From: Sasha Levin Date: Wed, 10 Jun 2026 16:42:55 +0000 (-0400) Subject: Fixes for all trees X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=fbf0ed008d9d25f4e04a90f33c9ac298544936a3;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for all trees Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch b/queue-5.10/alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch new file mode 100644 index 0000000000..d89a1fc85f --- /dev/null +++ b/queue-5.10/alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch 
@@ -0,0 +1,66 @@ +From 23aec71e2f8de34b33c518d8f213f4b7afad5d96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2026 14:25:59 +0000 +Subject: ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on + linked streams + +From: Ji'an Zhou + +[ Upstream commit 88fe2e3658726cb21ff2dcf9770bf672f9b9d31b ] + +snd_pcm_drain() uses init_waitqueue_entry which does not clear +entry.prev/next, and add_wait_queue with a conditional +remove_wait_queue that is skipped when to_check is no longer +in the group after concurrent UNLINK. The orphaned wait entry +remains on the unlinked substream sleep queue. On the next +drain iteration, add_wait_queue adds the entry to a new queue +while still linked on the old one, corrupting both lists. A +subsequent wake_up dereferences NULL at the func pointer +(mapped from the spinlock at offset 0 of the misinterpreted +wait_queue_head_t), causing a kernel panic. + +Replace init_waitqueue_entry/add_wait_queue/conditional +remove_wait_queue with init_wait_entry/prepare_to_wait/ +finish_wait. init_wait_entry clears prev/next via +INIT_LIST_HEAD on each iteration and sets +autoremove_wake_function which auto-removes the entry on +wake-up. finish_wait safely handles both the already-removed +and still-queued cases. 
+ +Fixes: 9b1dbd69ba6f ("ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain") +Signed-off-by: Ji'an Zhou +Link: https://patch.msgid.link/20260604142559.3840881-1-eilaimemedsnaimel@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/pcm_native.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c +index 09b4ad414ffbe0..51e5dd9ee793b5 100644 +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -2161,9 +2161,8 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream, + drain_no_period_wakeup = to_check->no_period_wakeup; + drain_rate = to_check->rate; + drain_bufsz = to_check->buffer_size; +- init_waitqueue_entry(&wait, current); +- set_current_state(TASK_INTERRUPTIBLE); +- add_wait_queue(&to_check->sleep, &wait); ++ init_wait_entry(&wait, 0); ++ prepare_to_wait(&to_check->sleep, &wait, TASK_INTERRUPTIBLE); + snd_pcm_stream_unlock_irq(substream); + if (drain_no_period_wakeup) + tout = MAX_SCHEDULE_TIMEOUT; +@@ -2181,7 +2180,7 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream, + group = snd_pcm_stream_group_ref(substream); + snd_pcm_group_for_each_entry(s, substream) { + if (s->runtime == to_check) { +- remove_wait_queue(&to_check->sleep, &wait); ++ finish_wait(&to_check->sleep, &wait); + break; + } + } +-- +2.53.0 + diff --git a/queue-5.10/series b/queue-5.10/series index b33a51540e..f28961038e 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -147,3 +147,6 @@ ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch sctp-purge-outqueue-on-stale-cookie-echo-handling.patch i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch +signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch +time-fix-off-by-one-in-settimeofday-usec-validation.patch +alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch 
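Review bot: the finish_wait() in the second hunk is still only reached when to_check is found in the group, so the fix relies on autoremove_wake_function having already unlinked the entry in the unlinked-stream case. That holds for the wake-up path, but when schedule_timeout() returns because of the timeout or a pending signal (the context after the first hunk, `tout = MAX_SCHEDULE_TIMEOUT` and friends) no wake-up has fired; if to_check was unlinked in the meantime the entry stays on that substream's sleep queue while &wait is a stack variable of snd_pcm_drain(). Worth either confirming in the commit message that the unlink path wakes to_check->sleep (so the auto-remove covers it) or calling finish_wait() unconditionally before the group walk when the runtime is still valid. The switch from init_waitqueue_entry()/set_current_state()/add_wait_queue() to init_wait_entry(&wait, 0) plus prepare_to_wait() is otherwise correct: prepare_to_wait() sets TASK_INTERRUPTIBLE under the queue lock, so the removed explicit set_current_state() is not needed.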
diff --git a/queue-5.10/signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch b/queue-5.10/signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch new file mode 100644 index 0000000000..fcb92f5c3d --- /dev/null +++ b/queue-5.10/signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch 
@@ -0,0 +1,72 @@ +From 214b5b0ddd9de5745a142e89244fd395a1e094b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2026 16:22:40 +0200 +Subject: signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() + +From: Aleksandr Nogikh + +[ Upstream commit 90918794a4e2c3b440f8fcf3847765a8b1d81b25 ] + +When a multi-threaded process receives a stop signal (e.g., SIGSTOP), +do_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all +threads and sets signal->group_stop_count to the number of threads. If +one of the threads concurrently calls execve(), de_thread() invokes +zap_other_threads() to kill all other threads. zap_other_threads() +aborts the pending group stop by resetting signal->group_stop_count to 0 +and clears the JOBCTL_PENDING_MASK for all other threads. However, it +fails to clear the job control flags for the calling thread. + +When execve() completes, the calling thread returns to user mode and +checks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag, +it calls do_signal_stop(), which invokes task_participate_group_stop(). +Since JOBCTL_STOP_CONSUME is still set, it attempts to decrement the +already-zero signal->group_stop_count, triggering a warning: + +sig->group_stop_count == 0 +WARNING: CPU: 1 PID: 6475 at kernel/signal.c:373 +task_participate_group_stop+0x215/0x2d0 +Call Trace: + + do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619 + get_signal+0xa8c/0x1330 kernel/signal.c:2884 + arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337 + exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98 + do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +Fix this race condition by clearing the JOBCTL_PENDING_MASK for the +calling thread in zap_other_threads(), ensuring it does not retain any +stale job control state after the thread group is destroyed. 
This aligns +with other functions that tear down a thread group and abort group +stops, such as zap_process() and complete_signal(), which correctly +clear these flags for all threads including the current one. + +Fixes: 39efa3ef3a37 ("signal: Use GROUP_STOP_PENDING to stop once for a single group stop") +Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview syzbot +Reported-by: syzbot+b109633ea805cac54a61@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b109633ea805cac54a61 +Link: https://syzkaller.appspot.com/ai_job?id=d70208cc-862b-4fe3-bf02-3031e10cd0b3 +Signed-off-by: Aleksandr Nogikh +Link: https://patch.msgid.link/20260521142240.2973022-1-nogikh@google.com +Signed-off-by: Christian Brauner (Amutable) +Signed-off-by: Sasha Levin +--- + kernel/signal.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/signal.c b/kernel/signal.c +index 7a9af6d4f2b01e..463b798651b6a6 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -1351,6 +1351,7 @@ int zap_other_threads(struct task_struct *p) + int count = 0; + + p->signal->group_stop_count = 0; ++ task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK); + + while_each_thread(p, t) { + task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK); +-- +2.53.0 + diff --git a/queue-5.10/time-fix-off-by-one-in-settimeofday-usec-validation.patch b/queue-5.10/time-fix-off-by-one-in-settimeofday-usec-validation.patch new file mode 100644 index 0000000000..45eb19e5f6 --- /dev/null +++ b/queue-5.10/time-fix-off-by-one-in-settimeofday-usec-validation.patch 
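Review bot: the added `task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK);` is placed right after `p->signal->group_stop_count = 0;` and mirrors the per-thread call inside the loop; since while_each_thread(p, t) starts from p and never revisits it, p is now cleared exactly once and no thread is cleared twice. Two things I would add: a one-line comment above the new call explaining that the caller itself can still carry JOBCTL_STOP_PENDING/JOBCTL_STOP_CONSUME from an aborted group stop (the execve/de_thread race in the message is not obvious from the code), and a confirmation that the new call is reached under the same sighand->siglock the existing per-thread calls already require, since the hunk shows no locking change and inherits whatever zap_other_threads() holds.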
@@ -0,0 +1,44 @@ +From d26016abff9973dd02112c7313014f552ef0a663 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jun 2026 23:37:37 +0530 +Subject: time: Fix off-by-one in settimeofday() usec validation + +From: Naveen Kumar Chaudhary + +[ Upstream commit ce4abda5e12622f33450159e76c8f56d28d7f03d ] + +The validation check uses '>' instead of '>=' when comparing tv_usec +against USEC_PER_SEC, allowing the value 1000000 through. After +conversion to nanoseconds (*= 1000), this produces tv_nsec == +NSEC_PER_SEC, violating the timespec invariant that tv_nsec must be +less than NSEC_PER_SEC. + +Use '>=' to reject tv_usec values that are not in the valid range of +0 to 999999. + +Fixes: 5e0fb1b57bea ("y2038: time: avoid timespec usage in settimeofday()") +Signed-off-by: Naveen Kumar Chaudhary +Signed-off-by: Thomas Gleixner +Acked-by: John Stultz +Link: https://patch.msgid.link/4rikk44zew3s6577dugmx4jyblz7o5c57niuap6ct3td5yfm6w@gh7pcumg7qor +Signed-off-by: Sasha Levin +--- + kernel/time/time.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/time/time.c b/kernel/time/time.c +index 37c381607f3729..808ce6f4953572 100644 +--- a/kernel/time/time.c ++++ b/kernel/time/time.c +@@ -207,7 +207,7 @@ SYSCALL_DEFINE2(settimeofday, struct __kernel_old_timeval __user *, tv, + get_user(new_ts.tv_nsec, &tv->tv_usec)) + return -EFAULT; + +- if (new_ts.tv_nsec > USEC_PER_SEC || new_ts.tv_nsec < 0) ++ if (new_ts.tv_nsec >= USEC_PER_SEC || new_ts.tv_nsec < 0) + return -EINVAL; + + new_ts.tv_nsec *= NSEC_PER_USEC; +-- +2.53.0 + diff --git a/queue-5.15/series b/queue-5.15/series index bda8e4893b..26ca9e23a6 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
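Review bot: the corrected check `new_ts.tv_nsec >= USEC_PER_SEC` is right (USEC_PER_SEC is 1000000, so exactly the 1000000 value described in the message is now rejected and 0..999999 still passes), but the hunk would benefit from a comment: the microsecond value is read with `get_user(new_ts.tv_nsec, &tv->tv_usec)` into the tv_nsec field and compared against USEC_PER_SEC there, and only converted two lines later by `new_ts.tv_nsec *= NSEC_PER_USEC`. Without a note that tv_nsec temporarily holds raw microseconds, the comparison reads like a units mismatch and invites a future "fix" that reintroduces the bug. The change also tightens the ABI slightly (tv_usec == 1000000 now returns -EINVAL instead of producing an invalid timespec), which is the correct behaviour and worth one sentence in the stable changelog.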
@@ -169,3 +169,5 @@ ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch sctp-purge-outqueue-on-stale-cookie-echo-handling.patch i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch +signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch +time-fix-off-by-one-in-settimeofday-usec-validation.patch diff --git a/queue-5.15/signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch b/queue-5.15/signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch new file mode 100644 index 0000000000..373cc14e8e --- /dev/null +++ b/queue-5.15/signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch 
@@ -0,0 +1,72 @@ +From 0aa82f45e94235b328082172fa30720bc3dcdbce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2026 16:22:40 +0200 +Subject: signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() + +From: Aleksandr Nogikh + +[ Upstream commit 90918794a4e2c3b440f8fcf3847765a8b1d81b25 ] + +When a multi-threaded process receives a stop signal (e.g., SIGSTOP), +do_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all +threads and sets signal->group_stop_count to the number of threads. If +one of the threads concurrently calls execve(), de_thread() invokes +zap_other_threads() to kill all other threads. zap_other_threads() +aborts the pending group stop by resetting signal->group_stop_count to 0 +and clears the JOBCTL_PENDING_MASK for all other threads. However, it +fails to clear the job control flags for the calling thread. + +When execve() completes, the calling thread returns to user mode and +checks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag, +it calls do_signal_stop(), which invokes task_participate_group_stop(). +Since JOBCTL_STOP_CONSUME is still set, it attempts to decrement the +already-zero signal->group_stop_count, triggering a warning: + +sig->group_stop_count == 0 +WARNING: CPU: 1 PID: 6475 at kernel/signal.c:373 +task_participate_group_stop+0x215/0x2d0 +Call Trace: + + do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619 + get_signal+0xa8c/0x1330 kernel/signal.c:2884 + arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337 + exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98 + do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +Fix this race condition by clearing the JOBCTL_PENDING_MASK for the +calling thread in zap_other_threads(), ensuring it does not retain any +stale job control state after the thread group is destroyed. 
This aligns +with other functions that tear down a thread group and abort group +stops, such as zap_process() and complete_signal(), which correctly +clear these flags for all threads including the current one. + +Fixes: 39efa3ef3a37 ("signal: Use GROUP_STOP_PENDING to stop once for a single group stop") +Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview syzbot +Reported-by: syzbot+b109633ea805cac54a61@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b109633ea805cac54a61 +Link: https://syzkaller.appspot.com/ai_job?id=d70208cc-862b-4fe3-bf02-3031e10cd0b3 +Signed-off-by: Aleksandr Nogikh +Link: https://patch.msgid.link/20260521142240.2973022-1-nogikh@google.com +Signed-off-by: Christian Brauner (Amutable) +Signed-off-by: Sasha Levin +--- + kernel/signal.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/signal.c b/kernel/signal.c +index 8fc1da382448e0..10a315e461d34b 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -1364,6 +1364,7 @@ int zap_other_threads(struct task_struct *p) + int count = 0; + + p->signal->group_stop_count = 0; ++ task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK); + + while_each_thread(p, t) { + task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK); +-- +2.53.0 + diff --git a/queue-5.15/time-fix-off-by-one-in-settimeofday-usec-validation.patch b/queue-5.15/time-fix-off-by-one-in-settimeofday-usec-validation.patch new file mode 100644 index 0000000000..5216981d35 --- /dev/null +++ b/queue-5.15/time-fix-off-by-one-in-settimeofday-usec-validation.patch 
@@ -0,0 +1,44 @@ +From a2b864946d7b7d2817db601ec3650b505b4085a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jun 2026 23:37:37 +0530 +Subject: time: Fix off-by-one in settimeofday() usec validation + +From: Naveen Kumar Chaudhary + +[ Upstream commit ce4abda5e12622f33450159e76c8f56d28d7f03d ] + +The validation check uses '>' instead of '>=' when comparing tv_usec +against USEC_PER_SEC, allowing the value 1000000 through. After +conversion to nanoseconds (*= 1000), this produces tv_nsec == +NSEC_PER_SEC, violating the timespec invariant that tv_nsec must be +less than NSEC_PER_SEC. + +Use '>=' to reject tv_usec values that are not in the valid range of +0 to 999999. + +Fixes: 5e0fb1b57bea ("y2038: time: avoid timespec usage in settimeofday()") +Signed-off-by: Naveen Kumar Chaudhary +Signed-off-by: Thomas Gleixner +Acked-by: John Stultz +Link: https://patch.msgid.link/4rikk44zew3s6577dugmx4jyblz7o5c57niuap6ct3td5yfm6w@gh7pcumg7qor +Signed-off-by: Sasha Levin +--- + kernel/time/time.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/time/time.c b/kernel/time/time.c +index df582f24f0d7b2..b7f6b9dbf940cd 100644 +--- a/kernel/time/time.c ++++ b/kernel/time/time.c +@@ -207,7 +207,7 @@ SYSCALL_DEFINE2(settimeofday, struct __kernel_old_timeval __user *, tv, + get_user(new_ts.tv_nsec, &tv->tv_usec)) + return -EFAULT; + +- if (new_ts.tv_nsec > USEC_PER_SEC || new_ts.tv_nsec < 0) ++ if (new_ts.tv_nsec >= USEC_PER_SEC || new_ts.tv_nsec < 0) + return -EINVAL; + + new_ts.tv_nsec *= NSEC_PER_USEC; +-- +2.53.0 + diff --git a/queue-6.1/alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch b/queue-6.1/alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch new file mode 100644 index 0000000000..607e53a984 --- /dev/null +++ b/queue-6.1/alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch 
@@ -0,0 +1,66 @@ +From 6196eaf3ca58a8918cb55386fb49b9559d5c5fce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2026 14:25:59 +0000 +Subject: ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on + linked streams + +From: Ji'an Zhou + +[ Upstream commit 88fe2e3658726cb21ff2dcf9770bf672f9b9d31b ] + +snd_pcm_drain() uses init_waitqueue_entry which does not clear +entry.prev/next, and add_wait_queue with a conditional +remove_wait_queue that is skipped when to_check is no longer +in the group after concurrent UNLINK. The orphaned wait entry +remains on the unlinked substream sleep queue. On the next +drain iteration, add_wait_queue adds the entry to a new queue +while still linked on the old one, corrupting both lists. A +subsequent wake_up dereferences NULL at the func pointer +(mapped from the spinlock at offset 0 of the misinterpreted +wait_queue_head_t), causing a kernel panic. + +Replace init_waitqueue_entry/add_wait_queue/conditional +remove_wait_queue with init_wait_entry/prepare_to_wait/ +finish_wait. init_wait_entry clears prev/next via +INIT_LIST_HEAD on each iteration and sets +autoremove_wake_function which auto-removes the entry on +wake-up. finish_wait safely handles both the already-removed +and still-queued cases. 
+ +Fixes: 9b1dbd69ba6f ("ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain") +Signed-off-by: Ji'an Zhou +Link: https://patch.msgid.link/20260604142559.3840881-1-eilaimemedsnaimel@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/pcm_native.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c +index 7be5f25612b954..2ed9abb911a7aa 100644 +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -2178,9 +2178,8 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream, + drain_no_period_wakeup = to_check->no_period_wakeup; + drain_rate = to_check->rate; + drain_bufsz = to_check->buffer_size; +- init_waitqueue_entry(&wait, current); +- set_current_state(TASK_INTERRUPTIBLE); +- add_wait_queue(&to_check->sleep, &wait); ++ init_wait_entry(&wait, 0); ++ prepare_to_wait(&to_check->sleep, &wait, TASK_INTERRUPTIBLE); + snd_pcm_stream_unlock_irq(substream); + if (drain_no_period_wakeup) + tout = MAX_SCHEDULE_TIMEOUT; +@@ -2198,7 +2197,7 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream, + group = snd_pcm_stream_group_ref(substream); + snd_pcm_group_for_each_entry(s, substream) { + if (s->runtime == to_check) { +- remove_wait_queue(&to_check->sleep, &wait); ++ finish_wait(&to_check->sleep, &wait); + break; + } + } +-- +2.53.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 0e495616de..2ca0d63c5e 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -224,3 +224,6 @@ net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch sctp-purge-outqueue-on-stale-cookie-echo-handling.patch i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch +signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch +time-fix-off-by-one-in-settimeofday-usec-validation.patch +alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch 
diff --git a/queue-6.1/signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch b/queue-6.1/signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch new file mode 100644 index 0000000000..40393b76a6 --- /dev/null +++ b/queue-6.1/signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch 
@@ -0,0 +1,72 @@ +From 549c857db9f361cbd4ee92493e29bb6cbfeacc29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2026 16:22:40 +0200 +Subject: signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() + +From: Aleksandr Nogikh + +[ Upstream commit 90918794a4e2c3b440f8fcf3847765a8b1d81b25 ] + +When a multi-threaded process receives a stop signal (e.g., SIGSTOP), +do_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all +threads and sets signal->group_stop_count to the number of threads. If +one of the threads concurrently calls execve(), de_thread() invokes +zap_other_threads() to kill all other threads. zap_other_threads() +aborts the pending group stop by resetting signal->group_stop_count to 0 +and clears the JOBCTL_PENDING_MASK for all other threads. However, it +fails to clear the job control flags for the calling thread. + +When execve() completes, the calling thread returns to user mode and +checks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag, +it calls do_signal_stop(), which invokes task_participate_group_stop(). +Since JOBCTL_STOP_CONSUME is still set, it attempts to decrement the +already-zero signal->group_stop_count, triggering a warning: + +sig->group_stop_count == 0 +WARNING: CPU: 1 PID: 6475 at kernel/signal.c:373 +task_participate_group_stop+0x215/0x2d0 +Call Trace: + + do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619 + get_signal+0xa8c/0x1330 kernel/signal.c:2884 + arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337 + exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98 + do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +Fix this race condition by clearing the JOBCTL_PENDING_MASK for the +calling thread in zap_other_threads(), ensuring it does not retain any +stale job control state after the thread group is destroyed. 
This aligns +with other functions that tear down a thread group and abort group +stops, such as zap_process() and complete_signal(), which correctly +clear these flags for all threads including the current one. + +Fixes: 39efa3ef3a37 ("signal: Use GROUP_STOP_PENDING to stop once for a single group stop") +Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview syzbot +Reported-by: syzbot+b109633ea805cac54a61@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b109633ea805cac54a61 +Link: https://syzkaller.appspot.com/ai_job?id=d70208cc-862b-4fe3-bf02-3031e10cd0b3 +Signed-off-by: Aleksandr Nogikh +Link: https://patch.msgid.link/20260521142240.2973022-1-nogikh@google.com +Signed-off-by: Christian Brauner (Amutable) +Signed-off-by: Sasha Levin +--- + kernel/signal.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/signal.c b/kernel/signal.c +index 723c84d162ddba..98dbe713829ec3 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -1371,6 +1371,7 @@ int zap_other_threads(struct task_struct *p) + int count = 0; + + p->signal->group_stop_count = 0; ++ task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK); + + while_each_thread(p, t) { + task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK); +-- +2.53.0 + diff --git a/queue-6.1/time-fix-off-by-one-in-settimeofday-usec-validation.patch b/queue-6.1/time-fix-off-by-one-in-settimeofday-usec-validation.patch new file mode 100644 index 0000000000..64c6fe89d3 --- /dev/null +++ b/queue-6.1/time-fix-off-by-one-in-settimeofday-usec-validation.patch 
@@ -0,0 +1,44 @@ +From d00d2aa5e90153997e5035178224726064881e65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jun 2026 23:37:37 +0530 +Subject: time: Fix off-by-one in settimeofday() usec validation + +From: Naveen Kumar Chaudhary + +[ Upstream commit ce4abda5e12622f33450159e76c8f56d28d7f03d ] + +The validation check uses '>' instead of '>=' when comparing tv_usec +against USEC_PER_SEC, allowing the value 1000000 through. After +conversion to nanoseconds (*= 1000), this produces tv_nsec == +NSEC_PER_SEC, violating the timespec invariant that tv_nsec must be +less than NSEC_PER_SEC. + +Use '>=' to reject tv_usec values that are not in the valid range of +0 to 999999. + +Fixes: 5e0fb1b57bea ("y2038: time: avoid timespec usage in settimeofday()") +Signed-off-by: Naveen Kumar Chaudhary +Signed-off-by: Thomas Gleixner +Acked-by: John Stultz +Link: https://patch.msgid.link/4rikk44zew3s6577dugmx4jyblz7o5c57niuap6ct3td5yfm6w@gh7pcumg7qor +Signed-off-by: Sasha Levin +--- + kernel/time/time.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/time/time.c b/kernel/time/time.c +index 170f1f8a0046ce..0e0b54fb34905e 100644 +--- a/kernel/time/time.c ++++ b/kernel/time/time.c +@@ -207,7 +207,7 @@ SYSCALL_DEFINE2(settimeofday, struct __kernel_old_timeval __user *, tv, + get_user(new_ts.tv_nsec, &tv->tv_usec)) + return -EFAULT; + +- if (new_ts.tv_nsec > USEC_PER_SEC || new_ts.tv_nsec < 0) ++ if (new_ts.tv_nsec >= USEC_PER_SEC || new_ts.tv_nsec < 0) + return -EINVAL; + + new_ts.tv_nsec *= NSEC_PER_USEC; +-- +2.53.0 + diff --git a/queue-6.12/alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch b/queue-6.12/alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch new file mode 100644 index 0000000000..bf6b351bbe --- /dev/null +++ b/queue-6.12/alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch 
@@ -0,0 +1,66 @@ +From 0ff9b089e6f5f327ad4cb2b8183d48a9764443e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2026 14:25:59 +0000 +Subject: ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on + linked streams + +From: Ji'an Zhou + +[ Upstream commit 88fe2e3658726cb21ff2dcf9770bf672f9b9d31b ] + +snd_pcm_drain() uses init_waitqueue_entry which does not clear +entry.prev/next, and add_wait_queue with a conditional +remove_wait_queue that is skipped when to_check is no longer +in the group after concurrent UNLINK. The orphaned wait entry +remains on the unlinked substream sleep queue. On the next +drain iteration, add_wait_queue adds the entry to a new queue +while still linked on the old one, corrupting both lists. A +subsequent wake_up dereferences NULL at the func pointer +(mapped from the spinlock at offset 0 of the misinterpreted +wait_queue_head_t), causing a kernel panic. + +Replace init_waitqueue_entry/add_wait_queue/conditional +remove_wait_queue with init_wait_entry/prepare_to_wait/ +finish_wait. init_wait_entry clears prev/next via +INIT_LIST_HEAD on each iteration and sets +autoremove_wake_function which auto-removes the entry on +wake-up. finish_wait safely handles both the already-removed +and still-queued cases. 
+ +Fixes: 9b1dbd69ba6f ("ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain") +Signed-off-by: Ji'an Zhou +Link: https://patch.msgid.link/20260604142559.3840881-1-eilaimemedsnaimel@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/pcm_native.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c +index 23708dc02401f6..a57123b1d3369f 100644 +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -2176,9 +2176,8 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream, + drain_no_period_wakeup = to_check->no_period_wakeup; + drain_rate = to_check->rate; + drain_bufsz = to_check->buffer_size; +- init_waitqueue_entry(&wait, current); +- set_current_state(TASK_INTERRUPTIBLE); +- add_wait_queue(&to_check->sleep, &wait); ++ init_wait_entry(&wait, 0); ++ prepare_to_wait(&to_check->sleep, &wait, TASK_INTERRUPTIBLE); + snd_pcm_stream_unlock_irq(substream); + if (drain_no_period_wakeup) + tout = MAX_SCHEDULE_TIMEOUT; +@@ -2196,7 +2195,7 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream, + group = snd_pcm_stream_group_ref(substream); + snd_pcm_group_for_each_entry(s, substream) { + if (s->runtime == to_check) { +- remove_wait_queue(&to_check->sleep, &wait); ++ finish_wait(&to_check->sleep, &wait); + break; + } + } +-- +2.53.0 + diff --git a/queue-6.12/alsa-seq-dummy-fix-ump-event-stack-overread.patch b/queue-6.12/alsa-seq-dummy-fix-ump-event-stack-overread.patch new file mode 100644 index 0000000000..07c447d88c --- /dev/null +++ b/queue-6.12/alsa-seq-dummy-fix-ump-event-stack-overread.patch 
@@ -0,0 +1,77 @@ +From a8de25bc0e60a327a275523a3a7a275e9182508f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jun 2026 01:02:04 -0700 +Subject: ALSA: seq: dummy: fix UMP event stack overread + +From: Kyle Zeng + +[ Upstream commit 2b5ff4db5d7aa5b981d966df02e687f79ad7b311 ] + +The dummy sequencer port forwards events by copying an incoming +struct snd_seq_event into a stack temporary, rewriting source and +destination, and dispatching the temporary to subscribers. That legacy +event storage is smaller than struct snd_seq_ump_event. + +When a UMP event reaches the dummy client, the copy leaves the UMP flag +set but only provides legacy-sized stack storage. The subscriber +delivery path then uses snd_seq_event_packet_size() and copies a +UMP-sized packet from that stack object, reading past the end of the +temporary. + +Use the existing union __snd_seq_event storage and copy the packet size +reported for the incoming event before rewriting the common routing +fields. This preserves the full UMP packet for UMP events while keeping +legacy event handling unchanged. 
+ +Fixes: 32cb23a0f911 ("ALSA: seq: dummy: Allow UMP conversion") +Signed-off-by: Kyle Zeng +Link: https://patch.msgid.link/20260605080204.32045-1-kylebot@openai.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/seq/seq_dummy.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/sound/core/seq/seq_dummy.c b/sound/core/seq/seq_dummy.c +index 783fc72c2ef673..bc11e4d1edd956 100644 +--- a/sound/core/seq/seq_dummy.c ++++ b/sound/core/seq/seq_dummy.c +@@ -9,6 +9,7 @@ + #include + #include + #include "seq_clientmgr.h" ++#include "seq_memory.h" + #include + #include + +@@ -81,19 +82,21 @@ dummy_input(struct snd_seq_event *ev, int direct, void *private_data, + int atomic, int hop) + { + struct snd_seq_dummy_port *p; +- struct snd_seq_event tmpev; ++ union __snd_seq_event tmpev; ++ size_t size; + + p = private_data; + if (ev->source.client == SNDRV_SEQ_CLIENT_SYSTEM || + ev->type == SNDRV_SEQ_EVENT_KERNEL_ERROR) + return 0; /* ignore system messages */ +- tmpev = *ev; ++ size = snd_seq_event_packet_size(ev); ++ memcpy(&tmpev, ev, size); + if (p->duplex) +- tmpev.source.port = p->connect; ++ tmpev.legacy.source.port = p->connect; + else +- tmpev.source.port = p->port; +- tmpev.dest.client = SNDRV_SEQ_ADDRESS_SUBSCRIBERS; +- return snd_seq_kernel_client_dispatch(p->client, &tmpev, atomic, hop); ++ tmpev.legacy.source.port = p->port; ++ tmpev.legacy.dest.client = SNDRV_SEQ_ADDRESS_SUBSCRIBERS; ++ return snd_seq_kernel_client_dispatch(p->client, &tmpev.legacy, atomic, hop); + } + + /* +-- +2.53.0 + diff --git a/queue-6.12/series b/queue-6.12/series index 78ad79e6b0..180328093b 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
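Review bot: `memcpy(&tmpev, ev, size)` trusts snd_seq_event_packet_size(ev) to never return more than sizeof(union __snd_seq_event); that is only as safe as the helper's return values, which this hunk does not show. A bound such as `if (WARN_ON_ONCE(size > sizeof(tmpev))) return -EINVAL;` before the copy would keep the stack temporary safe if a larger packet type is added later, at no cost on the current paths. The dispatch still passes `&tmpev.legacy`, so the subscribers reading a UMP-sized packet through that pointer depend on `legacy` sitting at offset 0 of the union with the UMP body overlaid on top; a short comment stating that invariant next to the new union declaration would help the next reader. Adding "seq_memory.h" for the size helper is fine.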
@@ -57,3 +57,7 @@ net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch sctp-purge-outqueue-on-stale-cookie-echo-handling.patch i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch +signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch +time-fix-off-by-one-in-settimeofday-usec-validation.patch +alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch +alsa-seq-dummy-fix-ump-event-stack-overread.patch diff --git a/queue-6.12/signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch b/queue-6.12/signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch new file mode 100644 index 0000000000..1ad1265cc9 --- /dev/null +++ b/queue-6.12/signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch 
@@ -0,0 +1,72 @@ +From 9ae6c85c06782c7b58ca9e29c94c4fde103e5e29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2026 16:22:40 +0200 +Subject: signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() + +From: Aleksandr Nogikh + +[ Upstream commit 90918794a4e2c3b440f8fcf3847765a8b1d81b25 ] + +When a multi-threaded process receives a stop signal (e.g., SIGSTOP), +do_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all +threads and sets signal->group_stop_count to the number of threads. If +one of the threads concurrently calls execve(), de_thread() invokes +zap_other_threads() to kill all other threads. zap_other_threads() +aborts the pending group stop by resetting signal->group_stop_count to 0 +and clears the JOBCTL_PENDING_MASK for all other threads. However, it +fails to clear the job control flags for the calling thread. + +When execve() completes, the calling thread returns to user mode and +checks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag, +it calls do_signal_stop(), which invokes task_participate_group_stop(). +Since JOBCTL_STOP_CONSUME is still set, it attempts to decrement the +already-zero signal->group_stop_count, triggering a warning: + +sig->group_stop_count == 0 +WARNING: CPU: 1 PID: 6475 at kernel/signal.c:373 +task_participate_group_stop+0x215/0x2d0 +Call Trace: + + do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619 + get_signal+0xa8c/0x1330 kernel/signal.c:2884 + arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337 + exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98 + do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +Fix this race condition by clearing the JOBCTL_PENDING_MASK for the +calling thread in zap_other_threads(), ensuring it does not retain any +stale job control state after the thread group is destroyed. 
This aligns +with other functions that tear down a thread group and abort group +stops, such as zap_process() and complete_signal(), which correctly +clear these flags for all threads including the current one. + +Fixes: 39efa3ef3a37 ("signal: Use GROUP_STOP_PENDING to stop once for a single group stop") +Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview syzbot +Reported-by: syzbot+b109633ea805cac54a61@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b109633ea805cac54a61 +Link: https://syzkaller.appspot.com/ai_job?id=d70208cc-862b-4fe3-bf02-3031e10cd0b3 +Signed-off-by: Aleksandr Nogikh +Link: https://patch.msgid.link/20260521142240.2973022-1-nogikh@google.com +Signed-off-by: Christian Brauner (Amutable) +Signed-off-by: Sasha Levin +--- + kernel/signal.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/signal.c b/kernel/signal.c +index 468b589c39e695..b832158a9c4608 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -1371,6 +1371,7 @@ int zap_other_threads(struct task_struct *p) + int count = 0; + + p->signal->group_stop_count = 0; ++ task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK); + + for_other_threads(p, t) { + task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK); +-- +2.53.0 + diff --git a/queue-6.12/time-fix-off-by-one-in-settimeofday-usec-validation.patch b/queue-6.12/time-fix-off-by-one-in-settimeofday-usec-validation.patch new file mode 100644 index 0000000000..d5af12ed95 --- /dev/null +++ b/queue-6.12/time-fix-off-by-one-in-settimeofday-usec-validation.patch 
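Review bot: the new `task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK);` in zap_other_threads() carries no comment, so a reader of kernel/signal.c cannot tell why the calling thread needs clearing when the for_other_threads() loop directly below already clears every other thread. Suggest a one-line comment above it, e.g. `/* The caller may itself be part of the group stop being aborted. */`, since the reasoning (stale JOBCTL_STOP_PENDING/STOP_CONSUME on the exec'ing thread, hit when it returns to user mode) otherwise lives only in the commit log and in the zap_process()/complete_signal() analogy it cites.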
@@ -0,0 +1,44 @@ +From ae2a81f46a599026c72735a5f88385a4a98ae45d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jun 2026 23:37:37 +0530 +Subject: time: Fix off-by-one in settimeofday() usec validation + +From: Naveen Kumar Chaudhary + +[ Upstream commit ce4abda5e12622f33450159e76c8f56d28d7f03d ] + +The validation check uses '>' instead of '>=' when comparing tv_usec +against USEC_PER_SEC, allowing the value 1000000 through. After +conversion to nanoseconds (*= 1000), this produces tv_nsec == +NSEC_PER_SEC, violating the timespec invariant that tv_nsec must be +less than NSEC_PER_SEC. + +Use '>=' to reject tv_usec values that are not in the valid range of +0 to 999999. + +Fixes: 5e0fb1b57bea ("y2038: time: avoid timespec usage in settimeofday()") +Signed-off-by: Naveen Kumar Chaudhary +Signed-off-by: Thomas Gleixner +Acked-by: John Stultz +Link: https://patch.msgid.link/4rikk44zew3s6577dugmx4jyblz7o5c57niuap6ct3td5yfm6w@gh7pcumg7qor +Signed-off-by: Sasha Levin +--- + kernel/time/time.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/time/time.c b/kernel/time/time.c +index da7e8a02a0964f..a6261fadb92b15 100644 +--- a/kernel/time/time.c ++++ b/kernel/time/time.c +@@ -207,7 +207,7 @@ SYSCALL_DEFINE2(settimeofday, struct __kernel_old_timeval __user *, tv, + get_user(new_ts.tv_nsec, &tv->tv_usec)) + return -EFAULT; + +- if (new_ts.tv_nsec > USEC_PER_SEC || new_ts.tv_nsec < 0) ++ if (new_ts.tv_nsec >= USEC_PER_SEC || new_ts.tv_nsec < 0) + return -EINVAL; + + new_ts.tv_nsec *= NSEC_PER_USEC; +-- +2.53.0 + diff --git a/queue-6.18/alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch b/queue-6.18/alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch new file mode 100644 index 0000000000..9ead6693ae --- /dev/null +++ b/queue-6.18/alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch 
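Review bot: the `>` to `>=` change in the settimeofday() hunk is a user-visible behaviour change that the log should state plainly: a call with tv_usec == 1000000 used to succeed and now returns -EINVAL, which is what a stable reviewer needs to know before picking it up. A smaller point on the same lines: the microsecond value is read by get_user() straight into new_ts.tv_nsec and only scaled by NSEC_PER_USEC two lines after the check, so a short comment on the get_user() line (that tv_nsec temporarily holds microseconds) would stop the next reader from misreading `new_ts.tv_nsec >= USEC_PER_SEC` as a nanosecond comparison.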
@@ -0,0 +1,66 @@ +From 8d834a5183f8b867cdfa9650a5a3e9cab78e8542 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2026 14:25:59 +0000 +Subject: ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on + linked streams + +From: Ji'an Zhou + +[ Upstream commit 88fe2e3658726cb21ff2dcf9770bf672f9b9d31b ] + +snd_pcm_drain() uses init_waitqueue_entry which does not clear +entry.prev/next, and add_wait_queue with a conditional +remove_wait_queue that is skipped when to_check is no longer +in the group after concurrent UNLINK. The orphaned wait entry +remains on the unlinked substream sleep queue. On the next +drain iteration, add_wait_queue adds the entry to a new queue +while still linked on the old one, corrupting both lists. A +subsequent wake_up dereferences NULL at the func pointer +(mapped from the spinlock at offset 0 of the misinterpreted +wait_queue_head_t), causing a kernel panic. + +Replace init_waitqueue_entry/add_wait_queue/conditional +remove_wait_queue with init_wait_entry/prepare_to_wait/ +finish_wait. init_wait_entry clears prev/next via +INIT_LIST_HEAD on each iteration and sets +autoremove_wake_function which auto-removes the entry on +wake-up. finish_wait safely handles both the already-removed +and still-queued cases. 
+ +Fixes: 9b1dbd69ba6f ("ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain") +Signed-off-by: Ji'an Zhou +Link: https://patch.msgid.link/20260604142559.3840881-1-eilaimemedsnaimel@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/pcm_native.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c +index 495ff93fcd1db2..0ae95a46708915 100644 +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -2176,9 +2176,8 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream, + drain_no_period_wakeup = to_check->no_period_wakeup; + drain_rate = to_check->rate; + drain_bufsz = to_check->buffer_size; +- init_waitqueue_entry(&wait, current); +- set_current_state(TASK_INTERRUPTIBLE); +- add_wait_queue(&to_check->sleep, &wait); ++ init_wait_entry(&wait, 0); ++ prepare_to_wait(&to_check->sleep, &wait, TASK_INTERRUPTIBLE); + snd_pcm_stream_unlock_irq(substream); + if (drain_no_period_wakeup) + tout = MAX_SCHEDULE_TIMEOUT; +@@ -2196,7 +2195,7 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream, + group = snd_pcm_stream_group_ref(substream); + snd_pcm_group_for_each_entry(s, substream) { + if (s->runtime == to_check) { +- remove_wait_queue(&to_check->sleep, &wait); ++ finish_wait(&to_check->sleep, &wait); + break; + } + } +-- +2.53.0 + diff --git a/queue-6.18/alsa-seq-dummy-fix-ump-event-stack-overread.patch b/queue-6.18/alsa-seq-dummy-fix-ump-event-stack-overread.patch new file mode 100644 index 0000000000..25c4d7d525 --- /dev/null +++ b/queue-6.18/alsa-seq-dummy-fix-ump-event-stack-overread.patch 
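Review bot: in the second hunk finish_wait() is still only reached inside `if (s->runtime == to_check)`, so when to_check has been unlinked and the wait ended by timeout or signal rather than by a wake-up, the on-stack `wait` entry stays queued on to_check->sleep, the same situation the log names as the trigger. The INIT_LIST_HEAD done by init_wait_entry() on the next iteration stops the two lists being cross-linked, which is what the log claims to fix, but the unlinked runtime's queue still points at a stack object that disappears when snd_pcm_drain() returns. Since the conditional exists to avoid touching a runtime that may already be gone (the Fixes: target is a use-after-free on exactly that runtime), please add a comment stating what guarantees the entry is removed before the runtime is freed, e.g. a wake-up issued on unlink; without that the change reads as curing the list corruption but not the dangling entry.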
@@ -0,0 +1,77 @@ +From 2e25571bd59a6506ad25574692a8a09975455e99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jun 2026 01:02:04 -0700 +Subject: ALSA: seq: dummy: fix UMP event stack overread + +From: Kyle Zeng + +[ Upstream commit 2b5ff4db5d7aa5b981d966df02e687f79ad7b311 ] + +The dummy sequencer port forwards events by copying an incoming +struct snd_seq_event into a stack temporary, rewriting source and +destination, and dispatching the temporary to subscribers. That legacy +event storage is smaller than struct snd_seq_ump_event. + +When a UMP event reaches the dummy client, the copy leaves the UMP flag +set but only provides legacy-sized stack storage. The subscriber +delivery path then uses snd_seq_event_packet_size() and copies a +UMP-sized packet from that stack object, reading past the end of the +temporary. + +Use the existing union __snd_seq_event storage and copy the packet size +reported for the incoming event before rewriting the common routing +fields. This preserves the full UMP packet for UMP events while keeping +legacy event handling unchanged. 
+ +Fixes: 32cb23a0f911 ("ALSA: seq: dummy: Allow UMP conversion") +Signed-off-by: Kyle Zeng +Link: https://patch.msgid.link/20260605080204.32045-1-kylebot@openai.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/seq/seq_dummy.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/sound/core/seq/seq_dummy.c b/sound/core/seq/seq_dummy.c +index 783fc72c2ef673..bc11e4d1edd956 100644 +--- a/sound/core/seq/seq_dummy.c ++++ b/sound/core/seq/seq_dummy.c +@@ -9,6 +9,7 @@ + #include + #include + #include "seq_clientmgr.h" ++#include "seq_memory.h" + #include + #include + +@@ -81,19 +82,21 @@ dummy_input(struct snd_seq_event *ev, int direct, void *private_data, + int atomic, int hop) + { + struct snd_seq_dummy_port *p; +- struct snd_seq_event tmpev; ++ union __snd_seq_event tmpev; ++ size_t size; + + p = private_data; + if (ev->source.client == SNDRV_SEQ_CLIENT_SYSTEM || + ev->type == SNDRV_SEQ_EVENT_KERNEL_ERROR) + return 0; /* ignore system messages */ +- tmpev = *ev; ++ size = snd_seq_event_packet_size(ev); ++ memcpy(&tmpev, ev, size); + if (p->duplex) +- tmpev.source.port = p->connect; ++ tmpev.legacy.source.port = p->connect; + else +- tmpev.source.port = p->port; +- tmpev.dest.client = SNDRV_SEQ_ADDRESS_SUBSCRIBERS; +- return snd_seq_kernel_client_dispatch(p->client, &tmpev, atomic, hop); ++ tmpev.legacy.source.port = p->port; ++ tmpev.legacy.dest.client = SNDRV_SEQ_ADDRESS_SUBSCRIBERS; ++ return snd_seq_kernel_client_dispatch(p->client, &tmpev.legacy, atomic, hop); + } + + /* +-- +2.53.0 + diff --git a/queue-6.18/drivers-hv-vmbus-protocol-version-6.0.patch b/queue-6.18/drivers-hv-vmbus-protocol-version-6.0.patch new file mode 100644 index 0000000000..c02f9073b3 --- /dev/null +++ b/queue-6.18/drivers-hv-vmbus-protocol-version-6.0.patch 
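Review bot: in the dummy_input() hunk `size = snd_seq_event_packet_size(ev); memcpy(&tmpev, ev, size);` has no check that size fits in `union __snd_seq_event tmpev`. It does for the legacy and UMP sizes the log describes, but this bug was itself a mismatch between an event's size and its storage, so pinning the assumption with something like `if (WARN_ON_ONCE(size > sizeof(tmpev))) return -EINVAL;` (or clamping with min()) makes the overread impossible to reintroduce if a larger packet type is ever added. Minor: the log could state explicitly that rewriting source.port/dest.client through tmpev.legacy is valid for UMP events because the common routing header is shared between the two layouts; that is implied but not said.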
@@ -0,0 +1,193 @@ +From e3900e981a2338ad45dafa6b8bcf3c5d291f124a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Oct 2025 16:34:04 -0700 +Subject: Drivers: hv: VMBus protocol version 6.0 + +From: Roman Kisel + +[ Upstream commit 6802d8af47d1dccd9a74a1f708fb9129244ef843 ] + +The confidential VMBus is supported starting from the protocol +version 6.0 onwards. + +Provide the required definitions. No functional changes. + +Signed-off-by: Roman Kisel +Reviewed-by: Alok Tiwari +Reviewed-by: Michael Kelley +Signed-off-by: Wei Liu +Stable-dep-of: c5c3ef8d49e1 ("Drivers: hv: vmbus: Provide option to skip VMBus unload on panic") +Signed-off-by: Sasha Levin +--- + drivers/hv/hyperv_vmbus.h | 2 ++ + drivers/hv/vmbus_drv.c | 12 +++++++ + include/hyperv/hvgdk_mini.h | 1 + + include/linux/hyperv.h | 69 +++++++++++++++++++++++++++---------- + 4 files changed, 65 insertions(+), 19 deletions(-) + +diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h +index 0b450e53161e51..4a01797d485139 100644 +--- a/drivers/hv/hyperv_vmbus.h ++++ b/drivers/hv/hyperv_vmbus.h +@@ -333,6 +333,8 @@ extern const struct vmbus_channel_message_table_entry + + /* General vmbus interface */ + ++bool vmbus_is_confidential(void); ++ + struct hv_device *vmbus_device_create(const guid_t *type, + const guid_t *instance, + struct vmbus_channel *channel); +diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c +index 3ab62277b6be6c..6d2bf7a96aa638 100644 +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -57,6 +57,18 @@ static long __percpu *vmbus_evt; + int vmbus_irq; + int vmbus_interrupt; + ++/* ++ * If the Confidential VMBus is used, the data on the "wire" is not ++ * visible to either the host or the hypervisor. 
++ */ ++static bool is_confidential; ++ ++bool vmbus_is_confidential(void) ++{ ++ return is_confidential; ++} ++EXPORT_SYMBOL_GPL(vmbus_is_confidential); ++ + /* + * The panic notifier below is responsible solely for unloading the + * vmbus connection, which is necessary in a panic event. +diff --git a/include/hyperv/hvgdk_mini.h b/include/hyperv/hvgdk_mini.h +index 77abddfc750e40..7f730a0e54e611 100644 +--- a/include/hyperv/hvgdk_mini.h ++++ b/include/hyperv/hvgdk_mini.h +@@ -260,6 +260,7 @@ union hv_hypervisor_version_info { + #define HYPERV_CPUID_VIRT_STACK_PROPERTIES 0x40000082 + /* Support for the extended IOAPIC RTE format */ + #define HYPERV_VS_PROPERTIES_EAX_EXTENDED_IOAPIC_RTE BIT(2) ++#define HYPERV_VS_PROPERTIES_EAX_CONFIDENTIAL_VMBUS_AVAILABLE BIT(3) + + #define HYPERV_HYPERVISOR_PRESENT_BIT 0x80000000 + #define HYPERV_CPUID_MIN 0x40000005 +diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h +index 59826c89171c79..dfc516c1c7193f 100644 +--- a/include/linux/hyperv.h ++++ b/include/linux/hyperv.h +@@ -265,16 +265,18 @@ static inline u32 hv_get_avail_to_write_percent( + * Linux kernel. 
+ */ + +-#define VERSION_WS2008 ((0 << 16) | (13)) +-#define VERSION_WIN7 ((1 << 16) | (1)) +-#define VERSION_WIN8 ((2 << 16) | (4)) +-#define VERSION_WIN8_1 ((3 << 16) | (0)) +-#define VERSION_WIN10 ((4 << 16) | (0)) +-#define VERSION_WIN10_V4_1 ((4 << 16) | (1)) +-#define VERSION_WIN10_V5 ((5 << 16) | (0)) +-#define VERSION_WIN10_V5_1 ((5 << 16) | (1)) +-#define VERSION_WIN10_V5_2 ((5 << 16) | (2)) +-#define VERSION_WIN10_V5_3 ((5 << 16) | (3)) ++#define VMBUS_MAKE_VERSION(MAJ, MIN) ((((u32)MAJ) << 16) | (MIN)) ++#define VERSION_WS2008 VMBUS_MAKE_VERSION(0, 13) ++#define VERSION_WIN7 VMBUS_MAKE_VERSION(1, 1) ++#define VERSION_WIN8 VMBUS_MAKE_VERSION(2, 4) ++#define VERSION_WIN8_1 VMBUS_MAKE_VERSION(3, 0) ++#define VERSION_WIN10 VMBUS_MAKE_VERSION(4, 0) ++#define VERSION_WIN10_V4_1 VMBUS_MAKE_VERSION(4, 1) ++#define VERSION_WIN10_V5 VMBUS_MAKE_VERSION(5, 0) ++#define VERSION_WIN10_V5_1 VMBUS_MAKE_VERSION(5, 1) ++#define VERSION_WIN10_V5_2 VMBUS_MAKE_VERSION(5, 2) ++#define VERSION_WIN10_V5_3 VMBUS_MAKE_VERSION(5, 3) ++#define VERSION_WIN10_V6_0 VMBUS_MAKE_VERSION(6, 0) + + /* Make maximum size of pipe payload of 16K */ + #define MAX_PIPE_DATA_PAYLOAD (sizeof(u8) * 16384) +@@ -335,14 +337,22 @@ struct vmbus_channel_offer { + } __packed; + + /* Server Flags */ +-#define VMBUS_CHANNEL_ENUMERATE_DEVICE_INTERFACE 1 +-#define VMBUS_CHANNEL_SERVER_SUPPORTS_TRANSFER_PAGES 2 +-#define VMBUS_CHANNEL_SERVER_SUPPORTS_GPADLS 4 +-#define VMBUS_CHANNEL_NAMED_PIPE_MODE 0x10 +-#define VMBUS_CHANNEL_LOOPBACK_OFFER 0x100 +-#define VMBUS_CHANNEL_PARENT_OFFER 0x200 +-#define VMBUS_CHANNEL_REQUEST_MONITORED_NOTIFICATION 0x400 +-#define VMBUS_CHANNEL_TLNPI_PROVIDER_OFFER 0x2000 ++#define VMBUS_CHANNEL_ENUMERATE_DEVICE_INTERFACE 0x0001 ++/* ++ * This flag indicates that the channel is offered by the paravisor, and must ++ * use encrypted memory for the channel ring buffer. 
++ */ ++#define VMBUS_CHANNEL_CONFIDENTIAL_RING_BUFFER 0x0002 ++/* ++ * This flag indicates that the channel is offered by the paravisor, and must ++ * use encrypted memory for GPA direct packets and additional GPADLs. ++ */ ++#define VMBUS_CHANNEL_CONFIDENTIAL_EXTERNAL_MEMORY 0x0004 ++#define VMBUS_CHANNEL_NAMED_PIPE_MODE 0x0010 ++#define VMBUS_CHANNEL_LOOPBACK_OFFER 0x0100 ++#define VMBUS_CHANNEL_PARENT_OFFER 0x0200 ++#define VMBUS_CHANNEL_REQUEST_MONITORED_NOTIFICATION 0x0400 ++#define VMBUS_CHANNEL_TLNPI_PROVIDER_OFFER 0x2000 + + struct vmpacket_descriptor { + u16 type; +@@ -621,6 +631,12 @@ struct vmbus_channel_relid_released { + u32 child_relid; + } __packed; + ++/* ++ * Used by the paravisor only, means that the encrypted ring buffers and ++ * the encrypted external memory are supported ++ */ ++#define VMBUS_FEATURE_FLAG_CONFIDENTIAL_CHANNELS 0x10 ++ + struct vmbus_channel_initiate_contact { + struct vmbus_channel_message_header header; + u32 vmbus_version_requested; +@@ -630,7 +646,8 @@ struct vmbus_channel_initiate_contact { + struct { + u8 msg_sint; + u8 msg_vtl; +- u8 reserved[6]; ++ u8 reserved[2]; ++ u32 feature_flags; /* VMBus version 6.0 */ + }; + }; + u64 monitor_page1; +@@ -1003,6 +1020,10 @@ struct vmbus_channel { + + /* boolean to control visibility of sysfs for ring buffer */ + bool ring_sysfs_visible; ++ /* The ring buffer is encrypted */ ++ bool co_ring_buffer; ++ /* The external memory is encrypted */ ++ bool co_external_memory; + }; + + #define lock_requestor(channel, flags) \ +@@ -1027,6 +1048,16 @@ u64 vmbus_request_addr_match(struct vmbus_channel *channel, u64 trans_id, + u64 rqst_addr); + u64 vmbus_request_addr(struct vmbus_channel *channel, u64 trans_id); + ++static inline bool is_co_ring_buffer(const struct vmbus_channel_offer_channel *o) ++{ ++ return !!(o->offer.chn_flags & VMBUS_CHANNEL_CONFIDENTIAL_RING_BUFFER); ++} ++ ++static inline bool is_co_external_memory(const struct vmbus_channel_offer_channel *o) ++{ ++ return 
!!(o->offer.chn_flags & VMBUS_CHANNEL_CONFIDENTIAL_EXTERNAL_MEMORY); ++} ++ + static inline bool is_hvsock_offer(const struct vmbus_channel_offer_channel *o) + { + return !!(o->offer.chn_flags & VMBUS_CHANNEL_TLNPI_PROVIDER_OFFER); +-- +2.53.0 + diff --git a/queue-6.18/drivers-hv-vmbus-provide-option-to-skip-vmbus-unload.patch b/queue-6.18/drivers-hv-vmbus-provide-option-to-skip-vmbus-unload.patch new file mode 100644 index 0000000000..1c8baffef0 --- /dev/null +++ b/queue-6.18/drivers-hv-vmbus-provide-option-to-skip-vmbus-unload.patch 
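Review bot: in the include/linux/hyperv.h "Server Flags" hunk, VMBUS_CHANNEL_SERVER_SUPPORTS_TRANSFER_PAGES (2) and VMBUS_CHANNEL_SERVER_SUPPORTS_GPADLS (4) are deleted and their bit positions reused for VMBUS_CHANNEL_CONFIDENTIAL_RING_BUFFER (0x0002) and VMBUS_CHANNEL_CONFIDENTIAL_EXTERNAL_MEMORY (0x0004). The log says "No functional changes", which only holds if nothing in the tree still reads the old names; since this is going into stable as a dependency, the log should say the two old flags were unused and that the redefinition follows the protocol specification, otherwise a tree where a driver still tests them would silently change meaning.

Review bot: the `struct vmbus_channel_initiate_contact` hunk replaces `u8 reserved[6]` with `u8 reserved[2]; u32 feature_flags;`, keeping the 8-byte footprint and placing feature_flags at offset 4 of the anonymous struct. As this is wire layout shared with the hypervisor, a static_assert() or BUILD_BUG_ON() on the struct size would lock it in. Separately, the vmbus_drv.c hunk adds and exports vmbus_is_confidential() over a static `is_confidential` that nothing in this patch sets, so in the stable trees it always returns false; acceptable for a Stable-dep-of, but worth one sentence in the log so nobody expects it to report anything.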
@@ -0,0 +1,129 @@ +From 97e951627071774019d8ea2ee4cd12ddd4f0370d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Feb 2026 10:23:34 -0800 +Subject: Drivers: hv: vmbus: Provide option to skip VMBus unload on panic + +From: Michael Kelley + +[ Upstream commit c5c3ef8d49e15d2fc1cec4ad7c91d81b99977440 ] + +Currently, VMBus code initiates a VMBus unload in the panic path so +that if a kdump kernel is loaded, it can start fresh in setting up its +own VMBus connection. However, a driver for the VMBus virtual frame +buffer may need to flush dirty portions of the frame buffer back to +the Hyper-V host so that panic information is visible in the graphics +console. To support such flushing, provide exported functions for the +frame buffer driver to specify that the VMBus unload should not be +done by the VMBus driver, and to initiate the VMBus unload itself. +Together these allow a frame buffer driver to delay the VMBus unload +until after it has completed the flush. + +Ideally, the VMBus driver could use its own panic-path callback to do +the unload after all frame buffer drivers have finished. But DRM frame +buffer drivers use the kmsg dump callback, and there are no callbacks +after that in the panic path. Hence this somewhat messy approach to +properly sequencing the frame buffer flush and the VMBus unload. 
+ +Fixes: 3671f3777758 ("drm/hyperv: Add support for drm_panic") +Signed-off-by: Michael Kelley +Reviewed-by: Long Li +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/hv/channel_mgmt.c | 1 + + drivers/hv/hyperv_vmbus.h | 1 - + drivers/hv/vmbus_drv.c | 25 ++++++++++++++++++------- + include/linux/hyperv.h | 3 +++ + 4 files changed, 22 insertions(+), 8 deletions(-) + +diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c +index 65dd299e2944bd..fd1d675ae37a4f 100644 +--- a/drivers/hv/channel_mgmt.c ++++ b/drivers/hv/channel_mgmt.c +@@ -944,6 +944,7 @@ void vmbus_initiate_unload(bool crash) + else + vmbus_wait_for_unload(); + } ++EXPORT_SYMBOL_GPL(vmbus_initiate_unload); + + static void vmbus_setup_channel_state(struct vmbus_channel *channel, + struct vmbus_channel_offer_channel *offer) +diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h +index 4a01797d485139..34943de7d6ac46 100644 +--- a/drivers/hv/hyperv_vmbus.h ++++ b/drivers/hv/hyperv_vmbus.h +@@ -376,7 +376,6 @@ void hv_vss_deinit(void); + int hv_vss_pre_suspend(void); + int hv_vss_pre_resume(void); + void hv_vss_onchannelcallback(void *context); +-void vmbus_initiate_unload(bool crash); + + static inline void hv_poll_channel(struct vmbus_channel *channel, + void (*cb)(void *)) +diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c +index 6d2bf7a96aa638..8a090e2a28f928 100644 +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -69,19 +69,29 @@ bool vmbus_is_confidential(void) + } + EXPORT_SYMBOL_GPL(vmbus_is_confidential); + ++static bool skip_vmbus_unload; ++ ++/* ++ * Allow a VMBus framebuffer driver to specify that in the case of a panic, ++ * it will do the VMbus unload operation once it has flushed any dirty ++ * portions of the framebuffer to the Hyper-V host. 
++ */ ++void vmbus_set_skip_unload(bool skip) ++{ ++ skip_vmbus_unload = skip; ++} ++EXPORT_SYMBOL_GPL(vmbus_set_skip_unload); ++ + /* + * The panic notifier below is responsible solely for unloading the + * vmbus connection, which is necessary in a panic event. +- * +- * Notice an intrincate relation of this notifier with Hyper-V +- * framebuffer panic notifier exists - we need vmbus connection alive +- * there in order to succeed, so we need to order both with each other +- * [see hvfb_on_panic()] - this is done using notifiers' priorities. + */ + static int hv_panic_vmbus_unload(struct notifier_block *nb, unsigned long val, + void *args) + { +- vmbus_initiate_unload(true); ++ if (!skip_vmbus_unload) ++ vmbus_initiate_unload(true); ++ + return NOTIFY_DONE; + } + static struct notifier_block hyperv_panic_vmbus_unload_block = { +@@ -2862,7 +2872,8 @@ static void hv_crash_handler(struct pt_regs *regs) + { + int cpu; + +- vmbus_initiate_unload(true); ++ if (!skip_vmbus_unload) ++ vmbus_initiate_unload(true); + /* + * In crash handler we can't schedule synic cleanup for all CPUs, + * doing the cleanup for current CPU only. This should be sufficient +diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h +index dfc516c1c7193f..b0502a336eb3a5 100644 +--- a/include/linux/hyperv.h ++++ b/include/linux/hyperv.h +@@ -1334,6 +1334,9 @@ int vmbus_allocate_mmio(struct resource **new, struct hv_device *device_obj, + bool fb_overlap_ok); + void vmbus_free_mmio(resource_size_t start, resource_size_t size); + ++void vmbus_initiate_unload(bool crash); ++void vmbus_set_skip_unload(bool skip); ++ + /* + * GUID definitions of various offer types - services offered to the guest. + */ +-- +2.53.0 + diff --git a/queue-6.18/drm-hyperv-during-panic-do-vmbus-unload-after-frame-.patch b/queue-6.18/drm-hyperv-during-panic-do-vmbus-unload-after-frame-.patch new file mode 100644 index 0000000000..c8f785e951 --- /dev/null 
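Review bot: the new `skip_vmbus_unload` flag in vmbus_drv.c hands responsibility for calling vmbus_initiate_unload(true) to whoever sets it, but the hunk deletes the old comment about ordering with the framebuffer panic notifier and states the new contract nowhere. Please extend the comment above vmbus_set_skip_unload() to say that a caller passing true must itself call vmbus_initiate_unload(true) from its panic path and must reset the flag on remove. Also, hv_crash_handler() now skips the unload too; as that runs on the crash-kexec path, the log should confirm that the frame buffer flush which performs the unload runs before the kdump kernel is entered, otherwise a kdump kernel would start with the connection still loaded, which is exactly what the log says the unload exists to prevent. Minor: "VMbus" in the new comment should be "VMBus" to match the rest of the file.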
+++ b/queue-6.18/drm-hyperv-during-panic-do-vmbus-unload-after-frame-.patch 
@@ -0,0 +1,98 @@ +From 0e2f6ac261f05ebf464009b01fe95ee3350c0298 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Feb 2026 10:23:35 -0800 +Subject: drm/hyperv: During panic do VMBus unload after frame buffer is + flushed + +From: Michael Kelley + +[ Upstream commit 8b35874f56ded0cc1a90a25b87411249a86246cd ] + +In a VM, Linux panic information (reason for the panic, stack trace, +etc.) may be written to a serial console and/or a virtual frame buffer +for a graphics console. The latter may need to be flushed back to the +host hypervisor for display. + +The current Hyper-V DRM driver for the frame buffer does the flushing +*after* the VMBus connection has been unloaded, such that panic messages +are not displayed on the graphics console. A user with a Hyper-V graphics +console is left with just a hung empty screen after a panic. The enhanced +control that DRM provides over the panic display in the graphics console +is similarly non-functional. + +Commit 3671f3777758 ("drm/hyperv: Add support for drm_panic") added +the Hyper-V DRM driver support to flush the virtual frame buffer. It +provided necessary functionality but did not handle the sequencing +problem with VMBus unload. + +Fix the full problem by using VMBus functions to suppress the VMBus +unload that is normally done by the VMBus driver in the panic path. Then +after the frame buffer has been flushed, do the VMBus unload so that a +kdump kernel can start cleanly. As expected, CONFIG_DRM_PANIC must be +selected for these changes to have effect. As a side benefit, the +enhanced features of the DRM panic path are also functional. 
+ +Fixes: 3671f3777758 ("drm/hyperv: Add support for drm_panic") +Signed-off-by: Michael Kelley +Reviewed-by: Jocelyn Falempe +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/hyperv/hyperv_drm_drv.c | 5 +++++ + drivers/gpu/drm/hyperv/hyperv_drm_modeset.c | 15 ++++++++------- + 2 files changed, 13 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/hyperv/hyperv_drm_drv.c b/drivers/gpu/drm/hyperv/hyperv_drm_drv.c +index 0d49f168a919d5..dad8fd5cb1d3b6 100644 +--- a/drivers/gpu/drm/hyperv/hyperv_drm_drv.c ++++ b/drivers/gpu/drm/hyperv/hyperv_drm_drv.c +@@ -149,6 +149,10 @@ static int hyperv_vmbus_probe(struct hv_device *hdev, + goto err_free_mmio; + } + ++ /* If DRM panic path is stubbed out VMBus code must do the unload */ ++ if (IS_ENABLED(CONFIG_DRM_PANIC)) ++ vmbus_set_skip_unload(true); ++ + drm_client_setup(dev, NULL); + + return 0; +@@ -168,6 +172,7 @@ static void hyperv_vmbus_remove(struct hv_device *hdev) + struct drm_device *dev = hv_get_drvdata(hdev); + struct hyperv_drm_device *hv = to_hv(dev); + ++ vmbus_set_skip_unload(false); + drm_dev_unplug(dev); + drm_atomic_helper_shutdown(dev); + vmbus_close(hdev->channel); +diff --git a/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c b/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c +index 945b9482bcb3a9..86696a9a32c559 100644 +--- a/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c ++++ b/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c +@@ -204,15 +204,16 @@ static void hyperv_plane_panic_flush(struct drm_plane *plane) + struct hyperv_drm_device *hv = to_hv(plane->dev); + struct drm_rect rect; + +- if (!plane->state || !plane->state->fb) +- return; ++ if (plane->state && plane->state->fb) { ++ rect.x1 = 0; ++ rect.y1 = 0; ++ rect.x2 = plane->state->fb->width; ++ rect.y2 = plane->state->fb->height; + +- rect.x1 = 0; +- rect.y1 = 0; +- rect.x2 = plane->state->fb->width; +- rect.y2 = plane->state->fb->height; ++ hyperv_update_dirt(hv->hdev, &rect); ++ } + +- hyperv_update_dirt(hv->hdev, &rect); ++ 
vmbus_initiate_unload(true); + } + + static const struct drm_plane_helper_funcs hyperv_plane_helper_funcs = { +-- +2.53.0 + diff --git a/queue-6.18/hyperv-clean-up-and-fix-the-guest-id-comment-in-hvgd.patch b/queue-6.18/hyperv-clean-up-and-fix-the-guest-id-comment-in-hvgd.patch new file mode 100644 index 0000000000..7e5e043bcc --- /dev/null +++ b/queue-6.18/hyperv-clean-up-and-fix-the-guest-id-comment-in-hvgd.patch 
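Review bot: in hyperv_drm_modeset.c the flush now ends with an unconditional `vmbus_initiate_unload(true);` even when plane->state or plane->state->fb is NULL, which is the right ordering, but hyperv_plane_panic_flush() is a per-plane helper; if the DRM panic code calls it for more than one plane the unload runs twice. A comment that this driver registers a single plane, or a one-shot guard, would make that explicit. In hyperv_drm_drv.c, `vmbus_set_skip_unload(true)` is only set at the end of a successful probe and under IS_ENABLED(CONFIG_DRM_PANIC), so a panic before that point, or a build without DRM_PANIC, still gets the VMBus-side unload; the comment "If DRM panic path is stubbed out VMBus code must do the unload" describes the else-case of the condition below it, suggest rewording to "Only take over the unload when the DRM panic path is built in" so comment and code read the same way.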
@@ -0,0 +1,56 @@ +From f270fd8b458b6479951baf35792e52a812545706 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 May 2026 12:21:01 -0700 +Subject: hyperv: Clean up and fix the guest ID comment in hvgdk.h + +From: Dexuan Cui + +[ Upstream commit 83eb00f31eb1b10735d48e469df72cc2b0e06f6d ] + +Change the "64 bit" to "64-bit", and the "Os" to "OS". + +Remove the obsolete paragraph since the guideline has been +published in the Hypervisor Top Level Functional Specification +for many years. + +The "OS Type" is 0x1 for Linux, not 0x100. + +No functional change. + +Fixes: 83ba0c4f3f31 ("Drivers: hv: Cleanup the guest ID computation") +Signed-off-by: Dexuan Cui +Reviewed-by: Hamza Mahfooz +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + include/hyperv/hvgdk.h | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/include/hyperv/hvgdk.h b/include/hyperv/hvgdk.h +index dd6d4939ea29b0..a837a6bc1275bd 100644 +--- a/include/hyperv/hvgdk.h ++++ b/include/hyperv/hvgdk.h +@@ -10,18 +10,12 @@ + + /* + * The guest OS needs to register the guest ID with the hypervisor. +- * The guest ID is a 64 bit entity and the structure of this ID is ++ * The guest ID is a 64-bit entity and the structure of this ID is + * specified in the Hyper-V TLFS specification. + * +- * While the current guideline does not specify how Linux guest ID(s) +- * need to be generated, our plan is to publish the guidelines for +- * Linux and other guest operating systems that currently are hosted +- * on Hyper-V. The implementation here conforms to this yet +- * unpublished guidelines. +- * + * Bit(s) + * 63 - Indicates if the OS is Open Source or not; 1 is Open Source +- * 62:56 - Os Type; Linux is 0x100 ++ * 62:56 - OS Type; Linux is 0x1 + * 55:48 - Distro specific identification + * 47:16 - Linux kernel version number + * 15:0 - Distro specific identification +-- +2.53.0 + 
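Review bot: the hunk is comment-only, so the Fixes: tag pulls a documentation change into every stable tree carrying 83ba0c4f3f31 with no runtime effect; if that is intended the log should say so, otherwise drop the tag. The "Linux is 0x1" correction cannot be checked from the diff itself; pointing in the log at the code that builds the guest ID would let a reader verify the constant against it rather than trusting the comment.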
diff --git a/queue-6.18/selftests-harness-fix-pidfd-leak-in-__wait_for_test.patch b/queue-6.18/selftests-harness-fix-pidfd-leak-in-__wait_for_test.patch new file mode 100644 index 0000000000..8cde7df1ff --- /dev/null +++ b/queue-6.18/selftests-harness-fix-pidfd-leak-in-__wait_for_test.patch @@ -0,0 +1,40 @@ +From fd1be5163c75c86ddca8ad9e5eab34fc95bb937d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Apr 2026 17:45:28 +0800 +Subject: selftests: harness: fix pidfd leak in __wait_for_test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geliang Tang + +[ Upstream commit 0eb307d61317b42b120ab02099b597226318358a ] + +Fix the pidfd leak in kselftest_harness.h's __wait_for_test() where +childfd = syscall(__NR_pidfd_open, t->pid, 0) is never closed. + +Fixes: 73a3cde97677 ("selftests: harness: Implement test timeouts through pidfd") +Signed-off-by: Geliang Tang +Link: https://patch.msgid.link/a82e275ccfb2609a1984d90ab559fa3af78f1e81.1776678050.git.tanggeliang@kylinos.cn +Reviewed-by: Thomas Weißschuh +Signed-off-by: Christian Brauner (Amutable) +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kselftest_harness.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/kselftest_harness.h b/tools/testing/selftests/kselftest_harness.h +index fe162cbfc09121..6928915a643b1e 100644 +--- a/tools/testing/selftests/kselftest_harness.h ++++ b/tools/testing/selftests/kselftest_harness.h +@@ -996,6 +996,7 @@ static void __wait_for_test(struct __test_metadata *t) + poll_child.fd = childfd; + poll_child.events = POLLIN; + ret = poll(&poll_child, 1, t->timeout * 1000); ++ close(childfd); + if (ret == -1) { + t->exit_code = KSFT_FAIL; + fprintf(TH_LOG_STREAM, +-- +2.53.0 + diff --git a/queue-6.18/series b/queue-6.18/series index 9b60f10d07..8ff79d9ba8 100644 --- a/queue-6.18/series +++ b/queue-6.18/series 
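Review bot: `close(childfd);` is inserted between poll() and the `if (ret == -1)` branch; if the message printed in that branch reports errno (strerror() or %m), close() can overwrite it. Either move the close() below the error handling (it still has to happen on every path, so a common exit is cleaner) or save and restore errno around the call. Also worth confirming that childfd cannot be -1 at this point; close(-1) is harmless but would mask a failed pidfd_open().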
@@ -64,3 +64,12 @@ net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch sctp-purge-outqueue-on-stale-cookie-echo-handling.patch i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch +drivers-hv-vmbus-protocol-version-6.0.patch +drivers-hv-vmbus-provide-option-to-skip-vmbus-unload.patch +drm-hyperv-during-panic-do-vmbus-unload-after-frame-.patch +selftests-harness-fix-pidfd-leak-in-__wait_for_test.patch +signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch +hyperv-clean-up-and-fix-the-guest-id-comment-in-hvgd.patch +time-fix-off-by-one-in-settimeofday-usec-validation.patch +alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch +alsa-seq-dummy-fix-ump-event-stack-overread.patch diff --git a/queue-6.18/signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch b/queue-6.18/signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch new file mode 100644 index 0000000000..22fd22c3f9 --- /dev/null +++ b/queue-6.18/signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch 
@@ -0,0 +1,72 @@ +From b147184cf4b34308d8cabe51829ef341eb5d016d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2026 16:22:40 +0200 +Subject: signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() + +From: Aleksandr Nogikh + +[ Upstream commit 90918794a4e2c3b440f8fcf3847765a8b1d81b25 ] + +When a multi-threaded process receives a stop signal (e.g., SIGSTOP), +do_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all +threads and sets signal->group_stop_count to the number of threads. If +one of the threads concurrently calls execve(), de_thread() invokes +zap_other_threads() to kill all other threads. zap_other_threads() +aborts the pending group stop by resetting signal->group_stop_count to 0 +and clears the JOBCTL_PENDING_MASK for all other threads. However, it +fails to clear the job control flags for the calling thread. + +When execve() completes, the calling thread returns to user mode and +checks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag, +it calls do_signal_stop(), which invokes task_participate_group_stop(). +Since JOBCTL_STOP_CONSUME is still set, it attempts to decrement the +already-zero signal->group_stop_count, triggering a warning: + +sig->group_stop_count == 0 +WARNING: CPU: 1 PID: 6475 at kernel/signal.c:373 +task_participate_group_stop+0x215/0x2d0 +Call Trace: + + do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619 + get_signal+0xa8c/0x1330 kernel/signal.c:2884 + arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337 + exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98 + do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +Fix this race condition by clearing the JOBCTL_PENDING_MASK for the +calling thread in zap_other_threads(), ensuring it does not retain any +stale job control state after the thread group is destroyed. 
This aligns +with other functions that tear down a thread group and abort group +stops, such as zap_process() and complete_signal(), which correctly +clear these flags for all threads including the current one. + +Fixes: 39efa3ef3a37 ("signal: Use GROUP_STOP_PENDING to stop once for a single group stop") +Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview syzbot +Reported-by: syzbot+b109633ea805cac54a61@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b109633ea805cac54a61 +Link: https://syzkaller.appspot.com/ai_job?id=d70208cc-862b-4fe3-bf02-3031e10cd0b3 +Signed-off-by: Aleksandr Nogikh +Link: https://patch.msgid.link/20260521142240.2973022-1-nogikh@google.com +Signed-off-by: Christian Brauner (Amutable) +Signed-off-by: Sasha Levin +--- + kernel/signal.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/signal.c b/kernel/signal.c +index fe9190d84f281e..810098300ecdcb 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -1340,6 +1340,7 @@ int zap_other_threads(struct task_struct *p) + int count = 0; + + p->signal->group_stop_count = 0; ++ task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK); + + for_other_threads(p, t) { + task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK); +-- +2.53.0 + diff --git a/queue-6.18/time-fix-off-by-one-in-settimeofday-usec-validation.patch b/queue-6.18/time-fix-off-by-one-in-settimeofday-usec-validation.patch new file mode 100644 index 0000000000..9d7e4a8d0b --- /dev/null +++ b/queue-6.18/time-fix-off-by-one-in-settimeofday-usec-validation.patch 
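Review bot: in the zap_other_threads() hunk of the queue-6.18 signal patch above, the new `task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK);` reads like a stray copy of the loop body that follows it, and a later cleanup could "deduplicate" it away; a one-line comment saying that the caller must be cleared here because `for_other_threads(p, t)` never visits p itself would protect the fix. Placing it right after `p->signal->group_stop_count = 0;` is right, since both halves of the group-stop abort then sit together.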
@@ -0,0 +1,44 @@ +From dba94dcefb323ee964c36feaef8468c03dadacfe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jun 2026 23:37:37 +0530 +Subject: time: Fix off-by-one in settimeofday() usec validation + +From: Naveen Kumar Chaudhary + +[ Upstream commit ce4abda5e12622f33450159e76c8f56d28d7f03d ] + +The validation check uses '>' instead of '>=' when comparing tv_usec +against USEC_PER_SEC, allowing the value 1000000 through. After +conversion to nanoseconds (*= 1000), this produces tv_nsec == +NSEC_PER_SEC, violating the timespec invariant that tv_nsec must be +less than NSEC_PER_SEC. + +Use '>=' to reject tv_usec values that are not in the valid range of +0 to 999999. + +Fixes: 5e0fb1b57bea ("y2038: time: avoid timespec usage in settimeofday()") +Signed-off-by: Naveen Kumar Chaudhary +Signed-off-by: Thomas Gleixner +Acked-by: John Stultz +Link: https://patch.msgid.link/4rikk44zew3s6577dugmx4jyblz7o5c57niuap6ct3td5yfm6w@gh7pcumg7qor +Signed-off-by: Sasha Levin +--- + kernel/time/time.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/time/time.c b/kernel/time/time.c +index 155cf7def9146d..3c1518a7a52652 100644 +--- a/kernel/time/time.c ++++ b/kernel/time/time.c +@@ -207,7 +207,7 @@ SYSCALL_DEFINE2(settimeofday, struct __kernel_old_timeval __user *, tv, + get_user(new_ts.tv_nsec, &tv->tv_usec)) + return -EFAULT; + +- if (new_ts.tv_nsec > USEC_PER_SEC || new_ts.tv_nsec < 0) ++ if (new_ts.tv_nsec >= USEC_PER_SEC || new_ts.tv_nsec < 0) + return -EINVAL; + + new_ts.tv_nsec *= NSEC_PER_USEC; +-- +2.53.0 + diff --git a/queue-6.6/alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch b/queue-6.6/alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch new file mode 100644 index 0000000000..42b9bbde1e --- /dev/null +++ b/queue-6.6/alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch 
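Review bot: for the settimeofday() hunk in the queue-6.18 time patch above, the diffstat shows exactly one line changed in kernel/time/time.c; if the file also carries a CONFIG_COMPAT entry point that reads tv_usec with the same `> USEC_PER_SEC` comparison, it needs the identical `>=` or the off-by-one stays reachable from 32-bit callers. The check still runs before `new_ts.tv_nsec *= NSEC_PER_USEC;`, so with `>=` the product is at most 999999000 and the invariant stated in the commit message holds.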
@@ -0,0 +1,66 @@ +From 77ccf0054e2879400088f89043088843db90b0ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2026 14:25:59 +0000 +Subject: ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on + linked streams + +From: Ji'an Zhou + +[ Upstream commit 88fe2e3658726cb21ff2dcf9770bf672f9b9d31b ] + +snd_pcm_drain() uses init_waitqueue_entry which does not clear +entry.prev/next, and add_wait_queue with a conditional +remove_wait_queue that is skipped when to_check is no longer +in the group after concurrent UNLINK. The orphaned wait entry +remains on the unlinked substream sleep queue. On the next +drain iteration, add_wait_queue adds the entry to a new queue +while still linked on the old one, corrupting both lists. A +subsequent wake_up dereferences NULL at the func pointer +(mapped from the spinlock at offset 0 of the misinterpreted +wait_queue_head_t), causing a kernel panic. + +Replace init_waitqueue_entry/add_wait_queue/conditional +remove_wait_queue with init_wait_entry/prepare_to_wait/ +finish_wait. init_wait_entry clears prev/next via +INIT_LIST_HEAD on each iteration and sets +autoremove_wake_function which auto-removes the entry on +wake-up. finish_wait safely handles both the already-removed +and still-queued cases. 
+ +Fixes: 9b1dbd69ba6f ("ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain") +Signed-off-by: Ji'an Zhou +Link: https://patch.msgid.link/20260604142559.3840881-1-eilaimemedsnaimel@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/pcm_native.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c +index 214210c8747458..c1b7ee1f3e7463 100644 +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -2180,9 +2180,8 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream, + drain_no_period_wakeup = to_check->no_period_wakeup; + drain_rate = to_check->rate; + drain_bufsz = to_check->buffer_size; +- init_waitqueue_entry(&wait, current); +- set_current_state(TASK_INTERRUPTIBLE); +- add_wait_queue(&to_check->sleep, &wait); ++ init_wait_entry(&wait, 0); ++ prepare_to_wait(&to_check->sleep, &wait, TASK_INTERRUPTIBLE); + snd_pcm_stream_unlock_irq(substream); + if (drain_no_period_wakeup) + tout = MAX_SCHEDULE_TIMEOUT; +@@ -2200,7 +2199,7 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream, + group = snd_pcm_stream_group_ref(substream); + snd_pcm_group_for_each_entry(s, substream) { + if (s->runtime == to_check) { +- remove_wait_queue(&to_check->sleep, &wait); ++ finish_wait(&to_check->sleep, &wait); + break; + } + } +-- +2.53.0 + diff --git a/queue-6.6/series b/queue-6.6/series index 6c90603676..3f408cf767 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -244,3 +244,6 @@ net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch sctp-purge-outqueue-on-stale-cookie-echo-handling.patch i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch +signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch +time-fix-off-by-one-in-settimeofday-usec-validation.patch +alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch 
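Review bot: in the second hunk of the queue-6.6 ALSA PCM patch above, finish_wait() is still reached only when to_check is found in the group. autoremove_wake_function only detaches the entry when a wake_up() actually runs on that queue, so a wait that ends by timeout or signal after a concurrent UNLINK leaves `wait` linked on the old sleep queue; on the next pass init_wait_entry() resets the entry's own prev/next, but the old queue head still points at the stack object. Either the commit message should state why that residual case is harmless (for example, that the unlinked runtime cannot issue a further wake_up before the drain loop exits), or the entry should be unlinked unconditionally under whichever lock protects the old queue.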
diff --git a/queue-6.6/signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch b/queue-6.6/signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch new file mode 100644 index 0000000000..6cfe94eb17 --- /dev/null +++ b/queue-6.6/signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch 
@@ -0,0 +1,72 @@ +From f141038e64aa8546a53cc59cef4df3773a972b23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2026 16:22:40 +0200 +Subject: signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() + +From: Aleksandr Nogikh + +[ Upstream commit 90918794a4e2c3b440f8fcf3847765a8b1d81b25 ] + +When a multi-threaded process receives a stop signal (e.g., SIGSTOP), +do_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all +threads and sets signal->group_stop_count to the number of threads. If +one of the threads concurrently calls execve(), de_thread() invokes +zap_other_threads() to kill all other threads. zap_other_threads() +aborts the pending group stop by resetting signal->group_stop_count to 0 +and clears the JOBCTL_PENDING_MASK for all other threads. However, it +fails to clear the job control flags for the calling thread. + +When execve() completes, the calling thread returns to user mode and +checks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag, +it calls do_signal_stop(), which invokes task_participate_group_stop(). +Since JOBCTL_STOP_CONSUME is still set, it attempts to decrement the +already-zero signal->group_stop_count, triggering a warning: + +sig->group_stop_count == 0 +WARNING: CPU: 1 PID: 6475 at kernel/signal.c:373 +task_participate_group_stop+0x215/0x2d0 +Call Trace: + + do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619 + get_signal+0xa8c/0x1330 kernel/signal.c:2884 + arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337 + exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98 + do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +Fix this race condition by clearing the JOBCTL_PENDING_MASK for the +calling thread in zap_other_threads(), ensuring it does not retain any +stale job control state after the thread group is destroyed. 
This aligns +with other functions that tear down a thread group and abort group +stops, such as zap_process() and complete_signal(), which correctly +clear these flags for all threads including the current one. + +Fixes: 39efa3ef3a37 ("signal: Use GROUP_STOP_PENDING to stop once for a single group stop") +Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview syzbot +Reported-by: syzbot+b109633ea805cac54a61@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b109633ea805cac54a61 +Link: https://syzkaller.appspot.com/ai_job?id=d70208cc-862b-4fe3-bf02-3031e10cd0b3 +Signed-off-by: Aleksandr Nogikh +Link: https://patch.msgid.link/20260521142240.2973022-1-nogikh@google.com +Signed-off-by: Christian Brauner (Amutable) +Signed-off-by: Sasha Levin +--- + kernel/signal.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/signal.c b/kernel/signal.c +index 49c8c24b444d5e..3a484ea4bab658 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -1382,6 +1382,7 @@ int zap_other_threads(struct task_struct *p) + int count = 0; + + p->signal->group_stop_count = 0; ++ task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK); + + while_each_thread(p, t) { + task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK); +-- +2.53.0 + diff --git a/queue-6.6/time-fix-off-by-one-in-settimeofday-usec-validation.patch b/queue-6.6/time-fix-off-by-one-in-settimeofday-usec-validation.patch new file mode 100644 index 0000000000..dc8e0f6272 --- /dev/null +++ b/queue-6.6/time-fix-off-by-one-in-settimeofday-usec-validation.patch 
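Review bot: the queue-6.6 backport of the zap_other_threads() change above differs from the 6.18 version only in the loop macro (`while_each_thread(p, t)` instead of `for_other_threads(p, t)`); that loop also skips p itself, so clearing p's JOBCTL_PENDING_MASK before it is the right adaptation and needs no other change. A short comment that JOBCTL_PENDING_MASK also covers the JOBCTL_TRAP_MASK bits, so a pending ptrace trap on the exec'ing thread is dropped exactly as for the other threads, would make the intent explicit for both branches.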
@@ -0,0 +1,44 @@ +From 20dd1a051ef06269b0abd44c21627f23ebdd1838 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jun 2026 23:37:37 +0530 +Subject: time: Fix off-by-one in settimeofday() usec validation + +From: Naveen Kumar Chaudhary + +[ Upstream commit ce4abda5e12622f33450159e76c8f56d28d7f03d ] + +The validation check uses '>' instead of '>=' when comparing tv_usec +against USEC_PER_SEC, allowing the value 1000000 through. After +conversion to nanoseconds (*= 1000), this produces tv_nsec == +NSEC_PER_SEC, violating the timespec invariant that tv_nsec must be +less than NSEC_PER_SEC. + +Use '>=' to reject tv_usec values that are not in the valid range of +0 to 999999. + +Fixes: 5e0fb1b57bea ("y2038: time: avoid timespec usage in settimeofday()") +Signed-off-by: Naveen Kumar Chaudhary +Signed-off-by: Thomas Gleixner +Acked-by: John Stultz +Link: https://patch.msgid.link/4rikk44zew3s6577dugmx4jyblz7o5c57niuap6ct3td5yfm6w@gh7pcumg7qor +Signed-off-by: Sasha Levin +--- + kernel/time/time.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/time/time.c b/kernel/time/time.c +index da7e8a02a0964f..a6261fadb92b15 100644 +--- a/kernel/time/time.c ++++ b/kernel/time/time.c +@@ -207,7 +207,7 @@ SYSCALL_DEFINE2(settimeofday, struct __kernel_old_timeval __user *, tv, + get_user(new_ts.tv_nsec, &tv->tv_usec)) + return -EFAULT; + +- if (new_ts.tv_nsec > USEC_PER_SEC || new_ts.tv_nsec < 0) ++ if (new_ts.tv_nsec >= USEC_PER_SEC || new_ts.tv_nsec < 0) + return -EINVAL; + + new_ts.tv_nsec *= NSEC_PER_USEC; +-- +2.53.0 + diff --git a/queue-7.0/alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch b/queue-7.0/alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch new file mode 100644 index 0000000000..f1ae0423f9 --- /dev/null +++ b/queue-7.0/alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch 
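Review bot: in the queue-6.6 settimeofday() hunk above, the change is correct but the commit message only names the violated invariant; for a stable backport it would help to state the observable effect, i.e. whether a tv_usec of exactly 1000000 was previously rejected further down by the core timespec validation or silently accepted, so reviewers can tell whether any existing caller changes behaviour. As with the 6.18 version, verify that no second `> USEC_PER_SEC` test (a compat entry point) is left in this file.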
@@ -0,0 +1,66 @@ +From 999d85820e4d5fd9c6ce65f9ebd26f5eca742d29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2026 14:25:59 +0000 +Subject: ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on + linked streams + +From: Ji'an Zhou + +[ Upstream commit 88fe2e3658726cb21ff2dcf9770bf672f9b9d31b ] + +snd_pcm_drain() uses init_waitqueue_entry which does not clear +entry.prev/next, and add_wait_queue with a conditional +remove_wait_queue that is skipped when to_check is no longer +in the group after concurrent UNLINK. The orphaned wait entry +remains on the unlinked substream sleep queue. On the next +drain iteration, add_wait_queue adds the entry to a new queue +while still linked on the old one, corrupting both lists. A +subsequent wake_up dereferences NULL at the func pointer +(mapped from the spinlock at offset 0 of the misinterpreted +wait_queue_head_t), causing a kernel panic. + +Replace init_waitqueue_entry/add_wait_queue/conditional +remove_wait_queue with init_wait_entry/prepare_to_wait/ +finish_wait. init_wait_entry clears prev/next via +INIT_LIST_HEAD on each iteration and sets +autoremove_wake_function which auto-removes the entry on +wake-up. finish_wait safely handles both the already-removed +and still-queued cases. 
+ +Fixes: 9b1dbd69ba6f ("ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain") +Signed-off-by: Ji'an Zhou +Link: https://patch.msgid.link/20260604142559.3840881-1-eilaimemedsnaimel@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/pcm_native.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c +index 5a64453da7283a..6fd479d135a4d1 100644 +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -2176,9 +2176,8 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream, + drain_no_period_wakeup = to_check->no_period_wakeup; + drain_rate = to_check->rate; + drain_bufsz = to_check->buffer_size; +- init_waitqueue_entry(&wait, current); +- set_current_state(TASK_INTERRUPTIBLE); +- add_wait_queue(&to_check->sleep, &wait); ++ init_wait_entry(&wait, 0); ++ prepare_to_wait(&to_check->sleep, &wait, TASK_INTERRUPTIBLE); + snd_pcm_stream_unlock_irq(substream); + if (drain_no_period_wakeup) + tout = MAX_SCHEDULE_TIMEOUT; +@@ -2196,7 +2195,7 @@ static int snd_pcm_drain(struct snd_pcm_substream *substream, + group = snd_pcm_stream_group_ref(substream); + snd_pcm_group_for_each_entry(s, substream) { + if (s->runtime == to_check) { +- remove_wait_queue(&to_check->sleep, &wait); ++ finish_wait(&to_check->sleep, &wait); + break; + } + } +-- +2.53.0 + diff --git a/queue-7.0/alsa-seq-dummy-fix-ump-event-stack-overread.patch b/queue-7.0/alsa-seq-dummy-fix-ump-event-stack-overread.patch new file mode 100644 index 0000000000..6c4ee0e732 --- /dev/null +++ b/queue-7.0/alsa-seq-dummy-fix-ump-event-stack-overread.patch 
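Review bot: in the first hunk of the queue-7.0 ALSA PCM patch above, prepare_to_wait() sets TASK_INTERRUPTIBLE itself, so dropping the separate set_current_state() is correct and must not be reintroduced if this backport is later refreshed against a conflicting context. The second hunk still skips finish_wait() when to_check has left the group, so an exit without a wake_up on that queue (timeout or signal) after UNLINK leaves the stack entry on the old queue; the same question raised for the 6.6 backport applies here, and the answer belongs in the commit message.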
@@ -0,0 +1,77 @@ +From de06b322e9d5b20b975caf2c33d916a95f0502d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jun 2026 01:02:04 -0700 +Subject: ALSA: seq: dummy: fix UMP event stack overread + +From: Kyle Zeng + +[ Upstream commit 2b5ff4db5d7aa5b981d966df02e687f79ad7b311 ] + +The dummy sequencer port forwards events by copying an incoming +struct snd_seq_event into a stack temporary, rewriting source and +destination, and dispatching the temporary to subscribers. That legacy +event storage is smaller than struct snd_seq_ump_event. + +When a UMP event reaches the dummy client, the copy leaves the UMP flag +set but only provides legacy-sized stack storage. The subscriber +delivery path then uses snd_seq_event_packet_size() and copies a +UMP-sized packet from that stack object, reading past the end of the +temporary. + +Use the existing union __snd_seq_event storage and copy the packet size +reported for the incoming event before rewriting the common routing +fields. This preserves the full UMP packet for UMP events while keeping +legacy event handling unchanged. 
+ +Fixes: 32cb23a0f911 ("ALSA: seq: dummy: Allow UMP conversion") +Signed-off-by: Kyle Zeng +Link: https://patch.msgid.link/20260605080204.32045-1-kylebot@openai.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/seq/seq_dummy.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/sound/core/seq/seq_dummy.c b/sound/core/seq/seq_dummy.c +index af45f328ae9901..8abe80985daddb 100644 +--- a/sound/core/seq/seq_dummy.c ++++ b/sound/core/seq/seq_dummy.c +@@ -9,6 +9,7 @@ + #include + #include + #include "seq_clientmgr.h" ++#include "seq_memory.h" + #include + #include + +@@ -81,19 +82,21 @@ dummy_input(struct snd_seq_event *ev, int direct, void *private_data, + int atomic, int hop) + { + struct snd_seq_dummy_port *p; +- struct snd_seq_event tmpev; ++ union __snd_seq_event tmpev; ++ size_t size; + + p = private_data; + if (ev->source.client == SNDRV_SEQ_CLIENT_SYSTEM || + ev->type == SNDRV_SEQ_EVENT_KERNEL_ERROR) + return 0; /* ignore system messages */ +- tmpev = *ev; ++ size = snd_seq_event_packet_size(ev); ++ memcpy(&tmpev, ev, size); + if (p->duplex) +- tmpev.source.port = p->connect; ++ tmpev.legacy.source.port = p->connect; + else +- tmpev.source.port = p->port; +- tmpev.dest.client = SNDRV_SEQ_ADDRESS_SUBSCRIBERS; +- return snd_seq_kernel_client_dispatch(p->client, &tmpev, atomic, hop); ++ tmpev.legacy.source.port = p->port; ++ tmpev.legacy.dest.client = SNDRV_SEQ_ADDRESS_SUBSCRIBERS; ++ return snd_seq_kernel_client_dispatch(p->client, &tmpev.legacy, atomic, hop); + } + + /* +-- +2.53.0 + diff --git a/queue-7.0/crypto-s390-add-select-crypto_aead-for-aes.patch b/queue-7.0/crypto-s390-add-select-crypto_aead-for-aes.patch new file mode 100644 index 0000000000..8888856c31 --- /dev/null +++ b/queue-7.0/crypto-s390-add-select-crypto_aead-for-aes.patch 
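Review bot: in the dummy_input() hunk of the ALSA seq dummy patch above, `memcpy(&tmpev, ev, size);` is only safe if snd_seq_event_packet_size(ev) can never exceed sizeof(union __snd_seq_event); that size is derived from flags carried in the incoming event, so either a `WARN_ON_ONCE(size > sizeof(tmpev))` guard (or a BUILD_BUG_ON tying the union to the largest packet type) or a comment stating that the packet size is bounded by the union would make the invariant explicit. Since the old code forwarded stack bytes beyond the legacy temporary to subscribers, this is a kernel-stack information leak as well as an overread, which is worth saying in the stable commit text.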
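The overread described in the commit message above, modelled in user space as an added example (this is not kernel code and not part of the patch): a legacy-sized temporary keeps the UMP flag, the delivery side sizes its copy from that flag, and the fixed forwarder copies into union-sized storage with the bound made explicit. All struct and function names, sizes, the flag bit and the sample events are constructed for the demo and do not match the real ALSA ABI.

```c
/*
 * User-space model of the seq_dummy forwarding bug and its fix (added example).
 * Hypothetical stand-ins: legacy_event/ump_event ~ struct snd_seq_event/snd_seq_ump_event,
 * seq_event_union ~ union __snd_seq_event, packet_size() ~ snd_seq_event_packet_size(),
 * deliver() ~ the subscriber delivery path. Sizes and flag bits are invented for the demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EV_FLAG_UMP   0x10   /* hypothetical: "this packet uses the larger UMP layout" */
#define DUMMY_PORT    1      /* hypothetical port the dummy client writes into source.port */
#define SUBSCRIBERS   0xfe   /* hypothetical "broadcast to subscribers" destination */

#define ERR_OVERREAD  (-1)   /* delivery would read past the dispatched object */
#define ERR_TOO_BIG   (-2)   /* output buffer too small */
#define ERR_OVERSIZE  (-3)   /* packet claims a size larger than the union */

struct legacy_event {                 /* common 4-byte header shared by both layouts, */
    uint8_t  type, flags, src_port, dst_client;
    uint32_t data[3];                 /* followed by a 12-byte legacy payload (16 bytes total) */
};

struct ump_event {
    uint8_t  type, flags, src_port, dst_client;
    uint32_t ump[4];                  /* 16-byte UMP payload: larger than legacy_event */
};

union seq_event_union {               /* storage big enough for the largest packet */
    struct legacy_event legacy;
    struct ump_event    ump;
};

/* The packet size is decided by a flag inside the event, not by the storage it sits in. */
static size_t packet_size(uint8_t flags)
{
    return (flags & EV_FLAG_UMP) ? sizeof(struct ump_event) : sizeof(struct legacy_event);
}

/*
 * Subscriber delivery: copies packet_size() bytes out of the dispatched object.
 * storage_len is the real size of that object, so the model reports an overread
 * instead of performing one.
 */
static int deliver(const void *pkt, size_t storage_len, uint8_t *out, size_t out_len)
{
    struct legacy_event hdr;
    size_t n;

    memcpy(&hdr, pkt, sizeof(hdr));   /* header layout is common to both packet types */
    n = packet_size(hdr.flags);
    if (n > storage_len)
        return ERR_OVERREAD;          /* the kernel bug: reading past the temporary */
    if (n > out_len)
        return ERR_TOO_BIG;
    memcpy(out, pkt, n);
    return (int)n;
}

/* Before the fix: legacy-sized temporary, but the UMP flag is copied along with it. */
static int forward_buggy(const union seq_event_union *ev, uint8_t *out, size_t out_len)
{
    struct legacy_event tmpev = ev->legacy;   /* truncates a UMP packet to 16 bytes */

    tmpev.src_port   = DUMMY_PORT;
    tmpev.dst_client = SUBSCRIBERS;
    return deliver(&tmpev, sizeof(tmpev), out, out_len);
}

/* After the fix: union storage, copy exactly the packet size, then rewrite the routing. */
static int forward_fixed(const union seq_event_union *ev, uint8_t *out, size_t out_len)
{
    union seq_event_union tmpev;
    size_t size = packet_size(ev->legacy.flags);

    if (size > sizeof(tmpev))         /* explicit bound that the kernel hunk leaves implicit */
        return ERR_OVERSIZE;
    memcpy(&tmpev, ev, size);
    tmpev.legacy.src_port   = DUMMY_PORT;
    tmpev.legacy.dst_client = SUBSCRIBERS;
    return deliver(&tmpev, sizeof(tmpev), out, out_len);
}

/* Constructed sample inputs (not captured from a real sequencer). */
static union seq_event_union sample_ump(void)
{
    union seq_event_union ev = { .ump = { .type = 0x21, .flags = EV_FLAG_UMP, .src_port = 7,
                                          .dst_client = 3,
                                          .ump = { 0x40903c64u, 0x11111111u, 0x22222222u, 0x33333333u } } };
    return ev;
}

static union seq_event_union sample_legacy(void)
{
    union seq_event_union ev = { .legacy = { .type = 0x06, .src_port = 7, .dst_client = 3,
                                             .data = { 0x3c, 0x64, 0 } } };
    return ev;
}

int main(void)
{
    uint8_t out[sizeof(union seq_event_union)];
    union seq_event_union u = sample_ump(), l = sample_legacy();

    printf("UMP:    buggy=%d fixed=%d\n", forward_buggy(&u, out, sizeof(out)),
           forward_fixed(&u, out, sizeof(out)));
    printf("legacy: buggy=%d fixed=%d\n", forward_buggy(&l, out, sizeof(out)),
           forward_fixed(&l, out, sizeof(out)));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run. For the UMP sample the buggy forwarder reports ERR_OVERREAD because deliver() would copy sizeof(struct ump_event) bytes out of a 16-byte temporary, while the fixed forwarder delivers the whole packet with the rewritten routing fields; for a legacy sample both behave identically, which is what "keeping legacy event handling unchanged" in the commit message means.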
@@ -0,0 +1,43 @@ +From 8846d8416cd1b67661d75bb6d10092a1b9e32e7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 May 2026 09:38:44 +0200 +Subject: crypto: s390 - add select CRYPTO_AEAD for aes + +From: Arnd Bergmann + +[ Upstream commit ecf3edd349dfabee9bc8a46c5ff91c9ebd858d48 ] + +The aes driver registers both skcipher and aead algorithms, +but when aead is not enabled this causes a link failure: + +s390-linux-ld: arch/s390/crypto/aes_s390.o: in function `aes_s390_fini': +arch/s390/crypto/aes_s390.c:969:(.text+0x115e): undefined reference to `crypto_unregister_aead' +s390-linux-ld: arch/s390/crypto/aes_s390.o: in function `aes_s390_init': +arch/s390/crypto/aes_s390.c:1028:(.init.text+0x294): undefined reference to `crypto_register_aead' + +Add the missing 'select' statement. + +Fixes: bf7fa038707c ("s390/crypto: add s390 platform specific aes gcm support.") +Signed-off-by: Arnd Bergmann +Reviewed-by: Harald Freudenberger +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + arch/s390/crypto/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/s390/crypto/Kconfig b/arch/s390/crypto/Kconfig +index 79a2d0034258b6..1b12856acfbcb7 100644 +--- a/arch/s390/crypto/Kconfig ++++ b/arch/s390/crypto/Kconfig +@@ -14,6 +14,7 @@ config CRYPTO_GHASH_S390 + + config CRYPTO_AES_S390 + tristate "Ciphers: AES, modes: ECB, CBC, CTR, XTS, GCM" ++ select CRYPTO_AEAD + select CRYPTO_SKCIPHER + help + AEAD cipher: AES with GCM +-- +2.53.0 + diff --git a/queue-7.0/drivers-hv-vmbus-provide-option-to-skip-vmbus-unload.patch b/queue-7.0/drivers-hv-vmbus-provide-option-to-skip-vmbus-unload.patch new file mode 100644 index 0000000000..f4bff5d861 --- /dev/null +++ b/queue-7.0/drivers-hv-vmbus-provide-option-to-skip-vmbus-unload.patch 
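Review bot: the arch/s390/crypto/Kconfig hunk in the s390 AES patch above places `select CRYPTO_AEAD` alphabetically ahead of `select CRYPTO_SKCIPHER`, matching the existing style, and the help text already advertises GCM as an AEAD cipher, so a select rather than a `depends on` is the right fix for the undefined crypto_register_aead() references quoted in the message; no further concerns.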
@@ -0,0 +1,129 @@ +From f20b91f40fea3153d840236b9ebf00a4e30d2bea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Feb 2026 10:23:34 -0800 +Subject: Drivers: hv: vmbus: Provide option to skip VMBus unload on panic + +From: Michael Kelley + +[ Upstream commit c5c3ef8d49e15d2fc1cec4ad7c91d81b99977440 ] + +Currently, VMBus code initiates a VMBus unload in the panic path so +that if a kdump kernel is loaded, it can start fresh in setting up its +own VMBus connection. However, a driver for the VMBus virtual frame +buffer may need to flush dirty portions of the frame buffer back to +the Hyper-V host so that panic information is visible in the graphics +console. To support such flushing, provide exported functions for the +frame buffer driver to specify that the VMBus unload should not be +done by the VMBus driver, and to initiate the VMBus unload itself. +Together these allow a frame buffer driver to delay the VMBus unload +until after it has completed the flush. + +Ideally, the VMBus driver could use its own panic-path callback to do +the unload after all frame buffer drivers have finished. But DRM frame +buffer drivers use the kmsg dump callback, and there are no callbacks +after that in the panic path. Hence this somewhat messy approach to +properly sequencing the frame buffer flush and the VMBus unload. 
+ +Fixes: 3671f3777758 ("drm/hyperv: Add support for drm_panic") +Signed-off-by: Michael Kelley +Reviewed-by: Long Li +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/hv/channel_mgmt.c | 1 + + drivers/hv/hyperv_vmbus.h | 1 - + drivers/hv/vmbus_drv.c | 25 ++++++++++++++++++------- + include/linux/hyperv.h | 3 +++ + 4 files changed, 22 insertions(+), 8 deletions(-) + +diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c +index 7c77ada12b2e94..327d05ccf41683 100644 +--- a/drivers/hv/channel_mgmt.c ++++ b/drivers/hv/channel_mgmt.c +@@ -944,6 +944,7 @@ void vmbus_initiate_unload(bool crash) + else + vmbus_wait_for_unload(); + } ++EXPORT_SYMBOL_GPL(vmbus_initiate_unload); + + static void vmbus_setup_channel_state(struct vmbus_channel *channel, + struct vmbus_channel_offer_channel *offer) +diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h +index 7bd8f8486e858c..592a16303b3bed 100644 +--- a/drivers/hv/hyperv_vmbus.h ++++ b/drivers/hv/hyperv_vmbus.h +@@ -440,7 +440,6 @@ void hv_vss_deinit(void); + int hv_vss_pre_suspend(void); + int hv_vss_pre_resume(void); + void hv_vss_onchannelcallback(void *context); +-void vmbus_initiate_unload(bool crash); + + static inline void hv_poll_channel(struct vmbus_channel *channel, + void (*cb)(void *)) +diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c +index 3d2827477f0a54..59fc09d73a05d0 100644 +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -70,19 +70,29 @@ bool vmbus_is_confidential(void) + } + EXPORT_SYMBOL_GPL(vmbus_is_confidential); + ++static bool skip_vmbus_unload; ++ ++/* ++ * Allow a VMBus framebuffer driver to specify that in the case of a panic, ++ * it will do the VMbus unload operation once it has flushed any dirty ++ * portions of the framebuffer to the Hyper-V host. 
++ */ ++void vmbus_set_skip_unload(bool skip) ++{ ++ skip_vmbus_unload = skip; ++} ++EXPORT_SYMBOL_GPL(vmbus_set_skip_unload); ++ + /* + * The panic notifier below is responsible solely for unloading the + * vmbus connection, which is necessary in a panic event. +- * +- * Notice an intrincate relation of this notifier with Hyper-V +- * framebuffer panic notifier exists - we need vmbus connection alive +- * there in order to succeed, so we need to order both with each other +- * [see hvfb_on_panic()] - this is done using notifiers' priorities. + */ + static int hv_panic_vmbus_unload(struct notifier_block *nb, unsigned long val, + void *args) + { +- vmbus_initiate_unload(true); ++ if (!skip_vmbus_unload) ++ vmbus_initiate_unload(true); ++ + return NOTIFY_DONE; + } + static struct notifier_block hyperv_panic_vmbus_unload_block = { +@@ -2903,7 +2913,8 @@ static void hv_crash_handler(struct pt_regs *regs) + { + int cpu; + +- vmbus_initiate_unload(true); ++ if (!skip_vmbus_unload) ++ vmbus_initiate_unload(true); + /* + * In crash handler we can't schedule synic cleanup for all CPUs, + * doing the cleanup for current CPU only. This should be sufficient +diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h +index dfc516c1c7193f..b0502a336eb3a5 100644 +--- a/include/linux/hyperv.h ++++ b/include/linux/hyperv.h +@@ -1334,6 +1334,9 @@ int vmbus_allocate_mmio(struct resource **new, struct hv_device *device_obj, + bool fb_overlap_ok); + void vmbus_free_mmio(resource_size_t start, resource_size_t size); + ++void vmbus_initiate_unload(bool crash); ++void vmbus_set_skip_unload(bool skip); ++ + /* + * GUID definitions of various offer types - services offered to the guest. + */ +-- +2.53.0 + diff --git a/queue-7.0/drm-hyperv-during-panic-do-vmbus-unload-after-frame-.patch b/queue-7.0/drm-hyperv-during-panic-do-vmbus-unload-after-frame-.patch new file mode 100644 index 0000000000..e887a6e3bd --- /dev/null 
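Review bot: in the vmbus_drv.c hunks of the queue-7.0 Drivers: hv: vmbus patch above, gating hv_crash_handler() on skip_vmbus_unload assumes that the frame buffer driver's own unload call, which the commit message places in the kmsg dump callback, has already run by the time the crash kernel is started; that holds only when the crash kexec happens after the panic notifiers and kmsg dumpers (crash_kexec_post_notifiers). If a configuration kexecs first, neither the flush nor the unload runs and the kdump kernel starts with a stale VMBus connection, which is exactly what the unload was there to prevent. State that ordering assumption in the comment above `skip_vmbus_unload`, and consider leaving hv_crash_handler() ungated if vmbus_initiate_unload() tolerates a second call. Separately, the hunk deletes the comment about ordering against hvfb_on_panic(); if the fbdev hyperv_fb driver is still built in this tree, that notifier-priority dependency still exists and should stay documented.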
+++ b/queue-7.0/drm-hyperv-during-panic-do-vmbus-unload-after-frame-.patch 
@@ -0,0 +1,98 @@ +From 84281d65baede39621f2f0c7dcc018e91e8d737d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Feb 2026 10:23:35 -0800 +Subject: drm/hyperv: During panic do VMBus unload after frame buffer is + flushed + +From: Michael Kelley + +[ Upstream commit 8b35874f56ded0cc1a90a25b87411249a86246cd ] + +In a VM, Linux panic information (reason for the panic, stack trace, +etc.) may be written to a serial console and/or a virtual frame buffer +for a graphics console. The latter may need to be flushed back to the +host hypervisor for display. + +The current Hyper-V DRM driver for the frame buffer does the flushing +*after* the VMBus connection has been unloaded, such that panic messages +are not displayed on the graphics console. A user with a Hyper-V graphics +console is left with just a hung empty screen after a panic. The enhanced +control that DRM provides over the panic display in the graphics console +is similarly non-functional. + +Commit 3671f3777758 ("drm/hyperv: Add support for drm_panic") added +the Hyper-V DRM driver support to flush the virtual frame buffer. It +provided necessary functionality but did not handle the sequencing +problem with VMBus unload. + +Fix the full problem by using VMBus functions to suppress the VMBus +unload that is normally done by the VMBus driver in the panic path. Then +after the frame buffer has been flushed, do the VMBus unload so that a +kdump kernel can start cleanly. As expected, CONFIG_DRM_PANIC must be +selected for these changes to have effect. As a side benefit, the +enhanced features of the DRM panic path are also functional. 
+ +Fixes: 3671f3777758 ("drm/hyperv: Add support for drm_panic") +Signed-off-by: Michael Kelley +Reviewed-by: Jocelyn Falempe +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/hyperv/hyperv_drm_drv.c | 5 +++++ + drivers/gpu/drm/hyperv/hyperv_drm_modeset.c | 15 ++++++++------- + 2 files changed, 13 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/hyperv/hyperv_drm_drv.c b/drivers/gpu/drm/hyperv/hyperv_drm_drv.c +index 06b5d96e6eaf6b..b6bf6412ae34ac 100644 +--- a/drivers/gpu/drm/hyperv/hyperv_drm_drv.c ++++ b/drivers/gpu/drm/hyperv/hyperv_drm_drv.c +@@ -150,6 +150,10 @@ static int hyperv_vmbus_probe(struct hv_device *hdev, + goto err_free_mmio; + } + ++ /* If DRM panic path is stubbed out VMBus code must do the unload */ ++ if (IS_ENABLED(CONFIG_DRM_PANIC)) ++ vmbus_set_skip_unload(true); ++ + drm_client_setup(dev, NULL); + + return 0; +@@ -169,6 +173,7 @@ static void hyperv_vmbus_remove(struct hv_device *hdev) + struct drm_device *dev = hv_get_drvdata(hdev); + struct hyperv_drm_device *hv = to_hv(dev); + ++ vmbus_set_skip_unload(false); + drm_dev_unplug(dev); + drm_atomic_helper_shutdown(dev); + vmbus_close(hdev->channel); +diff --git a/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c b/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c +index 7978f8c8108c23..d48ca6c23b7c5e 100644 +--- a/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c ++++ b/drivers/gpu/drm/hyperv/hyperv_drm_modeset.c +@@ -212,15 +212,16 @@ static void hyperv_plane_panic_flush(struct drm_plane *plane) + struct hyperv_drm_device *hv = to_hv(plane->dev); + struct drm_rect rect; + +- if (!plane->state || !plane->state->fb) +- return; ++ if (plane->state && plane->state->fb) { ++ rect.x1 = 0; ++ rect.y1 = 0; ++ rect.x2 = plane->state->fb->width; ++ rect.y2 = plane->state->fb->height; + +- rect.x1 = 0; +- rect.y1 = 0; +- rect.x2 = plane->state->fb->width; +- rect.y2 = plane->state->fb->height; ++ hyperv_update_dirt(hv->hdev, &rect); ++ } + +- hyperv_update_dirt(hv->hdev, &rect); ++ 
vmbus_initiate_unload(true); + } + + static const struct drm_plane_helper_funcs hyperv_plane_helper_funcs = { +-- +2.53.0 + diff --git a/queue-7.0/hyperv-clean-up-and-fix-the-guest-id-comment-in-hvgd.patch b/queue-7.0/hyperv-clean-up-and-fix-the-guest-id-comment-in-hvgd.patch new file mode 100644 index 0000000000..b44cd73c4a --- /dev/null +++ b/queue-7.0/hyperv-clean-up-and-fix-the-guest-id-comment-in-hvgd.patch 
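Review bot: in the hyperv_drm_modeset.c hunk of the queue-7.0 drm/hyperv patch above, the VMBus unload now depends entirely on drm_panic reaching hyperv_plane_panic_flush(); if the drm_panic core bails out before the flush callback (for example when it cannot obtain a scanout buffer, or when the panic screen is disabled at run time), the unload is never issued and a loaded kdump kernel inherits a live VMBus connection. The IS_ENABLED(CONFIG_DRM_PANIC) test in the probe hunk covers only the build-time case, so the commit message should either show that the flush callback is unconditional on the panic path or a fallback unload should remain in the VMBus panic notifier. Minor: the comment "If DRM panic path is stubbed out VMBus code must do the unload" describes the negated case; "Take over the VMBus unload only when the DRM panic path is built in" would match the `if` as written.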
@@ -0,0 +1,56 @@ +From bb393c7046fe6e07cb78b109867e72638066a2c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 May 2026 12:21:01 -0700 +Subject: hyperv: Clean up and fix the guest ID comment in hvgdk.h + +From: Dexuan Cui + +[ Upstream commit 83eb00f31eb1b10735d48e469df72cc2b0e06f6d ] + +Change the "64 bit" to "64-bit", and the "Os" to "OS". + +Remove the obsolete paragraph since the guideline has been +published in the Hypervisor Top Level Functional Specification +for many years. + +The "OS Type" is 0x1 for Linux, not 0x100. + +No functional change. + +Fixes: 83ba0c4f3f31 ("Drivers: hv: Cleanup the guest ID computation") +Signed-off-by: Dexuan Cui +Reviewed-by: Hamza Mahfooz +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + include/hyperv/hvgdk.h | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/include/hyperv/hvgdk.h b/include/hyperv/hvgdk.h +index 384c3f3ff4a525..f538144280ca55 100644 +--- a/include/hyperv/hvgdk.h ++++ b/include/hyperv/hvgdk.h +@@ -10,18 +10,12 @@ + + /* + * The guest OS needs to register the guest ID with the hypervisor. +- * The guest ID is a 64 bit entity and the structure of this ID is ++ * The guest ID is a 64-bit entity and the structure of this ID is + * specified in the Hyper-V TLFS specification. + * +- * While the current guideline does not specify how Linux guest ID(s) +- * need to be generated, our plan is to publish the guidelines for +- * Linux and other guest operating systems that currently are hosted +- * on Hyper-V. The implementation here conforms to this yet +- * unpublished guidelines. +- * + * Bit(s) + * 63 - Indicates if the OS is Open Source or not; 1 is Open Source +- * 62:56 - Os Type; Linux is 0x100 ++ * 62:56 - OS Type; Linux is 0x1 + * 55:48 - Distro specific identification + * 47:16 - Linux kernel version number + * 15:0 - Distro specific identification +-- +2.53.0 + 
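Review bot: the include/hyperv/hvgdk.h hunk in the guest ID patch above is comment-only and the message says "No functional change", so by itself it does not meet the stable inclusion rules; if it is queued only so that later hyperv backports apply cleanly, say so in the stable commit, otherwise drop it from queue-7.0. Also cross-check the corrected value (OS Type 0x1 for Linux in bits 62:56) against the macro that actually composes the guest ID, since a comment disagreeing with the code is the very thing this patch fixes.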
diff --git a/queue-7.0/regulator-mt6363-select-config_irq_domain.patch b/queue-7.0/regulator-mt6363-select-config_irq_domain.patch new file mode 100644 index 0000000000..5e9b483e6b --- /dev/null +++ b/queue-7.0/regulator-mt6363-select-config_irq_domain.patch 
@@ -0,0 +1,56 @@ +From bbefbb454d700d78044c1b5fac269439881a29af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 May 2026 12:19:37 +0200 +Subject: regulator: mt6363: select CONFIG_IRQ_DOMAIN + +From: Arnd Bergmann + +[ Upstream commit 29d87434cb91b7689de2917830ca82acfd2770f5 ] + +When build-testing this driver without CONFIG_IRQ_DOMAIN causes +a compile-time error: + +drivers/regulator/mt6363-regulator.c: In function 'mt6363_regulator_probe': +drivers/regulator/mt6363-regulator.c:884:18: error: implicit declaration of function 'irq_find_host' [-Wimplicit-function-declaration] + 884 | domain = irq_find_host(interrupt_parent); + | ^~~~~~~~~~~~~ +drivers/regulator/mt6363-regulator.c:884:16: error: assignment to 'struct irq_domain *' from 'int' makes pointer from integer without a cast [-Wint-conversion] + 884 | domain = irq_find_host(interrupt_parent); + | ^ +drivers/regulator/mt6363-regulator.c:896:30: error: implicit declaration of function 'irq_create_fwspec_mapping'; did you mean 'irq_create_of_mapping'? [-Wimplicit-function-declaration] + 896 | info->virq = irq_create_fwspec_mapping(&fwspec); + | ^~~~~~~~~~~~~~~~~~~~~~~~~ + | irq_create_of_mapping + +This is rather hard to trigger because so many other drivers +enable IRQ_DOMAIN already, but I ran into this on an s390 +randconfig build. + +Ensure this is always enabled using a Kconfig 'select IRQ_DOMAIN' +entry, as we do for all other users of this. 
+ +Fixes: 3c36965df808 ("regulator: Add support for MediaTek MT6363 SPMI PMIC Regulators") +Signed-off-by: Arnd Bergmann +Reviewed-by: AngeloGioacchino Del Regno +Link: https://patch.msgid.link/20260526102003.2527570-1-arnd@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/regulator/Kconfig b/drivers/regulator/Kconfig +index d10b6f9243d515..426642d7a02c0c 100644 +--- a/drivers/regulator/Kconfig ++++ b/drivers/regulator/Kconfig +@@ -977,6 +977,7 @@ config REGULATOR_MT6363 + tristate "MT6363 SPMI PMIC regulator driver" + depends on SPMI + select REGMAP_SPMI ++ select IRQ_DOMAIN + help + Say Y here to enable support for regulators found in the MediaTek + MT6363 SPMI PMIC. +-- +2.53.0 + diff --git a/queue-7.0/rseq-fix-using-an-uninitialized-stack-variable-in-rs.patch b/queue-7.0/rseq-fix-using-an-uninitialized-stack-variable-in-rs.patch new file mode 100644 index 0000000000..e8a71c5248 --- /dev/null +++ b/queue-7.0/rseq-fix-using-an-uninitialized-stack-variable-in-rs.patch 
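Review bot: the rationale for `select IRQ_DOMAIN` rests on the changelog's statement that all other users of these helpers do the same, but nothing in the hunk shows those entries; a quick check of the other `select IRQ_DOMAIN` lines in drivers/regulator/Kconfig would confirm the pattern. The build errors quoted in the changelog (implicit declarations of irq_find_host and irq_create_fwspec_mapping) are both explained by the missing symbol, so the one-line Kconfig change is the right scope; note that `select` forces the symbol on regardless of its own dependencies, which is acceptable here only because the changelog says this is how the existing users handle it.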
@@ -0,0 +1,64 @@ +From 3234a79b5329048297cca3fcd42af15054ed3bdf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jun 2026 11:08:54 +0800 +Subject: rseq: Fix using an uninitialized stack variable in + rseq_exit_user_update() + +From: Qing Wang + +[ Upstream commit 6d99479799c69c3cb588fcda19c81d8f61d64ecd ] + +There is an bug in which an uninitialized stack variable is used in +rseq_exit_user_update() as reported by syzbot: + +BUG: KMSAN: kernel-infoleak in rseq_set_ids_get_csaddr include/linux/rseq_entry.h:502 [inline] + +The local variable: + + struct rseq_ids ids = { + .cpu_id = task_cpu(t), + .mm_cid = task_mm_cid(t), + .node_id = cpu_to_node(ids.cpu_id), + }; + +According to the C standard, the evaluation order of expressions in an +initializer list is indeterminately sequenced. The compiler (Clang, in +this KMSAN build) evaluates `cpu_to_node(ids.cpu_id)` *before* +`ids.cpu_id` is initialized with `task_cpu(t)`. + +This is fixed by moving the assignment of ids.node_id outside the +structure initialization. 
+ +Fixes: 82f572449cfe ("rseq: Implement read only ABI enforcement for optimized RSEQ V2 mode") +Closes: https://syzkaller.appspot.com/bug?extid=185a631927096f9da2fc +Reported-by: syzbot+185a631927096f9da2fc@syzkaller.appspotmail.com +Signed-off-by: Qing Wang +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Mark Rutland +Link: https://patch.msgid.link/20260602030854.574038-1-wangqing7171@gmail.com +Signed-off-by: Sasha Levin +--- + include/linux/rseq_entry.h | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/include/linux/rseq_entry.h b/include/linux/rseq_entry.h +index 413a3543fbe8ed..69bdb93951b904 100644 +--- a/include/linux/rseq_entry.h ++++ b/include/linux/rseq_entry.h +@@ -625,10 +625,11 @@ static __always_inline bool rseq_exit_user_update(struct pt_regs *regs, struct t + return true; + } + ++ int cpu = task_cpu(t); + struct rseq_ids ids = { +- .cpu_id = task_cpu(t), ++ .cpu_id = cpu, + .mm_cid = task_mm_cid(t), +- .node_id = cpu_to_node(ids.cpu_id), ++ .node_id = cpu_to_node(cpu), + }; + + return rseq_update_usr(t, regs, &ids); +-- +2.53.0 + diff --git a/queue-7.0/selftests-harness-fix-pidfd-leak-in-__wait_for_test.patch b/queue-7.0/selftests-harness-fix-pidfd-leak-in-__wait_for_test.patch new file mode 100644 index 0000000000..9a56e9c957 --- /dev/null +++ b/queue-7.0/selftests-harness-fix-pidfd-leak-in-__wait_for_test.patch 
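Review bot: the changelog should state why KMSAN classed this as a kernel-infoleak rather than a plain uninitialised read: the trailing context line `return rseq_update_usr(t, regs, &ids);` shows that `ids` is written to user-visible memory, so an uninitialised `node_id` would expose stack contents to userspace. The fix itself is correct, since reading `ids.cpu_id` inside the same initializer list that sets it is unsequenced under the C standard; hoisting `task_cpu(t)` into a local `cpu` and using it for both fields removes the dependency on initializer evaluation order, and the new declaration follows the existing `struct rseq_ids ids` declaration, which already sits after a statement in this function.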
@@ -0,0 +1,40 @@ +From 97b4a0962f727acf88d18c07cc5afcda11b66647 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Apr 2026 17:45:28 +0800 +Subject: selftests: harness: fix pidfd leak in __wait_for_test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geliang Tang + +[ Upstream commit 0eb307d61317b42b120ab02099b597226318358a ] + +Fix the pidfd leak in kselftest_harness.h's __wait_for_test() where +childfd = syscall(__NR_pidfd_open, t->pid, 0) is never closed. + +Fixes: 73a3cde97677 ("selftests: harness: Implement test timeouts through pidfd") +Signed-off-by: Geliang Tang +Link: https://patch.msgid.link/a82e275ccfb2609a1984d90ab559fa3af78f1e81.1776678050.git.tanggeliang@kylinos.cn +Reviewed-by: Thomas Weißschuh +Signed-off-by: Christian Brauner (Amutable) +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kselftest_harness.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/kselftest_harness.h b/tools/testing/selftests/kselftest_harness.h +index 4afaef01c22e97..27d1bf5fd86180 100644 +--- a/tools/testing/selftests/kselftest_harness.h ++++ b/tools/testing/selftests/kselftest_harness.h +@@ -996,6 +996,7 @@ static void __wait_for_test(struct __test_metadata *t) + poll_child.fd = childfd; + poll_child.events = POLLIN; + ret = poll(&poll_child, 1, t->timeout * 1000); ++ close(childfd); + if (ret == -1) { + t->exit_code = KSFT_FAIL; + fprintf(TH_LOG_STREAM, +-- +2.53.0 + diff --git a/queue-7.0/series b/queue-7.0/series index 2b6ce97883..db5241184d 100644 --- a/queue-7.0/series +++ b/queue-7.0/series 
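Review bot: closing `childfd` unconditionally right after poll() and before the `ret == -1` check is correct only if nothing further down in __wait_for_test() uses the pidfd again (for example in the timeout path); the hunk's context ends at the error branch, so confirm the remainder of the function only uses `t->pid`. If pidfd_open failed earlier, `childfd` would be -1 and close(-1) just returns EBADF, so the unconditional close is harmless in that case as well.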
@@ -71,3 +71,16 @@ fwctl-bnxt_en-refactor-aux-bus-functions-to-be-more-.patch reapply-bnxt_en-bring-back-rtnl_lock-in-the-bnxt_ope.patch i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch +drivers-hv-vmbus-provide-option-to-skip-vmbus-unload.patch +drm-hyperv-during-panic-do-vmbus-unload-after-frame-.patch +selftests-harness-fix-pidfd-leak-in-__wait_for_test.patch +signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch +regulator-mt6363-select-config_irq_domain.patch +hyperv-clean-up-and-fix-the-guest-id-comment-in-hvgd.patch +vfs-fix-possible-failure-to-unlock-in-nfsd4_create_f.patch +crypto-s390-add-select-crypto_aead-for-aes.patch +rseq-fix-using-an-uninitialized-stack-variable-in-rs.patch +time-fix-off-by-one-in-settimeofday-usec-validation.patch +alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch +alsa-seq-dummy-fix-ump-event-stack-overread.patch +x86-resctrl-only-check-intel-systems-for-snc.patch diff --git a/queue-7.0/signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch b/queue-7.0/signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch new file mode 100644 index 0000000000..aa285e1788 --- /dev/null +++ b/queue-7.0/signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch 
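Review bot: the thirteen appended series entries reference patch files that are not all shown in this section of the diff (for example crypto-s390-add-select-crypto_aead-for-aes.patch and alsa-seq-dummy-fix-ump-event-stack-overread.patch); confirm each file is added in the same commit so the stable-queue tooling does not fail on a missing patch. The ordering places drivers-hv-vmbus-provide-option-to-skip-vmbus-unload.patch ahead of drm-hyperv-during-panic-do-vmbus-unload-after-frame-.patch, which is the right order if the latter uses the option introduced by the former.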
@@ -0,0 +1,72 @@ +From 5e8acff25f8aa5346a6040274440b28dd94cbf50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2026 16:22:40 +0200 +Subject: signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() + +From: Aleksandr Nogikh + +[ Upstream commit 90918794a4e2c3b440f8fcf3847765a8b1d81b25 ] + +When a multi-threaded process receives a stop signal (e.g., SIGSTOP), +do_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all +threads and sets signal->group_stop_count to the number of threads. If +one of the threads concurrently calls execve(), de_thread() invokes +zap_other_threads() to kill all other threads. zap_other_threads() +aborts the pending group stop by resetting signal->group_stop_count to 0 +and clears the JOBCTL_PENDING_MASK for all other threads. However, it +fails to clear the job control flags for the calling thread. + +When execve() completes, the calling thread returns to user mode and +checks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag, +it calls do_signal_stop(), which invokes task_participate_group_stop(). +Since JOBCTL_STOP_CONSUME is still set, it attempts to decrement the +already-zero signal->group_stop_count, triggering a warning: + +sig->group_stop_count == 0 +WARNING: CPU: 1 PID: 6475 at kernel/signal.c:373 +task_participate_group_stop+0x215/0x2d0 +Call Trace: + + do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619 + get_signal+0xa8c/0x1330 kernel/signal.c:2884 + arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337 + exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98 + do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +Fix this race condition by clearing the JOBCTL_PENDING_MASK for the +calling thread in zap_other_threads(), ensuring it does not retain any +stale job control state after the thread group is destroyed. 
This aligns +with other functions that tear down a thread group and abort group +stops, such as zap_process() and complete_signal(), which correctly +clear these flags for all threads including the current one. + +Fixes: 39efa3ef3a37 ("signal: Use GROUP_STOP_PENDING to stop once for a single group stop") +Assisted-by: Gemini:gemini-3.1-pro-preview Gemini:gemini-3-flash-preview syzbot +Reported-by: syzbot+b109633ea805cac54a61@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b109633ea805cac54a61 +Link: https://syzkaller.appspot.com/ai_job?id=d70208cc-862b-4fe3-bf02-3031e10cd0b3 +Signed-off-by: Aleksandr Nogikh +Link: https://patch.msgid.link/20260521142240.2973022-1-nogikh@google.com +Signed-off-by: Christian Brauner (Amutable) +Signed-off-by: Sasha Levin +--- + kernel/signal.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/signal.c b/kernel/signal.c +index d65d0fe24bfb8c..1c9b5bf8126e01 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -1340,6 +1340,7 @@ int zap_other_threads(struct task_struct *p) + int count = 0; + + p->signal->group_stop_count = 0; ++ task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK); + + for_other_threads(p, t) { + task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK); +-- +2.53.0 + diff --git a/queue-7.0/time-fix-off-by-one-in-settimeofday-usec-validation.patch b/queue-7.0/time-fix-off-by-one-in-settimeofday-usec-validation.patch new file mode 100644 index 0000000000..7032d415bd --- /dev/null +++ b/queue-7.0/time-fix-off-by-one-in-settimeofday-usec-validation.patch 
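Review bot: the added `task_clear_jobctl_pending(p, JOBCTL_PENDING_MASK);` deserves a one-line comment, since its purpose (the exec'ing thread `p` may itself still carry JOBCTL_STOP_PENDING/JOBCTL_STOP_CONSUME from the group stop that the preceding `group_stop_count = 0` just aborted) is only explained in the changelog and not obvious from the symmetry with the `for_other_threads(p, t)` loop below it. Because the same helper is already called on every other thread in that loop, the locking requirements of zap_other_threads() are unchanged by applying it to `p` as well.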
@@ -0,0 +1,44 @@ +From 991b4851c558846043f0acb748aceb046c32ae16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Jun 2026 23:37:37 +0530 +Subject: time: Fix off-by-one in settimeofday() usec validation + +From: Naveen Kumar Chaudhary + +[ Upstream commit ce4abda5e12622f33450159e76c8f56d28d7f03d ] + +The validation check uses '>' instead of '>=' when comparing tv_usec +against USEC_PER_SEC, allowing the value 1000000 through. After +conversion to nanoseconds (*= 1000), this produces tv_nsec == +NSEC_PER_SEC, violating the timespec invariant that tv_nsec must be +less than NSEC_PER_SEC. + +Use '>=' to reject tv_usec values that are not in the valid range of +0 to 999999. + +Fixes: 5e0fb1b57bea ("y2038: time: avoid timespec usage in settimeofday()") +Signed-off-by: Naveen Kumar Chaudhary +Signed-off-by: Thomas Gleixner +Acked-by: John Stultz +Link: https://patch.msgid.link/4rikk44zew3s6577dugmx4jyblz7o5c57niuap6ct3td5yfm6w@gh7pcumg7qor +Signed-off-by: Sasha Levin +--- + kernel/time/time.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/time/time.c b/kernel/time/time.c +index 0d832317d5766a..771cef87ad3b0a 100644 +--- a/kernel/time/time.c ++++ b/kernel/time/time.c +@@ -207,7 +207,7 @@ SYSCALL_DEFINE2(settimeofday, struct __kernel_old_timeval __user *, tv, + get_user(new_ts.tv_nsec, &tv->tv_usec)) + return -EFAULT; + +- if (new_ts.tv_nsec > USEC_PER_SEC || new_ts.tv_nsec < 0) ++ if (new_ts.tv_nsec >= USEC_PER_SEC || new_ts.tv_nsec < 0) + return -EINVAL; + + new_ts.tv_nsec *= NSEC_PER_USEC; +-- +2.53.0 + diff --git a/queue-7.0/vfs-fix-possible-failure-to-unlock-in-nfsd4_create_f.patch b/queue-7.0/vfs-fix-possible-failure-to-unlock-in-nfsd4_create_f.patch new file mode 100644 index 0000000000..618d0b232b --- /dev/null +++ b/queue-7.0/vfs-fix-possible-failure-to-unlock-in-nfsd4_create_f.patch 
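Review bot: the diffstat shows a single line changed in kernel/time/time.c, yet the same `> USEC_PER_SEC` comparison may exist in the compat settimeofday path in that file; if it does, it needs the identical `>=` fix or 32-bit callers can still pass tv_usec == 1000000 and produce tv_nsec == NSEC_PER_SEC after the `*= NSEC_PER_USEC` conversion shown in the trailing context. The change itself is right: the valid range stated in the changelog is 0 to 999999, which is exactly what `>= USEC_PER_SEC || < 0` rejects.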
@@ -0,0 +1,85 @@ +From 9cbae74b1410efacb9733c9348cdc17065d7f8e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 May 2026 16:23:45 +1000 +Subject: VFS: fix possible failure to unlock in nfsd4_create_file() + +From: NeilBrown + +[ Upstream commit e824bbd4d224cce4b5fb59cc9dcd3447fe0b7e44 ] + +atomic_create() in fs/namei.c drops the reference to the dentry +when it returns an error. +This behaviour was imported into dentry_create() so that it +will drop the reference if an error is returned from atomic_create(), +though not if vfs_create() returns an error (in the case where +->atomic_create is not supported). + +The caller - nfsd4_create_file() - is made aware of this by checking +path->dentry, which will either be a counted reference to a dentry, or +an error pointer. + +However the change to use start_creating()/end_creating() (which landed +shortly before the dentry_create() change landed, though was likely +developed around the same time) means that nfsd4_create_file() *needs* a +valid dentry so that it can unlock the parent. + +The net result is that if NFSD exports a filesystem which uses +->atomic_create, and if a call to ->atomic_create returns an error, then +nfsd4_create_file() will pass an error pointer to end_creating() +and the parent will not be unlocked. + +Fix this by changing dentry_create() to make sure path->dentry is always +a valid dentry, never an error-pointer. The actual error is already +returned a different way. + +Note that if ->atomic_create() returns a different dentry (which may not +be possible in practice) we are guaranteed (because it is only ever +provided by d_spliace_alias()) that it will have the same d_parent and +so it will have the same effect when passed to end_creating(). 
+ +Fixes: 64a989dbd144 ("VFS/knfsd: Teach dentry_create() to use atomic_open()") +Signed-off-by: NeilBrown +Link: https://patch.msgid.link/177969022571.3379282.16448744624428323496@noble.neil.brown.name +Reviewed-by: Jeff Layton +Reviewed-by: Benjamin Coddington +Reviewed-by: Jori Koolstra +Signed-off-by: Christian Brauner (Amutable) +Signed-off-by: Sasha Levin +--- + fs/namei.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/namei.c b/fs/namei.c +index 9e5500dad14f59..d615cd62885198 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -5002,6 +5002,7 @@ struct file *dentry_create(struct path *path, int flags, umode_t mode, + { + struct file *file __free(fput) = NULL; + struct dentry *dentry = path->dentry; ++ struct dentry *orig_dentry = dentry; + struct dentry *dir = dentry->d_parent; + struct inode *dir_inode = d_inode(dir); + struct mnt_idmap *idmap; +@@ -5021,9 +5022,18 @@ struct file *dentry_create(struct path *path, int flags, umode_t mode, + if (create_error) + flags &= ~O_CREAT; + ++ /* atomic_open will dput(dentry) on error */ ++ dget(orig_dentry); + dentry = atomic_open(path, dentry, file, flags, mode); + error = PTR_ERR_OR_ZERO(dentry); + ++ if (IS_ERR(dentry)) ++ /* keep the original */ ++ dentry = orig_dentry; ++ else ++ /* Drop the extra reference */ ++ dput(orig_dentry); ++ + if (unlikely(create_error) && error == -ENOENT) + error = create_error; + +-- +2.53.0 + diff --git a/queue-7.0/x86-resctrl-only-check-intel-systems-for-snc.patch b/queue-7.0/x86-resctrl-only-check-intel-systems-for-snc.patch new file mode 100644 index 0000000000..41734b9e52 --- /dev/null +++ b/queue-7.0/x86-resctrl-only-check-intel-systems-for-snc.patch 
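Review bot: the second hunk restores the local `dentry` to `orig_dentry` on error, but no visible line writes `path->dentry`, while the changelog's stated goal is that `path->dentry` is never an error pointer; confirm that the unchanged code further down assigns `dentry` back into `path->dentry` (or that atomic_open() never modified it), otherwise the caller still sees the error pointer. The reference accounting is consistent with the comment "atomic_open will dput(dentry) on error": the extra `dget(orig_dentry)` is consumed by atomic_open() on failure, leaving the caller's original reference intact, and is dropped explicitly by `dput(orig_dentry)` on success. A brief note on the different-dentry case from the changelog next to that `dput` would help future readers.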
@@ -0,0 +1,53 @@ +From 090b5b243ddbe79e44566c83f6f85164b36fe371 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2026 21:46:49 -0700 +Subject: x86/resctrl: Only check Intel systems for SNC + +From: Tony Luck + +[ Upstream commit 6f6947b2387e94e405f80d472f8a189bfbf2bd6c ] + +topology_num_nodes_per_package() reports values greater than one on certain +AMD systems resulting in resctrl's Intel model specific SNC detection +printing the confusing message: + + "CoD enabled system? Resctrl not supported" + +Add a check for Intel systems before looking at the topology. + +[ reinette: Add Closes tag, fix tag typos, rework changelog ] + +Fixes: 59674fc9d0bf ("x86/resctrl: Fix SNC detection") +Reported-by: Babu Moger +Signed-off-by: Tony Luck +Signed-off-by: Reinette Chatre +Signed-off-by: Ingo Molnar +Tested-by: Babu Moger +Link: https://patch.msgid.link/9849330f45ac86344cc5ac54df2d313906d70bc4.1780634584.git.reinette.chatre@intel.com +Closes: https://lore.kernel.org/lkml/37ac0376-43a3-4283-a3d5-4d57b3bec578@amd.com/ +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/resctrl/monitor.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/resctrl/monitor.c b/arch/x86/kernel/cpu/resctrl/monitor.c +index 9bd87bae498342..59215fef3924c8 100644 +--- a/arch/x86/kernel/cpu/resctrl/monitor.c ++++ b/arch/x86/kernel/cpu/resctrl/monitor.c +@@ -377,7 +377,12 @@ static const struct x86_cpu_id snc_cpu_ids[] __initconst = { + + static __init int snc_get_config(void) + { +- int ret = topology_num_nodes_per_package(); ++ int ret; ++ ++ if (boot_cpu_data.x86_vendor != X86_VENDOR_INTEL) ++ return 1; ++ ++ ret = topology_num_nodes_per_package(); + + if (ret > 1 && !x86_match_cpu(snc_cpu_ids)) { + pr_warn("CoD enabled system? Resctrl not supported\n"); +-- +2.53.0 +
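Review bot: the early `return 1;` for non-Intel vendors is a magic constant; since the function's existing body returns the value of topology_num_nodes_per_package(), a comment stating that SNC is Intel-only and that 1 node per package means "SNC not in use" would make the early return self-explanatory. The vendor check also short-circuits the `pr_warn("CoD enabled system? Resctrl not supported\n")` path on AMD, which is the behaviour the changelog asks for, and the `boot_cpu_data.x86_vendor` comparison is placed before any topology query so no AMD-specific value is ever evaluated against `snc_cpu_ids`.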