From: Greg Kroah-Hartman
Date: Mon, 20 Apr 2026 13:23:51 +0000 (+0200)
Subject: 6.12-stable patches
X-Git-Url: http://git.ipfire.org/index.cgi?a=commitdiff_plain;h=bbf507bf5e45a4e79185297561178358b3bbd780;p=thirdparty%2Fkernel%2Fstable-queue.git

6.12-stable patches

added patches:
	alsa-ctxfi-limit-ptp-to-a-single-page.patch
	dcache-limit-the-minimal-number-of-bucket-to-two.patch
	docs-admin-guide-mm-damon-reclaim-warn-commit_inputs-vs-param-updates-race.patch
	fbdev-udlfb-avoid-divide-by-zero-on-fbioput_vscreeninfo.patch
	kvm-sev-disallow-launch_finish-if-vcpus-are-actively-being-created.patch
	kvm-sev-drop-warn-on-large-size-for-kvm_memory_encrypt_reg_region.patch
	kvm-sev-reject-attempts-to-sync-vmsa-of-an-already-launched-encrypted-vcpu.patch
	media-vidtv-fix-null-pointer-dereference-in-vidtv_channel_pmt_match_sections.patch
	ocfs2-fix-possible-deadlock-between-unlink-and-dio_end_io_write.patch
	ocfs2-fix-use-after-free-in-ocfs2_fault-when-vm_fault_retry.patch
	ocfs2-handle-invalid-dinode-in-ocfs2_group_extend.patch
	pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch
	scripts-checkpatch-add-assisted-by-tag-validation.patch
	scripts-generate_rust_analyzer.py-avoid-fd-leak.patch
	staging-sm750fb-fix-division-by-zero-in-ps_to_hz.patch
	usb-serial-option-add-telit-cinterion-fn990a-mbim-composition.patch
	wifi-rtw88-fix-device-leak-on-probe-failure.patch
---

diff --git a/queue-6.12/alsa-ctxfi-limit-ptp-to-a-single-page.patch b/queue-6.12/alsa-ctxfi-limit-ptp-to-a-single-page.patch new file mode 100644 index 0000000000..c6a8fd2c0d --- /dev/null +++ b/queue-6.12/alsa-ctxfi-limit-ptp-to-a-single-page.patch 
@@ -0,0 +1,58 @@ +From e9418da50d9e5c496c22fe392e4ad74c038a94eb Mon Sep 17 00:00:00 2001 +From: Harin Lee +Date: Mon, 6 Apr 2026 16:48:57 +0900 +Subject: ALSA: ctxfi: Limit PTP to a single page + +From: Harin Lee + +commit e9418da50d9e5c496c22fe392e4ad74c038a94eb upstream. + +Commit 391e69143d0a increased CT_PTP_NUM from 1 to 4 to support 256 +playback streams, but the additional pages are not used by the card +correctly. The CT20K2 hardware already has multiple VMEM_PTPAL +registers, but using them separately would require refactoring the +entire virtual memory allocation logic. + +ct_vm_map() always uses PTEs in vm->ptp[0].area regardless of +CT_PTP_NUM. On AMD64 systems, a single PTP covers 512 PTEs (2M). When +aggregate memory allocations exceed this limit, ct_vm_map() tries to +access beyond the allocated space and causes a page fault: + + BUG: unable to handle page fault for address: ffffd4ae8a10a000 + Oops: Oops: 0002 [#1] SMP PTI + RIP: 0010:ct_vm_map+0x17c/0x280 [snd_ctxfi] + Call Trace: + atc_pcm_playback_prepare+0x225/0x3b0 + ct_pcm_playback_prepare+0x38/0x60 + snd_pcm_do_prepare+0x2f/0x50 + snd_pcm_action_single+0x36/0x90 + snd_pcm_action_nonatomic+0xbf/0xd0 + snd_pcm_ioctl+0x28/0x40 + __x64_sys_ioctl+0x97/0xe0 + do_syscall_64+0x81/0x610 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Revert CT_PTP_NUM to 1. The 256 SRC_RESOURCE_NUM and playback_count +remain unchanged. 
+ +Fixes: 391e69143d0a ("ALSA: ctxfi: Bump playback substreams to 256") +Cc: stable@vger.kernel.org +Signed-off-by: Harin Lee +Link: https://patch.msgid.link/20260406074857.216034-1-me@harin.net +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/ctxfi/ctvmem.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/ctxfi/ctvmem.h ++++ b/sound/pci/ctxfi/ctvmem.h +@@ -15,7 +15,7 @@ + #ifndef CTVMEM_H + #define CTVMEM_H + +-#define CT_PTP_NUM 4 /* num of device page table pages */ ++#define CT_PTP_NUM 1 /* num of device page table pages */ + + #include + #include diff --git a/queue-6.12/dcache-limit-the-minimal-number-of-bucket-to-two.patch b/queue-6.12/dcache-limit-the-minimal-number-of-bucket-to-two.patch new file mode 100644 index 0000000000..4bb8a52103 --- /dev/null +++ b/queue-6.12/dcache-limit-the-minimal-number-of-bucket-to-two.patch 
@@ -0,0 +1,77 @@ +From f08fe8891c3eeb63b73f9f1f6d97aa629c821579 Mon Sep 17 00:00:00 2001 +From: Zhihao Cheng +Date: Fri, 30 Jan 2026 11:48:53 +0800 +Subject: dcache: Limit the minimal number of bucket to two + +From: Zhihao Cheng + +commit f08fe8891c3eeb63b73f9f1f6d97aa629c821579 upstream. + +There is an OOB read problem on dentry_hashtable when user sets +'dhash_entries=1': + BUG: unable to handle page fault for address: ffff888b30b774b0 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + Oops: Oops: 0000 [#1] SMP PTI + RIP: 0010:__d_lookup+0x56/0x120 + Call Trace: + d_lookup.cold+0x16/0x5d + lookup_dcache+0x27/0xf0 + lookup_one_qstr_excl+0x2a/0x180 + start_dirop+0x55/0xa0 + simple_start_creating+0x8d/0xa0 + debugfs_start_creating+0x8c/0x180 + debugfs_create_dir+0x1d/0x1c0 + pinctrl_init+0x6d/0x140 + do_one_initcall+0x6d/0x3d0 + kernel_init_freeable+0x39f/0x460 + kernel_init+0x2a/0x260 + +There will be only one bucket in dentry_hashtable when dhash_entries is +set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then, +following process will access more than one buckets(which memory region +is not allocated) in dentry_hashtable: + d_lookup + b = d_hash(hash) + dentry_hashtable + ((u32)hashlen >> d_hash_shift) + // The C standard defines the behavior of right shift amounts + // exceeding the bit width of the operand as undefined. The + // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen', + // so 'b' will point to an unallocated memory region. + hlist_bl_for_each_entry_rcu(b) + hlist_bl_first_rcu(head) + h->first // read OOB! + +Fix it by limiting the minimal number of dentry_hashtable bucket to two, +so that 'd_hash_shift' won't exceeds the bit width of type u32. 
+ +Cc: stable@vger.kernel.org +Signed-off-by: Zhihao Cheng +Link: https://patch.msgid.link/20260130034853.215819-1-chengzhihao1@huawei.com +Reviewed-by: Yang Erkun +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/dcache.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -3127,7 +3127,7 @@ static void __init dcache_init_early(voi + HASH_EARLY | HASH_ZERO, + &d_hash_shift, + NULL, +- 0, ++ 2, + 0); + d_hash_shift = 32 - d_hash_shift; + +@@ -3158,7 +3158,7 @@ static void __init dcache_init(void) + HASH_ZERO, + &d_hash_shift, + NULL, +- 0, ++ 2, + 0); + d_hash_shift = 32 - d_hash_shift; + diff --git a/queue-6.12/docs-admin-guide-mm-damon-reclaim-warn-commit_inputs-vs-param-updates-race.patch b/queue-6.12/docs-admin-guide-mm-damon-reclaim-warn-commit_inputs-vs-param-updates-race.patch new file mode 100644 index 0000000000..a8d86f7e72 --- /dev/null +++ b/queue-6.12/docs-admin-guide-mm-damon-reclaim-warn-commit_inputs-vs-param-updates-race.patch 
@@ -0,0 +1,58 @@ +From 0beba407d4585a15b0dc09f2064b5b3ddcb0e857 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Sun, 29 Mar 2026 08:30:49 -0700 +Subject: Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates race + +From: SeongJae Park + +commit 0beba407d4585a15b0dc09f2064b5b3ddcb0e857 upstream. + +Patch series "Docs/admin-guide/mm/damon: warn commit_inputs vs other +params race". + +Writing 'Y' to the commit_inputs parameter of DAMON_RECLAIM and +DAMON_LRU_SORT, and writing other parameters before the commit_inputs +request is completely processed can cause race conditions. While the +consequence can be bad, the documentation is not clearly describing that. +Add clear warnings. + +The issue was discovered [1,2] by sashiko. + + +This patch (of 2): + +DAMON_RECLAIM handles commit_inputs request inside kdamond thread, +reading the module parameters. If the user updates the module +parameters while the kdamond thread is reading those, races can happen. +To avoid this, the commit_inputs parameter shows whether it is still in +the progress, assuming users wouldn't update parameters in the middle of +the work. Some users might ignore that. Add a warning about the +behavior. + +The issue was discovered in [1] by sashiko. + +Link: https://lore.kernel.org/20260329153052.46657-2-sj@kernel.org +Link: https://lore.kernel.org/20260319161620.189392-3-objecting@objecting.org [1] +Link: https://lore.kernel.org/20260319161620.189392-2-objecting@objecting.org [3] +Fixes: 81a84182c343 ("Docs/admin-guide/mm/damon/reclaim: document 'commit_inputs' parameter") +Signed-off-by: SeongJae Park +Cc: # 5.19.x +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/admin-guide/mm/damon/reclaim.rst | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/Documentation/admin-guide/mm/damon/reclaim.rst ++++ b/Documentation/admin-guide/mm/damon/reclaim.rst +@@ -71,6 +71,10 @@ of parametrs except ``enabled`` again. + parameter is set as ``N``. 
If invalid parameters are found while the + re-reading, DAMON_RECLAIM will be disabled. + ++Once ``Y`` is written to this parameter, the user must not write to any ++parameters until reading ``commit_inputs`` again returns ``N``. If users ++violate this rule, the kernel may exhibit undefined behavior. ++ + min_age + ------- + diff --git a/queue-6.12/fbdev-udlfb-avoid-divide-by-zero-on-fbioput_vscreeninfo.patch b/queue-6.12/fbdev-udlfb-avoid-divide-by-zero-on-fbioput_vscreeninfo.patch new file mode 100644 index 0000000000..755a7e8ec0 --- /dev/null +++ b/queue-6.12/fbdev-udlfb-avoid-divide-by-zero-on-fbioput_vscreeninfo.patch @@ -0,0 +1,37 @@ +From a31e4518bec70333a0a98f2946a12b53b45fe5b9 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 9 Apr 2026 15:23:46 +0200 +Subject: fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO + +From: Greg Kroah-Hartman + +commit a31e4518bec70333a0a98f2946a12b53b45fe5b9 upstream. + +Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide +by zero error"), we also need to prevent that same crash from happening +in the udlfb driver as it uses pixclock directly when dividing, which +will crash. + +Cc: Bernie Thompson +Cc: Helge Deller +Fixes: 59277b679f8b ("Staging: udlfb: add dynamic modeset support") +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/udlfb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/video/fbdev/udlfb.c ++++ b/drivers/video/fbdev/udlfb.c +@@ -1018,6 +1018,9 @@ static int dlfb_ops_check_var(struct fb_ + struct fb_videomode mode; + struct dlfb_data *dlfb = info->par; + ++ if (!var->pixclock) ++ return -EINVAL; ++ + /* set device-specific elements of var unrelated to mode */ + dlfb_var_color_format(var); + 
diff --git a/queue-6.12/kvm-sev-disallow-launch_finish-if-vcpus-are-actively-being-created.patch b/queue-6.12/kvm-sev-disallow-launch_finish-if-vcpus-are-actively-being-created.patch new file mode 100644 index 0000000000..964a083778 --- /dev/null +++ b/queue-6.12/kvm-sev-disallow-launch_finish-if-vcpus-are-actively-being-created.patch 
@@ -0,0 +1,85 @@ +From 624bf3440d7214b62c22d698a0a294323f331d5d Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 10 Mar 2026 16:48:12 -0700 +Subject: KVM: SEV: Disallow LAUNCH_FINISH if vCPUs are actively being created + +From: Sean Christopherson + +commit 624bf3440d7214b62c22d698a0a294323f331d5d upstream. + +Reject LAUNCH_FINISH for SEV-ES and SNP VMs if KVM is actively creating +one or more vCPUs, as KVM needs to process and encrypt each vCPU's VMSA. +Letting userspace create vCPUs while LAUNCH_FINISH is in-progress is +"fine", at least in the current code base, as kvm_for_each_vcpu() operates +on online_vcpus, LAUNCH_FINISH (all SEV+ sub-ioctls) holds kvm->mutex, and +fully onlining a vCPU in kvm_vm_ioctl_create_vcpu() is done under +kvm->mutex. I.e. there's no difference between an in-progress vCPU and a +vCPU that is created entirely after LAUNCH_FINISH. + +However, given that concurrent LAUNCH_FINISH and vCPU creation can't +possibly work (for any reasonable definition of "work"), since userspace +can't guarantee whether a particular vCPU will be encrypted or not, +disallow the combination as a hardening measure, to reduce the probability +of introducing bugs in the future, and to avoid having to reason about the +safety of future changes related to LAUNCH_FINISH. 
+ +Cc: Jethro Beekman +Closes: https://lore.kernel.org/all/b31f7c6e-2807-4662-bcdd-eea2c1e132fa@fortanix.com +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260310234829.2608037-5-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm/sev.c | 10 ++++++++-- + include/linux/kvm_host.h | 7 +++++++ + 2 files changed, 15 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/svm/sev.c ++++ b/arch/x86/kvm/svm/sev.c +@@ -962,6 +962,9 @@ static int sev_launch_update_vmsa(struct + if (!sev_es_guest(kvm)) + return -ENOTTY; + ++ if (kvm_is_vcpu_creation_in_progress(kvm)) ++ return -EBUSY; ++ + kvm_for_each_vcpu(i, vcpu, kvm) { + ret = mutex_lock_killable(&vcpu->mutex); + if (ret) +@@ -2061,8 +2064,8 @@ static int sev_check_source_vcpus(struct + struct kvm_vcpu *src_vcpu; + unsigned long i; + +- if (src->created_vcpus != atomic_read(&src->online_vcpus) || +- dst->created_vcpus != atomic_read(&dst->online_vcpus)) ++ if (kvm_is_vcpu_creation_in_progress(src) || ++ kvm_is_vcpu_creation_in_progress(dst)) + return -EBUSY; + + if (!sev_es_guest(src)) +@@ -2456,6 +2459,9 @@ static int snp_launch_update_vmsa(struct + unsigned long i; + int ret; + ++ if (kvm_is_vcpu_creation_in_progress(kvm)) ++ return -EBUSY; ++ + data.gctx_paddr = __psp_pa(sev->snp_context); + data.page_type = SNP_PAGE_TYPE_VMSA; + +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -1017,6 +1017,13 @@ static inline struct kvm_vcpu *kvm_get_v + return NULL; + } + ++static inline bool kvm_is_vcpu_creation_in_progress(struct kvm *kvm) ++{ ++ lockdep_assert_held(&kvm->lock); ++ ++ return kvm->created_vcpus != atomic_read(&kvm->online_vcpus); ++} ++ + void kvm_destroy_vcpus(struct kvm *kvm); + + void vcpu_load(struct kvm_vcpu *vcpu); 
diff --git a/queue-6.12/kvm-sev-drop-warn-on-large-size-for-kvm_memory_encrypt_reg_region.patch b/queue-6.12/kvm-sev-drop-warn-on-large-size-for-kvm_memory_encrypt_reg_region.patch new file mode 100644 index 0000000000..36139607d0 --- /dev/null +++ b/queue-6.12/kvm-sev-drop-warn-on-large-size-for-kvm_memory_encrypt_reg_region.patch 
@@ -0,0 +1,71 @@ +From 8acffeef5ef720c35e513e322ab08e32683f32f2 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 12 Mar 2026 17:32:58 -0700 +Subject: KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION + +From: Sean Christopherson + +commit 8acffeef5ef720c35e513e322ab08e32683f32f2 upstream. + +Drop the WARN in sev_pin_memory() on npages overflowing an int, as the +WARN is comically trivially to trigger from userspace, e.g. by doing: + + struct kvm_enc_region range = { + .addr = 0, + .size = -1ul, + }; + + __vm_ioctl(vm, KVM_MEMORY_ENCRYPT_REG_REGION, &range); + +Note, the checks in sev_mem_enc_register_region() that presumably exist to +verify the incoming address+size are completely worthless, as both "addr" +and "size" are u64s and SEV is 64-bit only, i.e. they _can't_ be greater +than ULONG_MAX. That wart will be cleaned up in the near future. + + if (range->addr > ULONG_MAX || range->size > ULONG_MAX) + return -EINVAL; + +Opportunistically add a comment to explain why the code calculates the +number of pages the "hard" way, e.g. instead of just shifting @ulen. + +Fixes: 78824fabc72e ("KVM: SVM: fix svn_pin_memory()'s use of get_user_pages_fast()") +Cc: stable@vger.kernel.org +Reviewed-by: Liam Merwick +Tested-by: Liam Merwick +Link: https://patch.msgid.link/20260313003302.3136111-2-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm/sev.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/svm/sev.c ++++ b/arch/x86/kvm/svm/sev.c +@@ -642,10 +642,16 @@ static struct page **sev_pin_memory(stru + if (ulen == 0 || uaddr + ulen < uaddr) + return ERR_PTR(-EINVAL); + +- /* Calculate number of pages. */ ++ /* ++ * Calculate the number of pages that need to be pinned to cover the ++ * entire range. Note! This isn't simply ulen >> PAGE_SHIFT, as KVM ++ * doesn't require the incoming address+size to be page aligned! 
++ */ + first = (uaddr & PAGE_MASK) >> PAGE_SHIFT; + last = ((uaddr + ulen - 1) & PAGE_MASK) >> PAGE_SHIFT; + npages = (last - first + 1); ++ if (npages > INT_MAX) ++ return ERR_PTR(-EINVAL); + + locked = sev->pages_locked + npages; + lock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT; +@@ -654,9 +660,6 @@ static struct page **sev_pin_memory(stru + return ERR_PTR(-ENOMEM); + } + +- if (WARN_ON_ONCE(npages > INT_MAX)) +- return ERR_PTR(-EINVAL); +- + /* Avoid using vmalloc for smaller buffers. */ + size = npages * sizeof(struct page *); + if (size > PAGE_SIZE) diff --git a/queue-6.12/kvm-sev-reject-attempts-to-sync-vmsa-of-an-already-launched-encrypted-vcpu.patch b/queue-6.12/kvm-sev-reject-attempts-to-sync-vmsa-of-an-already-launched-encrypted-vcpu.patch new file mode 100644 index 0000000000..987dcb64b6 --- /dev/null +++ b/queue-6.12/kvm-sev-reject-attempts-to-sync-vmsa-of-an-already-launched-encrypted-vcpu.patch 
@@ -0,0 +1,68 @@ +From 9b9f7962e3e879d12da2bf47e02a24ec51690e3d Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 10 Mar 2026 16:48:10 -0700 +Subject: KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPU + +From: Sean Christopherson + +commit 9b9f7962e3e879d12da2bf47e02a24ec51690e3d upstream. + +Reject synchronizing vCPU state to its associated VMSA if the vCPU has +already been launched, i.e. if the VMSA has already been encrypted. On a +host with SNP enabled, accessing guest-private memory generates an RMP #PF +and panics the host. + + BUG: unable to handle page fault for address: ff1276cbfdf36000 + #PF: supervisor write access in kernel mode + #PF: error_code(0x80000003) - RMP violation + PGD 5a31801067 P4D 5a31802067 PUD 40ccfb5063 PMD 40e5954063 PTE 80000040fdf36163 + SEV-SNP: PFN 0x40fdf36, RMP entry: [0x6010fffffffff001 - 0x000000000000001f] + Oops: Oops: 0003 [#1] SMP NOPTI + CPU: 33 UID: 0 PID: 996180 Comm: qemu-system-x86 Tainted: G OE + Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE + Hardware name: Dell Inc. PowerEdge R7625/0H1TJT, BIOS 1.5.8 07/21/2023 + RIP: 0010:sev_es_sync_vmsa+0x54/0x4c0 [kvm_amd] + Call Trace: + + snp_launch_update_vmsa+0x19d/0x290 [kvm_amd] + snp_launch_finish+0xb6/0x380 [kvm_amd] + sev_mem_enc_ioctl+0x14e/0x720 [kvm_amd] + kvm_arch_vm_ioctl+0x837/0xcf0 [kvm] + kvm_vm_ioctl+0x3fd/0xcc0 [kvm] + __x64_sys_ioctl+0xa3/0x100 + x64_sys_call+0xfe0/0x2350 + do_syscall_64+0x81/0x10f0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + RIP: 0033:0x7ffff673287d + + +Note, the KVM flaw has been present since commit ad73109ae7ec ("KVM: SVM: +Provide support to launch and run an SEV-ES guest"), but has only been +actively dangerous for the host since SNP support was added. With SEV-ES, +KVM would "just" clobber guest state, which is totally fine from a host +kernel perspective since userspace can clobber guest state any time before +sev_launch_update_vmsa(). 
+ +Fixes: ad27ce155566 ("KVM: SEV: Add KVM_SEV_SNP_LAUNCH_FINISH command") +Reported-by: Jethro Beekman +Closes: https://lore.kernel.org/all/d98692e2-d96b-4c36-8089-4bc1e5cc3d57@fortanix.com +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260310234829.2608037-3-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm/sev.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/x86/kvm/svm/sev.c ++++ b/arch/x86/kvm/svm/sev.c +@@ -814,6 +814,9 @@ static int sev_es_sync_vmsa(struct vcpu_ + u8 *d; + int i; + ++ if (vcpu->arch.guest_state_protected) ++ return -EINVAL; ++ + /* Check some debug related fields before encrypting the VMSA */ + if (svm->vcpu.guest_debug || (svm->vmcb->save.dr7 & ~DR7_FIXED_1)) + return -EINVAL; diff --git a/queue-6.12/media-vidtv-fix-null-pointer-dereference-in-vidtv_channel_pmt_match_sections.patch b/queue-6.12/media-vidtv-fix-null-pointer-dereference-in-vidtv_channel_pmt_match_sections.patch new file mode 100644 index 0000000000..65417f47b8 --- /dev/null +++ b/queue-6.12/media-vidtv-fix-null-pointer-dereference-in-vidtv_channel_pmt_match_sections.patch 
@@ -0,0 +1,56 @@ +From f8e1fc918a9fe67103bcda01d20d745f264d00a7 Mon Sep 17 00:00:00 2001 +From: Ruslan Valiyev +Date: Tue, 3 Mar 2026 11:27:54 +0000 +Subject: media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections + +From: Ruslan Valiyev + +commit f8e1fc918a9fe67103bcda01d20d745f264d00a7 upstream. + +syzbot reported a general protection fault in vidtv_psi_desc_assign [1]. + +vidtv_psi_pmt_stream_init() can return NULL on memory allocation +failure, but vidtv_channel_pmt_match_sections() does not check for +this. When tail is NULL, the subsequent call to +vidtv_psi_desc_assign(&tail->descriptor, desc) dereferences a NULL +pointer offset, causing a general protection fault. + +Add a NULL check after vidtv_psi_pmt_stream_init(). On failure, clean +up the already-allocated stream chain and return. + +[1] +Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +RIP: 0010:vidtv_psi_desc_assign+0x24/0x90 drivers/media/test-drivers/vidtv/vidtv_psi.c:629 +Call Trace: + + vidtv_channel_pmt_match_sections drivers/media/test-drivers/vidtv/vidtv_channel.c:349 [inline] + vidtv_channel_si_init+0x1445/0x1a50 drivers/media/test-drivers/vidtv/vidtv_channel.c:479 + vidtv_mux_init+0x526/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:519 + vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline] + vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239 + +Fixes: f90cf6079bf67 ("media: vidtv: add a bridge driver") +Cc: stable@vger.kernel.org +Reported-by: syzbot+1f5bcc7c919ec578777a@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=1f5bcc7c919ec578777a +Signed-off-by: Ruslan Valiyev +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/test-drivers/vidtv/vidtv_channel.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- 
a/drivers/media/test-drivers/vidtv/vidtv_channel.c ++++ b/drivers/media/test-drivers/vidtv/vidtv_channel.c +@@ -341,6 +341,10 @@ vidtv_channel_pmt_match_sections(struct + tail = vidtv_psi_pmt_stream_init(tail, + s->type, + e_pid); ++ if (!tail) { ++ vidtv_psi_pmt_stream_destroy(head); ++ return; ++ } + + if (!head) + head = tail; diff --git a/queue-6.12/ocfs2-fix-possible-deadlock-between-unlink-and-dio_end_io_write.patch b/queue-6.12/ocfs2-fix-possible-deadlock-between-unlink-and-dio_end_io_write.patch new file mode 100644 index 0000000000..fa8f37fd74 --- /dev/null +++ b/queue-6.12/ocfs2-fix-possible-deadlock-between-unlink-and-dio_end_io_write.patch 
@@ -0,0 +1,82 @@ +From b02da26a992db0c0e2559acbda0fc48d4a2fd337 Mon Sep 17 00:00:00 2001 +From: Joseph Qi +Date: Fri, 6 Mar 2026 11:22:11 +0800 +Subject: ocfs2: fix possible deadlock between unlink and dio_end_io_write + +From: Joseph Qi + +commit b02da26a992db0c0e2559acbda0fc48d4a2fd337 upstream. + +ocfs2_unlink takes orphan dir inode_lock first and then ip_alloc_sem, +while in ocfs2_dio_end_io_write, it acquires these locks in reverse order. +This creates an ABBA lock ordering violation on lock classes +ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE] and +ocfs2_file_ip_alloc_sem_key. + +Lock Chain #0 (orphan dir inode_lock -> ip_alloc_sem): +ocfs2_unlink + ocfs2_prepare_orphan_dir + ocfs2_lookup_lock_orphan_dir + inode_lock(orphan_dir_inode) <- lock A + __ocfs2_prepare_orphan_dir + ocfs2_prepare_dir_for_insert + ocfs2_extend_dir + ocfs2_expand_inline_dir + down_write(&oi->ip_alloc_sem) <- Lock B + +Lock Chain #1 (ip_alloc_sem -> orphan dir inode_lock): +ocfs2_dio_end_io_write + down_write(&oi->ip_alloc_sem) <- Lock B + ocfs2_del_inode_from_orphan() + inode_lock(orphan_dir_inode) <- Lock A + +Deadlock Scenario: + CPU0 (unlink) CPU1 (dio_end_io_write) + ------ ------ + inode_lock(orphan_dir_inode) + down_write(ip_alloc_sem) + down_write(ip_alloc_sem) + inode_lock(orphan_dir_inode) + +Since ip_alloc_sem is to protect allocation changes, which is unrelated +with operations in ocfs2_del_inode_from_orphan. So move +ocfs2_del_inode_from_orphan out of ip_alloc_sem to fix the deadlock. 
+ +Link: https://lkml.kernel.org/r/20260306032211.1016452-1-joseph.qi@linux.alibaba.com +Reported-by: syzbot+67b90111784a3eac8c04@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=67b90111784a3eac8c04 +Fixes: a86a72a4a4e0 ("ocfs2: take ip_alloc_sem in ocfs2_dio_get_block & ocfs2_dio_end_io_write") +Signed-off-by: Joseph Qi +Reviewed-by: Heming Zhao +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Cc: Changwei Ge +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/aops.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/ocfs2/aops.c ++++ b/fs/ocfs2/aops.c +@@ -2318,8 +2318,6 @@ static int ocfs2_dio_end_io_write(struct + goto out; + } + +- down_write(&oi->ip_alloc_sem); +- + /* Delete orphan before acquire i_rwsem. */ + if (dwc->dw_orphaned) { + BUG_ON(dwc->dw_writer_pid != task_pid_nr(current)); +@@ -2332,6 +2330,7 @@ static int ocfs2_dio_end_io_write(struct + mlog_errno(ret); + } + ++ down_write(&oi->ip_alloc_sem); + di = (struct ocfs2_dinode *)di_bh->b_data; + + ocfs2_init_dinode_extent_tree(&et, INODE_CACHE(inode), di_bh); diff --git a/queue-6.12/ocfs2-fix-use-after-free-in-ocfs2_fault-when-vm_fault_retry.patch b/queue-6.12/ocfs2-fix-use-after-free-in-ocfs2_fault-when-vm_fault_retry.patch new file mode 100644 index 0000000000..51e8ecb028 --- /dev/null +++ b/queue-6.12/ocfs2-fix-use-after-free-in-ocfs2_fault-when-vm_fault_retry.patch 
@@ -0,0 +1,101 @@ +From 7de554cabf160e331e4442e2a9ad874ca9875921 Mon Sep 17 00:00:00 2001 +From: Tejas Bharambe +Date: Fri, 10 Apr 2026 01:38:16 -0700 +Subject: ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY + +From: Tejas Bharambe + +commit 7de554cabf160e331e4442e2a9ad874ca9875921 upstream. + +filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY, +as documented in mm/filemap.c: + + "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock + may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()." + +When this happens, a concurrent munmap() can call remove_vma() and free +the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then +becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call +dereferences it -- a use-after-free. + +Fix this by saving ip_blkno as a plain integer before calling +filemap_fault(), and removing vma from the trace event. Since +ip_blkno is copied by value before the lock can be dropped, it +remains valid regardless of what happens to the vma or inode +afterward. 
+ +Link: https://lkml.kernel.org/r/20260410083816.34951-1-tejas.bharambe@outlook.com +Fixes: 614a9e849ca6 ("ocfs2: Remove FILE_IO from masklog.") +Signed-off-by: Tejas Bharambe +Reported-by: syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f +Suggested-by: Joseph Qi +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Cc: Heming Zhao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/mmap.c | 7 +++---- + fs/ocfs2/ocfs2_trace.h | 10 ++++------ + 2 files changed, 7 insertions(+), 10 deletions(-) + +--- a/fs/ocfs2/mmap.c ++++ b/fs/ocfs2/mmap.c +@@ -30,7 +30,8 @@ + + static vm_fault_t ocfs2_fault(struct vm_fault *vmf) + { +- struct vm_area_struct *vma = vmf->vma; ++ unsigned long long ip_blkno = ++ OCFS2_I(file_inode(vmf->vma->vm_file))->ip_blkno; + sigset_t oldset; + vm_fault_t ret; + +@@ -38,11 +39,9 @@ static vm_fault_t ocfs2_fault(struct vm_ + ret = filemap_fault(vmf); + ocfs2_unblock_signals(&oldset); + +- trace_ocfs2_fault(OCFS2_I(vma->vm_file->f_mapping->host)->ip_blkno, +- vma, vmf->page, vmf->pgoff); ++ trace_ocfs2_fault(ip_blkno, vmf->page, vmf->pgoff); + return ret; + } +- + static vm_fault_t __ocfs2_page_mkwrite(struct file *file, + struct buffer_head *di_bh, struct page *page) + { +--- a/fs/ocfs2/ocfs2_trace.h ++++ b/fs/ocfs2/ocfs2_trace.h +@@ -1246,22 +1246,20 @@ TRACE_EVENT(ocfs2_write_end_inline, + + TRACE_EVENT(ocfs2_fault, + TP_PROTO(unsigned long long ino, +- void *area, void *page, unsigned long pgoff), +- TP_ARGS(ino, area, page, pgoff), ++ void *page, unsigned long pgoff), ++ TP_ARGS(ino, page, pgoff), + TP_STRUCT__entry( + __field(unsigned long long, ino) +- __field(void *, area) + __field(void *, page) + __field(unsigned long, pgoff) + ), + TP_fast_assign( + __entry->ino = ino; +- __entry->area = area; + __entry->page = page; + __entry->pgoff = pgoff; + ), +- TP_printk("%llu %p %p %lu", 
+- __entry->ino, __entry->area, __entry->page, __entry->pgoff) ++ TP_printk("%llu %p %lu", ++ __entry->ino, __entry->page, __entry->pgoff) + ); + + /* End of trace events for fs/ocfs2/mmap.c. */ diff --git a/queue-6.12/ocfs2-handle-invalid-dinode-in-ocfs2_group_extend.patch b/queue-6.12/ocfs2-handle-invalid-dinode-in-ocfs2_group_extend.patch new file mode 100644 index 0000000000..ae1b28702b --- /dev/null +++ b/queue-6.12/ocfs2-handle-invalid-dinode-in-ocfs2_group_extend.patch 
@@ -0,0 +1,77 @@ +From 4a1c0ddc6e7bcf2e9db0eeaab9340dcfe97f448f Mon Sep 17 00:00:00 2001 +From: ZhengYuan Huang +Date: Wed, 1 Apr 2026 17:23:03 +0800 +Subject: ocfs2: handle invalid dinode in ocfs2_group_extend + +From: ZhengYuan Huang + +commit 4a1c0ddc6e7bcf2e9db0eeaab9340dcfe97f448f upstream. + +[BUG] +kernel BUG at fs/ocfs2/resize.c:308! +Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI +RIP: 0010:ocfs2_group_extend+0x10aa/0x1ae0 fs/ocfs2/resize.c:308 +Code: 8b8520ff ffff83f8 860f8580 030000e8 5cc3c1fe +Call Trace: + ... + ocfs2_ioctl+0x175/0x6e0 fs/ocfs2/ioctl.c:869 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:597 [inline] + __se_sys_ioctl fs/ioctl.c:583 [inline] + __x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583 + x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + ... + +[CAUSE] +ocfs2_group_extend() assumes that the global bitmap inode block +returned from ocfs2_inode_lock() has already been validated and +BUG_ONs when the signature is not a dinode. That assumption is too +strong for crafted filesystems because the JBD2-managed buffer path +can bypass structural validation and return an invalid dinode to the +resize ioctl. + +[FIX] +Validate the dinode explicitly in ocfs2_group_extend(). If the global +bitmap buffer does not contain a valid dinode, report filesystem +corruption with ocfs2_error() and fail the resize operation instead of +crashing the kernel. 
+ +Link: https://lkml.kernel.org/r/20260401092303.3709187-1-gality369@gmail.com +Fixes: 10995aa2451a ("ocfs2: Morph the haphazard OCFS2_IS_VALID_DINODE() checks.") +Signed-off-by: ZhengYuan Huang +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Cc: Heming Zhao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/resize.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/fs/ocfs2/resize.c ++++ b/fs/ocfs2/resize.c +@@ -303,9 +303,13 @@ int ocfs2_group_extend(struct inode * in + + fe = (struct ocfs2_dinode *)main_bm_bh->b_data; + +- /* main_bm_bh is validated by inode read inside ocfs2_inode_lock(), +- * so any corruption is a code bug. */ +- BUG_ON(!OCFS2_IS_VALID_DINODE(fe)); ++ /* JBD-managed buffers can bypass validation, so treat this as corruption. */ ++ if (!OCFS2_IS_VALID_DINODE(fe)) { ++ ret = ocfs2_error(main_bm_inode->i_sb, ++ "Invalid dinode #%llu\n", ++ (unsigned long long)OCFS2_I(main_bm_inode)->ip_blkno); ++ goto out_unlock; ++ } + + if (le16_to_cpu(fe->id2.i_chain.cl_cpg) != + ocfs2_group_bitmap_size(osb->sb, 0, diff --git a/queue-6.12/pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch b/queue-6.12/pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch new file mode 100644 index 0000000000..d0b5b6b40e --- /dev/null +++ b/queue-6.12/pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch 
@@ -0,0 +1,44 @@ +From d799984233a50abd2667a7d17a9a710a3f10ebe2 Mon Sep 17 00:00:00 2001 +From: Koichiro Den +Date: Thu, 26 Feb 2026 17:41:40 +0900 +Subject: PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup + +From: Koichiro Den + +commit d799984233a50abd2667a7d17a9a710a3f10ebe2 upstream. + +Disable the delayed work before clearing BAR mappings and doorbells to +avoid running the handler after resources have been torn down. + + Unable to handle kernel paging request at virtual address ffff800083f46004 + [...] + Internal error: Oops: 0000000096000007 [#1] SMP + [...] + Call trace: + epf_ntb_cmd_handler+0x54/0x200 [pci_epf_vntb] (P) + process_one_work+0x154/0x3b0 + worker_thread+0x2c8/0x400 + kthread+0x148/0x210 + ret_from_fork+0x10/0x20 + +Fixes: e35f56bb0330 ("PCI: endpoint: Support NTB transfer between RC and EP") +Signed-off-by: Koichiro Den +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Frank Li +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260226084142.2226875-4-den@valinux.co.jp +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/endpoint/functions/pci-epf-vntb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/pci/endpoint/functions/pci-epf-vntb.c ++++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c +@@ -799,6 +799,7 @@ err_config_interrupt: + */ + static void epf_ntb_epc_cleanup(struct epf_ntb *ntb) + { ++ disable_delayed_work_sync(&ntb->cmd_handler); + epf_ntb_mw_bar_clear(ntb, ntb->num_mws); + epf_ntb_db_bar_clear(ntb); + epf_ntb_config_sspad_bar_clear(ntb); diff --git a/queue-6.12/scripts-checkpatch-add-assisted-by-tag-validation.patch b/queue-6.12/scripts-checkpatch-add-assisted-by-tag-validation.patch new file mode 100644 index 0000000000..0c0cefa31c --- /dev/null +++ b/queue-6.12/scripts-checkpatch-add-assisted-by-tag-validation.patch 
@@ -0,0 +1,82 @@ +From 8545d9bc4bd0801e0bdfbfdfdc2532ff31236ddf Mon Sep 17 00:00:00 2001 +From: Harry Wentland +Date: Fri, 27 Mar 2026 11:41:57 -0400 +Subject: scripts/checkpatch: add Assisted-by: tag validation + +From: Harry Wentland + +commit 8545d9bc4bd0801e0bdfbfdfdc2532ff31236ddf upstream. + +The coding-assistants.rst documentation defines the Assisted-by: tag +format for AI-assisted contributions as: + + Assisted-by: AGENT_NAME:MODEL_VERSION [TOOL1] [TOOL2] + +This format does not use an email address, so checkpatch currently +reports a false positive about an invalid email when encountering this +tag. + +Add Assisted-by: to the recognized signature tags and standard signature +list. When an Assisted-by: tag is found, validate it instead of checking +for an email address. + +Examples of passing tags: +- Claude:claude-3-opus coccinelle sparse +- FOO:BAR.baz +- Copilot Github:claude-3-opus +- GitHub Copilot:Claude Opus 4.6 +- My Cool Agent:v1.2.3 coccinelle sparse + +Examples of tags triggering the new warning: +- Claude coccinelle sparse +- JustAName +- :missing-agent + +Cc: Jani Nikula +Assisted-by: Claude:claude-opus-4.6 +Co-developed-by: Alex Hung +Signed-off-by: Alex Hung +Signed-off-by: Harry Wentland +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Corbet +Message-ID: <20260327154157.162962-1-harry.wentland@amd.com> +Signed-off-by: Greg Kroah-Hartman +--- + scripts/checkpatch.pl | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/scripts/checkpatch.pl ++++ b/scripts/checkpatch.pl +@@ -622,6 +622,7 @@ our $signature_tags = qr{(?xi: + Reviewed-by:| + Reported-by:| + Suggested-by:| ++ Assisted-by:| + To:| + Cc: + )}; +@@ -715,7 +716,7 @@ sub find_standard_signature { + my ($sign_off) = @_; + my @standard_signature_tags = ( + 'Signed-off-by:', 'Co-developed-by:', 'Acked-by:', 'Tested-by:', +- 'Reviewed-by:', 'Reported-by:', 'Suggested-by:' ++ 'Reviewed-by:', 'Reported-by:', 'Suggested-by:', 'Assisted-by:' + ); + foreach my 
$signature (@standard_signature_tags) { + return $signature if (get_edit_distance($sign_off, $signature) <= 2); +@@ -3070,6 +3071,15 @@ sub process { + } + } + ++# Assisted-by: uses format AGENT_NAME:MODEL_VERSION [TOOL1] [TOOL2] instead of email ++ if ($sign_off =~ /^assisted-by:$/i) { ++ if ($email !~ /^[^:]+:\S+(\s+\S+)*$/) { ++ WARN("BAD_ASSISTED_BY", ++ "Assisted-by: should use format: 'Assisted-by: AGENT_NAME:MODEL_VERSION [TOOL1] [TOOL2]'\n" . $herecurr); ++ } ++ next; ++ } ++ + my ($email_name, $name_comment, $email_address, $comment) = parse_email($email); + my $suggested_email = format_email(($email_name, $name_comment, $email_address, $comment)); + if ($suggested_email eq "") { diff --git a/queue-6.12/scripts-generate_rust_analyzer.py-avoid-fd-leak.patch b/queue-6.12/scripts-generate_rust_analyzer.py-avoid-fd-leak.patch new file mode 100644 index 0000000000..12822e5bb9 --- /dev/null +++ b/queue-6.12/scripts-generate_rust_analyzer.py-avoid-fd-leak.patch 
@@ -0,0 +1,37 @@ +From 9b4744d8eda2824041064a5639ccbb079850914d Mon Sep 17 00:00:00 2001 +From: Tamir Duberstein +Date: Tue, 27 Jan 2026 11:35:43 -0500 +Subject: scripts: generate_rust_analyzer.py: avoid FD leak + +From: Tamir Duberstein + +commit 9b4744d8eda2824041064a5639ccbb079850914d upstream. + +Use `pathlib.Path.read_text()` to avoid leaking file descriptors. + +Fixes: 8c4555ccc55c ("scripts: add `generate_rust_analyzer.py`") +Cc: stable@vger.kernel.org +Reviewed-by: Daniel Almeida +Reviewed-by: Fiona Behrens +Reviewed-by: Trevor Gross +Link: https://patch.msgid.link/20260127-rust-analyzer-fd-leak-v2-1-1bb55b9b6822@kernel.org +Signed-off-by: Tamir Duberstein +Signed-off-by: Greg Kroah-Hartman +--- + scripts/generate_rust_analyzer.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/scripts/generate_rust_analyzer.py ++++ b/scripts/generate_rust_analyzer.py +@@ -146,9 +146,10 @@ def generate_crates(srctree, objtree, sy + + def is_root_crate(build_file, target): + try: +- return f"{target}.o" in open(build_file).read() ++ contents = build_file.read_text() + except FileNotFoundError: + return False ++ return f"{target}.o" in contents + + # Then, the rest outside of `rust/`. + # diff --git a/queue-6.12/series b/queue-6.12/series index 9fa494015c..9225ba0fe1 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
@@ -113,3 +113,20 @@ usb-storage-expand-range-of-matched-versions-for-vl817-quirks-entry.patch usb-cdc-acm-add-quirks-for-yoga-book-9-14iah10-ingenic-touchscreen.patch usb-gadget-f_hid-don-t-call-cdev_init-while-cdev-in-use.patch usb-port-add-delay-after-usb_hub_set_port_power.patch +fbdev-udlfb-avoid-divide-by-zero-on-fbioput_vscreeninfo.patch +scripts-checkpatch-add-assisted-by-tag-validation.patch +scripts-generate_rust_analyzer.py-avoid-fd-leak.patch +wifi-rtw88-fix-device-leak-on-probe-failure.patch +staging-sm750fb-fix-division-by-zero-in-ps_to_hz.patch +usb-serial-option-add-telit-cinterion-fn990a-mbim-composition.patch +docs-admin-guide-mm-damon-reclaim-warn-commit_inputs-vs-param-updates-race.patch +alsa-ctxfi-limit-ptp-to-a-single-page.patch +dcache-limit-the-minimal-number-of-bucket-to-two.patch +media-vidtv-fix-null-pointer-dereference-in-vidtv_channel_pmt_match_sections.patch +ocfs2-fix-possible-deadlock-between-unlink-and-dio_end_io_write.patch +ocfs2-fix-use-after-free-in-ocfs2_fault-when-vm_fault_retry.patch +ocfs2-handle-invalid-dinode-in-ocfs2_group_extend.patch +pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch +kvm-sev-reject-attempts-to-sync-vmsa-of-an-already-launched-encrypted-vcpu.patch +kvm-sev-disallow-launch_finish-if-vcpus-are-actively-being-created.patch +kvm-sev-drop-warn-on-large-size-for-kvm_memory_encrypt_reg_region.patch diff --git a/queue-6.12/staging-sm750fb-fix-division-by-zero-in-ps_to_hz.patch b/queue-6.12/staging-sm750fb-fix-division-by-zero-in-ps_to_hz.patch new file mode 100644 index 0000000000..da9204bcac --- /dev/null +++ b/queue-6.12/staging-sm750fb-fix-division-by-zero-in-ps_to_hz.patch 
@@ -0,0 +1,38 @@ +From 75a1621e4f91310673c9acbcbb25c2a7ff821cd3 Mon Sep 17 00:00:00 2001 +From: Junrui Luo +Date: Mon, 23 Mar 2026 15:31:56 +0800 +Subject: staging: sm750fb: fix division by zero in ps_to_hz() + +From: Junrui Luo + +commit 75a1621e4f91310673c9acbcbb25c2a7ff821cd3 upstream. + +ps_to_hz() is called from hw_sm750_crtc_set_mode() without validating +that pixclock is non-zero. A zero pixclock passed via FBIOPUT_VSCREENINFO +causes a division by zero. + +Fix by rejecting zero pixclock in lynxfb_ops_check_var(), consistent +with other framebuffer drivers. + +Fixes: 81dee67e215b ("staging: sm750fb: add sm750 to staging") +Reported-by: Yuhao Jiang +Cc: stable@vger.kernel.org +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB7881AFBFCE28CCF528B35D0CAF4BA@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/sm750fb/sm750.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/staging/sm750fb/sm750.c ++++ b/drivers/staging/sm750fb/sm750.c +@@ -483,6 +483,9 @@ static int lynxfb_ops_check_var(struct f + struct lynxfb_crtc *crtc; + resource_size_t request; + ++ if (!var->pixclock) ++ return -EINVAL; ++ + ret = 0; + par = info->par; + crtc = &par->crtc; diff --git a/queue-6.12/usb-serial-option-add-telit-cinterion-fn990a-mbim-composition.patch b/queue-6.12/usb-serial-option-add-telit-cinterion-fn990a-mbim-composition.patch new file mode 100644 index 0000000000..60a4661935 --- /dev/null +++ b/queue-6.12/usb-serial-option-add-telit-cinterion-fn990a-mbim-composition.patch 
@@ -0,0 +1,66 @@ +From f8cc59ecc22841be5deb07b549c0c6a2657cd5f9 Mon Sep 17 00:00:00 2001 +From: Fabio Porcedda +Date: Thu, 2 Apr 2026 11:57:27 +0200 +Subject: USB: serial: option: add Telit Cinterion FN990A MBIM composition + +From: Fabio Porcedda + +commit f8cc59ecc22841be5deb07b549c0c6a2657cd5f9 upstream. + +Add the following Telit Cinterion FN990A MBIM composition: + +0x1074: MBIM + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (diag) + + DPL (Data Packet Logging) + adb + +T: Bus=01 Lev=01 Prnt=04 Port=06 Cnt=01 Dev#= 7 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=1074 Rev=05.04 +S: Manufacturer=Telit Wireless Solutions +S: Product=FN990 +S: SerialNumber=70628d0c +C: #Ifs= 8 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) +E: Ad=8f(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 7 Alt= 0 #EPs= 2 Cls=ff(vend.) 
Sub=42 Prot=01 Driver=(none) +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Cc: stable@vger.kernel.org +Signed-off-by: Fabio Porcedda +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1383,6 +1383,8 @@ static const struct usb_device_id option + .driver_info = NCTRL(2) | RSVD(3) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1073, 0xff), /* Telit FN990A (ECM) */ + .driver_info = NCTRL(0) | RSVD(1) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1074, 0xff), /* Telit FN990A (MBIM) */ ++ .driver_info = NCTRL(5) | RSVD(6) | RSVD(7) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1075, 0xff), /* Telit FN990A (PCIe) */ + .driver_info = RSVD(0) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1077, 0xff), /* Telit FN990A (rmnet + audio) */ diff --git a/queue-6.12/wifi-rtw88-fix-device-leak-on-probe-failure.patch b/queue-6.12/wifi-rtw88-fix-device-leak-on-probe-failure.patch new file mode 100644 index 0000000000..a35fdf9eb7 --- /dev/null +++ b/queue-6.12/wifi-rtw88-fix-device-leak-on-probe-failure.patch 
@@ -0,0 +1,54 @@ +From bbb15e71156cd9f5e1869eee7207a06ea8e96c39 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 6 Mar 2026 09:51:44 +0100 +Subject: wifi: rtw88: fix device leak on probe failure + +From: Johan Hovold + +commit bbb15e71156cd9f5e1869eee7207a06ea8e96c39 upstream. + +Driver core holds a reference to the USB interface and its parent USB +device while the interface is bound to a driver and there is no need to +take additional references unless the structures are needed after +disconnect. + +This driver takes a reference to the USB device during probe but does +not to release it on all probe errors (e.g. when descriptor parsing +fails). + +Drop the redundant device reference to fix the leak, reduce cargo +culting, make it easier to spot drivers where an extra reference is +needed, and reduce the risk of further memory leaks. + +Fixes: a82dfd33d123 ("wifi: rtw88: Add common USB chip support") +Reported-by: Greg Kroah-Hartman +Link: https://lore.kernel.org/netdev/2026022319-turbofan-darkened-206d@gregkh/ +Cc: stable@vger.kernel.org # 6.2 +Cc: Sascha Hauer +Signed-off-by: Johan Hovold +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20260306085144.12064-19-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtw88/usb.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/wireless/realtek/rtw88/usb.c ++++ b/drivers/net/wireless/realtek/rtw88/usb.c +@@ -953,7 +953,7 @@ static int rtw_usb_intf_init(struct rtw_ + struct usb_interface *intf) + { + struct rtw_usb *rtwusb = rtw_get_usb_priv(rtwdev); +- struct usb_device *udev = usb_get_dev(interface_to_usbdev(intf)); ++ struct usb_device *udev = interface_to_usbdev(intf); + int ret; + + rtwusb->udev = udev; +@@ -979,7 +979,6 @@ static void rtw_usb_intf_deinit(struct r + { + struct rtw_usb *rtwusb = rtw_get_usb_priv(rtwdev); + +- usb_put_dev(rtwusb->udev); + kfree(rtwusb->usb_data); + usb_set_intfdata(intf, NULL); + }
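Review bot: In the fs/ocfs2/resize.c hunk of ocfs2-handle-invalid-dinode-in-ocfs2_group_extend.patch, the new failure path ends in `goto out_unlock;`, a label outside the visible context, so confirm that it releases main_bm_bh and drops the lock taken on main_bm_inode. If it does not, a crafted filesystem trades the old BUG_ON for a leaked buffer or a held lock. The message "Invalid dinode #%llu" reports only the block number; printing the signature that was actually found would make corruption reports easier to triage. The replacement comment says "JBD-managed" while the commit message says JBD2, and the two should use the same wording.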
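Review bot: In the epf_ntb_epc_cleanup() hunk of the pci-epf-vntb patch, `disable_delayed_work_sync(&ntb->cmd_handler);` leaves the work item disabled rather than merely cancelled, so later attempts to queue it are ignored until enable_delayed_work() is called, and the hunk shows no matching enable. If the EPC can be initialised again after this cleanup, the init path has to re-enable cmd_handler before scheduling it. If cleanup is final, a one-line comment saying so would explain why disable was chosen over cancel_delayed_work_sync().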
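Review bot: In the third scripts/checkpatch.pl hunk (sub process), the pattern `/^[^:]+:\S+(\s+\S+)*$/` only requires a colon that is not the first character, followed by a non-space character, so it cannot tell a tool list from a misplaced colon: a value such as "Claude coccinelle:sparse" is accepted even though the commit message lists "Claude coccinelle sparse" as malformed. The passing example "GitHub Copilot:Claude Opus 4.6" also shows that a model version containing spaces is indistinguishable from MODEL_VERSION followed by tools. If the looseness is intended, say so in the comment above the check. Also note that `next;` skips the rest of the enclosing loop iteration for this line, not just the parse_email() validation that follows, so confirm no later per-line check is meant to run on Assisted-by: lines.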
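Review bot: In the is_root_crate() hunk of scripts/generate_rust_analyzer.py, `build_file.read_text()` requires build_file to be a pathlib.Path, whereas the removed `open(build_file).read()` also accepted a plain string. The callers are outside the visible context, so for this 6.12 backport confirm that every caller passes a Path. A str argument would raise AttributeError, which the `except FileNotFoundError` clause does not catch.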
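Review bot: In the lynxfb_ops_check_var() hunk of drivers/staging/sm750fb/sm750.c, the `if (!var->pixclock) return -EINVAL;` guard covers the FBIOPUT_VSCREENINFO path named in the commit message, but the division itself is in ps_to_hz(), reached from hw_sm750_crtc_set_mode(). Confirm that no caller reaches hw_sm750_crtc_set_mode() with a var that has not passed through check_var, for example a mode set up at probe time. If such a path exists, the zero check belongs next to the division as well.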
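Review bot: In the drivers/usb/serial/option.c hunk, the new 0x1074 entry carries only the comment "Telit FN990A (MBIM)", while the reason for `NCTRL(5) | RSVD(6) | RSVD(7)` is recorded only in the commit message. The flags do agree with the descriptor listing there: interface 5 (diag) has two bulk endpoints and no interrupt endpoint, and interfaces 6 (DPL) and 7 (adb) show Driver=(none). Naming DPL and adb as the reserved interfaces in the source would let a later reader check the entry without digging up the commit.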
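Review bot: In the two drivers/net/wireless/realtek/rtw88/usb.c hunks, dropping usb_get_dev() in rtw_usb_intf_init() and usb_put_dev() in rtw_usb_intf_deinit() turns rtwusb->udev into a borrowed pointer that is valid only while the interface is bound. The commit message states the condition itself: an extra reference is needed if the structure is used after disconnect. Confirm that nothing deferred, such as work items or URB completions, dereferences rtwusb->udev after rtw_usb_intf_deinit() has run. A short comment at `rtwusb->udev = udev;` noting that the driver core holds the reference would document the assumption.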