From: Sasha Levin Date: Wed, 20 May 2026 00:53:42 +0000 (-0400) Subject: Fixes for all trees X-Git-Tag: v6.6.141~55 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=e408b2a5811a7b69ab187aea540b8f61e802962f;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for all trees Signed-off-by: Sasha Levin
---
diff --git a/queue-6.12/ata-libata-scsi-fix-requeue-of-deferred-ata-pass-thr.patch b/queue-6.12/ata-libata-scsi-fix-requeue-of-deferred-ata-pass-thr.patch
new file mode 100644
index 0000000000..172c69a011
--- /dev/null
+++ b/queue-6.12/ata-libata-scsi-fix-requeue-of-deferred-ata-pass-thr.patch
@@ -0,0 +1,57 @@
+From 2f12ae7bbd6511b6231eb5ed98145ee7ad3ec633 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 12 Apr 2026 08:36:37 -0700
+Subject: ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands
+
+From: Igor Pylypiv
+
+[ Upstream commit 8ebf408e7d463eee02c348a3c8277b95587b710d ]
+
+Commit 0ea84089dbf6 ("ata: libata-scsi: avoid Non-NCQ command starvation")
+introduced ata_scsi_requeue_deferred_qc() to handle commands deferred
+during resets or NCQ failures. This deferral logic completed commands
+with DID_SOFT_ERROR to trigger a retry in the SCSI mid-layer.
+
+However, DID_SOFT_ERROR is subject to scsi_cmd_retry_allowed() checks.
+ATA PASS-THROUGH commands sent via SG_IO ioctl have scmd->allowed set
+to zero. This causes the mid-layer to fail the command immediately
+instead of retrying, even though the command was never actually issued
+to the hardware.
+
+Switch to DID_REQUEUE to ensure these commands are inserted back into
+the request queue regardless of retry limits.
+
+Fixes: 0ea84089dbf6 ("ata: libata-scsi: avoid Non-NCQ command starvation")
+Reviewed-by: Damien Le Moal
+Signed-off-by: Igor Pylypiv
+Signed-off-by: Niklas Cassel
+Signed-off-by: Sasha Levin
+---
+ drivers/ata/libata-scsi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
+index b55443e31f403..f3d0979082cb5 100644
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -1705,7 +1705,7 @@ void ata_scsi_requeue_deferred_qc(struct ata_port *ap)
+ /*
+ * If we have a deferred qc when a reset occurs or NCQ commands fail,
+ * do not try to be smart about what to do with this deferred command
+- * and simply retry it by completing it with DID_SOFT_ERROR.
++ * and simply requeue it by completing it with DID_REQUEUE.
+ */
+ if (!qc)
+ return;
+@@ -1714,7 +1714,7 @@ void ata_scsi_requeue_deferred_qc(struct ata_port *ap)
+ ap->deferred_qc = NULL;
+ cancel_work(&ap->deferred_qc_work);
+ ata_qc_free(qc);
+- scmd->result = (DID_SOFT_ERROR << 16);
++ scmd->result = (DID_REQUEUE << 16);
+ scsi_done(scmd);
+ }
+
+--
+2.53.0
+
diff --git a/queue-6.12/netfilter-nf_tables-unconditionally-bump-set-nelems-.patch b/queue-6.12/netfilter-nf_tables-unconditionally-bump-set-nelems-.patch
new file mode 100644
index 0000000000..327627f3b7
--- /dev/null
+++ b/queue-6.12/netfilter-nf_tables-unconditionally-bump-set-nelems-.patch
@@ -0,0 +1,108 @@ +From 363a4b85c0423884376ebce00390e50c4d599e83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 May 2026 15:55:04 +0800 +Subject: netfilter: nf_tables: unconditionally bump set->nelems before + insertion + +From: Pablo Neira Ayuso + +[ Upstream commit def602e498a4f951da95c95b1b8ce8ae68aa733a ] + +In case that the set is full, a new element gets published then removed +without waiting for the RCU grace period, while RCU reader can be +walking over it already. + +To address this issue, add the element transaction even if set is full, +but toggle the set_full flag to report -ENFILE so the abort path safely +unwinds the set to its previous state. + +As for element updates, decrement set->nelems to restore it. + +A simpler fix is to call synchronize_rcu() in the error path. +However, with a large batch adding elements to already maxed-out set, +this could cause noticeable slowdown of such batches. + +Fixes: 35d0ac9070ef ("netfilter: nf_tables: fix set->nelems counting with no NLM_F_EXCL") +Reported-by: Inseo An +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +[ Minor conflict resolved. 
] +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 30 ++++++++++++++++-------------- + 1 file changed, 16 insertions(+), 14 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index e373afdf0f072..838c9f49e4e01 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -6981,6 +6981,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, + enum nft_registers dreg; + struct nft_trans *trans; + u8 update_flags; ++ bool set_full = false; + u64 expiration; + u64 timeout; + int err, i; +@@ -7267,10 +7268,18 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, + if (err < 0) + goto err_elem_free; + ++ if (!(flags & NFT_SET_ELEM_CATCHALL)) { ++ unsigned int max = nft_set_maxsize(set), nelems; ++ ++ nelems = atomic_inc_return(&set->nelems); ++ if (nelems > max) ++ set_full = true; ++ } ++ + trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set); + if (trans == NULL) { + err = -ENOMEM; +- goto err_elem_free; ++ goto err_set_size; + } + + ext->genmask = nft_genmask_cur(ctx->net); +@@ -7312,7 +7321,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, + nft_trans_elem_priv(trans) = elem_priv; + nft_trans_elem_update_flags(trans) = update_flags; + nft_trans_commit_list_add_tail(ctx->net, trans); +- goto err_elem_free; ++ goto err_set_size; + } + } + } +@@ -7330,23 +7339,16 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, + goto err_element_clash; + } + +- if (!(flags & NFT_SET_ELEM_CATCHALL)) { +- unsigned int max = nft_set_maxsize(set); +- +- if (!atomic_add_unless(&set->nelems, 1, max)) { +- err = -ENFILE; +- goto err_set_full; +- } +- } +- + nft_trans_elem_priv(trans) = elem.priv; + nft_trans_commit_list_add_tail(ctx->net, trans); +- return 0; + +-err_set_full: +- nft_setelem_remove(ctx->net, set, elem.priv); ++ return set_full ? 
-ENFILE : 0; ++ + err_element_clash: + kfree(trans); ++err_set_size: ++ if (!(flags & NFT_SET_ELEM_CATCHALL)) ++ atomic_dec(&set->nelems); + err_elem_free: + nf_tables_set_elem_destroy(ctx, set, elem.priv); + err_parse_data: +-- +2.53.0 + diff --git a/queue-6.12/series b/queue-6.12/series index 170fd37d48..e1fc569f54 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -620,3 +620,5 @@ kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch +netfilter-nf_tables-unconditionally-bump-set-nelems-.patch +ata-libata-scsi-fix-requeue-of-deferred-ata-pass-thr.patch diff --git a/queue-6.18/ata-libata-scsi-fix-requeue-of-deferred-ata-pass-thr.patch b/queue-6.18/ata-libata-scsi-fix-requeue-of-deferred-ata-pass-thr.patch new file mode 100644 index 0000000000..99c3867775 --- /dev/null +++ b/queue-6.18/ata-libata-scsi-fix-requeue-of-deferred-ata-pass-thr.patch 
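Review bot: `return set_full ? -ENFILE : 0;` is reached after `nft_trans_commit_list_add_tail()` with the element inserted and `set->nelems` already bumped, yet nothing at that line says those are deliberately left in place; a reader used to the goto-unwind style of the rest of the function will read the error return as a leaked count and a published element. Add a comment above the return stating that the element and the nelems increment are intentionally kept because the transaction is on the commit list and the batch abort releases both after the RCU grace period, which is the whole point of this change. That correctness argument depends on the caller aborting the batch on -ENFILE, which is outside the hunk; if any caller tolerated the error the set would remain above nft_set_maxsize(). nft_add_set_elem() starts and ends outside the hunk, and the queue-6.6 copy of this patch has the same return and would take the same comment.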
@@ -0,0 +1,57 @@ +From 9f9e67b9f13276d68d001926cca7066a96dc1b3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Apr 2026 08:36:37 -0700 +Subject: ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands + +From: Igor Pylypiv + +[ Upstream commit 8ebf408e7d463eee02c348a3c8277b95587b710d ] + +Commit 0ea84089dbf6 ("ata: libata-scsi: avoid Non-NCQ command starvation") +introduced ata_scsi_requeue_deferred_qc() to handle commands deferred +during resets or NCQ failures. This deferral logic completed commands +with DID_SOFT_ERROR to trigger a retry in the SCSI mid-layer. + +However, DID_SOFT_ERROR is subject to scsi_cmd_retry_allowed() checks. +ATA PASS-THROUGH commands sent via SG_IO ioctl have scmd->allowed set +to zero. This causes the mid-layer to fail the command immediately +instead of retrying, even though the command was never actually issued +to the hardware. + +Switch to DID_REQUEUE to ensure these commands are inserted back into +the request queue regardless of retry limits. + +Fixes: 0ea84089dbf6 ("ata: libata-scsi: avoid Non-NCQ command starvation") +Reviewed-by: Damien Le Moal +Signed-off-by: Igor Pylypiv +Signed-off-by: Niklas Cassel +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-scsi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c +index 88689369db03d..e7c78b8d3c2c0 100644 +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -1691,7 +1691,7 @@ void ata_scsi_requeue_deferred_qc(struct ata_port *ap) + /* + * If we have a deferred qc when a reset occurs or NCQ commands fail, + * do not try to be smart about what to do with this deferred command +- * and simply retry it by completing it with DID_SOFT_ERROR. ++ * and simply requeue it by completing it with DID_REQUEUE. 
+ */ + if (!qc) + return; +@@ -1700,7 +1700,7 @@ void ata_scsi_requeue_deferred_qc(struct ata_port *ap) + ap->deferred_qc = NULL; + cancel_work(&ap->deferred_qc_work); + ata_qc_free(qc); +- scmd->result = (DID_SOFT_ERROR << 16); ++ scmd->result = (DID_REQUEUE << 16); + scsi_done(scmd); + } + +-- +2.53.0 + diff --git a/queue-6.18/fuse-avoid-0x10-fault-in-fuse_readahead-when-max_pag.patch b/queue-6.18/fuse-avoid-0x10-fault-in-fuse_readahead-when-max_pag.patch new file mode 100644 index 0000000000..4c37ec7c64 --- /dev/null +++ b/queue-6.18/fuse-avoid-0x10-fault-in-fuse_readahead-when-max_pag.patch 
@@ -0,0 +1,90 @@ +From 6b37dea0b15bbd4a1b98f14dd22e5645223e741e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 May 2026 10:48:16 -0700 +Subject: fuse: avoid 0x10 fault in fuse_readahead when max_pages == 0 + +From: Vlad Poenaru + +[ Upstream commit 4ea907108a5c ("fuse: use iomap for readahead") ] + +The upstream fix is the iomap conversion in commit 4ea907108a5c +("fuse: use iomap for readahead"), which rewrote fuse_readahead() +entirely and removed the buggy loop along with it. That refactor +is too invasive to backport to the pre-iomap readahead path still +used by 6.18.y (and earlier stable branches), so this is a minimal, +equivalent fix to the same bug on those branches. + +When fc->max_read is smaller than PAGE_SIZE (common on aarch64 with +64K base pages if the FUSE server advertises a small max_read in INIT), +max_pages = min(fc->max_pages, fc->max_read / PAGE_SIZE) is 0, so +cur_pages is 0 on every outer iteration. + +fuse_io_alloc(NULL, 0) then calls fuse_folios_alloc(0, ...), which +calls kzalloc(0, ...) and gets back ZERO_SIZE_PTR == (void *)16. +The "if (!ia->ap.folios)" guard in fuse_io_alloc does not catch +ZERO_SIZE_PTR, so fuse_io_alloc happily returns an ia whose +ap.folios is 0x10. + +The inner "while (pages < cur_pages)" loop runs zero times, then +fuse_send_readpages(ia, ...) dereferences ap->folios[0] in +folio_pos(), faulting at virtual address 0x10: + + Unable to handle kernel NULL pointer dereference at virtual address + 0000000000000010 + fuse_readahead+0x14c/0x490 + read_pages+0x80/0x318 + page_cache_ra_unbounded+0x1c0/0x2b0 + page_cache_ra_order+0xb8/0x368 + page_cache_sync_ra+0x210/0x320 + filemap_get_pages+0x290/0xdb0 + generic_file_read_iter+0xd0/0x540 + fuse_file_read_iter+0x8c/0x158 + __arm64_sys_read+0x1a0/0x488 + +addr2line on the aarch64 vmlinux maps fuse_readahead+0x14c to +fs/fuse/file.c:897 inlined into :999, i.e. "folio_pos(ap->folios[0])" +inside fuse_send_readpages. 
The faulting instruction "ldr x8, [x8]" +loads ap->folios[0]; ap->folios was previously loaded as 0x10 +(ZERO_SIZE_PTR). + +Without this fix the function would also spin forever, since +"nr_pages -= pages" makes no progress when pages stays 0; in practice +the NULL deref masks the spin. + +Bail out of the outer loop if cur_pages is 0 -- there is no work we +can issue via FUSE in this iteration, and remaining folios will be +handled by read_pages() falling back to ->read_folio. + +Fixes: 3eab9d7bc2f4 ("fuse: convert readahead to use folios") +Reported-by: Breno Leitao +Reviewed-by: Joanne Koong +Signed-off-by: Vlad Poenaru +Signed-off-by: Sasha Levin +--- + fs/fuse/file.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/fuse/file.c b/fs/fuse/file.c +index 00ff6374dc76b..50ade371298b3 100644 +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -974,6 +974,16 @@ static void fuse_readahead(struct readahead_control *rac) + unsigned cur_pages = min(max_pages, nr_pages); + unsigned int pages = 0; + ++ /* ++ * If max_pages == 0 (e.g. fc->max_read < PAGE_SIZE on a ++ * 64K-page kernel), cur_pages is 0 and we cannot make ++ * progress. Bailing here avoids passing 0 to fuse_io_alloc, ++ * which would return an ia whose ap.folios is ZERO_SIZE_PTR ++ * (0x10) -- later dereferenced by fuse_send_readpages. ++ */ ++ if (!cur_pages) ++ break; ++ + if (fc->num_background >= fc->congestion_threshold && + rac->ra->async_size >= readahead_count(rac)) + /* +-- +2.53.0 + diff --git a/queue-6.18/media-staging-imx-configure-src_mux-in-csi_start.patch b/queue-6.18/media-staging-imx-configure-src_mux-in-csi_start.patch new file mode 100644 index 0000000000..9e8af85c33 --- /dev/null +++ b/queue-6.18/media-staging-imx-configure-src_mux-in-csi_start.patch 
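Review bot: The new `if (!cur_pages) break;` is evaluated on every outer iteration, but from the visible lines `cur_pages = min(max_pages, nr_pages)` can only be zero when `max_pages` is zero, so a single guard before the loop, `if (!max_pages) return;`, would state the intent directly and avoid re-testing a loop invariant; the loop header, the computation of max_pages and anything after the loop are outside the hunk, so this assumes nr_pages is non-zero inside the loop and nothing after it must still run. The underlying hazard that `fuse_io_alloc(NULL, 0)` hands back an ia whose `ap.folios` is ZERO_SIZE_PTR is left in place and would still bite any other caller that can pass 0; the `!ia->ap.folios` check there could use `ZERO_OR_NULL_PTR()` instead. fuse_readahead() begins and ends outside the hunk.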
@@ -0,0 +1,125 @@ +From 37e4cebf1a3f36dbcffff802031f62281981cb84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 May 2026 16:14:36 +0200 +Subject: media: staging: imx: configure src_mux in csi_start + +From: Michael Tretter + +[ Upstream commit ebeec2b000a90cd8aae86d1931ff5ef23af8284e ] + +After media_pipeline_start() was called, the media graph is assumed to +be validated. It won't be validated again if a second stream starts. + +The imx-media-csi driver, however, changes hardware configuration in the +link_validate() callback. This can result in started streams with +misconfigured hardware. + +In the concrete example, the ipu2_csi1 is driven by a parallel video +input. After the media pipeline has been started with this +configuration, a second stream is configured to use ipu1_csi0 with +MIPI-CSI input from imx6-mipi-csi2. This may require the reconfiguration +of ipu1_csi0 with ipu_set_csi_src_mux(). Since the media pipeline is +already running, link_validate won't be called, and the ipu1_csi0 won't +be reconfigured. The resulting video is broken, because the ipu1_csi0 is +misconfigured, but no error is reported. + +Move ipu_set_csi_src_mux from csi_link_validate to csi_start to ensure +that input to ipu1_csi0 is configured correctly when starting the +stream. This is a local reconfiguration in ipu1_csi0 and is possible +while the media pipeline is running. + +Since csi_start() is called with priv->lock already locked, +csi_set_src() must not lock priv->lock again. Thus, the mutex_lock() is +dropped. 
+ +Signed-off-by: Michael Tretter +Fixes: 4a34ec8e470c ("[media] media: imx: Add CSI subdev driver") +Cc: stable@vger.kernel.org +Reviewed-by: Frank Li +Reviewed-by: Philipp Zabel +Signed-off-by: Frank Li +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/staging/media/imx/imx-media-csi.c | 44 ++++++++++++----------- + 1 file changed, 24 insertions(+), 20 deletions(-) + +diff --git a/drivers/staging/media/imx/imx-media-csi.c b/drivers/staging/media/imx/imx-media-csi.c +index 55a7d8f38465b..1bc644f73a9d1 100644 +--- a/drivers/staging/media/imx/imx-media-csi.c ++++ b/drivers/staging/media/imx/imx-media-csi.c +@@ -744,6 +744,28 @@ static int csi_setup(struct csi_priv *priv, + return 0; + } + ++static void csi_set_src(struct csi_priv *priv, ++ struct v4l2_mbus_config *mbus_cfg) ++{ ++ bool is_csi2; ++ ++ is_csi2 = !is_parallel_bus(mbus_cfg); ++ if (is_csi2) { ++ /* ++ * NOTE! It seems the virtual channels from the mipi csi-2 ++ * receiver are used only for routing by the video mux's, ++ * or for hard-wired routing to the CSI's. Once the stream ++ * enters the CSI's however, they are treated internally ++ * in the IPU as virtual channel 0. ++ */ ++ ipu_csi_set_mipi_datatype(priv->csi, 0, ++ &priv->format_mbus[CSI_SINK_PAD]); ++ } ++ ++ /* select either parallel or MIPI-CSI2 as input to CSI */ ++ ipu_set_csi_src_mux(priv->ipu, priv->csi_id, is_csi2); ++} ++ + static int csi_start(struct csi_priv *priv) + { + struct v4l2_mbus_config mbus_cfg = { .type = 0 }; +@@ -760,6 +782,8 @@ static int csi_start(struct csi_priv *priv) + input_fi = &priv->frame_interval[CSI_SINK_PAD]; + output_fi = &priv->frame_interval[priv->active_output_pad]; + ++ csi_set_src(priv, &mbus_cfg); ++ + /* start upstream */ + ret = v4l2_subdev_call(priv->src_sd, video, s_stream, 1); + ret = (ret && ret != -ENOIOCTLCMD) ? 
ret : 0; +@@ -1130,7 +1154,6 @@ static int csi_link_validate(struct v4l2_subdev *sd, + { + struct csi_priv *priv = v4l2_get_subdevdata(sd); + struct v4l2_mbus_config mbus_cfg = { .type = 0 }; +- bool is_csi2; + int ret; + + ret = v4l2_subdev_link_validate_default(sd, link, +@@ -1145,25 +1168,6 @@ static int csi_link_validate(struct v4l2_subdev *sd, + return ret; + } + +- mutex_lock(&priv->lock); +- +- is_csi2 = !is_parallel_bus(&mbus_cfg); +- if (is_csi2) { +- /* +- * NOTE! It seems the virtual channels from the mipi csi-2 +- * receiver are used only for routing by the video mux's, +- * or for hard-wired routing to the CSI's. Once the stream +- * enters the CSI's however, they are treated internally +- * in the IPU as virtual channel 0. +- */ +- ipu_csi_set_mipi_datatype(priv->csi, 0, +- &priv->format_mbus[CSI_SINK_PAD]); +- } +- +- /* select either parallel or MIPI-CSI2 as input to CSI */ +- ipu_set_csi_src_mux(priv->ipu, priv->csi_id, is_csi2); +- +- mutex_unlock(&priv->lock); + return ret; + } + +-- +2.53.0 + diff --git a/queue-6.18/series b/queue-6.18/series index 49b876ceae..80d0342a67 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -896,3 +896,6 @@ bluetooth-btmtk-accept-too-short-wmt-func_ctrl-events.patch hid-pass-the-buffer-size-to-hid_report_raw_event.patch hid-core-introduce-hid_safe_input_report.patch hid-core-fix-size_t-specifier-in-hid_report_raw_even.patch +fuse-avoid-0x10-fault-in-fuse_readahead-when-max_pag.patch +ata-libata-scsi-fix-requeue-of-deferred-ata-pass-thr.patch +media-staging-imx-configure-src_mux-in-csi_start.patch diff --git a/queue-6.6/asoc-sof-intel-hda-fix-null-pointer-dereference.patch b/queue-6.6/asoc-sof-intel-hda-fix-null-pointer-dereference.patch new file mode 100644 index 0000000000..0ac0056973 --- /dev/null +++ b/queue-6.6/asoc-sof-intel-hda-fix-null-pointer-dereference.patch 
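Review bot: csi_set_src() now runs without taking priv->lock, relying on csi_start() being entered with the mutex already held, but neither the new function nor its call site records that contract, and the code it replaces in csi_link_validate() used to take the lock itself. Open csi_set_src() with `lockdep_assert_held(&priv->lock);` under a one-line comment `/* Called with priv->lock held. */` so a future caller from a path that does not hold the lock is caught under lockdep rather than by a silent mux misconfiguration. Whether csi_start() is the only caller cannot be confirmed from the hunk. The queue-7.0 copy of this patch adds the same function and needs the same assertion.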
@@ -0,0 +1,63 @@
+From e49f874445e39df28b17808d9a9dd5d197af1a1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 May 2026 18:44:10 +0800
+Subject: ASoC: SOF: Intel: hda: Fix NULL pointer dereference
+
+From: Ranjani Sridharan
+
+[ Upstream commit 16c589567a956d46a7c1363af3f64de3d420af20 ]
+
+If there's a mismatch between the DAI links in the machine driver and
+the topology, it is possible that the playback/capture widget is not
+set, especially in the case of loopback capture for echo reference
+where we use the dummy DAI link. Return the error when the widget is not
+set to avoid a null pointer dereference like below when the topology is
+broken.
+
+RIP: 0010:hda_dai_get_ops.isra.0+0x14/0xa0 [snd_sof_intel_hda_common]
+
+Signed-off-by: Ranjani Sridharan
+Reviewed-by: Bard Liao
+Reviewed-by: Liam Girdwood
+Reviewed-by: Mateusz Redzynia
+Signed-off-by: Peter Ujfalusi
+Link: https://patch.msgid.link/20260204081833.16630-10-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown
+[ Minor context conflict resolved. ]
+Signed-off-by: Alva Lan
+Signed-off-by: Sasha Levin
+---
+ sound/soc/sof/intel/hda-dai.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/sof/intel/hda-dai.c b/sound/soc/sof/intel/hda-dai.c
+index 19ec1a45737ea..097bcc7822a7d 100644
+--- a/sound/soc/sof/intel/hda-dai.c
++++ b/sound/soc/sof/intel/hda-dai.c
+@@ -77,11 +77,22 @@ static const struct hda_dai_widget_dma_ops *
+ hda_dai_get_ops(struct snd_pcm_substream *substream, struct snd_soc_dai *cpu_dai)
+ {
+ struct snd_soc_dapm_widget *w = snd_soc_dai_get_widget(cpu_dai, substream->stream);
+- struct snd_sof_widget *swidget = w->dobj.private;
++ struct snd_sof_widget *swidget;
+ struct snd_sof_dev *sdev;
+ struct snd_sof_dai *sdai;
+
++ /*
++ * this is unlikely if the topology and the machine driver DAI links match.
++ * But if there's a missing DAI link in topology, this will prevent a NULL pointer
++ * dereference later on.
++ */
++ if (!w) {
++ dev_err(cpu_dai->dev, "%s: widget is NULL\n", __func__);
++ return NULL;
++ }
++
+ sdev = widget_to_sdev(w);
++ swidget = w->dobj.private;
+
+ /*
+ * The swidget parameter of hda_select_dai_widget_ops() is ignored in
+--
+2.53.0
+
diff --git a/queue-6.6/netfilter-nf_tables-unconditionally-bump-set-nelems-.patch b/queue-6.6/netfilter-nf_tables-unconditionally-bump-set-nelems-.patch
new file mode 100644
index 0000000000..092b2c475e
--- /dev/null
+++ b/queue-6.6/netfilter-nf_tables-unconditionally-bump-set-nelems-.patch
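Review bot: hda_dai_get_ops() now returns NULL when the widget lookup fails, but the hunk does not show its callers, and a getter that previously crashed on this path only stops crashing if every caller checks the result; otherwise the dereference has moved rather than gone. The callers should be audited in the same change, and the error line should say which DAI is affected so a topology mismatch is actionable from the log alone, e.g. `dev_err(cpu_dai->dev, "%s: widget is NULL for DAI %s\n", __func__, cpu_dai->name);`. The rest of hda_dai_get_ops() lies outside the hunk.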
@@ -0,0 +1,99 @@ +From 1b6a8ce84e356b18b281f75d3902f05cc697fa58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 May 2026 15:55:18 +0800 +Subject: netfilter: nf_tables: unconditionally bump set->nelems before + insertion + +From: Pablo Neira Ayuso + +[ Upstream commit def602e498a4f951da95c95b1b8ce8ae68aa733a ] + +In case that the set is full, a new element gets published then removed +without waiting for the RCU grace period, while RCU reader can be +walking over it already. + +To address this issue, add the element transaction even if set is full, +but toggle the set_full flag to report -ENFILE so the abort path safely +unwinds the set to its previous state. + +As for element updates, decrement set->nelems to restore it. + +A simpler fix is to call synchronize_rcu() in the error path. +However, with a large batch adding elements to already maxed-out set, +this could cause noticeable slowdown of such batches. + +Fixes: 35d0ac9070ef ("netfilter: nf_tables: fix set->nelems counting with no NLM_F_EXCL") +Reported-by: Inseo An +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +[ Minor conflict resolved. 
] +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index a0914a92e07dd..6fc88bf511092 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -6803,6 +6803,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, + struct nft_data_desc desc; + enum nft_registers dreg; + struct nft_trans *trans; ++ bool set_full = false; + u64 timeout; + u64 expiration; + int err, i; +@@ -7095,10 +7096,18 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, + if (err < 0) + goto err_elem_free; + ++ if (!(flags & NFT_SET_ELEM_CATCHALL)) { ++ unsigned int max = nft_set_maxsize(set), nelems; ++ ++ nelems = atomic_inc_return(&set->nelems); ++ if (nelems > max) ++ set_full = true; ++ } ++ + trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set); + if (trans == NULL) { + err = -ENOMEM; +- goto err_elem_free; ++ goto err_set_size; + } + + ext->genmask = nft_genmask_cur(ctx->net); +@@ -7130,23 +7139,16 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, + goto err_element_clash; + } + +- if (!(flags & NFT_SET_ELEM_CATCHALL)) { +- unsigned int max = nft_set_maxsize(set); +- +- if (!atomic_add_unless(&set->nelems, 1, max)) { +- err = -ENFILE; +- goto err_set_full; +- } +- } +- + nft_trans_elem(trans) = elem; + nft_trans_commit_list_add_tail(ctx->net, trans); +- return 0; + +-err_set_full: +- nft_setelem_remove(ctx->net, set, &elem); ++ return set_full ? -ENFILE : 0; ++ + err_element_clash: + kfree(trans); ++err_set_size: ++ if (!(flags & NFT_SET_ELEM_CATCHALL)) ++ atomic_dec(&set->nelems); + err_elem_free: + nf_tables_set_elem_destroy(ctx, set, elem.priv); + err_parse_data: +-- +2.53.0 + diff --git a/queue-6.6/series b/queue-6.6/series index 5b38b1eec6..ca3ec569d8 100644 
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -459,3 +459,5 @@ audit-enforce-audit_locked-for-audit_trim-and-audit_make_equiv.patch
 kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch
 kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch
 kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch
+netfilter-nf_tables-unconditionally-bump-set-nelems-.patch
+asoc-sof-intel-hda-fix-null-pointer-dereference.patch
diff --git a/queue-7.0/ata-libata-scsi-fix-requeue-of-deferred-ata-pass-thr.patch b/queue-7.0/ata-libata-scsi-fix-requeue-of-deferred-ata-pass-thr.patch
new file mode 100644
index 0000000000..95578632fe
--- /dev/null
+++ b/queue-7.0/ata-libata-scsi-fix-requeue-of-deferred-ata-pass-thr.patch
@@ -0,0 +1,57 @@ +From e63aad22143ca1d93dc973e5f8a1643adcc58a4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Apr 2026 08:36:37 -0700 +Subject: ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands + +From: Igor Pylypiv + +[ Upstream commit 8ebf408e7d463eee02c348a3c8277b95587b710d ] + +Commit 0ea84089dbf6 ("ata: libata-scsi: avoid Non-NCQ command starvation") +introduced ata_scsi_requeue_deferred_qc() to handle commands deferred +during resets or NCQ failures. This deferral logic completed commands +with DID_SOFT_ERROR to trigger a retry in the SCSI mid-layer. + +However, DID_SOFT_ERROR is subject to scsi_cmd_retry_allowed() checks. +ATA PASS-THROUGH commands sent via SG_IO ioctl have scmd->allowed set +to zero. This causes the mid-layer to fail the command immediately +instead of retrying, even though the command was never actually issued +to the hardware. + +Switch to DID_REQUEUE to ensure these commands are inserted back into +the request queue regardless of retry limits. + +Fixes: 0ea84089dbf6 ("ata: libata-scsi: avoid Non-NCQ command starvation") +Reviewed-by: Damien Le Moal +Signed-off-by: Igor Pylypiv +Signed-off-by: Niklas Cassel +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-scsi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c +index 3b65df914ebbe..cd607911d7248 100644 +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -1692,7 +1692,7 @@ void ata_scsi_requeue_deferred_qc(struct ata_port *ap) + /* + * If we have a deferred qc when a reset occurs or NCQ commands fail, + * do not try to be smart about what to do with this deferred command +- * and simply retry it by completing it with DID_SOFT_ERROR. ++ * and simply requeue it by completing it with DID_REQUEUE. 
+ */ + if (!qc) + return; +@@ -1701,7 +1701,7 @@ void ata_scsi_requeue_deferred_qc(struct ata_port *ap) + ap->deferred_qc = NULL; + cancel_work(&ap->deferred_qc_work); + ata_qc_free(qc); +- scmd->result = (DID_SOFT_ERROR << 16); ++ scmd->result = (DID_REQUEUE << 16); + scsi_done(scmd); + } + +-- +2.53.0 + diff --git a/queue-7.0/media-staging-imx-configure-src_mux-in-csi_start.patch b/queue-7.0/media-staging-imx-configure-src_mux-in-csi_start.patch new file mode 100644 index 0000000000..ec0d20e5d7 --- /dev/null +++ b/queue-7.0/media-staging-imx-configure-src_mux-in-csi_start.patch 
@@ -0,0 +1,125 @@ +From 0c7e4dc5d4988b94e236a18bb290c3033cdc42cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Nov 2025 11:34:34 +0100 +Subject: media: staging: imx: configure src_mux in csi_start + +From: Michael Tretter + +[ Upstream commit ebeec2b000a90cd8aae86d1931ff5ef23af8284e ] + +After media_pipeline_start() was called, the media graph is assumed to +be validated. It won't be validated again if a second stream starts. + +The imx-media-csi driver, however, changes hardware configuration in the +link_validate() callback. This can result in started streams with +misconfigured hardware. + +In the concrete example, the ipu2_csi1 is driven by a parallel video +input. After the media pipeline has been started with this +configuration, a second stream is configured to use ipu1_csi0 with +MIPI-CSI input from imx6-mipi-csi2. This may require the reconfiguration +of ipu1_csi0 with ipu_set_csi_src_mux(). Since the media pipeline is +already running, link_validate won't be called, and the ipu1_csi0 won't +be reconfigured. The resulting video is broken, because the ipu1_csi0 is +misconfigured, but no error is reported. + +Move ipu_set_csi_src_mux from csi_link_validate to csi_start to ensure +that input to ipu1_csi0 is configured correctly when starting the +stream. This is a local reconfiguration in ipu1_csi0 and is possible +while the media pipeline is running. + +Since csi_start() is called with priv->lock already locked, +csi_set_src() must not lock priv->lock again. Thus, the mutex_lock() is +dropped. 
+ +Signed-off-by: Michael Tretter +Fixes: 4a34ec8e470c ("[media] media: imx: Add CSI subdev driver") +Cc: stable@vger.kernel.org +Reviewed-by: Frank Li +Reviewed-by: Philipp Zabel +Signed-off-by: Frank Li +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/staging/media/imx/imx-media-csi.c | 44 ++++++++++++----------- + 1 file changed, 24 insertions(+), 20 deletions(-) + +diff --git a/drivers/staging/media/imx/imx-media-csi.c b/drivers/staging/media/imx/imx-media-csi.c +index 55a7d8f38465b..1bc644f73a9d1 100644 +--- a/drivers/staging/media/imx/imx-media-csi.c ++++ b/drivers/staging/media/imx/imx-media-csi.c +@@ -744,6 +744,28 @@ static int csi_setup(struct csi_priv *priv, + return 0; + } + ++static void csi_set_src(struct csi_priv *priv, ++ struct v4l2_mbus_config *mbus_cfg) ++{ ++ bool is_csi2; ++ ++ is_csi2 = !is_parallel_bus(mbus_cfg); ++ if (is_csi2) { ++ /* ++ * NOTE! It seems the virtual channels from the mipi csi-2 ++ * receiver are used only for routing by the video mux's, ++ * or for hard-wired routing to the CSI's. Once the stream ++ * enters the CSI's however, they are treated internally ++ * in the IPU as virtual channel 0. ++ */ ++ ipu_csi_set_mipi_datatype(priv->csi, 0, ++ &priv->format_mbus[CSI_SINK_PAD]); ++ } ++ ++ /* select either parallel or MIPI-CSI2 as input to CSI */ ++ ipu_set_csi_src_mux(priv->ipu, priv->csi_id, is_csi2); ++} ++ + static int csi_start(struct csi_priv *priv) + { + struct v4l2_mbus_config mbus_cfg = { .type = 0 }; +@@ -760,6 +782,8 @@ static int csi_start(struct csi_priv *priv) + input_fi = &priv->frame_interval[CSI_SINK_PAD]; + output_fi = &priv->frame_interval[priv->active_output_pad]; + ++ csi_set_src(priv, &mbus_cfg); ++ + /* start upstream */ + ret = v4l2_subdev_call(priv->src_sd, video, s_stream, 1); + ret = (ret && ret != -ENOIOCTLCMD) ? 
ret : 0; +@@ -1130,7 +1154,6 @@ static int csi_link_validate(struct v4l2_subdev *sd, + { + struct csi_priv *priv = v4l2_get_subdevdata(sd); + struct v4l2_mbus_config mbus_cfg = { .type = 0 }; +- bool is_csi2; + int ret; + + ret = v4l2_subdev_link_validate_default(sd, link, +@@ -1145,25 +1168,6 @@ static int csi_link_validate(struct v4l2_subdev *sd, + return ret; + } + +- mutex_lock(&priv->lock); +- +- is_csi2 = !is_parallel_bus(&mbus_cfg); +- if (is_csi2) { +- /* +- * NOTE! It seems the virtual channels from the mipi csi-2 +- * receiver are used only for routing by the video mux's, +- * or for hard-wired routing to the CSI's. Once the stream +- * enters the CSI's however, they are treated internally +- * in the IPU as virtual channel 0. +- */ +- ipu_csi_set_mipi_datatype(priv->csi, 0, +- &priv->format_mbus[CSI_SINK_PAD]); +- } +- +- /* select either parallel or MIPI-CSI2 as input to CSI */ +- ipu_set_csi_src_mux(priv->ipu, priv->csi_id, is_csi2); +- +- mutex_unlock(&priv->lock); + return ret; + } + +-- +2.53.0 + diff --git a/queue-7.0/series b/queue-7.0/series index 845ebd49ac..fd458a4e36 100644 --- a/queue-7.0/series +++ b/queue-7.0/series @@ -1065,3 +1065,5 @@ rseq-revert-to-historical-performance-killing-behavi.patch rseq-implement-read-only-abi-enforcement-for-optimiz.patch rseq-reenable-performance-optimizations-conditionall.patch hid-core-fix-size_t-specifier-in-hid_report_raw_even.patch +ata-libata-scsi-fix-requeue-of-deferred-ata-pass-thr.patch +media-staging-imx-configure-src_mux-in-csi_start.patch