From c9b68919e6f71e4d07bbbdb8cd5ed20058c23350 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Sun, 26 Oct 2025 15:52:04 +0100
Subject: [PATCH] 6.12-stable patches
added patches:
acpica-work-around-bogus-wstringop-overread-warning-since-gcc-11.patch
arch_topology-fix-incorrect-error-check-in-topology_parse_cpu_capacity.patch
btrfs-directly-free-partially-initialized-fs_info-in-btrfs_check_leaked_roots.patch
can-netlink-can_changelink-allow-disabling-of-automatic-restart.patch
cifs-fix-tcp_server_info-credits-to-be-signed.patch
dma-debug-don-t-report-false-positives-with-dma_bounce_unaligned_kmalloc.patch
drm-amd-display-increase-max-link-count-and-fix-link-enc-null-pointer-access.patch
fs-notify-call-exportfs_encode_fid-with-s_umount.patch
gpio-104-idio-16-define-maximum-valid-register-address-offset.patch
gpio-pci-idio-16-define-maximum-valid-register-address-offset.patch
mips-malta-fix-keyboard-resource-preventing-i8042-driver-from-registering.patch
mm-prevent-poison-consumption-when-splitting-thp.patch
net-bonding-fix-possible-peer-notify-event-loss-or-dup-issue.patch
net-ravb-enforce-descriptor-type-ordering.patch
net-ravb-ensure-memory-write-completes-before-ringing-tx-doorbell.patch
net-stmmac-dwmac-rk-fix-disabling-set_clock_selection.patch
net-usb-rtl8150-fix-frame-padding.patch
ocfs2-clear-extent-cache-after-moving-defragmenting-extents.patch
revert-cpuidle-menu-avoid-discarding-useful-information.patch
selftests-mptcp-join-mark-flush-re-add-as-skipped-if-not-supported.patch
selftests-mptcp-join-mark-implicit-tests-as-skipped-if-not-supported.patch
slab-avoid-race-on-slab-obj_exts-in-alloc_slab_obj_exts.patch
slab-fix-obj_ext-mistakenly-considered-null-due-to-race-condition.patch
vsock-fix-lock-inversion-in-vsock_assign_transport.patch
xfs-fix-locking-in-xchk_nlinks_collect_dir.patch
---
...ringop-overread-warning-since-gcc-11.patch | 52 ++++++++
...check-in-topology_parse_cpu_capacity.patch | 48 +++++++
...-fs_info-in-btrfs_check_leaked_roots.patch | 76 +++++++++++
...allow-disabling-of-automatic-restart.patch | 62 +++++++++
...tcp_server_info-credits-to-be-signed.patch | 37 ++++++
...es-with-dma_bounce_unaligned_kmalloc.patch | 59 +++++++++
...and-fix-link-enc-null-pointer-access.patch | 60 +++++++++
...ll-exportfs_encode_fid-with-s_umount.patch | 106 +++++++++++++++
...aximum-valid-register-address-offset.patch | 39 ++++++
...aximum-valid-register-address-offset.patch | 39 ++++++
...enting-i8042-driver-from-registering.patch | 65 +++++++++
...oison-consumption-when-splitting-thp.patch | 125 ++++++++++++++++++
...-peer-notify-event-loss-or-dup-issue.patch | 113 ++++++++++++++++
...avb-enforce-descriptor-type-ordering.patch | 73 ++++++++++
...completes-before-ringing-tx-doorbell.patch | 52 ++++++++
...rk-fix-disabling-set_clock_selection.patch | 51 +++++++
.../net-usb-rtl8150-fix-frame-padding.patch | 54 ++++++++
...e-after-moving-defragmenting-extents.patch | 62 +++++++++
...-avoid-discarding-useful-information.patch | 78 +++++++++++
...h-re-add-as-skipped-if-not-supported.patch | 36 +++++
...it-tests-as-skipped-if-not-supported.patch | 45 +++++++
queue-6.12/series | 25 ++++
...slab-obj_exts-in-alloc_slab_obj_exts.patch | 72 ++++++++++
...onsidered-null-due-to-race-condition.patch | 73 ++++++++++
...-inversion-in-vsock_assign_transport.patch | 95 +++++++++++++
...x-locking-in-xchk_nlinks_collect_dir.patch | 98 ++++++++++++++
26 files changed, 1695 insertions(+)
create mode 100644 queue-6.12/acpica-work-around-bogus-wstringop-overread-warning-since-gcc-11.patch
create mode 100644 queue-6.12/arch_topology-fix-incorrect-error-check-in-topology_parse_cpu_capacity.patch
create mode 100644 queue-6.12/btrfs-directly-free-partially-initialized-fs_info-in-btrfs_check_leaked_roots.patch
create mode 100644 queue-6.12/can-netlink-can_changelink-allow-disabling-of-automatic-restart.patch
create mode 100644 queue-6.12/cifs-fix-tcp_server_info-credits-to-be-signed.patch
create mode 100644 queue-6.12/dma-debug-don-t-report-false-positives-with-dma_bounce_unaligned_kmalloc.patch
create mode 100644 queue-6.12/drm-amd-display-increase-max-link-count-and-fix-link-enc-null-pointer-access.patch
create mode 100644 queue-6.12/fs-notify-call-exportfs_encode_fid-with-s_umount.patch
create mode 100644 queue-6.12/gpio-104-idio-16-define-maximum-valid-register-address-offset.patch
create mode 100644 queue-6.12/gpio-pci-idio-16-define-maximum-valid-register-address-offset.patch
create mode 100644 queue-6.12/mips-malta-fix-keyboard-resource-preventing-i8042-driver-from-registering.patch
create mode 100644 queue-6.12/mm-prevent-poison-consumption-when-splitting-thp.patch
create mode 100644 queue-6.12/net-bonding-fix-possible-peer-notify-event-loss-or-dup-issue.patch
create mode 100644 queue-6.12/net-ravb-enforce-descriptor-type-ordering.patch
create mode 100644 queue-6.12/net-ravb-ensure-memory-write-completes-before-ringing-tx-doorbell.patch
create mode 100644 queue-6.12/net-stmmac-dwmac-rk-fix-disabling-set_clock_selection.patch
create mode 100644 queue-6.12/net-usb-rtl8150-fix-frame-padding.patch
create mode 100644 queue-6.12/ocfs2-clear-extent-cache-after-moving-defragmenting-extents.patch
create mode 100644 queue-6.12/revert-cpuidle-menu-avoid-discarding-useful-information.patch
create mode 100644 queue-6.12/selftests-mptcp-join-mark-flush-re-add-as-skipped-if-not-supported.patch
create mode 100644 queue-6.12/selftests-mptcp-join-mark-implicit-tests-as-skipped-if-not-supported.patch
create mode 100644 queue-6.12/slab-avoid-race-on-slab-obj_exts-in-alloc_slab_obj_exts.patch
create mode 100644 queue-6.12/slab-fix-obj_ext-mistakenly-considered-null-due-to-race-condition.patch
create mode 100644 queue-6.12/vsock-fix-lock-inversion-in-vsock_assign_transport.patch
create mode 100644 queue-6.12/xfs-fix-locking-in-xchk_nlinks_collect_dir.patch
diff --git a/queue-6.12/acpica-work-around-bogus-wstringop-overread-warning-since-gcc-11.patch b/queue-6.12/acpica-work-around-bogus-wstringop-overread-warning-since-gcc-11.patch
new file mode 100644
index 0000000000..40743db086
--- /dev/null
+++ b/queue-6.12/acpica-work-around-bogus-wstringop-overread-warning-since-gcc-11.patch
@@ -0,0 +1,52 @@
+From 6e3a4754717a74e931a9f00b5f953be708e07acb Mon Sep 17 00:00:00 2001
+From: Xi Ruoyao
+Date: Tue, 21 Oct 2025 17:28:25 +0800
+Subject: ACPICA: Work around bogus -Wstringop-overread warning since GCC 11
+
+From: Xi Ruoyao
+
+commit 6e3a4754717a74e931a9f00b5f953be708e07acb upstream.
+
+When ACPI_MISALIGNMENT_NOT_SUPPORTED is set, GCC can produce a bogus
+-Wstringop-overread warning, see [1].
+
+To me, it's very clear that we have a compiler bug here, thus just
+disable the warning.
+
+Fixes: a9d13433fe17 ("LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled")
+Link: https://lore.kernel.org/all/899f2dec-e8b9-44f4-ab8d-001e160a2aed@roeck-us.net/
+Link: https://github.com/acpica/acpica/commit/abf5b573
+Link: https://gcc.gnu.org/PR122073 [1]
+Co-developed-by: Saket Dumbre
+Signed-off-by: Saket Dumbre
+Signed-off-by: Xi Ruoyao
+Acked-by: Huacai Chen
+Cc: All applicable
+[ rjw: Subject and changelog edits ]
+Link: https://patch.msgid.link/20251021092825.822007-1-xry111@xry111.site
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/acpica/tbprint.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/acpi/acpica/tbprint.c
++++ b/drivers/acpi/acpica/tbprint.c
+@@ -95,6 +95,11 @@ acpi_tb_print_table_header(acpi_physical
+ {
+ struct acpi_table_header local_header;
+
++#pragma GCC diagnostic push
++#if defined(__GNUC__) && __GNUC__ >= 11
++#pragma GCC diagnostic ignored "-Wstringop-overread"
++#endif
++
+ if (ACPI_COMPARE_NAMESEG(header->signature, ACPI_SIG_FACS)) {
+
+ /* FACS only has signature and length fields */
+@@ -135,4 +140,5 @@ acpi_tb_print_table_header(acpi_physical
+ local_header.asl_compiler_id,
+ local_header.asl_compiler_revision));
+ }
++#pragma GCC diagnostic pop
+ }
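Review bot: The `-Wstringop-overread` suppression in acpi_tb_print_table_header() is pushed right after the `local_header` declaration and popped only at the closing brace, so it covers every copy in the function rather than the one statement the compiler misreports. A diagnostic that exists to catch out-of-bounds reads is then silent for any genuine overread later introduced in this body; scoping the push/pop around the single affected statement would keep the rest checked. The `push` and `pop` pragmas also sit outside the `__GNUC__ >= 11` guard that protects the `ignored` line, so moving them inside the same `#if` would keep all three consistent. The function body between the two inner hunks is not visible here, so which statement triggers the warning has to be confirmed against the GCC report linked in the changelog.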
diff --git a/queue-6.12/arch_topology-fix-incorrect-error-check-in-topology_parse_cpu_capacity.patch b/queue-6.12/arch_topology-fix-incorrect-error-check-in-topology_parse_cpu_capacity.patch
new file mode 100644
index 0000000000..24ba013d95
--- /dev/null
+++ b/queue-6.12/arch_topology-fix-incorrect-error-check-in-topology_parse_cpu_capacity.patch
@@ -0,0 +1,48 @@
+From 2eead19334516c8e9927c11b448fbe512b1f18a1 Mon Sep 17 00:00:00 2001
+From: Kaushlendra Kumar
+Date: Tue, 23 Sep 2025 23:13:08 +0530
+Subject: arch_topology: Fix incorrect error check in topology_parse_cpu_capacity()
+
+From: Kaushlendra Kumar
+
+commit 2eead19334516c8e9927c11b448fbe512b1f18a1 upstream.
+
+Fix incorrect use of PTR_ERR_OR_ZERO() in topology_parse_cpu_capacity()
+which causes the code to proceed with NULL clock pointers. The current
+logic uses !PTR_ERR_OR_ZERO(cpu_clk) which evaluates to true for both
+valid pointers and NULL, leading to potential NULL pointer dereference
+in clk_get_rate().
+
+Per include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns:
+"The error code within @ptr if it is an error pointer; 0 otherwise."
+
+This means PTR_ERR_OR_ZERO() returns 0 for both valid pointers AND NULL
+pointers. Therefore !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true (proceed)
+when cpu_clk is either valid or NULL, causing clk_get_rate(NULL) to be
+called when of_clk_get() returns NULL.
+
+Replace with !IS_ERR_OR_NULL(cpu_clk) which only proceeds for valid
+pointers, preventing potential NULL pointer dereference in clk_get_rate().
+
+Cc: stable
+Signed-off-by: Kaushlendra Kumar
+Reviewed-by: Sudeep Holla
+Fixes: b8fe128dad8f ("arch_topology: Adjust initial CPU capacities with current freq")
+Link: https://patch.msgid.link/20250923174308.1771906-1-kaushlendra.kumar@intel.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/base/arch_topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/arch_topology.c
++++ b/drivers/base/arch_topology.c
+@@ -341,7 +341,7 @@ bool __init topology_parse_cpu_capacity(
+ * frequency (by keeping the initial capacity_freq_ref value).
+ */
+ cpu_clk = of_clk_get(cpu_node, 0);
+- if (!PTR_ERR_OR_ZERO(cpu_clk)) {
++ if (!IS_ERR_OR_NULL(cpu_clk)) {
+ per_cpu(capacity_freq_ref, cpu) =
+ clk_get_rate(cpu_clk) / HZ_PER_KHZ;
+ clk_put(cpu_clk);
diff --git a/queue-6.12/btrfs-directly-free-partially-initialized-fs_info-in-btrfs_check_leaked_roots.patch b/queue-6.12/btrfs-directly-free-partially-initialized-fs_info-in-btrfs_check_leaked_roots.patch
new file mode 100644
index 0000000000..8ed8624937
--- /dev/null
+++ b/queue-6.12/btrfs-directly-free-partially-initialized-fs_info-in-btrfs_check_leaked_roots.patch
@@ -0,0 +1,76 @@
+From 17679ac6df6c4830ba711835aa8cf961be36cfa1 Mon Sep 17 00:00:00 2001
+From: Dewei Meng
+Date: Thu, 16 Oct 2025 14:10:11 +0800
+Subject: btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()
+
+From: Dewei Meng
+
+commit 17679ac6df6c4830ba711835aa8cf961be36cfa1 upstream.
+
+If fs_info->super_copy or fs_info->super_for_commit allocated failed in
+btrfs_get_tree_subvol(), then no need to call btrfs_free_fs_info().
+Otherwise btrfs_check_leaked_roots() would access NULL pointer because
+fs_info->allocated_roots had not been initialised.
+
+syzkaller reported the following information:
+ ------------[ cut here ]------------
+ BUG: unable to handle page fault for address: fffffffffffffbb0
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0
+ Oops: Oops: 0000 [#1] SMP KASAN PTI
+ CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy)
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...)
+ RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]
+ RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]
+ RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]
+ RIP: 0010:refcount_read include/linux/refcount.h:170 [inline]
+ RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230
+ [...]
+ Call Trace:
+
+ btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280
+ btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029
+ btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097
+ vfs_get_tree+0x98/0x320 fs/super.c:1759
+ do_new_mount+0x357/0x660 fs/namespace.c:3899
+ path_mount+0x716/0x19c0 fs/namespace.c:4226
+ do_mount fs/namespace.c:4239 [inline]
+ __do_sys_mount fs/namespace.c:4450 [inline]
+ __se_sys_mount fs/namespace.c:4427 [inline]
+ __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ RIP: 0033:0x7f032eaffa8d
+ [...]
+
+Fixes: 3bb17a25bcb0 ("btrfs: add get_tree callback for new mount API")
+CC: stable@vger.kernel.org # 6.12+
+Reviewed-by: Daniel Vacek
+Reviewed-by: Qu Wenruo
+Signed-off-by: Dewei Meng
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/super.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -2029,7 +2029,13 @@ static int btrfs_get_tree_subvol(struct
+ fs_info->super_copy = kzalloc(BTRFS_SUPER_INFO_SIZE, GFP_KERNEL);
+ fs_info->super_for_commit = kzalloc(BTRFS_SUPER_INFO_SIZE, GFP_KERNEL);
+ if (!fs_info->super_copy || !fs_info->super_for_commit) {
+- btrfs_free_fs_info(fs_info);
++ /*
++ * Dont call btrfs_free_fs_info() to free it as it's still
++ * initialized partially.
++ */
++ kfree(fs_info->super_copy);
++ kfree(fs_info->super_for_commit);
++ kvfree(fs_info);
+ return -ENOMEM;
+ }
+ btrfs_init_fs_info(fs_info);
diff --git a/queue-6.12/can-netlink-can_changelink-allow-disabling-of-automatic-restart.patch b/queue-6.12/can-netlink-can_changelink-allow-disabling-of-automatic-restart.patch
new file mode 100644
index 0000000000..08efb24209
--- /dev/null
+++ b/queue-6.12/can-netlink-can_changelink-allow-disabling-of-automatic-restart.patch
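Review bot: The new comment in the allocation-failure branch of btrfs_get_tree_subvol() says only that fs_info is "initialized partially" and does not name the hazard, which per the changelog is that btrfs_free_fs_info() reaches btrfs_check_leaked_roots() before `fs_info->allocated_roots` has been set up. I would reword it to something like `/* btrfs_init_fs_info() has not run yet, so allocated_roots is uninitialised; free the members by hand instead of calling btrfs_free_fs_info(). */`, which also fixes the "Dont" typo. The manual free list has to track whatever is allocated before btrfs_init_fs_info(); only the two superblock buffers are visible in this hunk, so that is worth confirming against the start of the function, which lies outside it.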
@@ -0,0 +1,62 @@
+From 8e93ac51e4c6dc399fad59ec21f55f2cfb46d27c Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde
+Date: Mon, 20 Oct 2025 11:51:03 +0200
+Subject: can: netlink: can_changelink(): allow disabling of automatic restart
+
+From: Marc Kleine-Budde
+
+commit 8e93ac51e4c6dc399fad59ec21f55f2cfb46d27c upstream.
+
+Since the commit c1f3f9797c1f ("can: netlink: can_changelink(): fix NULL
+pointer deref of struct can_priv::do_set_mode"), the automatic restart
+delay can only be set for devices that implement the restart handler struct
+can_priv::do_set_mode. As it makes no sense to configure a automatic
+restart for devices that doesn't support it.
+
+However, since systemd commit 13ce5d4632e3 ("network/can: properly handle
+CAN.RestartSec=0") [1], systemd-networkd correctly handles a restart delay
+of "0" (i.e. the restart is disabled). Which means that a disabled restart
+is always configured in the kernel.
+
+On systems with both changes active this causes that CAN interfaces that
+don't implement a restart handler cannot be brought up by systemd-networkd.
+
+Solve this problem by allowing a delay of "0" to be configured, even if the
+device does not implement a restart handler.
+
+[1] https://github.com/systemd/systemd/commit/13ce5d4632e395521e6205c954493c7fc1c4c6e0
+
+Cc: stable@vger.kernel.org
+Cc: Andrei Lalaev
+Reported-by: Marc Kleine-Budde
+Closes: https://lore.kernel.org/all/20251020-certain-arrogant-vole-of-sunshine-141841-mkl@pengutronix.de
+Fixes: c1f3f9797c1f ("can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode")
+Link: https://patch.msgid.link/20251020-netlink-fix-restart-v1-1-3f53c7f8520b@pengutronix.de
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/dev/netlink.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/dev/netlink.c
++++ b/drivers/net/can/dev/netlink.c
+@@ -285,7 +285,9 @@ static int can_changelink(struct net_dev
+ }
+
+ if (data[IFLA_CAN_RESTART_MS]) {
+- if (!priv->do_set_mode) {
++ unsigned int restart_ms = nla_get_u32(data[IFLA_CAN_RESTART_MS]);
++
++ if (restart_ms != 0 && !priv->do_set_mode) {
+ NL_SET_ERR_MSG(extack,
+ "Device doesn't support restart from Bus Off");
+ return -EOPNOTSUPP;
+@@ -294,7 +296,7 @@ static int can_changelink(struct net_dev
+ /* Do not allow changing restart delay while running */
+ if (dev->flags & IFF_UP)
+ return -EBUSY;
+- priv->restart_ms = nla_get_u32(data[IFLA_CAN_RESTART_MS]);
++ priv->restart_ms = restart_ms;
+ }
+
+ if (data[IFLA_CAN_RESTART]) {
diff --git a/queue-6.12/cifs-fix-tcp_server_info-credits-to-be-signed.patch b/queue-6.12/cifs-fix-tcp_server_info-credits-to-be-signed.patch
new file mode 100644
index 0000000000..7a7c104de0
--- /dev/null
+++ b/queue-6.12/cifs-fix-tcp_server_info-credits-to-be-signed.patch
@@ -0,0 +1,37 @@
+From 5b2ff4873aeab972f919d5aea11c51393322bf58 Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Mon, 20 Oct 2025 09:40:02 +0100
+Subject: cifs: Fix TCP_Server_Info::credits to be signed
+
+From: David Howells
+
+commit 5b2ff4873aeab972f919d5aea11c51393322bf58 upstream.
+
+Fix TCP_Server_Info::credits to be signed, just as echo_credits and
+oplock_credits are. This also fixes what ought to get at least a
+compilation warning if not an outright error in *get_credits_field() as a
+pointer to the unsigned server->credits field is passed back as a pointer
+to a signed int.
+
+Signed-off-by: David Howells
+cc: linux-cifs@vger.kernel.org
+Cc: stable@vger.kernel.org
+Acked-by: Paulo Alcantara (Red Hat)
+Acked-by: Pavel Shilovskiy
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/cifsglob.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/smb/client/cifsglob.h
++++ b/fs/smb/client/cifsglob.h
+@@ -703,7 +703,7 @@ struct TCP_Server_Info {
+ bool nosharesock;
+ bool tcp_nodelay;
+ bool terminate;
+- unsigned int credits; /* send no more requests at once */
++ int credits; /* send no more requests at once */
+ unsigned int max_credits; /* can override large 32000 default at mnt */
+ unsigned int in_flight; /* number of requests on the wire to server */
+ unsigned int max_in_flight; /* max number of requests that were on wire */
diff --git a/queue-6.12/dma-debug-don-t-report-false-positives-with-dma_bounce_unaligned_kmalloc.patch b/queue-6.12/dma-debug-don-t-report-false-positives-with-dma_bounce_unaligned_kmalloc.patch
new file mode 100644
index 0000000000..570d2d3cdd
--- /dev/null
+++ b/queue-6.12/dma-debug-don-t-report-false-positives-with-dma_bounce_unaligned_kmalloc.patch
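Review bot: Making `credits` a plain `int` leaves it next to `max_credits`, `in_flight` and `max_in_flight`, which stay `unsigned int` in the same struct, so any expression that mixes them converts `credits` to unsigned and a negative value would then compare as a very large one. Those call sites are not in this hunk, so this is something to audit rather than a confirmed defect; comparisons of the form `credits < max_credits` and format strings that print the field with `%u` are the places to look. The trailing comment `/* send no more requests at once */` could also say that the field is signed to match `echo_credits` and `oplock_credits`, as the changelog explains.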
@@ -0,0 +1,59 @@
+From 03521c892bb8d0712c23e158ae9bdf8705897df8 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski
+Date: Thu, 9 Oct 2025 16:15:08 +0200
+Subject: dma-debug: don't report false positives with DMA_BOUNCE_UNALIGNED_KMALLOC
+
+From: Marek Szyprowski
+
+commit 03521c892bb8d0712c23e158ae9bdf8705897df8 upstream.
+
+Commit 370645f41e6e ("dma-mapping: force bouncing if the kmalloc() size is
+not cache-line-aligned") introduced DMA_BOUNCE_UNALIGNED_KMALLOC feature
+and permitted architecture specific code configure kmalloc slabs with
+sizes smaller than the value of dma_get_cache_alignment().
+
+When that feature is enabled, the physical address of some small
+kmalloc()-ed buffers might be not aligned to the CPU cachelines, thus not
+really suitable for typical DMA. To properly handle that case a SWIOTLB
+buffer bouncing is used, so no CPU cache corruption occurs. When that
+happens, there is no point reporting a false-positive DMA-API warning that
+the buffer is not properly aligned, as this is not a client driver fault.
+
+[m.szyprowski@samsung.com: replace is_swiotlb_allocated() with is_swiotlb_active(), per Catalin]
+ Link: https://lkml.kernel.org/r/20251010173009.3916215-1-m.szyprowski@samsung.com
+Link: https://lkml.kernel.org/r/20251009141508.2342138-1-m.szyprowski@samsung.com
+Fixes: 370645f41e6e ("dma-mapping: force bouncing if the kmalloc() size is not cache-line-aligned")
+Signed-off-by: Marek Szyprowski
+Reviewed-by: Catalin Marinas
+Cc: Christoph Hellwig
+Cc: Inki Dae
+Cc: Robin Murohy
+Cc: "Isaac J. Manjarres"
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/dma/debug.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/dma/debug.c
++++ b/kernel/dma/debug.c
+@@ -23,6 +23,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include "debug.h"
+
+@@ -594,7 +595,9 @@ static void add_dma_entry(struct dma_deb
+ if (rc == -ENOMEM) {
+ pr_err_once("cacheline tracking ENOMEM, dma-debug disabled\n");
+ global_disable = true;
+- } else if (rc == -EEXIST && !(attrs & DMA_ATTR_SKIP_CPU_SYNC)) {
++ } else if (rc == -EEXIST && !(attrs & DMA_ATTR_SKIP_CPU_SYNC) &&
++ !(IS_ENABLED(CONFIG_DMA_BOUNCE_UNALIGNED_KMALLOC) &&
++ is_swiotlb_active(entry->dev))) {
+ err_printk(entry->dev, entry,
+ "cacheline tracking EEXIST, overlapping mappings aren't supported\n");
+ }
diff --git a/queue-6.12/drm-amd-display-increase-max-link-count-and-fix-link-enc-null-pointer-access.patch b/queue-6.12/drm-amd-display-increase-max-link-count-and-fix-link-enc-null-pointer-access.patch
new file mode 100644
index 0000000000..78b9caefd8
--- /dev/null
+++ b/queue-6.12/drm-amd-display-increase-max-link-count-and-fix-link-enc-null-pointer-access.patch
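Review bot: The added clause in add_dma_entry() silences the EEXIST "overlapping mappings" report for every mapping on a device with an active SWIOTLB whenever CONFIG_DMA_BOUNCE_UNALIGNED_KMALLOC is enabled, not only for the small kmalloc() buffers that were actually bounced. Genuine overlapping mappings made by a driver on such a device would then go unreported by dma-debug, which narrows the checker's coverage on those configurations. If a per-mapping test is not available at this point, a comment on the condition should record the trade-off, for example `/* bounced unaligned kmalloc buffers can share a cacheline; skip the report, at the cost of missing real overlaps on this device */`. The body of add_dma_entry() starts outside the hunk.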
@@ -0,0 +1,60 @@
+From bec947cbe9a65783adb475a5fb47980d7b4f4796 Mon Sep 17 00:00:00 2001
+From: Charlene Liu
+Date: Mon, 29 Sep 2025 20:29:30 -0400
+Subject: drm/amd/display: increase max link count and fix link->enc NULL pointer access
+
+From: Charlene Liu
+
+commit bec947cbe9a65783adb475a5fb47980d7b4f4796 upstream.
+
+[why]
+1.) dc->links[MAX_LINKS] array size smaller than actual requested.
+max_connector + max_dpia + 4 virtual = 14.
+increase from 12 to 14.
+
+2.) hw_init() access null LINK_ENC for dpia non display_endpoint.
+
+Cc: Mario Limonciello
+Cc: Alex Deucher
+Reviewed-by: Meenakshikumar Somasundaram
+Reviewed-by: Chris Park
+Signed-off-by: Charlene Liu
+Signed-off-by: Aurabindo Pillai
+Signed-off-by: Alex Deucher
+(cherry picked from commit d7f5a61e1b04ed87b008c8d327649d184dc5bb45)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 3 +++
+ drivers/gpu/drm/amd/display/dc/inc/hw/hw_shared.h | 8 +++++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c
+@@ -287,6 +287,9 @@ void dcn401_init_hw(struct dc *dc)
+ */
+ struct dc_link *link = dc->links[i];
+
++ if (link->ep_type != DISPLAY_ENDPOINT_PHY)
++ continue;
++
+ link->link_enc->funcs->hw_init(link->link_enc);
+
+ /* Check for enabled DIG to identify enabled display */
+--- a/drivers/gpu/drm/amd/display/dc/inc/hw/hw_shared.h
++++ b/drivers/gpu/drm/amd/display/dc/inc/hw/hw_shared.h
+@@ -44,7 +44,13 @@
+ */
+ #define MAX_PIPES 6
+ #define MAX_PHANTOM_PIPES (MAX_PIPES / 2)
+-#define MAX_LINKS (MAX_PIPES * 2 +2)
++
++#define MAX_DPIA 6
++#define MAX_CONNECTOR 6
++#define MAX_VIRTUAL_LINKS 4
++
++#define MAX_LINKS (MAX_DPIA + MAX_CONNECTOR + MAX_VIRTUAL_LINKS)
++
+ #define MAX_DIG_LINK_ENCODERS 7
+ #define MAX_DWB_PIPES 1
+ #define MAX_HPO_DP2_ENCODERS 4
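Review bot: `MAX_LINKS` in hw_shared.h is now the sum of three new constants, but nothing in the visible hunks ties `MAX_DPIA`, `MAX_CONNECTOR` and `MAX_VIRTUAL_LINKS` to the code that fills `dc->links[]`, which the changelog says was requesting more entries than the array held. A bounds check where links are appended (outside this diff) or a short comment on each constant stating which count it mirrors would keep the array size from drifting out of step again. In dcn401_init_hw() the new `ep_type != DISPLAY_ENDPOINT_PHY` test relies on every PHY endpoint having a non-NULL `link_enc`; a one-line comment such as `/* DPIA links have no link_enc at this point */` would make that assumption explicit. Both the function and the header continue outside the hunks shown.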
diff --git a/queue-6.12/fs-notify-call-exportfs_encode_fid-with-s_umount.patch b/queue-6.12/fs-notify-call-exportfs_encode_fid-with-s_umount.patch
new file mode 100644
index 0000000000..e3430719c9
--- /dev/null
+++ b/queue-6.12/fs-notify-call-exportfs_encode_fid-with-s_umount.patch
@@ -0,0 +1,106 @@
+From a7c4bb43bfdc2b9f06ee9d036028ed13a83df42a Mon Sep 17 00:00:00 2001
+From: Jakub Acs
+Date: Wed, 1 Oct 2025 10:09:55 +0000
+Subject: fs/notify: call exportfs_encode_fid with s_umount
+
+From: Jakub Acs
+
+commit a7c4bb43bfdc2b9f06ee9d036028ed13a83df42a upstream.
+
+Calling intotify_show_fdinfo() on fd watching an overlayfs inode, while
+the overlayfs is being unmounted, can lead to dereferencing NULL ptr.
+
+This issue was found by syzkaller.
+
+Race Condition Diagram:
+
+Thread 1 Thread 2
+-------- --------
+
+generic_shutdown_super()
+ shrink_dcache_for_umount
+ sb->s_root = NULL
+
+ |
+ | vfs_read()
+ | inotify_fdinfo()
+ | * inode get from mark *
+ | show_mark_fhandle(m, inode)
+ | exportfs_encode_fid(inode, ..)
+ | ovl_encode_fh(inode, ..)
+ | ovl_check_encode_origin(inode)
+ | * deref i_sb->s_root *
+ |
+ |
+ v
+ fsnotify_sb_delete(sb)
+
+Which then leads to:
+
+[ 32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
+[ 32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
+[ 32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)
+
+
+
+[ 32.143353] Call Trace:
+[ 32.143732] ovl_encode_fh+0xd5/0x170
+[ 32.144031] exportfs_encode_inode_fh+0x12f/0x300
+[ 32.144425] show_mark_fhandle+0xbe/0x1f0
+[ 32.145805] inotify_fdinfo+0x226/0x2d0
+[ 32.146442] inotify_show_fdinfo+0x1c5/0x350
+[ 32.147168] seq_show+0x530/0x6f0
+[ 32.147449] seq_read_iter+0x503/0x12a0
+[ 32.148419] seq_read+0x31f/0x410
+[ 32.150714] vfs_read+0x1f0/0x9e0
+[ 32.152297] ksys_read+0x125/0x240
+
+IOW ovl_check_encode_origin derefs inode->i_sb->s_root, after it was set
+to NULL in the unmount path.
+
+Fix it by protecting calling exportfs_encode_fid() from
+show_mark_fhandle() with s_umount lock.
+
+This form of fix was suggested by Amir in [1].
+
+[1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/
+
+Fixes: c45beebfde34 ("ovl: support encoding fid from inode with no alias")
+Signed-off-by: Jakub Acs
+Cc: Jan Kara
+Cc: Amir Goldstein
+Cc: Miklos Szeredi
+Cc: Christian Brauner
+Cc: linux-unionfs@vger.kernel.org
+Cc: linux-fsdevel@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/notify/fdinfo.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/notify/fdinfo.c
++++ b/fs/notify/fdinfo.c
+@@ -17,6 +17,7 @@
+ #include "fanotify/fanotify.h"
+ #include "fdinfo.h"
+ #include "fsnotify.h"
++#include "../internal.h"
+
+ #if defined(CONFIG_PROC_FS)
+
+@@ -46,7 +47,12 @@ static void show_mark_fhandle(struct seq
+
+ size = f->handle_bytes >> 2;
+
++ if (!super_trylock_shared(inode->i_sb))
++ return;
++
+ ret = exportfs_encode_fid(inode, (struct fid *)f->f_handle, &size);
++ up_read(&inode->i_sb->s_umount);
++
+ if ((ret == FILEID_INVALID) || (ret < 0))
+ return;
+
diff --git a/queue-6.12/gpio-104-idio-16-define-maximum-valid-register-address-offset.patch b/queue-6.12/gpio-104-idio-16-define-maximum-valid-register-address-offset.patch
new file mode 100644
index 0000000000..5c297bbaa5
--- /dev/null
+++ b/queue-6.12/gpio-104-idio-16-define-maximum-valid-register-address-offset.patch
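Review bot: The `super_trylock_shared()` / `up_read()` pair added to show_mark_fhandle() carries no comment saying what it protects, and the failure path returns without output, so a reader cannot tell that dropping the handle is deliberate. I would add `/* Hold s_umount so a concurrent unmount cannot clear sb->s_root while the filesystem encodes the fid; skip the handle if the sb is going away. */` above the trylock. The new `#include "../internal.h"` is added for what appears to be that one helper, and a trailing comment naming it would explain why fs/notify reaches into the parent directory's header. The function starts before the hunk and continues after it.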
@@ -0,0 +1,39 @@
+From c4d35e635f3a65aec291a6045cae8c99cede5bba Mon Sep 17 00:00:00 2001
+From: William Breathitt Gray
+Date: Mon, 20 Oct 2025 17:51:44 +0900
+Subject: gpio: 104-idio-16: Define maximum valid register address offset
+
+From: William Breathitt Gray
+
+commit c4d35e635f3a65aec291a6045cae8c99cede5bba upstream.
+
+Attempting to load the 104-idio-16 module fails during regmap
+initialization with a return error -EINVAL. This is a result of the
+regmap cache failing initialization. Set the idio_16_regmap_config
+max_register member to fix this failure.
+
+Fixes: 2c210c9a34a3 ("gpio: 104-idio-16: Migrate to the regmap API")
+Reported-by: Mark Cave-Ayland
+Closes: https://lore.kernel.org/r/9b0375fd-235f-4ee1-a7fa-daca296ef6bf@nutanix.com
+Suggested-by: Mark Cave-Ayland
+Cc: stable@vger.kernel.org
+Reviewed-by: Andy Shevchenko
+Signed-off-by: William Breathitt Gray
+Reviewed-by: Linus Walleij
+Link: https://lore.kernel.org/r/20251020-fix-gpio-idio-16-regmap-v2-1-ebeb50e93c33@kernel.org
+Signed-off-by: Bartosz Golaszewski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpio/gpio-104-idio-16.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpio/gpio-104-idio-16.c
++++ b/drivers/gpio/gpio-104-idio-16.c
+@@ -59,6 +59,7 @@ static const struct regmap_config idio_1
+ .reg_stride = 1,
+ .val_bits = 8,
+ .io_port = true,
++ .max_register = 0x5,
+ .wr_table = &idio_16_wr_table,
+ .rd_table = &idio_16_rd_table,
+ .volatile_table = &idio_16_rd_table,
diff --git a/queue-6.12/gpio-pci-idio-16-define-maximum-valid-register-address-offset.patch b/queue-6.12/gpio-pci-idio-16-define-maximum-valid-register-address-offset.patch
new file mode 100644
index 0000000000..a534bef424
--- /dev/null
+++ b/queue-6.12/gpio-pci-idio-16-define-maximum-valid-register-address-offset.patch
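Review bot: `.max_register = 0x5` in idio_16_regmap_config is a bare literal with no link to the register layout that the `wr_table` and `rd_table` ranges describe, and the same applies to `.max_register = 0x7` in the gpio-pci-idio-16 patch that follows. If the access tables are later extended, the limit has to be updated by hand or the regmap cache initialisation fails again as described in the changelog. A named constant or a trailing comment such as `/* highest offset covered by idio_16_rd_table */` would document where the number comes from; the table definitions are outside both hunks, so the values themselves cannot be checked here.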
@@ -0,0 +1,39 @@
+From d37623132a6347b4ab9e2179eb3f2fa77863c364 Mon Sep 17 00:00:00 2001
+From: William Breathitt Gray
+Date: Mon, 20 Oct 2025 17:51:45 +0900
+Subject: gpio: pci-idio-16: Define maximum valid register address offset
+
+From: William Breathitt Gray
+
+commit d37623132a6347b4ab9e2179eb3f2fa77863c364 upstream.
+
+Attempting to load the pci-idio-16 module fails during regmap
+initialization with a return error -EINVAL. This is a result of the
+regmap cache failing initialization. Set the idio_16_regmap_config
+max_register member to fix this failure.
+
+Fixes: 73d8f3efc5c2 ("gpio: pci-idio-16: Migrate to the regmap API")
+Reported-by: Mark Cave-Ayland
+Closes: https://lore.kernel.org/r/9b0375fd-235f-4ee1-a7fa-daca296ef6bf@nutanix.com
+Suggested-by: Mark Cave-Ayland
+Cc: stable@vger.kernel.org
+Reviewed-by: Andy Shevchenko
+Signed-off-by: William Breathitt Gray
+Reviewed-by: Linus Walleij
+Link: https://lore.kernel.org/r/20251020-fix-gpio-idio-16-regmap-v2-2-ebeb50e93c33@kernel.org
+Signed-off-by: Bartosz Golaszewski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpio/gpio-pci-idio-16.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpio/gpio-pci-idio-16.c
++++ b/drivers/gpio/gpio-pci-idio-16.c
+@@ -41,6 +41,7 @@ static const struct regmap_config idio_1
+ .reg_stride = 1,
+ .val_bits = 8,
+ .io_port = true,
++ .max_register = 0x7,
+ .wr_table = &idio_16_wr_table,
+ .rd_table = &idio_16_rd_table,
+ .volatile_table = &idio_16_rd_table,
diff --git a/queue-6.12/mips-malta-fix-keyboard-resource-preventing-i8042-driver-from-registering.patch b/queue-6.12/mips-malta-fix-keyboard-resource-preventing-i8042-driver-from-registering.patch
new file mode 100644
index 0000000000..1af7706c81
--- /dev/null
+++ b/queue-6.12/mips-malta-fix-keyboard-resource-preventing-i8042-driver-from-registering.patch
@@ -0,0 +1,65 @@
+From bf5570590a981d0659d0808d2d4bcda21b27a2a5 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki"
+Date: Tue, 21 Oct 2025 20:38:22 +0100
+Subject: MIPS: Malta: Fix keyboard resource preventing i8042 driver from registering
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej W. Rozycki
+
+commit bf5570590a981d0659d0808d2d4bcda21b27a2a5 upstream.
+
+MIPS Malta platform code registers the PCI southbridge legacy port I/O
+PS/2 keyboard range as a standard resource marked as busy. It prevents
+the i8042 driver from registering as it fails to claim the resource in
+a call to i8042_platform_init(). Consequently PS/2 keyboard and mouse
+devices cannot be used with this platform.
+
+Fix the issue by removing the busy marker from the standard reservation,
+making the driver register successfully:
+
+ serio: i8042 KBD port at 0x60,0x64 irq 1
+ serio: i8042 AUX port at 0x60,0x64 irq 12
+
+and the resource show up as expected among the legacy devices:
+
+ 00000000-00ffffff : MSC PCI I/O
+ 00000000-0000001f : dma1
+ 00000020-00000021 : pic1
+ 00000040-0000005f : timer
+ 00000060-0000006f : keyboard
+ 00000060-0000006f : i8042
+ 00000070-00000077 : rtc0
+ 00000080-0000008f : dma page reg
+ 000000a0-000000a1 : pic2
+ 000000c0-000000df : dma2
+ [...]
+
+If the i8042 driver has not been configured, then the standard resource
+will remain there preventing any conflicting dynamic assignment of this
+PCI port I/O address range.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Maciej W. Rozycki
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Ilpo Järvinen
+Acked-by: Thomas Bogendoerfer
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/alpine.DEB.2.21.2510211919240.8377@angie.orcam.me.uk
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/mips/mti-malta/malta-setup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/mti-malta/malta-setup.c
++++ b/arch/mips/mti-malta/malta-setup.c
+@@ -47,7 +47,7 @@ static struct resource standard_io_resou
+ .name = "keyboard",
+ .start = 0x60,
+ .end = 0x6f,
+- .flags = IORESOURCE_IO | IORESOURCE_BUSY
++ .flags = IORESOURCE_IO
+ },
+ {
+ .name = "dma page reg",
diff --git a/queue-6.12/mm-prevent-poison-consumption-when-splitting-thp.patch b/queue-6.12/mm-prevent-poison-consumption-when-splitting-thp.patch
new file mode 100644
index 0000000000..9211fe4938
--- /dev/null
+++ b/queue-6.12/mm-prevent-poison-consumption-when-splitting-thp.patch
@@ -0,0 +1,125 @@
+From 841a8bfcbad94bb1ba60f59ce34f75259074ae0d Mon Sep 17 00:00:00 2001
+From: Qiuxu Zhuo
+Date: Sat, 11 Oct 2025 15:55:19 +0800
+Subject: mm: prevent poison consumption when splitting THP
+
+From: Qiuxu Zhuo
+
+commit 841a8bfcbad94bb1ba60f59ce34f75259074ae0d upstream.
+
+When performing memory error injection on a THP (Transparent Huge Page)
+mapped to userspace on an x86 server, the kernel panics with the following
+trace. The expected behavior is to terminate the affected process instead
+of panicking the kernel, as the x86 Machine Check code can recover from an
+in-userspace #MC.
+
+ mce: [Hardware Error]: CPU 0: Machine Check Exception: f Bank 3: bd80000000070134
+ mce: [Hardware Error]: RIP 10: {memchr_inv+0x4c/0xf0}
+ mce: [Hardware Error]: TSC afff7bbff88a ADDR 1d301b000 MISC 80 PPIN 1e741e77539027db
+ mce: [Hardware Error]: PROCESSOR 0:d06d0 TIME 1758093249 SOCKET 0 APIC 0 microcode 80000320
+ mce: [Hardware Error]: Run the above through 'mcelog --ascii'
+ mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel
+ Kernel panic - not syncing: Fatal local machine check
+
+The root cause of this panic is that handling a memory failure triggered
+by an in-userspace #MC necessitates splitting the THP. The splitting
+process employs a mechanism, implemented in
+try_to_map_unused_to_zeropage(), which reads the pages in the THP to
+identify zero-filled pages. However, reading the pages in the THP results
+in a second in-kernel #MC, occurring before the initial memory_failure()
+completes, ultimately leading to a kernel panic. See the kernel panic
+call trace on the two #MCs.
+
+ First Machine Check occurs // [1]
+ memory_failure() // [2]
+ try_to_split_thp_page()
+ split_huge_page()
+ split_huge_page_to_list_to_order()
+ __folio_split() // [3]
+ remap_page()
+ remove_migration_ptes()
+ remove_migration_pte()
+ try_to_map_unused_to_zeropage() // [4]
+ memchr_inv() // [5]
+ Second Machine Check occurs // [6]
+ Kernel panic
+
+[1] Triggered by accessing a hardware-poisoned THP in userspace, which is
+ typically recoverable by terminating the affected process.
+
+[2] Call folio_set_has_hwpoisoned() before try_to_split_thp_page().
+
+[3] Pass the RMP_USE_SHARED_ZEROPAGE remap flag to remap_page().
+
+[4] Try to map the unused THP to zeropage.
+
+[5] Re-access pages in the hw-poisoned THP in the kernel.
+
+[6] Triggered in-kernel, leading to a panic kernel.
+
+In Step[2], memory_failure() sets the poisoned flag on the page in the THP
+by TestSetPageHWPoison() before calling try_to_split_thp_page().
+
+As suggested by David Hildenbrand, fix this panic by not accessing to the
+poisoned page in the THP during zeropage identification, while continuing
+to scan unaffected pages in the THP for possible zeropage mapping. This
+prevents a second in-kernel #MC that would cause kernel panic in Step[4].
+
+Thanks to Andrew Zaborowski for his initial work on fixing this issue.
+
+Link: https://lkml.kernel.org/r/20251015064926.1887643-1-qiuxu.zhuo@intel.com
+Link: https://lkml.kernel.org/r/20251011075520.320862-1-qiuxu.zhuo@intel.com
+Fixes: b1f202060afe ("mm: remap unused subpages to shared zeropage when splitting isolated thp")
+Signed-off-by: Qiuxu Zhuo
+Reported-by: Farrah Chen
+Suggested-by: David Hildenbrand
+Acked-by: David Hildenbrand
+Tested-by: Farrah Chen
+Tested-by: Qiuxu Zhuo
+Acked-by: Lance Yang
+Reviewed-by: Wei Yang
+Acked-by: Zi Yan
+Reviewed-by: Miaohe Lin
+Cc: Barry Song
+Cc: Dev Jain
+Cc: Jiaqi Yan
+Cc: Liam Howlett
+Cc: Lorenzo Stoakes
+Cc: "Luck, Tony"
+Cc: Mariano Pache
+Cc: Miaohe Lin
+Cc: Naoya Horiguchi
+Cc: Ryan Roberts
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/huge_memory.c | 3 +++
+ mm/migrate.c | 3 ++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -3720,6 +3720,9 @@ static bool thp_underused(struct folio *
+ if (khugepaged_max_ptes_none == HPAGE_PMD_NR - 1)
+ return false;
+
++ if (folio_contain_hwpoisoned_page(folio))
++ return false;
++
+ for (i = 0; i < folio_nr_pages(folio); i++) {
+ if (pages_identical(folio_page(folio, i), ZERO_PAGE(0))) {
+ if (++num_zero_pages > khugepaged_max_ptes_none)
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -203,8 +203,9 @@ static bool try_to_map_unused_to_zeropag
+ struct page *page = folio_page(folio, idx);
+ pte_t newpte;
+
+- if (PageCompound(page))
++ if (PageCompound(page) || PageHWPoison(page))
+ return false;
++
+ VM_BUG_ON_PAGE(!PageAnon(page), page);
+ VM_BUG_ON_PAGE(!PageLocked(page), page);
+ VM_BUG_ON_PAGE(pte_present(old_pte), page);
diff --git a/queue-6.12/net-bonding-fix-possible-peer-notify-event-loss-or-dup-issue.patch b/queue-6.12/net-bonding-fix-possible-peer-notify-event-loss-or-dup-issue.patch
new file mode 100644
index 0000000000..c35d4166b8
--- /dev/null
+++ b/queue-6.12/net-bonding-fix-possible-peer-notify-event-loss-or-dup-issue.patch
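Review bot: Neither the new `PageHWPoison(page)` test in try_to_map_unused_to_zeropage() (mm/migrate.c) nor the `folio_contain_hwpoisoned_page(folio)` early return in thp_underused() (mm/huge_memory.c) carries a comment, and the reason for them is not obvious from the code alone. According to the commit message, the zero-page scan reads page contents, and reading a poisoned page in kernel context raises a second machine check that panics the system. A short comment at each site would keep a later cleanup from dropping the check, e.g. `/* Never read a hwpoisoned page: scanning it for zeroes would consume the poison in kernel context */`. For the 6.12 backport it is also worth confirming that folio_contain_hwpoisoned_page() exists in that tree, since the hunk shows only its use. Both functions extend beyond the hunks shown.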
@@ -0,0 +1,113 @@
+From 10843e1492e474c02b91314963161731fa92af91 Mon Sep 17 00:00:00 2001
+From: Tonghao Zhang
+Date: Tue, 21 Oct 2025 13:09:33 +0800
+Subject: net: bonding: fix possible peer notify event loss or dup issue
+
+From: Tonghao Zhang
+
+commit 10843e1492e474c02b91314963161731fa92af91 upstream.
+
+If the send_peer_notif counter and the peer event notify are not synchronized.
+It may cause problems such as the loss or dup of peer notify event.
+
+Before this patch:
+- If should_notify_peers is true and the lock for send_peer_notif-- fails, peer
+ event may be sent again in next mii_monitor loop, because should_notify_peers
+ is still true.
+- If should_notify_peers is true and the lock for send_peer_notif-- succeeded,
+ but the lock for peer event fails, the peer event will be lost.
+
+This patch locks the RTNL for send_peer_notif, events, and commit simultaneously.
+
+Fixes: 07a4ddec3ce9 ("bonding: add an option to specify a delay between peer notifications")
+Cc: Jay Vosburgh
+Cc: Andrew Lunn
+Cc: Eric Dumazet
+Cc: Jakub Kicinski
+Cc: Paolo Abeni
+Cc: Hangbin Liu
+Cc: Nikolay Aleksandrov
+Cc: Vincent Bernat
+Cc:
+Signed-off-by: Tonghao Zhang
+Acked-by: Jay Vosburgh
+Link: https://patch.msgid.link/20251021050933.46412-1-tonghao@bamaicloud.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/bonding/bond_main.c | 40 ++++++++++++++++++----------------------
+ 1 file changed, 18 insertions(+), 22 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2951,7 +2951,7 @@ static void bond_mii_monitor(struct work
+ {
+ struct bonding *bond = container_of(work, struct bonding,
+ mii_work.work);
+- bool should_notify_peers = false;
++ bool should_notify_peers;
+ bool commit;
+ unsigned long delay;
+ struct slave *slave;
+@@ -2963,30 +2963,33 @@ static void bond_mii_monitor(struct work
+ goto re_arm;
+
+ rcu_read_lock();
++
+ should_notify_peers = bond_should_notify_peers(bond);
+ commit = !!bond_miimon_inspect(bond);
+- if (bond->send_peer_notif) {
+- rcu_read_unlock();
+- if (rtnl_trylock()) {
+- bond->send_peer_notif--;
+- rtnl_unlock();
+- }
+- } else {
+- rcu_read_unlock();
+- }
+
+- if (commit) {
++ rcu_read_unlock();
++
++ if (commit || bond->send_peer_notif) {
+ /* Race avoidance with bond_close cancel of workqueue */
+ if (!rtnl_trylock()) {
+ delay = 1;
+- should_notify_peers = false;
+ goto re_arm;
+ }
+
+- bond_for_each_slave(bond, slave, iter) {
+- bond_commit_link_state(slave, BOND_SLAVE_NOTIFY_LATER);
++ if (commit) {
++ bond_for_each_slave(bond, slave, iter) {
++ bond_commit_link_state(slave,
++ BOND_SLAVE_NOTIFY_LATER);
++ }
++ bond_miimon_commit(bond);
++ }
++
++ if (bond->send_peer_notif) {
++ bond->send_peer_notif--;
++ if (should_notify_peers)
++ call_netdevice_notifiers(NETDEV_NOTIFY_PEERS,
++ bond->dev);
+ }
+- bond_miimon_commit(bond);
+
+ rtnl_unlock(); /* might sleep, hold no other locks */
+ }
+@@ -2994,13 +2997,6 @@ static void bond_mii_monitor(struct work
+ re_arm:
+ if (bond->params.miimon)
+ queue_delayed_work(bond->wq, &bond->mii_work, delay);
+-
+- if (should_notify_peers) {
+- if (!rtnl_trylock())
+- return;
+- call_netdevice_notifiers(NETDEV_NOTIFY_PEERS, bond->dev);
+- rtnl_unlock();
+- }
+ }
+
+ static int bond_upper_dev_walk(struct net_device *upper,
diff --git a/queue-6.12/net-ravb-enforce-descriptor-type-ordering.patch b/queue-6.12/net-ravb-enforce-descriptor-type-ordering.patch
new file mode 100644
index 0000000000..e48163e879
--- /dev/null
+++ b/queue-6.12/net-ravb-enforce-descriptor-type-ordering.patch
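Review bot: In bond_mii_monitor() the new condition `if (commit || bond->send_peer_notif)` reads send_peer_notif after rcu_read_unlock() and before rtnl_trylock(), so it is a lockless read of a field that the same function decrements under RTNL. The value is tested again once RTNL is held, so the early read acts only as a hint, but nothing in the code says so. A comment such as `/* unlocked hint only; re-checked under RTNL below */` would make that explicit, as would `READ_ONCE()` if the field can be written from other contexts. Similarly, `should_notify_peers` is sampled inside the RCU section and consumed later under RTNL, so it may be stale by the time call_netdevice_notifiers() runs; whether that matters depends on code outside these hunks.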
@@ -0,0 +1,73 @@
+From 5370c31e84b0e0999c7b5ff949f4e104def35584 Mon Sep 17 00:00:00 2001
+From: Lad Prabhakar
+Date: Fri, 17 Oct 2025 16:18:29 +0100
+Subject: net: ravb: Enforce descriptor type ordering
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lad Prabhakar
+
+commit 5370c31e84b0e0999c7b5ff949f4e104def35584 upstream.
+
+Ensure the TX descriptor type fields are published in a safe order so the
+DMA engine never begins processing a descriptor chain before all descriptor
+fields are fully initialised.
+
+For multi-descriptor transmits the driver writes DT_FEND into the last
+descriptor and DT_FSTART into the first. The DMA engine begins processing
+when it observes DT_FSTART. Move the dma_wmb() barrier so it executes
+immediately after DT_FEND and immediately before writing DT_FSTART
+(and before DT_FSINGLE in the single-descriptor case). This guarantees
+that all prior CPU writes to the descriptor memory are visible to the
+device before DT_FSTART is seen.
+
+This avoids a situation where compiler/CPU reordering could publish
+DT_FSTART ahead of DT_FEND or other descriptor fields, allowing the DMA to
+start on a partially initialised chain and causing corrupted transmissions
+or TX timeouts. Such a failure was observed on RZ/G2L with an RT kernel as
+transmit queue timeouts and device resets.
+
+Fixes: 2f45d1902acf ("ravb: minimize TX data copying")
+Cc: stable@vger.kernel.org
+Co-developed-by: Fabrizio Castro
+Signed-off-by: Fabrizio Castro
+Signed-off-by: Lad Prabhakar
+Reviewed-by: Niklas Söderlund
+Link: https://patch.msgid.link/20251017151830.171062-4-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -2203,13 +2203,25 @@ static netdev_tx_t ravb_start_xmit(struc
+
+ skb_tx_timestamp(skb);
+ }
+- /* Descriptor type must be set after all the above writes */
+- dma_wmb();
++
+ if (num_tx_desc > 1) {
+ desc->die_dt = DT_FEND;
+ desc--;
++ /* When using multi-descriptors, DT_FEND needs to get written
++ * before DT_FSTART, but the compiler may reorder the memory
++ * writes in an attempt to optimize the code.
++ * Use a dma_wmb() barrier to make sure DT_FEND and DT_FSTART
++ * are written exactly in the order shown in the code.
++ * This is particularly important for cases where the DMA engine
++ * is already running when we are running this code. If the DMA
++ * sees DT_FSTART without the corresponding DT_FEND it will enter
++ * an error condition.
++ */
++ dma_wmb();
+ desc->die_dt = DT_FSTART;
+ } else {
++ /* Descriptor type must be set after all the above writes */
++ dma_wmb();
+ desc->die_dt = DT_FSINGLE;
+ }
+ ravb_modify(ndev, TCCR, TCCR_TSRQ0 << q, TCCR_TSRQ0 << q);
diff --git a/queue-6.12/net-ravb-ensure-memory-write-completes-before-ringing-tx-doorbell.patch b/queue-6.12/net-ravb-ensure-memory-write-completes-before-ringing-tx-doorbell.patch
new file mode 100644
index 0000000000..f8c6c7290b
--- /dev/null
+++ b/queue-6.12/net-ravb-ensure-memory-write-completes-before-ringing-tx-doorbell.patch
@@ -0,0 +1,52 @@
+From 706136c5723626fcde8dd8f598a4dcd251e24927 Mon Sep 17 00:00:00 2001
+From: Lad Prabhakar
+Date: Fri, 17 Oct 2025 16:18:30 +0100
+Subject: net: ravb: Ensure memory write completes before ringing TX doorbell
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lad Prabhakar
+
+commit 706136c5723626fcde8dd8f598a4dcd251e24927 upstream.
+
+Add a final dma_wmb() barrier before triggering the transmit request
+(TCCR_TSRQ) to ensure all descriptor and buffer writes are visible to
+the DMA engine.
+
+According to the hardware manual, a read-back operation is required
+before writing to the doorbell register to guarantee completion of
+previous writes. Instead of performing a dummy read, a dma_wmb() is
+used to both enforce the same ordering semantics on the CPU side and
+also to ensure completion of writes.
+
+Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
+Cc: stable@vger.kernel.org
+Co-developed-by: Fabrizio Castro
+Signed-off-by: Fabrizio Castro
+Signed-off-by: Lad Prabhakar
+Reviewed-by: Niklas Söderlund
+Link: https://patch.msgid.link/20251017151830.171062-5-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -2224,6 +2224,14 @@ static netdev_tx_t ravb_start_xmit(struc
+ dma_wmb();
+ desc->die_dt = DT_FSINGLE;
+ }
++
++ /* Before ringing the doorbell we need to make sure that the latest
++ * writes have been committed to memory, otherwise it could delay
++ * things until the doorbell is rang again.
++ * This is in replacement of the read operation mentioned in the HW
++ * manuals.
++ */
++ dma_wmb();
+ ravb_modify(ndev, TCCR, TCCR_TSRQ0 << q, TCCR_TSRQ0 << q);
+
+ priv->cur_tx[q] += num_tx_desc;
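Review bot: The comment added before the final `dma_wmb()` in ravb_start_xmit() says the barrier ensures the latest writes "have been committed to memory", which is a stronger guarantee than an ordering barrier is normally documented to give. dma_wmb() orders CPU writes to DMA-coherent memory as observed by the device; it does not by itself stand in for the read-back the hardware manual asks for. If ordering before the TCCR write is what is needed, the comment should say that, for example `/* Order the descriptor writes before the doorbell write below */`; if completion is required, that should be checked against the manual. The comment also says "is rang again" where "is rung again" is meant. ravb_modify() is defined outside the hunk, so any barrier it already implies is not visible here.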
diff --git a/queue-6.12/net-stmmac-dwmac-rk-fix-disabling-set_clock_selection.patch b/queue-6.12/net-stmmac-dwmac-rk-fix-disabling-set_clock_selection.patch
new file mode 100644
index 0000000000..fe7571caf9
--- /dev/null
+++ b/queue-6.12/net-stmmac-dwmac-rk-fix-disabling-set_clock_selection.patch
@@ -0,0 +1,51 @@
+From 7f864458e9a6d2000b726d14b3d3a706ac92a3b0 Mon Sep 17 00:00:00 2001
+From: Sebastian Reichel
+Date: Tue, 14 Oct 2025 17:49:34 +0200
+Subject: net: stmmac: dwmac-rk: Fix disabling set_clock_selection
+
+From: Sebastian Reichel
+
+commit 7f864458e9a6d2000b726d14b3d3a706ac92a3b0 upstream.
+
+On all platforms set_clock_selection() writes to a GRF register. This
+requires certain clocks running and thus should happen before the
+clocks are disabled.
+
+This has been noticed on RK3576 Sige5, which hangs during system suspend
+when trying to suspend the second network interface. Note, that
+suspending the first interface works, because the second device ensures
+that the necessary clocks for the GRF are enabled.
+
+Cc: stable@vger.kernel.org
+Fixes: 2f2b60a0ec28 ("net: ethernet: stmmac: dwmac-rk: Add gmac support for rk3588")
+Signed-off-by: Sebastian Reichel
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/20251014-rockchip-network-clock-fix-v1-1-c257b4afdf75@collabora.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
+@@ -1721,14 +1721,15 @@ static int gmac_clk_enable(struct rk_pri
+ }
+ } else {
+ if (bsp_priv->clk_enabled) {
++ if (bsp_priv->ops && bsp_priv->ops->set_clock_selection) {
++ bsp_priv->ops->set_clock_selection(bsp_priv,
++ bsp_priv->clock_input, false);
++ }
++
+ clk_bulk_disable_unprepare(bsp_priv->num_clks,
+ bsp_priv->clks);
+ clk_disable_unprepare(bsp_priv->clk_phy);
+
+- if (bsp_priv->ops && bsp_priv->ops->set_clock_selection)
+- bsp_priv->ops->set_clock_selection(bsp_priv,
+- bsp_priv->clock_input, false);
+-
+ bsp_priv->clk_enabled = false;
+ }
+ }
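Review bot: The reordered disable path in gmac_clk_enable() now depends on set_clock_selection() running before clk_bulk_disable_unprepare(), but the code gives no hint of that constraint, so a later cleanup could easily swap the order back. The commit message explains that the callback writes a GRF register that needs the clocks running. A comment above the call would preserve that, e.g. `/* Must run before the clocks are disabled: set_clock_selection() writes the GRF */`. The enable branch of the function lies outside the hunk, so whether it uses the mirror-image order (clocks on first, then selection) cannot be checked from here.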
diff --git a/queue-6.12/net-usb-rtl8150-fix-frame-padding.patch b/queue-6.12/net-usb-rtl8150-fix-frame-padding.patch
new file mode 100644
index 0000000000..e70dd4d295
--- /dev/null
+++ b/queue-6.12/net-usb-rtl8150-fix-frame-padding.patch
@@ -0,0 +1,54 @@
+From 75cea9860aa6b2350d90a8d78fed114d27c7eca2 Mon Sep 17 00:00:00 2001
+From: Michal Pecio
+Date: Tue, 14 Oct 2025 20:35:28 +0200
+Subject: net: usb: rtl8150: Fix frame padding
+
+From: Michal Pecio
+
+commit 75cea9860aa6b2350d90a8d78fed114d27c7eca2 upstream.
+
+TX frames aren't padded and unknown memory is sent into the ether.
+
+Theoretically, it isn't even guaranteed that the extra memory exists
+and can be sent out, which could cause further problems. In practice,
+I found that plenty of tailroom exists in the skb itself (in my test
+with ping at least) and skb_padto() easily succeeds, so use it here.
+
+In the event of -ENOMEM drop the frame like other drivers do.
+
+The use of one more padding byte instead of a USB zero-length packet
+is retained to avoid regression. I have a dodgy Etron xHCI controller
+which doesn't seem to support sending ZLPs at all.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Michal Pecio
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/20251014203528.3f9783c4.michal.pecio@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/rtl8150.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/rtl8150.c
++++ b/drivers/net/usb/rtl8150.c
+@@ -685,9 +685,16 @@ static netdev_tx_t rtl8150_start_xmit(st
+ rtl8150_t *dev = netdev_priv(netdev);
+ int count, res;
+
++ /* pad the frame and ensure terminating USB packet, datasheet 9.2.3 */
++ count = max(skb->len, ETH_ZLEN);
++ if (count % 64 == 0)
++ count++;
++ if (skb_padto(skb, count)) {
++ netdev->stats.tx_dropped++;
++ return NETDEV_TX_OK;
++ }
++
+ netif_stop_queue(netdev);
+- count = (skb->len < 60) ? 60 : skb->len;
+- count = (count & 0x3f) ? count : count + 1;
+ dev->tx_skb = skb;
+ usb_fill_bulk_urb(dev->tx_urb, dev->udev, usb_sndbulkpipe(dev->udev, 2),
+ skb->data, count, write_bulk_callback, dev);
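Review bot: The literal `64` in `if (count % 64 == 0)` in rtl8150_start_xmit() is unexplained. The comment mentions a terminating USB packet, so it is presumably the bulk endpoint's maximum packet size, and a named constant or a remark in the comment would say so. The comment could also state that skb_padto() zero-fills the padding, since that is what stops stale memory beyond skb->len from going out on the wire. On the drop path the function returns without touching the skb again, which is correct only because skb_padto() frees the skb on failure. A brief `/* skb already freed by skb_padto() */` next to `tx_dropped++` would guard against a double free being introduced later.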
diff --git a/queue-6.12/ocfs2-clear-extent-cache-after-moving-defragmenting-extents.patch b/queue-6.12/ocfs2-clear-extent-cache-after-moving-defragmenting-extents.patch
new file mode 100644
index 0000000000..10b603e65c
--- /dev/null
+++ b/queue-6.12/ocfs2-clear-extent-cache-after-moving-defragmenting-extents.patch
@@ -0,0 +1,62 @@
+From 78a63493f8e352296dbc7cb7b3f4973105e8679e Mon Sep 17 00:00:00 2001
+From: Deepanshu Kartikey
+Date: Thu, 9 Oct 2025 21:19:03 +0530
+Subject: ocfs2: clear extent cache after moving/defragmenting extents
+
+From: Deepanshu Kartikey
+
+commit 78a63493f8e352296dbc7cb7b3f4973105e8679e upstream.
+
+The extent map cache can become stale when extents are moved or
+defragmented, causing subsequent operations to see outdated extent flags.
+This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().
+
+The problem occurs when:
+1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED
+2. ioctl(FITRIM) triggers ocfs2_move_extents()
+3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2)
+4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()
+ which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0)
+5. The extent map cache is not invalidated after the move
+6. Later write() operations read stale cached flags (0x2) but disk has
+ updated flags (0x0), causing a mismatch
+7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers
+
+Fix by clearing the extent map cache after each extent move/defrag
+operation in __ocfs2_move_extents_range(). This ensures subsequent
+operations read fresh extent data from disk.
+
+Link: https://lore.kernel.org/all/20251009142917.517229-1-kartikey406@gmail.com/T/
+Link: https://lkml.kernel.org/r/20251009154903.522339-1-kartikey406@gmail.com
+Fixes: 53069d4e7695 ("Ocfs2/move_extents: move/defrag extents within a certain range.")
+Signed-off-by: Deepanshu Kartikey
+Reported-by: syzbot+6fdd8fa3380730a4b22c@syzkaller.appspotmail.com
+Tested-by: syzbot+6fdd8fa3380730a4b22c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?id=2959889e1f6e216585ce522f7e8bc002b46ad9e7
+Reviewed-by: Mark Fasheh
+Reviewed-by: Joseph Qi
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Jun Piao
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/move_extents.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/ocfs2/move_extents.c
++++ b/fs/ocfs2/move_extents.c
+@@ -868,6 +868,11 @@ static int __ocfs2_move_extents_range(st
+ mlog_errno(ret);
+ goto out;
+ }
++ /*
++ * Invalidate extent cache after moving/defragging to prevent
++ * stale cached data with outdated extent flags.
++ */
++ ocfs2_extent_map_trunc(inode, cpos);
+
+ context->clusters_moved += alloc_size;
+ next:
diff --git a/queue-6.12/revert-cpuidle-menu-avoid-discarding-useful-information.patch b/queue-6.12/revert-cpuidle-menu-avoid-discarding-useful-information.patch
new file mode 100644
index 0000000000..9c96d8c556
--- /dev/null
+++ b/queue-6.12/revert-cpuidle-menu-avoid-discarding-useful-information.patch
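Review bot: The `ocfs2_extent_map_trunc(inode, cpos)` call in __ocfs2_move_extents_range() sits after the error branch that ends in `goto out`, so the cache is invalidated only when the move or defrag step reports success. If that step can fail after it has already changed the on-disk extent flags, the stale cached record described in the commit message would remain. This cannot be judged from the hunk, but it is worth confirming, or the invalidation could be moved ahead of the error check. The added comment could also note that truncating from `cpos` appears to drop every cached extent at or beyond that cluster, not only the one just moved.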
@@ -0,0 +1,78 @@
+From 10fad4012234a7dea621ae17c0c9486824f645a0 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki"
+Date: Sat, 18 Oct 2025 14:27:15 +0200
+Subject: Revert "cpuidle: menu: Avoid discarding useful information"
+
+From: Rafael J. Wysocki
+
+commit 10fad4012234a7dea621ae17c0c9486824f645a0 upstream.
+
+It is reported that commit 85975daeaa4d ("cpuidle: menu: Avoid discarding
+useful information") led to a performance regression on Intel Jasper Lake
+systems because it reduced the time spent by CPUs in idle state C7 which
+is correlated to the maximum frequency the CPUs can get to because of an
+average running power limit [1].
+
+Before that commit, get_typical_interval() would have returned UINT_MAX
+whenever it had been unable to make a high-confidence prediction which
+had led to selecting the deepest available idle state too often and
+both power and performance had been inadequate as a result of that on
+some systems. However, this had not been a problem on systems with
+relatively aggressive average running power limits, like the Jasper Lake
+systems in question, because on those systems it was compensated by the
+ability to run CPUs faster.
+
+It was addressed by causing get_typical_interval() to return a number
+based on the recent idle duration information available to it even if it
+could not make a high-confidence prediction, but that clearly did not
+take the possible correlation between idle power and available CPU
+capacity into account.
+
+For this reason, revert most of the changes made by commit 85975daeaa4d,
+except for one cosmetic cleanup, and add a comment explaining the
+rationale for returning UINT_MAX from get_typical_interval() when it
+is unable to make a high-confidence prediction.
+
+Fixes: 85975daeaa4d ("cpuidle: menu: Avoid discarding useful information")
+Closes: https://lore.kernel.org/linux-pm/36iykr223vmcfsoysexug6s274nq2oimcu55ybn6ww4il3g3cv@cohflgdbpnq7/ [1]
+Reported-by: Sergey Senozhatsky
+Cc: All applicable
+Signed-off-by: Rafael J. Wysocki
+Link: https://patch.msgid.link/3663603.iIbC2pHGDl@rafael.j.wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/cpuidle/governors/menu.c | 21 +++++++++------------
+ 1 file changed, 9 insertions(+), 12 deletions(-)
+
+--- a/drivers/cpuidle/governors/menu.c
++++ b/drivers/cpuidle/governors/menu.c
+@@ -199,20 +199,17 @@ again:
+ *
+ * This can deal with workloads that have long pauses interspersed
+ * with sporadic activity with a bunch of short pauses.
++ *
++ * However, if the number of remaining samples is too small to exclude
++ * any more outliers, allow the deepest available idle state to be
++ * selected because there are systems where the time spent by CPUs in
++ * deep idle states is correlated to the maximum frequency the CPUs
++ * can get to. On those systems, shallow idle states should be avoided
++ * unless there is a clear indication that the given CPU is most likley
++ * going to be woken up shortly.
+ */
+- if (divisor * 4 <= INTERVALS * 3) {
+- /*
+- * If there are sufficiently many data points still under
+- * consideration after the outliers have been eliminated,
+- * returning without a prediction would be a mistake because it
+- * is likely that the next interval will not exceed the current
+- * maximum, so return the latter in that case.
+- */
+- if (divisor >= INTERVALS / 2)
+- return max;
+-
++ if (divisor * 4 <= INTERVALS * 3)
+ return UINT_MAX;
+- }
+
+ thresh = max - 1;
+ goto again;
diff --git a/queue-6.12/selftests-mptcp-join-mark-flush-re-add-as-skipped-if-not-supported.patch b/queue-6.12/selftests-mptcp-join-mark-flush-re-add-as-skipped-if-not-supported.patch
new file mode 100644
index 0000000000..e1368736a4
--- /dev/null
+++ b/queue-6.12/selftests-mptcp-join-mark-flush-re-add-as-skipped-if-not-supported.patch
@@ -0,0 +1,36 @@
+From d68460bc31f9c8c6fc81fbb56ec952bec18409f1 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)"
+Date: Mon, 20 Oct 2025 22:53:27 +0200
+Subject: selftests: mptcp: join: mark 'flush re-add' as skipped if not supported
+
+From: Matthieu Baerts (NGI0)
+
+commit d68460bc31f9c8c6fc81fbb56ec952bec18409f1 upstream.
+
+The call to 'continue_if' was missing: it properly marks a subtest as
+'skipped' if the attached condition is not valid.
+
+Without that, the test is wrongly marked as passed on older kernels.
+
+Fixes: e06959e9eebd ("selftests: mptcp: join: test for flush/re-add endpoints")
+Cc: stable@vger.kernel.org
+Reviewed-by: Geliang Tang
+Signed-off-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20251020-net-mptcp-c-flag-late-add-addr-v1-2-8207030cb0e8@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -3897,7 +3897,7 @@ endpoint_tests()
+
+ # flush and re-add
+ if reset_with_tcp_filter "flush re-add" ns2 10.0.3.2 REJECT OUTPUT &&
+- mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then
++ continue_if mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then
+ pm_nl_set_limits $ns1 0 2
+ pm_nl_set_limits $ns2 1 2
+ # broadcast IP: no packet for this address will be received on ns1
diff --git a/queue-6.12/selftests-mptcp-join-mark-implicit-tests-as-skipped-if-not-supported.patch b/queue-6.12/selftests-mptcp-join-mark-implicit-tests-as-skipped-if-not-supported.patch
new file mode 100644
index 0000000000..5f300008c4
--- /dev/null
+++ b/queue-6.12/selftests-mptcp-join-mark-implicit-tests-as-skipped-if-not-supported.patch
@@ -0,0 +1,45 @@
+From 973f80d715bd2504b4db6e049f292e694145cd79 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)"
+Date: Mon, 20 Oct 2025 22:53:28 +0200
+Subject: selftests: mptcp: join: mark implicit tests as skipped if not supported
+
+From: Matthieu Baerts (NGI0)
+
+commit 973f80d715bd2504b4db6e049f292e694145cd79 upstream.
+
+The call to 'continue_if' was missing: it properly marks a subtest as
+'skipped' if the attached condition is not valid.
+
+Without that, the test is wrongly marked as passed on older kernels.
+
+Fixes: 36c4127ae8dd ("selftests: mptcp: join: skip implicit tests if not supported")
+Cc: stable@vger.kernel.org
+Reviewed-by: Geliang Tang
+Signed-off-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20251020-net-mptcp-c-flag-late-add-addr-v1-3-8207030cb0e8@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -3722,7 +3722,7 @@ endpoint_tests()
+ # subflow_rebuild_header is needed to support the implicit flag
+ # userspace pm type prevents add_addr
+ if reset "implicit EP" &&
+- mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then
++ continue_if mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then
+ pm_nl_set_limits $ns1 2 2
+ pm_nl_set_limits $ns2 2 2
+ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
+@@ -3747,7 +3747,7 @@ endpoint_tests()
+ fi
+
+ if reset_with_tcp_filter "delete and re-add" ns2 10.0.3.2 REJECT OUTPUT &&
+- mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then
++ continue_if mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then
+ start_events
+ pm_nl_set_limits $ns1 0 3
+ pm_nl_set_limits $ns2 0 3
diff --git a/queue-6.12/series b/queue-6.12/series
index af52b0a957..ea0908d9f5 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -42,3 +42,28 @@ ptp-ocp-fix-typo-using-index-1-instead-of-i-in-sma-i.patch
 sctp-avoid-null-dereference-when-chunk-data-buffer-i.patch
 net-phy-micrel-always-set-shared-phydev-for-lan8814.patch
 net-mlx5-fix-ipsec-cleanup-over-mpv-device.patch
+fs-notify-call-exportfs_encode_fid-with-s_umount.patch
+net-bonding-fix-possible-peer-notify-event-loss-or-dup-issue.patch
+dma-debug-don-t-report-false-positives-with-dma_bounce_unaligned_kmalloc.patch
+arch_topology-fix-incorrect-error-check-in-topology_parse_cpu_capacity.patch
+btrfs-directly-free-partially-initialized-fs_info-in-btrfs_check_leaked_roots.patch
+gpio-pci-idio-16-define-maximum-valid-register-address-offset.patch
+gpio-104-idio-16-define-maximum-valid-register-address-offset.patch
+xfs-fix-locking-in-xchk_nlinks_collect_dir.patch
+revert-cpuidle-menu-avoid-discarding-useful-information.patch
+slab-avoid-race-on-slab-obj_exts-in-alloc_slab_obj_exts.patch
+slab-fix-obj_ext-mistakenly-considered-null-due-to-race-condition.patch
+acpica-work-around-bogus-wstringop-overread-warning-since-gcc-11.patch
+can-netlink-can_changelink-allow-disabling-of-automatic-restart.patch
+cifs-fix-tcp_server_info-credits-to-be-signed.patch
+mips-malta-fix-keyboard-resource-preventing-i8042-driver-from-registering.patch
+ocfs2-clear-extent-cache-after-moving-defragmenting-extents.patch
+vsock-fix-lock-inversion-in-vsock_assign_transport.patch
+net-stmmac-dwmac-rk-fix-disabling-set_clock_selection.patch
+net-usb-rtl8150-fix-frame-padding.patch
+net-ravb-enforce-descriptor-type-ordering.patch
+net-ravb-ensure-memory-write-completes-before-ringing-tx-doorbell.patch
+selftests-mptcp-join-mark-flush-re-add-as-skipped-if-not-supported.patch
+selftests-mptcp-join-mark-implicit-tests-as-skipped-if-not-supported.patch
+mm-prevent-poison-consumption-when-splitting-thp.patch
+drm-amd-display-increase-max-link-count-and-fix-link-enc-null-pointer-access.patch
diff --git a/queue-6.12/slab-avoid-race-on-slab-obj_exts-in-alloc_slab_obj_exts.patch b/queue-6.12/slab-avoid-race-on-slab-obj_exts-in-alloc_slab_obj_exts.patch
new file mode 100644
index 0000000000..81944be98f
--- /dev/null
+++ b/queue-6.12/slab-avoid-race-on-slab-obj_exts-in-alloc_slab_obj_exts.patch
@@ -0,0 +1,72 @@
+From 6ed8bfd24ce1cb31742b09a3eb557cd008533eec Mon Sep 17 00:00:00 2001
+From: Hao Ge
+Date: Tue, 21 Oct 2025 09:03:53 +0800
+Subject: slab: Avoid race on slab->obj_exts in alloc_slab_obj_exts
+
+From: Hao Ge
+
+commit 6ed8bfd24ce1cb31742b09a3eb557cd008533eec upstream.
+
+If two competing threads enter alloc_slab_obj_exts() and one of them
+fails to allocate the object extension vector, it might override the
+valid slab->obj_exts allocated by the other thread with
+OBJEXTS_ALLOC_FAIL. This will cause the thread that lost this race and
+expects a valid pointer to dereference a NULL pointer later on.
+
+Update slab->obj_exts atomically using cmpxchg() to avoid
+slab->obj_exts overrides by racing threads.
+
+Thanks for Vlastimil and Suren's help with debugging.
+
+Fixes: f7381b911640 ("slab: mark slab->obj_exts allocation failures unconditionally")
+Cc:
+Suggested-by: Suren Baghdasaryan
+Signed-off-by: Hao Ge
+Reviewed-by: Harry Yoo
+Reviewed-by: Suren Baghdasaryan
+Link: https://patch.msgid.link/20251021010353.1187193-1-hao.ge@linux.dev
+Signed-off-by: Vlastimil Babka
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/slub.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1943,7 +1943,7 @@ static inline void mark_objexts_empty(st
+
+ static inline void mark_failed_objexts_alloc(struct slab *slab)
+ {
+- slab->obj_exts = OBJEXTS_ALLOC_FAIL;
++ cmpxchg(&slab->obj_exts, 0, OBJEXTS_ALLOC_FAIL);
+ }
+
+ static inline void handle_failed_objexts_alloc(unsigned long obj_exts,
+@@ -2008,6 +2008,7 @@ int alloc_slab_obj_exts(struct slab *sla
+ #ifdef CONFIG_MEMCG
+ new_exts |= MEMCG_DATA_OBJEXTS;
+ #endif
++retry:
+ old_exts = READ_ONCE(slab->obj_exts);
+ handle_failed_objexts_alloc(old_exts, vec, objects);
+ if (new_slab) {
+@@ -2017,8 +2018,7 @@ int alloc_slab_obj_exts(struct slab *sla
+ * be simply assigned.
+ */
+ slab->obj_exts = new_exts;
+- } else if ((old_exts & ~OBJEXTS_FLAGS_MASK) ||
+- cmpxchg(&slab->obj_exts, old_exts, new_exts) != old_exts) {
++ } else if (old_exts & ~OBJEXTS_FLAGS_MASK) {
+ /*
+ * If the slab is already in use, somebody can allocate and
+ * assign slabobj_exts in parallel. In this case the existing
+@@ -2027,6 +2027,9 @@ int alloc_slab_obj_exts(struct slab *sla
+ mark_objexts_empty(vec);
+ kfree(vec);
+ return 0;
++ } else if (cmpxchg(&slab->obj_exts, old_exts, new_exts) != old_exts) {
++ /* Retry if a racing thread changed slab->obj_exts from under us. */
++ goto retry;
+ }
+
+ kmemleak_not_leak(vec);
diff --git a/queue-6.12/slab-fix-obj_ext-mistakenly-considered-null-due-to-race-condition.patch b/queue-6.12/slab-fix-obj_ext-mistakenly-considered-null-due-to-race-condition.patch
new file mode 100644
index 0000000000..19c6a2d8c8
--- /dev/null
+++ b/queue-6.12/slab-fix-obj_ext-mistakenly-considered-null-due-to-race-condition.patch
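Review bot: The new `retry:` loop in `alloc_slab_obj_exts()` has no stated exit condition, and the only comment (`Retry if a racing thread changed slab->obj_exts from under us.`) sits on the `goto`, not on the label. From the visible branches, a lost `cmpxchg()` means `slab->obj_exts` now holds either a vector pointer, in which case the next pass frees `vec` and returns 0, or only flag bits, in which case the exchange is attempted again; a comment at the label such as `/* Re-read: a racing thread installed either a vector (drop ours) or only flag bits (try again). */` would make that explicit. `handle_failed_objexts_alloc()` is now called once per pass with the same `vec`, and its body is not part of these hunks, so it is worth confirming that repeating it is harmless. The function starts and ends outside the hunks.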
@@ -0,0 +1,73 @@
+From 7f434e1d9a17ca5f567c9796c9c105a65c18db9a Mon Sep 17 00:00:00 2001
+From: Hao Ge
+Date: Thu, 23 Oct 2025 22:33:13 +0800
+Subject: slab: Fix obj_ext mistakenly considered NULL due to race condition
+
+From: Hao Ge
+
+commit 7f434e1d9a17ca5f567c9796c9c105a65c18db9a upstream.
+
+If two competing threads enter alloc_slab_obj_exts(), and the one that
+allocates the vector wins the cmpxchg(), the other thread that failed
+allocation mistakenly assumes that slab->obj_exts is still empty due to
+its own allocation failure. This will then trigger warnings with
+CONFIG_MEM_ALLOC_PROFILING_DEBUG checks in the subsequent free path.
+
+Therefore, let's check the result of cmpxchg() to see if marking the
+allocation as failed was successful. If it wasn't, check whether the
+winning side has succeeded its allocation (it might have been also
+marking it as failed) and if yes, return success.
+
+Suggested-by: Harry Yoo
+Fixes: f7381b911640 ("slab: mark slab->obj_exts allocation failures unconditionally")
+Cc:
+Signed-off-by: Hao Ge
+Link: https://patch.msgid.link/20251023143313.1327968-1-hao.ge@linux.dev
+Reviewed-by: Suren Baghdasaryan
+Reviewed-by: Harry Yoo
+Signed-off-by: Vlastimil Babka
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/slub.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1941,9 +1941,9 @@ static inline void mark_objexts_empty(st
+ }
+ }
+
+-static inline void mark_failed_objexts_alloc(struct slab *slab)
++static inline bool mark_failed_objexts_alloc(struct slab *slab)
+ {
+- cmpxchg(&slab->obj_exts, 0, OBJEXTS_ALLOC_FAIL);
++ return cmpxchg(&slab->obj_exts, 0, OBJEXTS_ALLOC_FAIL) == 0;
+ }
+
+ static inline void handle_failed_objexts_alloc(unsigned long obj_exts,
+@@ -1965,7 +1965,7 @@ static inline void handle_failed_objexts
+ #else /* CONFIG_MEM_ALLOC_PROFILING_DEBUG */
+
+ static inline void mark_objexts_empty(struct slabobj_ext *obj_exts) {}
+-static inline void mark_failed_objexts_alloc(struct slab *slab) {}
++static inline bool mark_failed_objexts_alloc(struct slab *slab) { return false; }
+ static inline void handle_failed_objexts_alloc(unsigned long obj_exts,
+ struct slabobj_ext *vec, unsigned int objects) {}
+
+@@ -1998,8 +1998,14 @@ int alloc_slab_obj_exts(struct slab *sla
+ vec = kcalloc_node(objects, sizeof(struct slabobj_ext), gfp,
+ slab_nid(slab));
+ if (!vec) {
+- /* Mark vectors which failed to allocate */
+- mark_failed_objexts_alloc(slab);
++ /*
++ * Try to mark vectors which failed to allocate.
++ * If this operation fails, there may be a racing process
++ * that has already completed the allocation.
++ */
++ if (!mark_failed_objexts_alloc(slab) &&
++ slab_obj_exts(slab))
++ return 0;
+
+ return -ENOMEM;
+ }
diff --git a/queue-6.12/vsock-fix-lock-inversion-in-vsock_assign_transport.patch b/queue-6.12/vsock-fix-lock-inversion-in-vsock_assign_transport.patch
new file mode 100644
index 0000000000..dad289b401
--- /dev/null
+++ b/queue-6.12/vsock-fix-lock-inversion-in-vsock_assign_transport.patch
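Review bot: The `!CONFIG_MEM_ALLOC_PROFILING_DEBUG` stub of `mark_failed_objexts_alloc()` returns `false`, which the new caller reads as "marking failed", so in that configuration every failed `kcalloc_node()` goes on to test `slab_obj_exts(slab)`. That looks intended, but nothing at the stub says so; a comment such as `/* Nothing is marked without the debug option; false makes the caller check for a racing winner. */` would state it. The commit message notes that the winning thread may itself have stored only `OBJEXTS_ALLOC_FAIL`, and `slab_obj_exts()` is not shown here, so confirm it yields NULL for a flags-only value so that this path still ends in `-ENOMEM`. `alloc_slab_obj_exts()` continues outside the hunk.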
@@ -0,0 +1,95 @@
+From f7c877e7535260cc7a21484c994e8ce7e8cb6780 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella
+Date: Tue, 21 Oct 2025 14:17:18 +0200
+Subject: vsock: fix lock inversion in vsock_assign_transport()
+
+From: Stefano Garzarella
+
+commit f7c877e7535260cc7a21484c994e8ce7e8cb6780 upstream.
+
+Syzbot reported a potential lock inversion deadlock between
+vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.
+
+The issue was introduced by commit 687aa0c5581b ("vsock: Fix
+transport_* TOCTOU") which added vsock_register_mutex locking in
+vsock_assign_transport() around the transport->release() call, that can
+call vsock_linger(). vsock_assign_transport() can be called with sk_lock
+held. vsock_linger() calls sk_wait_event() that temporarily releases and
+re-acquires sk_lock. During this window, if another thread hold
+vsock_register_mutex while trying to acquire sk_lock, a circular
+dependency is created.
+
+Fix this by releasing vsock_register_mutex before calling
+transport->release() and vsock_deassign_transport(). This is safe
+because we don't need to hold vsock_register_mutex while releasing the
+old transport, and we ensure the new transport won't disappear by
+obtaining a module reference first via try_module_get().
+
+Reported-by: syzbot+10e35716f8e4929681fa@syzkaller.appspotmail.com
+Tested-by: syzbot+10e35716f8e4929681fa@syzkaller.appspotmail.com
+Fixes: 687aa0c5581b ("vsock: Fix transport_* TOCTOU")
+Cc: mhal@rbox.co
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefano Garzarella
+Link: https://patch.msgid.link/20251021121718.137668-1-sgarzare@redhat.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/af_vsock.c | 38 +++++++++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -487,12 +487,26 @@ int vsock_assign_transport(struct vsock_
+ goto err;
+ }
+
+- if (vsk->transport) {
+- if (vsk->transport == new_transport) {
+- ret = 0;
+- goto err;
+- }
++ if (vsk->transport && vsk->transport == new_transport) {
++ ret = 0;
++ goto err;
++ }
++
++ /* We increase the module refcnt to prevent the transport unloading
++ * while there are open sockets assigned to it.
++ */
++ if (!new_transport || !try_module_get(new_transport->module)) {
++ ret = -ENODEV;
++ goto err;
++ }
++
++ /* It's safe to release the mutex after a successful try_module_get().
++ * Whichever transport `new_transport` points at, it won't go away until
++ * the last module_put() below or in vsock_deassign_transport().
++ */
++ mutex_unlock(&vsock_register_mutex);
+
++ if (vsk->transport) {
+ /* transport->release() must be called with sock lock acquired.
+ * This path can only be taken during vsock_connect(), where we
+ * have already held the sock lock. In the other cases, this
+@@ -512,20 +526,6 @@ int vsock_assign_transport(struct vsock_
+ vsk->peer_shutdown = 0;
+ }
+
+- /* We increase the module refcnt to prevent the transport unloading
+- * while there are open sockets assigned to it.
+- */
+- if (!new_transport || !try_module_get(new_transport->module)) {
+- ret = -ENODEV;
+- goto err;
+- }
+-
+- /* It's safe to release the mutex after a successful try_module_get().
+- * Whichever transport `new_transport` points at, it won't go away until
+- * the last module_put() below or in vsock_deassign_transport().
+- */
+- mutex_unlock(&vsock_register_mutex);
+-
+ if (sk->sk_type == SOCK_SEQPACKET) {
+ if (!new_transport->seqpacket_allow ||
+ !new_transport->seqpacket_allow(remote_cid)) {
diff --git a/queue-6.12/xfs-fix-locking-in-xchk_nlinks_collect_dir.patch b/queue-6.12/xfs-fix-locking-in-xchk_nlinks_collect_dir.patch
new file mode 100644
index 0000000000..b149d46e76
--- /dev/null
+++ b/queue-6.12/xfs-fix-locking-in-xchk_nlinks_collect_dir.patch
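Review bot: The relocated comment above `mutex_unlock(&vsock_register_mutex)` explains only why `new_transport` stays valid, although the unlock now also precedes the old transport's `release()` in the `if (vsk->transport)` block. The commit message gives the reasoning for the old transport, but the code does not; I would extend the comment with a line such as `* The old transport is torn down below without the mutex; it is not needed for that.` so the next reader does not move the unlock back. The `err` label is outside these hunks: if it drops `vsock_register_mutex`, any failure path later added after the unlock must not use `goto err`, which deserves a short reminder next to the unlock. `vsock_assign_transport()` starts and ends outside the hunks.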
@@ -0,0 +1,98 @@
+From f477af0cfa0487eddec66ffe10fd9df628ba6f52 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong"
+Date: Tue, 21 Oct 2025 11:30:43 -0700
+Subject: xfs: fix locking in xchk_nlinks_collect_dir
+
+From: Darrick J. Wong
+
+commit f477af0cfa0487eddec66ffe10fd9df628ba6f52 upstream.
+
+On a filesystem with parent pointers, xchk_nlinks_collect_dir walks both
+the directory entries (data fork) and the parent pointers (attr fork) to
+determine the correct link count. Unfortunately I forgot to update the
+lock mode logic to handle the case of a directory whose attr fork is in
+btree format and has not yet been loaded *and* whose data fork doesn't
+need loading.
+
+This leads to a bunch of assertions from xfs/286 in xfs_iread_extents
+because we only took ILOCK_SHARED, not ILOCK_EXCL. You'd need the rare
+happenstance of a directory with a large number of non-pptr extended
+attributes set and enough memory pressure to cause the directory to be
+evicted and partially reloaded from disk.
+
+I /think/ this only started in 6.18-rc1 because I've started seeing OOM
+errors with the maple tree slab using 70% of memory, and this didn't
+happen in 6.17. Yay dynamic systems!
+
+Cc: stable@vger.kernel.org # v6.10
+Fixes: 77ede5f44b0d86 ("xfs: walk directory parent pointers to determine backref count")
+Signed-off-by: Darrick J. Wong
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Carlos Maiolino
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/scrub/nlinks.c | 34 +++++++++++++++++++++++++++++++---
+ 1 file changed, 31 insertions(+), 3 deletions(-)
+
+diff --git a/fs/xfs/scrub/nlinks.c b/fs/xfs/scrub/nlinks.c
+index 26721fab5cab..091c79e432e5 100644
+--- a/fs/xfs/scrub/nlinks.c
++++ b/fs/xfs/scrub/nlinks.c
+@@ -376,6 +376,36 @@ xchk_nlinks_collect_pptr(
+ return error;
+ }
+
++static uint
++xchk_nlinks_ilock_dir(
++ struct xfs_inode *ip)
++{
++ uint lock_mode = XFS_ILOCK_SHARED;
++
++ /*
++ * We're going to scan the directory entries, so we must be ready to
++ * pull the data fork mappings into memory if they aren't already.
++ */
++ if (xfs_need_iread_extents(&ip->i_df))
++ lock_mode = XFS_ILOCK_EXCL;
++
++ /*
++ * We're going to scan the parent pointers, so we must be ready to
++ * pull the attr fork mappings into memory if they aren't already.
++ */
++ if (xfs_has_parent(ip->i_mount) && xfs_inode_has_attr_fork(ip) &&
++ xfs_need_iread_extents(&ip->i_af))
++ lock_mode = XFS_ILOCK_EXCL;
++
++ /*
++ * Take the IOLOCK so that other threads cannot start a directory
++ * update while we're scanning.
++ */
++ lock_mode |= XFS_IOLOCK_SHARED;
++ xfs_ilock(ip, lock_mode);
++ return lock_mode;
++}
++
+ /* Walk a directory to bump the observed link counts of the children. */
+ STATIC int
+ xchk_nlinks_collect_dir(
+@@ -394,8 +424,7 @@ xchk_nlinks_collect_dir(
+ return 0;
+
+ /* Prevent anyone from changing this directory while we walk it. */
+- xfs_ilock(dp, XFS_IOLOCK_SHARED);
+- lock_mode = xfs_ilock_data_map_shared(dp);
++ lock_mode = xchk_nlinks_ilock_dir(dp);
+
+ /*
+ * The dotdot entry of an unlinked directory still points to the last
+@@ -452,7 +481,6 @@ xchk_nlinks_collect_dir(
+ xchk_iscan_abort(&xnc->collect_iscan);
+ out_unlock:
+ xfs_iunlock(dp, lock_mode);
+- xfs_iunlock(dp, XFS_IOLOCK_SHARED);
+ return error;
+ }
+
+--
+2.51.1
+
--
2.47.3
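Review bot: `xchk_nlinks_ilock_dir()` is added without a header comment, while the neighbouring `xchk_nlinks_collect_dir()` has one, and its contract is easy to miss. It takes the locks itself and returns a mode that already includes `XFS_IOLOCK_SHARED`, which is why the separate `xfs_iunlock(dp, XFS_IOLOCK_SHARED)` at `out_unlock` is dropped and a single `xfs_iunlock(dp, lock_mode)` remains. I would add `/* Lock a directory for the nlinks scan; returns the combined ILOCK|IOLOCK mode the caller must pass to xfs_iunlock(). */` above `static uint`. `xchk_nlinks_collect_dir()` itself starts and ends outside the hunks.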