_MODE2_PDN, 0); + if (ret < 0) +- return ret; ++ goto err_disable_regulator; + /* Power-up sequence requires 85 uS */ + udelay(85); + +@@ -614,6 +614,10 @@ static int cs4271_component_probe(struct snd_soc_component *component) + CS4271_MODE2_MUTECAEQUB); + + return 0; ++ ++err_disable_regulator: ++ regulator_bulk_disable(ARRAY_SIZE(cs4271->supplies), cs4271->supplies); ++ return ret; + } + + static void cs4271_component_remove(struct snd_soc_component *component) +-- +2.51.0 + diff --git a/queue-5.4/drm-vmwgfx-validate-command-header-size-against-svga.patch b/queue-5.4/drm-vmwgfx-validate-command-header-size-against-svga.patch new file mode 100644 index 0000000000..6d9b6c86c4 --- /dev/null +++ b/queue-5.4/drm-vmwgfx-validate-command-header-size-against-svga.patch @@ -0,0 +1,44 @@ +From 65fe5068f5d0357296c2744bb8de901aa5657a3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Oct 2025 14:01:28 -0500 +Subject: drm/vmwgfx: Validate command header size against + SVGA_CMD_MAX_DATASIZE + +From: Ian Forbes + +[ Upstream commit 32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af ] + +This data originates from userspace and is used in buffer offset +calculations which could potentially overflow causing an out-of-bounds +access. + +Fixes: 8ce75f8ab904 ("drm/vmwgfx: Update device includes for DX device functionality") +Reported-by: Rohit Keshri +Signed-off-by: Ian Forbes +Reviewed-by: Maaz Mombasawala +Signed-off-by: Zack Rusin +Link: https://patch.msgid.link/20251021190128.13014-1-ian.forbes@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +index 0d29fe6f60358..d31e9d380967d 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +@@ -3216,6 +3216,11 @@ static int vmw_cmd_check(struct vmw_private *dev_priv, + + + cmd_id = header->id; ++ if (header->size > SVGA_CMD_MAX_DATASIZE) { ++ VMW_DEBUG_USER("SVGA3D command: %d is too big.\n", ++ cmd_id + SVGA_3D_CMD_BASE); ++ return -E2BIG; ++ } + *size = header->size + sizeof(SVGA3dCmdHeader); + + cmd_id -= SVGA_3D_CMD_BASE; +-- +2.51.0 + diff --git a/queue-5.4/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch b/queue-5.4/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch new file mode 100644 index 0000000000..4060da5ffd --- /dev/null +++ b/queue-5.4/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch @@ -0,0 +1,42 @@ +From b000e73da311cb33e4c1f6695d7ec22567cc190e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 01:28:28 +0800 +Subject: regulator: fixed: fix GPIO descriptor leak on register failure + +From: Haotian Zhang + +[ Upstream commit 636f4618b1cd96f6b5a2b8c7c4f665c8533ecf13 ] + +In the commit referenced by the Fixes tag, +devm_gpiod_get_optional() was replaced by manual +GPIO management, relying on the regulator core to release the +GPIO descriptor. However, this approach does not account for the +error path: when regulator registration fails, the core never +takes over the GPIO, resulting in a resource leak. + +Add gpiod_put() before returning on regulator registration failure. + +Fixes: 5e6f3ae5c13b ("regulator: fixed: Let core handle GPIO descriptor") +Signed-off-by: Haotian Zhang +Link: https://patch.msgid.link/20251028172828.625-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/fixed.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/regulator/fixed.c b/drivers/regulator/fixed.c +index 529f401243245..2bb4924fc3026 100644 +--- a/drivers/regulator/fixed.c ++++ b/drivers/regulator/fixed.c +@@ -247,6 +247,7 @@ static int reg_fixed_voltage_probe(struct platform_device *pdev) + ret = dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev), + "Failed to register regulator: %ld\n", + PTR_ERR(drvdata->dev)); ++ gpiod_put(cfg.ena_gpiod); + return ret; + } + +-- +2.51.0 + diff --git a/queue-5.4/regulator-fixed-use-dev_err_probe-for-register.patch b/queue-5.4/regulator-fixed-use-dev_err_probe-for-register.patch new file mode 100644 index 0000000000..394d1255c9 --- /dev/null +++ b/queue-5.4/regulator-fixed-use-dev_err_probe-for-register.patch @@ -0,0 +1,40 @@ +From a9007a57def72e2c09589654049239023705605e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 11:57:16 -0500 +Subject: regulator: fixed: use dev_err_probe for register + +From: Chris Morgan + +[ Upstream commit d0f95e6496a974a890df5eda65ffaee66ab0dc73 ] + +Instead of returning error directly, use dev_err_probe. This avoids +messages in the dmesg log for devices which will be probed again later. + +Signed-off-by: Chris Morgan +Link: https://lore.kernel.org/r/20210721165716.19915-1-macroalpha82@gmail.com +Signed-off-by: Mark Brown +Stable-dep-of: 636f4618b1cd ("regulator: fixed: fix GPIO descriptor leak on register failure") +Signed-off-by: Sasha Levin +--- + drivers/regulator/fixed.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/regulator/fixed.c b/drivers/regulator/fixed.c +index 2f0bed86467f9..529f401243245 100644 +--- a/drivers/regulator/fixed.c ++++ b/drivers/regulator/fixed.c +@@ -244,8 +244,9 @@ static int reg_fixed_voltage_probe(struct platform_device *pdev) + drvdata->dev = devm_regulator_register(&pdev->dev, &drvdata->desc, + &cfg); + if (IS_ERR(drvdata->dev)) { +- ret = PTR_ERR(drvdata->dev); +- dev_err(&pdev->dev, "Failed to register regulator: %d\n", ret); ++ ret = dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev), ++ "Failed to register regulator: %ld\n", ++ PTR_ERR(drvdata->dev)); + return ret; + } + +-- +2.51.0 + diff --git a/queue-5.4/series b/queue-5.4/series index 8f9ac8aa37..ab8cc8ffec 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -143,3 +143,8 @@ net-mlx5e-fix-wraparound-in-rate-limiting-for-values.patch net_sched-remove-need_resched-from-qdisc_run.patch net_sched-limit-try_bulk_dequeue_skb-batches.patch bluetooth-l2cap-export-l2cap_chan_hold-for-modules.patch +regulator-fixed-use-dev_err_probe-for-register.patch +regulator-fixed-fix-gpio-descriptor-leak-on-register.patch +asoc-cs4271-fix-regulator-leak-on-probe-failure.patch +drm-vmwgfx-validate-command-header-size-against-svga.patch +alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch diff --git a/queue-6.1/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch b/queue-6.1/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch new file mode 100644 index 0000000000..b506ccc325 --- /dev/null +++ b/queue-6.1/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch @@ -0,0 +1,41 @@ +From 3f103192605c6da8053fd3d53777becd8f363f23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Sep 2025 10:32:24 +0800 +Subject: acpi,srat: Fix incorrect device handle check for Generic Initiator + +From: Shuai Xue + +[ Upstream commit 7c3643f204edf1c5edb12b36b34838683ee5f8dc ] + +The Generic Initiator Affinity Structure in SRAT table uses device +handle type field to indicate the device type. According to ACPI +specification, the device handle type value of 1 represents PCI device, +not 0. + +Fixes: 894c26a1c274 ("ACPI: Support Generic Initiator only domains") +Reported-by: Wu Zongyong +Signed-off-by: Shuai Xue +Reviewed-by: Jonathan Cameron +Link: https://patch.msgid.link/20250913023224.39281-1-xueshuai@linux.alibaba.com +Signed-off-by: Dave Jiang +Signed-off-by: Sasha Levin +--- + drivers/acpi/numa/srat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/numa/srat.c b/drivers/acpi/numa/srat.c +index a44c0761fd1c0..848942bf883cb 100644 +--- a/drivers/acpi/numa/srat.c ++++ b/drivers/acpi/numa/srat.c +@@ -140,7 +140,7 @@ acpi_table_print_srat_entry(struct acpi_subtable_header *header) + struct acpi_srat_generic_affinity *p = + (struct acpi_srat_generic_affinity *)header; + +- if (p->device_handle_type == 0) { ++ if (p->device_handle_type == 1) { + /* + * For pci devices this may be the only place they + * are assigned a proximity domain +-- +2.51.0 + diff --git a/queue-6.1/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch b/queue-6.1/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch new file mode 100644 index 0000000000..e7b4b59605 --- /dev/null +++ b/queue-6.1/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch @@ -0,0 +1,49 @@ +From ceb679a034ad92e21d51fd0ea09ded5eb814f4ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 00:37:54 +0900 +Subject: ALSA: usb-audio: Fix NULL pointer dereference in + snd_usb_mixer_controls_badd + +From: Haein Lee + +[ Upstream commit 632108ec072ad64c8c83db6e16a7efee29ebfb74 ] + +In snd_usb_create_streams(), for UAC version 3 devices, the Interface +Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this +call fails, a fallback routine attempts to obtain the IAD from the next +interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() +assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, +without performing a NULL check. This can lead to a NULL pointer +dereference when usb_ifnum_to_if() fails to find the interface descriptor. + +This patch adds a NULL pointer check after calling usb_ifnum_to_if() in +snd_usb_mixer_controls_badd() to prevent the dereference. + +This issue was discovered by syzkaller, which triggered the bug by sending +a crafted USB device descriptor. + +Fixes: 17156f23e93c ("ALSA: usb: add UAC3 BADD profiles support") +Signed-off-by: Haein Lee +Link: https://patch.msgid.link/vwhzmoba9j2f.vwhzmob9u9e2.g6@dooray.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index d258c7324fcc7..9b34004e67131 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -3081,6 +3081,8 @@ static int snd_usb_mixer_controls_badd(struct usb_mixer_interface *mixer, + int i; + + assoc = usb_ifnum_to_if(dev, ctrlif)->intf_assoc; ++ if (!assoc) ++ return -EINVAL; + + /* Detect BADD capture/playback channels from AS EP descriptors */ + for (i = 0; i < assoc->bInterfaceCount; i++) { +-- +2.51.0 + diff --git a/queue-6.1/asoc-codecs-va-macro-fix-resource-leak-in-probe-erro.patch b/queue-6.1/asoc-codecs-va-macro-fix-resource-leak-in-probe-erro.patch new file mode 100644 index 0000000000..da69102246 --- /dev/null +++ b/queue-6.1/asoc-codecs-va-macro-fix-resource-leak-in-probe-erro.patch @@ -0,0 +1,44 @@ +From d9bd2079665628e93be50cdb039c0a70efcfc147 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Nov 2025 22:31:14 +0800 +Subject: ASoC: codecs: va-macro: fix resource leak in probe error path + +From: Haotian Zhang + +[ Upstream commit 3dc8c73365d3ca25c99e7e1a0f493039d7291df5 ] + +In the commit referenced by the Fixes tag, clk_hw_get_clk() +was added in va_macro_probe() to get the fsgen clock, +but forgot to add the corresponding clk_put() in va_macro_remove(). +This leads to a clock reference leak when the driver is unloaded. + +Switch to devm_clk_hw_get_clk() to automatically manage the +clock resource. + +Fixes: 30097967e056 ("ASoC: codecs: va-macro: use fsgen as clock") +Suggested-by: Konrad Dybcio +Signed-off-by: Haotian Zhang +Reviewed-by: Konrad Dybcio +Link: https://patch.msgid.link/20251106143114.729-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/lpass-va-macro.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/lpass-va-macro.c b/sound/soc/codecs/lpass-va-macro.c +index 1623ba78ddb3d..1f6e27d6a2276 100644 +--- a/sound/soc/codecs/lpass-va-macro.c ++++ b/sound/soc/codecs/lpass-va-macro.c +@@ -1554,7 +1554,7 @@ static int va_macro_probe(struct platform_device *pdev) + if (ret) + goto err_clkout; + +- va->fsgen = clk_hw_get_clk(&va->hw, "fsgen"); ++ va->fsgen = devm_clk_hw_get_clk(dev, &va->hw, "fsgen"); + if (IS_ERR(va->fsgen)) { + ret = PTR_ERR(va->fsgen); + goto err_clkout; +-- +2.51.0 + diff --git a/queue-6.1/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch b/queue-6.1/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch new file mode 100644 index 0000000000..d90a872979 --- /dev/null +++ b/queue-6.1/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch @@ -0,0 +1,67 @@ +From c0959bf8cbf0d58f6d8b032ea8d3a3b0a691eb66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 14:22:46 +0800 +Subject: ASoC: cs4271: Fix regulator leak on probe failure + +From: Haotian Zhang + +[ Upstream commit 6b6eddc63ce871897d3a5bc4f8f593e698aef104 ] + +The probe function enables regulators at the beginning +but fails to disable them in its error handling path. +If any operation after enabling the regulators fails, +the probe will exit with an error, leaving the regulators +permanently enabled, which could lead to a resource leak. + +Add a proper error handling path to call regulator_bulk_disable() +before returning an error. + +Fixes: 9a397f473657 ("ASoC: cs4271: add regulator consumer support") +Signed-off-by: Haotian Zhang +Reviewed-by: Charles Keepax +Link: https://patch.msgid.link/20251105062246.1955-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs4271.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/cs4271.c b/sound/soc/codecs/cs4271.c +index 2021cf4426061..f6c9430612f53 100644 +--- a/sound/soc/codecs/cs4271.c ++++ b/sound/soc/codecs/cs4271.c +@@ -594,17 +594,17 @@ static int cs4271_component_probe(struct snd_soc_component *component) + + ret = regcache_sync(cs4271->regmap); + if (ret < 0) +- return ret; ++ goto err_disable_regulator; + + ret = regmap_update_bits(cs4271->regmap, CS4271_MODE2, + CS4271_MODE2_PDN | CS4271_MODE2_CPEN, + CS4271_MODE2_PDN | CS4271_MODE2_CPEN); + if (ret < 0) +- return ret; ++ goto err_disable_regulator; + ret = regmap_update_bits(cs4271->regmap, CS4271_MODE2, + CS4271_MODE2_PDN, 0); + if (ret < 0) +- return ret; ++ goto err_disable_regulator; + /* Power-up sequence requires 85 uS */ + udelay(85); + +@@ -614,6 +614,10 @@ static int cs4271_component_probe(struct snd_soc_component *component) + CS4271_MODE2_MUTECAEQUB); + + return 0; ++ ++err_disable_regulator: ++ regulator_bulk_disable(ARRAY_SIZE(cs4271->supplies), cs4271->supplies); ++ return ret; + } + + static void cs4271_component_remove(struct snd_soc_component *component) +-- +2.51.0 + diff --git a/queue-6.1/drm-vmwgfx-validate-command-header-size-against-svga.patch b/queue-6.1/drm-vmwgfx-validate-command-header-size-against-svga.patch new file mode 100644 index 0000000000..ab8cf47e37 --- /dev/null +++ b/queue-6.1/drm-vmwgfx-validate-command-header-size-against-svga.patch @@ -0,0 +1,44 @@ +From ae68a85b7346bc8886ce8c6a6c89067b432c939d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Oct 2025 14:01:28 -0500 +Subject: drm/vmwgfx: Validate command header size against + SVGA_CMD_MAX_DATASIZE + +From: Ian Forbes + +[ Upstream commit 32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af ] + +This data originates from userspace and is used in buffer offset +calculations which could potentially overflow causing an out-of-bounds +access. + +Fixes: 8ce75f8ab904 ("drm/vmwgfx: Update device includes for DX device functionality") +Reported-by: Rohit Keshri +Signed-off-by: Ian Forbes +Reviewed-by: Maaz Mombasawala +Signed-off-by: Zack Rusin +Link: https://patch.msgid.link/20251021190128.13014-1-ian.forbes@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +index 0d12d6af67c09..247ef293bf845 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +@@ -3669,6 +3669,11 @@ static int vmw_cmd_check(struct vmw_private *dev_priv, + + + cmd_id = header->id; ++ if (header->size > SVGA_CMD_MAX_DATASIZE) { ++ VMW_DEBUG_USER("SVGA3D command: %d is too big.\n", ++ cmd_id + SVGA_3D_CMD_BASE); ++ return -E2BIG; ++ } + *size = header->size + sizeof(SVGA3dCmdHeader); + + cmd_id -= SVGA_3D_CMD_BASE; +-- +2.51.0 + diff --git a/queue-6.1/nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch b/queue-6.1/nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch new file mode 100644 index 0000000000..a6746638e4 --- /dev/null +++ b/queue-6.1/nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch @@ -0,0 +1,56 @@ +From a98a97f86f47a77cc3487e34bd295b0ef60e4c69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Oct 2025 10:51:42 -0400 +Subject: NFSv4: Fix an incorrect parameter when calling nfs4_call_sync() + +From: Trond Myklebust + +[ Upstream commit 1f214e9c3aef2d0936be971072e991d78a174d71 ] + +The Smatch static checker noted that in _nfs4_proc_lookupp(), the flag +RPC_TASK_TIMEOUT is being passed as an argument to nfs4_init_sequence(), +which is clearly incorrect. +Since LOOKUPP is an idempotent operation, nfs4_init_sequence() should +not ask the server to cache the result. The RPC_TASK_TIMEOUT flag needs +to be passed down to the RPC layer. + +Reported-by: Dan Carpenter +Reported-by: Harshit Mogalapalli +Fixes: 76998ebb9158 ("NFSv4: Observe the NFS_MOUNT_SOFTREVAL flag in _nfs4_proc_lookupp") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index f387a3862ca09..d4ae2ce56af4a 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -4584,16 +4584,19 @@ static int _nfs4_proc_lookupp(struct inode *inode, + }; + unsigned short task_flags = 0; + +- if (NFS_SERVER(inode)->flags & NFS_MOUNT_SOFTREVAL) ++ if (server->flags & NFS_MOUNT_SOFTREVAL) + task_flags |= RPC_TASK_TIMEOUT; ++ if (server->caps & NFS_CAP_MOVEABLE) ++ task_flags |= RPC_TASK_MOVEABLE; + + args.bitmask = nfs4_bitmask(server, fattr->label); + + nfs_fattr_init(fattr); ++ nfs4_init_sequence(&args.seq_args, &res.seq_res, 0, 0); + + dprintk("NFS call lookupp ino=0x%lx\n", inode->i_ino); +- status = nfs4_call_sync(clnt, server, &msg, &args.seq_args, +- &res.seq_res, task_flags); ++ status = nfs4_do_call_sync(clnt, server, &msg, &args.seq_args, ++ &res.seq_res, task_flags); + dprintk("NFS reply lookupp: %d\n", status); + return status; + } +-- +2.51.0 + diff --git a/queue-6.1/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch b/queue-6.1/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch new file mode 100644 index 0000000000..dec5857f8f --- /dev/null +++ b/queue-6.1/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch @@ -0,0 +1,42 @@ +From 24579a730ec9eac876b08c28aeecea557817df4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 01:28:28 +0800 +Subject: regulator: fixed: fix GPIO descriptor leak on register failure + +From: Haotian Zhang + +[ Upstream commit 636f4618b1cd96f6b5a2b8c7c4f665c8533ecf13 ] + +In the commit referenced by the Fixes tag, +devm_gpiod_get_optional() was replaced by manual +GPIO management, relying on the regulator core to release the +GPIO descriptor. However, this approach does not account for the +error path: when regulator registration fails, the core never +takes over the GPIO, resulting in a resource leak. + +Add gpiod_put() before returning on regulator registration failure. + +Fixes: 5e6f3ae5c13b ("regulator: fixed: Let core handle GPIO descriptor") +Signed-off-by: Haotian Zhang +Link: https://patch.msgid.link/20251028172828.625-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/fixed.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/regulator/fixed.c b/drivers/regulator/fixed.c +index e6724a229d237..e273275e60259 100644 +--- a/drivers/regulator/fixed.c ++++ b/drivers/regulator/fixed.c +@@ -287,6 +287,7 @@ static int reg_fixed_voltage_probe(struct platform_device *pdev) + ret = dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev), + "Failed to register regulator: %ld\n", + PTR_ERR(drvdata->dev)); ++ gpiod_put(cfg.ena_gpiod); + return ret; + } + +-- +2.51.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 9de2495055..7123464e7c 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -378,3 +378,10 @@ acpi-cppc-check-_cpc-validity-for-only-the-online-cp.patch acpi-cppc-perform-fast-check-switch-only-for-online-.patch acpi-cppc-limit-perf-ctrs-in-pcc-check-only-to-onlin.patch bluetooth-l2cap-export-l2cap_chan_hold-for-modules.patch +acpi-srat-fix-incorrect-device-handle-check-for-gene.patch +regulator-fixed-fix-gpio-descriptor-leak-on-register.patch +asoc-cs4271-fix-regulator-leak-on-probe-failure.patch +asoc-codecs-va-macro-fix-resource-leak-in-probe-erro.patch +drm-vmwgfx-validate-command-header-size-against-svga.patch +nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch +alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch diff --git a/queue-6.12/acpi-hmat-fix-lockdep-warning-for-hmem_register_reso.patch b/queue-6.12/acpi-hmat-fix-lockdep-warning-for-hmem_register_reso.patch new file mode 100644 index 0000000000..3c0a3a8ad9 --- /dev/null +++ b/queue-6.12/acpi-hmat-fix-lockdep-warning-for-hmem_register_reso.patch @@ -0,0 +1,135 @@ +From f62fa762732b57b2eeaa59d1c3f12c2bcf379f91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 16:51:15 -0700 +Subject: acpi/hmat: Fix lockdep warning for hmem_register_resource() + +From: Dave Jiang + +[ Upstream commit 214291cbaaceeb28debd773336642b1fca393ae0 ] + +The following lockdep splat was observed while kernel auto-online a CXL +memory region: + +====================================================== +WARNING: possible circular locking dependency detected +6.17.0djtest+ #53 Tainted: G W +------------------------------------------------------ +systemd-udevd/3334 is trying to acquire lock: +ffffffff90346188 (hmem_resource_lock){+.+.}-{4:4}, at: hmem_register_resource+0x31/0x50 + +but task is already holding lock: +ffffffff90338890 ((node_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x2e/0x70 + +which lock already depends on the new lock. +[..] +Chain exists of: + hmem_resource_lock --> mem_hotplug_lock --> (node_chain).rwsem + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + rlock((node_chain).rwsem); + lock(mem_hotplug_lock); + lock((node_chain).rwsem); + lock(hmem_resource_lock); + +The lock ordering can cause potential deadlock. There are instances +where hmem_resource_lock is taken after (node_chain).rwsem, and vice +versa. + +Split out the target update section of hmat_register_target() so that +hmat_callback() only envokes that section instead of attempt to register +hmem devices that it does not need to. + +[ dj: Fix up comment to be closer to 80cols. (Jonathan) ] + +Fixes: cf8741ac57ed ("ACPI: NUMA: HMAT: Register "soft reserved" memory as an "hmem" device") +Reviewed-by: Jonathan Cameron +Tested-by: Smita Koralahalli +Reviewed-by: Smita Koralahalli +Reviewed-by: Dan Williams +Link: https://patch.msgid.link/20251105235115.85062-3-dave.jiang@intel.com +Signed-off-by: Dave Jiang +Signed-off-by: Sasha Levin +--- + drivers/acpi/numa/hmat.c | 46 ++++++++++++++++++++++------------------ + 1 file changed, 25 insertions(+), 21 deletions(-) + +diff --git a/drivers/acpi/numa/hmat.c b/drivers/acpi/numa/hmat.c +index 1a902a02390f6..c805d63df54ad 100644 +--- a/drivers/acpi/numa/hmat.c ++++ b/drivers/acpi/numa/hmat.c +@@ -864,10 +864,32 @@ static void hmat_register_target_devices(struct memory_target *target) + } + } + +-static void hmat_register_target(struct memory_target *target) ++static void hmat_hotplug_target(struct memory_target *target) + { + int nid = pxm_to_node(target->memory_pxm); + ++ /* ++ * Skip offline nodes. This can happen when memory marked EFI_MEMORY_SP, ++ * "specific purpose", is applied to all the memory in a proximity ++ * domain leading to * the node being marked offline / unplugged, or if ++ * memory-only "hotplug" node is offline. ++ */ ++ if (nid == NUMA_NO_NODE || !node_online(nid)) ++ return; ++ ++ guard(mutex)(&target_lock); ++ if (target->registered) ++ return; ++ ++ hmat_register_target_initiators(target); ++ hmat_register_target_cache(target); ++ hmat_register_target_perf(target, ACCESS_COORDINATE_LOCAL); ++ hmat_register_target_perf(target, ACCESS_COORDINATE_CPU); ++ target->registered = true; ++} ++ ++static void hmat_register_target(struct memory_target *target) ++{ + /* + * Devices may belong to either an offline or online + * node, so unconditionally add them. +@@ -885,25 +907,7 @@ static void hmat_register_target(struct memory_target *target) + } + mutex_unlock(&target_lock); + +- /* +- * Skip offline nodes. This can happen when memory +- * marked EFI_MEMORY_SP, "specific purpose", is applied +- * to all the memory in a proximity domain leading to +- * the node being marked offline / unplugged, or if +- * memory-only "hotplug" node is offline. +- */ +- if (nid == NUMA_NO_NODE || !node_online(nid)) +- return; +- +- mutex_lock(&target_lock); +- if (!target->registered) { +- hmat_register_target_initiators(target); +- hmat_register_target_cache(target); +- hmat_register_target_perf(target, ACCESS_COORDINATE_LOCAL); +- hmat_register_target_perf(target, ACCESS_COORDINATE_CPU); +- target->registered = true; +- } +- mutex_unlock(&target_lock); ++ hmat_hotplug_target(target); + } + + static void hmat_register_targets(void) +@@ -929,7 +933,7 @@ static int hmat_callback(struct notifier_block *self, + if (!target) + return NOTIFY_OK; + +- hmat_register_target(target); ++ hmat_hotplug_target(target); + return NOTIFY_OK; + } + +-- +2.51.0 + diff --git a/queue-6.12/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch b/queue-6.12/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch new file mode 100644 index 0000000000..145210f389 --- /dev/null +++ b/queue-6.12/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch @@ -0,0 +1,41 @@ +From 7aeb474419575791f4af6f91eaa9c8b270e7ab7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Sep 2025 10:32:24 +0800 +Subject: acpi,srat: Fix incorrect device handle check for Generic Initiator + +From: Shuai Xue + +[ Upstream commit 7c3643f204edf1c5edb12b36b34838683ee5f8dc ] + +The Generic Initiator Affinity Structure in SRAT table uses device +handle type field to indicate the device type. According to ACPI +specification, the device handle type value of 1 represents PCI device, +not 0. + +Fixes: 894c26a1c274 ("ACPI: Support Generic Initiator only domains") +Reported-by: Wu Zongyong +Signed-off-by: Shuai Xue +Reviewed-by: Jonathan Cameron +Link: https://patch.msgid.link/20250913023224.39281-1-xueshuai@linux.alibaba.com +Signed-off-by: Dave Jiang +Signed-off-by: Sasha Levin +--- + drivers/acpi/numa/srat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/numa/srat.c b/drivers/acpi/numa/srat.c +index bec0dcd1f9c38..dccdc062d8aa3 100644 +--- a/drivers/acpi/numa/srat.c ++++ b/drivers/acpi/numa/srat.c +@@ -143,7 +143,7 @@ acpi_table_print_srat_entry(struct acpi_subtable_header *header) + struct acpi_srat_generic_affinity *p = + (struct acpi_srat_generic_affinity *)header; + +- if (p->device_handle_type == 0) { ++ if (p->device_handle_type == 1) { + /* + * For pci devices this may be the only place they + * are assigned a proximity domain +-- +2.51.0 + diff --git a/queue-6.12/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch b/queue-6.12/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch new file mode 100644 index 0000000000..1cc71251e9 --- /dev/null +++ b/queue-6.12/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch @@ -0,0 +1,49 @@ +From 4195d0cd3fb267f1057dddca7b50b5d54c799554 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 00:37:54 +0900 +Subject: ALSA: usb-audio: Fix NULL pointer dereference in + snd_usb_mixer_controls_badd + +From: Haein Lee + +[ Upstream commit 632108ec072ad64c8c83db6e16a7efee29ebfb74 ] + +In snd_usb_create_streams(), for UAC version 3 devices, the Interface +Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this +call fails, a fallback routine attempts to obtain the IAD from the next +interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() +assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, +without performing a NULL check. This can lead to a NULL pointer +dereference when usb_ifnum_to_if() fails to find the interface descriptor. + +This patch adds a NULL pointer check after calling usb_ifnum_to_if() in +snd_usb_mixer_controls_badd() to prevent the dereference. + +This issue was discovered by syzkaller, which triggered the bug by sending +a crafted USB device descriptor. + +Fixes: 17156f23e93c ("ALSA: usb: add UAC3 BADD profiles support") +Signed-off-by: Haein Lee +Link: https://patch.msgid.link/vwhzmoba9j2f.vwhzmob9u9e2.g6@dooray.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index ba9c6874915a2..4853336f0e6b5 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -3079,6 +3079,8 @@ static int snd_usb_mixer_controls_badd(struct usb_mixer_interface *mixer, + int i; + + assoc = usb_ifnum_to_if(dev, ctrlif)->intf_assoc; ++ if (!assoc) ++ return -EINVAL; + + /* Detect BADD capture/playback channels from AS EP descriptors */ + for (i = 0; i < assoc->bInterfaceCount; i++) { +-- +2.51.0 + diff --git a/queue-6.12/asoc-codecs-va-macro-fix-resource-leak-in-probe-erro.patch b/queue-6.12/asoc-codecs-va-macro-fix-resource-leak-in-probe-erro.patch new file mode 100644 index 0000000000..4250dc5e35 --- /dev/null +++ b/queue-6.12/asoc-codecs-va-macro-fix-resource-leak-in-probe-erro.patch @@ -0,0 +1,44 @@ +From 446f7c27172a6841a24655750efb88e170c0a885 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Nov 2025 22:31:14 +0800 +Subject: ASoC: codecs: va-macro: fix resource leak in probe error path + +From: Haotian Zhang + +[ Upstream commit 3dc8c73365d3ca25c99e7e1a0f493039d7291df5 ] + +In the commit referenced by the Fixes tag, clk_hw_get_clk() +was added in va_macro_probe() to get the fsgen clock, +but forgot to add the corresponding clk_put() in va_macro_remove(). +This leads to a clock reference leak when the driver is unloaded. + +Switch to devm_clk_hw_get_clk() to automatically manage the +clock resource. + +Fixes: 30097967e056 ("ASoC: codecs: va-macro: use fsgen as clock") +Suggested-by: Konrad Dybcio +Signed-off-by: Haotian Zhang +Reviewed-by: Konrad Dybcio +Link: https://patch.msgid.link/20251106143114.729-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/lpass-va-macro.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/lpass-va-macro.c b/sound/soc/codecs/lpass-va-macro.c +index c781da4762407..d44b5b0a80a1c 100644 +--- a/sound/soc/codecs/lpass-va-macro.c ++++ b/sound/soc/codecs/lpass-va-macro.c +@@ -1637,7 +1637,7 @@ static int va_macro_probe(struct platform_device *pdev) + if (ret) + goto err_clkout; + +- va->fsgen = clk_hw_get_clk(&va->hw, "fsgen"); ++ va->fsgen = devm_clk_hw_get_clk(dev, &va->hw, "fsgen"); + if (IS_ERR(va->fsgen)) { + ret = PTR_ERR(va->fsgen); + goto err_clkout; +-- +2.51.0 + diff --git a/queue-6.12/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch b/queue-6.12/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch new file mode 100644 index 0000000000..0012c436ac --- /dev/null +++ b/queue-6.12/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch @@ -0,0 +1,67 @@ +From e9f500ceb6254864a12856115b60374c2b2817bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 14:22:46 +0800 +Subject: ASoC: cs4271: Fix regulator leak on probe failure + +From: Haotian Zhang + +[ Upstream commit 6b6eddc63ce871897d3a5bc4f8f593e698aef104 ] + +The probe function enables regulators at the beginning +but fails to disable them in its error handling path. +If any operation after enabling the regulators fails, +the probe will exit with an error, leaving the regulators +permanently enabled, which could lead to a resource leak. + +Add a proper error handling path to call regulator_bulk_disable() +before returning an error. + +Fixes: 9a397f473657 ("ASoC: cs4271: add regulator consumer support") +Signed-off-by: Haotian Zhang +Reviewed-by: Charles Keepax +Link: https://patch.msgid.link/20251105062246.1955-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs4271.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/cs4271.c b/sound/soc/codecs/cs4271.c +index e864188ae5eb9..1d3261d0f1fd0 100644 +--- a/sound/soc/codecs/cs4271.c ++++ b/sound/soc/codecs/cs4271.c +@@ -581,17 +581,17 @@ static int cs4271_component_probe(struct snd_soc_component *component) + + ret = regcache_sync(cs4271->regmap); + if (ret < 0) +- return ret; ++ goto err_disable_regulator; + + ret = regmap_update_bits(cs4271->regmap, CS4271_MODE2, + CS4271_MODE2_PDN | CS4271_MODE2_CPEN, + CS4271_MODE2_PDN | CS4271_MODE2_CPEN); + if (ret < 0) +- return ret; ++ goto err_disable_regulator; + ret = regmap_update_bits(cs4271->regmap, CS4271_MODE2, + CS4271_MODE2_PDN, 0); + if (ret < 0) +- return ret; ++ goto err_disable_regulator; + /* Power-up sequence requires 85 uS */ + udelay(85); + +@@ -601,6 +601,10 @@ static int cs4271_component_probe(struct snd_soc_component *component) + CS4271_MODE2_MUTECAEQUB); + + return 0; ++ ++err_disable_regulator: ++ regulator_bulk_disable(ARRAY_SIZE(cs4271->supplies), cs4271->supplies); ++ return ret; + } + + static void cs4271_component_remove(struct snd_soc_component *component) +-- +2.51.0 + diff --git a/queue-6.12/asoc-tas2781-fix-getting-the-wrong-device-number.patch b/queue-6.12/asoc-tas2781-fix-getting-the-wrong-device-number.patch new file mode 100644 index 0000000000..05da160882 --- /dev/null +++ b/queue-6.12/asoc-tas2781-fix-getting-the-wrong-device-number.patch @@ -0,0 +1,52 @@ +From 086b0fc24b984c3c33a060bf7565c00667da600b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Nov 2025 13:49:59 +0800 +Subject: ASoC: tas2781: fix getting the wrong device number + +From: Shenghao Ding + +[ Upstream commit 29528c8e643bb0c54da01237a35010c6438423d2 ] + +The return value of device_property_read_u32_array used for getting the +property is the status instead of the number of the property. + +Fixes: ef3bcde75d06 ("ASoC: tas2781: Add tas2781 driver") +Signed-off-by: Shenghao Ding +Link: https://patch.msgid.link/20251107054959.950-1-shenghao-ding@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tas2781-i2c.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/tas2781-i2c.c b/sound/soc/codecs/tas2781-i2c.c +index 1b2f55030c396..2f100cbfdc41f 100644 +--- a/sound/soc/codecs/tas2781-i2c.c ++++ b/sound/soc/codecs/tas2781-i2c.c +@@ -1635,7 +1635,8 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv) + { + struct i2c_client *client = (struct i2c_client *)tas_priv->client; + unsigned int dev_addrs[TASDEVICE_MAX_CHANNELS]; +- int i, ndev = 0; ++ int ndev = 0; ++ int i, rc; + + if (tas_priv->isacpi) { + ndev = device_property_read_u32_array(&client->dev, +@@ -1646,8 +1647,12 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv) + } else { + ndev = (ndev < ARRAY_SIZE(dev_addrs)) + ? ndev : ARRAY_SIZE(dev_addrs); +- ndev = device_property_read_u32_array(&client->dev, ++ rc = device_property_read_u32_array(&client->dev, + "ti,audio-slots", dev_addrs, ndev); ++ if (rc != 0) { ++ ndev = 1; ++ dev_addrs[0] = client->addr; ++ } + } + + tas_priv->irq = +-- +2.51.0 + diff --git a/queue-6.12/drm-vmwgfx-validate-command-header-size-against-svga.patch b/queue-6.12/drm-vmwgfx-validate-command-header-size-against-svga.patch new file mode 100644 index 0000000000..b18dd5a5b5 --- /dev/null +++ b/queue-6.12/drm-vmwgfx-validate-command-header-size-against-svga.patch @@ -0,0 +1,44 @@ +From 2297e85e6f9a3818d5de08f9aedee916a34f91f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Oct 2025 14:01:28 -0500 +Subject: drm/vmwgfx: Validate command header size against + SVGA_CMD_MAX_DATASIZE + +From: Ian Forbes + +[ Upstream commit 32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af ] + +This data originates from userspace and is used in buffer offset +calculations which could potentially overflow causing an out-of-bounds +access. + +Fixes: 8ce75f8ab904 ("drm/vmwgfx: Update device includes for DX device functionality") +Reported-by: Rohit Keshri +Signed-off-by: Ian Forbes +Reviewed-by: Maaz Mombasawala +Signed-off-by: Zack Rusin +Link: https://patch.msgid.link/20251021190128.13014-1-ian.forbes@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +index 8b72848bb25cd..0c1bd3acf3598 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +@@ -3686,6 +3686,11 @@ static int vmw_cmd_check(struct vmw_private *dev_priv, + + + cmd_id = header->id; ++ if (header->size > SVGA_CMD_MAX_DATASIZE) { ++ VMW_DEBUG_USER("SVGA3D command: %d is too big.\n", ++ cmd_id + SVGA_3D_CMD_BASE); ++ return -E2BIG; ++ } + *size = header->size + sizeof(SVGA3dCmdHeader); + + cmd_id -= SVGA_3D_CMD_BASE; +-- +2.51.0 + diff --git a/queue-6.12/nfs-fix-ltp-test-failures-when-timestamps-are-delega.patch b/queue-6.12/nfs-fix-ltp-test-failures-when-timestamps-are-delega.patch new file mode 100644 index 0000000000..3b5369485b --- /dev/null +++ b/queue-6.12/nfs-fix-ltp-test-failures-when-timestamps-are-delega.patch @@ -0,0 +1,84 @@ +From 45a5a7574fd2d91a34500319937efd55db93df85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Nov 2025 09:05:08 -0800 +Subject: NFS: Fix LTP test failures when timestamps are delegated + +From: Dai Ngo + +[ Upstream commit b623390045a81fc559decb9bfeb79319721d3dfb ] + +The utimes01 and utime06 tests fail when delegated timestamps are +enabled, specifically in subtests that modify the atime and mtime +fields using the 'nobody' user ID. + +The problem can be reproduced as follow: + +# echo "/media *(rw,no_root_squash,sync)" >> /etc/exports +# export -ra +# mount -o rw,nfsvers=4.2 127.0.0.1:/media /tmpdir +# cd /opt/ltp +# ./runltp -d /tmpdir -s utimes01 +# ./runltp -d /tmpdir -s utime06 + +This issue occurs because nfs_setattr does not verify the inode's +UID against the caller's fsuid when delegated timestamps are +permitted for the inode. + +This patch adds the UID check and if it does not match then the +request is sent to the server for permission checking. + +Fixes: e12912d94137 ("NFSv4: Add support for delegated atime and mtime attributes") +Signed-off-by: Dai Ngo +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/inode.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c +index 5bf5fb5ddd34c..5bab9db5417c2 100644 +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -711,6 +711,8 @@ nfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry, + struct inode *inode = d_inode(dentry); + struct nfs_fattr *fattr; + int error = 0; ++ kuid_t task_uid = current_fsuid(); ++ kuid_t owner_uid = inode->i_uid; + + nfs_inc_stats(inode, NFSIOS_VFSSETATTR); + +@@ -732,9 +734,11 @@ nfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry, + if (nfs_have_delegated_mtime(inode) && attr->ia_valid & ATTR_MTIME) { + spin_lock(&inode->i_lock); + if (attr->ia_valid & ATTR_MTIME_SET) { +- nfs_set_timestamps_to_ts(inode, attr); +- attr->ia_valid &= ~(ATTR_MTIME|ATTR_MTIME_SET| ++ if (uid_eq(task_uid, owner_uid)) { ++ nfs_set_timestamps_to_ts(inode, attr); ++ attr->ia_valid &= ~(ATTR_MTIME|ATTR_MTIME_SET| + ATTR_ATIME|ATTR_ATIME_SET); ++ } + } else { + nfs_update_timestamps(inode, attr->ia_valid); + attr->ia_valid &= ~(ATTR_MTIME|ATTR_ATIME); +@@ -744,10 +748,12 @@ nfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry, + attr->ia_valid & ATTR_ATIME && + !(attr->ia_valid & ATTR_MTIME)) { + if (attr->ia_valid & ATTR_ATIME_SET) { +- spin_lock(&inode->i_lock); +- nfs_set_timestamps_to_ts(inode, attr); +- spin_unlock(&inode->i_lock); +- attr->ia_valid &= ~(ATTR_ATIME|ATTR_ATIME_SET); ++ if (uid_eq(task_uid, owner_uid)) { ++ spin_lock(&inode->i_lock); ++ nfs_set_timestamps_to_ts(inode, attr); ++ spin_unlock(&inode->i_lock); ++ attr->ia_valid &= ~(ATTR_ATIME|ATTR_ATIME_SET); ++ } + } else { + nfs_update_delegated_atime(inode); + attr->ia_valid &= ~ATTR_ATIME; +-- +2.51.0 + diff --git a/queue-6.12/nfs-sysfs-fix-leak-when-nfs_client-kobject-add-fails.patch b/queue-6.12/nfs-sysfs-fix-leak-when-nfs_client-kobject-add-fails.patch new file mode 100644 index 0000000000..9a3832e56b --- /dev/null +++ b/queue-6.12/nfs-sysfs-fix-leak-when-nfs_client-kobject-add-fails.patch @@ -0,0 +1,37 @@ +From fc7454e2dedaa2eb9542679481f3ef157ab2adc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 11:03:25 +0800 +Subject: NFS: sysfs: fix leak when nfs_client kobject add fails + +From: Yang Xiuwei + +[ Upstream commit 7a7a3456520b309a0bffa1d9d62bd6c9dcab89b3 ] + +If adding the second kobject fails, drop both references to avoid sysfs +residue and memory leak. + +Fixes: e96f9268eea6 ("NFS: Make all of /sys/fs/nfs network-namespace unique") + +Signed-off-by: Yang Xiuwei +Reviewed-by: Benjamin Coddington +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/sysfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/nfs/sysfs.c b/fs/nfs/sysfs.c +index 784f7c1d003bf..53d4cdf28ee00 100644 +--- a/fs/nfs/sysfs.c ++++ b/fs/nfs/sysfs.c +@@ -189,6 +189,7 @@ static struct nfs_netns_client *nfs_netns_client_alloc(struct kobject *parent, + return p; + + kobject_put(&p->kobject); ++ kobject_put(&p->nfs_net_kobj); + } + return NULL; + } +-- +2.51.0 + diff --git a/queue-6.12/nfsv2-v3-fix-error-handling-in-nfs_atomic_open_v23.patch b/queue-6.12/nfsv2-v3-fix-error-handling-in-nfs_atomic_open_v23.patch new file mode 100644 index 0000000000..d2fc567763 --- /dev/null +++ b/queue-6.12/nfsv2-v3-fix-error-handling-in-nfs_atomic_open_v23.patch @@ -0,0 +1,47 @@ +From 9d9d3b594f70737f7e25e93c0b42d9d16dede9da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 17:27:43 -0400 +Subject: NFSv2/v3: Fix error handling in nfs_atomic_open_v23() + +From: Trond Myklebust + +[ Upstream commit 85d2c2392ac6348e1171d627497034a341a250c1 ] + +When nfs_do_create() returns an EEXIST error, it means that a regular +file could not be created. That could mean that a symlink needs to be +resolved. If that's the case, a lookup needs to be kicked off. + +Reported-by: Stephen Abbene +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220710 +Fixes: 7c6c5249f061 ("NFS: add atomic_open for NFSv3 to handle O_TRUNC correctly.") +Signed-off-by: Trond Myklebust +Reviewed-by: NeilBrown +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index c05c737ac5282..048ce25ebfb70 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -2280,11 +2280,12 @@ int nfs_atomic_open_v23(struct inode *dir, struct dentry *dentry, + return -ENAMETOOLONG; + + if (open_flags & O_CREAT) { +- file->f_mode |= FMODE_CREATED; + error = nfs_do_create(dir, dentry, mode, open_flags); +- if (error) ++ if (!error) { ++ file->f_mode |= FMODE_CREATED; ++ return finish_open(file, dentry, NULL); ++ } else if (error != -EEXIST || open_flags & O_EXCL) + return error; +- return finish_open(file, dentry, NULL); + } + if (d_in_lookup(dentry)) { + /* The only flags nfs_lookup considers are +-- +2.51.0 + diff --git a/queue-6.12/nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch b/queue-6.12/nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch new file mode 100644 index 0000000000..d264491ece --- /dev/null +++ b/queue-6.12/nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch @@ -0,0 +1,56 @@ +From 0b3d9867bc5fee43864e4abefd3f998c003f512d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Oct 2025 10:51:42 -0400 +Subject: NFSv4: Fix an incorrect parameter when calling nfs4_call_sync() + +From: Trond Myklebust + +[ Upstream commit 1f214e9c3aef2d0936be971072e991d78a174d71 ] + +The Smatch static checker noted that in _nfs4_proc_lookupp(), the flag +RPC_TASK_TIMEOUT is being passed as an argument to nfs4_init_sequence(), +which is clearly incorrect. +Since LOOKUPP is an idempotent operation, nfs4_init_sequence() should +not ask the server to cache the result. The RPC_TASK_TIMEOUT flag needs +to be passed down to the RPC layer. + +Reported-by: Dan Carpenter +Reported-by: Harshit Mogalapalli +Fixes: 76998ebb9158 ("NFSv4: Observe the NFS_MOUNT_SOFTREVAL flag in _nfs4_proc_lookupp") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index a4531386c6485..6342d360732d2 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -4695,16 +4695,19 @@ static int _nfs4_proc_lookupp(struct inode *inode, + }; + unsigned short task_flags = 0; + +- if (NFS_SERVER(inode)->flags & NFS_MOUNT_SOFTREVAL) ++ if (server->flags & NFS_MOUNT_SOFTREVAL) + task_flags |= RPC_TASK_TIMEOUT; ++ if (server->caps & NFS_CAP_MOVEABLE) ++ task_flags |= RPC_TASK_MOVEABLE; + + args.bitmask = nfs4_bitmask(server, fattr->label); + + nfs_fattr_init(fattr); ++ nfs4_init_sequence(&args.seq_args, &res.seq_res, 0, 0); + + dprintk("NFS call lookupp ino=0x%lx\n", inode->i_ino); +- status = nfs4_call_sync(clnt, server, &msg, &args.seq_args, +- &res.seq_res, task_flags); ++ status = nfs4_do_call_sync(clnt, server, &msg, &args.seq_args, ++ &res.seq_res, task_flags); + dprintk("NFS reply lookupp: %d\n", status); + return status; + } +-- +2.51.0 + diff --git a/queue-6.12/pnfs-fix-tls-logic-in-_nfs4_pnfs_v4_ds_connect.patch b/queue-6.12/pnfs-fix-tls-logic-in-_nfs4_pnfs_v4_ds_connect.patch new file mode 100644 index 0000000000..42cfccea92 --- /dev/null +++ b/queue-6.12/pnfs-fix-tls-logic-in-_nfs4_pnfs_v4_ds_connect.patch @@ -0,0 +1,97 @@ +From 5bae33e67df869006775c3fdd245cc01bb92d8cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Oct 2025 20:10:34 -0400 +Subject: pnfs: Fix TLS logic in _nfs4_pnfs_v4_ds_connect() + +From: Trond Myklebust + +[ Upstream commit 28e19737e1570c7c71890547c2e43c3e0da79df9 ] + +Don't try to add an RDMA transport to a client that is already marked as +being a TCP/TLS transport. + +Fixes: a35518cae4b3 ("NFSv4.1/pnfs: fix NFS with TLS in pnfs") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/pnfs_nfs.c | 34 +++++++++++++++++----------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/fs/nfs/pnfs_nfs.c b/fs/nfs/pnfs_nfs.c +index 2ee20a0f0b36d..dd688d17b5b95 100644 +--- a/fs/nfs/pnfs_nfs.c ++++ b/fs/nfs/pnfs_nfs.c +@@ -867,7 +867,10 @@ static int _nfs4_pnfs_v4_ds_connect(struct nfs_server *mds_srv, + u32 minor_version) + { + struct nfs_client *clp = ERR_PTR(-EIO); ++ struct nfs_client *mds_clp = mds_srv->nfs_client; ++ enum xprtsec_policies xprtsec_policy = mds_clp->cl_xprtsec.policy; + struct nfs4_pnfs_ds_addr *da; ++ int ds_proto; + int status = 0; + + dprintk("--> %s DS %s\n", __func__, ds->ds_remotestr); +@@ -895,12 +898,8 @@ static int _nfs4_pnfs_v4_ds_connect(struct nfs_server *mds_srv, + .data = &xprtdata, + }; + +- if (da->da_transport != clp->cl_proto && +- clp->cl_proto != XPRT_TRANSPORT_TCP_TLS) +- continue; +- if (da->da_transport == XPRT_TRANSPORT_TCP && +- mds_srv->nfs_client->cl_proto == +- XPRT_TRANSPORT_TCP_TLS) { ++ if (xprt_args.ident == XPRT_TRANSPORT_TCP && ++ clp->cl_proto == XPRT_TRANSPORT_TCP_TLS) { + struct sockaddr *addr = + (struct sockaddr *)&da->da_addr; + struct sockaddr_in *sin = +@@ -931,7 +930,10 @@ static int _nfs4_pnfs_v4_ds_connect(struct nfs_server *mds_srv, + xprt_args.ident = XPRT_TRANSPORT_TCP_TLS; + xprt_args.servername = servername; + } +- if (da->da_addr.ss_family != clp->cl_addr.ss_family) ++ if (xprt_args.ident != clp->cl_proto) ++ continue; ++ if (xprt_args.dstaddr->sa_family != ++ clp->cl_addr.ss_family) + continue; + + /** +@@ -945,15 +947,14 @@ static int _nfs4_pnfs_v4_ds_connect(struct nfs_server *mds_srv, + if (xprtdata.cred) + put_cred(xprtdata.cred); + } else { +- if (da->da_transport == XPRT_TRANSPORT_TCP && +- mds_srv->nfs_client->cl_proto == +- XPRT_TRANSPORT_TCP_TLS) +- da->da_transport = XPRT_TRANSPORT_TCP_TLS; +- clp = nfs4_set_ds_client(mds_srv, +- &da->da_addr, +- da->da_addrlen, +- da->da_transport, timeo, +- retrans, minor_version); ++ ds_proto = da->da_transport; ++ if (ds_proto == XPRT_TRANSPORT_TCP && ++ xprtsec_policy != RPC_XPRTSEC_NONE) ++ ds_proto = XPRT_TRANSPORT_TCP_TLS; ++ ++ clp = nfs4_set_ds_client(mds_srv, &da->da_addr, ++ da->da_addrlen, ds_proto, ++ timeo, retrans, minor_version); + if (IS_ERR(clp)) + continue; + +@@ -964,7 +965,6 @@ static int _nfs4_pnfs_v4_ds_connect(struct nfs_server *mds_srv, + clp = ERR_PTR(-EIO); + continue; + } +- + } + } + +-- +2.51.0 + diff --git a/queue-6.12/pnfs-set-transport-security-policy-to-rpc_xprtsec_no.patch b/queue-6.12/pnfs-set-transport-security-policy-to-rpc_xprtsec_no.patch new file mode 100644 index 0000000000..50fd0c106e --- /dev/null +++ b/queue-6.12/pnfs-set-transport-security-policy-to-rpc_xprtsec_no.patch @@ -0,0 +1,109 @@ +From 8b167ff91255617c84ddd5e4d8b01fa3054979ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Oct 2025 20:10:35 -0400 +Subject: pnfs: Set transport security policy to RPC_XPRTSEC_NONE unless using + TLS + +From: Trond Myklebust + +[ Upstream commit 8ab523ce78d4ca13add6b4ecbacff0f84c274603 ] + +The default setting for the transport security policy must be +RPC_XPRTSEC_NONE, when using a TCP or RDMA connection without TLS. +Conversely, when using TLS, the security policy needs to be set. + +Fixes: 6c0a8c5fcf71 ("NFS: Have struct nfs_client carry a TLS policy field") +Signed-off-by: Trond Myklebust +Reviewed-by: Chuck Lever +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs3client.c | 14 ++++++++++++-- + fs/nfs/nfs4client.c | 14 ++++++++++++-- + 2 files changed, 24 insertions(+), 4 deletions(-) + +diff --git a/fs/nfs/nfs3client.c b/fs/nfs/nfs3client.c +index b0c8a39c2bbde..1aa4c43c9b3b4 100644 +--- a/fs/nfs/nfs3client.c ++++ b/fs/nfs/nfs3client.c +@@ -2,6 +2,7 @@ + #include + #include + #include ++#include + #include "internal.h" + #include "nfs3_fs.h" + #include "netns.h" +@@ -98,7 +99,11 @@ struct nfs_client *nfs3_set_ds_client(struct nfs_server *mds_srv, + .net = mds_clp->cl_net, + .timeparms = &ds_timeout, + .cred = mds_srv->cred, +- .xprtsec = mds_clp->cl_xprtsec, ++ .xprtsec = { ++ .policy = RPC_XPRTSEC_NONE, ++ .cert_serial = TLS_NO_CERT, ++ .privkey_serial = TLS_NO_PRIVKEY, ++ }, + .connect_timeout = connect_timeout, + .reconnect_timeout = connect_timeout, + }; +@@ -111,9 +116,14 @@ struct nfs_client *nfs3_set_ds_client(struct nfs_server *mds_srv, + cl_init.hostname = buf; + + switch (ds_proto) { ++ case XPRT_TRANSPORT_TCP_TLS: ++ if (mds_clp->cl_xprtsec.policy != RPC_XPRTSEC_NONE) ++ cl_init.xprtsec = mds_clp->cl_xprtsec; ++ else ++ ds_proto = XPRT_TRANSPORT_TCP; ++ fallthrough; + case XPRT_TRANSPORT_RDMA: + case XPRT_TRANSPORT_TCP: +- case XPRT_TRANSPORT_TCP_TLS: + if (mds_clp->cl_nconnect > 1) + cl_init.nconnect = mds_clp->cl_nconnect; + } +diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c +index aaf723471228b..b14688da814d6 100644 +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include "internal.h" + #include "callback.h" + #include "delegation.h" +@@ -992,7 +993,11 @@ struct nfs_client *nfs4_set_ds_client(struct nfs_server *mds_srv, + .net = mds_clp->cl_net, + .timeparms = &ds_timeout, + .cred = mds_srv->cred, +- .xprtsec = mds_srv->nfs_client->cl_xprtsec, ++ .xprtsec = { ++ .policy = RPC_XPRTSEC_NONE, ++ .cert_serial = TLS_NO_CERT, ++ .privkey_serial = TLS_NO_PRIVKEY, ++ }, + }; + char buf[INET6_ADDRSTRLEN + 1]; + +@@ -1001,9 +1006,14 @@ struct nfs_client *nfs4_set_ds_client(struct nfs_server *mds_srv, + cl_init.hostname = buf; + + switch (ds_proto) { ++ case XPRT_TRANSPORT_TCP_TLS: ++ if (mds_srv->nfs_client->cl_xprtsec.policy != RPC_XPRTSEC_NONE) ++ cl_init.xprtsec = mds_srv->nfs_client->cl_xprtsec; ++ else ++ ds_proto = XPRT_TRANSPORT_TCP; ++ fallthrough; + case XPRT_TRANSPORT_RDMA: + case XPRT_TRANSPORT_TCP: +- case XPRT_TRANSPORT_TCP_TLS: + if (mds_clp->cl_nconnect > 1) { + cl_init.nconnect = mds_clp->cl_nconnect; + cl_init.max_connect = NFS_MAX_TRANSPORTS; +-- +2.51.0 + diff --git a/queue-6.12/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch b/queue-6.12/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch new file mode 100644 index 0000000000..7ba61e0ef2 --- /dev/null +++ b/queue-6.12/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch @@ -0,0 +1,42 @@ +From 98bcb90bb527f7953a2c228a654cd307c6639b81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 01:28:28 +0800 +Subject: regulator: fixed: fix GPIO descriptor leak on register failure + +From: Haotian Zhang + +[ Upstream commit 636f4618b1cd96f6b5a2b8c7c4f665c8533ecf13 ] + +In the commit referenced by the Fixes tag, +devm_gpiod_get_optional() was replaced by manual +GPIO management, relying on the regulator core to release the +GPIO descriptor. However, this approach does not account for the +error path: when regulator registration fails, the core never +takes over the GPIO, resulting in a resource leak. + +Add gpiod_put() before returning on regulator registration failure. + +Fixes: 5e6f3ae5c13b ("regulator: fixed: Let core handle GPIO descriptor") +Signed-off-by: Haotian Zhang +Link: https://patch.msgid.link/20251028172828.625-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/fixed.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/regulator/fixed.c b/drivers/regulator/fixed.c +index 1cb647ed70c62..a2d16e9abfb58 100644 +--- a/drivers/regulator/fixed.c ++++ b/drivers/regulator/fixed.c +@@ -334,6 +334,7 @@ static int reg_fixed_voltage_probe(struct platform_device *pdev) + ret = dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev), + "Failed to register regulator: %ld\n", + PTR_ERR(drvdata->dev)); ++ gpiod_put(cfg.ena_gpiod); + return ret; + } + +-- +2.51.0 + diff --git a/queue-6.12/series b/queue-6.12/series index bb4a5c4152..84c1f1af6e 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -64,3 +64,18 @@ acpi-cppc-check-_cpc-validity-for-only-the-online-cp.patch acpi-cppc-perform-fast-check-switch-only-for-online-.patch acpi-cppc-limit-perf-ctrs-in-pcc-check-only-to-onlin.patch bluetooth-l2cap-export-l2cap_chan_hold-for-modules.patch +acpi-srat-fix-incorrect-device-handle-check-for-gene.patch +regulator-fixed-fix-gpio-descriptor-leak-on-register.patch +asoc-cs4271-fix-regulator-leak-on-probe-failure.patch +asoc-codecs-va-macro-fix-resource-leak-in-probe-erro.patch +drm-vmwgfx-validate-command-header-size-against-svga.patch +asoc-tas2781-fix-getting-the-wrong-device-number.patch +pnfs-fix-tls-logic-in-_nfs4_pnfs_v4_ds_connect.patch +pnfs-set-transport-security-policy-to-rpc_xprtsec_no.patch +simplify-nfs_atomic_open_v23.patch +nfsv2-v3-fix-error-handling-in-nfs_atomic_open_v23.patch +nfs-sysfs-fix-leak-when-nfs_client-kobject-add-fails.patch +nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch +nfs-fix-ltp-test-failures-when-timestamps-are-delega.patch +alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch +acpi-hmat-fix-lockdep-warning-for-hmem_register_reso.patch diff --git a/queue-6.12/simplify-nfs_atomic_open_v23.patch b/queue-6.12/simplify-nfs_atomic_open_v23.patch new file mode 100644 index 0000000000..f70583c2aa --- /dev/null +++ b/queue-6.12/simplify-nfs_atomic_open_v23.patch @@ -0,0 +1,63 @@ +From a063e60b5c8899c0bea38f6c1dc081de459aba0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Sep 2025 11:52:41 -0400 +Subject: simplify nfs_atomic_open_v23() + +From: Al Viro + +[ Upstream commit aae9db5739164353fa1894db000fabad940a835b ] + +1) finish_no_open() takes ERR_PTR() as dentry now. +2) caller of ->atomic_open() will call d_lookup_done() itself, no +need to do it here. + +Reviewed-by: NeilBrown +Signed-off-by: Al Viro +Stable-dep-of: 85d2c2392ac6 ("NFSv2/v3: Fix error handling in nfs_atomic_open_v23()") +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index bbc625e742aa3..c05c737ac5282 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -2270,7 +2270,7 @@ int nfs_atomic_open_v23(struct inode *dir, struct dentry *dentry, + struct file *file, unsigned int open_flags, + umode_t mode) + { +- ++ struct dentry *res = NULL; + /* Same as look+open from lookup_open(), but with different O_TRUNC + * handling. + */ +@@ -2285,21 +2285,15 @@ int nfs_atomic_open_v23(struct inode *dir, struct dentry *dentry, + if (error) + return error; + return finish_open(file, dentry, NULL); +- } else if (d_in_lookup(dentry)) { ++ } ++ if (d_in_lookup(dentry)) { + /* The only flags nfs_lookup considers are + * LOOKUP_EXCL and LOOKUP_RENAME_TARGET, and + * we want those to be zero so the lookup isn't skipped. + */ +- struct dentry *res = nfs_lookup(dir, dentry, 0); +- +- d_lookup_done(dentry); +- if (unlikely(res)) { +- if (IS_ERR(res)) +- return PTR_ERR(res); +- return finish_no_open(file, res); +- } ++ res = nfs_lookup(dir, dentry, 0); + } +- return finish_no_open(file, NULL); ++ return finish_no_open(file, res); + + } + EXPORT_SYMBOL_GPL(nfs_atomic_open_v23); +-- +2.51.0 + diff --git a/queue-6.17/acpi-hmat-fix-lockdep-warning-for-hmem_register_reso.patch b/queue-6.17/acpi-hmat-fix-lockdep-warning-for-hmem_register_reso.patch new file mode 100644 index 0000000000..f22a5c810b --- /dev/null +++ b/queue-6.17/acpi-hmat-fix-lockdep-warning-for-hmem_register_reso.patch @@ -0,0 +1,135 @@ +From 25b98eef2c40c8b9237126d464a58bab0ceca4ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 16:51:15 -0700 +Subject: acpi/hmat: Fix lockdep warning for hmem_register_resource() + +From: Dave Jiang + +[ Upstream commit 214291cbaaceeb28debd773336642b1fca393ae0 ] + +The following lockdep splat was observed while kernel auto-online a CXL +memory region: + +====================================================== +WARNING: possible circular locking dependency detected +6.17.0djtest+ #53 Tainted: G W +------------------------------------------------------ +systemd-udevd/3334 is trying to acquire lock: +ffffffff90346188 (hmem_resource_lock){+.+.}-{4:4}, at: hmem_register_resource+0x31/0x50 + +but task is already holding lock: +ffffffff90338890 ((node_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x2e/0x70 + +which lock already depends on the new lock. +[..] +Chain exists of: + hmem_resource_lock --> mem_hotplug_lock --> (node_chain).rwsem + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + rlock((node_chain).rwsem); + lock(mem_hotplug_lock); + lock((node_chain).rwsem); + lock(hmem_resource_lock); + +The lock ordering can cause potential deadlock. There are instances +where hmem_resource_lock is taken after (node_chain).rwsem, and vice +versa. + +Split out the target update section of hmat_register_target() so that +hmat_callback() only envokes that section instead of attempt to register +hmem devices that it does not need to. + +[ dj: Fix up comment to be closer to 80cols. (Jonathan) ] + +Fixes: cf8741ac57ed ("ACPI: NUMA: HMAT: Register "soft reserved" memory as an "hmem" device") +Reviewed-by: Jonathan Cameron +Tested-by: Smita Koralahalli +Reviewed-by: Smita Koralahalli +Reviewed-by: Dan Williams +Link: https://patch.msgid.link/20251105235115.85062-3-dave.jiang@intel.com +Signed-off-by: Dave Jiang +Signed-off-by: Sasha Levin +--- + drivers/acpi/numa/hmat.c | 46 ++++++++++++++++++++++------------------ + 1 file changed, 25 insertions(+), 21 deletions(-) + +diff --git a/drivers/acpi/numa/hmat.c b/drivers/acpi/numa/hmat.c +index 4958301f54179..9085375830605 100644 +--- a/drivers/acpi/numa/hmat.c ++++ b/drivers/acpi/numa/hmat.c +@@ -908,10 +908,32 @@ static void hmat_register_target_devices(struct memory_target *target) + } + } + +-static void hmat_register_target(struct memory_target *target) ++static void hmat_hotplug_target(struct memory_target *target) + { + int nid = pxm_to_node(target->memory_pxm); + ++ /* ++ * Skip offline nodes. This can happen when memory marked EFI_MEMORY_SP, ++ * "specific purpose", is applied to all the memory in a proximity ++ * domain leading to * the node being marked offline / unplugged, or if ++ * memory-only "hotplug" node is offline. ++ */ ++ if (nid == NUMA_NO_NODE || !node_online(nid)) ++ return; ++ ++ guard(mutex)(&target_lock); ++ if (target->registered) ++ return; ++ ++ hmat_register_target_initiators(target); ++ hmat_register_target_cache(target); ++ hmat_register_target_perf(target, ACCESS_COORDINATE_LOCAL); ++ hmat_register_target_perf(target, ACCESS_COORDINATE_CPU); ++ target->registered = true; ++} ++ ++static void hmat_register_target(struct memory_target *target) ++{ + /* + * Devices may belong to either an offline or online + * node, so unconditionally add them. +@@ -929,25 +951,7 @@ static void hmat_register_target(struct memory_target *target) + } + mutex_unlock(&target_lock); + +- /* +- * Skip offline nodes. This can happen when memory +- * marked EFI_MEMORY_SP, "specific purpose", is applied +- * to all the memory in a proximity domain leading to +- * the node being marked offline / unplugged, or if +- * memory-only "hotplug" node is offline. +- */ +- if (nid == NUMA_NO_NODE || !node_online(nid)) +- return; +- +- mutex_lock(&target_lock); +- if (!target->registered) { +- hmat_register_target_initiators(target); +- hmat_register_target_cache(target); +- hmat_register_target_perf(target, ACCESS_COORDINATE_LOCAL); +- hmat_register_target_perf(target, ACCESS_COORDINATE_CPU); +- target->registered = true; +- } +- mutex_unlock(&target_lock); ++ hmat_hotplug_target(target); + } + + static void hmat_register_targets(void) +@@ -973,7 +977,7 @@ static int hmat_callback(struct notifier_block *self, + if (!target) + return NOTIFY_OK; + +- hmat_register_target(target); ++ hmat_hotplug_target(target); + return NOTIFY_OK; + } + +-- +2.51.0 + diff --git a/queue-6.17/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch b/queue-6.17/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch new file mode 100644 index 0000000000..8f3a386861 --- /dev/null +++ b/queue-6.17/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch @@ -0,0 +1,41 @@ +From 8a86f4b23c805ec3baedf11a3ae7a813a9b01f75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Sep 2025 10:32:24 +0800 +Subject: acpi,srat: Fix incorrect device handle check for Generic Initiator + +From: Shuai Xue + +[ Upstream commit 7c3643f204edf1c5edb12b36b34838683ee5f8dc ] + +The Generic Initiator Affinity Structure in SRAT table uses device +handle type field to indicate the device type. According to ACPI +specification, the device handle type value of 1 represents PCI device, +not 0. + +Fixes: 894c26a1c274 ("ACPI: Support Generic Initiator only domains") +Reported-by: Wu Zongyong +Signed-off-by: Shuai Xue +Reviewed-by: Jonathan Cameron +Link: https://patch.msgid.link/20250913023224.39281-1-xueshuai@linux.alibaba.com +Signed-off-by: Dave Jiang +Signed-off-by: Sasha Levin +--- + drivers/acpi/numa/srat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/numa/srat.c b/drivers/acpi/numa/srat.c +index 53816dfab6452..aa87ee1583a4e 100644 +--- a/drivers/acpi/numa/srat.c ++++ b/drivers/acpi/numa/srat.c +@@ -237,7 +237,7 @@ acpi_table_print_srat_entry(struct acpi_subtable_header *header) + struct acpi_srat_generic_affinity *p = + (struct acpi_srat_generic_affinity *)header; + +- if (p->device_handle_type == 0) { ++ if (p->device_handle_type == 1) { + /* + * For pci devices this may be the only place they + * are assigned a proximity domain +-- +2.51.0 + diff --git a/queue-6.17/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch b/queue-6.17/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch new file mode 100644 index 0000000000..025024b59f --- /dev/null +++ b/queue-6.17/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch @@ -0,0 +1,49 @@ +From c1c428c60a30b4912112006ec73465c994c41ea2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 00:37:54 +0900 +Subject: ALSA: usb-audio: Fix NULL pointer dereference in + snd_usb_mixer_controls_badd + +From: Haein Lee + +[ Upstream commit 632108ec072ad64c8c83db6e16a7efee29ebfb74 ] + +In snd_usb_create_streams(), for UAC version 3 devices, the Interface +Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this +call fails, a fallback routine attempts to obtain the IAD from the next +interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() +assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, +without performing a NULL check. This can lead to a NULL pointer +dereference when usb_ifnum_to_if() fails to find the interface descriptor. + +This patch adds a NULL pointer check after calling usb_ifnum_to_if() in +snd_usb_mixer_controls_badd() to prevent the dereference. + +This issue was discovered by syzkaller, which triggered the bug by sending +a crafted USB device descriptor. + +Fixes: 17156f23e93c ("ALSA: usb: add UAC3 BADD profiles support") +Signed-off-by: Haein Lee +Link: https://patch.msgid.link/vwhzmoba9j2f.vwhzmob9u9e2.g6@dooray.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index cf296decefefc..f2058eb71fc8d 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -3080,6 +3080,8 @@ static int snd_usb_mixer_controls_badd(struct usb_mixer_interface *mixer, + int i; + + assoc = usb_ifnum_to_if(dev, ctrlif)->intf_assoc; ++ if (!assoc) ++ return -EINVAL; + + /* Detect BADD capture/playback channels from AS EP descriptors */ + for (i = 0; i < assoc->bInterfaceCount; i++) { +-- +2.51.0 + diff --git a/queue-6.17/asoc-codecs-va-macro-fix-resource-leak-in-probe-erro.patch b/queue-6.17/asoc-codecs-va-macro-fix-resource-leak-in-probe-erro.patch new file mode 100644 index 0000000000..76a937d699 --- /dev/null +++ b/queue-6.17/asoc-codecs-va-macro-fix-resource-leak-in-probe-erro.patch @@ -0,0 +1,44 @@ +From bd5e1db83e53caae3c5307f3499e7658348a961c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Nov 2025 22:31:14 +0800 +Subject: ASoC: codecs: va-macro: fix resource leak in probe error path + +From: Haotian Zhang + +[ Upstream commit 3dc8c73365d3ca25c99e7e1a0f493039d7291df5 ] + +In the commit referenced by the Fixes tag, clk_hw_get_clk() +was added in va_macro_probe() to get the fsgen clock, +but forgot to add the corresponding clk_put() in va_macro_remove(). +This leads to a clock reference leak when the driver is unloaded. + +Switch to devm_clk_hw_get_clk() to automatically manage the +clock resource. + +Fixes: 30097967e056 ("ASoC: codecs: va-macro: use fsgen as clock") +Suggested-by: Konrad Dybcio +Signed-off-by: Haotian Zhang +Reviewed-by: Konrad Dybcio +Link: https://patch.msgid.link/20251106143114.729-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/lpass-va-macro.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/lpass-va-macro.c b/sound/soc/codecs/lpass-va-macro.c +index a49551f3fb29a..fead5c941f210 100644 +--- a/sound/soc/codecs/lpass-va-macro.c ++++ b/sound/soc/codecs/lpass-va-macro.c +@@ -1636,7 +1636,7 @@ static int va_macro_probe(struct platform_device *pdev) + if (ret) + goto err_clkout; + +- va->fsgen = clk_hw_get_clk(&va->hw, "fsgen"); ++ va->fsgen = devm_clk_hw_get_clk(dev, &va->hw, "fsgen"); + if (IS_ERR(va->fsgen)) { + ret = PTR_ERR(va->fsgen); + goto err_clkout; +-- +2.51.0 + diff --git a/queue-6.17/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch b/queue-6.17/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch new file mode 100644 index 0000000000..ff487dec9e --- /dev/null +++ b/queue-6.17/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch @@ -0,0 +1,67 @@ +From 95f4b7c6c8b0f10ff8604463aa7637c47e73f5ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 14:22:46 +0800 +Subject: ASoC: cs4271: Fix regulator leak on probe failure + +From: Haotian Zhang + +[ Upstream commit 6b6eddc63ce871897d3a5bc4f8f593e698aef104 ] + +The probe function enables regulators at the beginning +but fails to disable them in its error handling path. +If any operation after enabling the regulators fails, +the probe will exit with an error, leaving the regulators +permanently enabled, which could lead to a resource leak. + +Add a proper error handling path to call regulator_bulk_disable() +before returning an error. + +Fixes: 9a397f473657 ("ASoC: cs4271: add regulator consumer support") +Signed-off-by: Haotian Zhang +Reviewed-by: Charles Keepax +Link: https://patch.msgid.link/20251105062246.1955-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs4271.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/cs4271.c b/sound/soc/codecs/cs4271.c +index 6a3cca3d26c7e..ead447a5da7f8 100644 +--- a/sound/soc/codecs/cs4271.c ++++ b/sound/soc/codecs/cs4271.c +@@ -581,17 +581,17 @@ static int cs4271_component_probe(struct snd_soc_component *component) + + ret = regcache_sync(cs4271->regmap); + if (ret < 0) +- return ret; ++ goto err_disable_regulator; + + ret = regmap_update_bits(cs4271->regmap, CS4271_MODE2, + CS4271_MODE2_PDN | CS4271_MODE2_CPEN, + CS4271_MODE2_PDN | CS4271_MODE2_CPEN); + if (ret < 0) +- return ret; ++ goto err_disable_regulator; + ret = regmap_update_bits(cs4271->regmap, CS4271_MODE2, + CS4271_MODE2_PDN, 0); + if (ret < 0) +- return ret; ++ goto err_disable_regulator; + /* Power-up sequence requires 85 uS */ + udelay(85); + +@@ -601,6 +601,10 @@ static int cs4271_component_probe(struct snd_soc_component *component) + CS4271_MODE2_MUTECAEQUB); + + return 0; ++ ++err_disable_regulator: ++ regulator_bulk_disable(ARRAY_SIZE(cs4271->supplies), cs4271->supplies); ++ return ret; + } + + static void cs4271_component_remove(struct snd_soc_component *component) +-- +2.51.0 + diff --git a/queue-6.17/asoc-rsnd-fix-of-node-reference-leak-in-rsnd_ssiu_pr.patch b/queue-6.17/asoc-rsnd-fix-of-node-reference-leak-in-rsnd_ssiu_pr.patch new file mode 100644 index 0000000000..9a1c064e01 --- /dev/null +++ b/queue-6.17/asoc-rsnd-fix-of-node-reference-leak-in-rsnd_ssiu_pr.patch @@ -0,0 +1,51 @@ +From b09d3c969ae16677989980e2c68d21814436829a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 14:57:09 +0800 +Subject: ASoC: rsnd: fix OF node reference leak in rsnd_ssiu_probe() + +From: Haotian Zhang + +[ Upstream commit 360b3730f8eab6c4467c6cca4cb0e30902174a63 ] + +rsnd_ssiu_probe() leaks an OF node reference obtained by +rsnd_ssiu_of_node(). The node reference is acquired but +never released across all return paths. + +Fix it by declaring the device node with the __free(device_node) +cleanup construct to ensure automatic release when the variable goes +out of scope. + +Fixes: 4e7788fb8018 ("ASoC: rsnd: add SSIU BUSIF support") +Signed-off-by: Haotian Zhang +Acked-by: Kuninori Morimoto +Link: https://patch.msgid.link/20251112065709.1522-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/renesas/rcar/ssiu.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/sound/soc/renesas/rcar/ssiu.c b/sound/soc/renesas/rcar/ssiu.c +index faf351126d574..244fb833292a7 100644 +--- a/sound/soc/renesas/rcar/ssiu.c ++++ b/sound/soc/renesas/rcar/ssiu.c +@@ -509,7 +509,7 @@ void rsnd_parse_connect_ssiu(struct rsnd_dai *rdai, + int rsnd_ssiu_probe(struct rsnd_priv *priv) + { + struct device *dev = rsnd_priv_to_dev(priv); +- struct device_node *node; ++ struct device_node *node __free(device_node) = rsnd_ssiu_of_node(priv); + struct rsnd_ssiu *ssiu; + struct rsnd_mod_ops *ops; + const int *list = NULL; +@@ -522,7 +522,6 @@ int rsnd_ssiu_probe(struct rsnd_priv *priv) + * see + * rsnd_ssiu_bufsif_to_id() + */ +- node = rsnd_ssiu_of_node(priv); + if (node) + nr = rsnd_node_count(priv, node, SSIU_NAME); + else +-- +2.51.0 + diff --git a/queue-6.17/asoc-tas2781-fix-getting-the-wrong-device-number.patch b/queue-6.17/asoc-tas2781-fix-getting-the-wrong-device-number.patch new file mode 100644 index 0000000000..eac7084bc1 --- /dev/null +++ b/queue-6.17/asoc-tas2781-fix-getting-the-wrong-device-number.patch @@ -0,0 +1,52 @@ +From 68bea980dd2f421cf60302126e0fb14f1fd50474 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Nov 2025 13:49:59 +0800 +Subject: ASoC: tas2781: fix getting the wrong device number + +From: Shenghao Ding + +[ Upstream commit 29528c8e643bb0c54da01237a35010c6438423d2 ] + +The return value of device_property_read_u32_array used for getting the +property is the status instead of the number of the property. + +Fixes: ef3bcde75d06 ("ASoC: tas2781: Add tas2781 driver") +Signed-off-by: Shenghao Ding +Link: https://patch.msgid.link/20251107054959.950-1-shenghao-ding@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tas2781-i2c.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/tas2781-i2c.c b/sound/soc/codecs/tas2781-i2c.c +index ea3cdb8553de1..9890b1a6d2924 100644 +--- a/sound/soc/codecs/tas2781-i2c.c ++++ b/sound/soc/codecs/tas2781-i2c.c +@@ -1864,7 +1864,8 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv) + { + struct i2c_client *client = (struct i2c_client *)tas_priv->client; + unsigned int dev_addrs[TASDEVICE_MAX_CHANNELS]; +- int i, ndev = 0; ++ int ndev = 0; ++ int i, rc; + + if (tas_priv->isacpi) { + ndev = device_property_read_u32_array(&client->dev, +@@ -1875,8 +1876,12 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv) + } else { + ndev = (ndev < ARRAY_SIZE(dev_addrs)) + ? ndev : ARRAY_SIZE(dev_addrs); +- ndev = device_property_read_u32_array(&client->dev, ++ rc = device_property_read_u32_array(&client->dev, + "ti,audio-slots", dev_addrs, ndev); ++ if (rc != 0) { ++ ndev = 1; ++ dev_addrs[0] = client->addr; ++ } + } + + tas_priv->irq = +-- +2.51.0 + diff --git a/queue-6.17/drm-amd-amdgpu-ensure-isp_kernel_buffer_alloc-create.patch b/queue-6.17/drm-amd-amdgpu-ensure-isp_kernel_buffer_alloc-create.patch new file mode 100644 index 0000000000..205035f483 --- /dev/null +++ b/queue-6.17/drm-amd-amdgpu-ensure-isp_kernel_buffer_alloc-create.patch @@ -0,0 +1,46 @@ +From 473f9e37613a061ff0a025108759e70d1be46e2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Nov 2025 13:07:13 -0500 +Subject: drm/amd/amdgpu: Ensure isp_kernel_buffer_alloc() creates a new BO + +From: Sultan Alsawaf + +[ Upstream commit 7132f7e025f9382157543dd86a62d161335b48b9 ] + +When the BO pointer provided to amdgpu_bo_create_kernel() points to +non-NULL, amdgpu_bo_create_kernel() takes it as a hint to pin that address +rather than allocate a new BO. + +This functionality is never desired for allocating ISP buffers. A new BO +should always be created when isp_kernel_buffer_alloc() is called, per the +description for isp_kernel_buffer_alloc(). + +Ensure this by zeroing *bo right before the amdgpu_bo_create_kernel() call. + +Fixes: 55d42f616976 ("drm/amd/amdgpu: Add helper functions for isp buffers") +Reviewed-by: Mario Limonciello (AMD) +Reviewed-by: Pratap Nirujogi +Signed-off-by: Sultan Alsawaf +Signed-off-by: Alex Deucher +(cherry picked from commit 73c8c29baac7f0c7e703d92eba009008cbb5228e) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_isp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_isp.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_isp.c +index 9cddbf50442a4..37270c4dab8dd 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_isp.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_isp.c +@@ -280,6 +280,8 @@ int isp_kernel_buffer_alloc(struct device *dev, u64 size, + if (ret) + return ret; + ++ /* Ensure *bo is NULL so a new BO will be created */ ++ *bo = NULL; + ret = amdgpu_bo_create_kernel(adev, + size, + ISP_MC_ADDR_ALIGN, +-- +2.51.0 + diff --git a/queue-6.17/drm-client-fix-module_parm_desc-string-for-active.patch b/queue-6.17/drm-client-fix-module_parm_desc-string-for-active.patch new file mode 100644 index 0000000000..212d92b82f --- /dev/null +++ b/queue-6.17/drm-client-fix-module_parm_desc-string-for-active.patch @@ -0,0 +1,49 @@ +From 0fffb2f6793d9efb2159d4d545b743239f22b35e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 17:09:20 -0800 +Subject: drm/client: fix MODULE_PARM_DESC string for "active" + +From: Randy Dunlap + +[ Upstream commit 0a4a18e888ae8c8004582f665c5792c84a681668 ] + +The MODULE_PARM_DESC string for the "active" parameter is missing a +space and has an extraneous trailing ']' character. Correct these. + +Before patch: +$ modinfo -p ./drm_client_lib.ko +active:Choose which drm client to start, default isfbdev] (string) + +After patch: +$ modinfo -p ./drm_client_lib.ko +active:Choose which drm client to start, default is fbdev (string) + +Fixes: f7b42442c4ac ("drm/log: Introduce a new boot logger to draw the kmsg on the screen") +Signed-off-by: Randy Dunlap +Reviewed-by: Thomas Zimmermann +Reviewed-by: Jocelyn Falempe +Signed-off-by: Thomas Zimmermann +Link: https://patch.msgid.link/20251112010920.2355712-1-rdunlap@infradead.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/clients/drm_client_setup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/clients/drm_client_setup.c b/drivers/gpu/drm/clients/drm_client_setup.c +index 72480db1f00d0..515aceac22b18 100644 +--- a/drivers/gpu/drm/clients/drm_client_setup.c ++++ b/drivers/gpu/drm/clients/drm_client_setup.c +@@ -13,8 +13,8 @@ + static char drm_client_default[16] = CONFIG_DRM_CLIENT_DEFAULT; + module_param_string(active, drm_client_default, sizeof(drm_client_default), 0444); + MODULE_PARM_DESC(active, +- "Choose which drm client to start, default is" +- CONFIG_DRM_CLIENT_DEFAULT "]"); ++ "Choose which drm client to start, default is " ++ CONFIG_DRM_CLIENT_DEFAULT); + + /** + * drm_client_setup() - Setup in-kernel DRM clients +-- +2.51.0 + diff --git a/queue-6.17/drm-panthor-flush-shmem-writes-before-mapping-buffer.patch b/queue-6.17/drm-panthor-flush-shmem-writes-before-mapping-buffer.patch new file mode 100644 index 0000000000..6ea226b515 --- /dev/null +++ b/queue-6.17/drm-panthor-flush-shmem-writes-before-mapping-buffer.patch @@ -0,0 +1,64 @@ +From 5461902e2760c5fd68eac3dd6bfb3a846279b4c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Nov 2025 18:12:14 +0100 +Subject: drm/panthor: Flush shmem writes before mapping buffers CPU-uncached + +From: Boris Brezillon + +[ Upstream commit 576c930e5e7dcb937648490611a83f1bf0171048 ] + +The shmem layer zeroes out the new pages using cached mappings, and if +we don't CPU-flush we might leave dirty cachelines behind, leading to +potential data leaks and/or asynchronous buffer corruption when dirty +cachelines are evicted. + +Fixes: 8a1cc07578bf ("drm/panthor: Add GEM logical block") +Signed-off-by: Boris Brezillon +Reviewed-by: Steven Price +Reviewed-by: Liviu Dudau +Signed-off-by: Steven Price +Link: https://patch.msgid.link/20251107171214.1186299-1-boris.brezillon@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panthor/panthor_gem.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/drivers/gpu/drm/panthor/panthor_gem.c b/drivers/gpu/drm/panthor/panthor_gem.c +index a123bc740ba14..eb5f0b9d437fc 100644 +--- a/drivers/gpu/drm/panthor/panthor_gem.c ++++ b/drivers/gpu/drm/panthor/panthor_gem.c +@@ -291,6 +291,23 @@ panthor_gem_create_with_handle(struct drm_file *file, + + panthor_gem_debugfs_set_usage_flags(bo, 0); + ++ /* If this is a write-combine mapping, we query the sgt to force a CPU ++ * cache flush (dma_map_sgtable() is called when the sgt is created). ++ * This ensures the zero-ing is visible to any uncached mapping created ++ * by vmap/mmap. ++ * FIXME: Ideally this should be done when pages are allocated, not at ++ * BO creation time. ++ */ ++ if (shmem->map_wc) { ++ struct sg_table *sgt; ++ ++ sgt = drm_gem_shmem_get_pages_sgt(shmem); ++ if (IS_ERR(sgt)) { ++ ret = PTR_ERR(sgt); ++ goto out_put_gem; ++ } ++ } ++ + /* + * Allocate an id of idr table where the obj is registered + * and handle has the id what user can see. +@@ -299,6 +316,7 @@ panthor_gem_create_with_handle(struct drm_file *file, + if (!ret) + *size = bo->base.base.size; + ++out_put_gem: + /* drop reference from allocate - handle holds it now. */ + drm_gem_object_put(&shmem->base); + +-- +2.51.0 + diff --git a/queue-6.17/drm-vmwgfx-restore-guest-backed-only-cursor-plane-su.patch b/queue-6.17/drm-vmwgfx-restore-guest-backed-only-cursor-plane-su.patch new file mode 100644 index 0000000000..a2d2c6c558 --- /dev/null +++ b/queue-6.17/drm-vmwgfx-restore-guest-backed-only-cursor-plane-su.patch @@ -0,0 +1,93 @@ +From 1452f5706a592e85ed670bb2217007b3d386aaff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 14:19:20 -0600 +Subject: drm/vmwgfx: Restore Guest-Backed only cursor plane support + +From: Ian Forbes + +[ Upstream commit eef295a8508202e750e4f103a97447f3c9d5e3d0 ] + +The referenced fixes commit broke the cursor plane for configurations +which have Guest-Backed surfaces but no cursor MOB support. + +Fixes: 965544150d1c ("drm/vmwgfx: Refactor cursor handling") +Signed-off-by: Ian Forbes +Signed-off-by: Zack Rusin +Link: https://patch.msgid.link/20251103201920.381503-1-ian.forbes@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_cursor_plane.c | 16 +++++++++++++++- + drivers/gpu/drm/vmwgfx/vmwgfx_cursor_plane.h | 1 + + 2 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_cursor_plane.c b/drivers/gpu/drm/vmwgfx/vmwgfx_cursor_plane.c +index 718832b08d96e..c46f17ba7236d 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_cursor_plane.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_cursor_plane.c +@@ -100,8 +100,10 @@ vmw_cursor_update_type(struct vmw_private *vmw, struct vmw_plane_state *vps) + if (vmw->has_mob) { + if ((vmw->capabilities2 & SVGA_CAP2_CURSOR_MOB) != 0) + return VMW_CURSOR_UPDATE_MOB; ++ else ++ return VMW_CURSOR_UPDATE_GB_ONLY; + } +- ++ drm_warn_once(&vmw->drm, "Unknown Cursor Type!\n"); + return VMW_CURSOR_UPDATE_NONE; + } + +@@ -139,6 +141,7 @@ static u32 vmw_cursor_mob_size(enum vmw_cursor_update_type update_type, + { + switch (update_type) { + case VMW_CURSOR_UPDATE_LEGACY: ++ case VMW_CURSOR_UPDATE_GB_ONLY: + case VMW_CURSOR_UPDATE_NONE: + return 0; + case VMW_CURSOR_UPDATE_MOB: +@@ -623,6 +626,7 @@ int vmw_cursor_plane_prepare_fb(struct drm_plane *plane, + if (!surface || vps->cursor.legacy.id == surface->snooper.id) + vps->cursor.update_type = VMW_CURSOR_UPDATE_NONE; + break; ++ case VMW_CURSOR_UPDATE_GB_ONLY: + case VMW_CURSOR_UPDATE_MOB: { + bo = vmw_user_object_buffer(&vps->uo); + if (bo) { +@@ -737,6 +741,7 @@ void + vmw_cursor_plane_atomic_update(struct drm_plane *plane, + struct drm_atomic_state *state) + { ++ struct vmw_bo *bo; + struct drm_plane_state *new_state = + drm_atomic_get_new_plane_state(state, plane); + struct drm_plane_state *old_state = +@@ -762,6 +767,15 @@ vmw_cursor_plane_atomic_update(struct drm_plane *plane, + case VMW_CURSOR_UPDATE_MOB: + vmw_cursor_update_mob(dev_priv, vps); + break; ++ case VMW_CURSOR_UPDATE_GB_ONLY: ++ bo = vmw_user_object_buffer(&vps->uo); ++ if (bo) ++ vmw_send_define_cursor_cmd(dev_priv, bo->map.virtual, ++ vps->base.crtc_w, ++ vps->base.crtc_h, ++ vps->base.hotspot_x, ++ vps->base.hotspot_y); ++ break; + case VMW_CURSOR_UPDATE_NONE: + /* do nothing */ + break; +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_cursor_plane.h b/drivers/gpu/drm/vmwgfx/vmwgfx_cursor_plane.h +index 40694925a70e6..0c2cc0699b0d9 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_cursor_plane.h ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_cursor_plane.h +@@ -33,6 +33,7 @@ static const u32 __maybe_unused vmw_cursor_plane_formats[] = { + enum vmw_cursor_update_type { + VMW_CURSOR_UPDATE_NONE = 0, + VMW_CURSOR_UPDATE_LEGACY, ++ VMW_CURSOR_UPDATE_GB_ONLY, + VMW_CURSOR_UPDATE_MOB, + }; + +-- +2.51.0 + diff --git a/queue-6.17/drm-vmwgfx-validate-command-header-size-against-svga.patch b/queue-6.17/drm-vmwgfx-validate-command-header-size-against-svga.patch new file mode 100644 index 0000000000..9dabd345ae --- /dev/null +++ b/queue-6.17/drm-vmwgfx-validate-command-header-size-against-svga.patch @@ -0,0 +1,44 @@ +From af0c791e9732ccbef125dfe29986e3b635e896bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Oct 2025 14:01:28 -0500 +Subject: drm/vmwgfx: Validate command header size against + SVGA_CMD_MAX_DATASIZE + +From: Ian Forbes + +[ Upstream commit 32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af ] + +This data originates from userspace and is used in buffer offset +calculations which could potentially overflow causing an out-of-bounds +access. + +Fixes: 8ce75f8ab904 ("drm/vmwgfx: Update device includes for DX device functionality") +Reported-by: Rohit Keshri +Signed-off-by: Ian Forbes +Reviewed-by: Maaz Mombasawala +Signed-off-by: Zack Rusin +Link: https://patch.msgid.link/20251021190128.13014-1-ian.forbes@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +index d539f25b5fbe0..3057f8baa7d25 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +@@ -3668,6 +3668,11 @@ static int vmw_cmd_check(struct vmw_private *dev_priv, + + + cmd_id = header->id; ++ if (header->size > SVGA_CMD_MAX_DATASIZE) { ++ VMW_DEBUG_USER("SVGA3D command: %d is too big.\n", ++ cmd_id + SVGA_3D_CMD_BASE); ++ return -E2BIG; ++ } + *size = header->size + sizeof(SVGA3dCmdHeader); + + cmd_id -= SVGA_3D_CMD_BASE; +-- +2.51.0 + diff --git a/queue-6.17/io_uring-rsrc-don-t-use-blk_rq_nr_phys_segments-as-n.patch b/queue-6.17/io_uring-rsrc-don-t-use-blk_rq_nr_phys_segments-as-n.patch new file mode 100644 index 0000000000..ceed1d4005 --- /dev/null +++ b/queue-6.17/io_uring-rsrc-don-t-use-blk_rq_nr_phys_segments-as-n.patch @@ -0,0 +1,83 @@ +From 79bef2c1dafa6dabbb47719ceb093e34267f0ad6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 12:15:29 -0700 +Subject: io_uring/rsrc: don't use blk_rq_nr_phys_segments() as number of bvecs + +From: Caleb Sander Mateos + +[ Upstream commit 2d0e88f3fd1dcb37072d499c36162baf5b009d41 ] + +io_buffer_register_bvec() currently uses blk_rq_nr_phys_segments() as +the number of bvecs in the request. However, bvecs may be split into +multiple segments depending on the queue limits. Thus, the number of +segments may overestimate the number of bvecs. For ublk devices, the +only current users of io_buffer_register_bvec(), virt_boundary_mask, +seg_boundary_mask, max_segments, and max_segment_size can all be set +arbitrarily by the ublk server process. +Set imu->nr_bvecs based on the number of bvecs the rq_for_each_bvec() +loop actually yields. However, continue using blk_rq_nr_phys_segments() +as an upper bound on the number of bvecs when allocating imu to avoid +needing to iterate the bvecs a second time. + +Link: https://lore.kernel.org/io-uring/20251111191530.1268875-1-csander@purestorage.com/ +Signed-off-by: Caleb Sander Mateos +Fixes: 27cb27b6d5ea ("io_uring: add support for kernel registered bvecs") +Reviewed-by: Ming Lei +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/rsrc.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c +index 5961f21dd65d1..b0852674730c5 100644 +--- a/io_uring/rsrc.c ++++ b/io_uring/rsrc.c +@@ -942,8 +942,8 @@ int io_buffer_register_bvec(struct io_uring_cmd *cmd, struct request *rq, + struct req_iterator rq_iter; + struct io_mapped_ubuf *imu; + struct io_rsrc_node *node; +- struct bio_vec bv, *bvec; +- u16 nr_bvecs; ++ struct bio_vec bv; ++ unsigned int nr_bvecs = 0; + int ret = 0; + + io_ring_submit_lock(ctx, issue_flags); +@@ -964,8 +964,11 @@ int io_buffer_register_bvec(struct io_uring_cmd *cmd, struct request *rq, + goto unlock; + } + +- nr_bvecs = blk_rq_nr_phys_segments(rq); +- imu = io_alloc_imu(ctx, nr_bvecs); ++ /* ++ * blk_rq_nr_phys_segments() may overestimate the number of bvecs ++ * but avoids needing to iterate over the bvecs ++ */ ++ imu = io_alloc_imu(ctx, blk_rq_nr_phys_segments(rq)); + if (!imu) { + kfree(node); + ret = -ENOMEM; +@@ -976,16 +979,15 @@ int io_buffer_register_bvec(struct io_uring_cmd *cmd, struct request *rq, + imu->len = blk_rq_bytes(rq); + imu->acct_pages = 0; + imu->folio_shift = PAGE_SHIFT; +- imu->nr_bvecs = nr_bvecs; + refcount_set(&imu->refs, 1); + imu->release = release; + imu->priv = rq; + imu->is_kbuf = true; + imu->dir = 1 << rq_data_dir(rq); + +- bvec = imu->bvec; + rq_for_each_bvec(bv, rq, rq_iter) +- *bvec++ = bv; ++ imu->bvec[nr_bvecs++] = bv; ++ imu->nr_bvecs = nr_bvecs; + + node->buf = imu; + data->nodes[index] = node; +-- +2.51.0 + diff --git a/queue-6.17/nfs-check-the-tls-certificate-fields-in-nfs_match_cl.patch b/queue-6.17/nfs-check-the-tls-certificate-fields-in-nfs_match_cl.patch new file mode 100644 index 0000000000..09a1a7bf21 --- /dev/null +++ b/queue-6.17/nfs-check-the-tls-certificate-fields-in-nfs_match_cl.patch @@ -0,0 +1,43 @@ +From 24e779307fdcf7d292468fcf0f784856add926fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Oct 2025 20:10:36 -0400 +Subject: NFS: Check the TLS certificate fields in nfs_match_client() + +From: Trond Myklebust + +[ Upstream commit fb2cba0854a7f315c8100a807a6959b99d72479e ] + +If the TLS security policy is of type RPC_XPRTSEC_TLS_X509, then the +cert_serial and privkey_serial fields need to match as well since they +define the client's identity, as presented to the server. + +Fixes: 90c9550a8d65 ("NFS: support the kernel keyring for TLS") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/client.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/nfs/client.c b/fs/nfs/client.c +index 4e3dcc157a83c..54699299d5b16 100644 +--- a/fs/nfs/client.c ++++ b/fs/nfs/client.c +@@ -338,6 +338,14 @@ static struct nfs_client *nfs_match_client(const struct nfs_client_initdata *dat + /* Match the xprt security policy */ + if (clp->cl_xprtsec.policy != data->xprtsec.policy) + continue; ++ if (clp->cl_xprtsec.policy == RPC_XPRTSEC_TLS_X509) { ++ if (clp->cl_xprtsec.cert_serial != ++ data->xprtsec.cert_serial) ++ continue; ++ if (clp->cl_xprtsec.privkey_serial != ++ data->xprtsec.privkey_serial) ++ continue; ++ } + + refcount_inc(&clp->cl_count); + return clp; +-- +2.51.0 + diff --git a/queue-6.17/nfs-fix-ltp-test-failures-when-timestamps-are-delega.patch b/queue-6.17/nfs-fix-ltp-test-failures-when-timestamps-are-delega.patch new file mode 100644 index 0000000000..3756a36ee8 --- /dev/null +++ b/queue-6.17/nfs-fix-ltp-test-failures-when-timestamps-are-delega.patch @@ -0,0 +1,84 @@ +From 93e5479a1d51589c620a91325c38e137c7f220d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Nov 2025 09:05:08 -0800 +Subject: NFS: Fix LTP test failures when timestamps are delegated + +From: Dai Ngo + +[ Upstream commit b623390045a81fc559decb9bfeb79319721d3dfb ] + +The utimes01 and utime06 tests fail when delegated timestamps are +enabled, specifically in subtests that modify the atime and mtime +fields using the 'nobody' user ID. + +The problem can be reproduced as follow: + +# echo "/media *(rw,no_root_squash,sync)" >> /etc/exports +# export -ra +# mount -o rw,nfsvers=4.2 127.0.0.1:/media /tmpdir +# cd /opt/ltp +# ./runltp -d /tmpdir -s utimes01 +# ./runltp -d /tmpdir -s utime06 + +This issue occurs because nfs_setattr does not verify the inode's +UID against the caller's fsuid when delegated timestamps are +permitted for the inode. + +This patch adds the UID check and if it does not match then the +request is sent to the server for permission checking. + +Fixes: e12912d94137 ("NFSv4: Add support for delegated atime and mtime attributes") +Signed-off-by: Dai Ngo +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/inode.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c +index 49df9debb1a69..35bdb49236bac 100644 +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -718,6 +718,8 @@ nfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry, + struct nfs_fattr *fattr; + loff_t oldsize = i_size_read(inode); + int error = 0; ++ kuid_t task_uid = current_fsuid(); ++ kuid_t owner_uid = inode->i_uid; + + nfs_inc_stats(inode, NFSIOS_VFSSETATTR); + +@@ -739,9 +741,11 @@ nfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry, + if (nfs_have_delegated_mtime(inode) && attr->ia_valid & ATTR_MTIME) { + spin_lock(&inode->i_lock); + if (attr->ia_valid & ATTR_MTIME_SET) { +- nfs_set_timestamps_to_ts(inode, attr); +- attr->ia_valid &= ~(ATTR_MTIME|ATTR_MTIME_SET| ++ if (uid_eq(task_uid, owner_uid)) { ++ nfs_set_timestamps_to_ts(inode, attr); ++ attr->ia_valid &= ~(ATTR_MTIME|ATTR_MTIME_SET| + ATTR_ATIME|ATTR_ATIME_SET); ++ } + } else { + nfs_update_timestamps(inode, attr->ia_valid); + attr->ia_valid &= ~(ATTR_MTIME|ATTR_ATIME); +@@ -751,10 +755,12 @@ nfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry, + attr->ia_valid & ATTR_ATIME && + !(attr->ia_valid & ATTR_MTIME)) { + if (attr->ia_valid & ATTR_ATIME_SET) { +- spin_lock(&inode->i_lock); +- nfs_set_timestamps_to_ts(inode, attr); +- spin_unlock(&inode->i_lock); +- attr->ia_valid &= ~(ATTR_ATIME|ATTR_ATIME_SET); ++ if (uid_eq(task_uid, owner_uid)) { ++ spin_lock(&inode->i_lock); ++ nfs_set_timestamps_to_ts(inode, attr); ++ spin_unlock(&inode->i_lock); ++ attr->ia_valid &= ~(ATTR_ATIME|ATTR_ATIME_SET); ++ } + } else { + nfs_update_delegated_atime(inode); + attr->ia_valid &= ~ATTR_ATIME; +-- +2.51.0 + diff --git a/queue-6.17/nfs-sysfs-fix-leak-when-nfs_client-kobject-add-fails.patch b/queue-6.17/nfs-sysfs-fix-leak-when-nfs_client-kobject-add-fails.patch new file mode 100644 index 0000000000..6cee72f47d --- /dev/null +++ b/queue-6.17/nfs-sysfs-fix-leak-when-nfs_client-kobject-add-fails.patch @@ -0,0 +1,37 @@ +From 5f2618ddeb37ed417a37bddb9514c60ddccf1f07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 11:03:25 +0800 +Subject: NFS: sysfs: fix leak when nfs_client kobject add fails + +From: Yang Xiuwei + +[ Upstream commit 7a7a3456520b309a0bffa1d9d62bd6c9dcab89b3 ] + +If adding the second kobject fails, drop both references to avoid sysfs +residue and memory leak. + +Fixes: e96f9268eea6 ("NFS: Make all of /sys/fs/nfs network-namespace unique") + +Signed-off-by: Yang Xiuwei +Reviewed-by: Benjamin Coddington +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/sysfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/nfs/sysfs.c b/fs/nfs/sysfs.c +index 545148d42dcc9..ea6e6168092b2 100644 +--- a/fs/nfs/sysfs.c ++++ b/fs/nfs/sysfs.c +@@ -189,6 +189,7 @@ static struct nfs_netns_client *nfs_netns_client_alloc(struct kobject *parent, + return p; + + kobject_put(&p->kobject); ++ kobject_put(&p->nfs_net_kobj); + } + return NULL; + } +-- +2.51.0 + diff --git a/queue-6.17/nfsv2-v3-fix-error-handling-in-nfs_atomic_open_v23.patch b/queue-6.17/nfsv2-v3-fix-error-handling-in-nfs_atomic_open_v23.patch new file mode 100644 index 0000000000..c43ea3a8f6 --- /dev/null +++ b/queue-6.17/nfsv2-v3-fix-error-handling-in-nfs_atomic_open_v23.patch @@ -0,0 +1,47 @@ +From 5bdecffb4cd3c49f8c851c864ccc391426d69ad4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 17:27:43 -0400 +Subject: NFSv2/v3: Fix error handling in nfs_atomic_open_v23() + +From: Trond Myklebust + +[ Upstream commit 85d2c2392ac6348e1171d627497034a341a250c1 ] + +When nfs_do_create() returns an EEXIST error, it means that a regular +file could not be created. That could mean that a symlink needs to be +resolved. If that's the case, a lookup needs to be kicked off. + +Reported-by: Stephen Abbene +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220710 +Fixes: 7c6c5249f061 ("NFS: add atomic_open for NFSv3 to handle O_TRUNC correctly.") +Signed-off-by: Trond Myklebust +Reviewed-by: NeilBrown +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index c8dd1d0b8d850..82ef36cc9ceec 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -2270,11 +2270,12 @@ int nfs_atomic_open_v23(struct inode *dir, struct dentry *dentry, + return -ENAMETOOLONG; + + if (open_flags & O_CREAT) { +- file->f_mode |= FMODE_CREATED; + error = nfs_do_create(dir, dentry, mode, open_flags); +- if (error) ++ if (!error) { ++ file->f_mode |= FMODE_CREATED; ++ return finish_open(file, dentry, NULL); ++ } else if (error != -EEXIST || open_flags & O_EXCL) + return error; +- return finish_open(file, dentry, NULL); + } + if (d_in_lookup(dentry)) { + /* The only flags nfs_lookup considers are +-- +2.51.0 + diff --git a/queue-6.17/nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch b/queue-6.17/nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch new file mode 100644 index 0000000000..f3ba30df90 --- /dev/null +++ b/queue-6.17/nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch @@ -0,0 +1,56 @@ +From be56ca243a1401eeca455afa3e6c22d108b8b067 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Oct 2025 10:51:42 -0400 +Subject: NFSv4: Fix an incorrect parameter when calling nfs4_call_sync() + +From: Trond Myklebust + +[ Upstream commit 1f214e9c3aef2d0936be971072e991d78a174d71 ] + +The Smatch static checker noted that in _nfs4_proc_lookupp(), the flag +RPC_TASK_TIMEOUT is being passed as an argument to nfs4_init_sequence(), +which is clearly incorrect. +Since LOOKUPP is an idempotent operation, nfs4_init_sequence() should +not ask the server to cache the result. The RPC_TASK_TIMEOUT flag needs +to be passed down to the RPC layer. + +Reported-by: Dan Carpenter +Reported-by: Harshit Mogalapalli +Fixes: 76998ebb9158 ("NFSv4: Observe the NFS_MOUNT_SOFTREVAL flag in _nfs4_proc_lookupp") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index e5fa29dcdd114..a1e95732fd031 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -4715,16 +4715,19 @@ static int _nfs4_proc_lookupp(struct inode *inode, + }; + unsigned short task_flags = 0; + +- if (NFS_SERVER(inode)->flags & NFS_MOUNT_SOFTREVAL) ++ if (server->flags & NFS_MOUNT_SOFTREVAL) + task_flags |= RPC_TASK_TIMEOUT; ++ if (server->caps & NFS_CAP_MOVEABLE) ++ task_flags |= RPC_TASK_MOVEABLE; + + args.bitmask = nfs4_bitmask(server, fattr->label); + + nfs_fattr_init(fattr); ++ nfs4_init_sequence(&args.seq_args, &res.seq_res, 0, 0); + + dprintk("NFS call lookupp ino=0x%lx\n", inode->i_ino); +- status = nfs4_call_sync(clnt, server, &msg, &args.seq_args, +- &res.seq_res, task_flags); ++ status = nfs4_do_call_sync(clnt, server, &msg, &args.seq_args, ++ &res.seq_res, task_flags); + dprintk("NFS reply lookupp: %d\n", status); + return status; + } +-- +2.51.0 + diff --git a/queue-6.17/pnfs-fix-tls-logic-in-_nfs4_pnfs_v3_ds_connect.patch b/queue-6.17/pnfs-fix-tls-logic-in-_nfs4_pnfs_v3_ds_connect.patch new file mode 100644 index 0000000000..27924dff71 --- /dev/null +++ b/queue-6.17/pnfs-fix-tls-logic-in-_nfs4_pnfs_v3_ds_connect.patch @@ -0,0 +1,82 @@ +From 5d07911296ddc076f1b6cd431f791841bcb0edb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Oct 2025 20:10:33 -0400 +Subject: pnfs: Fix TLS logic in _nfs4_pnfs_v3_ds_connect() + +From: Trond Myklebust + +[ Upstream commit 7aca00d950e782e66c34fbd045c9605eca343a36 ] + +Don't try to add an RDMA transport to a client that is already marked as +being a TCP/TLS transport. + +Fixes: 04a15263662a ("pnfs/flexfiles: connect to NFSv3 DS using TLS if MDS connection uses TLS") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/pnfs_nfs.c | 32 ++++++++++++++++++-------------- + 1 file changed, 18 insertions(+), 14 deletions(-) + +diff --git a/fs/nfs/pnfs_nfs.c b/fs/nfs/pnfs_nfs.c +index 7b32afb297827..ff48056bf750e 100644 +--- a/fs/nfs/pnfs_nfs.c ++++ b/fs/nfs/pnfs_nfs.c +@@ -809,8 +809,11 @@ static int _nfs4_pnfs_v3_ds_connect(struct nfs_server *mds_srv, + unsigned int retrans) + { + struct nfs_client *clp = ERR_PTR(-EIO); ++ struct nfs_client *mds_clp = mds_srv->nfs_client; ++ enum xprtsec_policies xprtsec_policy = mds_clp->cl_xprtsec.policy; + struct nfs4_pnfs_ds_addr *da; + unsigned long connect_timeout = timeo * (retrans + 1) * HZ / 10; ++ int ds_proto; + int status = 0; + + dprintk("--> %s DS %s\n", __func__, ds->ds_remotestr); +@@ -834,27 +837,28 @@ static int _nfs4_pnfs_v3_ds_connect(struct nfs_server *mds_srv, + .xprtsec = clp->cl_xprtsec, + }; + +- if (da->da_transport != clp->cl_proto && +- clp->cl_proto != XPRT_TRANSPORT_TCP_TLS) +- continue; +- if (da->da_transport == XPRT_TRANSPORT_TCP && +- mds_srv->nfs_client->cl_proto == XPRT_TRANSPORT_TCP_TLS) ++ if (xprt_args.ident == XPRT_TRANSPORT_TCP && ++ clp->cl_proto == XPRT_TRANSPORT_TCP_TLS) + xprt_args.ident = XPRT_TRANSPORT_TCP_TLS; + +- if (da->da_addr.ss_family != clp->cl_addr.ss_family) ++ if (xprt_args.ident != clp->cl_proto) ++ continue; ++ if (xprt_args.dstaddr->sa_family != ++ clp->cl_addr.ss_family) + continue; + /* Add this address as an alias */ + rpc_clnt_add_xprt(clp->cl_rpcclient, &xprt_args, +- rpc_clnt_test_and_add_xprt, NULL); ++ rpc_clnt_test_and_add_xprt, NULL); + continue; + } +- if (da->da_transport == XPRT_TRANSPORT_TCP && +- mds_srv->nfs_client->cl_proto == XPRT_TRANSPORT_TCP_TLS) +- da->da_transport = XPRT_TRANSPORT_TCP_TLS; +- clp = get_v3_ds_connect(mds_srv, +- &da->da_addr, +- da->da_addrlen, da->da_transport, +- timeo, retrans); ++ ++ ds_proto = da->da_transport; ++ if (ds_proto == XPRT_TRANSPORT_TCP && ++ xprtsec_policy != RPC_XPRTSEC_NONE) ++ ds_proto = XPRT_TRANSPORT_TCP_TLS; ++ ++ clp = get_v3_ds_connect(mds_srv, &da->da_addr, da->da_addrlen, ++ ds_proto, timeo, retrans); + if (IS_ERR(clp)) + continue; + clp->cl_rpcclient->cl_softerr = 0; +-- +2.51.0 + diff --git a/queue-6.17/pnfs-fix-tls-logic-in-_nfs4_pnfs_v4_ds_connect.patch b/queue-6.17/pnfs-fix-tls-logic-in-_nfs4_pnfs_v4_ds_connect.patch new file mode 100644 index 0000000000..eee1af7514 --- /dev/null +++ b/queue-6.17/pnfs-fix-tls-logic-in-_nfs4_pnfs_v4_ds_connect.patch @@ -0,0 +1,97 @@ +From 21cccca1a09c0f8f6e94dc37507f4fa0843622b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Oct 2025 20:10:34 -0400 +Subject: pnfs: Fix TLS logic in _nfs4_pnfs_v4_ds_connect() + +From: Trond Myklebust + +[ Upstream commit 28e19737e1570c7c71890547c2e43c3e0da79df9 ] + +Don't try to add an RDMA transport to a client that is already marked as +being a TCP/TLS transport. + +Fixes: a35518cae4b3 ("NFSv4.1/pnfs: fix NFS with TLS in pnfs") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/pnfs_nfs.c | 34 +++++++++++++++++----------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/fs/nfs/pnfs_nfs.c b/fs/nfs/pnfs_nfs.c +index ff48056bf750e..9976cc16b6890 100644 +--- a/fs/nfs/pnfs_nfs.c ++++ b/fs/nfs/pnfs_nfs.c +@@ -884,7 +884,10 @@ static int _nfs4_pnfs_v4_ds_connect(struct nfs_server *mds_srv, + u32 minor_version) + { + struct nfs_client *clp = ERR_PTR(-EIO); ++ struct nfs_client *mds_clp = mds_srv->nfs_client; ++ enum xprtsec_policies xprtsec_policy = mds_clp->cl_xprtsec.policy; + struct nfs4_pnfs_ds_addr *da; ++ int ds_proto; + int status = 0; + + dprintk("--> %s DS %s\n", __func__, ds->ds_remotestr); +@@ -912,12 +915,8 @@ static int _nfs4_pnfs_v4_ds_connect(struct nfs_server *mds_srv, + .data = &xprtdata, + }; + +- if (da->da_transport != clp->cl_proto && +- clp->cl_proto != XPRT_TRANSPORT_TCP_TLS) +- continue; +- if (da->da_transport == XPRT_TRANSPORT_TCP && +- mds_srv->nfs_client->cl_proto == +- XPRT_TRANSPORT_TCP_TLS) { ++ if (xprt_args.ident == XPRT_TRANSPORT_TCP && ++ clp->cl_proto == XPRT_TRANSPORT_TCP_TLS) { + struct sockaddr *addr = + (struct sockaddr *)&da->da_addr; + struct sockaddr_in *sin = +@@ -948,7 +947,10 @@ static int _nfs4_pnfs_v4_ds_connect(struct nfs_server *mds_srv, + xprt_args.ident = XPRT_TRANSPORT_TCP_TLS; + xprt_args.servername = servername; + } +- if (da->da_addr.ss_family != clp->cl_addr.ss_family) ++ if (xprt_args.ident != clp->cl_proto) ++ continue; ++ if (xprt_args.dstaddr->sa_family != ++ clp->cl_addr.ss_family) + continue; + + /** +@@ -962,15 +964,14 @@ static int _nfs4_pnfs_v4_ds_connect(struct nfs_server *mds_srv, + if (xprtdata.cred) + put_cred(xprtdata.cred); + } else { +- if (da->da_transport == XPRT_TRANSPORT_TCP && +- mds_srv->nfs_client->cl_proto == +- XPRT_TRANSPORT_TCP_TLS) +- da->da_transport = XPRT_TRANSPORT_TCP_TLS; +- clp = nfs4_set_ds_client(mds_srv, +- &da->da_addr, +- da->da_addrlen, +- da->da_transport, timeo, +- retrans, minor_version); ++ ds_proto = da->da_transport; ++ if (ds_proto == XPRT_TRANSPORT_TCP && ++ xprtsec_policy != RPC_XPRTSEC_NONE) ++ ds_proto = XPRT_TRANSPORT_TCP_TLS; ++ ++ clp = nfs4_set_ds_client(mds_srv, &da->da_addr, ++ da->da_addrlen, ds_proto, ++ timeo, retrans, minor_version); + if (IS_ERR(clp)) + continue; + +@@ -981,7 +982,6 @@ static int _nfs4_pnfs_v4_ds_connect(struct nfs_server *mds_srv, + clp = ERR_PTR(-EIO); + continue; + } +- + } + } + +-- +2.51.0 + diff --git a/queue-6.17/pnfs-set-transport-security-policy-to-rpc_xprtsec_no.patch b/queue-6.17/pnfs-set-transport-security-policy-to-rpc_xprtsec_no.patch new file mode 100644 index 0000000000..455a5d0354 --- /dev/null +++ b/queue-6.17/pnfs-set-transport-security-policy-to-rpc_xprtsec_no.patch @@ -0,0 +1,109 @@ +From 5b263a29ddf546096661948f15626aed52b88f52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Oct 2025 20:10:35 -0400 +Subject: pnfs: Set transport security policy to RPC_XPRTSEC_NONE unless using + TLS + +From: Trond Myklebust + +[ Upstream commit 8ab523ce78d4ca13add6b4ecbacff0f84c274603 ] + +The default setting for the transport security policy must be +RPC_XPRTSEC_NONE, when using a TCP or RDMA connection without TLS. +Conversely, when using TLS, the security policy needs to be set. + +Fixes: 6c0a8c5fcf71 ("NFS: Have struct nfs_client carry a TLS policy field") +Signed-off-by: Trond Myklebust +Reviewed-by: Chuck Lever +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs3client.c | 14 ++++++++++++-- + fs/nfs/nfs4client.c | 14 ++++++++++++-- + 2 files changed, 24 insertions(+), 4 deletions(-) + +diff --git a/fs/nfs/nfs3client.c b/fs/nfs/nfs3client.c +index 0d7310c1ee0c0..5d97c1d38bb62 100644 +--- a/fs/nfs/nfs3client.c ++++ b/fs/nfs/nfs3client.c +@@ -2,6 +2,7 @@ + #include + #include + #include ++#include + #include "internal.h" + #include "nfs3_fs.h" + #include "netns.h" +@@ -98,7 +99,11 @@ struct nfs_client *nfs3_set_ds_client(struct nfs_server *mds_srv, + .net = mds_clp->cl_net, + .timeparms = &ds_timeout, + .cred = mds_srv->cred, +- .xprtsec = mds_clp->cl_xprtsec, ++ .xprtsec = { ++ .policy = RPC_XPRTSEC_NONE, ++ .cert_serial = TLS_NO_CERT, ++ .privkey_serial = TLS_NO_PRIVKEY, ++ }, + .connect_timeout = connect_timeout, + .reconnect_timeout = connect_timeout, + }; +@@ -111,9 +116,14 @@ struct nfs_client *nfs3_set_ds_client(struct nfs_server *mds_srv, + cl_init.hostname = buf; + + switch (ds_proto) { ++ case XPRT_TRANSPORT_TCP_TLS: ++ if (mds_clp->cl_xprtsec.policy != RPC_XPRTSEC_NONE) ++ cl_init.xprtsec = mds_clp->cl_xprtsec; ++ else ++ ds_proto = XPRT_TRANSPORT_TCP; ++ fallthrough; + case XPRT_TRANSPORT_RDMA: + case XPRT_TRANSPORT_TCP: +- case XPRT_TRANSPORT_TCP_TLS: + if (mds_clp->cl_nconnect > 1) + cl_init.nconnect = mds_clp->cl_nconnect; + } +diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c +index 5998d6bd8a4f4..3a4baed993c96 100644 +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include "internal.h" + #include "callback.h" + #include "delegation.h" +@@ -983,7 +984,11 @@ struct nfs_client *nfs4_set_ds_client(struct nfs_server *mds_srv, + .net = mds_clp->cl_net, + .timeparms = &ds_timeout, + .cred = mds_srv->cred, +- .xprtsec = mds_srv->nfs_client->cl_xprtsec, ++ .xprtsec = { ++ .policy = RPC_XPRTSEC_NONE, ++ .cert_serial = TLS_NO_CERT, ++ .privkey_serial = TLS_NO_PRIVKEY, ++ }, + }; + char buf[INET6_ADDRSTRLEN + 1]; + +@@ -992,9 +997,14 @@ struct nfs_client *nfs4_set_ds_client(struct nfs_server *mds_srv, + cl_init.hostname = buf; + + switch (ds_proto) { ++ case XPRT_TRANSPORT_TCP_TLS: ++ if (mds_srv->nfs_client->cl_xprtsec.policy != RPC_XPRTSEC_NONE) ++ cl_init.xprtsec = mds_srv->nfs_client->cl_xprtsec; ++ else ++ ds_proto = XPRT_TRANSPORT_TCP; ++ fallthrough; + case XPRT_TRANSPORT_RDMA: + case XPRT_TRANSPORT_TCP: +- case XPRT_TRANSPORT_TCP_TLS: + if (mds_clp->cl_nconnect > 1) { + cl_init.nconnect = mds_clp->cl_nconnect; + cl_init.max_connect = NFS_MAX_TRANSPORTS; +-- +2.51.0 + diff --git a/queue-6.17/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch b/queue-6.17/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch new file mode 100644 index 0000000000..0b1c3104fe --- /dev/null +++ b/queue-6.17/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch @@ -0,0 +1,42 @@ +From 3bab930a3eb8fe848bddbaa60c37a47c523b1c4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 01:28:28 +0800 +Subject: regulator: fixed: fix GPIO descriptor leak on register failure + +From: Haotian Zhang + +[ Upstream commit 636f4618b1cd96f6b5a2b8c7c4f665c8533ecf13 ] + +In the commit referenced by the Fixes tag, +devm_gpiod_get_optional() was replaced by manual +GPIO management, relying on the regulator core to release the +GPIO descriptor. However, this approach does not account for the +error path: when regulator registration fails, the core never +takes over the GPIO, resulting in a resource leak. + +Add gpiod_put() before returning on regulator registration failure. + +Fixes: 5e6f3ae5c13b ("regulator: fixed: Let core handle GPIO descriptor") +Signed-off-by: Haotian Zhang +Link: https://patch.msgid.link/20251028172828.625-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/fixed.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/regulator/fixed.c b/drivers/regulator/fixed.c +index 1cb647ed70c62..a2d16e9abfb58 100644 +--- a/drivers/regulator/fixed.c ++++ b/drivers/regulator/fixed.c +@@ -334,6 +334,7 @@ static int reg_fixed_voltage_probe(struct platform_device *pdev) + ret = dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev), + "Failed to register regulator: %ld\n", + PTR_ERR(drvdata->dev)); ++ gpiod_put(cfg.ena_gpiod); + return ret; + } + +-- +2.51.0 + diff --git a/queue-6.17/series b/queue-6.17/series index c20ea3f45d..bce04e6e55 100644 --- a/queue-6.17/series +++ b/queue-6.17/series @@ -92,3 +92,26 @@ acpi-cppc-limit-perf-ctrs-in-pcc-check-only-to-onlin.patch cpufreq-intel_pstate-check-ida-only-before-msr_ia32_.patch bluetooth-l2cap-export-l2cap_chan_hold-for-modules.patch netfilter-nft_ct-add-seqadj-extension-for-natted-con.patch +io_uring-rsrc-don-t-use-blk_rq_nr_phys_segments-as-n.patch +acpi-srat-fix-incorrect-device-handle-check-for-gene.patch +regulator-fixed-fix-gpio-descriptor-leak-on-register.patch +asoc-cs4271-fix-regulator-leak-on-probe-failure.patch +asoc-codecs-va-macro-fix-resource-leak-in-probe-erro.patch +drm-vmwgfx-validate-command-header-size-against-svga.patch +drm-vmwgfx-restore-guest-backed-only-cursor-plane-su.patch +asoc-tas2781-fix-getting-the-wrong-device-number.patch +drm-panthor-flush-shmem-writes-before-mapping-buffer.patch +pnfs-fix-tls-logic-in-_nfs4_pnfs_v3_ds_connect.patch +pnfs-fix-tls-logic-in-_nfs4_pnfs_v4_ds_connect.patch +pnfs-set-transport-security-policy-to-rpc_xprtsec_no.patch +nfs-check-the-tls-certificate-fields-in-nfs_match_cl.patch +simplify-nfs_atomic_open_v23.patch +nfsv2-v3-fix-error-handling-in-nfs_atomic_open_v23.patch +nfs-sysfs-fix-leak-when-nfs_client-kobject-add-fails.patch +nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch +nfs-fix-ltp-test-failures-when-timestamps-are-delega.patch +alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch +drm-amd-amdgpu-ensure-isp_kernel_buffer_alloc-create.patch +acpi-hmat-fix-lockdep-warning-for-hmem_register_reso.patch +asoc-rsnd-fix-of-node-reference-leak-in-rsnd_ssiu_pr.patch +drm-client-fix-module_parm_desc-string-for-active.patch diff --git a/queue-6.17/simplify-nfs_atomic_open_v23.patch b/queue-6.17/simplify-nfs_atomic_open_v23.patch new file mode 100644 index 0000000000..4008e89c98 --- /dev/null +++ b/queue-6.17/simplify-nfs_atomic_open_v23.patch @@ -0,0 +1,63 @@ +From a80b2e05dec0a405dcdf93493adf30187fb5a29f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Sep 2025 11:52:41 -0400 +Subject: simplify nfs_atomic_open_v23() + +From: Al Viro + +[ Upstream commit aae9db5739164353fa1894db000fabad940a835b ] + +1) finish_no_open() takes ERR_PTR() as dentry now. +2) caller of ->atomic_open() will call d_lookup_done() itself, no +need to do it here. + +Reviewed-by: NeilBrown +Signed-off-by: Al Viro +Stable-dep-of: 85d2c2392ac6 ("NFSv2/v3: Fix error handling in nfs_atomic_open_v23()") +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index d812179239362..c8dd1d0b8d850 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -2260,7 +2260,7 @@ int nfs_atomic_open_v23(struct inode *dir, struct dentry *dentry, + struct file *file, unsigned int open_flags, + umode_t mode) + { +- ++ struct dentry *res = NULL; + /* Same as look+open from lookup_open(), but with different O_TRUNC + * handling. + */ +@@ -2275,21 +2275,15 @@ int nfs_atomic_open_v23(struct inode *dir, struct dentry *dentry, + if (error) + return error; + return finish_open(file, dentry, NULL); +- } else if (d_in_lookup(dentry)) { ++ } ++ if (d_in_lookup(dentry)) { + /* The only flags nfs_lookup considers are + * LOOKUP_EXCL and LOOKUP_RENAME_TARGET, and + * we want those to be zero so the lookup isn't skipped. + */ +- struct dentry *res = nfs_lookup(dir, dentry, 0); +- +- d_lookup_done(dentry); +- if (unlikely(res)) { +- if (IS_ERR(res)) +- return PTR_ERR(res); +- return finish_no_open(file, res); +- } ++ res = nfs_lookup(dir, dentry, 0); + } +- return finish_no_open(file, NULL); ++ return finish_no_open(file, res); + + } + EXPORT_SYMBOL_GPL(nfs_atomic_open_v23); +-- +2.51.0 + diff --git a/queue-6.6/acpi-break-out-nesting-for-hmat_parse_locality.patch b/queue-6.6/acpi-break-out-nesting-for-hmat_parse_locality.patch new file mode 100644 index 0000000000..6abb5b8bfd --- /dev/null +++ b/queue-6.6/acpi-break-out-nesting-for-hmat_parse_locality.patch @@ -0,0 +1,81 @@ +From d89f8fd2a5c761c29a00b6301aeb36a59d22c179 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Dec 2023 15:02:55 -0700 +Subject: acpi: Break out nesting for hmat_parse_locality() + +From: Dave Jiang + +[ Upstream commit 79205651120620c2683f90c25ef3d2ac8e454026 ] + +Refactor hmat_parse_locality() to break up the deep nesting of the +function. + +Suggested-by: Jonathan Cameron +Reviewed-by: Jonathan Cameron +Signed-off-by: Dave Jiang +Acked-by: Rafael J. Wysocki +Link: https://lore.kernel.org/r/170319617537.2212653.10625501075519862509.stgit@djiang5-mobl3 +Signed-off-by: Dan Williams +Stable-dep-of: 214291cbaace ("acpi/hmat: Fix lockdep warning for hmem_register_resource()") +Signed-off-by: Sasha Levin +--- + drivers/acpi/numa/hmat.c | 32 ++++++++++++++++++++------------ + 1 file changed, 20 insertions(+), 12 deletions(-) + +diff --git a/drivers/acpi/numa/hmat.c b/drivers/acpi/numa/hmat.c +index 21722cbec324d..4cae2e84251a2 100644 +--- a/drivers/acpi/numa/hmat.c ++++ b/drivers/acpi/numa/hmat.c +@@ -322,11 +322,28 @@ static __init void hmat_add_locality(struct acpi_hmat_locality *hmat_loc) + } + } + ++static __init void hmat_update_target(unsigned int tgt_pxm, unsigned int init_pxm, ++ u8 mem_hier, u8 type, u32 value) ++{ ++ struct memory_target *target = find_mem_target(tgt_pxm); ++ ++ if (mem_hier != ACPI_HMAT_MEMORY) ++ return; ++ ++ if (target && target->processor_pxm == init_pxm) { ++ hmat_update_target_access(target, type, value, ++ NODE_ACCESS_CLASS_0); ++ /* If the node has a CPU, update access 1 */ ++ if (node_state(pxm_to_node(init_pxm), N_CPU)) ++ hmat_update_target_access(target, type, value, ++ NODE_ACCESS_CLASS_1); ++ } ++} ++ + static __init int hmat_parse_locality(union acpi_subtable_headers *header, + const unsigned long end) + { + struct acpi_hmat_locality *hmat_loc = (void *)header; +- struct memory_target *target; + unsigned int init, targ, total_size, ipds, tpds; + u32 *inits, *targs, value; + u16 *entries; +@@ -367,17 +384,8 @@ static __init int hmat_parse_locality(union acpi_subtable_headers *header, + inits[init], targs[targ], value, + hmat_data_type_suffix(type)); + +- if (mem_hier == ACPI_HMAT_MEMORY) { +- target = find_mem_target(targs[targ]); +- if (target && target->processor_pxm == inits[init]) { +- hmat_update_target_access(target, type, value, +- NODE_ACCESS_CLASS_0); +- /* If the node has a CPU, update access 1 */ +- if (node_state(pxm_to_node(inits[init]), N_CPU)) +- hmat_update_target_access(target, type, value, +- NODE_ACCESS_CLASS_1); +- } +- } ++ hmat_update_target(targs[targ], inits[init], ++ mem_hier, type, value); + } + } + +-- +2.51.0 + diff --git a/queue-6.6/acpi-hmat-calculate-abstract-distance-with-hmat.patch b/queue-6.6/acpi-hmat-calculate-abstract-distance-with-hmat.patch new file mode 100644 index 0000000000..ad0ef96458 --- /dev/null +++ b/queue-6.6/acpi-hmat-calculate-abstract-distance-with-hmat.patch @@ -0,0 +1,320 @@ +From 2e400db32d0cb98f61b06f8d3c4b52cc2b3351fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Sep 2023 14:06:27 +0800 +Subject: acpi, hmat: calculate abstract distance with HMAT + +From: Huang Ying + +[ Upstream commit 3718c02dbd4c88d47b5af003acdb3d1112604ea3 ] + +A memory tiering abstract distance calculation algorithm based on ACPI +HMAT is implemented. The basic idea is as follows. + +The performance attributes of system default DRAM nodes are recorded as +the base line. Whose abstract distance is MEMTIER_ADISTANCE_DRAM. Then, +the ratio of the abstract distance of a memory node (target) to +MEMTIER_ADISTANCE_DRAM is scaled based on the ratio of the performance +attributes of the node to that of the default DRAM nodes. + +The functions to record the read/write latency/bandwidth of the default +DRAM nodes and calculate abstract distance according to read/write +latency/bandwidth ratio will be used by CXL CDAT (Coherent Device +Attribute Table) and other memory device drivers. So, they are put in +memory-tiers.c. + +Link: https://lkml.kernel.org/r/20230926060628.265989-4-ying.huang@intel.com +Signed-off-by: "Huang, Ying" +Tested-by: Bharata B Rao +Reviewed-by: Dave Jiang +Reviewed-by: Alistair Popple +Cc: Aneesh Kumar K.V +Cc: Wei Xu +Cc: Dan Williams +Cc: Dave Hansen +Cc: Davidlohr Bueso +Cc: Johannes Weiner +Cc: Jonathan Cameron +Cc: Michal Hocko +Cc: Yang Shi +Cc: Rafael J Wysocki +Signed-off-by: Andrew Morton +Stable-dep-of: 214291cbaace ("acpi/hmat: Fix lockdep warning for hmem_register_resource()") +Signed-off-by: Sasha Levin +--- + drivers/acpi/numa/hmat.c | 65 +++++++++++++++++++++- + include/linux/memory-tiers.h | 18 ++++++ + mm/memory-tiers.c | 103 ++++++++++++++++++++++++++++++++++- + 3 files changed, 183 insertions(+), 3 deletions(-) + +diff --git a/drivers/acpi/numa/hmat.c b/drivers/acpi/numa/hmat.c +index 2dee0098f1a97..9ef5f1bdcfdbc 100644 +--- a/drivers/acpi/numa/hmat.c ++++ b/drivers/acpi/numa/hmat.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + + static u8 hmat_revision; + static int hmat_disable __initdata; +@@ -759,6 +760,61 @@ static int hmat_callback(struct notifier_block *self, + return NOTIFY_OK; + } + ++static int hmat_set_default_dram_perf(void) ++{ ++ int rc; ++ int nid, pxm; ++ struct memory_target *target; ++ struct node_hmem_attrs *attrs; ++ ++ if (!default_dram_type) ++ return -EIO; ++ ++ for_each_node_mask(nid, default_dram_type->nodes) { ++ pxm = node_to_pxm(nid); ++ target = find_mem_target(pxm); ++ if (!target) ++ continue; ++ attrs = &target->hmem_attrs[1]; ++ rc = mt_set_default_dram_perf(nid, attrs, "ACPI HMAT"); ++ if (rc) ++ return rc; ++ } ++ ++ return 0; ++} ++ ++static int hmat_calculate_adistance(struct notifier_block *self, ++ unsigned long nid, void *data) ++{ ++ static DECLARE_BITMAP(p_nodes, MAX_NUMNODES); ++ struct memory_target *target; ++ struct node_hmem_attrs *perf; ++ int *adist = data; ++ int pxm; ++ ++ pxm = node_to_pxm(nid); ++ target = find_mem_target(pxm); ++ if (!target) ++ return NOTIFY_OK; ++ ++ mutex_lock(&target_lock); ++ hmat_update_target_attrs(target, p_nodes, 1); ++ mutex_unlock(&target_lock); ++ ++ perf = &target->hmem_attrs[1]; ++ ++ if (mt_perf_to_adistance(perf, adist)) ++ return NOTIFY_OK; ++ ++ return NOTIFY_STOP; ++} ++ ++static struct notifier_block hmat_adist_nb __meminitdata = { ++ .notifier_call = hmat_calculate_adistance, ++ .priority = 100, ++}; ++ + static __init void hmat_free_structures(void) + { + struct memory_target *target, *tnext; +@@ -841,8 +897,13 @@ static __init int hmat_init(void) + hmat_register_targets(); + + /* Keep the table and structures if the notifier may use them */ +- if (!hotplug_memory_notifier(hmat_callback, HMAT_CALLBACK_PRI)) +- return 0; ++ if (hotplug_memory_notifier(hmat_callback, HMAT_CALLBACK_PRI)) ++ goto out_put; ++ ++ if (!hmat_set_default_dram_perf()) ++ register_mt_adistance_algorithm(&hmat_adist_nb); ++ ++ return 0; + out_put: + hmat_free_structures(); + acpi_put_table(tbl); +diff --git a/include/linux/memory-tiers.h b/include/linux/memory-tiers.h +index c8382220cced9..9d27ca3b143e6 100644 +--- a/include/linux/memory-tiers.h ++++ b/include/linux/memory-tiers.h +@@ -31,8 +31,11 @@ struct memory_dev_type { + struct kref kref; + }; + ++struct node_hmem_attrs; ++ + #ifdef CONFIG_NUMA + extern bool numa_demotion_enabled; ++extern struct memory_dev_type *default_dram_type; + struct memory_dev_type *alloc_memory_type(int adistance); + void put_memory_type(struct memory_dev_type *memtype); + void init_node_memory_type(int node, struct memory_dev_type *default_type); +@@ -40,6 +43,9 @@ void clear_node_memory_type(int node, struct memory_dev_type *memtype); + int register_mt_adistance_algorithm(struct notifier_block *nb); + int unregister_mt_adistance_algorithm(struct notifier_block *nb); + int mt_calc_adistance(int node, int *adist); ++int mt_set_default_dram_perf(int nid, struct node_hmem_attrs *perf, ++ const char *source); ++int mt_perf_to_adistance(struct node_hmem_attrs *perf, int *adist); + #ifdef CONFIG_MIGRATION + int next_demotion_node(int node); + void node_get_allowed_targets(pg_data_t *pgdat, nodemask_t *targets); +@@ -64,6 +70,7 @@ static inline bool node_is_toptier(int node) + #else + + #define numa_demotion_enabled false ++#define default_dram_type NULL + /* + * CONFIG_NUMA implementation returns non NULL error. + */ +@@ -116,5 +123,16 @@ static inline int mt_calc_adistance(int node, int *adist) + { + return NOTIFY_DONE; + } ++ ++static inline int mt_set_default_dram_perf(int nid, struct node_hmem_attrs *perf, ++ const char *source) ++{ ++ return -EIO; ++} ++ ++static inline int mt_perf_to_adistance(struct node_hmem_attrs *perf, int *adist) ++{ ++ return -EIO; ++} + #endif /* CONFIG_NUMA */ + #endif /* _LINUX_MEMORY_TIERS_H */ +diff --git a/mm/memory-tiers.c b/mm/memory-tiers.c +index 76c0ad47a5ad3..fa1a8b418f9a8 100644 +--- a/mm/memory-tiers.c ++++ b/mm/memory-tiers.c +@@ -37,7 +37,7 @@ struct node_memory_type_map { + static DEFINE_MUTEX(memory_tier_lock); + static LIST_HEAD(memory_tiers); + static struct node_memory_type_map node_memory_types[MAX_NUMNODES]; +-static struct memory_dev_type *default_dram_type; ++struct memory_dev_type *default_dram_type; + + static struct bus_type memory_tier_subsys = { + .name = "memory_tiering", +@@ -108,6 +108,11 @@ static struct demotion_nodes *node_demotion __read_mostly; + + static BLOCKING_NOTIFIER_HEAD(mt_adistance_algorithms); + ++static bool default_dram_perf_error; ++static struct node_hmem_attrs default_dram_perf; ++static int default_dram_perf_ref_nid = NUMA_NO_NODE; ++static const char *default_dram_perf_ref_source; ++ + static inline struct memory_tier *to_memory_tier(struct device *device) + { + return container_of(device, struct memory_tier, dev); +@@ -595,6 +600,102 @@ void clear_node_memory_type(int node, struct memory_dev_type *memtype) + } + EXPORT_SYMBOL_GPL(clear_node_memory_type); + ++static void dump_hmem_attrs(struct node_hmem_attrs *attrs, const char *prefix) ++{ ++ pr_info( ++"%sread_latency: %u, write_latency: %u, read_bandwidth: %u, write_bandwidth: %u\n", ++ prefix, attrs->read_latency, attrs->write_latency, ++ attrs->read_bandwidth, attrs->write_bandwidth); ++} ++ ++int mt_set_default_dram_perf(int nid, struct node_hmem_attrs *perf, ++ const char *source) ++{ ++ int rc = 0; ++ ++ mutex_lock(&memory_tier_lock); ++ if (default_dram_perf_error) { ++ rc = -EIO; ++ goto out; ++ } ++ ++ if (perf->read_latency + perf->write_latency == 0 || ++ perf->read_bandwidth + perf->write_bandwidth == 0) { ++ rc = -EINVAL; ++ goto out; ++ } ++ ++ if (default_dram_perf_ref_nid == NUMA_NO_NODE) { ++ default_dram_perf = *perf; ++ default_dram_perf_ref_nid = nid; ++ default_dram_perf_ref_source = kstrdup(source, GFP_KERNEL); ++ goto out; ++ } ++ ++ /* ++ * The performance of all default DRAM nodes is expected to be ++ * same (that is, the variation is less than 10%). And it ++ * will be used as base to calculate the abstract distance of ++ * other memory nodes. ++ */ ++ if (abs(perf->read_latency - default_dram_perf.read_latency) * 10 > ++ default_dram_perf.read_latency || ++ abs(perf->write_latency - default_dram_perf.write_latency) * 10 > ++ default_dram_perf.write_latency || ++ abs(perf->read_bandwidth - default_dram_perf.read_bandwidth) * 10 > ++ default_dram_perf.read_bandwidth || ++ abs(perf->write_bandwidth - default_dram_perf.write_bandwidth) * 10 > ++ default_dram_perf.write_bandwidth) { ++ pr_info( ++"memory-tiers: the performance of DRAM node %d mismatches that of the reference\n" ++"DRAM node %d.\n", nid, default_dram_perf_ref_nid); ++ pr_info(" performance of reference DRAM node %d:\n", ++ default_dram_perf_ref_nid); ++ dump_hmem_attrs(&default_dram_perf, " "); ++ pr_info(" performance of DRAM node %d:\n", nid); ++ dump_hmem_attrs(perf, " "); ++ pr_info( ++" disable default DRAM node performance based abstract distance algorithm.\n"); ++ default_dram_perf_error = true; ++ rc = -EINVAL; ++ } ++ ++out: ++ mutex_unlock(&memory_tier_lock); ++ return rc; ++} ++ ++int mt_perf_to_adistance(struct node_hmem_attrs *perf, int *adist) ++{ ++ if (default_dram_perf_error) ++ return -EIO; ++ ++ if (default_dram_perf_ref_nid == NUMA_NO_NODE) ++ return -ENOENT; ++ ++ if (perf->read_latency + perf->write_latency == 0 || ++ perf->read_bandwidth + perf->write_bandwidth == 0) ++ return -EINVAL; ++ ++ mutex_lock(&memory_tier_lock); ++ /* ++ * The abstract distance of a memory node is in direct proportion to ++ * its memory latency (read + write) and inversely proportional to its ++ * memory bandwidth (read + write). The abstract distance, memory ++ * latency, and memory bandwidth of the default DRAM nodes are used as ++ * the base. ++ */ ++ *adist = MEMTIER_ADISTANCE_DRAM * ++ (perf->read_latency + perf->write_latency) / ++ (default_dram_perf.read_latency + default_dram_perf.write_latency) * ++ (default_dram_perf.read_bandwidth + default_dram_perf.write_bandwidth) / ++ (perf->read_bandwidth + perf->write_bandwidth); ++ mutex_unlock(&memory_tier_lock); ++ ++ return 0; ++} ++EXPORT_SYMBOL_GPL(mt_perf_to_adistance); ++ + /** + * register_mt_adistance_algorithm() - Register memory tiering abstract distance algorithm + * @nb: The notifier block which describe the algorithm +-- +2.51.0 + diff --git a/queue-6.6/acpi-hmat-fix-lockdep-warning-for-hmem_register_reso.patch b/queue-6.6/acpi-hmat-fix-lockdep-warning-for-hmem_register_reso.patch new file mode 100644 index 0000000000..4dd410f802 --- /dev/null +++ b/queue-6.6/acpi-hmat-fix-lockdep-warning-for-hmem_register_reso.patch @@ -0,0 +1,135 @@ +From 03663e481c9379ccd1b6653aecef4c0e06f11984 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 16:51:15 -0700 +Subject: acpi/hmat: Fix lockdep warning for hmem_register_resource() + +From: Dave Jiang + +[ Upstream commit 214291cbaaceeb28debd773336642b1fca393ae0 ] + +The following lockdep splat was observed while kernel auto-online a CXL +memory region: + +====================================================== +WARNING: possible circular locking dependency detected +6.17.0djtest+ #53 Tainted: G W +------------------------------------------------------ +systemd-udevd/3334 is trying to acquire lock: +ffffffff90346188 (hmem_resource_lock){+.+.}-{4:4}, at: hmem_register_resource+0x31/0x50 + +but task is already holding lock: +ffffffff90338890 ((node_chain).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x2e/0x70 + +which lock already depends on the new lock. +[..] +Chain exists of: + hmem_resource_lock --> mem_hotplug_lock --> (node_chain).rwsem + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + rlock((node_chain).rwsem); + lock(mem_hotplug_lock); + lock((node_chain).rwsem); + lock(hmem_resource_lock); + +The lock ordering can cause potential deadlock. There are instances +where hmem_resource_lock is taken after (node_chain).rwsem, and vice +versa. + +Split out the target update section of hmat_register_target() so that +hmat_callback() only envokes that section instead of attempt to register +hmem devices that it does not need to. + +[ dj: Fix up comment to be closer to 80cols. (Jonathan) ] + +Fixes: cf8741ac57ed ("ACPI: NUMA: HMAT: Register "soft reserved" memory as an "hmem" device") +Reviewed-by: Jonathan Cameron +Tested-by: Smita Koralahalli +Reviewed-by: Smita Koralahalli +Reviewed-by: Dan Williams +Link: https://patch.msgid.link/20251105235115.85062-3-dave.jiang@intel.com +Signed-off-by: Dave Jiang +Signed-off-by: Sasha Levin +--- + drivers/acpi/numa/hmat.c | 46 ++++++++++++++++++++++------------------ + 1 file changed, 25 insertions(+), 21 deletions(-) + +diff --git a/drivers/acpi/numa/hmat.c b/drivers/acpi/numa/hmat.c +index 570be52c8d90a..ea620ebd0c7c1 100644 +--- a/drivers/acpi/numa/hmat.c ++++ b/drivers/acpi/numa/hmat.c +@@ -780,10 +780,32 @@ static void hmat_register_target_devices(struct memory_target *target) + } + } + +-static void hmat_register_target(struct memory_target *target) ++static void hmat_hotplug_target(struct memory_target *target) + { + int nid = pxm_to_node(target->memory_pxm); + ++ /* ++ * Skip offline nodes. This can happen when memory marked EFI_MEMORY_SP, ++ * "specific purpose", is applied to all the memory in a proximity ++ * domain leading to * the node being marked offline / unplugged, or if ++ * memory-only "hotplug" node is offline. ++ */ ++ if (nid == NUMA_NO_NODE || !node_online(nid)) ++ return; ++ ++ guard(mutex)(&target_lock); ++ if (target->registered) ++ return; ++ ++ hmat_register_target_initiators(target); ++ hmat_register_target_cache(target); ++ hmat_register_target_perf(target, ACCESS_COORDINATE_LOCAL); ++ hmat_register_target_perf(target, ACCESS_COORDINATE_CPU); ++ target->registered = true; ++} ++ ++static void hmat_register_target(struct memory_target *target) ++{ + /* + * Devices may belong to either an offline or online + * node, so unconditionally add them. +@@ -801,25 +823,7 @@ static void hmat_register_target(struct memory_target *target) + } + mutex_unlock(&target_lock); + +- /* +- * Skip offline nodes. This can happen when memory +- * marked EFI_MEMORY_SP, "specific purpose", is applied +- * to all the memory in a proximity domain leading to +- * the node being marked offline / unplugged, or if +- * memory-only "hotplug" node is offline. +- */ +- if (nid == NUMA_NO_NODE || !node_online(nid)) +- return; +- +- mutex_lock(&target_lock); +- if (!target->registered) { +- hmat_register_target_initiators(target); +- hmat_register_target_cache(target); +- hmat_register_target_perf(target, ACCESS_COORDINATE_LOCAL); +- hmat_register_target_perf(target, ACCESS_COORDINATE_CPU); +- target->registered = true; +- } +- mutex_unlock(&target_lock); ++ hmat_hotplug_target(target); + } + + static void hmat_register_targets(void) +@@ -845,7 +849,7 @@ static int hmat_callback(struct notifier_block *self, + if (!target) + return NOTIFY_OK; + +- hmat_register_target(target); ++ hmat_hotplug_target(target); + return NOTIFY_OK; + } + +-- +2.51.0 + diff --git a/queue-6.6/acpi-hmat-refactor-hmat_register_target_initiators.patch b/queue-6.6/acpi-hmat-refactor-hmat_register_target_initiators.patch new file mode 100644 index 0000000000..2bdc35a793 --- /dev/null +++ b/queue-6.6/acpi-hmat-refactor-hmat_register_target_initiators.patch @@ -0,0 +1,180 @@ +From bb1b69535253f053d635c9b218ff619f8c07fb9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Sep 2023 14:06:26 +0800 +Subject: acpi, hmat: refactor hmat_register_target_initiators() + +From: Huang Ying + +[ Upstream commit d0376aac59a166cd7bd9d1a9768e31e71002631b ] + +Previously, in hmat_register_target_initiators(), the performance +attributes are calculated and the corresponding sysfs links and files are +created too. Which is called during memory onlining. + +But now, to calculate the abstract distance of a memory target before +memory onlining, we need to calculate the performance attributes for a +memory target without creating sysfs links and files. + +To do that, hmat_register_target_initiators() is refactored to make it +possible to calculate performance attributes separately. + +Link: https://lkml.kernel.org/r/20230926060628.265989-3-ying.huang@intel.com +Signed-off-by: "Huang, Ying" +Reviewed-by: Alistair Popple +Tested-by: Alistair Popple +Tested-by: Bharata B Rao +Reviewed-by: Dave Jiang +Cc: Aneesh Kumar K.V +Cc: Wei Xu +Cc: Dan Williams +Cc: Dave Hansen +Cc: Davidlohr Bueso +Cc: Johannes Weiner +Cc: Jonathan Cameron +Cc: Michal Hocko +Cc: Yang Shi +Cc: Rafael J Wysocki +Signed-off-by: Andrew Morton +Stable-dep-of: 214291cbaace ("acpi/hmat: Fix lockdep warning for hmem_register_resource()") +Signed-off-by: Sasha Levin +--- + drivers/acpi/numa/hmat.c | 81 +++++++++++++++------------------------- + 1 file changed, 30 insertions(+), 51 deletions(-) + +diff --git a/drivers/acpi/numa/hmat.c b/drivers/acpi/numa/hmat.c +index bba268ecd802f..2dee0098f1a97 100644 +--- a/drivers/acpi/numa/hmat.c ++++ b/drivers/acpi/numa/hmat.c +@@ -582,28 +582,25 @@ static int initiators_to_nodemask(unsigned long *p_nodes) + return 0; + } + +-static void hmat_register_target_initiators(struct memory_target *target) ++static void hmat_update_target_attrs(struct memory_target *target, ++ unsigned long *p_nodes, int access) + { +- static DECLARE_BITMAP(p_nodes, MAX_NUMNODES); + struct memory_initiator *initiator; +- unsigned int mem_nid, cpu_nid; ++ unsigned int cpu_nid; + struct memory_locality *loc = NULL; + u32 best = 0; +- bool access0done = false; + int i; + +- mem_nid = pxm_to_node(target->memory_pxm); ++ bitmap_zero(p_nodes, MAX_NUMNODES); + /* +- * If the Address Range Structure provides a local processor pxm, link ++ * If the Address Range Structure provides a local processor pxm, set + * only that one. Otherwise, find the best performance attributes and +- * register all initiators that match. ++ * collect all initiators that match. + */ + if (target->processor_pxm != PXM_INVAL) { + cpu_nid = pxm_to_node(target->processor_pxm); +- register_memory_node_under_compute_node(mem_nid, cpu_nid, 0); +- access0done = true; +- if (node_state(cpu_nid, N_CPU)) { +- register_memory_node_under_compute_node(mem_nid, cpu_nid, 1); ++ if (access == 0 || node_state(cpu_nid, N_CPU)) { ++ set_bit(target->processor_pxm, p_nodes); + return; + } + } +@@ -617,47 +614,10 @@ static void hmat_register_target_initiators(struct memory_target *target) + * We'll also use the sorting to prime the candidate nodes with known + * initiators. + */ +- bitmap_zero(p_nodes, MAX_NUMNODES); + list_sort(NULL, &initiators, initiator_cmp); + if (initiators_to_nodemask(p_nodes) < 0) + return; + +- if (!access0done) { +- for (i = WRITE_LATENCY; i <= READ_BANDWIDTH; i++) { +- loc = localities_types[i]; +- if (!loc) +- continue; +- +- best = 0; +- list_for_each_entry(initiator, &initiators, node) { +- u32 value; +- +- if (!test_bit(initiator->processor_pxm, p_nodes)) +- continue; +- +- value = hmat_initiator_perf(target, initiator, +- loc->hmat_loc); +- if (hmat_update_best(loc->hmat_loc->data_type, value, &best)) +- bitmap_clear(p_nodes, 0, initiator->processor_pxm); +- if (value != best) +- clear_bit(initiator->processor_pxm, p_nodes); +- } +- if (best) +- hmat_update_target_access(target, loc->hmat_loc->data_type, +- best, 0); +- } +- +- for_each_set_bit(i, p_nodes, MAX_NUMNODES) { +- cpu_nid = pxm_to_node(i); +- register_memory_node_under_compute_node(mem_nid, cpu_nid, 0); +- } +- } +- +- /* Access 1 ignores Generic Initiators */ +- bitmap_zero(p_nodes, MAX_NUMNODES); +- if (initiators_to_nodemask(p_nodes) < 0) +- return; +- + for (i = WRITE_LATENCY; i <= READ_BANDWIDTH; i++) { + loc = localities_types[i]; + if (!loc) +@@ -667,7 +627,7 @@ static void hmat_register_target_initiators(struct memory_target *target) + list_for_each_entry(initiator, &initiators, node) { + u32 value; + +- if (!initiator->has_cpu) { ++ if (access == 1 && !initiator->has_cpu) { + clear_bit(initiator->processor_pxm, p_nodes); + continue; + } +@@ -681,14 +641,33 @@ static void hmat_register_target_initiators(struct memory_target *target) + clear_bit(initiator->processor_pxm, p_nodes); + } + if (best) +- hmat_update_target_access(target, loc->hmat_loc->data_type, best, 1); ++ hmat_update_target_access(target, loc->hmat_loc->data_type, best, access); + } ++} ++ ++static void __hmat_register_target_initiators(struct memory_target *target, ++ unsigned long *p_nodes, ++ int access) ++{ ++ unsigned int mem_nid, cpu_nid; ++ int i; ++ ++ mem_nid = pxm_to_node(target->memory_pxm); ++ hmat_update_target_attrs(target, p_nodes, access); + for_each_set_bit(i, p_nodes, MAX_NUMNODES) { + cpu_nid = pxm_to_node(i); +- register_memory_node_under_compute_node(mem_nid, cpu_nid, 1); ++ register_memory_node_under_compute_node(mem_nid, cpu_nid, access); + } + } + ++static void hmat_register_target_initiators(struct memory_target *target) ++{ ++ static DECLARE_BITMAP(p_nodes, MAX_NUMNODES); ++ ++ __hmat_register_target_initiators(target, p_nodes, 0); ++ __hmat_register_target_initiators(target, p_nodes, 1); ++} ++ + static void hmat_register_target_cache(struct memory_target *target) + { + unsigned mem_nid = pxm_to_node(target->memory_pxm); +-- +2.51.0 + diff --git a/queue-6.6/acpi-numa-add-genport-target-allocation-to-the-hmat-.patch b/queue-6.6/acpi-numa-add-genport-target-allocation-to-the-hmat-.patch new file mode 100644 index 0000000000..a0b76f811e --- /dev/null +++ b/queue-6.6/acpi-numa-add-genport-target-allocation-to-the-hmat-.patch @@ -0,0 +1,142 @@ +From 2db117bf203b12bbbacfb7e842da5e67b566264d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Dec 2023 15:02:49 -0700 +Subject: acpi: numa: Add genport target allocation to the HMAT parsing + +From: Dave Jiang + +[ Upstream commit 6373c48b8c9dfb5c1e09fdb538e700d9cc91c45e ] + +Add SRAT parsing for the HMAT init in order to collect the device handle +from the Generic Port Affinity Structure. The device handle will serve as +the key to search for target data. + +Consolidate the common code with alloc_memory_target() in a helper function +alloc_target(). + +Reviewed-by: Jonathan Cameron +Signed-off-by: Dave Jiang +Acked-by: Rafael J. Wysocki +Link: https://lore.kernel.org/r/170319616951.2212653.14862375982250406464.stgit@djiang5-mobl3 +Signed-off-by: Dan Williams +Stable-dep-of: 214291cbaace ("acpi/hmat: Fix lockdep warning for hmem_register_resource()") +Signed-off-by: Sasha Levin +--- + drivers/acpi/numa/hmat.c | 59 ++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 56 insertions(+), 3 deletions(-) + +diff --git a/drivers/acpi/numa/hmat.c b/drivers/acpi/numa/hmat.c +index ca7aedfbb5f2d..21722cbec324d 100644 +--- a/drivers/acpi/numa/hmat.c ++++ b/drivers/acpi/numa/hmat.c +@@ -72,6 +72,7 @@ struct memory_target { + struct access_coordinate coord[NODE_ACCESS_CLASS_MAX]; + struct list_head caches; + struct node_cache_attrs cache_attrs; ++ u8 gen_port_device_handle[ACPI_SRAT_DEVICE_HANDLE_SIZE]; + bool registered; + }; + +@@ -126,8 +127,7 @@ static __init void alloc_memory_initiator(unsigned int cpu_pxm) + list_add_tail(&initiator->node, &initiators); + } + +-static __init void alloc_memory_target(unsigned int mem_pxm, +- resource_size_t start, resource_size_t len) ++static __init struct memory_target *alloc_target(unsigned int mem_pxm) + { + struct memory_target *target; + +@@ -135,7 +135,7 @@ static __init void alloc_memory_target(unsigned int mem_pxm, + if (!target) { + target = kzalloc(sizeof(*target), GFP_KERNEL); + if (!target) +- return; ++ return NULL; + target->memory_pxm = mem_pxm; + target->processor_pxm = PXM_INVAL; + target->memregions = (struct resource) { +@@ -148,6 +148,19 @@ static __init void alloc_memory_target(unsigned int mem_pxm, + INIT_LIST_HEAD(&target->caches); + } + ++ return target; ++} ++ ++static __init void alloc_memory_target(unsigned int mem_pxm, ++ resource_size_t start, ++ resource_size_t len) ++{ ++ struct memory_target *target; ++ ++ target = alloc_target(mem_pxm); ++ if (!target) ++ return; ++ + /* + * There are potentially multiple ranges per PXM, so record each + * in the per-target memregions resource tree. +@@ -158,6 +171,18 @@ static __init void alloc_memory_target(unsigned int mem_pxm, + start, start + len, mem_pxm); + } + ++static __init void alloc_genport_target(unsigned int mem_pxm, u8 *handle) ++{ ++ struct memory_target *target; ++ ++ target = alloc_target(mem_pxm); ++ if (!target) ++ return; ++ ++ memcpy(target->gen_port_device_handle, handle, ++ ACPI_SRAT_DEVICE_HANDLE_SIZE); ++} ++ + static __init const char *hmat_data_type(u8 type) + { + switch (type) { +@@ -499,6 +524,27 @@ static __init int srat_parse_mem_affinity(union acpi_subtable_headers *header, + return 0; + } + ++static __init int srat_parse_genport_affinity(union acpi_subtable_headers *header, ++ const unsigned long end) ++{ ++ struct acpi_srat_generic_affinity *ga = (void *)header; ++ ++ if (!ga) ++ return -EINVAL; ++ ++ if (!(ga->flags & ACPI_SRAT_GENERIC_AFFINITY_ENABLED)) ++ return 0; ++ ++ /* Skip PCI device_handle for now */ ++ if (ga->device_handle_type != 0) ++ return 0; ++ ++ alloc_genport_target(ga->proximity_domain, ++ (u8 *)ga->device_handle); ++ ++ return 0; ++} ++ + static u32 hmat_initiator_perf(struct memory_target *target, + struct memory_initiator *initiator, + struct acpi_hmat_locality *hmat_loc) +@@ -878,6 +924,13 @@ static __init int hmat_init(void) + ACPI_SRAT_TYPE_MEMORY_AFFINITY, + srat_parse_mem_affinity, 0) < 0) + goto out_put; ++ ++ if (acpi_table_parse_entries(ACPI_SIG_SRAT, ++ sizeof(struct acpi_table_srat), ++ ACPI_SRAT_TYPE_GENERIC_PORT_AFFINITY, ++ srat_parse_genport_affinity, 0) < 0) ++ goto out_put; ++ + acpi_put_table(tbl); + + status = acpi_get_table(ACPI_SIG_HMAT, 0, &tbl); +-- +2.51.0 + diff --git a/queue-6.6/acpi-numa-add-setting-of-generic-port-system-localit.patch b/queue-6.6/acpi-numa-add-setting-of-generic-port-system-localit.patch new file mode 100644 index 0000000000..9c5da0fcb7 --- /dev/null +++ b/queue-6.6/acpi-numa-add-setting-of-generic-port-system-localit.patch @@ -0,0 +1,93 @@ +From d5932c0344bcb09a5c3085bedcfb3de7a55ced29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Dec 2023 15:03:01 -0700 +Subject: acpi: numa: Add setting of generic port system locality attributes + +From: Dave Jiang + +[ Upstream commit a3a3e341f169511823f7b2d140a0bdfbd620dcbd ] + +Add generic port support for the parsing of HMAT system locality sub-table. +The attributes will be added to the third array member of the access +coordinates in order to not mix with the existing memory attributes. It +only provides the system locality attributes from initiator to the +generic port targets and is missing the rest of the data to the actual +memory device. + +The complete attributes will be updated when a memory device is +attached and the system locality information is calculated end to end. + +Through hmat_update_target_attrs(), the best performance attributes will +be setup in target->coord. + +Reviewed-by: Jonathan Cameron +Signed-off-by: Dave Jiang +Acked-by: Rafael J. Wysocki +Link: https://lore.kernel.org/r/170319618135.2212653.13778540010384821833.stgit@djiang5-mobl3 +Signed-off-by: Dan Williams +Stable-dep-of: 214291cbaace ("acpi/hmat: Fix lockdep warning for hmem_register_resource()") +Signed-off-by: Sasha Levin +--- + drivers/acpi/numa/hmat.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/drivers/acpi/numa/hmat.c b/drivers/acpi/numa/hmat.c +index 4cae2e84251a2..8a1802e078f3c 100644 +--- a/drivers/acpi/numa/hmat.c ++++ b/drivers/acpi/numa/hmat.c +@@ -61,6 +61,7 @@ struct target_cache { + enum { + NODE_ACCESS_CLASS_0 = 0, + NODE_ACCESS_CLASS_1, ++ NODE_ACCESS_CLASS_GENPORT_SINK, + NODE_ACCESS_CLASS_MAX, + }; + +@@ -654,6 +655,11 @@ static void hmat_update_target_attrs(struct memory_target *target, + u32 best = 0; + int i; + ++ /* Don't update for generic port if there's no device handle */ ++ if (access == NODE_ACCESS_CLASS_GENPORT_SINK && ++ !(*(u16 *)target->gen_port_device_handle)) ++ return; ++ + bitmap_zero(p_nodes, MAX_NUMNODES); + /* + * If the Address Range Structure provides a local processor pxm, set +@@ -723,6 +729,14 @@ static void __hmat_register_target_initiators(struct memory_target *target, + } + } + ++static void hmat_register_generic_target_initiators(struct memory_target *target) ++{ ++ static DECLARE_BITMAP(p_nodes, MAX_NUMNODES); ++ ++ __hmat_register_target_initiators(target, p_nodes, ++ NODE_ACCESS_CLASS_GENPORT_SINK); ++} ++ + static void hmat_register_target_initiators(struct memory_target *target) + { + static DECLARE_BITMAP(p_nodes, MAX_NUMNODES); +@@ -774,6 +788,17 @@ static void hmat_register_target(struct memory_target *target) + */ + hmat_register_target_devices(target); + ++ /* ++ * Register generic port perf numbers. The nid may not be ++ * initialized and is still NUMA_NO_NODE. ++ */ ++ mutex_lock(&target_lock); ++ if (*(u16 *)target->gen_port_device_handle) { ++ hmat_register_generic_target_initiators(target); ++ target->registered = true; ++ } ++ mutex_unlock(&target_lock); ++ + /* + * Skip offline nodes. This can happen when memory + * marked EFI_MEMORY_SP, "specific purpose", is applied +-- +2.51.0 + diff --git a/queue-6.6/acpi-numa-create-enum-for-memory_target-access-coord.patch b/queue-6.6/acpi-numa-create-enum-for-memory_target-access-coord.patch new file mode 100644 index 0000000000..f064dda3bc --- /dev/null +++ b/queue-6.6/acpi-numa-create-enum-for-memory_target-access-coord.patch @@ -0,0 +1,78 @@ +From c3fc2de0dac568b272957999023936be2bd4caf5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Dec 2023 15:02:43 -0700 +Subject: acpi: numa: Create enum for memory_target access coordinates indexing + +From: Dave Jiang + +[ Upstream commit 69b789b64456093819f730b3f9c13a593a5485d9 ] + +Create enums to provide named indexing for the access coordinate array. +This is in preparation for adding generic port support which will add a +third index in the array to keep the generic port attributes separate from +the memory attributes. + +Reviewed-by: Jonathan Cameron +Signed-off-by: Dave Jiang +Acked-by: Rafael J. Wysocki +Link: https://lore.kernel.org/r/170319616332.2212653.3872789279950567889.stgit@djiang5-mobl3 +Signed-off-by: Dan Williams +Stable-dep-of: 214291cbaace ("acpi/hmat: Fix lockdep warning for hmem_register_resource()") +Signed-off-by: Sasha Levin +--- + drivers/acpi/numa/hmat.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/drivers/acpi/numa/hmat.c b/drivers/acpi/numa/hmat.c +index 83bc2b69401bf..ca7aedfbb5f2d 100644 +--- a/drivers/acpi/numa/hmat.c ++++ b/drivers/acpi/numa/hmat.c +@@ -58,12 +58,18 @@ struct target_cache { + struct node_cache_attrs cache_attrs; + }; + ++enum { ++ NODE_ACCESS_CLASS_0 = 0, ++ NODE_ACCESS_CLASS_1, ++ NODE_ACCESS_CLASS_MAX, ++}; ++ + struct memory_target { + struct list_head node; + unsigned int memory_pxm; + unsigned int processor_pxm; + struct resource memregions; +- struct access_coordinate coord[2]; ++ struct access_coordinate coord[NODE_ACCESS_CLASS_MAX]; + struct list_head caches; + struct node_cache_attrs cache_attrs; + bool registered; +@@ -339,10 +345,12 @@ static __init int hmat_parse_locality(union acpi_subtable_headers *header, + if (mem_hier == ACPI_HMAT_MEMORY) { + target = find_mem_target(targs[targ]); + if (target && target->processor_pxm == inits[init]) { +- hmat_update_target_access(target, type, value, 0); ++ hmat_update_target_access(target, type, value, ++ NODE_ACCESS_CLASS_0); + /* If the node has a CPU, update access 1 */ + if (node_state(pxm_to_node(inits[init]), N_CPU)) +- hmat_update_target_access(target, type, value, 1); ++ hmat_update_target_access(target, type, value, ++ NODE_ACCESS_CLASS_1); + } + } + } +@@ -726,8 +734,8 @@ static void hmat_register_target(struct memory_target *target) + if (!target->registered) { + hmat_register_target_initiators(target); + hmat_register_target_cache(target); +- hmat_register_target_perf(target, 0); +- hmat_register_target_perf(target, 1); ++ hmat_register_target_perf(target, NODE_ACCESS_CLASS_0); ++ hmat_register_target_perf(target, NODE_ACCESS_CLASS_1); + target->registered = true; + } + mutex_unlock(&target_lock); +-- +2.51.0 + diff --git a/queue-6.6/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch b/queue-6.6/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch new file mode 100644 index 0000000000..f93a246173 --- /dev/null +++ b/queue-6.6/acpi-srat-fix-incorrect-device-handle-check-for-gene.patch @@ -0,0 +1,41 @@ +From 573f5ed2f196a11950b2c3e4bb25ed78974f2d1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Sep 2025 10:32:24 +0800 +Subject: acpi,srat: Fix incorrect device handle check for Generic Initiator + +From: Shuai Xue + +[ Upstream commit 7c3643f204edf1c5edb12b36b34838683ee5f8dc ] + +The Generic Initiator Affinity Structure in SRAT table uses device +handle type field to indicate the device type. According to ACPI +specification, the device handle type value of 1 represents PCI device, +not 0. + +Fixes: 894c26a1c274 ("ACPI: Support Generic Initiator only domains") +Reported-by: Wu Zongyong +Signed-off-by: Shuai Xue +Reviewed-by: Jonathan Cameron +Link: https://patch.msgid.link/20250913023224.39281-1-xueshuai@linux.alibaba.com +Signed-off-by: Dave Jiang +Signed-off-by: Sasha Levin +--- + drivers/acpi/numa/srat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/numa/srat.c b/drivers/acpi/numa/srat.c +index a44c0761fd1c0..848942bf883cb 100644 +--- a/drivers/acpi/numa/srat.c ++++ b/drivers/acpi/numa/srat.c +@@ -140,7 +140,7 @@ acpi_table_print_srat_entry(struct acpi_subtable_header *header) + struct acpi_srat_generic_affinity *p = + (struct acpi_srat_generic_affinity *)header; + +- if (p->device_handle_type == 0) { ++ if (p->device_handle_type == 1) { + /* + * For pci devices this may be the only place they + * are assigned a proximity domain +-- +2.51.0 + diff --git a/queue-6.6/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch b/queue-6.6/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch new file mode 100644 index 0000000000..2d7453c82d --- /dev/null +++ b/queue-6.6/alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch @@ -0,0 +1,49 @@ +From c3a336def5a59e2835ee55f1cdd971505adf3f5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 00:37:54 +0900 +Subject: ALSA: usb-audio: Fix NULL pointer dereference in + snd_usb_mixer_controls_badd + +From: Haein Lee + +[ Upstream commit 632108ec072ad64c8c83db6e16a7efee29ebfb74 ] + +In snd_usb_create_streams(), for UAC version 3 devices, the Interface +Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this +call fails, a fallback routine attempts to obtain the IAD from the next +interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() +assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, +without performing a NULL check. This can lead to a NULL pointer +dereference when usb_ifnum_to_if() fails to find the interface descriptor. + +This patch adds a NULL pointer check after calling usb_ifnum_to_if() in +snd_usb_mixer_controls_badd() to prevent the dereference. + +This issue was discovered by syzkaller, which triggered the bug by sending +a crafted USB device descriptor. + +Fixes: 17156f23e93c ("ALSA: usb: add UAC3 BADD profiles support") +Signed-off-by: Haein Lee +Link: https://patch.msgid.link/vwhzmoba9j2f.vwhzmob9u9e2.g6@dooray.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index cc051756a4220..787cdeddbdf44 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -3079,6 +3079,8 @@ static int snd_usb_mixer_controls_badd(struct usb_mixer_interface *mixer, + int i; + + assoc = usb_ifnum_to_if(dev, ctrlif)->intf_assoc; ++ if (!assoc) ++ return -EINVAL; + + /* Detect BADD capture/playback channels from AS EP descriptors */ + for (i = 0; i < assoc->bInterfaceCount; i++) { +-- +2.51.0 + diff --git a/queue-6.6/asoc-codecs-va-macro-fix-resource-leak-in-probe-erro.patch b/queue-6.6/asoc-codecs-va-macro-fix-resource-leak-in-probe-erro.patch new file mode 100644 index 0000000000..a3480a89b7 --- /dev/null +++ b/queue-6.6/asoc-codecs-va-macro-fix-resource-leak-in-probe-erro.patch @@ -0,0 +1,44 @@ +From 45c5657855aa95373a0c9ffdda4e02e2b1258f5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Nov 2025 22:31:14 +0800 +Subject: ASoC: codecs: va-macro: fix resource leak in probe error path + +From: Haotian Zhang + +[ Upstream commit 3dc8c73365d3ca25c99e7e1a0f493039d7291df5 ] + +In the commit referenced by the Fixes tag, clk_hw_get_clk() +was added in va_macro_probe() to get the fsgen clock, +but forgot to add the corresponding clk_put() in va_macro_remove(). +This leads to a clock reference leak when the driver is unloaded. + +Switch to devm_clk_hw_get_clk() to automatically manage the +clock resource. + +Fixes: 30097967e056 ("ASoC: codecs: va-macro: use fsgen as clock") +Suggested-by: Konrad Dybcio +Signed-off-by: Haotian Zhang +Reviewed-by: Konrad Dybcio +Link: https://patch.msgid.link/20251106143114.729-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/lpass-va-macro.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/lpass-va-macro.c b/sound/soc/codecs/lpass-va-macro.c +index b71ef03c4aef0..c7d6696b1bfdf 100644 +--- a/sound/soc/codecs/lpass-va-macro.c ++++ b/sound/soc/codecs/lpass-va-macro.c +@@ -1555,7 +1555,7 @@ static int va_macro_probe(struct platform_device *pdev) + if (ret) + goto err_clkout; + +- va->fsgen = clk_hw_get_clk(&va->hw, "fsgen"); ++ va->fsgen = devm_clk_hw_get_clk(dev, &va->hw, "fsgen"); + if (IS_ERR(va->fsgen)) { + ret = PTR_ERR(va->fsgen); + goto err_clkout; +-- +2.51.0 + diff --git a/queue-6.6/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch b/queue-6.6/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch new file mode 100644 index 0000000000..58dbcf7555 --- /dev/null +++ b/queue-6.6/asoc-cs4271-fix-regulator-leak-on-probe-failure.patch @@ -0,0 +1,67 @@ +From d57a21e4fbe577e667b0bea587eb98579fbcd709 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 14:22:46 +0800 +Subject: ASoC: cs4271: Fix regulator leak on probe failure + +From: Haotian Zhang + +[ Upstream commit 6b6eddc63ce871897d3a5bc4f8f593e698aef104 ] + +The probe function enables regulators at the beginning +but fails to disable them in its error handling path. +If any operation after enabling the regulators fails, +the probe will exit with an error, leaving the regulators +permanently enabled, which could lead to a resource leak. + +Add a proper error handling path to call regulator_bulk_disable() +before returning an error. + +Fixes: 9a397f473657 ("ASoC: cs4271: add regulator consumer support") +Signed-off-by: Haotian Zhang +Reviewed-by: Charles Keepax +Link: https://patch.msgid.link/20251105062246.1955-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs4271.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/cs4271.c b/sound/soc/codecs/cs4271.c +index 188b8b43c524f..b7529e2900572 100644 +--- a/sound/soc/codecs/cs4271.c ++++ b/sound/soc/codecs/cs4271.c +@@ -594,17 +594,17 @@ static int cs4271_component_probe(struct snd_soc_component *component) + + ret = regcache_sync(cs4271->regmap); + if (ret < 0) +- return ret; ++ goto err_disable_regulator; + + ret = regmap_update_bits(cs4271->regmap, CS4271_MODE2, + CS4271_MODE2_PDN | CS4271_MODE2_CPEN, + CS4271_MODE2_PDN | CS4271_MODE2_CPEN); + if (ret < 0) +- return ret; ++ goto err_disable_regulator; + ret = regmap_update_bits(cs4271->regmap, CS4271_MODE2, + CS4271_MODE2_PDN, 0); + if (ret < 0) +- return ret; ++ goto err_disable_regulator; + /* Power-up sequence requires 85 uS */ + udelay(85); + +@@ -614,6 +614,10 @@ static int cs4271_component_probe(struct snd_soc_component *component) + CS4271_MODE2_MUTECAEQUB); + + return 0; ++ ++err_disable_regulator: ++ regulator_bulk_disable(ARRAY_SIZE(cs4271->supplies), cs4271->supplies); ++ return ret; + } + + static void cs4271_component_remove(struct snd_soc_component *component) +-- +2.51.0 + diff --git a/queue-6.6/asoc-tas2781-fix-getting-the-wrong-device-number.patch b/queue-6.6/asoc-tas2781-fix-getting-the-wrong-device-number.patch new file mode 100644 index 0000000000..0ccf054fdb --- /dev/null +++ b/queue-6.6/asoc-tas2781-fix-getting-the-wrong-device-number.patch @@ -0,0 +1,52 @@ +From 3ef0c22c32390f01c3c2ee62aab3f5fd5f9dd32e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Nov 2025 13:49:59 +0800 +Subject: ASoC: tas2781: fix getting the wrong device number + +From: Shenghao Ding + +[ Upstream commit 29528c8e643bb0c54da01237a35010c6438423d2 ] + +The return value of device_property_read_u32_array used for getting the +property is the status instead of the number of the property. + +Fixes: ef3bcde75d06 ("ASoC: tas2781: Add tas2781 driver") +Signed-off-by: Shenghao Ding +Link: https://patch.msgid.link/20251107054959.950-1-shenghao-ding@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tas2781-i2c.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/tas2781-i2c.c b/sound/soc/codecs/tas2781-i2c.c +index 43775c1944452..836cf06a45266 100644 +--- a/sound/soc/codecs/tas2781-i2c.c ++++ b/sound/soc/codecs/tas2781-i2c.c +@@ -616,7 +616,8 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv) + { + struct i2c_client *client = (struct i2c_client *)tas_priv->client; + unsigned int dev_addrs[TASDEVICE_MAX_CHANNELS]; +- int i, ndev = 0; ++ int ndev = 0; ++ int i, rc; + + if (tas_priv->isacpi) { + ndev = device_property_read_u32_array(&client->dev, +@@ -627,8 +628,12 @@ static void tasdevice_parse_dt(struct tasdevice_priv *tas_priv) + } else { + ndev = (ndev < ARRAY_SIZE(dev_addrs)) + ? ndev : ARRAY_SIZE(dev_addrs); +- ndev = device_property_read_u32_array(&client->dev, ++ rc = device_property_read_u32_array(&client->dev, + "ti,audio-slots", dev_addrs, ndev); ++ if (rc != 0) { ++ ndev = 1; ++ dev_addrs[0] = client->addr; ++ } + } + + tas_priv->irq = +-- +2.51.0 + diff --git a/queue-6.6/base-node-acpi-change-node_hmem_attrs-to-access_coor.patch b/queue-6.6/base-node-acpi-change-node_hmem_attrs-to-access_coor.patch new file mode 100644 index 0000000000..387cc8e26c --- /dev/null +++ b/queue-6.6/base-node-acpi-change-node_hmem_attrs-to-access_coor.patch @@ -0,0 +1,311 @@ +From 27560af3b22e797456805e276a3f6a1baf4eeb48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Dec 2023 15:02:37 -0700 +Subject: base/node / acpi: Change 'node_hmem_attrs' to 'access_coordinates' + +From: Dave Jiang + +[ Upstream commit 6a954e94d038f41d79c4e04348c95774d1c9337d ] + +Dan Williams suggested changing the struct 'node_hmem_attrs' to +'access_coordinates' [1]. The struct is a container of r/w-latency and +r/w-bandwidth numbers. Moving forward, this container will also be used by +CXL to store the performance characteristics of each link hop in +the PCIE/CXL topology. So, where node_hmem_attrs is just the access +parameters of a memory-node, access_coordinates applies more broadly +to hardware topology characteristics. The observation is that seemed like +an exercise in having the application identify "where" it falls on a +spectrum of bandwidth and latency needs. For the tuple of +read/write-latency and read/write-bandwidth, "coordinates" is not a perfect +fit. Sometimes it is just conveying values in isolation and not a +"location" relative to other performance points, but in the end this data +is used to identify the performance operation point of a given memory-node. +[2] + +Link: http://lore.kernel.org/r/64471313421f7_1b66294d5@dwillia2-xfh.jf.intel.com.notmuch/ +Link: https://lore.kernel.org/linux-cxl/645e6215ee0de_1e6f2945e@dwillia2-xfh.jf.intel.com.notmuch/ +Suggested-by: Dan Williams +Reviewed-by: Dan Williams +Reviewed-by: Jonathan Cameron +Signed-off-by: Dave Jiang +Acked-by: Greg Kroah-Hartman +Link: https://lore.kernel.org/r/170319615734.2212653.15319394025985499185.stgit@djiang5-mobl3 +Signed-off-by: Dan Williams +Stable-dep-of: 214291cbaace ("acpi/hmat: Fix lockdep warning for hmem_register_resource()") +Signed-off-by: Sasha Levin +--- + drivers/acpi/numa/hmat.c | 28 ++++++++++++++-------------- + drivers/base/node.c | 12 ++++++------ + include/linux/memory-tiers.h | 10 +++++----- + include/linux/node.h | 8 ++++---- + mm/memory-tiers.c | 12 ++++++------ + 5 files changed, 35 insertions(+), 35 deletions(-) + +diff --git a/drivers/acpi/numa/hmat.c b/drivers/acpi/numa/hmat.c +index 9ef5f1bdcfdbc..83bc2b69401bf 100644 +--- a/drivers/acpi/numa/hmat.c ++++ b/drivers/acpi/numa/hmat.c +@@ -63,7 +63,7 @@ struct memory_target { + unsigned int memory_pxm; + unsigned int processor_pxm; + struct resource memregions; +- struct node_hmem_attrs hmem_attrs[2]; ++ struct access_coordinate coord[2]; + struct list_head caches; + struct node_cache_attrs cache_attrs; + bool registered; +@@ -228,24 +228,24 @@ static void hmat_update_target_access(struct memory_target *target, + { + switch (type) { + case ACPI_HMAT_ACCESS_LATENCY: +- target->hmem_attrs[access].read_latency = value; +- target->hmem_attrs[access].write_latency = value; ++ target->coord[access].read_latency = value; ++ target->coord[access].write_latency = value; + break; + case ACPI_HMAT_READ_LATENCY: +- target->hmem_attrs[access].read_latency = value; ++ target->coord[access].read_latency = value; + break; + case ACPI_HMAT_WRITE_LATENCY: +- target->hmem_attrs[access].write_latency = value; ++ target->coord[access].write_latency = value; + break; + case ACPI_HMAT_ACCESS_BANDWIDTH: +- target->hmem_attrs[access].read_bandwidth = value; +- target->hmem_attrs[access].write_bandwidth = value; ++ target->coord[access].read_bandwidth = value; ++ target->coord[access].write_bandwidth = value; + break; + case ACPI_HMAT_READ_BANDWIDTH: +- target->hmem_attrs[access].read_bandwidth = value; ++ target->coord[access].read_bandwidth = value; + break; + case ACPI_HMAT_WRITE_BANDWIDTH: +- target->hmem_attrs[access].write_bandwidth = value; ++ target->coord[access].write_bandwidth = value; + break; + default: + break; +@@ -681,7 +681,7 @@ static void hmat_register_target_cache(struct memory_target *target) + static void hmat_register_target_perf(struct memory_target *target, int access) + { + unsigned mem_nid = pxm_to_node(target->memory_pxm); +- node_set_perf_attrs(mem_nid, &target->hmem_attrs[access], access); ++ node_set_perf_attrs(mem_nid, &target->coord[access], access); + } + + static void hmat_register_target_devices(struct memory_target *target) +@@ -765,7 +765,7 @@ static int hmat_set_default_dram_perf(void) + int rc; + int nid, pxm; + struct memory_target *target; +- struct node_hmem_attrs *attrs; ++ struct access_coordinate *attrs; + + if (!default_dram_type) + return -EIO; +@@ -775,7 +775,7 @@ static int hmat_set_default_dram_perf(void) + target = find_mem_target(pxm); + if (!target) + continue; +- attrs = &target->hmem_attrs[1]; ++ attrs = &target->coord[1]; + rc = mt_set_default_dram_perf(nid, attrs, "ACPI HMAT"); + if (rc) + return rc; +@@ -789,7 +789,7 @@ static int hmat_calculate_adistance(struct notifier_block *self, + { + static DECLARE_BITMAP(p_nodes, MAX_NUMNODES); + struct memory_target *target; +- struct node_hmem_attrs *perf; ++ struct access_coordinate *perf; + int *adist = data; + int pxm; + +@@ -802,7 +802,7 @@ static int hmat_calculate_adistance(struct notifier_block *self, + hmat_update_target_attrs(target, p_nodes, 1); + mutex_unlock(&target_lock); + +- perf = &target->hmem_attrs[1]; ++ perf = &target->coord[1]; + + if (mt_perf_to_adistance(perf, adist)) + return NOTIFY_OK; +diff --git a/drivers/base/node.c b/drivers/base/node.c +index 47960a34305d3..9a312650bd57e 100644 +--- a/drivers/base/node.c ++++ b/drivers/base/node.c +@@ -74,14 +74,14 @@ static BIN_ATTR_RO(cpulist, CPULIST_FILE_MAX_BYTES); + * @dev: Device for this memory access class + * @list_node: List element in the node's access list + * @access: The access class rank +- * @hmem_attrs: Heterogeneous memory performance attributes ++ * @coord: Heterogeneous memory performance coordinates + */ + struct node_access_nodes { + struct device dev; + struct list_head list_node; + unsigned int access; + #ifdef CONFIG_HMEM_REPORTING +- struct node_hmem_attrs hmem_attrs; ++ struct access_coordinate coord; + #endif + }; + #define to_access_nodes(dev) container_of(dev, struct node_access_nodes, dev) +@@ -167,7 +167,7 @@ static ssize_t property##_show(struct device *dev, \ + char *buf) \ + { \ + return sysfs_emit(buf, "%u\n", \ +- to_access_nodes(dev)->hmem_attrs.property); \ ++ to_access_nodes(dev)->coord.property); \ + } \ + static DEVICE_ATTR_RO(property) + +@@ -187,10 +187,10 @@ static struct attribute *access_attrs[] = { + /** + * node_set_perf_attrs - Set the performance values for given access class + * @nid: Node identifier to be set +- * @hmem_attrs: Heterogeneous memory performance attributes ++ * @coord: Heterogeneous memory performance coordinates + * @access: The access class the for the given attributes + */ +-void node_set_perf_attrs(unsigned int nid, struct node_hmem_attrs *hmem_attrs, ++void node_set_perf_attrs(unsigned int nid, struct access_coordinate *coord, + unsigned int access) + { + struct node_access_nodes *c; +@@ -205,7 +205,7 @@ void node_set_perf_attrs(unsigned int nid, struct node_hmem_attrs *hmem_attrs, + if (!c) + return; + +- c->hmem_attrs = *hmem_attrs; ++ c->coord = *coord; + for (i = 0; access_attrs[i] != NULL; i++) { + if (sysfs_add_file_to_group(&c->dev.kobj, access_attrs[i], + "initiators")) { +diff --git a/include/linux/memory-tiers.h b/include/linux/memory-tiers.h +index 9d27ca3b143e6..c906de6e077ab 100644 +--- a/include/linux/memory-tiers.h ++++ b/include/linux/memory-tiers.h +@@ -31,7 +31,7 @@ struct memory_dev_type { + struct kref kref; + }; + +-struct node_hmem_attrs; ++struct access_coordinate; + + #ifdef CONFIG_NUMA + extern bool numa_demotion_enabled; +@@ -43,9 +43,9 @@ void clear_node_memory_type(int node, struct memory_dev_type *memtype); + int register_mt_adistance_algorithm(struct notifier_block *nb); + int unregister_mt_adistance_algorithm(struct notifier_block *nb); + int mt_calc_adistance(int node, int *adist); +-int mt_set_default_dram_perf(int nid, struct node_hmem_attrs *perf, ++int mt_set_default_dram_perf(int nid, struct access_coordinate *perf, + const char *source); +-int mt_perf_to_adistance(struct node_hmem_attrs *perf, int *adist); ++int mt_perf_to_adistance(struct access_coordinate *perf, int *adist); + #ifdef CONFIG_MIGRATION + int next_demotion_node(int node); + void node_get_allowed_targets(pg_data_t *pgdat, nodemask_t *targets); +@@ -124,13 +124,13 @@ static inline int mt_calc_adistance(int node, int *adist) + return NOTIFY_DONE; + } + +-static inline int mt_set_default_dram_perf(int nid, struct node_hmem_attrs *perf, ++static inline int mt_set_default_dram_perf(int nid, struct access_coordinate *perf, + const char *source) + { + return -EIO; + } + +-static inline int mt_perf_to_adistance(struct node_hmem_attrs *perf, int *adist) ++static inline int mt_perf_to_adistance(struct access_coordinate *perf, int *adist) + { + return -EIO; + } +diff --git a/include/linux/node.h b/include/linux/node.h +index 427a5975cf405..25b66d705ee2e 100644 +--- a/include/linux/node.h ++++ b/include/linux/node.h +@@ -20,14 +20,14 @@ + #include + + /** +- * struct node_hmem_attrs - heterogeneous memory performance attributes ++ * struct access_coordinate - generic performance coordinates container + * + * @read_bandwidth: Read bandwidth in MB/s + * @write_bandwidth: Write bandwidth in MB/s + * @read_latency: Read latency in nanoseconds + * @write_latency: Write latency in nanoseconds + */ +-struct node_hmem_attrs { ++struct access_coordinate { + unsigned int read_bandwidth; + unsigned int write_bandwidth; + unsigned int read_latency; +@@ -65,7 +65,7 @@ struct node_cache_attrs { + + #ifdef CONFIG_HMEM_REPORTING + void node_add_cache(unsigned int nid, struct node_cache_attrs *cache_attrs); +-void node_set_perf_attrs(unsigned int nid, struct node_hmem_attrs *hmem_attrs, ++void node_set_perf_attrs(unsigned int nid, struct access_coordinate *coord, + unsigned access); + #else + static inline void node_add_cache(unsigned int nid, +@@ -74,7 +74,7 @@ static inline void node_add_cache(unsigned int nid, + } + + static inline void node_set_perf_attrs(unsigned int nid, +- struct node_hmem_attrs *hmem_attrs, ++ struct access_coordinate *coord, + unsigned access) + { + } +diff --git a/mm/memory-tiers.c b/mm/memory-tiers.c +index fa1a8b418f9a8..5e4c5ae4e2e80 100644 +--- a/mm/memory-tiers.c ++++ b/mm/memory-tiers.c +@@ -109,7 +109,7 @@ static struct demotion_nodes *node_demotion __read_mostly; + static BLOCKING_NOTIFIER_HEAD(mt_adistance_algorithms); + + static bool default_dram_perf_error; +-static struct node_hmem_attrs default_dram_perf; ++static struct access_coordinate default_dram_perf; + static int default_dram_perf_ref_nid = NUMA_NO_NODE; + static const char *default_dram_perf_ref_source; + +@@ -600,15 +600,15 @@ void clear_node_memory_type(int node, struct memory_dev_type *memtype) + } + EXPORT_SYMBOL_GPL(clear_node_memory_type); + +-static void dump_hmem_attrs(struct node_hmem_attrs *attrs, const char *prefix) ++static void dump_hmem_attrs(struct access_coordinate *coord, const char *prefix) + { + pr_info( + "%sread_latency: %u, write_latency: %u, read_bandwidth: %u, write_bandwidth: %u\n", +- prefix, attrs->read_latency, attrs->write_latency, +- attrs->read_bandwidth, attrs->write_bandwidth); ++ prefix, coord->read_latency, coord->write_latency, ++ coord->read_bandwidth, coord->write_bandwidth); + } + +-int mt_set_default_dram_perf(int nid, struct node_hmem_attrs *perf, ++int mt_set_default_dram_perf(int nid, struct access_coordinate *perf, + const char *source) + { + int rc = 0; +@@ -665,7 +665,7 @@ int mt_set_default_dram_perf(int nid, struct node_hmem_attrs *perf, + return rc; + } + +-int mt_perf_to_adistance(struct node_hmem_attrs *perf, int *adist) ++int mt_perf_to_adistance(struct access_coordinate *perf, int *adist) + { + if (default_dram_perf_error) + return -EIO; +-- +2.51.0 + diff --git a/queue-6.6/base-node-acpi-enumerate-node-access-class-for-struc.patch b/queue-6.6/base-node-acpi-enumerate-node-access-class-for-struc.patch new file mode 100644 index 0000000000..365c1d682f --- /dev/null +++ b/queue-6.6/base-node-acpi-enumerate-node-access-class-for-struc.patch @@ -0,0 +1,206 @@ +From 23628c38fab8c91219cc4fd8b668c5df00fccaeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Mar 2024 14:59:21 -0700 +Subject: base/node / ACPI: Enumerate node access class for 'struct + access_coordinate' + +From: Dave Jiang + +[ Upstream commit 11270e526276ffad4c4237acb393da82a3287487 ] + +Both generic node and HMAT handling code have been using magic numbers to +indicate access classes for 'struct access_coordinate'. Introduce enums to +enumerate the access0 and access1 classes shared by the two subsystems. +Update the function parameters and callers as appropriate to utilize the +new enum. + +Access0 is named to ACCESS_COORDINATE_LOCAL in order to indicate that the +access class is for 'struct access_coordinate' between a target node and +the nearest initiator node. + +Access1 is named to ACCESS_COORDINATE_CPU in order to indicate that the +access class is for 'struct access_coordinate' between a target node and +the nearest CPU node. + +Cc: Greg Kroah-Hartman +Cc: Rafael J. Wysocki +Reviewed-by: Jonathan Cameron +Tested-by: Jonathan Cameron +Acked-by: Greg Kroah-Hartman +Signed-off-by: Dave Jiang +Link: https://lore.kernel.org/r/20240308220055.2172956-3-dave.jiang@intel.com +Signed-off-by: Dan Williams +Stable-dep-of: 214291cbaace ("acpi/hmat: Fix lockdep warning for hmem_register_resource()") +Signed-off-by: Sasha Levin +--- + drivers/acpi/numa/hmat.c | 26 ++++++++++++++------------ + drivers/base/node.c | 6 +++--- + include/linux/node.h | 18 +++++++++++++++--- + 3 files changed, 32 insertions(+), 18 deletions(-) + +diff --git a/drivers/acpi/numa/hmat.c b/drivers/acpi/numa/hmat.c +index 8a1802e078f3c..570be52c8d90a 100644 +--- a/drivers/acpi/numa/hmat.c ++++ b/drivers/acpi/numa/hmat.c +@@ -59,9 +59,7 @@ struct target_cache { + }; + + enum { +- NODE_ACCESS_CLASS_0 = 0, +- NODE_ACCESS_CLASS_1, +- NODE_ACCESS_CLASS_GENPORT_SINK, ++ NODE_ACCESS_CLASS_GENPORT_SINK = ACCESS_COORDINATE_MAX, + NODE_ACCESS_CLASS_MAX, + }; + +@@ -333,11 +331,11 @@ static __init void hmat_update_target(unsigned int tgt_pxm, unsigned int init_px + + if (target && target->processor_pxm == init_pxm) { + hmat_update_target_access(target, type, value, +- NODE_ACCESS_CLASS_0); ++ ACCESS_COORDINATE_LOCAL); + /* If the node has a CPU, update access 1 */ + if (node_state(pxm_to_node(init_pxm), N_CPU)) + hmat_update_target_access(target, type, value, +- NODE_ACCESS_CLASS_1); ++ ACCESS_COORDINATE_CPU); + } + } + +@@ -668,7 +666,8 @@ static void hmat_update_target_attrs(struct memory_target *target, + */ + if (target->processor_pxm != PXM_INVAL) { + cpu_nid = pxm_to_node(target->processor_pxm); +- if (access == 0 || node_state(cpu_nid, N_CPU)) { ++ if (access == ACCESS_COORDINATE_LOCAL || ++ node_state(cpu_nid, N_CPU)) { + set_bit(target->processor_pxm, p_nodes); + return; + } +@@ -696,7 +695,8 @@ static void hmat_update_target_attrs(struct memory_target *target, + list_for_each_entry(initiator, &initiators, node) { + u32 value; + +- if (access == 1 && !initiator->has_cpu) { ++ if (access == ACCESS_COORDINATE_CPU && ++ !initiator->has_cpu) { + clear_bit(initiator->processor_pxm, p_nodes); + continue; + } +@@ -741,8 +741,10 @@ static void hmat_register_target_initiators(struct memory_target *target) + { + static DECLARE_BITMAP(p_nodes, MAX_NUMNODES); + +- __hmat_register_target_initiators(target, p_nodes, 0); +- __hmat_register_target_initiators(target, p_nodes, 1); ++ __hmat_register_target_initiators(target, p_nodes, ++ ACCESS_COORDINATE_LOCAL); ++ __hmat_register_target_initiators(target, p_nodes, ++ ACCESS_COORDINATE_CPU); + } + + static void hmat_register_target_cache(struct memory_target *target) +@@ -813,8 +815,8 @@ static void hmat_register_target(struct memory_target *target) + if (!target->registered) { + hmat_register_target_initiators(target); + hmat_register_target_cache(target); +- hmat_register_target_perf(target, NODE_ACCESS_CLASS_0); +- hmat_register_target_perf(target, NODE_ACCESS_CLASS_1); ++ hmat_register_target_perf(target, ACCESS_COORDINATE_LOCAL); ++ hmat_register_target_perf(target, ACCESS_COORDINATE_CPU); + target->registered = true; + } + mutex_unlock(&target_lock); +@@ -886,7 +888,7 @@ static int hmat_calculate_adistance(struct notifier_block *self, + return NOTIFY_OK; + + mutex_lock(&target_lock); +- hmat_update_target_attrs(target, p_nodes, 1); ++ hmat_update_target_attrs(target, p_nodes, ACCESS_COORDINATE_CPU); + mutex_unlock(&target_lock); + + perf = &target->coord[1]; +diff --git a/drivers/base/node.c b/drivers/base/node.c +index 9a312650bd57e..2b398c8a0f06c 100644 +--- a/drivers/base/node.c ++++ b/drivers/base/node.c +@@ -126,7 +126,7 @@ static void node_access_release(struct device *dev) + } + + static struct node_access_nodes *node_init_node_access(struct node *node, +- unsigned int access) ++ enum access_coordinate_class access) + { + struct node_access_nodes *access_node; + struct device *dev; +@@ -191,7 +191,7 @@ static struct attribute *access_attrs[] = { + * @access: The access class the for the given attributes + */ + void node_set_perf_attrs(unsigned int nid, struct access_coordinate *coord, +- unsigned int access) ++ enum access_coordinate_class access) + { + struct node_access_nodes *c; + struct node *node; +@@ -689,7 +689,7 @@ int register_cpu_under_node(unsigned int cpu, unsigned int nid) + */ + int register_memory_node_under_compute_node(unsigned int mem_nid, + unsigned int cpu_nid, +- unsigned int access) ++ enum access_coordinate_class access) + { + struct node *init_node, *targ_node; + struct node_access_nodes *initiator, *target; +diff --git a/include/linux/node.h b/include/linux/node.h +index 25b66d705ee2e..dfc004e4bee74 100644 +--- a/include/linux/node.h ++++ b/include/linux/node.h +@@ -34,6 +34,18 @@ struct access_coordinate { + unsigned int write_latency; + }; + ++/* ++ * ACCESS_COORDINATE_LOCAL correlates to ACCESS CLASS 0 ++ * - access_coordinate between target node and nearest initiator node ++ * ACCESS_COORDINATE_CPU correlates to ACCESS CLASS 1 ++ * - access_coordinate between target node and nearest CPU node ++ */ ++enum access_coordinate_class { ++ ACCESS_COORDINATE_LOCAL, ++ ACCESS_COORDINATE_CPU, ++ ACCESS_COORDINATE_MAX ++}; ++ + enum cache_indexing { + NODE_CACHE_DIRECT_MAP, + NODE_CACHE_INDEXED, +@@ -66,7 +78,7 @@ struct node_cache_attrs { + #ifdef CONFIG_HMEM_REPORTING + void node_add_cache(unsigned int nid, struct node_cache_attrs *cache_attrs); + void node_set_perf_attrs(unsigned int nid, struct access_coordinate *coord, +- unsigned access); ++ enum access_coordinate_class access); + #else + static inline void node_add_cache(unsigned int nid, + struct node_cache_attrs *cache_attrs) +@@ -75,7 +87,7 @@ static inline void node_add_cache(unsigned int nid, + + static inline void node_set_perf_attrs(unsigned int nid, + struct access_coordinate *coord, +- unsigned access) ++ enum access_coordinate_class access) + { + } + #endif +@@ -137,7 +149,7 @@ extern void unregister_memory_block_under_nodes(struct memory_block *mem_blk); + + extern int register_memory_node_under_compute_node(unsigned int mem_nid, + unsigned int cpu_nid, +- unsigned access); ++ enum access_coordinate_class access); + #else + static inline void node_dev_init(void) + { +-- +2.51.0 + diff --git a/queue-6.6/cifs-fix-uncached-read-into-iter_kvec-iterator.patch b/queue-6.6/cifs-fix-uncached-read-into-iter_kvec-iterator.patch new file mode 100644 index 0000000000..c2f243b44b --- /dev/null +++ b/queue-6.6/cifs-fix-uncached-read-into-iter_kvec-iterator.patch @@ -0,0 +1,161 @@ +From 34fb329ea4be280a110a7e1ff8a475173d873a4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Nov 2025 06:13:35 +0000 +Subject: cifs: Fix uncached read into ITER_KVEC iterator + +From: David Howells + +If a cifs share is mounted cache=none, internal reads (such as by exec) +will pass a KVEC iterator down from __cifs_readv() to +cifs_send_async_read() which will then call cifs_limit_bvec_subset() upon +it to limit the number of contiguous elements for RDMA purposes. This +doesn't work on non-BVEC iterators, however. + +Fix this by extracting a KVEC iterator into a BVEC iterator in +__cifs_readv() (it would be dup'd anyway it async). + +This caused the following warning: + + WARNING: CPU: 0 PID: 6290 at fs/smb/client/file.c:3549 cifs_limit_bvec_subset+0xe/0xc0 + ... + Call Trace: + + cifs_send_async_read+0x146/0x2e0 + __cifs_readv+0x207/0x2d0 + __kernel_read+0xf6/0x160 + search_binary_handler+0x49/0x210 + exec_binprm+0x4a/0x140 + bprm_execve.part.0+0xe4/0x170 + do_execveat_common.isra.0+0x196/0x1c0 + do_execve+0x1f/0x30 + +Fixes: d08089f649a0 ("cifs: Change the I/O paths to use an iterator rather than a page list") +Acked-by: Bharath SM +Tested-by: Bharath SM +Signed-off-by: David Howells +cc: stable@kernel.org # v6.6~v6.9 +Signed-off-by: Sasha Levin +--- + fs/smb/client/file.c | 97 ++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 94 insertions(+), 3 deletions(-) + +diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c +index 1f0a53738426e..92e43589fd83f 100644 +--- a/fs/smb/client/file.c ++++ b/fs/smb/client/file.c +@@ -37,6 +37,81 @@ + #include "cifs_ioctl.h" + #include "cached_dir.h" + ++/* ++ * Allocate a bio_vec array and extract up to sg_max pages from a KVEC-type ++ * iterator and add them to the array. This can deal with vmalloc'd buffers as ++ * well as kmalloc'd or static buffers. The pages are not pinned. ++ */ ++static ssize_t extract_kvec_to_bvec(struct iov_iter *iter, ssize_t maxsize, ++ unsigned int bc_max, ++ struct bio_vec **_bv, unsigned int *_bc) ++{ ++ const struct kvec *kv = iter->kvec; ++ struct bio_vec *bv; ++ unsigned long start = iter->iov_offset; ++ unsigned int i, bc = 0; ++ ssize_t ret = 0; ++ ++ bc_max = iov_iter_npages(iter, bc_max); ++ if (bc_max == 0) { ++ *_bv = NULL; ++ *_bc = 0; ++ return 0; ++ } ++ ++ bv = kvmalloc(array_size(bc_max, sizeof(*bv)), GFP_NOFS); ++ if (!bv) { ++ *_bv = NULL; ++ *_bc = 0; ++ return -ENOMEM; ++ } ++ *_bv = bv; ++ ++ for (i = 0; i < iter->nr_segs; i++) { ++ struct page *page; ++ unsigned long kaddr; ++ size_t off, len, seg; ++ ++ len = kv[i].iov_len; ++ if (start >= len) { ++ start -= len; ++ continue; ++ } ++ ++ kaddr = (unsigned long)kv[i].iov_base + start; ++ off = kaddr & ~PAGE_MASK; ++ len = min_t(size_t, maxsize, len - start); ++ kaddr &= PAGE_MASK; ++ ++ maxsize -= len; ++ ret += len; ++ do { ++ seg = umin(len, PAGE_SIZE - off); ++ if (is_vmalloc_or_module_addr((void *)kaddr)) ++ page = vmalloc_to_page((void *)kaddr); ++ else ++ page = virt_to_page((void *)kaddr); ++ ++ bvec_set_page(bv, page, len, off); ++ bv++; ++ bc++; ++ ++ len -= seg; ++ kaddr += PAGE_SIZE; ++ off = 0; ++ } while (len > 0 && bc < bc_max); ++ ++ if (maxsize <= 0 || bc >= bc_max) ++ break; ++ start = 0; ++ } ++ ++ if (ret > 0) ++ iov_iter_advance(iter, ret); ++ *_bc = bc; ++ return ret; ++} ++ + /* + * Remove the dirty flags from a span of pages. + */ +@@ -4330,11 +4405,27 @@ static ssize_t __cifs_readv( + ctx->bv = (void *)ctx->iter.bvec; + ctx->bv_need_unpin = iov_iter_extract_will_pin(to); + ctx->should_dirty = true; +- } else if ((iov_iter_is_bvec(to) || iov_iter_is_kvec(to)) && +- !is_sync_kiocb(iocb)) { ++ } else if (iov_iter_is_kvec(to)) { ++ /* ++ * Extract a KVEC-type iterator into a BVEC-type iterator. We ++ * assume that the storage will be retained by the caller; in ++ * any case, we may or may not be able to pin the pages, so we ++ * don't try. ++ */ ++ unsigned int bc; ++ ++ rc = extract_kvec_to_bvec(to, iov_iter_count(to), INT_MAX, ++ &ctx->bv, &bc); ++ if (rc < 0) { ++ kref_put(&ctx->refcount, cifs_aio_ctx_release); ++ return rc; ++ } ++ ++ iov_iter_bvec(&ctx->iter, ITER_DEST, ctx->bv, bc, rc); ++ } else if (iov_iter_is_bvec(to) && !is_sync_kiocb(iocb)) { + /* + * If the op is asynchronous, we need to copy the list attached +- * to a BVEC/KVEC-type iterator, but we assume that the storage ++ * to a BVEC-type iterator, but we assume that the storage + * will be retained by the caller; in any case, we may or may + * not be able to pin the pages, so we don't try. + */ +-- +2.51.0 + diff --git a/queue-6.6/drm-vmwgfx-validate-command-header-size-against-svga.patch b/queue-6.6/drm-vmwgfx-validate-command-header-size-against-svga.patch new file mode 100644 index 0000000000..1df73d296e --- /dev/null +++ b/queue-6.6/drm-vmwgfx-validate-command-header-size-against-svga.patch @@ -0,0 +1,44 @@ +From a35ede596ee68fef3c70c95f51fdeb290a537a24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Oct 2025 14:01:28 -0500 +Subject: drm/vmwgfx: Validate command header size against + SVGA_CMD_MAX_DATASIZE + +From: Ian Forbes + +[ Upstream commit 32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af ] + +This data originates from userspace and is used in buffer offset +calculations which could potentially overflow causing an out-of-bounds +access. + +Fixes: 8ce75f8ab904 ("drm/vmwgfx: Update device includes for DX device functionality") +Reported-by: Rohit Keshri +Signed-off-by: Ian Forbes +Reviewed-by: Maaz Mombasawala +Signed-off-by: Zack Rusin +Link: https://patch.msgid.link/20251021190128.13014-1-ian.forbes@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +index b235e7cc41f3f..92b3e44d022fe 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +@@ -3683,6 +3683,11 @@ static int vmw_cmd_check(struct vmw_private *dev_priv, + + + cmd_id = header->id; ++ if (header->size > SVGA_CMD_MAX_DATASIZE) { ++ VMW_DEBUG_USER("SVGA3D command: %d is too big.\n", ++ cmd_id + SVGA_3D_CMD_BASE); ++ return -E2BIG; ++ } + *size = header->size + sizeof(SVGA3dCmdHeader); + + cmd_id -= SVGA_3D_CMD_BASE; +-- +2.51.0 + diff --git a/queue-6.6/memory-tiering-add-abstract-distance-calculation-alg.patch b/queue-6.6/memory-tiering-add-abstract-distance-calculation-alg.patch new file mode 100644 index 0000000000..cfb076cf48 --- /dev/null +++ b/queue-6.6/memory-tiering-add-abstract-distance-calculation-alg.patch @@ -0,0 +1,195 @@ +From 3f10174821971030a93a621aef5ed3869e502969 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Sep 2023 14:06:25 +0800 +Subject: memory tiering: add abstract distance calculation algorithms + management + +From: Huang Ying + +[ Upstream commit 07a8bdd4120ced3490ef9adf51b8086af0aaa8e7 ] + +Patch series "memory tiering: calculate abstract distance based on ACPI +HMAT", v4. + +We have the explicit memory tiers framework to manage systems with +multiple types of memory, e.g., DRAM in DIMM slots and CXL memory devices. +Where, same kind of memory devices will be grouped into memory types, +then put into memory tiers. To describe the performance of a memory type, +abstract distance is defined. Which is in direct proportion to the memory +latency and inversely proportional to the memory bandwidth. To keep the +code as simple as possible, fixed abstract distance is used in dax/kmem to +describe slow memory such as Optane DCPMM. + +To support more memory types, in this series, we added the abstract +distance calculation algorithm management mechanism, provided a algorithm +implementation based on ACPI HMAT, and used the general abstract distance +calculation interface in dax/kmem driver. So, dax/kmem can support HBM +(high bandwidth memory) in addition to the original Optane DCPMM. + +This patch (of 4): + +The abstract distance may be calculated by various drivers, such as ACPI +HMAT, CXL CDAT, etc. While it may be used by various code which hot-add +memory node, such as dax/kmem etc. To decouple the algorithm users and +the providers, the abstract distance calculation algorithms management +mechanism is implemented in this patch. It provides interface for the +providers to register the implementation, and interface for the users. + +Multiple algorithm implementations can cooperate via calculating abstract +distance for different memory nodes. The preference of algorithm +implementations can be specified via priority (notifier_block.priority). + +Link: https://lkml.kernel.org/r/20230926060628.265989-1-ying.huang@intel.com +Link: https://lkml.kernel.org/r/20230926060628.265989-2-ying.huang@intel.com +Signed-off-by: "Huang, Ying" +Tested-by: Bharata B Rao +Reviewed-by: Alistair Popple +Reviewed-by: Dave Jiang +Cc: Aneesh Kumar K.V +Cc: Wei Xu +Cc: Dan Williams +Cc: Dave Hansen +Cc: Davidlohr Bueso +Cc: Johannes Weiner +Cc: Jonathan Cameron +Cc: Michal Hocko +Cc: Yang Shi +Cc: Rafael J Wysocki +Signed-off-by: Andrew Morton +Stable-dep-of: 214291cbaace ("acpi/hmat: Fix lockdep warning for hmem_register_resource()") +Signed-off-by: Sasha Levin +--- + include/linux/memory-tiers.h | 19 ++++++++++++ + mm/memory-tiers.c | 59 ++++++++++++++++++++++++++++++++++++ + 2 files changed, 78 insertions(+) + +diff --git a/include/linux/memory-tiers.h b/include/linux/memory-tiers.h +index 437441cdf78fb..c8382220cced9 100644 +--- a/include/linux/memory-tiers.h ++++ b/include/linux/memory-tiers.h +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + /* + * Each tier cover a abstrace distance chunk size of 128 + */ +@@ -36,6 +37,9 @@ struct memory_dev_type *alloc_memory_type(int adistance); + void put_memory_type(struct memory_dev_type *memtype); + void init_node_memory_type(int node, struct memory_dev_type *default_type); + void clear_node_memory_type(int node, struct memory_dev_type *memtype); ++int register_mt_adistance_algorithm(struct notifier_block *nb); ++int unregister_mt_adistance_algorithm(struct notifier_block *nb); ++int mt_calc_adistance(int node, int *adist); + #ifdef CONFIG_MIGRATION + int next_demotion_node(int node); + void node_get_allowed_targets(pg_data_t *pgdat, nodemask_t *targets); +@@ -97,5 +101,20 @@ static inline bool node_is_toptier(int node) + { + return true; + } ++ ++static inline int register_mt_adistance_algorithm(struct notifier_block *nb) ++{ ++ return 0; ++} ++ ++static inline int unregister_mt_adistance_algorithm(struct notifier_block *nb) ++{ ++ return 0; ++} ++ ++static inline int mt_calc_adistance(int node, int *adist) ++{ ++ return NOTIFY_DONE; ++} + #endif /* CONFIG_NUMA */ + #endif /* _LINUX_MEMORY_TIERS_H */ +diff --git a/mm/memory-tiers.c b/mm/memory-tiers.c +index 37a4f59d9585b..76c0ad47a5ad3 100644 +--- a/mm/memory-tiers.c ++++ b/mm/memory-tiers.c +@@ -5,6 +5,7 @@ + #include + #include + #include ++#include + + #include "internal.h" + +@@ -105,6 +106,8 @@ static int top_tier_adistance; + static struct demotion_nodes *node_demotion __read_mostly; + #endif /* CONFIG_MIGRATION */ + ++static BLOCKING_NOTIFIER_HEAD(mt_adistance_algorithms); ++ + static inline struct memory_tier *to_memory_tier(struct device *device) + { + return container_of(device, struct memory_tier, dev); +@@ -592,6 +595,62 @@ void clear_node_memory_type(int node, struct memory_dev_type *memtype) + } + EXPORT_SYMBOL_GPL(clear_node_memory_type); + ++/** ++ * register_mt_adistance_algorithm() - Register memory tiering abstract distance algorithm ++ * @nb: The notifier block which describe the algorithm ++ * ++ * Return: 0 on success, errno on error. ++ * ++ * Every memory tiering abstract distance algorithm provider needs to ++ * register the algorithm with register_mt_adistance_algorithm(). To ++ * calculate the abstract distance for a specified memory node, the ++ * notifier function will be called unless some high priority ++ * algorithm has provided result. The prototype of the notifier ++ * function is as follows, ++ * ++ * int (*algorithm_notifier)(struct notifier_block *nb, ++ * unsigned long nid, void *data); ++ * ++ * Where "nid" specifies the memory node, "data" is the pointer to the ++ * returned abstract distance (that is, "int *adist"). If the ++ * algorithm provides the result, NOTIFY_STOP should be returned. ++ * Otherwise, return_value & %NOTIFY_STOP_MASK == 0 to allow the next ++ * algorithm in the chain to provide the result. ++ */ ++int register_mt_adistance_algorithm(struct notifier_block *nb) ++{ ++ return blocking_notifier_chain_register(&mt_adistance_algorithms, nb); ++} ++EXPORT_SYMBOL_GPL(register_mt_adistance_algorithm); ++ ++/** ++ * unregister_mt_adistance_algorithm() - Unregister memory tiering abstract distance algorithm ++ * @nb: the notifier block which describe the algorithm ++ * ++ * Return: 0 on success, errno on error. ++ */ ++int unregister_mt_adistance_algorithm(struct notifier_block *nb) ++{ ++ return blocking_notifier_chain_unregister(&mt_adistance_algorithms, nb); ++} ++EXPORT_SYMBOL_GPL(unregister_mt_adistance_algorithm); ++ ++/** ++ * mt_calc_adistance() - Calculate abstract distance with registered algorithms ++ * @node: the node to calculate abstract distance for ++ * @adist: the returned abstract distance ++ * ++ * Return: if return_value & %NOTIFY_STOP_MASK != 0, then some ++ * abstract distance algorithm provides the result, and return it via ++ * @adist. Otherwise, no algorithm can provide the result and @adist ++ * will be kept as it is. ++ */ ++int mt_calc_adistance(int node, int *adist) ++{ ++ return blocking_notifier_call_chain(&mt_adistance_algorithms, node, adist); ++} ++EXPORT_SYMBOL_GPL(mt_calc_adistance); ++ + static int __meminit memtier_hotplug_callback(struct notifier_block *self, + unsigned long action, void *_arg) + { +-- +2.51.0 + diff --git a/queue-6.6/nfs-enable-nconnect-for-rdma.patch b/queue-6.6/nfs-enable-nconnect-for-rdma.patch new file mode 100644 index 0000000000..fac55e86a0 --- /dev/null +++ b/queue-6.6/nfs-enable-nconnect-for-rdma.patch @@ -0,0 +1,57 @@ +From 2f95754e3077b2a31eff6d006adf7bfc4b48bfac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Feb 2024 13:31:47 -0500 +Subject: NFS: enable nconnect for RDMA + +From: Trond Myklebust + +[ Upstream commit b326df4a8ec6ef53e2e2f1c2cbf14f8a20e85baa ] + +It appears that in certain cases, RDMA capable transports can benefit +from the ability to establish multiple connections to increase their +throughput. This patch therefore enables the use of the "nconnect" mount +option for those use cases. + +Signed-off-by: Trond Myklebust +Stable-dep-of: 8ab523ce78d4 ("pnfs: Set transport security policy to RPC_XPRTSEC_NONE unless using TLS") +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs3client.c | 1 + + fs/nfs/nfs4client.c | 2 ++ + 2 files changed, 3 insertions(+) + +diff --git a/fs/nfs/nfs3client.c b/fs/nfs/nfs3client.c +index 674c012868b1a..b0c8a39c2bbde 100644 +--- a/fs/nfs/nfs3client.c ++++ b/fs/nfs/nfs3client.c +@@ -111,6 +111,7 @@ struct nfs_client *nfs3_set_ds_client(struct nfs_server *mds_srv, + cl_init.hostname = buf; + + switch (ds_proto) { ++ case XPRT_TRANSPORT_RDMA: + case XPRT_TRANSPORT_TCP: + case XPRT_TRANSPORT_TCP_TLS: + if (mds_clp->cl_nconnect > 1) +diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c +index 32b1147fcafc4..aaf723471228b 100644 +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -924,6 +924,7 @@ static int nfs4_set_client(struct nfs_server *server, + else + cl_init.max_connect = max_connect; + switch (proto) { ++ case XPRT_TRANSPORT_RDMA: + case XPRT_TRANSPORT_TCP: + case XPRT_TRANSPORT_TCP_TLS: + cl_init.nconnect = nconnect; +@@ -1000,6 +1001,7 @@ struct nfs_client *nfs4_set_ds_client(struct nfs_server *mds_srv, + cl_init.hostname = buf; + + switch (ds_proto) { ++ case XPRT_TRANSPORT_RDMA: + case XPRT_TRANSPORT_TCP: + case XPRT_TRANSPORT_TCP_TLS: + if (mds_clp->cl_nconnect > 1) { +-- +2.51.0 + diff --git a/queue-6.6/nfs-sysfs-fix-leak-when-nfs_client-kobject-add-fails.patch b/queue-6.6/nfs-sysfs-fix-leak-when-nfs_client-kobject-add-fails.patch new file mode 100644 index 0000000000..b17afee709 --- /dev/null +++ b/queue-6.6/nfs-sysfs-fix-leak-when-nfs_client-kobject-add-fails.patch @@ -0,0 +1,37 @@ +From 174d664174f2e3aa71d9ee0f02598a51931ec5e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 11:03:25 +0800 +Subject: NFS: sysfs: fix leak when nfs_client kobject add fails + +From: Yang Xiuwei + +[ Upstream commit 7a7a3456520b309a0bffa1d9d62bd6c9dcab89b3 ] + +If adding the second kobject fails, drop both references to avoid sysfs +residue and memory leak. + +Fixes: e96f9268eea6 ("NFS: Make all of /sys/fs/nfs network-namespace unique") + +Signed-off-by: Yang Xiuwei +Reviewed-by: Benjamin Coddington +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/sysfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/nfs/sysfs.c b/fs/nfs/sysfs.c +index 784f7c1d003bf..53d4cdf28ee00 100644 +--- a/fs/nfs/sysfs.c ++++ b/fs/nfs/sysfs.c +@@ -189,6 +189,7 @@ static struct nfs_netns_client *nfs_netns_client_alloc(struct kobject *parent, + return p; + + kobject_put(&p->kobject); ++ kobject_put(&p->nfs_net_kobj); + } + return NULL; + } +-- +2.51.0 + diff --git a/queue-6.6/nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch b/queue-6.6/nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch new file mode 100644 index 0000000000..d12e892ed6 --- /dev/null +++ b/queue-6.6/nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch @@ -0,0 +1,56 @@ +From b9b7be011eea565b490c7d902e1711e312e26808 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Oct 2025 10:51:42 -0400 +Subject: NFSv4: Fix an incorrect parameter when calling nfs4_call_sync() + +From: Trond Myklebust + +[ Upstream commit 1f214e9c3aef2d0936be971072e991d78a174d71 ] + +The Smatch static checker noted that in _nfs4_proc_lookupp(), the flag +RPC_TASK_TIMEOUT is being passed as an argument to nfs4_init_sequence(), +which is clearly incorrect. +Since LOOKUPP is an idempotent operation, nfs4_init_sequence() should +not ask the server to cache the result. The RPC_TASK_TIMEOUT flag needs +to be passed down to the RPC layer. + +Reported-by: Dan Carpenter +Reported-by: Harshit Mogalapalli +Fixes: 76998ebb9158 ("NFSv4: Observe the NFS_MOUNT_SOFTREVAL flag in _nfs4_proc_lookupp") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 92e40e41443cd..a0a71a163ffed 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -4578,16 +4578,19 @@ static int _nfs4_proc_lookupp(struct inode *inode, + }; + unsigned short task_flags = 0; + +- if (NFS_SERVER(inode)->flags & NFS_MOUNT_SOFTREVAL) ++ if (server->flags & NFS_MOUNT_SOFTREVAL) + task_flags |= RPC_TASK_TIMEOUT; ++ if (server->caps & NFS_CAP_MOVEABLE) ++ task_flags |= RPC_TASK_MOVEABLE; + + args.bitmask = nfs4_bitmask(server, fattr->label); + + nfs_fattr_init(fattr); ++ nfs4_init_sequence(&args.seq_args, &res.seq_res, 0, 0); + + dprintk("NFS call lookupp ino=0x%lx\n", inode->i_ino); +- status = nfs4_call_sync(clnt, server, &msg, &args.seq_args, +- &res.seq_res, task_flags); ++ status = nfs4_do_call_sync(clnt, server, &msg, &args.seq_args, ++ &res.seq_res, task_flags); + dprintk("NFS reply lookupp: %d\n", status); + return status; + } +-- +2.51.0 + diff --git a/queue-6.6/pnfs-fix-tls-logic-in-_nfs4_pnfs_v4_ds_connect.patch b/queue-6.6/pnfs-fix-tls-logic-in-_nfs4_pnfs_v4_ds_connect.patch new file mode 100644 index 0000000000..cdf3981035 --- /dev/null +++ b/queue-6.6/pnfs-fix-tls-logic-in-_nfs4_pnfs_v4_ds_connect.patch @@ -0,0 +1,97 @@ +From 7ce5ddedcdc5383750687d04cf9f7336dd839657 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Oct 2025 20:10:34 -0400 +Subject: pnfs: Fix TLS logic in _nfs4_pnfs_v4_ds_connect() + +From: Trond Myklebust + +[ Upstream commit 28e19737e1570c7c71890547c2e43c3e0da79df9 ] + +Don't try to add an RDMA transport to a client that is already marked as +being a TCP/TLS transport. + +Fixes: a35518cae4b3 ("NFSv4.1/pnfs: fix NFS with TLS in pnfs") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/pnfs_nfs.c | 34 +++++++++++++++++----------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/fs/nfs/pnfs_nfs.c b/fs/nfs/pnfs_nfs.c +index 1b317c44da126..5314dabb725d8 100644 +--- a/fs/nfs/pnfs_nfs.c ++++ b/fs/nfs/pnfs_nfs.c +@@ -914,7 +914,10 @@ static int _nfs4_pnfs_v4_ds_connect(struct nfs_server *mds_srv, + u32 minor_version) + { + struct nfs_client *clp = ERR_PTR(-EIO); ++ struct nfs_client *mds_clp = mds_srv->nfs_client; ++ enum xprtsec_policies xprtsec_policy = mds_clp->cl_xprtsec.policy; + struct nfs4_pnfs_ds_addr *da; ++ int ds_proto; + int status = 0; + + dprintk("--> %s DS %s\n", __func__, ds->ds_remotestr); +@@ -942,12 +945,8 @@ static int _nfs4_pnfs_v4_ds_connect(struct nfs_server *mds_srv, + .data = &xprtdata, + }; + +- if (da->da_transport != clp->cl_proto && +- clp->cl_proto != XPRT_TRANSPORT_TCP_TLS) +- continue; +- if (da->da_transport == XPRT_TRANSPORT_TCP && +- mds_srv->nfs_client->cl_proto == +- XPRT_TRANSPORT_TCP_TLS) { ++ if (xprt_args.ident == XPRT_TRANSPORT_TCP && ++ clp->cl_proto == XPRT_TRANSPORT_TCP_TLS) { + struct sockaddr *addr = + (struct sockaddr *)&da->da_addr; + struct sockaddr_in *sin = +@@ -978,7 +977,10 @@ static int _nfs4_pnfs_v4_ds_connect(struct nfs_server *mds_srv, + xprt_args.ident = XPRT_TRANSPORT_TCP_TLS; + xprt_args.servername = servername; + } +- if (da->da_addr.ss_family != clp->cl_addr.ss_family) ++ if (xprt_args.ident != clp->cl_proto) ++ continue; ++ if (xprt_args.dstaddr->sa_family != ++ clp->cl_addr.ss_family) + continue; + + /** +@@ -992,15 +994,14 @@ static int _nfs4_pnfs_v4_ds_connect(struct nfs_server *mds_srv, + if (xprtdata.cred) + put_cred(xprtdata.cred); + } else { +- if (da->da_transport == XPRT_TRANSPORT_TCP && +- mds_srv->nfs_client->cl_proto == +- XPRT_TRANSPORT_TCP_TLS) +- da->da_transport = XPRT_TRANSPORT_TCP_TLS; +- clp = nfs4_set_ds_client(mds_srv, +- &da->da_addr, +- da->da_addrlen, +- da->da_transport, timeo, +- retrans, minor_version); ++ ds_proto = da->da_transport; ++ if (ds_proto == XPRT_TRANSPORT_TCP && ++ xprtsec_policy != RPC_XPRTSEC_NONE) ++ ds_proto = XPRT_TRANSPORT_TCP_TLS; ++ ++ clp = nfs4_set_ds_client(mds_srv, &da->da_addr, ++ da->da_addrlen, ds_proto, ++ timeo, retrans, minor_version); + if (IS_ERR(clp)) + continue; + +@@ -1011,7 +1012,6 @@ static int _nfs4_pnfs_v4_ds_connect(struct nfs_server *mds_srv, + clp = ERR_PTR(-EIO); + continue; + } +- + } + } + +-- +2.51.0 + diff --git a/queue-6.6/pnfs-set-transport-security-policy-to-rpc_xprtsec_no.patch b/queue-6.6/pnfs-set-transport-security-policy-to-rpc_xprtsec_no.patch new file mode 100644 index 0000000000..acc93881d0 --- /dev/null +++ b/queue-6.6/pnfs-set-transport-security-policy-to-rpc_xprtsec_no.patch @@ -0,0 +1,109 @@ +From b6d2dbc38d97dce0b0e90a922833213efdcb68c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Oct 2025 20:10:35 -0400 +Subject: pnfs: Set transport security policy to RPC_XPRTSEC_NONE unless using + TLS + +From: Trond Myklebust + +[ Upstream commit 8ab523ce78d4ca13add6b4ecbacff0f84c274603 ] + +The default setting for the transport security policy must be +RPC_XPRTSEC_NONE, when using a TCP or RDMA connection without TLS. +Conversely, when using TLS, the security policy needs to be set. + +Fixes: 6c0a8c5fcf71 ("NFS: Have struct nfs_client carry a TLS policy field") +Signed-off-by: Trond Myklebust +Reviewed-by: Chuck Lever +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs3client.c | 14 ++++++++++++-- + fs/nfs/nfs4client.c | 14 ++++++++++++-- + 2 files changed, 24 insertions(+), 4 deletions(-) + +diff --git a/fs/nfs/nfs3client.c b/fs/nfs/nfs3client.c +index b0c8a39c2bbde..1aa4c43c9b3b4 100644 +--- a/fs/nfs/nfs3client.c ++++ b/fs/nfs/nfs3client.c +@@ -2,6 +2,7 @@ + #include + #include + #include ++#include + #include "internal.h" + #include "nfs3_fs.h" + #include "netns.h" +@@ -98,7 +99,11 @@ struct nfs_client *nfs3_set_ds_client(struct nfs_server *mds_srv, + .net = mds_clp->cl_net, + .timeparms = &ds_timeout, + .cred = mds_srv->cred, +- .xprtsec = mds_clp->cl_xprtsec, ++ .xprtsec = { ++ .policy = RPC_XPRTSEC_NONE, ++ .cert_serial = TLS_NO_CERT, ++ .privkey_serial = TLS_NO_PRIVKEY, ++ }, + .connect_timeout = connect_timeout, + .reconnect_timeout = connect_timeout, + }; +@@ -111,9 +116,14 @@ struct nfs_client *nfs3_set_ds_client(struct nfs_server *mds_srv, + cl_init.hostname = buf; + + switch (ds_proto) { ++ case XPRT_TRANSPORT_TCP_TLS: ++ if (mds_clp->cl_xprtsec.policy != RPC_XPRTSEC_NONE) ++ cl_init.xprtsec = mds_clp->cl_xprtsec; ++ else ++ ds_proto = XPRT_TRANSPORT_TCP; ++ fallthrough; + case XPRT_TRANSPORT_RDMA: + case XPRT_TRANSPORT_TCP: +- case XPRT_TRANSPORT_TCP_TLS: + if (mds_clp->cl_nconnect > 1) + cl_init.nconnect = mds_clp->cl_nconnect; + } +diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c +index aaf723471228b..b14688da814d6 100644 +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include "internal.h" + #include "callback.h" + #include "delegation.h" +@@ -992,7 +993,11 @@ struct nfs_client *nfs4_set_ds_client(struct nfs_server *mds_srv, + .net = mds_clp->cl_net, + .timeparms = &ds_timeout, + .cred = mds_srv->cred, +- .xprtsec = mds_srv->nfs_client->cl_xprtsec, ++ .xprtsec = { ++ .policy = RPC_XPRTSEC_NONE, ++ .cert_serial = TLS_NO_CERT, ++ .privkey_serial = TLS_NO_PRIVKEY, ++ }, + }; + char buf[INET6_ADDRSTRLEN + 1]; + +@@ -1001,9 +1006,14 @@ struct nfs_client *nfs4_set_ds_client(struct nfs_server *mds_srv, + cl_init.hostname = buf; + + switch (ds_proto) { ++ case XPRT_TRANSPORT_TCP_TLS: ++ if (mds_srv->nfs_client->cl_xprtsec.policy != RPC_XPRTSEC_NONE) ++ cl_init.xprtsec = mds_srv->nfs_client->cl_xprtsec; ++ else ++ ds_proto = XPRT_TRANSPORT_TCP; ++ fallthrough; + case XPRT_TRANSPORT_RDMA: + case XPRT_TRANSPORT_TCP: +- case XPRT_TRANSPORT_TCP_TLS: + if (mds_clp->cl_nconnect > 1) { + cl_init.nconnect = mds_clp->cl_nconnect; + cl_init.max_connect = NFS_MAX_TRANSPORTS; +-- +2.51.0 + diff --git a/queue-6.6/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch b/queue-6.6/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch new file mode 100644 index 0000000000..b6bf3de96f --- /dev/null +++ b/queue-6.6/regulator-fixed-fix-gpio-descriptor-leak-on-register.patch @@ -0,0 +1,42 @@ +From bacb5b6883fd83ccf73a025016a09025e46aa49f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 01:28:28 +0800 +Subject: regulator: fixed: fix GPIO descriptor leak on register failure + +From: Haotian Zhang + +[ Upstream commit 636f4618b1cd96f6b5a2b8c7c4f665c8533ecf13 ] + +In the commit referenced by the Fixes tag, +devm_gpiod_get_optional() was replaced by manual +GPIO management, relying on the regulator core to release the +GPIO descriptor. However, this approach does not account for the +error path: when regulator registration fails, the core never +takes over the GPIO, resulting in a resource leak. + +Add gpiod_put() before returning on regulator registration failure. + +Fixes: 5e6f3ae5c13b ("regulator: fixed: Let core handle GPIO descriptor") +Signed-off-by: Haotian Zhang +Link: https://patch.msgid.link/20251028172828.625-1-vulab@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/fixed.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/regulator/fixed.c b/drivers/regulator/fixed.c +index 55130efae9b8b..4477bdeb9e60f 100644 +--- a/drivers/regulator/fixed.c ++++ b/drivers/regulator/fixed.c +@@ -286,6 +286,7 @@ static int reg_fixed_voltage_probe(struct platform_device *pdev) + ret = dev_err_probe(&pdev->dev, PTR_ERR(drvdata->dev), + "Failed to register regulator: %ld\n", + PTR_ERR(drvdata->dev)); ++ gpiod_put(cfg.ena_gpiod); + return ret; + } + +-- +2.51.0 + diff --git a/queue-6.6/series b/queue-6.6/series index 085f4fd3bb..79211ed8ae 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -420,3 +420,26 @@ acpi-cppc-perform-fast-check-switch-only-for-online-.patch acpi-cppc-limit-perf-ctrs-in-pcc-check-only-to-onlin.patch bluetooth-l2cap-export-l2cap_chan_hold-for-modules.patch cifs-stop-writeback-extension-when-change-of-size-is.patch +cifs-fix-uncached-read-into-iter_kvec-iterator.patch +acpi-srat-fix-incorrect-device-handle-check-for-gene.patch +regulator-fixed-fix-gpio-descriptor-leak-on-register.patch +asoc-cs4271-fix-regulator-leak-on-probe-failure.patch +asoc-codecs-va-macro-fix-resource-leak-in-probe-erro.patch +drm-vmwgfx-validate-command-header-size-against-svga.patch +asoc-tas2781-fix-getting-the-wrong-device-number.patch +pnfs-fix-tls-logic-in-_nfs4_pnfs_v4_ds_connect.patch +nfs-enable-nconnect-for-rdma.patch +pnfs-set-transport-security-policy-to-rpc_xprtsec_no.patch +nfs-sysfs-fix-leak-when-nfs_client-kobject-add-fails.patch +nfsv4-fix-an-incorrect-parameter-when-calling-nfs4_c.patch +alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch +memory-tiering-add-abstract-distance-calculation-alg.patch +acpi-hmat-refactor-hmat_register_target_initiators.patch +acpi-hmat-calculate-abstract-distance-with-hmat.patch +base-node-acpi-change-node_hmem_attrs-to-access_coor.patch +acpi-numa-create-enum-for-memory_target-access-coord.patch +acpi-numa-add-genport-target-allocation-to-the-hmat-.patch +acpi-break-out-nesting-for-hmat_parse_locality.patch +acpi-numa-add-setting-of-generic-port-system-localit.patch +base-node-acpi-enumerate-node-access-class-for-struc.patch +acpi-hmat-fix-lockdep-warning-for-hmem_register_reso.patch -- 2.47.3