diff --git a/SPECS/kernel-headers/kernel-headers.signatures.json b/SPECS/kernel-headers/kernel-headers.signatures.json index 41599a084f..0b16729cb7 100644 --- a/SPECS/kernel-headers/kernel-headers.signatures.json +++ b/SPECS/kernel-headers/kernel-headers.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "linux-6.12.44.tar.gz": "fac0ed5371cbd46ebc8a2a1e152ac5fbb5fc2660e748a7fc1d28b8e399854a1a" + "linux-6.12.55.tar.gz": "c8076132f818c0a22b7fe9a1184769406f0a62d0b93e4516d7f1a6d24f3791c3" } } diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index 93ab6ccdec..67f060e93d 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -13,14 +13,14 @@ Summary: Linux API header files Name: kernel-headers -Version: 6.12.44 -Release: 6%{?dist} +Version: 6.12.55 +Release: 1%{?dist} License: GPLv2 Vendor: Intel Corporation Distribution: Edge Microvisor Toolkit Group: System Environment/Kernel URL: https://www.kernel.org/pub/linux/kernel -Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.44.tar.gz +Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.55.tar.gz # Historical name shipped by other distros Provides: glibc-kernheaders = %{version}-%{release} BuildArch: noarch @@ -41,7 +41,7 @@ cross-glibc package. %endif %prep -%setup -q -n linux-6.12.44 +%setup -q -n linux-6.12.55 %build make mrproper @@ -76,6 +76,9 @@ done %endif %changelog +* Tue Nov 18 2025 Lishan Liu - 6.12.55-1 +- Update kernel to 6.12.55 + * Fri Nov 14 2025 Lishan Liu - 6.12.44-6 - Update audio support in kernel config diff --git a/SPECS/kernel-rt/0001-EDAC-igen6-Add-Intel-Amston-Lake-SoCs-support.edac b/SPECS/kernel-rt/0001-EDAC-igen6-Add-Intel-Amston-Lake-SoCs-support.edac new file mode 100644 index 0000000000..df65fb0cad --- /dev/null +++ b/SPECS/kernel-rt/0001-EDAC-igen6-Add-Intel-Amston-Lake-SoCs-support.edac @@ -0,0 +1,40 @@ +From 2660ff568ce93b0810d5105c68aca7f46f280f3e Mon Sep 17 00:00:00 2001 +From: Qiuxu Zhuo +Date: Tue, 8 Apr 2025 21:24:55 +0800 +Subject: [PATCH 1/2] EDAC/igen6: Add Intel Amston Lake SoCs support + +Intel Amston Lake is a series of SoCs tailored for edge computing needs. +The Amston Lake SoCs, equipped with IBECC(In-Band ECC) capability, share +the same IBECC registers with Alder Lake-N SoCs. Add the Intel Amston Lake +SoC compute die ID for EDAC support. + +Signed-off-by: Qiuxu Zhuo +--- + drivers/edac/igen6_edac.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/edac/igen6_edac.c b/drivers/edac/igen6_edac.c +index 77f8e003b5b27..5a26472459a68 100644 +--- a/drivers/edac/igen6_edac.c ++++ b/drivers/edac/igen6_edac.c +@@ -241,6 +241,9 @@ static struct work_struct ecclog_work; + #define DID_ADL_N_SKU11 0x467c + #define DID_ADL_N_SKU12 0x4632 + ++/* Compute did IDs for Amston Lake with IBECC */ ++#define DID_ASL_SKU1 0x464a ++ + /* Compute die IDs for Raptor Lake-P with IBECC */ + #define DID_RPL_P_SKU1 0xa706 + #define DID_RPL_P_SKU2 0xa707 +@@ -596,6 +599,7 @@ static const struct pci_device_id igen6_pci_tbl[] = { + { PCI_VDEVICE(INTEL, DID_ADL_N_SKU10), (kernel_ulong_t)&adl_n_cfg }, + { PCI_VDEVICE(INTEL, DID_ADL_N_SKU11), (kernel_ulong_t)&adl_n_cfg }, + { PCI_VDEVICE(INTEL, DID_ADL_N_SKU12), (kernel_ulong_t)&adl_n_cfg }, ++ { PCI_VDEVICE(INTEL, DID_ASL_SKU1), (kernel_ulong_t)&adl_n_cfg }, + { PCI_VDEVICE(INTEL, DID_RPL_P_SKU1), (kernel_ulong_t)&rpl_p_cfg }, + { PCI_VDEVICE(INTEL, DID_RPL_P_SKU2), (kernel_ulong_t)&rpl_p_cfg }, + { PCI_VDEVICE(INTEL, DID_RPL_P_SKU3), (kernel_ulong_t)&rpl_p_cfg }, +-- +2.43.0 + diff --git a/SPECS/kernel-rt/0001-driver-core-add-a-faux-bus-for-use-when-a-simple-dev.iommu b/SPECS/kernel-rt/0001-driver-core-add-a-faux-bus-for-use-when-a-simple-dev.iommu new file mode 100644 index 0000000000..56f440a2e2 --- /dev/null +++ b/SPECS/kernel-rt/0001-driver-core-add-a-faux-bus-for-use-when-a-simple-dev.iommu @@ -0,0 +1,403 @@ +From eedbf8ed82ccc3ccb52f2073ec0cec157dbb230d Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 10 Feb 2025 13:30:25 +0100 +Subject: [PATCH 1/2] driver core: add a faux bus for use when a simple + device/bus is needed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Many drivers abuse the platform driver/bus system as it provides a +simple way to create and bind a device to a driver-specific set of +probe/release functions. Instead of doing that, and wasting all of the +memory associated with a platform device, here is a "faux" bus that +can be used instead. + +Reviewed-by: Jonathan Cameron +Reviewed-by: Danilo Krummrich +Reviewed-by: Lyude Paul +Reviewed-by: Thomas Weißschuh +Reviewed-by: Zijun Hu +Link: https://lore.kernel.org/r/2025021026-atlantic-gibberish-3f0c@gregkh +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/driver-api/infrastructure.rst | 6 + + drivers/base/Makefile | 2 +- + drivers/base/base.h | 1 + + drivers/base/faux.c | 232 ++++++++++++++++++++ + drivers/base/init.c | 1 + + include/linux/device/faux.h | 69 ++++++ + 6 files changed, 310 insertions(+), 1 deletion(-) + create mode 100644 drivers/base/faux.c + create mode 100644 include/linux/device/faux.h + +diff --git a/Documentation/driver-api/infrastructure.rst b/Documentation/driver-api/infrastructure.rst +index 3d52dfdfa9fdf..35e36fee4238a 100644 +--- a/Documentation/driver-api/infrastructure.rst ++++ b/Documentation/driver-api/infrastructure.rst +@@ -41,6 +41,12 @@ Device Drivers Base + .. kernel-doc:: drivers/base/class.c + :export: + ++.. kernel-doc:: include/linux/device/faux.h ++ :internal: ++ ++.. kernel-doc:: drivers/base/faux.c ++ :export: ++ + .. kernel-doc:: drivers/base/node.c + :internal: + +diff --git a/drivers/base/Makefile b/drivers/base/Makefile +index 7fb21768ca36d..8074a10183dcb 100644 +--- a/drivers/base/Makefile ++++ b/drivers/base/Makefile +@@ -6,7 +6,7 @@ obj-y := component.o core.o bus.o dd.o syscore.o \ + cpu.o firmware.o init.o map.o devres.o \ + attribute_container.o transport_class.o \ + topology.o container.o property.o cacheinfo.o \ +- swnode.o ++ swnode.o faux.o + obj-$(CONFIG_AUXILIARY_BUS) += auxiliary.o + obj-$(CONFIG_DEVTMPFS) += devtmpfs.o + obj-y += power/ +diff --git a/drivers/base/base.h b/drivers/base/base.h +index c4ffd09950433..123031a757d91 100644 +--- a/drivers/base/base.h ++++ b/drivers/base/base.h +@@ -138,6 +138,7 @@ int hypervisor_init(void); + static inline int hypervisor_init(void) { return 0; } + #endif + int platform_bus_init(void); ++int faux_bus_init(void); + void cpu_dev_init(void); + void container_dev_init(void); + #ifdef CONFIG_AUXILIARY_BUS +diff --git a/drivers/base/faux.c b/drivers/base/faux.c +new file mode 100644 +index 0000000000000..531e9d789ee04 +--- /dev/null ++++ b/drivers/base/faux.c +@@ -0,0 +1,232 @@ ++// SPDX-License-Identifier: GPL-2.0-only ++/* ++ * Copyright (c) 2025 Greg Kroah-Hartman ++ * Copyright (c) 2025 The Linux Foundation ++ * ++ * A "simple" faux bus that allows devices to be created and added ++ * automatically to it. This is to be used whenever you need to create a ++ * device that is not associated with any "real" system resources, and do ++ * not want to have to deal with a bus/driver binding logic. It is ++ * intended to be very simple, with only a create and a destroy function ++ * available. ++ */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include "base.h" ++ ++/* ++ * Internal wrapper structure so we can hold a pointer to the ++ * faux_device_ops for this device. ++ */ ++struct faux_object { ++ struct faux_device faux_dev; ++ const struct faux_device_ops *faux_ops; ++}; ++#define to_faux_object(dev) container_of_const(dev, struct faux_object, faux_dev.dev) ++ ++static struct device faux_bus_root = { ++ .init_name = "faux", ++}; ++ ++static int faux_match(struct device *dev, const struct device_driver *drv) ++{ ++ /* Match always succeeds, we only have one driver */ ++ return 1; ++} ++ ++static int faux_probe(struct device *dev) ++{ ++ struct faux_object *faux_obj = to_faux_object(dev); ++ struct faux_device *faux_dev = &faux_obj->faux_dev; ++ const struct faux_device_ops *faux_ops = faux_obj->faux_ops; ++ int ret = 0; ++ ++ if (faux_ops && faux_ops->probe) ++ ret = faux_ops->probe(faux_dev); ++ ++ return ret; ++} ++ ++static void faux_remove(struct device *dev) ++{ ++ struct faux_object *faux_obj = to_faux_object(dev); ++ struct faux_device *faux_dev = &faux_obj->faux_dev; ++ const struct faux_device_ops *faux_ops = faux_obj->faux_ops; ++ ++ if (faux_ops && faux_ops->remove) ++ faux_ops->remove(faux_dev); ++} ++ ++static const struct bus_type faux_bus_type = { ++ .name = "faux", ++ .match = faux_match, ++ .probe = faux_probe, ++ .remove = faux_remove, ++}; ++ ++static struct device_driver faux_driver = { ++ .name = "faux_driver", ++ .bus = &faux_bus_type, ++ .probe_type = PROBE_FORCE_SYNCHRONOUS, ++}; ++ ++static void faux_device_release(struct device *dev) ++{ ++ struct faux_object *faux_obj = to_faux_object(dev); ++ ++ kfree(faux_obj); ++} ++ ++/** ++ * faux_device_create_with_groups - Create and register with the driver ++ * core a faux device and populate the device with an initial ++ * set of sysfs attributes. ++ * @name: The name of the device we are adding, must be unique for ++ * all faux devices. ++ * @parent: Pointer to a potential parent struct device. If set to ++ * NULL, the device will be created in the "root" of the faux ++ * device tree in sysfs. ++ * @faux_ops: struct faux_device_ops that the new device will call back ++ * into, can be NULL. ++ * @groups: The set of sysfs attributes that will be created for this ++ * device when it is registered with the driver core. ++ * ++ * Create a new faux device and register it in the driver core properly. ++ * If present, callbacks in @faux_ops will be called with the device that ++ * for the caller to do something with at the proper time given the ++ * device's lifecycle. ++ * ++ * Note, when this function is called, the functions specified in struct ++ * faux_ops can be called before the function returns, so be prepared for ++ * everything to be properly initialized before that point in time. ++ * ++ * Return: ++ * * NULL if an error happened with creating the device ++ * * pointer to a valid struct faux_device that is registered with sysfs ++ */ ++struct faux_device *faux_device_create_with_groups(const char *name, ++ struct device *parent, ++ const struct faux_device_ops *faux_ops, ++ const struct attribute_group **groups) ++{ ++ struct faux_object *faux_obj; ++ struct faux_device *faux_dev; ++ struct device *dev; ++ int ret; ++ ++ faux_obj = kzalloc(sizeof(*faux_obj), GFP_KERNEL); ++ if (!faux_obj) ++ return NULL; ++ ++ /* Save off the callbacks so we can use them in the future */ ++ faux_obj->faux_ops = faux_ops; ++ ++ /* Initialize the device portion and register it with the driver core */ ++ faux_dev = &faux_obj->faux_dev; ++ dev = &faux_dev->dev; ++ ++ device_initialize(dev); ++ dev->release = faux_device_release; ++ if (parent) ++ dev->parent = parent; ++ else ++ dev->parent = &faux_bus_root; ++ dev->bus = &faux_bus_type; ++ dev->groups = groups; ++ dev_set_name(dev, "%s", name); ++ ++ ret = device_add(dev); ++ if (ret) { ++ pr_err("%s: device_add for faux device '%s' failed with %d\n", ++ __func__, name, ret); ++ put_device(dev); ++ return NULL; ++ } ++ ++ return faux_dev; ++} ++EXPORT_SYMBOL_GPL(faux_device_create_with_groups); ++ ++/** ++ * faux_device_create - create and register with the driver core a faux device ++ * @name: The name of the device we are adding, must be unique for all ++ * faux devices. ++ * @parent: Pointer to a potential parent struct device. If set to ++ * NULL, the device will be created in the "root" of the faux ++ * device tree in sysfs. ++ * @faux_ops: struct faux_device_ops that the new device will call back ++ * into, can be NULL. ++ * ++ * Create a new faux device and register it in the driver core properly. ++ * If present, callbacks in @faux_ops will be called with the device that ++ * for the caller to do something with at the proper time given the ++ * device's lifecycle. ++ * ++ * Note, when this function is called, the functions specified in struct ++ * faux_ops can be called before the function returns, so be prepared for ++ * everything to be properly initialized before that point in time. ++ * ++ * Return: ++ * * NULL if an error happened with creating the device ++ * * pointer to a valid struct faux_device that is registered with sysfs ++ */ ++struct faux_device *faux_device_create(const char *name, ++ struct device *parent, ++ const struct faux_device_ops *faux_ops) ++{ ++ return faux_device_create_with_groups(name, parent, faux_ops, NULL); ++} ++EXPORT_SYMBOL_GPL(faux_device_create); ++ ++/** ++ * faux_device_destroy - destroy a faux device ++ * @faux_dev: faux device to destroy ++ * ++ * Unregisters and cleans up a device that was created with a call to ++ * faux_device_create() ++ */ ++void faux_device_destroy(struct faux_device *faux_dev) ++{ ++ struct device *dev = &faux_dev->dev; ++ ++ if (!faux_dev) ++ return; ++ ++ device_del(dev); ++ ++ /* The final put_device() will clean up the memory we allocated for this device. */ ++ put_device(dev); ++} ++EXPORT_SYMBOL_GPL(faux_device_destroy); ++ ++int __init faux_bus_init(void) ++{ ++ int ret; ++ ++ ret = device_register(&faux_bus_root); ++ if (ret) { ++ put_device(&faux_bus_root); ++ return ret; ++ } ++ ++ ret = bus_register(&faux_bus_type); ++ if (ret) ++ goto error_bus; ++ ++ ret = driver_register(&faux_driver); ++ if (ret) ++ goto error_driver; ++ ++ return ret; ++ ++error_driver: ++ bus_unregister(&faux_bus_type); ++ ++error_bus: ++ device_unregister(&faux_bus_root); ++ return ret; ++} +diff --git a/drivers/base/init.c b/drivers/base/init.c +index c4954835128cf..9d2b06d65dfc6 100644 +--- a/drivers/base/init.c ++++ b/drivers/base/init.c +@@ -32,6 +32,7 @@ void __init driver_init(void) + /* These are also core pieces, but must come after the + * core core pieces. + */ ++ faux_bus_init(); + of_core_init(); + platform_bus_init(); + auxiliary_bus_init(); +diff --git a/include/linux/device/faux.h b/include/linux/device/faux.h +new file mode 100644 +index 0000000000000..9f43c0e46aa45 +--- /dev/null ++++ b/include/linux/device/faux.h +@@ -0,0 +1,69 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++/* ++ * Copyright (c) 2025 Greg Kroah-Hartman ++ * Copyright (c) 2025 The Linux Foundation ++ * ++ * A "simple" faux bus that allows devices to be created and added ++ * automatically to it. This is to be used whenever you need to create a ++ * device that is not associated with any "real" system resources, and do ++ * not want to have to deal with a bus/driver binding logic. It is ++ * intended to be very simple, with only a create and a destroy function ++ * available. ++ */ ++#ifndef _FAUX_DEVICE_H_ ++#define _FAUX_DEVICE_H_ ++ ++#include ++#include ++ ++/** ++ * struct faux_device - a "faux" device ++ * @dev: internal struct device of the object ++ * ++ * A simple faux device that can be created/destroyed. To be used when a ++ * driver only needs to have a device to "hang" something off. This can be ++ * used for downloading firmware or other basic tasks. Use this instead of ++ * a struct platform_device if the device has no resources assigned to ++ * it at all. ++ */ ++struct faux_device { ++ struct device dev; ++}; ++#define to_faux_device(x) container_of_const((x), struct faux_device, dev) ++ ++/** ++ * struct faux_device_ops - a set of callbacks for a struct faux_device ++ * @probe: called when a faux device is probed by the driver core ++ * before the device is fully bound to the internal faux bus ++ * code. If probe succeeds, return 0, otherwise return a ++ * negative error number to stop the probe sequence from ++ * succeeding. ++ * @remove: called when a faux device is removed from the system ++ * ++ * Both @probe and @remove are optional, if not needed, set to NULL. ++ */ ++struct faux_device_ops { ++ int (*probe)(struct faux_device *faux_dev); ++ void (*remove)(struct faux_device *faux_dev); ++}; ++ ++struct faux_device *faux_device_create(const char *name, ++ struct device *parent, ++ const struct faux_device_ops *faux_ops); ++struct faux_device *faux_device_create_with_groups(const char *name, ++ struct device *parent, ++ const struct faux_device_ops *faux_ops, ++ const struct attribute_group **groups); ++void faux_device_destroy(struct faux_device *faux_dev); ++ ++static inline void *faux_device_get_drvdata(const struct faux_device *faux_dev) ++{ ++ return dev_get_drvdata(&faux_dev->dev); ++} ++ ++static inline void faux_device_set_drvdata(struct faux_device *faux_dev, void *data) ++{ ++ dev_set_drvdata(&faux_dev->dev, data); ++} ++ ++#endif /* _FAUX_DEVICE_H_ */ +-- +2.43.0 + diff --git a/SPECS/kernel-rt/0001-drm-i915-move-sriov-selftest-buffer-out-of-stack.sriov b/SPECS/kernel-rt/0001-drm-i915-move-sriov-selftest-buffer-out-of-stack.sriov new file mode 100644 index 0000000000..fe7381259b --- /dev/null +++ b/SPECS/kernel-rt/0001-drm-i915-move-sriov-selftest-buffer-out-of-stack.sriov @@ -0,0 +1,68 @@ +From 140444823a5e75b687391abcd563af8d068c931f Mon Sep 17 00:00:00 2001 +From: Junxiao Chang +Date: Thu, 25 Sep 2025 18:29:57 +0800 +Subject: [PATCH] drm/i915: move sriov selftest buffer out of stack + +this is to fix i915 sriov selftest buffer limit issue. + +Signed-off-by: Junxiao Chang +--- + .../drm/i915/gt/iov/selftests/selftest_live_iov_relay.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/i915/gt/iov/selftests/selftest_live_iov_relay.c b/drivers/gpu/drm/i915/gt/iov/selftests/selftest_live_iov_relay.c +index b3ef7dcedf534..d6f7b461302df 100644 +--- a/drivers/gpu/drm/i915/gt/iov/selftests/selftest_live_iov_relay.c ++++ b/drivers/gpu/drm/i915/gt/iov/selftests/selftest_live_iov_relay.c +@@ -348,6 +348,7 @@ static int pf_loopback_one_way_to_vf(void *arg) + return ret; + } + ++static u32 pf_full_loopback_to_vf_buf[PF2GUC_RELAY_TO_VF_REQUEST_MSG_NUM_RELAY_DATA]; + static int pf_full_loopback_to_vf(void *arg) + { + struct intel_iov *iov = arg; +@@ -356,7 +357,6 @@ static int pf_full_loopback_to_vf(void *arg) + FIELD_PREP(GUC_HXG_REQUEST_MSG_n_DATAn, SELFTEST_RELAY_DATA), + /* ... */ + }; +- u32 buf[PF2GUC_RELAY_TO_VF_REQUEST_MSG_NUM_RELAY_DATA]; + unsigned int n; + int ret = 0; + +@@ -365,7 +365,7 @@ static int pf_full_loopback_to_vf(void *arg) + for (n = GUC_HXG_MSG_MIN_LEN; n <= ARRAY_SIZE(msg); n++) { + + ret = intel_iov_relay_send_to_vf(&iov->relay, PFID, msg, n, +- buf, ARRAY_SIZE(buf)); ++ pf_full_loopback_to_vf_buf, ARRAY_SIZE(pf_full_loopback_to_vf_buf)); + + if (ret < 0) { + IOV_SELFTEST_ERROR(iov, "failed to send msg len=%u, %d\n", n, ret); +@@ -438,6 +438,7 @@ static int pf_loopback_one_way_to_pf(void *arg) + return ret; + } + ++static u32 relay_request_to_pf_buf[PF2GUC_RELAY_TO_VF_REQUEST_MSG_NUM_RELAY_DATA]; + static int relay_request_to_pf(struct intel_iov *iov) + { + u32 msg[VF2GUC_RELAY_TO_PF_REQUEST_MSG_NUM_RELAY_DATA] = { +@@ -445,14 +446,13 @@ static int relay_request_to_pf(struct intel_iov *iov) + FIELD_PREP(GUC_HXG_REQUEST_MSG_n_DATAn, SELFTEST_RELAY_DATA), + /* ... */ + }; +- u32 buf[PF2GUC_RELAY_TO_VF_REQUEST_MSG_NUM_RELAY_DATA]; + unsigned int n; + int ret = 0; + + for (n = GUC_HXG_MSG_MIN_LEN; n <= ARRAY_SIZE(msg); n++) { + + ret = intel_iov_relay_send_to_pf(&iov->relay, msg, n, +- buf, ARRAY_SIZE(buf)); ++ relay_request_to_pf_buf, ARRAY_SIZE(relay_request_to_pf_buf)); + + if (ret < 0) { + IOV_SELFTEST_ERROR(iov, "failed to send len=%u, %d\n", n, ret); +-- +2.43.0 + diff --git a/SPECS/kernel-rt/0001-drm-virtio-Wait-until-the-control-and-cursor-queues-.sriov b/SPECS/kernel-rt/0001-drm-virtio-Wait-until-the-control-and-cursor-queues-.sriov new file mode 100644 index 0000000000..cbe23fa5a7 --- /dev/null +++ b/SPECS/kernel-rt/0001-drm-virtio-Wait-until-the-control-and-cursor-queues-.sriov @@ -0,0 +1,35 @@ +From c907329d449811f5aa58f2b2a3633b6012774e37 Mon Sep 17 00:00:00 2001 +From: Dongwon Kim +Date: Wed, 10 Sep 2025 20:48:45 -0700 +Subject: [PATCH] drm/virtio: Wait until the control and cursor queues are + fully emptied + +It is needed to wait until the queues are fully emptied before +doing freeze/suspend. + +Signed-off-by: Dongwon Kim +--- + drivers/gpu/drm/virtio/virtgpu_drv.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.c b/drivers/gpu/drm/virtio/virtgpu_drv.c +index d6fb1dbfaa27e..d1b189b1a9b75 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_drv.c ++++ b/drivers/gpu/drm/virtio/virtgpu_drv.c +@@ -176,6 +176,13 @@ static int virtgpu_freeze(struct virtio_device *vdev) + flush_work(&vgdev->ctrlq.dequeue_work); + flush_work(&vgdev->cursorq.dequeue_work); + flush_work(&vgdev->config_changed_work); ++ ++ wait_event(vgdev->ctrlq.ack_queue, ++ vgdev->ctrlq.vq->num_free == vgdev->ctrlq.vq->num_max); ++ ++ wait_event(vgdev->cursorq.ack_queue, ++ vgdev->cursorq.vq->num_free == vgdev->cursorq.vq->num_max); ++ + vdev->config->del_vqs(vdev); + + return 0; +-- +2.43.0 + diff --git a/SPECS/kernel-rt/0002-EDAC-igen6-Add-additional-Intel-Amston-Lake-SoC-compu.edac b/SPECS/kernel-rt/0002-EDAC-igen6-Add-additional-Intel-Amston-Lake-SoC-compu.edac new file mode 100644 index 0000000000..6de1aa49ca --- /dev/null +++ b/SPECS/kernel-rt/0002-EDAC-igen6-Add-additional-Intel-Amston-Lake-SoC-compu.edac @@ -0,0 +1,42 @@ +From 5f97c9c7f42efdede7a9a8aeb76dfb5fec616a98 Mon Sep 17 00:00:00 2001 +From: Jie Wang +Date: Thu, 9 Oct 2025 14:41:21 +0000 +Subject: [PATCH 2/2] EDAC/igen6: Add additional Intel Amston Lake SoC compute + die IDs + +Add two more Intel Amston Lake SoC compute die IDs for EDAC support. +These SoCs also feature IBECC (In-Band ECC) capability and share the +same IBECC registers with Alder Lake-N SoCs. + +Signed-off-by: Jie Wang +--- + drivers/edac/igen6_edac.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/edac/igen6_edac.c b/drivers/edac/igen6_edac.c +index 5a26472459a68..28a168cc56938 100644 +--- a/drivers/edac/igen6_edac.c ++++ b/drivers/edac/igen6_edac.c +@@ -242,7 +242,9 @@ static struct work_struct ecclog_work; + #define DID_ADL_N_SKU12 0x4632 + + /* Compute did IDs for Amston Lake with IBECC */ +-#define DID_ASL_SKU1 0x464a ++#define DID_ASL_SKU1 0x4646 ++#define DID_ASL_SKU2 0x464a ++#define DID_ASL_SKU3 0x4652 + + /* Compute die IDs for Raptor Lake-P with IBECC */ + #define DID_RPL_P_SKU1 0xa706 +@@ -600,6 +602,8 @@ static const struct pci_device_id igen6_pci_tbl[] = { + { PCI_VDEVICE(INTEL, DID_ADL_N_SKU11), (kernel_ulong_t)&adl_n_cfg }, + { PCI_VDEVICE(INTEL, DID_ADL_N_SKU12), (kernel_ulong_t)&adl_n_cfg }, + { PCI_VDEVICE(INTEL, DID_ASL_SKU1), (kernel_ulong_t)&adl_n_cfg }, ++ { PCI_VDEVICE(INTEL, DID_ASL_SKU2), (kernel_ulong_t)&adl_n_cfg }, ++ { PCI_VDEVICE(INTEL, DID_ASL_SKU3), (kernel_ulong_t)&adl_n_cfg }, + { PCI_VDEVICE(INTEL, DID_RPL_P_SKU1), (kernel_ulong_t)&rpl_p_cfg }, + { PCI_VDEVICE(INTEL, DID_RPL_P_SKU2), (kernel_ulong_t)&rpl_p_cfg }, + { PCI_VDEVICE(INTEL, DID_RPL_P_SKU3), (kernel_ulong_t)&rpl_p_cfg }, +-- +2.43.0 + diff --git a/SPECS/kernel-rt/0002-iommu-io-pgtable-arm-dynamically-allocate-selftest-d.iommu b/SPECS/kernel-rt/0002-iommu-io-pgtable-arm-dynamically-allocate-selftest-d.iommu new file mode 100644 index 0000000000..c6c4f119f8 --- /dev/null +++ b/SPECS/kernel-rt/0002-iommu-io-pgtable-arm-dynamically-allocate-selftest-d.iommu @@ -0,0 +1,75 @@ +From c12224181515440d5b54af8dc9ecd1afdb762f24 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 23 Apr 2025 18:48:16 +0200 +Subject: [PATCH 2/2] iommu/io-pgtable-arm: dynamically allocate selftest + device struct + +In general a 'struct device' is way too large to be put on the kernel +stack. Apparently something just caused it to grow a slightly larger, +which pushed the arm_lpae_do_selftests() function over the warning +limit in some configurations: + +drivers/iommu/io-pgtable-arm.c:1423:19: error: stack frame size (1032) exceeds limit (1024) in 'arm_lpae_do_selftests' [-Werror,-Wframe-larger-than] + 1423 | static int __init arm_lpae_do_selftests(void) + | ^ + +Change the function to use a dynamically allocated faux_device +instead of the on-stack device structure. + +Fixes: ca25ec247aad ("iommu/io-pgtable-arm: Remove iommu_dev==NULL special case") +Link: https://lore.kernel.org/all/ab75a444-22a1-47f5-b3c0-253660395b5a@arm.com/ +Signed-off-by: Arnd Bergmann +Reviewed-by: Robin Murphy +Link: https://lore.kernel.org/r/20250423164826.2931382-1-arnd@kernel.org +Signed-off-by: Joerg Roedel +--- + drivers/iommu/io-pgtable-arm.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c +index a286c5404ea70..2c660ed4eacaf 100644 +--- a/drivers/iommu/io-pgtable-arm.c ++++ b/drivers/iommu/io-pgtable-arm.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1414,16 +1415,18 @@ static int __init arm_lpae_do_selftests(void) + }; + + int i, j, pass = 0, fail = 0; +- struct device dev; ++ struct faux_device *dev; + struct io_pgtable_cfg cfg = { + .tlb = &dummy_tlb_ops, + .oas = 48, + .coherent_walk = true, +- .iommu_dev = &dev, + }; + +- /* __arm_lpae_alloc_pages() merely needs dev_to_node() to work */ +- set_dev_node(&dev, NUMA_NO_NODE); ++ dev = faux_device_create("io-pgtable-test", NULL, 0); ++ if (!dev) ++ return -ENOMEM; ++ ++ cfg.iommu_dev = &dev->dev; + + for (i = 0; i < ARRAY_SIZE(pgsize); ++i) { + for (j = 0; j < ARRAY_SIZE(ias); ++j) { +@@ -1439,6 +1442,8 @@ static int __init arm_lpae_do_selftests(void) + } + + pr_info("selftest: completed with %d PASS %d FAIL\n", pass, fail); ++ faux_device_destroy(dev); ++ + return fail ? -EFAULT : 0; + } + subsys_initcall(arm_lpae_do_selftests); +-- +2.43.0 + diff --git a/SPECS/kernel-rt/0008-igc-Add-support-for-Frame-Preemption-verification.tsn b/SPECS/kernel-rt/0008-igc-Add-support-for-Frame-Preemption-verification.tsn index 816b09b967..bc143a1966 100644 --- a/SPECS/kernel-rt/0008-igc-Add-support-for-Frame-Preemption-verification.tsn +++ b/SPECS/kernel-rt/0008-igc-Add-support-for-Frame-Preemption-verification.tsn @@ -30,8 +30,8 @@ Signed-off-by: Aravindhan Gunasekaran drivers/net/ethernet/intel/igc/igc_main.c | 216 +++++++++++++++++++ 4 files changed, 261 insertions(+), 3 deletions(-) -diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h -index b2b6da3e9c8d3..479dcd7500f56 100644 +Index: b/drivers/net/ethernet/intel/igc/igc.h +=================================================================== --- a/drivers/net/ethernet/intel/igc/igc.h +++ b/drivers/net/ethernet/intel/igc/igc.h @@ -198,6 +198,13 @@ struct igc_ring { @@ -48,10 +48,10 @@ index b2b6da3e9c8d3..479dcd7500f56 100644 /* Board specific private data structure */ struct igc_adapter { struct net_device *netdev; -@@ -339,6 +346,14 @@ struct igc_adapter { - /* LEDs */ +@@ -341,6 +348,14 @@ struct igc_adapter { struct mutex led_mutex; struct igc_led_classdev *leds; + bool leds_available; + + struct delayed_work fp_verification_work; + unsigned long fp_start; @@ -63,8 +63,8 @@ index b2b6da3e9c8d3..479dcd7500f56 100644 }; void igc_up(struct igc_adapter *adapter); -diff --git a/drivers/net/ethernet/intel/igc/igc_defines.h b/drivers/net/ethernet/intel/igc/igc_defines.h -index e08dfba0ea69d..45da4ffd4ec75 100644 +Index: b/drivers/net/ethernet/intel/igc/igc_defines.h +=================================================================== --- a/drivers/net/ethernet/intel/igc/igc_defines.h +++ b/drivers/net/ethernet/intel/igc/igc_defines.h @@ -308,6 +308,8 @@ @@ -97,11 +97,11 @@ index e08dfba0ea69d..45da4ffd4ec75 100644 #define IGC_RXDEXT_STATERR_L4E 0x20000000 #define IGC_RXDEXT_STATERR_IPE 0x40000000 #define IGC_RXDEXT_STATERR_RXE 0x80000000 -diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c -index 52ca64569cb59..761bafd585b37 100644 +Index: b/drivers/net/ethernet/intel/igc/igc_ethtool.c +=================================================================== --- a/drivers/net/ethernet/intel/igc/igc_ethtool.c +++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c -@@ -1789,6 +1789,8 @@ static int igc_ethtool_get_preempt(struct net_device *netdev, +@@ -1789,6 +1789,8 @@ static int igc_ethtool_get_preempt(struc fpcmd->enabled = adapter->frame_preemption_active; fpcmd->add_frag_size = adapter->add_frag_size; @@ -110,7 +110,7 @@ index 52ca64569cb59..761bafd585b37 100644 return 0; } -@@ -1805,10 +1807,22 @@ static int igc_ethtool_set_preempt(struct net_device *netdev, +@@ -1805,10 +1807,22 @@ static int igc_ethtool_set_preempt(struc return -EINVAL; } @@ -136,8 +136,8 @@ index 52ca64569cb59..761bafd585b37 100644 } static int igc_ethtool_get_link_ksettings(struct net_device *netdev, -diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c -index ca720ddff3af8..a81e9240cf6c8 100644 +Index: b/drivers/net/ethernet/intel/igc/igc_main.c +=================================================================== --- a/drivers/net/ethernet/intel/igc/igc_main.c +++ b/drivers/net/ethernet/intel/igc/igc_main.c @@ -30,6 +30,11 @@ @@ -152,7 +152,7 @@ index ca720ddff3af8..a81e9240cf6c8 100644 static int debug = -1; MODULE_DESCRIPTION(DRV_SUMMARY); -@@ -2448,6 +2453,79 @@ static int igc_xdp_init_tx_descriptor(struct igc_ring *ring, +@@ -2449,6 +2454,79 @@ unmap: return -ENOMEM; } @@ -232,7 +232,7 @@ index ca720ddff3af8..a81e9240cf6c8 100644 static struct igc_ring *igc_xdp_get_tx_ring(struct igc_adapter *adapter, int cpu) { -@@ -2577,6 +2655,19 @@ static void igc_update_rx_stats(struct igc_q_vector *q_vector, +@@ -2578,6 +2656,19 @@ static void igc_update_rx_stats(struct i q_vector->rx.total_bytes += bytes; } @@ -252,7 +252,7 @@ index ca720ddff3af8..a81e9240cf6c8 100644 static int igc_clean_rx_irq(struct igc_q_vector *q_vector, const int budget) { unsigned int total_bytes = 0, total_packets = 0; -@@ -2592,6 +2683,7 @@ static int igc_clean_rx_irq(struct igc_q_vector *q_vector, const int budget) +@@ -2593,6 +2684,7 @@ static int igc_clean_rx_irq(struct igc_q union igc_adv_rx_desc *rx_desc; unsigned int size, truesize; int pkt_offset = 0; @@ -260,7 +260,7 @@ index ca720ddff3af8..a81e9240cf6c8 100644 void *pktbuf; /* return some buffers to hardware, one at a time is too slow */ -@@ -2622,6 +2714,22 @@ static int igc_clean_rx_irq(struct igc_q_vector *q_vector, const int budget) +@@ -2623,6 +2715,22 @@ static int igc_clean_rx_irq(struct igc_q size -= IGC_TS_HDR_LEN; } @@ -283,7 +283,7 @@ index ca720ddff3af8..a81e9240cf6c8 100644 if (!skb) { xdp_init_buff(&ctx.xdp, truesize, &rx_ring->xdp_rxq); xdp_prepare_buff(&ctx.xdp, pktbuf - igc_rx_offset(rx_ring), -@@ -6548,6 +6656,107 @@ static int igc_tsn_enable_cbs(struct igc_adapter *adapter, +@@ -6552,6 +6660,107 @@ static int igc_tsn_enable_cbs(struct igc return igc_tsn_offload_apply(adapter); } @@ -391,7 +391,7 @@ index ca720ddff3af8..a81e9240cf6c8 100644 static int igc_tc_query_caps(struct igc_adapter *adapter, struct tc_query_caps_base *base) { -@@ -7122,6 +7331,7 @@ static int igc_probe(struct pci_dev *pdev, +@@ -7130,6 +7339,7 @@ static int igc_probe(struct pci_dev *pde INIT_WORK(&adapter->reset_task, igc_reset_task); INIT_WORK(&adapter->watchdog_task, igc_watchdog_task); @@ -399,7 +399,7 @@ index ca720ddff3af8..a81e9240cf6c8 100644 hrtimer_init(&adapter->hrtimer, CLOCK_MONOTONIC, HRTIMER_MODE_REL); adapter->hrtimer.function = &igc_qbv_scheduling_timer; -@@ -7148,6 +7358,12 @@ static int igc_probe(struct pci_dev *pdev, +@@ -7156,6 +7366,12 @@ static int igc_probe(struct pci_dev *pde igc_tsn_clear_schedule(adapter); @@ -412,6 +412,3 @@ index ca720ddff3af8..a81e9240cf6c8 100644 /* reset the hardware with the new settings */ igc_reset(adapter); --- -2.25.1 - diff --git a/SPECS/kernel-rt/CVE-2025-21807.patch b/SPECS/kernel-rt/CVE-2025-21807.patch deleted file mode 100644 index 08da1ab981..0000000000 --- a/SPECS/kernel-rt/CVE-2025-21807.patch +++ /dev/null @@ -1,169 +0,0 @@ -From dd680ab1ce367fde34fb89faaad97e92929a7f34 Mon Sep 17 00:00:00 2001 -From: Christoph Hellwig -Date: Fri, 10 Jan 2025 06:47:14 +0100 -Subject: [PATCH 3/4] block: fix queue freeze vs limits lock order in sysfs - store methods - -queue_attr_store() always freezes a device queue before calling the -attribute store operation. For attributes that control queue limits, the -store operation will also lock the queue limits with a call to -queue_limits_start_update(). However, some drivers (e.g. SCSI sd) may -need to issue commands to a device to obtain limit values from the -hardware with the queue limits locked. This creates a potential ABBA -deadlock situation if a user attempts to modify a limit (thus freezing -the device queue) while the device driver starts a revalidation of the -device queue limits. - -Avoid such deadlock by not freezing the queue before calling the -->store_limit() method in struct queue_sysfs_entry and instead use the -queue_limits_commit_update_frozen helper to freeze the queue after taking -the limits lock. - -This also removes taking the sysfs lock for the store_limit method as -it doesn't protect anything here, but creates even more nesting. -Hopefully it will go away from the actual sysfs methods entirely soon. - -(commit log adapted from a similar patch from Damien Le Moal) - -Fixes: ff956a3be95b ("block: use queue_limits_commit_update in queue_discard_max_store") -Fixes: 0327ca9d53bf ("block: use queue_limits_commit_update in queue_max_sectors_store") -Signed-off-by: Christoph Hellwig -Reviewed-by: Ming Lei -Reviewed-by: Damien Le Moal -Reviewed-by: Martin K. Petersen -Reviewed-by: Nilay Shroff -Reviewed-by: Johannes Thumshirn -Link: https://lore.kernel.org/r/20250110054726.1499538-7-hch@lst.de -Signed-off-by: Jens Axboe ---- - block/blk-settings.c | 26 ++++++++++++++++++++++++++ - block/blk-sysfs.c | 33 +++++++++++++++++++++++++++------ - include/linux/blkdev.h | 2 ++ - 3 files changed, 55 insertions(+), 6 deletions(-) - -diff --git a/block/blk-settings.c b/block/blk-settings.c -index 7abf034089cd..3907ea71213f 100644 ---- a/block/blk-settings.c -+++ b/block/blk-settings.c -@@ -426,6 +426,32 @@ int queue_limits_commit_update(struct request_queue *q, - } - EXPORT_SYMBOL_GPL(queue_limits_commit_update); - -+ -+/** -+ * queue_limits_commit_update_frozen - commit an atomic update of queue limits -+ * @q: queue to update -+ * @lim: limits to apply -+ * -+ * Apply the limits in @lim that were obtained from queue_limits_start_update() -+ * and updated with the new values by the caller to @q. Freezes the queue -+ * before the update and unfreezes it after. -+ * -+ * Returns 0 if successful, else a negative error code. -+ */ -+int queue_limits_commit_update_frozen(struct request_queue *q, -+ struct queue_limits *lim) -+{ -+ int ret; -+ -+ blk_mq_freeze_queue(q); -+ ret = queue_limits_commit_update(q, lim); -+ blk_mq_unfreeze_queue(q); -+ -+ return ret; -+} -+EXPORT_SYMBOL_GPL(queue_limits_commit_update_frozen); -+ -+ - /** - * queue_limits_set - apply queue limits to queue - * @q: queue to update -diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c -index 692b27266220..69bdd48ceae2 100644 ---- a/block/blk-sysfs.c -+++ b/block/blk-sysfs.c -@@ -23,8 +23,10 @@ - struct queue_sysfs_entry { - struct attribute attr; - ssize_t (*show)(struct gendisk *disk, char *page); -- int (*load_module)(struct gendisk *disk, const char *page, size_t count); - ssize_t (*store)(struct gendisk *disk, const char *page, size_t count); -+ int (*store_limit)(struct gendisk *disk, const char *page, -+ size_t count, struct queue_limits *lim); -+ int (*load_module)(struct gendisk *disk, const char *page, size_t count); - }; - - static ssize_t -@@ -421,6 +423,13 @@ static struct queue_sysfs_entry _prefix##_entry = { \ - .store = _prefix##_store, \ - }; - -+#define QUEUE_LIM_RW_ENTRY(_prefix, _name) \ -+static struct queue_sysfs_entry _prefix##_entry = { \ -+ .attr = { .name = _name, .mode = 0644 }, \ -+ .show = _prefix##_show, \ -+ .store_limit = _prefix##_store, \ -+} -+ - #define QUEUE_RW_LOAD_MODULE_ENTRY(_prefix, _name) \ - static struct queue_sysfs_entry _prefix##_entry = { \ - .attr = { .name = _name, .mode = 0644 }, \ -@@ -683,7 +692,7 @@ queue_attr_store(struct kobject *kobj, struct attribute *attr, - struct request_queue *q = disk->queue; - ssize_t res; - -- if (!entry->store) -+ if (!entry->store_limit && !entry->store) - return -EIO; - - /* -@@ -691,17 +700,29 @@ queue_attr_store(struct kobject *kobj, struct attribute *attr, - * queue to ensure that the module file can be read when the request - * queue is the one for the device storing the module file. - */ -- if (entry->load_module) { -- res = entry->load_module(disk, page, length); -+ if (entry->load_module) -+ entry->load_module(disk, page, length); -+ -+ if (entry->store_limit) { -+ struct queue_limits lim = queue_limits_start_update(q); -+ -+ res = entry->store_limit(disk, page, length, &lim); -+ if (res < 0) { -+ queue_limits_cancel_update(q); -+ return res; -+ } -+ -+ res = queue_limits_commit_update_frozen(q, &lim); - if (res) - return res; -+ return length; - } - -- blk_mq_freeze_queue(q); - mutex_lock(&q->sysfs_lock); -+ blk_mq_freeze_queue(q); - res = entry->store(disk, page, length); -- mutex_unlock(&q->sysfs_lock); - blk_mq_unfreeze_queue(q); -+ mutex_unlock(&q->sysfs_lock); - return res; - } - -diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h -index 8f37c5dd52b2..69737a1551fe 100644 ---- a/include/linux/blkdev.h -+++ b/include/linux/blkdev.h -@@ -935,6 +935,8 @@ queue_limits_start_update(struct request_queue *q) - mutex_lock(&q->limits_lock); - return q->limits; - } -+int queue_limits_commit_update_frozen(struct request_queue *q, -+ struct queue_limits *lim); - int queue_limits_commit_update(struct request_queue *q, - struct queue_limits *lim); - int queue_limits_set(struct request_queue *q, struct queue_limits *lim); --- -2.25.1 - diff --git a/SPECS/kernel-rt/CVE-2025-21817.patch b/SPECS/kernel-rt/CVE-2025-21817.patch index ae8a91cef0..717fe82547 100644 --- a/SPECS/kernel-rt/CVE-2025-21817.patch +++ b/SPECS/kernel-rt/CVE-2025-21817.patch @@ -1,7 +1,7 @@ -From 961a8f3d5f63a1c4b1d93f9d12c2dc7264d4434e Mon Sep 17 00:00:00 2001 +From 1605aaf3ed80ecc295f493c28946af971d36389e Mon Sep 17 00:00:00 2001 From: Ming Lei Date: Mon, 13 Jan 2025 09:58:33 +0800 -Subject: [PATCH 4/4] block: mark GFP_NOIO around sysfs ->store() +Subject: [PATCH] block: mark GFP_NOIO around sysfs ->store() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -26,27 +26,27 @@ Signed-off-by: Jens Axboe 1 file changed, 3 insertions(+) diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c -index 69bdd48ceae2..496564485bad 100644 +index 6a38f312e385..063c578d3e4b 100644 --- a/block/blk-sysfs.c +++ b/block/blk-sysfs.c -@@ -690,6 +690,7 @@ queue_attr_store(struct kobject *kobj, struct attribute *attr, +@@ -681,6 +681,7 @@ queue_attr_store(struct kobject *kobj, struct attribute *attr, struct queue_sysfs_entry *entry = to_queue(attr); struct gendisk *disk = container_of(kobj, struct gendisk, queue_kobj); struct request_queue *q = disk->queue; + unsigned int noio_flag; ssize_t res; - if (!entry->store_limit && !entry->store) -@@ -720,7 +721,9 @@ queue_attr_store(struct kobject *kobj, struct attribute *attr, + if (!entry->store) +@@ -699,7 +700,9 @@ queue_attr_store(struct kobject *kobj, struct attribute *attr, - mutex_lock(&q->sysfs_lock); blk_mq_freeze_queue(q); + mutex_lock(&q->sysfs_lock); + noio_flag = memalloc_noio_save(); res = entry->store(disk, page, length); + memalloc_noio_restore(noio_flag); - blk_mq_unfreeze_queue(q); mutex_unlock(&q->sysfs_lock); + blk_mq_unfreeze_queue(q); return res; -- -2.25.1 +2.43.0 diff --git a/SPECS/kernel-rt/CVE-2025-22103.patch b/SPECS/kernel-rt/CVE-2025-22103.patch deleted file mode 100644 index 0758824ca2..0000000000 --- a/SPECS/kernel-rt/CVE-2025-22103.patch +++ /dev/null @@ -1,61 +0,0 @@ -From a7feb0e9dda0ebb66c810ad9bd0bbeb2823bd89f Mon Sep 17 00:00:00 2001 -From: Wang Liang -Date: Fri, 21 Mar 2025 17:03:53 +0800 -Subject: [PATCH] net: fix NULL pointer dereference in l3mdev_l3_rcv - -When delete l3s ipvlan: - - ip link del link eth0 ipvlan1 type ipvlan mode l3s - -This may cause a null pointer dereference: - - Call trace: - ip_rcv_finish+0x48/0xd0 - ip_rcv+0x5c/0x100 - __netif_receive_skb_one_core+0x64/0xb0 - __netif_receive_skb+0x20/0x80 - process_backlog+0xb4/0x204 - napi_poll+0xe8/0x294 - net_rx_action+0xd8/0x22c - __do_softirq+0x12c/0x354 - -This is because l3mdev_l3_rcv() visit dev->l3mdev_ops after -ipvlan_l3s_unregister() assign the dev->l3mdev_ops to NULL. The process -like this: - - (CPU1) | (CPU2) - l3mdev_l3_rcv() | - check dev->priv_flags: | - master = skb->dev; | - | - | ipvlan_l3s_unregister() - | set dev->priv_flags - | dev->l3mdev_ops = NULL; - | - visit master->l3mdev_ops | - -To avoid this by do not set dev->l3mdev_ops when unregister l3s ipvlan. - -Suggested-by: David Ahern -Fixes: c675e06a98a4 ("ipvlan: decouple l3s mode dependencies from other modes") -Signed-off-by: Wang Liang -Reviewed-by: Simon Horman -Link: https://patch.msgid.link/20250321090353.1170545-1-wangliang74@huawei.com -Signed-off-by: Jakub Kicinski ---- - drivers/net/ipvlan/ipvlan_l3s.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/drivers/net/ipvlan/ipvlan_l3s.c b/drivers/net/ipvlan/ipvlan_l3s.c -index d5b05e803219..ca35a50bb640 100644 ---- a/drivers/net/ipvlan/ipvlan_l3s.c -+++ b/drivers/net/ipvlan/ipvlan_l3s.c -@@ -224,5 +224,4 @@ void ipvlan_l3s_unregister(struct ipvl_port *port) - - dev->priv_flags &= ~IFF_L3MDEV_RX_HANDLER; - ipvlan_unregister_nf_hook(read_pnet(&port->pnet)); -- dev->l3mdev_ops = NULL; - } --- -2.25.1 - diff --git a/SPECS/kernel-rt/CVE-2025-22106.patch b/SPECS/kernel-rt/CVE-2025-22106.patch deleted file mode 100644 index d714e67a0b..0000000000 --- a/SPECS/kernel-rt/CVE-2025-22106.patch +++ /dev/null @@ -1,57 +0,0 @@ -From ea875d82b9d342e8b3257e11d0ffaf2d2c533dcc Mon Sep 17 00:00:00 2001 -From: Sankararaman Jayaraman -Date: Thu, 20 Mar 2025 10:25:22 +0530 -Subject: [PATCH] vmxnet3: unregister xdp rxq info in the reset path - -vmxnet3 does not unregister xdp rxq info in the -vmxnet3_reset_work() code path as vmxnet3_rq_destroy() -is not invoked in this code path. So, we get below message with a -backtrace. - -Missing unregister, handled but fix driver -WARNING: CPU:48 PID: 500 at net/core/xdp.c:182 -__xdp_rxq_info_reg+0x93/0xf0 - -This patch fixes the problem by moving the unregister -code of XDP from vmxnet3_rq_destroy() to vmxnet3_rq_cleanup(). - -Fixes: 54f00cce1178 ("vmxnet3: Add XDP support.") -Signed-off-by: Sankararaman Jayaraman -Signed-off-by: Ronak Doshi -Link: https://patch.msgid.link/20250320045522.57892-1-sankararaman.jayaraman@broadcom.com -Signed-off-by: Jakub Kicinski ---- - drivers/net/vmxnet3/vmxnet3_drv.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c -index b70654c7ad34..3a7279e74c6b 100644 ---- a/drivers/net/vmxnet3/vmxnet3_drv.c -+++ b/drivers/net/vmxnet3/vmxnet3_drv.c -@@ -2025,6 +2025,11 @@ vmxnet3_rq_cleanup(struct vmxnet3_rx_queue *rq, - - rq->comp_ring.gen = VMXNET3_INIT_GEN; - rq->comp_ring.next2proc = 0; -+ -+ if (xdp_rxq_info_is_reg(&rq->xdp_rxq)) -+ xdp_rxq_info_unreg(&rq->xdp_rxq); -+ page_pool_destroy(rq->page_pool); -+ rq->page_pool = NULL; - } - - -@@ -2065,11 +2070,6 @@ static void vmxnet3_rq_destroy(struct vmxnet3_rx_queue *rq, - } - } - -- if (xdp_rxq_info_is_reg(&rq->xdp_rxq)) -- xdp_rxq_info_unreg(&rq->xdp_rxq); -- page_pool_destroy(rq->page_pool); -- rq->page_pool = NULL; -- - if (rq->data_ring.base) { - dma_free_coherent(&adapter->pdev->dev, - rq->rx_ring[0].size * rq->data_ring.desc_size, --- -2.25.1 - diff --git a/SPECS/kernel-rt/CVE-2025-22113-1.patch b/SPECS/kernel-rt/CVE-2025-22113-1.patch deleted file mode 100644 index 4a1c1cb639..0000000000 --- a/SPECS/kernel-rt/CVE-2025-22113-1.patch +++ /dev/null @@ -1,169 +0,0 @@ -From a38f34dafdd0c30fb3d2b3f35e1164f51442c215 Mon Sep 17 00:00:00 2001 -From: Ojaswin Mujoo -Date: Tue, 18 Mar 2025 13:22:56 +0530 -Subject: [PATCH 2/2] ext4: avoid journaling sb update on error if journal is - destroying - -Presently we always BUG_ON if trying to start a transaction on a journal marked -with JBD2_UNMOUNT, since this should never happen. However, while ltp running -stress tests, it was observed that in case of some error handling paths, it is -possible for update_super_work to start a transaction after the journal is -destroyed eg: - -(umount) -ext4_kill_sb - kill_block_super - generic_shutdown_super - sync_filesystem /* commits all txns */ - evict_inodes - /* might start a new txn */ - ext4_put_super - flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */ - jbd2_journal_destroy - journal_kill_thread - journal->j_flags |= JBD2_UNMOUNT; - jbd2_journal_commit_transaction - jbd2_journal_get_descriptor_buffer - jbd2_journal_bmap - ext4_journal_bmap - ext4_map_blocks - ... - ext4_inode_error - ext4_handle_error - schedule_work(&sbi->s_sb_upd_work) - - /* work queue kicks in */ - update_super_work - jbd2_journal_start - start_this_handle - BUG_ON(journal->j_flags & - JBD2_UNMOUNT) - -Hence, introduce a new mount flag to indicate journal is destroying and only do -a journaled (and deferred) update of sb if this flag is not set. Otherwise, just -fallback to an un-journaled commit. - -Further, in the journal destroy path, we have the following sequence: - - 1. Set mount flag indicating journal is destroying - 2. force a commit and wait for it - 3. flush pending sb updates - -This sequence is important as it ensures that, after this point, there is no sb -update that might be journaled so it is safe to update the sb outside the -journal. (To avoid race discussed in 2d01ddc86606) - -Also, we don't need a similar check in ext4_grp_locked_error since it is only -called from mballoc and AFAICT it would be always valid to schedule work here. - -Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available") -Reported-by: Mahesh Kumar -Signed-off-by: Ojaswin Mujoo -Reviewed-by: Jan Kara -Link: https://patch.msgid.link/9613c465d6ff00cd315602f99283d5f24018c3f7.1742279837.git.ojaswin@linux.ibm.com -Signed-off-by: Theodore Ts'o ---- - fs/ext4/ext4.h | 3 ++- - fs/ext4/ext4_jbd2.h | 15 +++++++++++++++ - fs/ext4/super.c | 16 ++++++++-------- - 3 files changed, 25 insertions(+), 9 deletions(-) - -diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h -index bbffb76d9a90..27b633928eb1 100644 ---- a/fs/ext4/ext4.h -+++ b/fs/ext4/ext4.h -@@ -1820,7 +1820,8 @@ static inline int ext4_valid_inum(struct super_block *sb, unsigned long ino) - */ - enum { - EXT4_MF_MNTDIR_SAMPLED, -- EXT4_MF_FC_INELIGIBLE /* Fast commit ineligible */ -+ EXT4_MF_FC_INELIGIBLE, /* Fast commit ineligible */ -+ EXT4_MF_JOURNAL_DESTROY /* Journal is in process of destroying */ - }; - - static inline void ext4_set_mount_flag(struct super_block *sb, int bit) -diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h -index 930778e507cc..ada46189b086 100644 ---- a/fs/ext4/ext4_jbd2.h -+++ b/fs/ext4/ext4_jbd2.h -@@ -521,6 +521,21 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour - { - int err = 0; - -+ /* -+ * At this point only two things can be operating on the journal. -+ * JBD2 thread performing transaction commit and s_sb_upd_work -+ * issuing sb update through the journal. Once we set -+ * EXT4_JOURNAL_DESTROY, new ext4_handle_error() calls will not -+ * queue s_sb_upd_work and ext4_force_commit() makes sure any -+ * ext4_handle_error() calls from the running transaction commit are -+ * finished. Hence no new s_sb_upd_work can be queued after we -+ * flush it here. -+ */ -+ ext4_set_mount_flag(sbi->s_sb, EXT4_MF_JOURNAL_DESTROY); -+ -+ ext4_force_commit(sbi->s_sb); -+ flush_work(&sbi->s_sb_upd_work); -+ - err = jbd2_journal_destroy(journal); - sbi->s_journal = NULL; - -diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index f26816854dd5..b10872abb9c9 100644 ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -719,9 +719,13 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error, - * In case the fs should keep running, we need to writeout - * superblock through the journal. Due to lock ordering - * constraints, it may not be safe to do it right here so we -- * defer superblock flushing to a workqueue. -+ * defer superblock flushing to a workqueue. We just need to be -+ * careful when the journal is already shutting down. If we get -+ * here in that case, just update the sb directly as the last -+ * transaction won't commit anyway. - */ -- if (continue_fs && journal) -+ if (continue_fs && journal && -+ !ext4_test_mount_flag(sb, EXT4_MF_JOURNAL_DESTROY)) - schedule_work(&EXT4_SB(sb)->s_sb_upd_work); - else - ext4_commit_super(sb); -@@ -1306,7 +1310,6 @@ static void ext4_put_super(struct super_block *sb) - ext4_unregister_li_request(sb); - ext4_quotas_off(sb, EXT4_MAXQUOTAS); - -- flush_work(&sbi->s_sb_upd_work); - destroy_workqueue(sbi->rsv_conversion_wq); - ext4_release_orphan_info(sb); - -@@ -1316,7 +1319,8 @@ static void ext4_put_super(struct super_block *sb) - if ((err < 0) && !aborted) { - ext4_abort(sb, -err, "Couldn't clean up the journal"); - } -- } -+ } else -+ flush_work(&sbi->s_sb_upd_work); - - ext4_es_unregister_shrinker(sbi); - timer_shutdown_sync(&sbi->s_err_report); -@@ -4944,8 +4948,6 @@ static int ext4_load_and_init_journal(struct super_block *sb, - return 0; - - out: -- /* flush s_sb_upd_work before destroying the journal. */ -- flush_work(&sbi->s_sb_upd_work); - ext4_journal_destroy(sbi, sbi->s_journal); - return -EINVAL; - } -@@ -5631,8 +5633,6 @@ failed_mount8: __maybe_unused - sbi->s_ea_block_cache = NULL; - - if (sbi->s_journal) { -- /* flush s_sb_upd_work before journal destroy. */ -- flush_work(&sbi->s_sb_upd_work); - ext4_journal_destroy(sbi, sbi->s_journal); - } - failed_mount3a: --- -2.25.1 - diff --git a/SPECS/kernel-rt/CVE-2025-22113.patch b/SPECS/kernel-rt/CVE-2025-22113.patch deleted file mode 100644 index 42b4dd4f27..0000000000 --- a/SPECS/kernel-rt/CVE-2025-22113.patch +++ /dev/null @@ -1,108 +0,0 @@ -From 1cb42376c3bb339074fd4d72232156af50dbd0a8 Mon Sep 17 00:00:00 2001 -From: Ojaswin Mujoo -Date: Tue, 18 Mar 2025 13:22:55 +0530 -Subject: [PATCH 1/2] ext4: define ext4_journal_destroy wrapper - -Define an ext4 wrapper over jbd2_journal_destroy to make sure we -have consistent behavior during journal destruction. This will also -come useful in the next patch where we add some ext4 specific logic -in the destroy path. - -Reviewed-by: Jan Kara -Reviewed-by: Baokun Li -Signed-off-by: Ojaswin Mujoo -Link: https://patch.msgid.link/c3ba78c5c419757e6d5f2d8ebb4a8ce9d21da86a.1742279837.git.ojaswin@linux.ibm.com -Signed-off-by: Theodore Ts'o ---- - fs/ext4/ext4_jbd2.h | 14 ++++++++++++++ - fs/ext4/super.c | 16 ++++++---------- - 2 files changed, 20 insertions(+), 10 deletions(-) - -diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h -index 0c77697d5e90..930778e507cc 100644 ---- a/fs/ext4/ext4_jbd2.h -+++ b/fs/ext4/ext4_jbd2.h -@@ -513,4 +513,18 @@ static inline int ext4_should_dioread_nolock(struct inode *inode) - return 1; - } - -+/* -+ * Pass journal explicitly as it may not be cached in the sbi->s_journal in some -+ * cases -+ */ -+static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *journal) -+{ -+ int err = 0; -+ -+ err = jbd2_journal_destroy(journal); -+ sbi->s_journal = NULL; -+ -+ return err; -+} -+ - #endif /* _EXT4_JBD2_H */ -diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index 4291ab3c20be..f26816854dd5 100644 ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -1312,8 +1312,7 @@ static void ext4_put_super(struct super_block *sb) - - if (sbi->s_journal) { - aborted = is_journal_aborted(sbi->s_journal); -- err = jbd2_journal_destroy(sbi->s_journal); -- sbi->s_journal = NULL; -+ err = ext4_journal_destroy(sbi, sbi->s_journal); - if ((err < 0) && !aborted) { - ext4_abort(sb, -err, "Couldn't clean up the journal"); - } -@@ -4947,8 +4946,7 @@ static int ext4_load_and_init_journal(struct super_block *sb, - out: - /* flush s_sb_upd_work before destroying the journal. */ - flush_work(&sbi->s_sb_upd_work); -- jbd2_journal_destroy(sbi->s_journal); -- sbi->s_journal = NULL; -+ ext4_journal_destroy(sbi, sbi->s_journal); - return -EINVAL; - } - -@@ -5635,8 +5633,7 @@ failed_mount8: __maybe_unused - if (sbi->s_journal) { - /* flush s_sb_upd_work before journal destroy. */ - flush_work(&sbi->s_sb_upd_work); -- jbd2_journal_destroy(sbi->s_journal); -- sbi->s_journal = NULL; -+ ext4_journal_destroy(sbi, sbi->s_journal); - } - failed_mount3a: - ext4_es_unregister_shrinker(sbi); -@@ -5944,7 +5941,7 @@ static journal_t *ext4_open_dev_journal(struct super_block *sb, - return journal; - - out_journal: -- jbd2_journal_destroy(journal); -+ ext4_journal_destroy(EXT4_SB(sb), journal); - out_bdev: - bdev_fput(bdev_file); - return ERR_PTR(errno); -@@ -6061,8 +6058,7 @@ static int ext4_load_journal(struct super_block *sb, - EXT4_SB(sb)->s_journal = journal; - err = ext4_clear_journal_err(sb, es); - if (err) { -- EXT4_SB(sb)->s_journal = NULL; -- jbd2_journal_destroy(journal); -+ ext4_journal_destroy(EXT4_SB(sb), journal); - return err; - } - -@@ -6080,7 +6076,7 @@ static int ext4_load_journal(struct super_block *sb, - return 0; - - err_out: -- jbd2_journal_destroy(journal); -+ ext4_journal_destroy(EXT4_SB(sb), journal); - return err; - } - --- -2.25.1 - diff --git a/SPECS/kernel-rt/CVE-2025-22124.patch b/SPECS/kernel-rt/CVE-2025-22124.patch deleted file mode 100644 index ba717d0c64..0000000000 --- a/SPECS/kernel-rt/CVE-2025-22124.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 31ea5fb2dc95a5ddc9ad67d53b5d1f151775f194 Mon Sep 17 00:00:00 2001 -From: Su Yue -Date: Mon, 3 Mar 2025 11:39:18 +0800 -Subject: [PATCH] md/md-bitmap: fix wrong bitmap_limit for clustermd when write - sb - -In clustermd, separate write-intent-bitmaps are used for each cluster -node: - -0 4k 8k 12k -------------------------------------------------------------------- -| idle | md super | bm super [0] + bits | -| bm bits[0, contd] | bm super[1] + bits | bm bits[1, contd] | -| bm super[2] + bits | bm bits [2, contd] | bm super[3] + bits | -| bm bits [3, contd] | | | - -So in node 1, pg_index in __write_sb_page() could equal to -bitmap->storage.file_pages. Then bitmap_limit will be calculated to -0. md_super_write() will be called with 0 size. -That means the first 4k sb area of node 1 will never be updated -through filemap_write_page(). -This bug causes hang of mdadm/clustermd_tests/01r1_Grow_resize. - -Here use (pg_index % bitmap->storage.file_pages) to make calculation -of bitmap_limit correct. - -Fixes: ab99a87542f1 ("md/md-bitmap: fix writing non bitmap pages") -Signed-off-by: Su Yue -Reviewed-by: Heming Zhao -Link: https://lore.kernel.org/linux-raid/20250303033918.32136-1-glass.su@suse.com -Signed-off-by: Yu Kuai ---- - drivers/md/md-bitmap.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c -index 2e3087556adb..4ab69fd1745a 100644 ---- a/drivers/md/md-bitmap.c -+++ b/drivers/md/md-bitmap.c -@@ -426,8 +426,8 @@ static int __write_sb_page(struct md_rdev *rdev, struct bitmap *bitmap, - struct block_device *bdev; - struct mddev *mddev = bitmap->mddev; - struct bitmap_storage *store = &bitmap->storage; -- unsigned int bitmap_limit = (bitmap->storage.file_pages - pg_index) << -- PAGE_SHIFT; -+ unsigned long num_pages = bitmap->storage.file_pages; -+ unsigned int bitmap_limit = (num_pages - pg_index % num_pages) << PAGE_SHIFT; - loff_t sboff, offset = mddev->bitmap_info.offset; - sector_t ps = pg_index * PAGE_SIZE / SECTOR_SIZE; - unsigned int size = PAGE_SIZE; -@@ -436,7 +436,7 @@ static int __write_sb_page(struct md_rdev *rdev, struct bitmap *bitmap, - - bdev = (rdev->meta_bdev) ? rdev->meta_bdev : rdev->bdev; - /* we compare length (page numbers), not page offset. */ -- if ((pg_index - store->sb_index) == store->file_pages - 1) { -+ if ((pg_index - store->sb_index) == num_pages - 1) { - unsigned int last_page_size = store->bytes & (PAGE_SIZE - 1); - - if (last_page_size == 0) --- -2.25.1 - diff --git a/SPECS/kernel-rt/CVE-2025-22125.patch b/SPECS/kernel-rt/CVE-2025-22125.patch deleted file mode 100644 index 6fffcf2b4d..0000000000 --- a/SPECS/kernel-rt/CVE-2025-22125.patch +++ /dev/null @@ -1,98 +0,0 @@ -From d6da5b46c7ccd873b769212a88ab847026a0ecbc Mon Sep 17 00:00:00 2001 -From: Yu Kuai -Date: Thu, 27 Feb 2025 20:16:57 +0800 -Subject: [PATCH 18/27] md/raid1,raid10: don't ignore IO flags - -If blk-wbt is enabled by default, it's found that raid write performance -is quite bad because all IO are throttled by wbt of underlying disks, -due to flag REQ_IDLE is ignored. And turns out this behaviour exist since -blk-wbt is introduced. - -Other than REQ_IDLE, other flags should not be ignored as well, for -example REQ_META can be set for filesystems, clearing it can cause priority -reverse problems; And REQ_NOWAIT should not be cleared as well, because -io will wait instead of failing directly in underlying disks. - -Fix those problems by keep IO flags from master bio. - -Fises: f51d46d0e7cb ("md: add support for REQ_NOWAIT") -Fixes: e34cbd307477 ("blk-wbt: add general throttling mechanism") -Fixes: 5404bc7a87b9 ("[PATCH] Allow file systems to differentiate between data and meta reads") -Link: https://lore.kernel.org/linux-raid/20250227121657.832356-1-yukuai1@huaweicloud.com -Signed-off-by: Yu Kuai ---- - drivers/md/raid1.c | 4 ---- - drivers/md/raid10.c | 7 ------- - 2 files changed, 11 deletions(-) - -diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c -index fe1599db69c8..6e93e3b6bd8c 100644 ---- a/drivers/md/raid1.c -+++ b/drivers/md/raid1.c -@@ -1315,8 +1315,6 @@ static void raid1_read_request(struct mddev *mddev, struct bio *bio, - struct r1conf *conf = mddev->private; - struct raid1_info *mirror; - struct bio *read_bio; -- const enum req_op op = bio_op(bio); -- const blk_opf_t do_sync = bio->bi_opf & REQ_SYNC; - int max_sectors; - int rdisk; - bool r1bio_existed = !!r1_bio; -@@ -1399,7 +1397,6 @@ static void raid1_read_request(struct mddev *mddev, struct bio *bio, - read_bio->bi_iter.bi_sector = r1_bio->sector + - mirror->rdev->data_offset; - read_bio->bi_end_io = raid1_end_read_request; -- read_bio->bi_opf = op | do_sync; - if (test_bit(FailFast, &mirror->rdev->flags) && - test_bit(R1BIO_FailFast, &r1_bio->state)) - read_bio->bi_opf |= MD_FAILFAST; -@@ -1619,7 +1616,6 @@ static void raid1_write_request(struct mddev *mddev, struct bio *bio, - - mbio->bi_iter.bi_sector = (r1_bio->sector + rdev->data_offset); - mbio->bi_end_io = raid1_end_write_request; -- mbio->bi_opf = bio_op(bio) | (bio->bi_opf & (REQ_SYNC | REQ_FUA)); - if (test_bit(FailFast, &rdev->flags) && - !test_bit(WriteMostly, &rdev->flags) && - conf->raid_disks - mddev->degraded > 1) -diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c -index 8825457f6a70..e2c6487456c1 100644 ---- a/drivers/md/raid10.c -+++ b/drivers/md/raid10.c -@@ -1146,8 +1146,6 @@ static void raid10_read_request(struct mddev *mddev, struct bio *bio, - { - struct r10conf *conf = mddev->private; - struct bio *read_bio; -- const enum req_op op = bio_op(bio); -- const blk_opf_t do_sync = bio->bi_opf & REQ_SYNC; - int max_sectors; - struct md_rdev *rdev; - char b[BDEVNAME_SIZE]; -@@ -1226,7 +1224,6 @@ static void raid10_read_request(struct mddev *mddev, struct bio *bio, - read_bio->bi_iter.bi_sector = r10_bio->devs[slot].addr + - choose_data_offset(r10_bio, rdev); - read_bio->bi_end_io = raid10_end_read_request; -- read_bio->bi_opf = op | do_sync; - if (test_bit(FailFast, &rdev->flags) && - test_bit(R10BIO_FailFast, &r10_bio->state)) - read_bio->bi_opf |= MD_FAILFAST; -@@ -1240,9 +1237,6 @@ static void raid10_write_one_disk(struct mddev *mddev, struct r10bio *r10_bio, - struct bio *bio, bool replacement, - int n_copy) - { -- const enum req_op op = bio_op(bio); -- const blk_opf_t do_sync = bio->bi_opf & REQ_SYNC; -- const blk_opf_t do_fua = bio->bi_opf & REQ_FUA; - unsigned long flags; - struct r10conf *conf = mddev->private; - struct md_rdev *rdev; -@@ -1261,7 +1255,6 @@ static void raid10_write_one_disk(struct mddev *mddev, struct r10bio *r10_bio, - mbio->bi_iter.bi_sector = (r10_bio->devs[n_copy].addr + - choose_data_offset(r10_bio, rdev)); - mbio->bi_end_io = raid10_end_write_request; -- mbio->bi_opf = op | do_sync | do_fua; - if (!replacement && test_bit(FailFast, - &conf->mirrors[devnum].rdev->flags) - && enough(conf, devnum)) --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-23133.patch b/SPECS/kernel-rt/CVE-2025-23133.patch deleted file mode 100644 index 000000ed36..0000000000 --- a/SPECS/kernel-rt/CVE-2025-23133.patch +++ /dev/null @@ -1,104 +0,0 @@ -From 73cb277b4f7485c9b3c2e4490474ec7708808b32 Mon Sep 17 00:00:00 2001 -From: Wen Gong -Date: Fri, 17 Jan 2025 14:17:36 +0800 -Subject: [PATCH 13/27] wifi: ath11k: update channel list in reg notifier - instead reg worker - -Currently when ath11k gets a new channel list, it will be processed -according to the following steps: -1. update new channel list to cfg80211 and queue reg_work. -2. cfg80211 handles new channel list during reg_work. -3. update cfg80211's handled channel list to firmware by -ath11k_reg_update_chan_list(). - -But ath11k will immediately execute step 3 after reg_work is just -queued. Since step 2 is asynchronous, cfg80211 may not have completed -handling the new channel list, which may leading to an out-of-bounds -write error: -BUG: KASAN: slab-out-of-bounds in ath11k_reg_update_chan_list -Call Trace: - ath11k_reg_update_chan_list+0xbfe/0xfe0 [ath11k] - kfree+0x109/0x3a0 - ath11k_regd_update+0x1cf/0x350 [ath11k] - ath11k_regd_update_work+0x14/0x20 [ath11k] - process_one_work+0xe35/0x14c0 - -Should ensure step 2 is completely done before executing step 3. Thus -Wen raised patch[1]. When flag NL80211_REGDOM_SET_BY_DRIVER is set, -cfg80211 will notify ath11k after step 2 is done. - -So enable the flag NL80211_REGDOM_SET_BY_DRIVER then cfg80211 will -notify ath11k after step 2 is done. At this time, there will be no -KASAN bug during the execution of the step 3. - -[1] https://patchwork.kernel.org/project/linux-wireless/patch/20230201065313.27203-1-quic_wgong@quicinc.com/ - -Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3 - -Fixes: f45cb6b29cd3 ("wifi: ath11k: avoid deadlock during regulatory update in ath11k_regd_update()") -Signed-off-by: Wen Gong -Signed-off-by: Kang Yang -Reviewed-by: Aditya Kumar Singh -Link: https://patch.msgid.link/20250117061737.1921-2-quic_kangyang@quicinc.com -Signed-off-by: Jeff Johnson ---- - drivers/net/wireless/ath/ath11k/reg.c | 22 +++++++++++++++------- - 1 file changed, 15 insertions(+), 7 deletions(-) - -diff --git a/drivers/net/wireless/ath/ath11k/reg.c b/drivers/net/wireless/ath/ath11k/reg.c -index b0f289784dd3..7bfe47ad62a0 100644 ---- a/drivers/net/wireless/ath/ath11k/reg.c -+++ b/drivers/net/wireless/ath/ath11k/reg.c -@@ -1,7 +1,7 @@ - // SPDX-License-Identifier: BSD-3-Clause-Clear - /* - * Copyright (c) 2018-2019 The Linux Foundation. All rights reserved. -- * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved. -+ * Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved. - */ - #include - -@@ -55,6 +55,19 @@ ath11k_reg_notifier(struct wiphy *wiphy, struct regulatory_request *request) - ath11k_dbg(ar->ab, ATH11K_DBG_REG, - "Regulatory Notification received for %s\n", wiphy_name(wiphy)); - -+ if (request->initiator == NL80211_REGDOM_SET_BY_DRIVER) { -+ ath11k_dbg(ar->ab, ATH11K_DBG_REG, -+ "driver initiated regd update\n"); -+ if (ar->state != ATH11K_STATE_ON) -+ return; -+ -+ ret = ath11k_reg_update_chan_list(ar, true); -+ if (ret) -+ ath11k_warn(ar->ab, "failed to update channel list: %d\n", ret); -+ -+ return; -+ } -+ - /* Currently supporting only General User Hints. Cell base user - * hints to be handled later. - * Hints from other sources like Core, Beacons are not expected for -@@ -293,12 +306,6 @@ int ath11k_regd_update(struct ath11k *ar) - if (ret) - goto err; - -- if (ar->state == ATH11K_STATE_ON) { -- ret = ath11k_reg_update_chan_list(ar, true); -- if (ret) -- goto err; -- } -- - return 0; - err: - ath11k_warn(ab, "failed to perform regd update : %d\n", ret); -@@ -977,6 +984,7 @@ void ath11k_regd_update_work(struct work_struct *work) - void ath11k_reg_init(struct ath11k *ar) - { - ar->hw->wiphy->regulatory_flags = REGULATORY_WIPHY_SELF_MANAGED; -+ ar->hw->wiphy->flags |= WIPHY_FLAG_NOTIFY_REGDOM_BY_DRIVER; - ar->hw->wiphy->reg_notifier = ath11k_reg_notifier; - } - --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-38105.patch b/SPECS/kernel-rt/CVE-2025-38105.patch deleted file mode 100644 index 4040614167..0000000000 --- a/SPECS/kernel-rt/CVE-2025-38105.patch +++ /dev/null @@ -1,49 +0,0 @@ -From ee91ba3155f050613d89811c1d84c1b93a7093ca Mon Sep 17 00:00:00 2001 -From: Takashi Iwai -Date: Mon, 19 May 2025 23:20:30 +0200 -Subject: [PATCH 7/8] ALSA: usb-audio: Kill timer properly at removal - -The USB-audio MIDI code initializes the timer, but in a rare case, the -driver might be freed without the disconnect call. This leaves the -timer in an active state while the assigned object is released via -snd_usbmidi_free(), which ends up with a kernel warning when the debug -configuration is enabled, as spotted by fuzzer. - -For avoiding the problem, put timer_shutdown_sync() at -snd_usbmidi_free(), so that the timer can be killed properly. -While we're at it, replace the existing timer_delete_sync() at the -disconnect callback with timer_shutdown_sync(), too. - -Reported-by: syzbot+d8f72178ab6783a7daea@syzkaller.appspotmail.com -Closes: https://lore.kernel.org/681c70d7.050a0220.a19a9.00c6.GAE@google.com -Cc: -Link: https://patch.msgid.link/20250519212031.14436-1-tiwai@suse.de -Signed-off-by: Takashi Iwai ---- - sound/usb/midi.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/sound/usb/midi.c b/sound/usb/midi.c -index a792ada18863..c3de2b137435 100644 ---- a/sound/usb/midi.c -+++ b/sound/usb/midi.c -@@ -1530,6 +1530,7 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) - snd_usbmidi_in_endpoint_delete(ep->in); - } - mutex_destroy(&umidi->mutex); -+ timer_shutdown_sync(&umidi->error_timer); - kfree(umidi); - } - -@@ -1553,7 +1554,7 @@ void snd_usbmidi_disconnect(struct list_head *p) - spin_unlock_irq(&umidi->disc_lock); - up_write(&umidi->disc_rwsem); - -- del_timer_sync(&umidi->error_timer); -+ timer_shutdown_sync(&umidi->error_timer); - - for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) { - struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i]; --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-38272-1.patch b/SPECS/kernel-rt/CVE-2025-38272-1.patch deleted file mode 100644 index f39cee293a..0000000000 --- a/SPECS/kernel-rt/CVE-2025-38272-1.patch +++ /dev/null @@ -1,89 +0,0 @@ -From adcc861c6c71dfa145c2cc86a306060438899793 Mon Sep 17 00:00:00 2001 -From: "Russell King (Oracle)" -Date: Tue, 10 Dec 2024 14:18:26 +0000 -Subject: [PATCH 06/27] net: dsa: b53/bcm_sf2: implement .support_eee() method - -Implement the .support_eee() method to indicate that EEE is not -supported by two switch variants, rather than making these checks in -the .set_mac_eee() and .get_mac_eee() methods. - -Signed-off-by: Russell King (Oracle) -Reviewed-by: Florian Fainelli -Reviewed-by: Vladimir Oltean -Link: https://patch.msgid.link/E1tL14E-006cZU-Nc@rmk-PC.armlinux.org.uk -Signed-off-by: Jakub Kicinski ---- - drivers/net/dsa/b53/b53_common.c | 13 +++++++------ - drivers/net/dsa/b53/b53_priv.h | 1 + - drivers/net/dsa/bcm_sf2.c | 1 + - 3 files changed, 9 insertions(+), 6 deletions(-) - -diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c -index 71c30a81c36d..f36dae40d70c 100644 ---- a/drivers/net/dsa/b53/b53_common.c -+++ b/drivers/net/dsa/b53/b53_common.c -@@ -2344,13 +2344,16 @@ int b53_eee_init(struct dsa_switch *ds, int port, struct phy_device *phy) - } - EXPORT_SYMBOL(b53_eee_init); - --int b53_get_mac_eee(struct dsa_switch *ds, int port, struct ethtool_keee *e) -+bool b53_support_eee(struct dsa_switch *ds, int port) - { - struct b53_device *dev = ds->priv; - -- if (is5325(dev) || is5365(dev)) -- return -EOPNOTSUPP; -+ return !is5325(dev) && !is5365(dev); -+} -+EXPORT_SYMBOL(b53_support_eee); - -+int b53_get_mac_eee(struct dsa_switch *ds, int port, struct ethtool_keee *e) -+{ - return 0; - } - EXPORT_SYMBOL(b53_get_mac_eee); -@@ -2360,9 +2363,6 @@ int b53_set_mac_eee(struct dsa_switch *ds, int port, struct ethtool_keee *e) - struct b53_device *dev = ds->priv; - struct ethtool_keee *p = &dev->ports[port].eee; - -- if (is5325(dev) || is5365(dev)) -- return -EOPNOTSUPP; -- - p->eee_enabled = e->eee_enabled; - b53_eee_enable_set(ds, port, e->eee_enabled); - -@@ -2419,6 +2419,7 @@ static const struct dsa_switch_ops b53_switch_ops = { - .port_setup = b53_setup_port, - .port_enable = b53_enable_port, - .port_disable = b53_disable_port, -+ .support_eee = b53_support_eee, - .get_mac_eee = b53_get_mac_eee, - .set_mac_eee = b53_set_mac_eee, - .port_bridge_join = b53_br_join, -diff --git a/drivers/net/dsa/b53/b53_priv.h b/drivers/net/dsa/b53/b53_priv.h -index 4f8c97098d2a..e908397e8b9a 100644 ---- a/drivers/net/dsa/b53/b53_priv.h -+++ b/drivers/net/dsa/b53/b53_priv.h -@@ -387,6 +387,7 @@ int b53_enable_port(struct dsa_switch *ds, int port, struct phy_device *phy); - void b53_disable_port(struct dsa_switch *ds, int port); - void b53_brcm_hdr_setup(struct dsa_switch *ds, int port); - int b53_eee_init(struct dsa_switch *ds, int port, struct phy_device *phy); -+bool b53_support_eee(struct dsa_switch *ds, int port); - int b53_get_mac_eee(struct dsa_switch *ds, int port, struct ethtool_keee *e); - int b53_set_mac_eee(struct dsa_switch *ds, int port, struct ethtool_keee *e); - -diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c -index c4771a07878e..f1372830d5fa 100644 ---- a/drivers/net/dsa/bcm_sf2.c -+++ b/drivers/net/dsa/bcm_sf2.c -@@ -1233,6 +1233,7 @@ static const struct dsa_switch_ops bcm_sf2_ops = { - .port_setup = b53_setup_port, - .port_enable = bcm_sf2_port_setup, - .port_disable = bcm_sf2_port_disable, -+ .support_eee = b53_support_eee, - .get_mac_eee = b53_get_mac_eee, - .set_mac_eee = b53_set_mac_eee, - .port_bridge_join = b53_br_join, --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-38272-2.patch b/SPECS/kernel-rt/CVE-2025-38272-2.patch deleted file mode 100644 index b5abe20ba0..0000000000 --- a/SPECS/kernel-rt/CVE-2025-38272-2.patch +++ /dev/null @@ -1,52 +0,0 @@ -From e6ce4c185e8582c3627f71245ded22194363f954 Mon Sep 17 00:00:00 2001 -From: Jonas Gorski -Date: Mon, 2 Jun 2025 21:39:49 +0200 -Subject: [PATCH 07/27] net: dsa: b53: do not enable EEE on bcm63xx -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BCM63xx internal switches do not support EEE, but provide multiple RGMII -ports where external PHYs may be connected. If one of these PHYs are EEE -capable, we may try to enable EEE for the MACs, which then hangs the -system on access of the (non-existent) EEE registers. - -Fix this by checking if the switch actually supports EEE before -attempting to configure it. - -Fixes: 22256b0afb12 ("net: dsa: b53: Move EEE functions to b53") -Reviewed-by: Florian Fainelli -Tested-by: Álvaro Fernández Rojas -Signed-off-by: Jonas Gorski -Link: https://patch.msgid.link/20250602193953.1010487-2-jonas.gorski@gmail.com -Signed-off-by: Paolo Abeni ---- - drivers/net/dsa/b53/b53_common.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c -index f36dae40d70c..daee9302b56f 100644 ---- a/drivers/net/dsa/b53/b53_common.c -+++ b/drivers/net/dsa/b53/b53_common.c -@@ -2334,6 +2334,9 @@ int b53_eee_init(struct dsa_switch *ds, int port, struct phy_device *phy) - { - int ret; - -+ if (!b53_support_eee(ds, port)) -+ return 0; -+ - ret = phy_init_eee(phy, false); - if (ret) - return 0; -@@ -2348,7 +2351,7 @@ bool b53_support_eee(struct dsa_switch *ds, int port) - { - struct b53_device *dev = ds->priv; - -- return !is5325(dev) && !is5365(dev); -+ return !is5325(dev) && !is5365(dev) && !is63xx(dev); - } - EXPORT_SYMBOL(b53_support_eee); - --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-38272.patch b/SPECS/kernel-rt/CVE-2025-38272.patch deleted file mode 100644 index d8bb66ec17..0000000000 --- a/SPECS/kernel-rt/CVE-2025-38272.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 232555317cddf41ff4f9c8ec66c5ff89547ea1e7 Mon Sep 17 00:00:00 2001 -From: "Russell King (Oracle)" -Date: Tue, 10 Dec 2024 14:18:16 +0000 -Subject: [PATCH 05/27] net: dsa: add hook to determine whether EEE is - supported - -Add a hook to determine whether the switch supports EEE. This will -return false if the switch does not, or true if it does. If the -method is not implemented, we assume (currently) that the switch -supports EEE. - -Signed-off-by: Russell King (Oracle) -Reviewed-by: Florian Fainelli -Reviewed-by: Vladimir Oltean -Link: https://patch.msgid.link/E1tL144-006cZD-El@rmk-PC.armlinux.org.uk -Signed-off-by: Jakub Kicinski ---- - include/net/dsa.h | 1 + - net/dsa/user.c | 8 ++++++++ - 2 files changed, 9 insertions(+) - -diff --git a/include/net/dsa.h b/include/net/dsa.h -index d7a6c2930277..fa99fc5249e9 100644 ---- a/include/net/dsa.h -+++ b/include/net/dsa.h -@@ -1003,6 +1003,7 @@ struct dsa_switch_ops { - /* - * Port's MAC EEE settings - */ -+ bool (*support_eee)(struct dsa_switch *ds, int port); - int (*set_mac_eee)(struct dsa_switch *ds, int port, - struct ethtool_keee *e); - int (*get_mac_eee)(struct dsa_switch *ds, int port, -diff --git a/net/dsa/user.c b/net/dsa/user.c -index 64f660d2334b..06267c526dc4 100644 ---- a/net/dsa/user.c -+++ b/net/dsa/user.c -@@ -1231,6 +1231,10 @@ static int dsa_user_set_eee(struct net_device *dev, struct ethtool_keee *e) - struct dsa_switch *ds = dp->ds; - int ret; - -+ /* Check whether the switch supports EEE */ -+ if (ds->ops->support_eee && !ds->ops->support_eee(ds, dp->index)) -+ return -EOPNOTSUPP; -+ - /* Port's PHY and MAC both need to be EEE capable */ - if (!dev->phydev || !dp->pl) - return -ENODEV; -@@ -1251,6 +1255,10 @@ static int dsa_user_get_eee(struct net_device *dev, struct ethtool_keee *e) - struct dsa_switch *ds = dp->ds; - int ret; - -+ /* Check whether the switch supports EEE */ -+ if (ds->ops->support_eee && !ds->ops->support_eee(ds, dp->index)) -+ return -EOPNOTSUPP; -+ - /* Port's PHY and MAC both need to be EEE capable */ - if (!dev->phydev || !dp->pl) - return -ENODEV; --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-38306.patch b/SPECS/kernel-rt/CVE-2025-38306.patch deleted file mode 100644 index 2725894164..0000000000 --- a/SPECS/kernel-rt/CVE-2025-38306.patch +++ /dev/null @@ -1,136 +0,0 @@ -From 53ca1616118eb6c5c4e21109c6b5426535e12eb2 Mon Sep 17 00:00:00 2001 -From: Al Viro -Date: Sun, 1 Jun 2025 14:23:52 -0400 -Subject: [PATCH] fs/fhandle.c: fix a race in call of has_locked_children() - -may_decode_fh() is calling has_locked_children() while holding no locks. -That's an oopsable race... - -The rest of the callers are safe since they are holding namespace_sem and -are guaranteed a positive refcount on the mount in question. - -Rename the current has_locked_children() to __has_locked_children(), make -it static and switch the fs/namespace.c users to it. - -Make has_locked_children() a wrapper for __has_locked_children(), calling -the latter under read_seqlock_excl(&mount_lock). - -Reviewed-by: Christian Brauner -Reviewed-by: Jeff Layton -Fixes: 620c266f3949 ("fhandle: relax open_by_handle_at() permission checks") -Signed-off-by: Al Viro ---- - fs/namespace.c | 62 +++++++++++++++++++++++++++++--------------------- - 1 file changed, 36 insertions(+), 26 deletions(-) - -diff --git a/fs/namespace.c b/fs/namespace.c -index 962fda4fa246..066c06c8a188 100644 ---- a/fs/namespace.c -+++ b/fs/namespace.c -@@ -2227,7 +2227,7 @@ void drop_collected_mounts(struct vfsmount *mnt) - namespace_unlock(); - } - --bool has_locked_children(struct mount *mnt, struct dentry *dentry) -+static bool __has_locked_children(struct mount *mnt, struct dentry *dentry) - { - struct mount *child; - -@@ -2241,6 +2241,38 @@ bool has_locked_children(struct mount *mnt, struct dentry *dentry) - return false; - } - -+bool has_locked_children(struct mount *mnt, struct dentry *dentry) -+{ -+ bool res; -+ -+ read_seqlock_excl(&mount_lock); -+ res = __has_locked_children(mnt, dentry); -+ read_sequnlock_excl(&mount_lock); -+ return res; -+} -+ -+/* -+ * Check that there aren't references to earlier/same mount namespaces in the -+ * specified subtree. Such references can act as pins for mount namespaces -+ * that aren't checked by the mount-cycle checking code, thereby allowing -+ * cycles to be made. -+ */ -+static bool check_for_nsfs_mounts(struct mount *subtree) -+{ -+ struct mount *p; -+ bool ret = false; -+ -+ lock_mount_hash(); -+ for (p = subtree; p; p = next_mnt(p, subtree)) -+ if (mnt_ns_loop(p->mnt.mnt_root)) -+ goto out; -+ -+ ret = true; -+out: -+ unlock_mount_hash(); -+ return ret; -+} -+ - /** - * clone_private_mount - create a private clone of a path - * @path: path to clone -@@ -2268,7 +2300,7 @@ struct vfsmount *clone_private_mount(const struct path *path) - return ERR_PTR(-EPERM); - } - -- if (has_locked_children(old_mnt, path->dentry)) -+ if (__has_locked_children(old_mnt, path->dentry)) - goto invalid; - - new_mnt = clone_mnt(old_mnt, path->dentry, CL_PRIVATE); -@@ -2762,7 +2794,7 @@ static struct mount *__do_loopback(struct path *old_path, int recurse) - if (!check_mnt(old) && old_path->dentry->d_op != &ns_dentry_operations) - return mnt; - -- if (!recurse && has_locked_children(old, old_path->dentry)) -+ if (!recurse && __has_locked_children(old, old_path->dentry)) - return mnt; - - if (recurse) -@@ -3097,28 +3129,6 @@ static inline int tree_contains_unbindable(struct mount *mnt) - return 0; - } - --/* -- * Check that there aren't references to earlier/same mount namespaces in the -- * specified subtree. Such references can act as pins for mount namespaces -- * that aren't checked by the mount-cycle checking code, thereby allowing -- * cycles to be made. -- */ --static bool check_for_nsfs_mounts(struct mount *subtree) --{ -- struct mount *p; -- bool ret = false; -- -- lock_mount_hash(); -- for (p = subtree; p; p = next_mnt(p, subtree)) -- if (mnt_ns_loop(p->mnt.mnt_root)) -- goto out; -- -- ret = true; --out: -- unlock_mount_hash(); -- return ret; --} -- - static int do_set_group(struct path *from_path, struct path *to_path) - { - struct mount *from, *to; -@@ -3152,7 +3162,7 @@ static int do_set_group(struct path *from_path, struct path *to_path) - goto out; - - /* From mount should not have locked children in place of To's root */ -- if (has_locked_children(from, to->mnt.mnt_root)) -+ if (__has_locked_children(from, to->mnt.mnt_root)) - goto out; - - /* Setting sharing groups is only allowed on private mounts */ --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-38502.patch b/SPECS/kernel-rt/CVE-2025-38502.patch deleted file mode 100644 index ada07fcfbf..0000000000 --- a/SPECS/kernel-rt/CVE-2025-38502.patch +++ /dev/null @@ -1,143 +0,0 @@ -From 948ea4b9d31826977c5bd558e47de2322afeb52b Mon Sep 17 00:00:00 2001 -From: Daniel Borkmann -Date: Thu, 31 Jul 2025 01:47:33 +0200 -Subject: [PATCH 2/4] bpf: Fix oob access in cgroup local storage - -Lonial reported that an out-of-bounds access in cgroup local storage -can be crafted via tail calls. Given two programs each utilizing a -cgroup local storage with a different value size, and one program -doing a tail call into the other. The verifier will validate each of -the indivial programs just fine. However, in the runtime context -the bpf_cg_run_ctx holds an bpf_prog_array_item which contains the -BPF program as well as any cgroup local storage flavor the program -uses. Helpers such as bpf_get_local_storage() pick this up from the -runtime context: - - ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx); - storage = ctx->prog_item->cgroup_storage[stype]; - - if (stype == BPF_CGROUP_STORAGE_SHARED) - ptr = &READ_ONCE(storage->buf)->data[0]; - else - ptr = this_cpu_ptr(storage->percpu_buf); - -For the second program which was called from the originally attached -one, this means bpf_get_local_storage() will pick up the former -program's map, not its own. With mismatching sizes, this can result -in an unintended out-of-bounds access. - -To fix this issue, we need to extend bpf_map_owner with an array of -storage_cookie[] to match on i) the exact maps from the original -program if the second program was using bpf_get_local_storage(), or -ii) allow the tail call combination if the second program was not -using any of the cgroup local storage maps. - -Fixes: 7d9c3427894f ("bpf: Make cgroup storages shared between programs on the same cgroup") -Reported-by: Lonial Con -Signed-off-by: Daniel Borkmann -Link: https://lore.kernel.org/r/20250730234733.530041-4-daniel@iogearbox.net -Signed-off-by: Alexei Starovoitov ---- ---- - include/linux/bpf.h | 25 +++++++++++++++++-------- - kernel/bpf/core.c | 15 +++++++++++++++ - 2 files changed, 32 insertions(+), 8 deletions(-) - -diff --git a/include/linux/bpf.h b/include/linux/bpf.h -index 1150a595aa54..66a0ffe9bae3 100644 ---- a/include/linux/bpf.h -+++ b/include/linux/bpf.h -@@ -205,6 +205,21 @@ enum btf_field_type { - BPF_WORKQUEUE = (1 << 10), - }; - -+enum bpf_cgroup_storage_type { -+ BPF_CGROUP_STORAGE_SHARED, -+ BPF_CGROUP_STORAGE_PERCPU, -+ __BPF_CGROUP_STORAGE_MAX -+}; -+ -+#define MAX_BPF_CGROUP_STORAGE_TYPE __BPF_CGROUP_STORAGE_MAX -+ -+#ifdef CONFIG_CGROUP_BPF -+# define for_each_cgroup_storage_type(stype) \ -+ for (stype = 0; stype < MAX_BPF_CGROUP_STORAGE_TYPE; stype++) -+#else -+# define for_each_cgroup_storage_type(stype) for (; false; ) -+#endif /* CONFIG_CGROUP_BPF */ -+ - typedef void (*btf_dtor_kfunc_t)(void *); - - struct btf_field_kptr { -@@ -298,6 +313,7 @@ struct bpf_map { - spinlock_t lock; - enum bpf_prog_type type; - bool jited; -+ u64 storage_cookie[MAX_BPF_CGROUP_STORAGE_TYPE]; - bool xdp_has_frags; - } owner; - bool bypass_spec_v1; -@@ -306,6 +322,7 @@ struct bpf_map { - bool free_after_rcu_gp; - atomic64_t sleepable_refcnt; - s64 __percpu *elem_count; -+ u64 cookie; /* write-once */ - }; - - static inline const char *btf_field_type_name(enum btf_field_type type) -@@ -1025,14 +1042,6 @@ struct bpf_prog_offload { - u32 jited_len; - }; - --enum bpf_cgroup_storage_type { -- BPF_CGROUP_STORAGE_SHARED, -- BPF_CGROUP_STORAGE_PERCPU, -- __BPF_CGROUP_STORAGE_MAX --}; -- --#define MAX_BPF_CGROUP_STORAGE_TYPE __BPF_CGROUP_STORAGE_MAX -- - /* The longest tracepoint has 12 args. - * See include/trace/bpf_probe.h - */ -diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c -index 767dcb8471f6..b714362a297c 100644 ---- a/kernel/bpf/core.c -+++ b/kernel/bpf/core.c -@@ -2312,6 +2312,8 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map, - enum bpf_prog_type prog_type = resolve_prog_type(fp); - bool ret; - struct bpf_prog_aux *aux = fp->aux; -+ enum bpf_cgroup_storage_type i; -+ u64 cookie; - - if (fp->kprobe_override) - return false; -@@ -2325,11 +2327,24 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map, - map->owner.jited = fp->jited; - map->owner.xdp_has_frags = aux->xdp_has_frags; - map->owner.attach_func_proto = aux->attach_func_proto; -+ for_each_cgroup_storage_type(i) { -+ map->owner.storage_cookie[i] = -+ aux->cgroup_storage[i] ? -+ aux->cgroup_storage[i]->cookie : 0; -+ } - ret = true; - } else { - ret = map->owner.type == prog_type && - map->owner.jited == fp->jited && - map->owner.xdp_has_frags == aux->xdp_has_frags; -+ for_each_cgroup_storage_type(i) { -+ if (!ret) -+ break; -+ cookie = aux->cgroup_storage[i] ? -+ aux->cgroup_storage[i]->cookie : 0; -+ ret = map->owner.storage_cookie[i] == cookie || -+ !cookie; -+ } - if (ret && - map->owner.attach_func_proto != aux->attach_func_proto) { - switch (prog_type) { --- -2.43.0 - diff --git a/SPECS/kernel-rt/CVE-2025-39677.patch b/SPECS/kernel-rt/CVE-2025-39677.patch new file mode 100644 index 0000000000..6f075526c7 --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-39677.patch @@ -0,0 +1,313 @@ +From 6475c4fdc534ff8302069efc313e47a9617963fc Mon Sep 17 00:00:00 2001 +From: William Liu +Date: Tue, 12 Aug 2025 23:57:57 +0000 +Subject: [PATCH 4/4] net/sched: Fix backlog accounting in + qdisc_dequeue_internal + +This issue applies for the following qdiscs: hhf, fq, fq_codel, and +fq_pie, and occurs in their change handlers when adjusting to the new +limit. The problem is the following in the values passed to the +subsequent qdisc_tree_reduce_backlog call given a tbf parent: + + When the tbf parent runs out of tokens, skbs of these qdiscs will + be placed in gso_skb. Their peek handlers are qdisc_peek_dequeued, + which accounts for both qlen and backlog. However, in the case of + qdisc_dequeue_internal, ONLY qlen is accounted for when pulling + from gso_skb. This means that these qdiscs are missing a + qdisc_qstats_backlog_dec when dropping packets to satisfy the + new limit in their change handlers. + + One can observe this issue with the following (with tc patched to + support a limit of 0): + + export TARGET=fq + tc qdisc del dev lo root + tc qdisc add dev lo root handle 1: tbf rate 8bit burst 100b latency 1ms + tc qdisc replace dev lo handle 3: parent 1:1 $TARGET limit 1000 + echo ''; echo 'add child'; tc -s -d qdisc show dev lo + ping -I lo -f -c2 -s32 -W0.001 127.0.0.1 2>&1 >/dev/null + echo ''; echo 'after ping'; tc -s -d qdisc show dev lo + tc qdisc change dev lo handle 3: parent 1:1 $TARGET limit 0 + echo ''; echo 'after limit drop'; tc -s -d qdisc show dev lo + tc qdisc replace dev lo handle 2: parent 1:1 sfq + echo ''; echo 'post graft'; tc -s -d qdisc show dev lo + + The second to last show command shows 0 packets but a positive + number (74) of backlog bytes. The problem becomes clearer in the + last show command, where qdisc_purge_queue triggers + qdisc_tree_reduce_backlog with the positive backlog and causes an + underflow in the tbf parent's backlog (4096 Mb instead of 0). + +To fix this issue, the codepath for all clients of qdisc_dequeue_internal +has been simplified: codel, pie, hhf, fq, fq_pie, and fq_codel. +qdisc_dequeue_internal handles the backlog adjustments for all cases that +do not directly use the dequeue handler. + +The old fq_codel_change limit adjustment loop accumulated the arguments to +the subsequent qdisc_tree_reduce_backlog call through the cstats field. +However, this is confusing and error prone as fq_codel_dequeue could also +potentially mutate this field (which qdisc_dequeue_internal calls in the +non gso_skb case), so we have unified the code here with other qdiscs. + +Fixes: 2d3cbfd6d54a ("net_sched: Flush gso_skb list too during ->change()") +Fixes: 4b549a2ef4be ("fq_codel: Fair Queue Codel AQM") +Fixes: 10239edf86f1 ("net-qdisc-hhf: Heavy-Hitter Filter (HHF) qdisc") +Signed-off-by: William Liu +Reviewed-by: Savino Dicanosa +Link: https://patch.msgid.link/20250812235725.45243-1-will@willsroot.io +Signed-off-by: Jakub Kicinski +--- + include/net/sch_generic.h | 11 ++++++++--- + net/sched/sch_codel.c | 12 +++++++----- + net/sched/sch_fq.c | 12 +++++++----- + net/sched/sch_fq_codel.c | 12 +++++++----- + net/sched/sch_fq_pie.c | 12 +++++++----- + net/sched/sch_hhf.c | 12 +++++++----- + net/sched/sch_pie.c | 12 +++++++----- + 7 files changed, 50 insertions(+), 33 deletions(-) + +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index a9d7e9ecee6b5..f0f64beb9486f 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -1038,12 +1038,17 @@ static inline struct sk_buff *qdisc_dequeue_internal(struct Qdisc *sch, bool dir + skb = __skb_dequeue(&sch->gso_skb); + if (skb) { + sch->q.qlen--; ++ qdisc_qstats_backlog_dec(sch, skb); + return skb; + } +- if (direct) +- return __qdisc_dequeue_head(&sch->q); +- else ++ if (direct) { ++ skb = __qdisc_dequeue_head(&sch->q); ++ if (skb) ++ qdisc_qstats_backlog_dec(sch, skb); ++ return skb; ++ } else { + return sch->dequeue(sch); ++ } + } + + static inline struct sk_buff *qdisc_dequeue_head(struct Qdisc *sch) +diff --git a/net/sched/sch_codel.c b/net/sched/sch_codel.c +index afd9805cb68e2..655eb64cd1761 100644 +--- a/net/sched/sch_codel.c ++++ b/net/sched/sch_codel.c +@@ -100,9 +100,9 @@ static const struct nla_policy codel_policy[TCA_CODEL_MAX + 1] = { + static int codel_change(struct Qdisc *sch, struct nlattr *opt, + struct netlink_ext_ack *extack) + { ++ unsigned int dropped_pkts = 0, dropped_bytes = 0; + struct codel_sched_data *q = qdisc_priv(sch); + struct nlattr *tb[TCA_CODEL_MAX + 1]; +- unsigned int qlen, dropped = 0; + int err; + + err = nla_parse_nested_deprecated(tb, TCA_CODEL_MAX, opt, +@@ -141,15 +141,17 @@ static int codel_change(struct Qdisc *sch, struct nlattr *opt, + WRITE_ONCE(q->params.ecn, + !!nla_get_u32(tb[TCA_CODEL_ECN])); + +- qlen = sch->q.qlen; + while (sch->q.qlen > sch->limit) { + struct sk_buff *skb = qdisc_dequeue_internal(sch, true); + +- dropped += qdisc_pkt_len(skb); +- qdisc_qstats_backlog_dec(sch, skb); ++ if (!skb) ++ break; ++ ++ dropped_pkts++; ++ dropped_bytes += qdisc_pkt_len(skb); + rtnl_qdisc_drop(skb, sch); + } +- qdisc_tree_reduce_backlog(sch, qlen - sch->q.qlen, dropped); ++ qdisc_tree_reduce_backlog(sch, dropped_pkts, dropped_bytes); + + sch_tree_unlock(sch); + return 0; +diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c +index 1af9768cd8ff6..df11a54e390cf 100644 +--- a/net/sched/sch_fq.c ++++ b/net/sched/sch_fq.c +@@ -1001,11 +1001,11 @@ static int fq_load_priomap(struct fq_sched_data *q, + static int fq_change(struct Qdisc *sch, struct nlattr *opt, + struct netlink_ext_ack *extack) + { ++ unsigned int dropped_pkts = 0, dropped_bytes = 0; + struct fq_sched_data *q = qdisc_priv(sch); + struct nlattr *tb[TCA_FQ_MAX + 1]; +- int err, drop_count = 0; +- unsigned drop_len = 0; + u32 fq_log; ++ int err; + + err = nla_parse_nested_deprecated(tb, TCA_FQ_MAX, opt, fq_policy, + NULL); +@@ -1112,16 +1112,18 @@ static int fq_change(struct Qdisc *sch, struct nlattr *opt, + err = fq_resize(sch, fq_log); + sch_tree_lock(sch); + } ++ + while (sch->q.qlen > sch->limit) { + struct sk_buff *skb = qdisc_dequeue_internal(sch, false); + + if (!skb) + break; +- drop_len += qdisc_pkt_len(skb); ++ ++ dropped_pkts++; ++ dropped_bytes += qdisc_pkt_len(skb); + rtnl_kfree_skbs(skb, skb); +- drop_count++; + } +- qdisc_tree_reduce_backlog(sch, drop_count, drop_len); ++ qdisc_tree_reduce_backlog(sch, dropped_pkts, dropped_bytes); + + sch_tree_unlock(sch); + return err; +diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c +index 551b7cbdae90c..5e4c69d4df419 100644 +--- a/net/sched/sch_fq_codel.c ++++ b/net/sched/sch_fq_codel.c +@@ -365,6 +365,7 @@ static const struct nla_policy fq_codel_policy[TCA_FQ_CODEL_MAX + 1] = { + static int fq_codel_change(struct Qdisc *sch, struct nlattr *opt, + struct netlink_ext_ack *extack) + { ++ unsigned int dropped_pkts = 0, dropped_bytes = 0; + struct fq_codel_sched_data *q = qdisc_priv(sch); + struct nlattr *tb[TCA_FQ_CODEL_MAX + 1]; + u32 quantum = 0; +@@ -442,13 +443,14 @@ static int fq_codel_change(struct Qdisc *sch, struct nlattr *opt, + q->memory_usage > q->memory_limit) { + struct sk_buff *skb = qdisc_dequeue_internal(sch, false); + +- q->cstats.drop_len += qdisc_pkt_len(skb); ++ if (!skb) ++ break; ++ ++ dropped_pkts++; ++ dropped_bytes += qdisc_pkt_len(skb); + rtnl_kfree_skbs(skb, skb); +- q->cstats.drop_count++; + } +- qdisc_tree_reduce_backlog(sch, q->cstats.drop_count, q->cstats.drop_len); +- q->cstats.drop_count = 0; +- q->cstats.drop_len = 0; ++ qdisc_tree_reduce_backlog(sch, dropped_pkts, dropped_bytes); + + sch_tree_unlock(sch); + return 0; +diff --git a/net/sched/sch_fq_pie.c b/net/sched/sch_fq_pie.c +index 6ed08b705f8a5..5881d34d58b49 100644 +--- a/net/sched/sch_fq_pie.c ++++ b/net/sched/sch_fq_pie.c +@@ -285,10 +285,9 @@ static struct sk_buff *fq_pie_qdisc_dequeue(struct Qdisc *sch) + static int fq_pie_change(struct Qdisc *sch, struct nlattr *opt, + struct netlink_ext_ack *extack) + { ++ unsigned int dropped_pkts = 0, dropped_bytes = 0; + struct fq_pie_sched_data *q = qdisc_priv(sch); + struct nlattr *tb[TCA_FQ_PIE_MAX + 1]; +- unsigned int len_dropped = 0; +- unsigned int num_dropped = 0; + int err; + + err = nla_parse_nested(tb, TCA_FQ_PIE_MAX, opt, fq_pie_policy, extack); +@@ -366,11 +365,14 @@ static int fq_pie_change(struct Qdisc *sch, struct nlattr *opt, + while (sch->q.qlen > sch->limit) { + struct sk_buff *skb = qdisc_dequeue_internal(sch, false); + +- len_dropped += qdisc_pkt_len(skb); +- num_dropped += 1; ++ if (!skb) ++ break; ++ ++ dropped_pkts++; ++ dropped_bytes += qdisc_pkt_len(skb); + rtnl_kfree_skbs(skb, skb); + } +- qdisc_tree_reduce_backlog(sch, num_dropped, len_dropped); ++ qdisc_tree_reduce_backlog(sch, dropped_pkts, dropped_bytes); + + sch_tree_unlock(sch); + return 0; +diff --git a/net/sched/sch_hhf.c b/net/sched/sch_hhf.c +index 5aa434b467073..2d4855e28a286 100644 +--- a/net/sched/sch_hhf.c ++++ b/net/sched/sch_hhf.c +@@ -508,9 +508,9 @@ static const struct nla_policy hhf_policy[TCA_HHF_MAX + 1] = { + static int hhf_change(struct Qdisc *sch, struct nlattr *opt, + struct netlink_ext_ack *extack) + { ++ unsigned int dropped_pkts = 0, dropped_bytes = 0; + struct hhf_sched_data *q = qdisc_priv(sch); + struct nlattr *tb[TCA_HHF_MAX + 1]; +- unsigned int qlen, prev_backlog; + int err; + u64 non_hh_quantum; + u32 new_quantum = q->quantum; +@@ -561,15 +561,17 @@ static int hhf_change(struct Qdisc *sch, struct nlattr *opt, + usecs_to_jiffies(us)); + } + +- qlen = sch->q.qlen; +- prev_backlog = sch->qstats.backlog; + while (sch->q.qlen > sch->limit) { + struct sk_buff *skb = qdisc_dequeue_internal(sch, false); + ++ if (!skb) ++ break; ++ ++ dropped_pkts++; ++ dropped_bytes += qdisc_pkt_len(skb); + rtnl_kfree_skbs(skb, skb); + } +- qdisc_tree_reduce_backlog(sch, qlen - sch->q.qlen, +- prev_backlog - sch->qstats.backlog); ++ qdisc_tree_reduce_backlog(sch, dropped_pkts, dropped_bytes); + + sch_tree_unlock(sch); + return 0; +diff --git a/net/sched/sch_pie.c b/net/sched/sch_pie.c +index db61cbc21b138..a6a5874f4c3a9 100644 +--- a/net/sched/sch_pie.c ++++ b/net/sched/sch_pie.c +@@ -138,9 +138,9 @@ static const struct nla_policy pie_policy[TCA_PIE_MAX + 1] = { + static int pie_change(struct Qdisc *sch, struct nlattr *opt, + struct netlink_ext_ack *extack) + { ++ unsigned int dropped_pkts = 0, dropped_bytes = 0; + struct pie_sched_data *q = qdisc_priv(sch); + struct nlattr *tb[TCA_PIE_MAX + 1]; +- unsigned int qlen, dropped = 0; + int err; + + err = nla_parse_nested_deprecated(tb, TCA_PIE_MAX, opt, pie_policy, +@@ -190,15 +190,17 @@ static int pie_change(struct Qdisc *sch, struct nlattr *opt, + nla_get_u32(tb[TCA_PIE_DQ_RATE_ESTIMATOR])); + + /* Drop excess packets if new limit is lower */ +- qlen = sch->q.qlen; + while (sch->q.qlen > sch->limit) { + struct sk_buff *skb = qdisc_dequeue_internal(sch, true); + +- dropped += qdisc_pkt_len(skb); +- qdisc_qstats_backlog_dec(sch, skb); ++ if (!skb) ++ break; ++ ++ dropped_pkts++; ++ dropped_bytes += qdisc_pkt_len(skb); + rtnl_qdisc_drop(skb, sch); + } +- qdisc_tree_reduce_backlog(sch, qlen - sch->q.qlen, dropped); ++ qdisc_tree_reduce_backlog(sch, dropped_pkts, dropped_bytes); + + sch_tree_unlock(sch); + return 0; +-- +2.43.0 + diff --git a/SPECS/kernel-rt/CVE-2025-39745.patch b/SPECS/kernel-rt/CVE-2025-39745.patch new file mode 100644 index 0000000000..86b7b34554 --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-39745.patch @@ -0,0 +1,52 @@ +From 75aa7cb87d85ed76966c409bd5d80266d9c77b17 Mon Sep 17 00:00:00 2001 +From: Zqiang +Date: Wed, 7 May 2025 19:26:03 +0800 +Subject: [PATCH 3/4] rcutorture: Fix rcutorture_one_extend_check() splat in RT + kernels + +For built with CONFIG_PREEMPT_RT=y kernels, running rcutorture +tests resulted in the following splat: + +[ 68.797425] rcutorture_one_extend_check during change: Current 0x1 To add 0x1 To remove 0x0 preempt_count() 0x0 +[ 68.797533] WARNING: CPU: 2 PID: 512 at kernel/rcu/rcutorture.c:1993 rcutorture_one_extend_check+0x419/0x560 [rcutorture] +[ 68.797601] Call Trace: +[ 68.797602] +[ 68.797619] ? lockdep_softirqs_off+0xa5/0x160 +[ 68.797631] rcutorture_one_extend+0x18e/0xcc0 [rcutorture 2466dbd2ff34dbaa36049cb323a80c3306ac997c] +[ 68.797646] ? local_clock+0x19/0x40 +[ 68.797659] rcu_torture_one_read+0xf0/0x280 [rcutorture 2466dbd2ff34dbaa36049cb323a80c3306ac997c] +[ 68.797678] ? __pfx_rcu_torture_one_read+0x10/0x10 [rcutorture 2466dbd2ff34dbaa36049cb323a80c3306ac997c] +[ 68.797804] ? __pfx_rcu_torture_timer+0x10/0x10 [rcutorture 2466dbd2ff34dbaa36049cb323a80c3306ac997c] +[ 68.797815] rcu-torture: rcu_torture_reader task started +[ 68.797824] rcu-torture: Creating rcu_torture_reader task +[ 68.797824] rcu_torture_reader+0x238/0x580 [rcutorture 2466dbd2ff34dbaa36049cb323a80c3306ac997c] +[ 68.797836] ? kvm_sched_clock_read+0x15/0x30 + +Disable BH does not change the SOFTIRQ corresponding bits in +preempt_count() for RT kernels, this commit therefore use +softirq_count() to check the if BH is disabled. + +Reviewed-by: Paul E. McKenney +Signed-off-by: Zqiang +Signed-off-by: Joel Fernandes +Signed-off-by: Neeraj Upadhyay (AMD) +--- + kernel/rcu/rcutorture.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c +index 609687fd742d5..b3c8651f14729 100644 +--- a/kernel/rcu/rcutorture.c ++++ b/kernel/rcu/rcutorture.c +@@ -430,7 +430,7 @@ rcu_read_delay(struct torture_random_state *rrsp, struct rt_read_seg *rtrsp) + !(torture_random(rrsp) % (nrealreaders * 2000 * longdelay_ms))) { + started = cur_ops->get_gp_seq(); + ts = rcu_trace_clock_local(); +- if (preempt_count() & (SOFTIRQ_MASK | HARDIRQ_MASK)) ++ if ((preempt_count() & HARDIRQ_MASK) || softirq_count()) + longdelay_ms = 5; /* Avoid triggering BH limits. */ + mdelay(longdelay_ms); + rtrsp->rt_delay_ms = longdelay_ms; +-- +2.43.0 + diff --git a/SPECS/kernel-rt/CVE-2025-39764.patch b/SPECS/kernel-rt/CVE-2025-39764.patch new file mode 100644 index 0000000000..51b13efc30 --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-39764.patch @@ -0,0 +1,160 @@ +From 8dbe282d028de5d53c830caa6f801089803b0dbf Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Fri, 1 Aug 2025 17:25:09 +0200 +Subject: [PATCH 2/4] netfilter: ctnetlink: remove refcounting in expectation + dumpers + +Same pattern as previous patch: do not keep the expectation object +alive via refcount, only store a cookie value and then use that +as the skip hint for dump resumption. + +AFAICS this has the same issue as the one resolved in the conntrack +dumper, when we do + if (!refcount_inc_not_zero(&exp->use)) + +to increment the refcount, there is a chance that exp == last, which +causes a double-increment of the refcount and subsequent memory leak. + +Fixes: cf6994c2b981 ("[NETFILTER]: nf_conntrack_netlink: sync expectation dumping with conntrack table dumping") +Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + net/netfilter/nf_conntrack_netlink.c | 41 ++++++++++++---------------- + 1 file changed, 17 insertions(+), 24 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 18a91c031554c..13836723223e0 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -3146,23 +3146,27 @@ ctnetlink_expect_event(unsigned int events, const struct nf_exp_event *item) + return 0; + } + #endif +-static int ctnetlink_exp_done(struct netlink_callback *cb) ++ ++static unsigned long ctnetlink_exp_id(const struct nf_conntrack_expect *exp) + { +- if (cb->args[1]) +- nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]); +- return 0; ++ unsigned long id = (unsigned long)exp; ++ ++ id += nf_ct_get_id(exp->master); ++ id += exp->class; ++ ++ return id ? id : 1; + } + + static int + ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + { + struct net *net = sock_net(skb->sk); +- struct nf_conntrack_expect *exp, *last; + struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); + u_int8_t l3proto = nfmsg->nfgen_family; ++ unsigned long last_id = cb->args[1]; ++ struct nf_conntrack_expect *exp; + + rcu_read_lock(); +- last = (struct nf_conntrack_expect *)cb->args[1]; + for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) { + restart: + hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]], +@@ -3174,7 +3178,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + continue; + + if (cb->args[1]) { +- if (exp != last) ++ if (ctnetlink_exp_id(exp) != last_id) + continue; + cb->args[1] = 0; + } +@@ -3183,9 +3187,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + cb->nlh->nlmsg_seq, + IPCTNL_MSG_EXP_NEW, + exp) < 0) { +- if (!refcount_inc_not_zero(&exp->use)) +- continue; +- cb->args[1] = (unsigned long)exp; ++ cb->args[1] = ctnetlink_exp_id(exp); + goto out; + } + } +@@ -3196,32 +3198,30 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + } + out: + rcu_read_unlock(); +- if (last) +- nf_ct_expect_put(last); +- + return skb->len; + } + + static int + ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + { +- struct nf_conntrack_expect *exp, *last; + struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); + struct nf_conn *ct = cb->data; + struct nf_conn_help *help = nfct_help(ct); + u_int8_t l3proto = nfmsg->nfgen_family; ++ unsigned long last_id = cb->args[1]; ++ struct nf_conntrack_expect *exp; + + if (cb->args[0]) + return 0; + + rcu_read_lock(); +- last = (struct nf_conntrack_expect *)cb->args[1]; ++ + restart: + hlist_for_each_entry_rcu(exp, &help->expectations, lnode) { + if (l3proto && exp->tuple.src.l3num != l3proto) + continue; + if (cb->args[1]) { +- if (exp != last) ++ if (ctnetlink_exp_id(exp) != last_id) + continue; + cb->args[1] = 0; + } +@@ -3229,9 +3229,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + cb->nlh->nlmsg_seq, + IPCTNL_MSG_EXP_NEW, + exp) < 0) { +- if (!refcount_inc_not_zero(&exp->use)) +- continue; +- cb->args[1] = (unsigned long)exp; ++ cb->args[1] = ctnetlink_exp_id(exp); + goto out; + } + } +@@ -3242,9 +3240,6 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + cb->args[0] = 1; + out: + rcu_read_unlock(); +- if (last) +- nf_ct_expect_put(last); +- + return skb->len; + } + +@@ -3263,7 +3258,6 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, + struct nf_conntrack_zone zone; + struct netlink_dump_control c = { + .dump = ctnetlink_exp_ct_dump_table, +- .done = ctnetlink_exp_done, + }; + + err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, +@@ -3313,7 +3307,6 @@ static int ctnetlink_get_expect(struct sk_buff *skb, + else { + struct netlink_dump_control c = { + .dump = ctnetlink_exp_dump_table, +- .done = ctnetlink_exp_done, + }; + return netlink_dump_start(info->sk, skb, info->nlh, &c); + } +-- +2.43.0 + diff --git a/SPECS/kernel-rt/CVE-2025-39789.patch b/SPECS/kernel-rt/CVE-2025-39789.patch new file mode 100644 index 0000000000..10a29845b4 --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-39789.patch @@ -0,0 +1,119 @@ +From b3cebc12805fd709f20b6c0bbe9bbeffce7169ce Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 15 Sep 2025 15:51:56 +0800 +Subject: [PATCH 1/4] crypto: x86/aegis - Add missing error checks + +The skcipher_walk functions can allocate memory and can fail, so +checking for errors is necessary. + +Fixes: 1d373d4e8e15 ("crypto: x86 - Add optimized AEGIS implementations") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +--- + arch/x86/crypto/aegis128-aesni-glue.c | 36 +++++++++++++++++++-------- + 1 file changed, 26 insertions(+), 10 deletions(-) + +diff --git a/arch/x86/crypto/aegis128-aesni-glue.c b/arch/x86/crypto/aegis128-aesni-glue.c +index 4623189000d89..f3a8f0c4d0b07 100644 +--- a/arch/x86/crypto/aegis128-aesni-glue.c ++++ b/arch/x86/crypto/aegis128-aesni-glue.c +@@ -114,22 +114,27 @@ static void crypto_aegis128_aesni_process_ad( + } + } + +-static void crypto_aegis128_aesni_process_crypt( ++static int crypto_aegis128_aesni_process_crypt( + struct aegis_state *state, struct skcipher_walk *walk, + const struct aegis_crypt_ops *ops) + { ++ int err = 0; ++ + while (walk->nbytes >= AEGIS128_BLOCK_SIZE) { + ops->crypt_blocks(state, + round_down(walk->nbytes, AEGIS128_BLOCK_SIZE), + walk->src.virt.addr, walk->dst.virt.addr); +- skcipher_walk_done(walk, walk->nbytes % AEGIS128_BLOCK_SIZE); ++ err = skcipher_walk_done(walk, walk->nbytes % AEGIS128_BLOCK_SIZE); ++ if (err) ++ break; + } + +- if (walk->nbytes) { ++ if (walk->nbytes && !err) { + ops->crypt_tail(state, walk->nbytes, walk->src.virt.addr, + walk->dst.virt.addr); +- skcipher_walk_done(walk, 0); ++ err = skcipher_walk_done(walk, 0); + } ++ return err; + } + + static struct aegis_ctx *crypto_aegis128_aesni_ctx(struct crypto_aead *aead) +@@ -162,7 +167,7 @@ static int crypto_aegis128_aesni_setauthsize(struct crypto_aead *tfm, + return 0; + } + +-static void crypto_aegis128_aesni_crypt(struct aead_request *req, ++static int crypto_aegis128_aesni_crypt(struct aead_request *req, + struct aegis_block *tag_xor, + unsigned int cryptlen, + const struct aegis_crypt_ops *ops) +@@ -171,17 +176,22 @@ static void crypto_aegis128_aesni_crypt(struct aead_request *req, + struct aegis_ctx *ctx = crypto_aegis128_aesni_ctx(tfm); + struct skcipher_walk walk; + struct aegis_state state; ++ int err; + +- ops->skcipher_walk_init(&walk, req, true); ++ err = ops->skcipher_walk_init(&walk, req, true); ++ if (err) ++ return err; + + kernel_fpu_begin(); + + crypto_aegis128_aesni_init(&state, ctx->key.bytes, req->iv); + crypto_aegis128_aesni_process_ad(&state, req->src, req->assoclen); +- crypto_aegis128_aesni_process_crypt(&state, &walk, ops); +- crypto_aegis128_aesni_final(&state, tag_xor, req->assoclen, cryptlen); ++ err = crypto_aegis128_aesni_process_crypt(&state, &walk, ops); ++ if (err == 0) ++ crypto_aegis128_aesni_final(&state, tag_xor, req->assoclen, cryptlen); + + kernel_fpu_end(); ++ return err; + } + + static int crypto_aegis128_aesni_encrypt(struct aead_request *req) +@@ -196,8 +206,11 @@ static int crypto_aegis128_aesni_encrypt(struct aead_request *req) + struct aegis_block tag = {}; + unsigned int authsize = crypto_aead_authsize(tfm); + unsigned int cryptlen = req->cryptlen; ++ int err; + +- crypto_aegis128_aesni_crypt(req, &tag, cryptlen, &OPS); ++ err = crypto_aegis128_aesni_crypt(req, &tag, cryptlen, &OPS); ++ if (err) ++ return err; + + scatterwalk_map_and_copy(tag.bytes, req->dst, + req->assoclen + cryptlen, authsize, 1); +@@ -218,11 +231,14 @@ static int crypto_aegis128_aesni_decrypt(struct aead_request *req) + struct aegis_block tag; + unsigned int authsize = crypto_aead_authsize(tfm); + unsigned int cryptlen = req->cryptlen - authsize; ++ int err; + + scatterwalk_map_and_copy(tag.bytes, req->src, + req->assoclen + cryptlen, authsize, 0); + +- crypto_aegis128_aesni_crypt(req, &tag, cryptlen, &OPS); ++ err = crypto_aegis128_aesni_crypt(req, &tag, cryptlen, &OPS); ++ if (err) ++ return err; + + return crypto_memneq(tag.bytes, zeros.bytes, authsize) ? -EBADMSG : 0; + } +-- +2.43.0 + diff --git a/SPECS/kernel-rt/CVE-2025-39833.patch b/SPECS/kernel-rt/CVE-2025-39833.patch new file mode 100644 index 0000000000..e5caa06f96 --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-39833.patch @@ -0,0 +1,100 @@ +From 47b3584e3e6b3d19aec5cda2a453c5ef9a117b27 Mon Sep 17 00:00:00 2001 +From: Vladimir Riabchun +Date: Fri, 22 Aug 2025 20:11:36 +0200 +Subject: [PATCH 2/5] mISDN: hfcpci: Fix warning when deleting uninitialized + timer + +With CONFIG_DEBUG_OBJECTS_TIMERS unloading hfcpci module leads +to the following splat: + +[ 250.215892] ODEBUG: assert_init not available (active state 0) object: ffffffffc01a3dc0 object type: timer_list hint: 0x0 +[ 250.217520] WARNING: CPU: 0 PID: 233 at lib/debugobjects.c:612 debug_print_object+0x1b6/0x2c0 +[ 250.218775] Modules linked in: hfcpci(-) mISDN_core +[ 250.219537] CPU: 0 UID: 0 PID: 233 Comm: rmmod Not tainted 6.17.0-rc2-g6f713187ac98 #2 PREEMPT(voluntary) +[ 250.220940] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 250.222377] RIP: 0010:debug_print_object+0x1b6/0x2c0 +[ 250.223131] Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 4f 41 56 48 8b 14 dd a0 4e 01 9f 48 89 ee 48 c7 c7 20 46 01 9f e8 cb 84d +[ 250.225805] RSP: 0018:ffff888015ea7c08 EFLAGS: 00010286 +[ 250.226608] RAX: 0000000000000000 RBX: 0000000000000005 RCX: ffffffff9be93a95 +[ 250.227708] RDX: 1ffff1100d945138 RSI: 0000000000000008 RDI: ffff88806ca289c0 +[ 250.228993] RBP: ffffffff9f014a00 R08: 0000000000000001 R09: ffffed1002bd4f39 +[ 250.230043] R10: ffff888015ea79cf R11: 0000000000000001 R12: 0000000000000001 +[ 250.231185] R13: ffffffff9eea0520 R14: 0000000000000000 R15: ffff888015ea7cc8 +[ 250.232454] FS: 00007f3208f01540(0000) GS:ffff8880caf5a000(0000) knlGS:0000000000000000 +[ 250.233851] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 250.234856] CR2: 00007f32090a7421 CR3: 0000000004d63000 CR4: 00000000000006f0 +[ 250.236117] Call Trace: +[ 250.236599] +[ 250.236967] ? trace_irq_enable.constprop.0+0xd4/0x130 +[ 250.237920] debug_object_assert_init+0x1f6/0x310 +[ 250.238762] ? __pfx_debug_object_assert_init+0x10/0x10 +[ 250.239658] ? __lock_acquire+0xdea/0x1c70 +[ 250.240369] __try_to_del_timer_sync+0x69/0x140 +[ 250.241172] ? __pfx___try_to_del_timer_sync+0x10/0x10 +[ 250.242058] ? __timer_delete_sync+0xc6/0x120 +[ 250.242842] ? lock_acquire+0x30/0x80 +[ 250.243474] ? __timer_delete_sync+0xc6/0x120 +[ 250.244262] __timer_delete_sync+0x98/0x120 +[ 250.245015] HFC_cleanup+0x10/0x20 [hfcpci] +[ 250.245704] __do_sys_delete_module+0x348/0x510 +[ 250.246461] ? __pfx___do_sys_delete_module+0x10/0x10 +[ 250.247338] do_syscall_64+0xc1/0x360 +[ 250.247924] entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fix this by initializing hfc_tl timer with DEFINE_TIMER macro. +Also, use mod_timer instead of manual timeout update. + +Fixes: 87c5fa1bb426 ("mISDN: Add different different timer settings for hfc-pci") +Fixes: 175302f6b79e ("mISDN: hfcpci: Fix use-after-free bug in hfcpci_softirq") +Signed-off-by: Vladimir Riabchun +Link: https://patch.msgid.link/aKiy2D_LiWpQ5kXq@vova-pc +Signed-off-by: Jakub Kicinski +--- + drivers/isdn/hardware/mISDN/hfcpci.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c +index ce7bccc9faa3..465503e966b9 100644 +--- a/drivers/isdn/hardware/mISDN/hfcpci.c ++++ b/drivers/isdn/hardware/mISDN/hfcpci.c +@@ -39,12 +39,13 @@ + + #include "hfc_pci.h" + ++static void hfcpci_softirq(struct timer_list *unused); + static const char *hfcpci_revision = "2.0"; + + static int HFC_cnt; + static uint debug; + static uint poll, tics; +-static struct timer_list hfc_tl; ++static DEFINE_TIMER(hfc_tl, hfcpci_softirq); + static unsigned long hfc_jiffies; + + MODULE_AUTHOR("Karsten Keil"); +@@ -2305,8 +2306,7 @@ hfcpci_softirq(struct timer_list *unused) + hfc_jiffies = jiffies + 1; + else + hfc_jiffies += tics; +- hfc_tl.expires = hfc_jiffies; +- add_timer(&hfc_tl); ++ mod_timer(&hfc_tl, hfc_jiffies); + } + + static int __init +@@ -2332,10 +2332,8 @@ HFC_init(void) + if (poll != HFCPCI_BTRANS_THRESHOLD) { + printk(KERN_INFO "%s: Using alternative poll value of %d\n", + __func__, poll); +- timer_setup(&hfc_tl, hfcpci_softirq, 0); +- hfc_tl.expires = jiffies + tics; +- hfc_jiffies = hfc_tl.expires; +- add_timer(&hfc_tl); ++ hfc_jiffies = jiffies + tics; ++ mod_timer(&hfc_tl, hfc_jiffies); + } else + tics = 0; /* indicate the use of controller's timer */ + +-- +2.43.0 + diff --git a/SPECS/kernel-rt/CVE-2025-39859.patch b/SPECS/kernel-rt/CVE-2025-39859.patch new file mode 100644 index 0000000000..46cc8aa06e --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-39859.patch @@ -0,0 +1,51 @@ +From 43f5728e5be5317c53cb12bcf03bcac59a555f2d Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Thu, 28 Aug 2025 16:29:49 +0800 +Subject: [PATCH 5/5] ptp: ocp: fix use-after-free bugs causing by + ptp_ocp_watchdog + +The ptp_ocp_detach() only shuts down the watchdog timer if it is +pending. However, if the timer handler is already running, the +timer_delete_sync() is not called. This leads to race conditions +where the devlink that contains the ptp_ocp is deallocated while +the timer handler is still accessing it, resulting in use-after-free +bugs. The following details one of the race scenarios. + +(thread 1) | (thread 2) +ptp_ocp_remove() | + ptp_ocp_detach() | ptp_ocp_watchdog() + if (timer_pending(&bp->watchdog))| bp = timer_container_of() + timer_delete_sync() | + | + devlink_free(devlink) //free | + | bp-> //use + +Resolve this by unconditionally calling timer_delete_sync() to ensure +the timer is reliably deactivated, preventing any access after free. + +Fixes: 773bda964921 ("ptp: ocp: Expose various resources on the timecard.") +Signed-off-by: Duoming Zhou +Reviewed-by: Vadim Fedorenko +Link: https://patch.msgid.link/20250828082949.28189-1-duoming@zju.edu.cn +Signed-off-by: Jakub Kicinski +--- + drivers/ptp/ptp_ocp.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/ptp/ptp_ocp.c b/drivers/ptp/ptp_ocp.c +index efbd80db778d..8d0a679119d9 100644 +--- a/drivers/ptp/ptp_ocp.c ++++ b/drivers/ptp/ptp_ocp.c +@@ -4556,8 +4556,7 @@ ptp_ocp_detach(struct ptp_ocp *bp) + ptp_ocp_debugfs_remove_device(bp); + ptp_ocp_detach_sysfs(bp); + ptp_ocp_attr_group_del(bp); +- if (timer_pending(&bp->watchdog)) +- del_timer_sync(&bp->watchdog); ++ timer_delete_sync(&bp->watchdog); + if (bp->ts0) + ptp_ocp_unregister_ext(bp->ts0); + if (bp->ts1) +-- +2.43.0 + diff --git a/SPECS/kernel-rt/CVE-2025-39905.patch b/SPECS/kernel-rt/CVE-2025-39905.patch new file mode 100644 index 0000000000..20c2bb27bd --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-39905.patch @@ -0,0 +1,160 @@ +From f80b8625e8c4738ab34e0e5711d774ccfee9397a Mon Sep 17 00:00:00 2001 +From: Vladimir Oltean +Date: Thu, 4 Sep 2025 15:52:37 +0300 +Subject: [PATCH 4/5] net: phylink: add lock for serializing concurrent + pl->phydev writes with resolver + +Currently phylink_resolve() protects itself against concurrent +phylink_bringup_phy() or phylink_disconnect_phy() calls which modify +pl->phydev by relying on pl->state_mutex. + +The problem is that in phylink_resolve(), pl->state_mutex is in a lock +inversion state with pl->phydev->lock. So pl->phydev->lock needs to be +acquired prior to pl->state_mutex. But that requires dereferencing +pl->phydev in the first place, and without pl->state_mutex, that is +racy. + +Hence the reason for the extra lock. Currently it is redundant, but it +will serve a functional purpose once mutex_lock(&phy->lock) will be +moved outside of the mutex_lock(&pl->state_mutex) section. + +Another alternative considered would have been to let phylink_resolve() +acquire the rtnl_mutex, which is also held when phylink_bringup_phy() +and phylink_disconnect_phy() are called. But since phylink_disconnect_phy() +runs under rtnl_lock(), it would deadlock with phylink_resolve() when +calling flush_work(&pl->resolve). Additionally, it would have been +undesirable because it would have unnecessarily blocked many other call +paths as well in the entire kernel, so the smaller-scoped lock was +preferred. + +Link: https://lore.kernel.org/netdev/aLb6puGVzR29GpPx@shell.armlinux.org.uk/ +Signed-off-by: Vladimir Oltean +Reviewed-by: Russell King (Oracle) +Link: https://patch.msgid.link/20250904125238.193990-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +--- + drivers/net/phy/phylink.c | 48 ++++++++++++++++++++++++--------------- + 1 file changed, 30 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c +index 9fc70e108883..c980f59d756f 100644 +--- a/drivers/net/phy/phylink.c ++++ b/drivers/net/phy/phylink.c +@@ -73,6 +73,8 @@ struct phylink { + struct phylink_link_state *s); + + struct mutex state_mutex; ++ /* Serialize updates to pl->phydev with phylink_resolve() */ ++ struct mutex phydev_mutex; + struct phylink_link_state phy_state; + struct work_struct resolve; + unsigned int pcs_neg_mode; +@@ -1475,8 +1477,11 @@ static void phylink_resolve(struct work_struct *w) + struct net_device *ndev = pl->netdev; + bool mac_config = false; + bool retrigger = false; ++ struct phy_device *phy; + bool cur_link_state; + ++ mutex_lock(&pl->phydev_mutex); ++ phy = pl->phydev; + mutex_lock(&pl->state_mutex); + if (pl->netdev) + cur_link_state = netif_carrier_ok(ndev); +@@ -1518,24 +1523,23 @@ static void phylink_resolve(struct work_struct *w) + &link_state); + } + +- /* If we have a phy, the "up" state is the union of +- * both the PHY and the MAC ++ /* If we have a phy, the "up" state is the union of both the ++ * PHY and the MAC ++ */ ++ if (phy) ++ link_state.link &= pl->phy_state.link; ++ ++ /* Only update if the PHY link is up */ ++ if (phy && pl->phy_state.link) { ++ /* If the interface has changed, force a link down ++ * event if the link isn't already down, and re-resolve. + */ +- if (pl->phydev) +- link_state.link &= pl->phy_state.link; +- +- /* Only update if the PHY link is up */ +- if (pl->phydev && pl->phy_state.link) { +- /* If the interface has changed, force a +- * link down event if the link isn't already +- * down, and re-resolve. +- */ +- if (link_state.interface != +- pl->phy_state.interface) { +- retrigger = true; +- link_state.link = false; +- } +- link_state.interface = pl->phy_state.interface; ++ if (link_state.interface != pl->phy_state.interface) { ++ retrigger = true; ++ link_state.link = false; ++ } ++ ++ link_state.interface = pl->phy_state.interface; + + /* If we are doing rate matching, then the + * link speed/duplex comes from the PHY +@@ -1585,6 +1589,7 @@ static void phylink_resolve(struct work_struct *w) + queue_work(system_power_efficient_wq, &pl->resolve); + } + mutex_unlock(&pl->state_mutex); ++ mutex_unlock(&pl->phydev_mutex); + } + + static void phylink_run_resolve(struct phylink *pl) +@@ -1727,6 +1732,7 @@ struct phylink *phylink_create(struct phylink_config *config, + if (!pl) + return ERR_PTR(-ENOMEM); + ++ mutex_init(&pl->phydev_mutex); + mutex_init(&pl->state_mutex); + INIT_WORK(&pl->resolve, phylink_resolve); + +@@ -1972,6 +1978,7 @@ static int phylink_bringup_phy(struct phylink *pl, struct phy_device *phy, + dev_name(&phy->mdio.dev), phy->drv->name, irq_str); + kfree(irq_str); + ++ mutex_lock(&pl->phydev_mutex); + mutex_lock(&phy->lock); + mutex_lock(&pl->state_mutex); + pl->phydev = phy; +@@ -1987,6 +1994,7 @@ static int phylink_bringup_phy(struct phylink *pl, struct phy_device *phy, + linkmode_copy(phy->advertising, config.advertising); + mutex_unlock(&pl->state_mutex); + mutex_unlock(&phy->lock); ++ mutex_unlock(&pl->phydev_mutex); + + phylink_dbg(pl, + "phy: %s setting supported %*pb advertising %*pb\n", +@@ -2152,6 +2160,7 @@ void phylink_disconnect_phy(struct phylink *pl) + + ASSERT_RTNL(); + ++ mutex_lock(&pl->phydev_mutex); + phy = pl->phydev; + if (phy) { + mutex_lock(&phy->lock); +@@ -2159,8 +2168,11 @@ void phylink_disconnect_phy(struct phylink *pl) + pl->phydev = NULL; + mutex_unlock(&pl->state_mutex); + mutex_unlock(&phy->lock); +- flush_work(&pl->resolve); ++ } ++ mutex_unlock(&pl->phydev_mutex); + ++ if (phy) { ++ flush_work(&pl->resolve); + phy_disconnect(phy); + } + } +-- +2.43.0 + diff --git a/SPECS/kernel-rt/CVE-2025-39910.patch b/SPECS/kernel-rt/CVE-2025-39910.patch new file mode 100644 index 0000000000..667e25520a --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-39910.patch @@ -0,0 +1,205 @@ +From 04ba72d9f91cd5c66a5be498d53f8d1a5712fd47 Mon Sep 17 00:00:00 2001 +From: "Uladzislau Rezki (Sony)" +Date: Sun, 31 Aug 2025 14:10:58 +0200 +Subject: [PATCH] mm/vmalloc, mm/kasan: respect gfp mask in + kasan_populate_vmalloc() + +kasan_populate_vmalloc() and its helpers ignore the caller's gfp_mask and +always allocate memory using the hardcoded GFP_KERNEL flag. This makes +them inconsistent with vmalloc(), which was recently extended to support +GFP_NOFS and GFP_NOIO allocations. + +Page table allocations performed during shadow population also ignore the +external gfp_mask. To preserve the intended semantics of GFP_NOFS and +GFP_NOIO, wrap the apply_to_page_range() calls into the appropriate +memalloc scope. + +xfs calls vmalloc with GFP_NOFS, so this bug could lead to deadlock. + +There was a report here +https://lkml.kernel.org/r/686ea951.050a0220.385921.0016.GAE@google.com + +This patch: + - Extends kasan_populate_vmalloc() and helpers to take gfp_mask; + - Passes gfp_mask down to alloc_pages_bulk() and __get_free_page(); + - Enforces GFP_NOFS/NOIO semantics with memalloc_*_save()/restore() + around apply_to_page_range(); + - Updates vmalloc.c and percpu allocator call sites accordingly. + +Link: https://lkml.kernel.org/r/20250831121058.92971-1-urezki@gmail.com +Fixes: 451769ebb7e7 ("mm/vmalloc: alloc GFP_NO{FS,IO} for vmalloc") +Signed-off-by: Uladzislau Rezki (Sony) +Reported-by: syzbot+3470c9ffee63e4abafeb@syzkaller.appspotmail.com +Reviewed-by: Andrey Ryabinin +Cc: Baoquan He +Cc: Michal Hocko +Cc: Alexander Potapenko +Cc: Andrey Konovalov +Cc: Dmitry Vyukov +Cc: Vincenzo Frascino +Cc: +Signed-off-by: Andrew Morton +--- + include/linux/kasan.h | 6 +++--- + mm/kasan/shadow.c | 31 ++++++++++++++++++++++++------- + mm/vmalloc.c | 8 ++++---- + 3 files changed, 31 insertions(+), 14 deletions(-) + +diff --git a/include/linux/kasan.h b/include/linux/kasan.h +index 6bbfc8aa42e8f..ef81c543ea2a0 100644 +--- a/include/linux/kasan.h ++++ b/include/linux/kasan.h +@@ -564,7 +564,7 @@ static inline void kasan_init_hw_tags(void) { } + #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS) + + void kasan_populate_early_vm_area_shadow(void *start, unsigned long size); +-int kasan_populate_vmalloc(unsigned long addr, unsigned long size); ++int kasan_populate_vmalloc(unsigned long addr, unsigned long size, gfp_t gfp_mask); + void kasan_release_vmalloc(unsigned long start, unsigned long end, + unsigned long free_region_start, + unsigned long free_region_end, +@@ -576,7 +576,7 @@ static inline void kasan_populate_early_vm_area_shadow(void *start, + unsigned long size) + { } + static inline int kasan_populate_vmalloc(unsigned long start, +- unsigned long size) ++ unsigned long size, gfp_t gfp_mask) + { + return 0; + } +@@ -612,7 +612,7 @@ static __always_inline void kasan_poison_vmalloc(const void *start, + static inline void kasan_populate_early_vm_area_shadow(void *start, + unsigned long size) { } + static inline int kasan_populate_vmalloc(unsigned long start, +- unsigned long size) ++ unsigned long size, gfp_t gfp_mask) + { + return 0; + } +diff --git a/mm/kasan/shadow.c b/mm/kasan/shadow.c +index d2c70cd2afb1d..f934816e9dad3 100644 +--- a/mm/kasan/shadow.c ++++ b/mm/kasan/shadow.c +@@ -335,13 +335,13 @@ static void ___free_pages_bulk(struct page **pages, int nr_pages) + } + } + +-static int ___alloc_pages_bulk(struct page **pages, int nr_pages) ++static int ___alloc_pages_bulk(struct page **pages, int nr_pages, gfp_t gfp_mask) + { + unsigned long nr_populated, nr_total = nr_pages; + struct page **page_array = pages; + + while (nr_pages) { +- nr_populated = alloc_pages_bulk(GFP_KERNEL, nr_pages, pages); ++ nr_populated = alloc_pages_bulk_array(gfp_mask, nr_pages, pages); + if (!nr_populated) { + ___free_pages_bulk(page_array, nr_total - nr_pages); + return -ENOMEM; +@@ -353,25 +353,42 @@ static int ___alloc_pages_bulk(struct page **pages, int nr_pages) + return 0; + } + +-static int __kasan_populate_vmalloc(unsigned long start, unsigned long end) ++static int __kasan_populate_vmalloc(unsigned long start, unsigned long end, gfp_t gfp_mask) + { + unsigned long nr_pages, nr_total = PFN_UP(end - start); + struct vmalloc_populate_data data; ++ unsigned int flags; + int ret = 0; + +- data.pages = (struct page **)__get_free_page(GFP_KERNEL | __GFP_ZERO); ++ data.pages = (struct page **)__get_free_page(gfp_mask | __GFP_ZERO); + if (!data.pages) + return -ENOMEM; + + while (nr_total) { + nr_pages = min(nr_total, PAGE_SIZE / sizeof(data.pages[0])); +- ret = ___alloc_pages_bulk(data.pages, nr_pages); ++ ret = ___alloc_pages_bulk(data.pages, nr_pages, gfp_mask); + if (ret) + break; + + data.start = start; ++ ++ /* ++ * page tables allocations ignore external gfp mask, enforce it ++ * by the scope API ++ */ ++ if ((gfp_mask & (__GFP_FS | __GFP_IO)) == __GFP_IO) ++ flags = memalloc_nofs_save(); ++ else if ((gfp_mask & (__GFP_FS | __GFP_IO)) == 0) ++ flags = memalloc_noio_save(); ++ + ret = apply_to_page_range(&init_mm, start, nr_pages * PAGE_SIZE, + kasan_populate_vmalloc_pte, &data); ++ ++ if ((gfp_mask & (__GFP_FS | __GFP_IO)) == __GFP_IO) ++ memalloc_nofs_restore(flags); ++ else if ((gfp_mask & (__GFP_FS | __GFP_IO)) == 0) ++ memalloc_noio_restore(flags); ++ + ___free_pages_bulk(data.pages, nr_pages); + if (ret) + break; +@@ -385,7 +402,7 @@ static int __kasan_populate_vmalloc(unsigned long start, unsigned long end) + return ret; + } + +-int kasan_populate_vmalloc(unsigned long addr, unsigned long size) ++int kasan_populate_vmalloc(unsigned long addr, unsigned long size, gfp_t gfp_mask) + { + unsigned long shadow_start, shadow_end; + int ret; +@@ -414,7 +431,7 @@ int kasan_populate_vmalloc(unsigned long addr, unsigned long size) + shadow_start = PAGE_ALIGN_DOWN(shadow_start); + shadow_end = PAGE_ALIGN(shadow_end); + +- ret = __kasan_populate_vmalloc(shadow_start, shadow_end); ++ ret = __kasan_populate_vmalloc(shadow_start, shadow_end, gfp_mask); + if (ret) + return ret; + +diff --git a/mm/vmalloc.c b/mm/vmalloc.c +index 3519c4e4f841d..79e6c0e599f5f 100644 +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -1977,6 +1977,8 @@ static struct vmap_area *alloc_vmap_area(unsigned long size, + if (unlikely(!vmap_initialized)) + return ERR_PTR(-EBUSY); + ++ /* Only reclaim behaviour flags are relevant. */ ++ gfp_mask = gfp_mask & GFP_RECLAIM_MASK; + might_sleep(); + + /* +@@ -1989,8 +1991,6 @@ static struct vmap_area *alloc_vmap_area(unsigned long size, + */ + va = node_alloc(size, align, vstart, vend, &addr, &vn_id); + if (!va) { +- gfp_mask = gfp_mask & GFP_RECLAIM_MASK; +- + va = kmem_cache_alloc_node(vmap_area_cachep, gfp_mask, node); + if (unlikely(!va)) + return ERR_PTR(-ENOMEM); +@@ -2040,7 +2040,7 @@ static struct vmap_area *alloc_vmap_area(unsigned long size, + BUG_ON(va->va_start < vstart); + BUG_ON(va->va_end > vend); + +- ret = kasan_populate_vmalloc(addr, size); ++ ret = kasan_populate_vmalloc(addr, size, gfp_mask); + if (ret) { + free_vmap_area(va); + return ERR_PTR(ret); +@@ -4789,7 +4789,7 @@ struct vm_struct **pcpu_get_vm_areas(const unsigned long *offsets, + + /* populate the kasan shadow space */ + for (area = 0; area < nr_vms; area++) { +- if (kasan_populate_vmalloc(vas[area]->va_start, sizes[area])) ++ if (kasan_populate_vmalloc(vas[area]->va_start, sizes[area], GFP_KERNEL)) + goto err_free_shadow; + } + +-- +2.43.0 + diff --git a/SPECS/kernel-rt/CVE-2025-39925.patch b/SPECS/kernel-rt/CVE-2025-39925.patch new file mode 100644 index 0000000000..7c6a463b3c --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-39925.patch @@ -0,0 +1,130 @@ +From 9c9badcf05fae5f58bbe1d6d7bafa56d5be2d6a2 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Mon, 25 Aug 2025 23:07:24 +0900 +Subject: [PATCH 3/5] can: j1939: implement NETDEV_UNREGISTER notification + handler + +syzbot is reporting + + unregister_netdevice: waiting for vcan0 to become free. Usage count = 2 + +problem, for j1939 protocol did not have NETDEV_UNREGISTER notification +handler for undoing changes made by j1939_sk_bind(). + +Commit 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct +callback") expects that a call to j1939_priv_put() can be unconditionally +delayed until j1939_sk_sock_destruct() is called. But we need to call +j1939_priv_put() against an extra ref held by j1939_sk_bind() call +(as a part of undoing changes made by j1939_sk_bind()) as soon as +NETDEV_UNREGISTER notification fires (i.e. before j1939_sk_sock_destruct() +is called via j1939_sk_release()). Otherwise, the extra ref on "struct +j1939_priv" held by j1939_sk_bind() call prevents "struct net_device" from +dropping the usage count to 1; making it impossible for +unregister_netdevice() to continue. + +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=881d65229ca4f9ae8c84 +Tested-by: syzbot +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Fixes: 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct callback") +Signed-off-by: Tetsuo Handa +Tested-by: Oleksij Rempel +Acked-by: Oleksij Rempel +Link: https://patch.msgid.link/ac9db9a4-6c30-416e-8b94-96e6559d55b2@I-love.SAKURA.ne.jp +[mkl: remove space in front of label] +Signed-off-by: Marc Kleine-Budde +--- + net/can/j1939/j1939-priv.h | 1 + + net/can/j1939/main.c | 3 +++ + net/can/j1939/socket.c | 49 ++++++++++++++++++++++++++++++++++++++ + 3 files changed, 53 insertions(+) + +diff --git a/net/can/j1939/j1939-priv.h b/net/can/j1939/j1939-priv.h +index 31a93cae5111..81f58924b4ac 100644 +--- a/net/can/j1939/j1939-priv.h ++++ b/net/can/j1939/j1939-priv.h +@@ -212,6 +212,7 @@ void j1939_priv_get(struct j1939_priv *priv); + + /* notify/alert all j1939 sockets bound to ifindex */ + void j1939_sk_netdev_event_netdown(struct j1939_priv *priv); ++void j1939_sk_netdev_event_unregister(struct j1939_priv *priv); + int j1939_cancel_active_session(struct j1939_priv *priv, struct sock *sk); + void j1939_tp_init(struct j1939_priv *priv); + +diff --git a/net/can/j1939/main.c b/net/can/j1939/main.c +index 7e8a20f2fc42..3706a872ecaf 100644 +--- a/net/can/j1939/main.c ++++ b/net/can/j1939/main.c +@@ -377,6 +377,9 @@ static int j1939_netdev_notify(struct notifier_block *nb, + j1939_sk_netdev_event_netdown(priv); + j1939_ecu_unmap_all(priv); + break; ++ case NETDEV_UNREGISTER: ++ j1939_sk_netdev_event_unregister(priv); ++ break; + } + + j1939_priv_put(priv); +diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c +index 75c2b9b23390..15380255969c 100644 +--- a/net/can/j1939/socket.c ++++ b/net/can/j1939/socket.c +@@ -1301,6 +1301,55 @@ void j1939_sk_netdev_event_netdown(struct j1939_priv *priv) + read_unlock_bh(&priv->j1939_socks_lock); + } + ++void j1939_sk_netdev_event_unregister(struct j1939_priv *priv) ++{ ++ struct sock *sk; ++ struct j1939_sock *jsk; ++ bool wait_rcu = false; ++ ++rescan: /* The caller is holding a ref on this "priv" via j1939_priv_get_by_ndev(). */ ++ read_lock_bh(&priv->j1939_socks_lock); ++ list_for_each_entry(jsk, &priv->j1939_socks, list) { ++ /* Skip if j1939_jsk_add() is not called on this socket. */ ++ if (!(jsk->state & J1939_SOCK_BOUND)) ++ continue; ++ sk = &jsk->sk; ++ sock_hold(sk); ++ read_unlock_bh(&priv->j1939_socks_lock); ++ /* Check if j1939_jsk_del() is not yet called on this socket after holding ++ * socket's lock, for both j1939_sk_bind() and j1939_sk_release() call ++ * j1939_jsk_del() with socket's lock held. ++ */ ++ lock_sock(sk); ++ if (jsk->state & J1939_SOCK_BOUND) { ++ /* Neither j1939_sk_bind() nor j1939_sk_release() called j1939_jsk_del(). ++ * Make this socket no longer bound, by pretending as if j1939_sk_bind() ++ * dropped old references but did not get new references. ++ */ ++ j1939_jsk_del(priv, jsk); ++ j1939_local_ecu_put(priv, jsk->addr.src_name, jsk->addr.sa); ++ j1939_netdev_stop(priv); ++ /* Call j1939_priv_put() now and prevent j1939_sk_sock_destruct() from ++ * calling the corresponding j1939_priv_put(). ++ * ++ * j1939_sk_sock_destruct() is supposed to call j1939_priv_put() after ++ * an RCU grace period. But since the caller is holding a ref on this ++ * "priv", we can defer synchronize_rcu() until immediately before ++ * the caller calls j1939_priv_put(). ++ */ ++ j1939_priv_put(priv); ++ jsk->priv = NULL; ++ wait_rcu = true; ++ } ++ release_sock(sk); ++ sock_put(sk); ++ goto rescan; ++ } ++ read_unlock_bh(&priv->j1939_socks_lock); ++ if (wait_rcu) ++ synchronize_rcu(); ++} ++ + static int j1939_sk_no_ioctlcmd(struct socket *sock, unsigned int cmd, + unsigned long arg) + { +-- +2.43.0 + diff --git a/SPECS/kernel-rt/CVE-2025-39933.patch b/SPECS/kernel-rt/CVE-2025-39933.patch new file mode 100644 index 0000000000..d209d0b957 --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-39933.patch @@ -0,0 +1,63 @@ +From 4fd5128a1bd2ecd10acd8c33e9e3fcefaa8ce927 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 10 Sep 2025 11:49:05 +0200 +Subject: [PATCH 1/5] smb: client: let recv_done verify data_offset, + data_length and remaining_data_length + +This is inspired by the related server fixes. + +Cc: Tom Talpey +Cc: Long Li +Cc: linux-cifs@vger.kernel.org +Cc: samba-technical@lists.samba.org +Reviewed-by: Namjae Jeon +Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection") +Signed-off-by: Stefan Metzmacher +Signed-off-by: Steve French +--- + fs/smb/client/smbdirect.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c +index b1548269c308..b9b49cb501ee 100644 +--- a/fs/smb/client/smbdirect.c ++++ b/fs/smb/client/smbdirect.c +@@ -445,7 +445,11 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) + struct smbd_response *response = + container_of(wc->wr_cqe, struct smbd_response, cqe); + struct smbd_connection *info = response->info; +- int data_length = 0; ++ struct smbdirect_socket *sc = &info->socket; ++ struct smbdirect_socket_parameters *sp = &sc->parameters; ++ u32 data_offset = 0; ++ u32 data_length = 0; ++ u32 remaining_data_length = 0; + + log_rdma_recv(INFO, "response=0x%p type=%d wc status=%d wc opcode %d byte_len=%d pkey_index=%u\n", + response, response->type, wc->status, wc->opcode, +@@ -477,7 +481,22 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) + /* SMBD data transfer packet */ + case SMBD_TRANSFER_DATA: + data_transfer = smbd_response_payload(response); ++ ++ if (wc->byte_len < ++ offsetof(struct smbdirect_data_transfer, padding)) ++ goto error; ++ ++ remaining_data_length = le32_to_cpu(data_transfer->remaining_data_length); ++ data_offset = le32_to_cpu(data_transfer->data_offset); + data_length = le32_to_cpu(data_transfer->data_length); ++ if (wc->byte_len < data_offset || ++ (u64)wc->byte_len < (u64)data_offset + data_length) ++ goto error; ++ ++ if (remaining_data_length > sp->max_fragmented_recv_size || ++ data_length > sp->max_fragmented_recv_size || ++ (u64)remaining_data_length + (u64)data_length > (u64)sp->max_fragmented_recv_size) ++ goto error; + + if (data_length) { + if (info->full_packet_received) +-- +2.43.0 + diff --git a/SPECS/kernel-rt/CVE-2025-39981.patch b/SPECS/kernel-rt/CVE-2025-39981.patch new file mode 100644 index 0000000000..604d2ef847 --- /dev/null +++ b/SPECS/kernel-rt/CVE-2025-39981.patch @@ -0,0 +1,770 @@ +From df40aa342d6e076b8800cce0a596d98ea61cc02a Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Mon, 25 Aug 2025 10:03:07 -0400 +Subject: [PATCH] Bluetooth: MGMT: Fix possible UAFs + +This attemps to fix possible UAFs caused by struct mgmt_pending being +freed while still being processed like in the following trace, in order +to fix mgmt_pending_valid is introduce and use to check if the +mgmt_pending hasn't been removed from the pending list, on the complete +callbacks it is used to check and in addtion remove the cmd from the list +while holding mgmt_pending_lock to avoid TOCTOU problems since if the cmd +is left on the list it can still be accessed and freed. + +BUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223 +Read of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55 + +CPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +Workqueue: hci0 hci_cmd_sync_work +Call Trace: + + dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xca/0x240 mm/kasan/report.c:482 + kasan_report+0x118/0x150 mm/kasan/report.c:595 + mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223 + hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332 + process_one_work kernel/workqueue.c:3238 [inline] + process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321 + worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 + kthread+0x711/0x8a0 kernel/kthread.c:464 + ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 + ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245 + + +Allocated by task 12210: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 + poison_kmalloc_redzone mm/kasan/common.c:377 [inline] + __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 + kasan_kmalloc include/linux/kasan.h:260 [inline] + __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364 + kmalloc_noprof include/linux/slab.h:905 [inline] + kzalloc_noprof include/linux/slab.h:1039 [inline] + mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269 + mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296 + __add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247 + add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364 + hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 + hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 + sock_sendmsg_nosec net/socket.c:714 [inline] + __sock_sendmsg+0x219/0x270 net/socket.c:729 + sock_write_iter+0x258/0x330 net/socket.c:1133 + new_sync_write fs/read_write.c:593 [inline] + vfs_write+0x5c9/0xb30 fs/read_write.c:686 + ksys_write+0x145/0x250 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Freed by task 12221: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 + kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 + poison_slab_object mm/kasan/common.c:247 [inline] + __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264 + kasan_slab_free include/linux/kasan.h:233 [inline] + slab_free_hook mm/slub.c:2381 [inline] + slab_free mm/slub.c:4648 [inline] + kfree+0x18e/0x440 mm/slub.c:4847 + mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline] + mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257 + __mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444 + hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290 + hci_dev_do_close net/bluetooth/hci_core.c:501 [inline] + hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526 + sock_do_ioctl+0xd9/0x300 net/socket.c:1192 + sock_ioctl+0x576/0x790 net/socket.c:1313 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:907 [inline] + __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: cf75ad8b41d2 ("Bluetooth: hci_sync: Convert MGMT_SET_POWERED") +Fixes: 2bd1b237616b ("Bluetooth: hci_sync: Convert MGMT_OP_SET_DISCOVERABLE to use cmd_sync") +Fixes: f056a65783cc ("Bluetooth: hci_sync: Convert MGMT_OP_SET_CONNECTABLE to use cmd_sync") +Fixes: 3244845c6307 ("Bluetooth: hci_sync: Convert MGMT_OP_SSP") +Fixes: d81a494c43df ("Bluetooth: hci_sync: Convert MGMT_OP_SET_LE") +Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh") +Fixes: 6f6ff38a1e14 ("Bluetooth: hci_sync: Convert MGMT_OP_SET_LOCAL_NAME") +Fixes: 71efbb08b538 ("Bluetooth: hci_sync: Convert MGMT_OP_SET_PHY_CONFIGURATION") +Fixes: b747a83690c8 ("Bluetooth: hci_sync: Refactor add Adv Monitor") +Fixes: abfeea476c68 ("Bluetooth: hci_sync: Convert MGMT_OP_START_DISCOVERY") +Fixes: 26ac4c56f03f ("Bluetooth: hci_sync: Convert MGMT_OP_SET_ADVERTISING") +Reported-by: cen zhang +Signed-off-by: Luiz Augusto von Dentz +--- + net/bluetooth/mgmt.c | 259 ++++++++++++++++++++++++++------------ + net/bluetooth/mgmt_util.c | 46 +++++++ + net/bluetooth/mgmt_util.h | 3 + + 3 files changed, 231 insertions(+), 77 deletions(-) + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 563cae4f76b0..bc14b9410bcf 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -1318,8 +1318,7 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err) + struct mgmt_mode *cp; + + /* Make sure cmd still outstanding. */ +- if (err == -ECANCELED || +- cmd != pending_find(MGMT_OP_SET_POWERED, hdev)) ++ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) + return; + + cp = cmd->param; +@@ -1346,23 +1345,29 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err) + mgmt_status(err)); + } + +- mgmt_pending_remove(cmd); ++ mgmt_pending_free(cmd); + } + + static int set_powered_sync(struct hci_dev *hdev, void *data) + { + struct mgmt_pending_cmd *cmd = data; +- struct mgmt_mode *cp; ++ struct mgmt_mode cp; ++ ++ mutex_lock(&hdev->mgmt_pending_lock); + + /* Make sure cmd still outstanding. */ +- if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev)) ++ if (!__mgmt_pending_listed(hdev, cmd)) { ++ mutex_unlock(&hdev->mgmt_pending_lock); + return -ECANCELED; ++ } + +- cp = cmd->param; ++ memcpy(&cp, cmd->param, sizeof(cp)); ++ ++ mutex_unlock(&hdev->mgmt_pending_lock); + + BT_DBG("%s", hdev->name); + +- return hci_set_powered_sync(hdev, cp->val); ++ return hci_set_powered_sync(hdev, cp.val); + } + + static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data, +@@ -1511,8 +1516,7 @@ static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data, + bt_dev_dbg(hdev, "err %d", err); + + /* Make sure cmd still outstanding. */ +- if (err == -ECANCELED || +- cmd != pending_find(MGMT_OP_SET_DISCOVERABLE, hdev)) ++ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) + return; + + hci_dev_lock(hdev); +@@ -1534,12 +1538,15 @@ static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data, + new_settings(hdev, cmd->sk); + + done: +- mgmt_pending_remove(cmd); ++ mgmt_pending_free(cmd); + hci_dev_unlock(hdev); + } + + static int set_discoverable_sync(struct hci_dev *hdev, void *data) + { ++ if (!mgmt_pending_listed(hdev, data)) ++ return -ECANCELED; ++ + BT_DBG("%s", hdev->name); + + return hci_update_discoverable_sync(hdev); +@@ -1686,8 +1693,7 @@ static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data, + bt_dev_dbg(hdev, "err %d", err); + + /* Make sure cmd still outstanding. */ +- if (err == -ECANCELED || +- cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) ++ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) + return; + + hci_dev_lock(hdev); +@@ -1702,7 +1708,7 @@ static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data, + new_settings(hdev, cmd->sk); + + done: +- mgmt_pending_remove(cmd); ++ mgmt_pending_free(cmd); + + hci_dev_unlock(hdev); + } +@@ -1738,6 +1744,9 @@ static int set_connectable_update_settings(struct hci_dev *hdev, + + static int set_connectable_sync(struct hci_dev *hdev, void *data) + { ++ if (!mgmt_pending_listed(hdev, data)) ++ return -ECANCELED; ++ + BT_DBG("%s", hdev->name); + + return hci_update_connectable_sync(hdev); +@@ -1914,14 +1923,17 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) + { + struct cmd_lookup match = { NULL, hdev }; + struct mgmt_pending_cmd *cmd = data; +- struct mgmt_mode *cp = cmd->param; +- u8 enable = cp->val; ++ struct mgmt_mode *cp; ++ u8 enable; + bool changed; + + /* Make sure cmd still outstanding. */ +- if (err == -ECANCELED || cmd != pending_find(MGMT_OP_SET_SSP, hdev)) ++ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) + return; + ++ cp = cmd->param; ++ enable = cp->val; ++ + if (err) { + u8 mgmt_err = mgmt_status(err); + +@@ -1930,8 +1942,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) + new_settings(hdev, NULL); + } + +- mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, true, +- cmd_status_rsp, &mgmt_err); ++ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err); + return; + } + +@@ -1941,7 +1952,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) + changed = hci_dev_test_and_clear_flag(hdev, HCI_SSP_ENABLED); + } + +- mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, true, settings_rsp, &match); ++ settings_rsp(cmd, &match); + + if (changed) + new_settings(hdev, match.sk); +@@ -1955,14 +1966,25 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) + static int set_ssp_sync(struct hci_dev *hdev, void *data) + { + struct mgmt_pending_cmd *cmd = data; +- struct mgmt_mode *cp = cmd->param; ++ struct mgmt_mode cp; + bool changed = false; + int err; + +- if (cp->val) ++ mutex_lock(&hdev->mgmt_pending_lock); ++ ++ if (!__mgmt_pending_listed(hdev, cmd)) { ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ return -ECANCELED; ++ } ++ ++ memcpy(&cp, cmd->param, sizeof(cp)); ++ ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ ++ if (cp.val) + changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED); + +- err = hci_write_ssp_mode_sync(hdev, cp->val); ++ err = hci_write_ssp_mode_sync(hdev, cp.val); + + if (!err && changed) + hci_dev_clear_flag(hdev, HCI_SSP_ENABLED); +@@ -2055,32 +2077,50 @@ static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len) + + static void set_le_complete(struct hci_dev *hdev, void *data, int err) + { ++ struct mgmt_pending_cmd *cmd = data; + struct cmd_lookup match = { NULL, hdev }; + u8 status = mgmt_status(err); + + bt_dev_dbg(hdev, "err %d", err); + +- if (status) { +- mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, true, cmd_status_rsp, +- &status); ++ if (err == -ECANCELED || !mgmt_pending_valid(hdev, data)) + return; ++ ++ if (status) { ++ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, status); ++ goto done; + } + +- mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, true, settings_rsp, &match); ++ settings_rsp(cmd, &match); + + new_settings(hdev, match.sk); + + if (match.sk) + sock_put(match.sk); ++ ++done: ++ mgmt_pending_free(cmd); + } + + static int set_le_sync(struct hci_dev *hdev, void *data) + { + struct mgmt_pending_cmd *cmd = data; +- struct mgmt_mode *cp = cmd->param; +- u8 val = !!cp->val; ++ struct mgmt_mode cp; ++ u8 val; + int err; + ++ mutex_lock(&hdev->mgmt_pending_lock); ++ ++ if (!__mgmt_pending_listed(hdev, cmd)) { ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ return -ECANCELED; ++ } ++ ++ memcpy(&cp, cmd->param, sizeof(cp)); ++ val = !!cp.val; ++ ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ + if (!val) { + hci_clear_adv_instance_sync(hdev, NULL, 0x00, true); + +@@ -2122,7 +2162,12 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err) + { + struct mgmt_pending_cmd *cmd = data; + u8 status = mgmt_status(err); +- struct sock *sk = cmd->sk; ++ struct sock *sk; ++ ++ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) ++ return; ++ ++ sk = cmd->sk; + + if (status) { + mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true, +@@ -2137,24 +2182,37 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err) + static int set_mesh_sync(struct hci_dev *hdev, void *data) + { + struct mgmt_pending_cmd *cmd = data; +- struct mgmt_cp_set_mesh *cp = cmd->param; +- size_t len = cmd->param_len; ++ struct mgmt_cp_set_mesh cp; ++ size_t len; ++ ++ mutex_lock(&hdev->mgmt_pending_lock); ++ ++ if (!__mgmt_pending_listed(hdev, cmd)) { ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ return -ECANCELED; ++ } ++ ++ memcpy(&cp, cmd->param, sizeof(cp)); ++ ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ ++ len = cmd->param_len; + + memset(hdev->mesh_ad_types, 0, sizeof(hdev->mesh_ad_types)); + +- if (cp->enable) ++ if (cp.enable) + hci_dev_set_flag(hdev, HCI_MESH); + else + hci_dev_clear_flag(hdev, HCI_MESH); + +- hdev->le_scan_interval = __le16_to_cpu(cp->period); +- hdev->le_scan_window = __le16_to_cpu(cp->window); ++ hdev->le_scan_interval = __le16_to_cpu(cp.period); ++ hdev->le_scan_window = __le16_to_cpu(cp.window); + +- len -= sizeof(*cp); ++ len -= sizeof(cp); + + /* If filters don't fit, forward all adv pkts */ + if (len <= sizeof(hdev->mesh_ad_types)) +- memcpy(hdev->mesh_ad_types, cp->ad_types, len); ++ memcpy(hdev->mesh_ad_types, cp.ad_types, len); + + hci_update_passive_scan_sync(hdev); + return 0; +@@ -3801,15 +3859,16 @@ static int name_changed_sync(struct hci_dev *hdev, void *data) + static void set_name_complete(struct hci_dev *hdev, void *data, int err) + { + struct mgmt_pending_cmd *cmd = data; +- struct mgmt_cp_set_local_name *cp = cmd->param; ++ struct mgmt_cp_set_local_name *cp; + u8 status = mgmt_status(err); + + bt_dev_dbg(hdev, "err %d", err); + +- if (err == -ECANCELED || +- cmd != pending_find(MGMT_OP_SET_LOCAL_NAME, hdev)) ++ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) + return; + ++ cp = cmd->param; ++ + if (status) { + mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, + status); +@@ -3821,16 +3880,27 @@ static void set_name_complete(struct hci_dev *hdev, void *data, int err) + hci_cmd_sync_queue(hdev, name_changed_sync, NULL, NULL); + } + +- mgmt_pending_remove(cmd); ++ mgmt_pending_free(cmd); + } + + static int set_name_sync(struct hci_dev *hdev, void *data) + { + struct mgmt_pending_cmd *cmd = data; +- struct mgmt_cp_set_local_name *cp = cmd->param; ++ struct mgmt_cp_set_local_name cp; ++ ++ mutex_lock(&hdev->mgmt_pending_lock); ++ ++ if (!__mgmt_pending_listed(hdev, cmd)) { ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ return -ECANCELED; ++ } ++ ++ memcpy(&cp, cmd->param, sizeof(cp)); ++ ++ mutex_unlock(&hdev->mgmt_pending_lock); + + if (lmp_bredr_capable(hdev)) { +- hci_update_name_sync(hdev, cp->name); ++ hci_update_name_sync(hdev, cp.name); + hci_update_eir_sync(hdev); + } + +@@ -3982,12 +4052,10 @@ int mgmt_phy_configuration_changed(struct hci_dev *hdev, struct sock *skip) + static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err) + { + struct mgmt_pending_cmd *cmd = data; +- struct sk_buff *skb = cmd->skb; ++ struct sk_buff *skb; + u8 status = mgmt_status(err); + +- if (err == -ECANCELED || +- cmd != pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev)) +- return; ++ skb = cmd->skb; + + if (!status) { + if (!skb) +@@ -4014,7 +4082,7 @@ static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err) + if (skb && !IS_ERR(skb)) + kfree_skb(skb); + +- mgmt_pending_remove(cmd); ++ mgmt_pending_free(cmd); + } + + static int set_default_phy_sync(struct hci_dev *hdev, void *data) +@@ -4022,7 +4090,9 @@ static int set_default_phy_sync(struct hci_dev *hdev, void *data) + struct mgmt_pending_cmd *cmd = data; + struct mgmt_cp_set_phy_configuration *cp = cmd->param; + struct hci_cp_le_set_default_phy cp_phy; +- u32 selected_phys = __le32_to_cpu(cp->selected_phys); ++ u32 selected_phys; ++ ++ selected_phys = __le32_to_cpu(cp->selected_phys); + + memset(&cp_phy, 0, sizeof(cp_phy)); + +@@ -4162,7 +4232,7 @@ static int set_phy_configuration(struct sock *sk, struct hci_dev *hdev, + goto unlock; + } + +- cmd = mgmt_pending_add(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data, ++ cmd = mgmt_pending_new(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data, + len); + if (!cmd) + err = -ENOMEM; +@@ -5252,7 +5322,17 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev, + { + struct mgmt_rp_add_adv_patterns_monitor rp; + struct mgmt_pending_cmd *cmd = data; +- struct adv_monitor *monitor = cmd->user_data; ++ struct adv_monitor *monitor; ++ ++ /* This is likely the result of hdev being closed and mgmt_index_removed ++ * is attempting to clean up any pending command so ++ * hci_adv_monitors_clear is about to be called which will take care of ++ * freeing the adv_monitor instances. ++ */ ++ if (status == -ECANCELED && !mgmt_pending_valid(hdev, cmd)) ++ return; ++ ++ monitor = cmd->user_data; + + hci_dev_lock(hdev); + +@@ -5278,9 +5358,20 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev, + static int mgmt_add_adv_patterns_monitor_sync(struct hci_dev *hdev, void *data) + { + struct mgmt_pending_cmd *cmd = data; +- struct adv_monitor *monitor = cmd->user_data; ++ struct adv_monitor *mon; ++ ++ mutex_lock(&hdev->mgmt_pending_lock); ++ ++ if (!__mgmt_pending_listed(hdev, cmd)) { ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ return -ECANCELED; ++ } ++ ++ mon = cmd->user_data; ++ ++ mutex_unlock(&hdev->mgmt_pending_lock); + +- return hci_add_adv_monitor(hdev, monitor); ++ return hci_add_adv_monitor(hdev, mon); + } + + static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev, +@@ -5547,7 +5638,8 @@ static int remove_adv_monitor(struct sock *sk, struct hci_dev *hdev, + status); + } + +-static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, int err) ++static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, ++ int err) + { + struct mgmt_rp_read_local_oob_data mgmt_rp; + size_t rp_size = sizeof(mgmt_rp); +@@ -5567,7 +5659,8 @@ static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, int e + bt_dev_dbg(hdev, "status %d", status); + + if (status) { +- mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, status); ++ mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, ++ status); + goto remove; + } + +@@ -5872,17 +5965,12 @@ static void start_discovery_complete(struct hci_dev *hdev, void *data, int err) + + bt_dev_dbg(hdev, "err %d", err); + +- if (err == -ECANCELED) +- return; +- +- if (cmd != pending_find(MGMT_OP_START_DISCOVERY, hdev) && +- cmd != pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev) && +- cmd != pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev)) ++ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) + return; + + mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_status(err), + cmd->param, 1); +- mgmt_pending_remove(cmd); ++ mgmt_pending_free(cmd); + + hci_discovery_set_state(hdev, err ? DISCOVERY_STOPPED: + DISCOVERY_FINDING); +@@ -5890,6 +5978,9 @@ static void start_discovery_complete(struct hci_dev *hdev, void *data, int err) + + static int start_discovery_sync(struct hci_dev *hdev, void *data) + { ++ if (!mgmt_pending_listed(hdev, data)) ++ return -ECANCELED; ++ + return hci_start_discovery_sync(hdev); + } + +@@ -6112,15 +6203,14 @@ static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err) + { + struct mgmt_pending_cmd *cmd = data; + +- if (err == -ECANCELED || +- cmd != pending_find(MGMT_OP_STOP_DISCOVERY, hdev)) ++ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) + return; + + bt_dev_dbg(hdev, "err %d", err); + + mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_status(err), + cmd->param, 1); +- mgmt_pending_remove(cmd); ++ mgmt_pending_free(cmd); + + if (!err) + hci_discovery_set_state(hdev, DISCOVERY_STOPPED); +@@ -6128,6 +6218,9 @@ static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err) + + static int stop_discovery_sync(struct hci_dev *hdev, void *data) + { ++ if (!mgmt_pending_listed(hdev, data)) ++ return -ECANCELED; ++ + return hci_stop_discovery_sync(hdev); + } + +@@ -6337,14 +6430,18 @@ static void enable_advertising_instance(struct hci_dev *hdev, int err) + + static void set_advertising_complete(struct hci_dev *hdev, void *data, int err) + { ++ struct mgmt_pending_cmd *cmd = data; + struct cmd_lookup match = { NULL, hdev }; + u8 instance; + struct adv_info *adv_instance; + u8 status = mgmt_status(err); + ++ if (err == -ECANCELED || !mgmt_pending_valid(hdev, data)) ++ return; ++ + if (status) { +- mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, true, +- cmd_status_rsp, &status); ++ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, status); ++ mgmt_pending_free(cmd); + return; + } + +@@ -6353,8 +6450,7 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err) + else + hci_dev_clear_flag(hdev, HCI_ADVERTISING); + +- mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, true, settings_rsp, +- &match); ++ settings_rsp(cmd, &match); + + new_settings(hdev, match.sk); + +@@ -6386,10 +6482,23 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err) + static int set_adv_sync(struct hci_dev *hdev, void *data) + { + struct mgmt_pending_cmd *cmd = data; +- struct mgmt_mode *cp = cmd->param; +- u8 val = !!cp->val; ++ struct mgmt_mode cp; ++ u8 val; + +- if (cp->val == 0x02) ++ mutex_lock(&hdev->mgmt_pending_lock); ++ ++ if (!__mgmt_pending_listed(hdev, cmd)) { ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ return -ECANCELED; ++ } ++ ++ memcpy(&cp, cmd->param, sizeof(cp)); ++ ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ ++ val = !!cp.val; ++ ++ if (cp.val == 0x02) + hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE); + else + hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE); +@@ -8142,10 +8251,6 @@ static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data, + u8 status = mgmt_status(err); + u16 eir_len; + +- if (err == -ECANCELED || +- cmd != pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev)) +- return; +- + if (!status) { + if (!skb) + status = MGMT_STATUS_FAILED; +@@ -8252,7 +8357,7 @@ static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data, + kfree_skb(skb); + + kfree(mgmt_rp); +- mgmt_pending_remove(cmd); ++ mgmt_pending_free(cmd); + } + + static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk, +@@ -8261,7 +8366,7 @@ static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk, + struct mgmt_pending_cmd *cmd; + int err; + +- cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev, ++ cmd = mgmt_pending_new(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev, + cp, sizeof(*cp)); + if (!cmd) + return -ENOMEM; +diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c +index a88a07da3947..aa7b5585cb26 100644 +--- a/net/bluetooth/mgmt_util.c ++++ b/net/bluetooth/mgmt_util.c +@@ -320,6 +320,52 @@ void mgmt_pending_remove(struct mgmt_pending_cmd *cmd) + mgmt_pending_free(cmd); + } + ++bool __mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd) ++{ ++ struct mgmt_pending_cmd *tmp; ++ ++ lockdep_assert_held(&hdev->mgmt_pending_lock); ++ ++ if (!cmd) ++ return false; ++ ++ list_for_each_entry(tmp, &hdev->mgmt_pending, list) { ++ if (cmd == tmp) ++ return true; ++ } ++ ++ return false; ++} ++ ++bool mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd) ++{ ++ bool listed; ++ ++ mutex_lock(&hdev->mgmt_pending_lock); ++ listed = __mgmt_pending_listed(hdev, cmd); ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ ++ return listed; ++} ++ ++bool mgmt_pending_valid(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd) ++{ ++ bool listed; ++ ++ if (!cmd) ++ return false; ++ ++ mutex_lock(&hdev->mgmt_pending_lock); ++ ++ listed = __mgmt_pending_listed(hdev, cmd); ++ if (listed) ++ list_del(&cmd->list); ++ ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ ++ return listed; ++} ++ + void mgmt_mesh_foreach(struct hci_dev *hdev, + void (*cb)(struct mgmt_mesh_tx *mesh_tx, void *data), + void *data, struct sock *sk) +diff --git a/net/bluetooth/mgmt_util.h b/net/bluetooth/mgmt_util.h +index 024e51dd6937..bcba8c9d8952 100644 +--- a/net/bluetooth/mgmt_util.h ++++ b/net/bluetooth/mgmt_util.h +@@ -65,6 +65,9 @@ struct mgmt_pending_cmd *mgmt_pending_new(struct sock *sk, u16 opcode, + void *data, u16 len); + void mgmt_pending_free(struct mgmt_pending_cmd *cmd); + void mgmt_pending_remove(struct mgmt_pending_cmd *cmd); ++bool __mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd); ++bool mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd); ++bool mgmt_pending_valid(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd); + void mgmt_mesh_foreach(struct hci_dev *hdev, + void (*cb)(struct mgmt_mesh_tx *mesh_tx, void *data), + void *data, struct sock *sk); +-- +2.43.0 + diff --git a/SPECS/kernel-rt/kernel-rt.signatures.json b/SPECS/kernel-rt/kernel-rt.signatures.json index 7b29d2520d..390592ef82 100644 --- a/SPECS/kernel-rt/kernel-rt.signatures.json +++ b/SPECS/kernel-rt/kernel-rt.signatures.json @@ -5,6 +5,6 @@ "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985", "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "linux-6.12.44.tar.gz": "fac0ed5371cbd46ebc8a2a1e152ac5fbb5fc2660e748a7fc1d28b8e399854a1a" + "linux-6.12.55.tar.gz": "c8076132f818c0a22b7fe9a1184769406f0a62d0b93e4516d7f1a6d24f3791c3" } } diff --git a/SPECS/kernel-rt/kernel-rt.spec b/SPECS/kernel-rt/kernel-rt.spec index ee3a923932..314e16b16a 100644 --- a/SPECS/kernel-rt/kernel-rt.spec +++ b/SPECS/kernel-rt/kernel-rt.spec @@ -1,19 +1,20 @@ Summary: Preempt RT Linux Kernel Name: kernel-rt -Version: 6.12.44 -Release: 6%{?dist} +Version: 6.12.55 +Release: 1%{?dist} License: GPLv2 Vendor: Intel Corporation Distribution: Edge Microvisor Toolkit Group: System Environment/Kernel URL: https://www.kernel.org/pub/linux/kernel -Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.44.tar.gz +Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.55.tar.gz Source1: config Source3: sha512hmac-openssl.sh Source4: emt-ca-20211013.pem Source5: cpupower Source6: cpupower.service + # Intel not-upstreamed kernel features #sriov Patch0: 0001-drm-i915-mtl-Add-C10-table-for-HDMI-Clock-25175.sriov @@ -73,369 +74,364 @@ Patch53: 0001-virtio-hookup-irq_get_affinity-callback.sriov Patch54: 0002-virtio-break-and-reset-virtio-devices-on-device_shut.sriov Patch55: 0003-virtgpu-don-t-reset-on-shutdown.sriov Patch56: 0004-drm-virtio-implement-virtio_gpu_shutdown.sriov +Patch57: 0001-drm-virtio-Wait-until-the-control-and-cursor-queues-.sriov +Patch58: 0001-drm-i915-move-sriov-selftest-buffer-out-of-stack.sriov #security -Patch57: 0001-mei-bus-add-api-to-query-capabilities-of-ME-clien.security -Patch58: 0002-mei-virtio-virtualization-frontend-driver.security -Patch59: 0003-INTEL_DII-mei-avoid-reset-if-fw-is-down.security -Patch60: 0004-INTEL_DII-FIXME-mei-iaf-add-iaf-Intel-Accelerator.security -Patch61: 0005-INTEL_DII-mei-add-check-for-offline-bit-in-every-.security -Patch62: 0006-INTEL_DII-mei-add-empty-handlers-for-ops-function.security -Patch63: 0007-INTEL_DII-mei-gsc-add-fields-to-support-force-wak.security -Patch64: 0008-INTEL_DII-mei-add-waitqueue-for-device-state-chan.security -Patch65: 0009-INTEL_DII-mei-add-force-wake-workaround-infra.security -Patch66: 0010-INTEL_DII-mei-add-force-wake-workaround-in-init.security -Patch67: 0011-INTEL_DII-mei-add-force-wake-workaround-on-sessio.security -Patch68: 0012-INTEL_DII-mei-add-force-wake-workaround-in-runtim.security -Patch69: 0013-INTEL_DII-mei-add-force-wake-workaround-in-resume.security -Patch70: 0014-INTEL_DII-mei-disable-immediate-enum-if-forcewake.security -Patch71: 0015-INTEL_DII-mei-put-force-wake-in-error-flows.security -Patch72: 0016-INTEL_DII-mei-add-force-wake-callbacks-to-empty-h.security -Patch73: 0017-INTEL_DII-mei-optimize-force-wake-wait.security -Patch74: 0018-mei-me-apply-GSC-error-supression-to-systems-with.security -Patch75: 0019-INTEL_DII-mei-bus-fixup-disable-version-retrieval.security +Patch59: 0001-mei-bus-add-api-to-query-capabilities-of-ME-clien.security +Patch60: 0002-mei-virtio-virtualization-frontend-driver.security +Patch61: 0003-INTEL_DII-mei-avoid-reset-if-fw-is-down.security +Patch62: 0004-INTEL_DII-FIXME-mei-iaf-add-iaf-Intel-Accelerator.security +Patch63: 0005-INTEL_DII-mei-add-check-for-offline-bit-in-every-.security +Patch64: 0006-INTEL_DII-mei-add-empty-handlers-for-ops-function.security +Patch65: 0007-INTEL_DII-mei-gsc-add-fields-to-support-force-wak.security +Patch66: 0008-INTEL_DII-mei-add-waitqueue-for-device-state-chan.security +Patch67: 0009-INTEL_DII-mei-add-force-wake-workaround-infra.security +Patch68: 0010-INTEL_DII-mei-add-force-wake-workaround-in-init.security +Patch69: 0011-INTEL_DII-mei-add-force-wake-workaround-on-sessio.security +Patch70: 0012-INTEL_DII-mei-add-force-wake-workaround-in-runtim.security +Patch71: 0013-INTEL_DII-mei-add-force-wake-workaround-in-resume.security +Patch72: 0014-INTEL_DII-mei-disable-immediate-enum-if-forcewake.security +Patch73: 0015-INTEL_DII-mei-put-force-wake-in-error-flows.security +Patch74: 0016-INTEL_DII-mei-add-force-wake-callbacks-to-empty-h.security +Patch75: 0017-INTEL_DII-mei-optimize-force-wake-wait.security +Patch76: 0018-mei-me-apply-GSC-error-supression-to-systems-with.security +Patch77: 0019-INTEL_DII-mei-bus-fixup-disable-version-retrieval.security #tgpio -Patch76: 0001-Revert-timekeeping-Add-function-to-convert-realtime-.tgpio -Patch77: 0002-Revert-x86-tsc-Remove-obsolete-ART-to-TSC-conversion.tgpio -Patch78: 0003-Revert-ice-ptp-Remove-convert_art_to_tsc.tgpio -Patch79: 0004-Revert-ALSA-hda-Remove-convert_art_to_tsc.tgpio -Patch80: 0005-Revert-stmmac-intel-Remove-convert_art_to_tsc.tgpio -Patch81: 0006-Revert-igc-Remove-convert_art_ns_to_tsc.tgpio -Patch82: 0007-Revert-e1000e-Replace-convert_art_to_tsc.tgpio -Patch83: 0008-Revert-x86-tsc-Provide-ART-base-clock-information-fo.tgpio -Patch84: 0009-Revert-timekeeping-Provide-infrastructure-for-conver.tgpio -Patch85: 0010-drivers-ptp-Add-Enhanced-handling-of-reserve-fields.tgpio -Patch86: 0011-drivers-ptp-Add-PEROUT2-ioctl-frequency-adjustment-i.tgpio -Patch87: 0012-drivers-ptp-Add-user-space-input-polling-interface.tgpio -Patch88: 0013-x86-tsc-Add-TSC-support-functions-to-support-ART-dri.tgpio -Patch89: 0014-drivers-ptp-Add-support-for-PMC-Time-Aware-GPIO-Driv.tgpio -Patch90: 0015-x86-core-TSC-reliable-kernel-arg-prevents-DQ-of-TSC-.tgpio -Patch91: 0016-mfd-intel-ehl-gpio-Introduce-MFD-framework-to-PSE-GP.tgpio -Patch92: 0017-TGPIO-Calling-power-management-calls-without-enterin.tgpio -Patch93: 0018-TGPIO-Fix-PSE-TGPIO-PTP-driver-ioctls-fail.tgpio -Patch94: 0019-Kernel-Argument-Bypassing-ART-Detection.tgpio -Patch95: 0020-GPIO-Fix-for-PSE-GPIO-generating-only-one-event-as-i.tgpio -Patch96: 0021-Added-TGPIO-pin-check-before-input-event-read.tgpio -Patch97: 0022-Added-an-Example-to-adjust-frequency-for-output.tgpio -Patch98: 0023-ptp-tgpio-PSE-TGPIO-crosststamp-counttstamp.tgpio -Patch99: 0024-ptp-Fixed-read-issue-on-PHC-with-zero-n_pins.tgpio -Patch100: 0025-ptp-S-W-workaround-for-PMC-TGPIO-h-w-bug.tgpio -Patch101: 0026-ptp-Fix-for-PSE-TGPIO-Oneshot-output-and-counttstamp.tgpio -Patch102: 0027-ptp-Fix-for-PSE-TGPIO-frequency-Adjustment-issue.tgpio -Patch103: 0028-tgpio-Fix-compilation-errors-for-PSE-TGPIO.tgpio -Patch104: 0029-Added-single-shot-output-mode-support-for-TGPIO.tgpio -Patch105: 0030-Added-an-example-to-poll-for-edges.tgpio -Patch106: 0031-Added-support-to-get-TGPIO-System-Clock-Offset.tgpio -Patch107: 0032-Added-single-shot-output-mode-option-for-TGPIO-pin.tgpio -Patch108: 0033-selftests-ptp-Added-COMPV-GPIO-Input-Mode-for-TGPIO.tgpio -Patch109: 0034-ptp-Introduce-PTP_PINDESC_INPUTPOLL-for-Intel-PMC-TG.tgpio -Patch110: 0035-drivers-ptp-Add-COMPV-GPIO-Mode-for-PSE-TGPIO.tgpio -Patch111: 0036-net-ice-fix-braces-around-scalar-initializer.tgpio -Patch112: 0037-ptp-Add-PTP_EVENT_COUNTER_MODE-in-v1-valid-flags.tgpio -Patch113: 0038-ptp-Enable-preempt-if-it-is-disabled.tgpio -Patch114: 0039-ptp-Generate-sqaure-wave-on-PSE-TGPIO.tgpio -Patch115: 0040-ptp-tgpio-Add-an-edge-if-the-output-signal-ends-high.tgpio -Patch116: 0041-ptp-pmc-tgpio-Initialize-variable-to-zero.tgpio -Patch117: 0042-ptp-tgpio-Fix-return-type-of-remove-function-in-tgpi.tgpio -Patch118: 0043-net-mlx5-reuse-convert_art_ns_to_tsc-to-convert-ART-.tgpio +Patch78: 0001-Revert-timekeeping-Add-function-to-convert-realtime-.tgpio +Patch79: 0002-Revert-x86-tsc-Remove-obsolete-ART-to-TSC-conversion.tgpio +Patch80: 0003-Revert-ice-ptp-Remove-convert_art_to_tsc.tgpio +Patch81: 0004-Revert-ALSA-hda-Remove-convert_art_to_tsc.tgpio +Patch82: 0005-Revert-stmmac-intel-Remove-convert_art_to_tsc.tgpio +Patch83: 0006-Revert-igc-Remove-convert_art_ns_to_tsc.tgpio +Patch84: 0007-Revert-e1000e-Replace-convert_art_to_tsc.tgpio +Patch85: 0008-Revert-x86-tsc-Provide-ART-base-clock-information-fo.tgpio +Patch86: 0009-Revert-timekeeping-Provide-infrastructure-for-conver.tgpio +Patch87: 0010-drivers-ptp-Add-Enhanced-handling-of-reserve-fields.tgpio +Patch88: 0011-drivers-ptp-Add-PEROUT2-ioctl-frequency-adjustment-i.tgpio +Patch89: 0012-drivers-ptp-Add-user-space-input-polling-interface.tgpio +Patch90: 0013-x86-tsc-Add-TSC-support-functions-to-support-ART-dri.tgpio +Patch91: 0014-drivers-ptp-Add-support-for-PMC-Time-Aware-GPIO-Driv.tgpio +Patch92: 0015-x86-core-TSC-reliable-kernel-arg-prevents-DQ-of-TSC-.tgpio +Patch93: 0016-mfd-intel-ehl-gpio-Introduce-MFD-framework-to-PSE-GP.tgpio +Patch94: 0017-TGPIO-Calling-power-management-calls-without-enterin.tgpio +Patch95: 0018-TGPIO-Fix-PSE-TGPIO-PTP-driver-ioctls-fail.tgpio +Patch96: 0019-Kernel-Argument-Bypassing-ART-Detection.tgpio +Patch97: 0020-GPIO-Fix-for-PSE-GPIO-generating-only-one-event-as-i.tgpio +Patch98: 0021-Added-TGPIO-pin-check-before-input-event-read.tgpio +Patch99: 0022-Added-an-Example-to-adjust-frequency-for-output.tgpio +Patch100: 0023-ptp-tgpio-PSE-TGPIO-crosststamp-counttstamp.tgpio +Patch101: 0024-ptp-Fixed-read-issue-on-PHC-with-zero-n_pins.tgpio +Patch102: 0025-ptp-S-W-workaround-for-PMC-TGPIO-h-w-bug.tgpio +Patch103: 0026-ptp-Fix-for-PSE-TGPIO-Oneshot-output-and-counttstamp.tgpio +Patch104: 0027-ptp-Fix-for-PSE-TGPIO-frequency-Adjustment-issue.tgpio +Patch105: 0028-tgpio-Fix-compilation-errors-for-PSE-TGPIO.tgpio +Patch106: 0029-Added-single-shot-output-mode-support-for-TGPIO.tgpio +Patch107: 0030-Added-an-example-to-poll-for-edges.tgpio +Patch108: 0031-Added-support-to-get-TGPIO-System-Clock-Offset.tgpio +Patch109: 0032-Added-single-shot-output-mode-option-for-TGPIO-pin.tgpio +Patch110: 0033-selftests-ptp-Added-COMPV-GPIO-Input-Mode-for-TGPIO.tgpio +Patch111: 0034-ptp-Introduce-PTP_PINDESC_INPUTPOLL-for-Intel-PMC-TG.tgpio +Patch112: 0035-drivers-ptp-Add-COMPV-GPIO-Mode-for-PSE-TGPIO.tgpio +Patch113: 0036-net-ice-fix-braces-around-scalar-initializer.tgpio +Patch114: 0037-ptp-Add-PTP_EVENT_COUNTER_MODE-in-v1-valid-flags.tgpio +Patch115: 0038-ptp-Enable-preempt-if-it-is-disabled.tgpio +Patch116: 0039-ptp-Generate-sqaure-wave-on-PSE-TGPIO.tgpio +Patch117: 0040-ptp-tgpio-Add-an-edge-if-the-output-signal-ends-high.tgpio +Patch118: 0041-ptp-pmc-tgpio-Initialize-variable-to-zero.tgpio +Patch119: 0042-ptp-tgpio-Fix-return-type-of-remove-function-in-tgpi.tgpio +Patch120: 0043-net-mlx5-reuse-convert_art_ns_to_tsc-to-convert-ART-.tgpio #edac -Patch119: 0001-x86-mce-Add-MCACOD-code-for-generic-I-O-error.edac -Patch120: 0002-EDAC-ieh-Add-I-O-device-EDAC-driver-for-Intel-CPUs-wi.edac -Patch121: 0003-EDAC-ieh-Add-I-O-device-EDAC-support-for-Intel-Tiger-.edac -Patch122: 0004-EDAC-igen6-Add-registration-APIs-for-In-Band-ECC-erro.edac -Patch123: 0005-EDAC-i10nm-Print-DRAM-rules-debug-purpose.edac -Patch124: 0006-EDAC-skx_common-skx-i10nm-Make-skx_register_mci-indep.edac -Patch125: 0007-EDAC-skx_common-Prepare-skx_get_edac_list.edac -Patch126: 0008-EDAC-skx_common-Prepare-skx_set_hi_lo.edac -Patch127: 0009-EDAC-igen6-Add-Intel-Pnther-Lake-H-SoCs-support.edac -Patch128: 0002-EDAC-ie31200-Add-Kaby-Lake-S-dual-core-host-bridge-ID.edac -Patch129: 0006-EDAC-ie31200-Fix-the-3rd-parameter-name-of-populate_d.edac -Patch130: 0007-EDAC-ie31200-Simplify-the-pci_device_id-table.edac -Patch131: 0008-EDAC-ie31200-Make-the-memory-controller-resources-con.edac -Patch132: 0009-EDAC-ie31200-Make-struct-dimm_data-contain-decoded-in.edac -Patch133: 0010-EDAC-ie31200-Fold-the-two-channel-loops-into-one-loop.edac -Patch134: 0011-EDAC-ie31200-Break-up-ie31200_probe1.edac -Patch135: 0012-EDAC-ie31200-Add-Intel-Raptor-Lake-S-SoCs-support.edac -Patch136: 0013-EDAC-ie31200-Switch-Raptor-Lake-S-to-interrupt-mode.edac -Patch137: 0001-EDAC-ie31200-Add-two-Intel-SoCs-for-EDAC-support.edac -Patch138: 0002-ie31200-EDAC-Add-Intel-Bartlett-Lake-S-SoCs-support.edac +Patch121: 0001-x86-mce-Add-MCACOD-code-for-generic-I-O-error.edac +Patch122: 0002-EDAC-ieh-Add-I-O-device-EDAC-driver-for-Intel-CPUs-wi.edac +Patch123: 0003-EDAC-ieh-Add-I-O-device-EDAC-support-for-Intel-Tiger-.edac +Patch124: 0004-EDAC-igen6-Add-registration-APIs-for-In-Band-ECC-erro.edac +Patch125: 0005-EDAC-i10nm-Print-DRAM-rules-debug-purpose.edac +Patch126: 0006-EDAC-skx_common-skx-i10nm-Make-skx_register_mci-indep.edac +Patch127: 0007-EDAC-skx_common-Prepare-skx_get_edac_list.edac +Patch128: 0008-EDAC-skx_common-Prepare-skx_set_hi_lo.edac +Patch129: 0009-EDAC-igen6-Add-Intel-Pnther-Lake-H-SoCs-support.edac +Patch130: 0002-EDAC-ie31200-Add-Kaby-Lake-S-dual-core-host-bridge-ID.edac +Patch131: 0006-EDAC-ie31200-Fix-the-3rd-parameter-name-of-populate_d.edac +Patch132: 0007-EDAC-ie31200-Simplify-the-pci_device_id-table.edac +Patch133: 0008-EDAC-ie31200-Make-the-memory-controller-resources-con.edac +Patch134: 0009-EDAC-ie31200-Make-struct-dimm_data-contain-decoded-in.edac +Patch135: 0010-EDAC-ie31200-Fold-the-two-channel-loops-into-one-loop.edac +Patch136: 0011-EDAC-ie31200-Break-up-ie31200_probe1.edac +Patch137: 0012-EDAC-ie31200-Add-Intel-Raptor-Lake-S-SoCs-support.edac +Patch138: 0013-EDAC-ie31200-Switch-Raptor-Lake-S-to-interrupt-mode.edac +Patch139: 0001-EDAC-ie31200-Add-two-Intel-SoCs-for-EDAC-support.edac +Patch140: 0002-ie31200-EDAC-Add-Intel-Bartlett-Lake-S-SoCs-support.edac +Patch141: 0001-EDAC-igen6-Add-Intel-Amston-Lake-SoCs-support.edac +Patch142: 0002-EDAC-igen6-Add-additional-Intel-Amston-Lake-SoC-compu.edac #tsn -Patch139: 0001-net-pcs-xpcs-enable-xpcs-reset-skipping.tsn -Patch140: 0002-net-stmmac-Bugfix-on-stmmac_interrupt-for-WOL.tsn -Patch141: 0003-net-phy-increase-gpy-loopback-test-delay.tsn -Patch142: 0004-net-stmmac-Resolve-poor-line-rate-after-switching-from.tsn -Patch143: 0005-net-phy-dp83867-perform-restart-AN-after-modifying-AN-.tsn -Patch144: 0006-stmmac-intel-Separate-ADL-N-and-RPL-P-device-ID-from-T.tsn -Patch145: 0007-net-stmmac-Adjust-mac_capabilities-for-Intel-mGbE-2.5G.tsn -Patch146: 0008-stmmac-intel-skip-xpcs-reset-for-2.5Gbps-on-Intel-Alde.tsn -Patch147: 0009-net-stmmac-add-check-for-2.5G-mode-to-prevent-MAC-capa.tsn -Patch148: 0010-stmmac-intel-Enable-PHY-WoL-in-ADL-N.tsn -Patch149: 0011-net-phy-reconfigure-PHY-WoL-when-WoL-option-is-enabled.tsn -Patch150: 0012-net-stmmac-fix-MAC-and-phylink-mismatch-issue-after-re.tsn -Patch151: 0013-net-stmmac-restructure-Rx-Tx-hardware-timestamping-fun.tsn -Patch152: 0014-net-stmmac-Add-per-packet-time-based-scheduling-for-XD.tsn -Patch153: 0015-net-stmmac-introduce-AF_XDP-ZC-RX-HW-timestamps.tsn -Patch154: 0016-net-stmmac-add-fsleep-in-HW-Rx-timestamp-checking-loop.tsn -Patch155: 0017-net-stmmac-select-PCS-negotiation-mode-according-to-th.tsn -Patch156: 0018-net-pcs-xpcs-re-initiate-clause-37-Auto-negotiation.tsn -Patch157: 0019-arch-x86-Add-IPC-mailbox-accessor-function-and-add-SoC.tsn -Patch158: 0020-net-stmmac-configure-SerDes-according-to-the-interface.tsn -Patch159: 0021-stmmac-intel-interface-switching-support-for-intel-pla.tsn -Patch160: 0022-net-stmmac-Set-mac_managed_pm-flag-from-stmmac-to-reso.tsn -Patch161: 0023-net-phylink-Add-module_exit.tsn -Patch162: 0024-net-stmmac-introduce-AF_XDP-ZC-TX-HW-timestamps.tsn -Patch163: 0025-net-sched-taprio-fix-too-early-schedules-switching.tsn -Patch164: 0026-net-sched-taprio-fix-cycle-time-adjustment-for-next-en.tsn -Patch165: 0027-net-sched-taprio-fix-impacted-fields-value-during-cycl.tsn -Patch166: 0028-net-sched-taprio-get-corrected-value-of-cycle_time-and.tsn -Patch167: 0029-xsk-add-txtime-field-in-xdp_desc-struct.tsn -Patch168: 0030-Revert-net-stmmac-silence-FPE-kernel-logs.tsn -Patch169: 0031-Revert-net-stmmac-support-fp-parameter-of-tc-taprio.tsn -Patch170: 0032-Revert-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn -Patch171: 0033-Revert-net-stmmac-configure-FPE-via-ethtool-mm.tsn -Patch172: 0034-Revert-net-stmmac-refactor-FPE-verification-process.tsn -Patch173: 0035-Revert-net-stmmac-drop-stmmac_fpe_handshake.tsn -Patch174: 0036-Revert-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-d.tsn -Patch175: 0037-net-stmmac-add-FPE-preempt-setting-for-TxQ-preemptible.tsn -Patch176: 0038-taprio-Add-support-for-frame-preemption-offload.tsn -Patch177: 0039-net-stmmac-set-initial-EEE-policy-configuration.tsn -Patch178: 0040-net-phy-fix-phylib-s-dual-eee_enabled.tsn -Patch179: 0041-net-phy-ensure-that-genphy_c45_an_config_eee_aneg-sees.tsn -Patch180: 0042-net-phy-fix-phy_ethtool_set_eee-incorrectly-enabling-L.tsn -Patch181: 0001-igc-Set-the-RX-packet-buffer-size-for-TSN-mode.tsn -Patch182: 0002-igc-Only-dump-registers-if-configured-to-dump-HW-infor.tsn -Patch183: 0003-ethtool-Add-support-for-configuring-frame-preemption.tsn -Patch184: 0004-ethtool-Add-support-for-Frame-Preemption-verification.tsn -Patch185: 0005-igc-Add-support-for-enabling-frame-preemption-via-etht.tsn -Patch186: 0006-igc-Add-support-for-TC_SETUP_PREEMPT.tsn -Patch187: 0007-igc-Add-support-for-setting-frame-preemption-configura.tsn -Patch188: 0008-igc-Add-support-for-Frame-Preemption-verification.tsn -Patch189: 0009-igc-Add-support-for-exposing-frame-preemption-stats-re.tsn -Patch190: 0010-igc-Optimize-the-packet-buffer-utilization.tsn -Patch191: 0011-igc-Add-support-for-enabling-all-packets-to-be-receive.tsn -Patch192: 0012-igc-Add-support-for-DMA-timestamp-for-non-PTP-packets.tsn -Patch193: 0013-bpf-add-btf-register-unregister-API.tsn -Patch194: 0014-net-core-XDP-metadata-BTF-netlink-API.tsn -Patch195: 0015-rtnetlink-Fix-unchecked-return-value-of-dev_xdp_query_.tsn -Patch196: 0016-rtnetlink-Add-return-value-check.tsn -Patch197: 0017-tools-bpf-Query-XDP-metadata-BTF-ID.tsn -Patch198: 0018-tools-bpf-Add-xdp-set-command-for-md-btf.tsn -Patch199: 0019-igc-Add-BTF-based-metadata-for-XDP.tsn -Patch200: 0020-igc-Enable-HW-RX-Timestamp-for-AF_XDP-ZC.tsn -Patch201: 0021-igc-Take-care-of-DMA-timestamp-rollover.tsn -Patch202: 0022-igc-Add-SO_TXTIME-for-AF_XDP-ZC.tsn -Patch203: 0023-igc-Reodering-the-empty-packet-buffers-and-descriptors.tsn -Patch204: 0024-Revert-igc-Add-support-for-PTP-.getcyclesx64.tsn -Patch205: 0025-core-Introduce-netdev_tc_map_to_queue_mask.tsn -Patch206: 0026-taprio-Replace-tc_map_to_queue_mask.tsn -Patch207: 0027-mqprio-Add-support-for-frame-preemption-offload.tsn -Patch208: 0030-igc-Reduce-retry-count-to-a-more-reasonable-number.tsn -Patch209: 0001-igc-Enable-HW-TX-Timestamp-for-AF_XDP-ZC.tsn -Patch210: 0002-igc-Enable-trace-for-HW-TX-Timestamp-AF_XDP-ZC.tsn -Patch211: 0003-igc-Remove-the-CONFIG_DEBUG_MISC-condition-for-trace.tsn -Patch212: 0006-Revert-net-stmmac-set-initial-EEE-policy-configurati.tsn -Patch213: 0001-net-phy-Set-eee_cfg.eee_enabled-according-to-PHY.tsn -Patch214: 0001-Revert-net-stmmac-add-FPE-preempt-setting-for-TxQ-pree.tsn -Patch215: 0002-Reapply-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-.tsn -Patch216: 0003-Reapply-net-stmmac-drop-stmmac_fpe_handshake.tsn -Patch217: 0004-Reapply-net-stmmac-refactor-FPE-verification-process.tsn -Patch218: 0005-Reapply-net-stmmac-configure-FPE-via-ethtool-mm.tsn -Patch219: 0006-Reapply-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn -Patch220: 0007-Reapply-net-stmmac-support-fp-parameter-of-tc-taprio.tsn -Patch221: 0008-Reapply-net-stmmac-silence-FPE-kernel-logs.tsn +Patch143: 0001-net-pcs-xpcs-enable-xpcs-reset-skipping.tsn +Patch144: 0002-net-stmmac-Bugfix-on-stmmac_interrupt-for-WOL.tsn +Patch145: 0003-net-phy-increase-gpy-loopback-test-delay.tsn +Patch146: 0004-net-stmmac-Resolve-poor-line-rate-after-switching-from.tsn +Patch147: 0005-net-phy-dp83867-perform-restart-AN-after-modifying-AN-.tsn +Patch148: 0006-stmmac-intel-Separate-ADL-N-and-RPL-P-device-ID-from-T.tsn +Patch149: 0007-net-stmmac-Adjust-mac_capabilities-for-Intel-mGbE-2.5G.tsn +Patch150: 0008-stmmac-intel-skip-xpcs-reset-for-2.5Gbps-on-Intel-Alde.tsn +Patch151: 0009-net-stmmac-add-check-for-2.5G-mode-to-prevent-MAC-capa.tsn +Patch152: 0010-stmmac-intel-Enable-PHY-WoL-in-ADL-N.tsn +Patch153: 0011-net-phy-reconfigure-PHY-WoL-when-WoL-option-is-enabled.tsn +Patch154: 0012-net-stmmac-fix-MAC-and-phylink-mismatch-issue-after-re.tsn +Patch155: 0013-net-stmmac-restructure-Rx-Tx-hardware-timestamping-fun.tsn +Patch156: 0014-net-stmmac-Add-per-packet-time-based-scheduling-for-XD.tsn +Patch157: 0015-net-stmmac-introduce-AF_XDP-ZC-RX-HW-timestamps.tsn +Patch158: 0016-net-stmmac-add-fsleep-in-HW-Rx-timestamp-checking-loop.tsn +Patch159: 0017-net-stmmac-select-PCS-negotiation-mode-according-to-th.tsn +Patch160: 0018-net-pcs-xpcs-re-initiate-clause-37-Auto-negotiation.tsn +Patch161: 0019-arch-x86-Add-IPC-mailbox-accessor-function-and-add-SoC.tsn +Patch162: 0020-net-stmmac-configure-SerDes-according-to-the-interface.tsn +Patch163: 0021-stmmac-intel-interface-switching-support-for-intel-pla.tsn +Patch164: 0022-net-stmmac-Set-mac_managed_pm-flag-from-stmmac-to-reso.tsn +Patch165: 0023-net-phylink-Add-module_exit.tsn +Patch166: 0024-net-stmmac-introduce-AF_XDP-ZC-TX-HW-timestamps.tsn +Patch167: 0025-net-sched-taprio-fix-too-early-schedules-switching.tsn +Patch168: 0026-net-sched-taprio-fix-cycle-time-adjustment-for-next-en.tsn +Patch169: 0027-net-sched-taprio-fix-impacted-fields-value-during-cycl.tsn +Patch170: 0028-net-sched-taprio-get-corrected-value-of-cycle_time-and.tsn +Patch171: 0029-xsk-add-txtime-field-in-xdp_desc-struct.tsn +Patch172: 0030-Revert-net-stmmac-silence-FPE-kernel-logs.tsn +Patch173: 0031-Revert-net-stmmac-support-fp-parameter-of-tc-taprio.tsn +Patch174: 0032-Revert-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn +Patch175: 0033-Revert-net-stmmac-configure-FPE-via-ethtool-mm.tsn +Patch176: 0034-Revert-net-stmmac-refactor-FPE-verification-process.tsn +Patch177: 0035-Revert-net-stmmac-drop-stmmac_fpe_handshake.tsn +Patch178: 0036-Revert-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-d.tsn +Patch179: 0037-net-stmmac-add-FPE-preempt-setting-for-TxQ-preemptible.tsn +Patch180: 0038-taprio-Add-support-for-frame-preemption-offload.tsn +Patch181: 0039-net-stmmac-set-initial-EEE-policy-configuration.tsn +Patch182: 0040-net-phy-fix-phylib-s-dual-eee_enabled.tsn +Patch183: 0041-net-phy-ensure-that-genphy_c45_an_config_eee_aneg-sees.tsn +Patch184: 0042-net-phy-fix-phy_ethtool_set_eee-incorrectly-enabling-L.tsn +Patch185: 0001-igc-Set-the-RX-packet-buffer-size-for-TSN-mode.tsn +Patch186: 0002-igc-Only-dump-registers-if-configured-to-dump-HW-infor.tsn +Patch187: 0003-ethtool-Add-support-for-configuring-frame-preemption.tsn +Patch188: 0004-ethtool-Add-support-for-Frame-Preemption-verification.tsn +Patch189: 0005-igc-Add-support-for-enabling-frame-preemption-via-etht.tsn +Patch190: 0006-igc-Add-support-for-TC_SETUP_PREEMPT.tsn +Patch191: 0007-igc-Add-support-for-setting-frame-preemption-configura.tsn +Patch192: 0008-igc-Add-support-for-Frame-Preemption-verification.tsn +Patch193: 0009-igc-Add-support-for-exposing-frame-preemption-stats-re.tsn +Patch194: 0010-igc-Optimize-the-packet-buffer-utilization.tsn +Patch195: 0011-igc-Add-support-for-enabling-all-packets-to-be-receive.tsn +Patch196: 0012-igc-Add-support-for-DMA-timestamp-for-non-PTP-packets.tsn +Patch197: 0013-bpf-add-btf-register-unregister-API.tsn +Patch198: 0014-net-core-XDP-metadata-BTF-netlink-API.tsn +Patch199: 0015-rtnetlink-Fix-unchecked-return-value-of-dev_xdp_query_.tsn +Patch200: 0016-rtnetlink-Add-return-value-check.tsn +Patch201: 0017-tools-bpf-Query-XDP-metadata-BTF-ID.tsn +Patch202: 0018-tools-bpf-Add-xdp-set-command-for-md-btf.tsn +Patch203: 0019-igc-Add-BTF-based-metadata-for-XDP.tsn +Patch204: 0020-igc-Enable-HW-RX-Timestamp-for-AF_XDP-ZC.tsn +Patch205: 0021-igc-Take-care-of-DMA-timestamp-rollover.tsn +Patch206: 0022-igc-Add-SO_TXTIME-for-AF_XDP-ZC.tsn +Patch207: 0023-igc-Reodering-the-empty-packet-buffers-and-descriptors.tsn +Patch208: 0024-Revert-igc-Add-support-for-PTP-.getcyclesx64.tsn +Patch209: 0025-core-Introduce-netdev_tc_map_to_queue_mask.tsn +Patch210: 0026-taprio-Replace-tc_map_to_queue_mask.tsn +Patch211: 0027-mqprio-Add-support-for-frame-preemption-offload.tsn +Patch212: 0030-igc-Reduce-retry-count-to-a-more-reasonable-number.tsn +Patch213: 0001-igc-Enable-HW-TX-Timestamp-for-AF_XDP-ZC.tsn +Patch214: 0002-igc-Enable-trace-for-HW-TX-Timestamp-AF_XDP-ZC.tsn +Patch215: 0003-igc-Remove-the-CONFIG_DEBUG_MISC-condition-for-trace.tsn +Patch216: 0006-Revert-net-stmmac-set-initial-EEE-policy-configurati.tsn +Patch217: 0001-net-phy-Set-eee_cfg.eee_enabled-according-to-PHY.tsn +Patch218: 0001-Revert-net-stmmac-add-FPE-preempt-setting-for-TxQ-pree.tsn +Patch219: 0002-Reapply-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-.tsn +Patch220: 0003-Reapply-net-stmmac-drop-stmmac_fpe_handshake.tsn +Patch221: 0004-Reapply-net-stmmac-refactor-FPE-verification-process.tsn +Patch222: 0005-Reapply-net-stmmac-configure-FPE-via-ethtool-mm.tsn +Patch223: 0006-Reapply-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn +Patch224: 0007-Reapply-net-stmmac-support-fp-parameter-of-tc-taprio.tsn +Patch225: 0008-Reapply-net-stmmac-silence-FPE-kernel-logs.tsn #camera -Patch222: 0001-media-intel-ipu6-remove-buttress-ish-structure.camera -Patch223: 0001-media-i2c-Add-ar0234-camera-sensor-driver.camera -Patch224: 0002-media-i2c-add-support-for-lt6911uxe.camera -Patch225: 0003-INT3472-Support-LT6911UXE.camera -Patch226: 0004-upstream-Use-module-parameter-to-set-isys-freq.camera -Patch227: 0005-upstream-Use-module-parameter-to-set-psys-freq.camera -Patch228: 0006-media-pci-Enable-ISYS-reset.camera -Patch229: 0007-media-i2c-add-support-for-ar0234-and-lt6911uxe.camera -Patch230: 0008-driver-media-i2c-remove-useless-header-file.camera -Patch231: 0009-media-i2c-update-lt6911uxe-for-upstream-and-bug-fix.camera -Patch232: 0010-media-i2c-add-support-for-lt6911uxc.camera -Patch233: 0011-media-i2c-add-lt6911uxc-driver-and-enable-in-ipu-br.camera -Patch234: 0012-media-pci-intel-psys-driver.camera -Patch235: 0013-media-i2c-Remove-unused-variables-in-Lontium-driver.camera -Patch236: 0001-media-intel-ipu6-remove-buttress-ish-structure-1.camera -Patch237: 0002-media-pci-intel-include-psys-driver.camera -Patch238: 0003-Revert-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to-.camera -Patch239: 0004-Revert-media-ipu6-remove-architecture-DMA-ops-depen.camera -Patch240: 0005-Revert-media-ipu6-not-override-the-dma_ops-of-devic.camera -Patch241: 0001-Reapply-media-ipu6-not-override-the-dma_ops-of-devi.camera -Patch242: 0002-Reapply-media-ipu6-remove-architecture-DMA-ops-depe.camera -Patch243: 0003-Reapply-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to.camera -Patch244: 0001-media-pci-update-IPU6-PSYS-driver.camera -Patch245: 0002-media-i2c-update-lt6911uxc-driver-to-fix-COV-issue.camera -Patch246: 0003-lt6911-2-pads-linked-to-ipu-2-ports-for-split-mode.camera -Patch247: 0004-media-i2c-add-dv_timings-api-in-lt6911uxe.camera -Patch248: 0005-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera -Patch249: 0006-media-i2c-some-changes-in-lt6911uxe.camera -Patch250: 0001-Revert-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera -Patch251: 0002-media-i2c-update-format-in-irq-for-lt6911uxe.camera -Patch252: 0003-media-i2c-remove-unused-func-in-lt6911uxe.camera -Patch253: 0001-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera -Patch254: 0002-media-ipu-Dma-sync-at-buffer_prepare-callback-as-DM.camera -Patch255: 0003-Support-IPU6-ISYS-FW-trace-dump-for-upstream-driver.camera -Patch256: 0004-Support-IPU6-PSYS-FW-trace-dump-for-upstream-driver.camera -Patch257: 0005-media-pci-The-order-of-return-buffers-should-be-FIF.camera -Patch258: 0006-media-i2c-fix-power-on-issue-for-on-board-LT6911UXC.camera -Patch259: 0007-media-i2c-fix-power-on-issue-for-on-board-LT6911UXE.camera -Patch260: 0001-media-pci-Modify-enble-disable-stream-in-CSI2.camera -Patch261: 0002-media-pci-Set-the-correct-SOF-for-different-stream.camera -Patch262: 0003-media-pci-support-imx390-for-6.11.0-rc3.camera -Patch263: 0004-i2c-media-fix-cov-issue.camera -Patch264: 0005-mv-ipu-acpi-module-to-linux-drivers.camera -Patch265: 0006-kernel-enable-VC-support-in-v4l2.camera -Patch266: 0007-media-pci-intel-support-PDATA-in-Kconfig-Makefile.camera -Patch267: 0008-media-pci-unregister-i2c-device-to-complete-ext_sub.camera -Patch268: 0009-media-pci-align-params-for-non-MIPI-split-and-split.camera -Patch269: 0010-media-pci-add-missing-if-for-PDATA.camera -Patch270: 0011-media-platform-fix-allyesconfig-build-error.camera -Patch271: 0012-media-pci-refine-PDATA-related-config.camera -Patch272: 0013-kernel-align-ACPI-PDATA-and-ACPI-fwnode-build-for-E.camera -Patch273: 0014-media-i2c-add-gmsl-isx031-support.camera -Patch274: 0015-media-i2c-add-support-for-isx031-max9296.camera -Patch275: 0016-fix-S4-issue-on-TWL.camera -Patch276: 0017-code-changes-for-link-frequency-and-sensor-physical.camera +Patch226: 0001-media-intel-ipu6-remove-buttress-ish-structure.camera +Patch227: 0001-media-i2c-Add-ar0234-camera-sensor-driver.camera +Patch228: 0002-media-i2c-add-support-for-lt6911uxe.camera +Patch229: 0003-INT3472-Support-LT6911UXE.camera +Patch230: 0004-upstream-Use-module-parameter-to-set-isys-freq.camera +Patch231: 0005-upstream-Use-module-parameter-to-set-psys-freq.camera +Patch232: 0006-media-pci-Enable-ISYS-reset.camera +Patch233: 0007-media-i2c-add-support-for-ar0234-and-lt6911uxe.camera +Patch234: 0008-driver-media-i2c-remove-useless-header-file.camera +Patch235: 0009-media-i2c-update-lt6911uxe-for-upstream-and-bug-fix.camera +Patch236: 0010-media-i2c-add-support-for-lt6911uxc.camera +Patch237: 0011-media-i2c-add-lt6911uxc-driver-and-enable-in-ipu-br.camera +Patch238: 0012-media-pci-intel-psys-driver.camera +Patch239: 0013-media-i2c-Remove-unused-variables-in-Lontium-driver.camera +Patch240: 0001-media-intel-ipu6-remove-buttress-ish-structure-1.camera +Patch241: 0002-media-pci-intel-include-psys-driver.camera +Patch242: 0003-Revert-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to-.camera +Patch243: 0004-Revert-media-ipu6-remove-architecture-DMA-ops-depen.camera +Patch244: 0005-Revert-media-ipu6-not-override-the-dma_ops-of-devic.camera +Patch245: 0001-Reapply-media-ipu6-not-override-the-dma_ops-of-devi.camera +Patch246: 0002-Reapply-media-ipu6-remove-architecture-DMA-ops-depe.camera +Patch247: 0003-Reapply-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to.camera +Patch248: 0001-media-pci-update-IPU6-PSYS-driver.camera +Patch249: 0002-media-i2c-update-lt6911uxc-driver-to-fix-COV-issue.camera +Patch250: 0003-lt6911-2-pads-linked-to-ipu-2-ports-for-split-mode.camera +Patch251: 0004-media-i2c-add-dv_timings-api-in-lt6911uxe.camera +Patch252: 0005-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera +Patch253: 0006-media-i2c-some-changes-in-lt6911uxe.camera +Patch254: 0001-Revert-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera +Patch255: 0002-media-i2c-update-format-in-irq-for-lt6911uxe.camera +Patch256: 0003-media-i2c-remove-unused-func-in-lt6911uxe.camera +Patch257: 0001-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera +Patch258: 0002-media-ipu-Dma-sync-at-buffer_prepare-callback-as-DM.camera +Patch259: 0003-Support-IPU6-ISYS-FW-trace-dump-for-upstream-driver.camera +Patch260: 0004-Support-IPU6-PSYS-FW-trace-dump-for-upstream-driver.camera +Patch261: 0005-media-pci-The-order-of-return-buffers-should-be-FIF.camera +Patch262: 0006-media-i2c-fix-power-on-issue-for-on-board-LT6911UXC.camera +Patch263: 0007-media-i2c-fix-power-on-issue-for-on-board-LT6911UXE.camera +Patch264: 0001-media-pci-Modify-enble-disable-stream-in-CSI2.camera +Patch265: 0002-media-pci-Set-the-correct-SOF-for-different-stream.camera +Patch266: 0003-media-pci-support-imx390-for-6.11.0-rc3.camera +Patch267: 0004-i2c-media-fix-cov-issue.camera +Patch268: 0005-mv-ipu-acpi-module-to-linux-drivers.camera +Patch269: 0006-kernel-enable-VC-support-in-v4l2.camera +Patch270: 0007-media-pci-intel-support-PDATA-in-Kconfig-Makefile.camera +Patch271: 0008-media-pci-unregister-i2c-device-to-complete-ext_sub.camera +Patch272: 0009-media-pci-align-params-for-non-MIPI-split-and-split.camera +Patch273: 0010-media-pci-add-missing-if-for-PDATA.camera +Patch274: 0011-media-platform-fix-allyesconfig-build-error.camera +Patch275: 0012-media-pci-refine-PDATA-related-config.camera +Patch276: 0013-kernel-align-ACPI-PDATA-and-ACPI-fwnode-build-for-E.camera +Patch277: 0014-media-i2c-add-gmsl-isx031-support.camera +Patch278: 0015-media-i2c-add-support-for-isx031-max9296.camera +Patch279: 0016-fix-S4-issue-on-TWL.camera +Patch280: 0017-code-changes-for-link-frequency-and-sensor-physical.camera #wwan -Patch277: 0001-Revert-bus-mhi-host-pci_generic-add-support-for-sc828.wwan -Patch278: 0002-wwan-add-SAHARA-device.wwan -Patch279: 0003-bus-mhi-host-allow-SBL-as-initial-EE.wwan -Patch280: 0004-drivers-bus-mhi-let-userspace-manage-xfp-fw-update-st.wwan -Patch281: 0005-wwan-add-NMEA-type.wwan -Patch282: 0006-drivers-bus-mhi-add-FN980-v2-support.wwan -Patch283: 0007-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL-device.wwan -Patch284: 0008-drivers-net-wwan-add-simple-DTR-driver.wwan -Patch285: 0009-drivers-bus-mhi-host-fix-recovery-process-when-modem-.wwan -Patch286: 0001-Revert-drivers-bus-mhi-host-fix-recovery-process-when.wwan -Patch287: 0002-Revert-drivers-net-wwan-add-simple-DTR-driver.wwan -Patch288: 0003-Revert-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL.wwan -Patch289: 0004-Revert-drivers-bus-mhi-add-FN980-v2-support.wwan -Patch290: 0005-Revert-wwan-add-NMEA-type.wwan -Patch291: 0006-Revert-drivers-bus-mhi-let-userspace-manage-xfp-fw-up.wwan -Patch292: 0007-Revert-bus-mhi-host-allow-SBL-as-initial-EE.wwan -Patch293: 0008-Revert-wwan-add-SAHARA-device.wwan -Patch294: 0009-Revert-Revert-bus-mhi-host-pci_generic-add-support-fo.wwan +Patch281: 0001-Revert-bus-mhi-host-pci_generic-add-support-for-sc828.wwan +Patch282: 0002-wwan-add-SAHARA-device.wwan +Patch283: 0003-bus-mhi-host-allow-SBL-as-initial-EE.wwan +Patch284: 0004-drivers-bus-mhi-let-userspace-manage-xfp-fw-update-st.wwan +Patch285: 0005-wwan-add-NMEA-type.wwan +Patch286: 0006-drivers-bus-mhi-add-FN980-v2-support.wwan +Patch287: 0007-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL-device.wwan +Patch288: 0008-drivers-net-wwan-add-simple-DTR-driver.wwan +Patch289: 0009-drivers-bus-mhi-host-fix-recovery-process-when-modem-.wwan +Patch290: 0001-Revert-drivers-bus-mhi-host-fix-recovery-process-when.wwan +Patch291: 0002-Revert-drivers-net-wwan-add-simple-DTR-driver.wwan +Patch292: 0003-Revert-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL.wwan +Patch293: 0004-Revert-drivers-bus-mhi-add-FN980-v2-support.wwan +Patch294: 0005-Revert-wwan-add-NMEA-type.wwan +Patch295: 0006-Revert-drivers-bus-mhi-let-userspace-manage-xfp-fw-up.wwan +Patch296: 0007-Revert-bus-mhi-host-allow-SBL-as-initial-EE.wwan +Patch297: 0008-Revert-wwan-add-SAHARA-device.wwan +Patch298: 0009-Revert-Revert-bus-mhi-host-pci_generic-add-support-fo.wwan #pmc_core -Patch295: 0001-platform-x86-intel-pmc-Add-Arrow-Lake-U-H-support.pmc_core -Patch296: 0002-platform-x86-intel-pmc-Add-Bartlett-Lake-support-to-.pmc_core -Patch297: 0001-platform-x86-intel-pmc-Fix-Arrow-Lake-U-H-NPU-PCI.pmc_core +Patch299: 0001-platform-x86-intel-pmc-Add-Arrow-Lake-U-H-support.pmc_core +Patch300: 0002-platform-x86-intel-pmc-Add-Bartlett-Lake-support-to-.pmc_core +Patch301: 0001-platform-x86-intel-pmc-Fix-Arrow-Lake-U-H-NPU-PCI.pmc_core #lpss -Patch298: 0001-Added-spi_set_cs-for-more-stable-r-w-operations-in-S.lpss -Patch299: 0002-mtd-core-Don-t-fail-mtd_device_parse_register-if-OTP.lpss -Patch300: 0003-spi-intel-pci-Add-support-for-Arrow-Lake-H-SPI-seria.lpss -Patch301: 0004-spi-intel-Add-protected-and-locked-attributes.lpss +Patch302: 0001-Added-spi_set_cs-for-more-stable-r-w-operations-in-S.lpss +Patch303: 0002-mtd-core-Don-t-fail-mtd_device_parse_register-if-OTP.lpss +Patch304: 0003-spi-intel-pci-Add-support-for-Arrow-Lake-H-SPI-seria.lpss +Patch305: 0004-spi-intel-Add-protected-and-locked-attributes.lpss #preempt_rt patches backported -Patch302: 0001-Revert-sched-core-Remove-the-unnecessary-need_resche.rt -Patch303: 0001-hrtimer-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt -Patch304: 0002-timers-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt -Patch305: 0003-softirq-Use-a-dedicated-thread-for-timer-wakeups-on-PRE.rt -Patch306: 0004-serial-8250-Switch-to-nbcon-console.rt -Patch307: 0005-serial-8250-Revert-drop-lockdep-annotation-from-serial8.rt -Patch308: 0006-locking-rt-Remove-one-__cond_lock-in-RT-s-spin_trylock_.rt -Patch309: 0007-locking-rt-Add-sparse-annotation-for-RCU.rt -Patch310: 0008-locking-rt-Annotate-unlock-followed-by-lock-for-sparse.rt -Patch311: 0009-drm-i915-Use-preempt_disable-enable_rt-where-recommende.rt -Patch312: 0010-drm-i915-Don-t-disable-interrupts-on-PREEMPT_RT-during-.rt -Patch313: 0011-drm-i915-Don-t-check-for-atomic-context-on-PREEMPT_RT.rt -Patch314: 0012-drm-i915-Disable-tracing-points-on-PREEMPT_RT.rt -Patch315: 0013-drm-i915-gt-Use-spin_lock_irq-instead-of-local_irq_disa.rt -Patch316: 0014-drm-i915-Drop-the-irqs_disabled-check.rt -Patch317: 0015-drm-i915-guc-Consider-also-RCU-depth-in-busy-loop.rt -Patch318: 0016-Revert-drm-i915-Depend-on-PREEMPT_RT.rt -Patch319: 0017-sched-Add-TIF_NEED_RESCHED_LAZY-infrastructure.rt -Patch320: 0018-sched-Add-Lazy-preemption-model.rt -Patch321: 0019-sched-Enable-PREEMPT_DYNAMIC-for-PREEMPT_RT.rt -Patch322: 0020-sched-x86-Enable-Lazy-preemption.rt -Patch323: 0021-sched-Add-laziest-preempt-model.rt -Patch324: 0022-sched-Fixup-the-IS_ENABLED-check-for-PREEMPT_LAZY.rt -Patch325: 0023-tracing-Remove-TRACE_FLAG_IRQS_NOSUPPORT.rt -Patch326: 0024-tracing-Record-task-flag-NEED_RESCHED_LAZY.rt -Patch327: 0025-sysfs-Add-sys-kernel-realtime-entry.rt -Patch328: 0001-serial-8250-enable-original-console-by-default.rt -Patch329: 0001-kernel-trace-Add-DISALLOW_TRACE_PRINTK-make-option.rt -Patch330: 0002-Revert-scripts-remove-bin2c.rt -Patch331: 0003-extend-uio-driver-to-supports-msix.rt -Patch332: 0004-virtio-add-VIRTIO_PMD-support.rt -Patch333: 0005-virt-acrn-Introduce-interfaces-for-PIO-device.rt -Patch334: 0006-Add-hypercall-to-access-MSR.rt -Patch335: 0007-Revert-spi-Remove-unused-function-spi_busnum_to_master.rt -Patch336: 0008-igc-add-CONFIG_IGC_TSN_TRACE-conditional-trace_printk-u.rt -Patch337: 0009-stmmac_pci-add-CONFIG_STMMAC_TSN_TRACE-conditional-trac.rt -Patch338: 0010-igb-prepare-for-AF_XDP-zero-copy-support.rt -Patch339: 0011-igb-Introduce-XSK-data-structures-and-helpers.rt -Patch340: 0012-igb-add-AF_XDP-zero-copy-Rx-support.rt -Patch341: 0013-igb-add-AF_XDP-zero-copy-Tx-support.rt -Patch342: 0014-igb-Add-BTF-based-metadata-for-XDP.rt -Patch343: 0015-ANDROID-trace-power-add-trace_clock_set_parent.rt -Patch344: 0016-ANDROID-trace-net-use-pK-for-kernel-pointers.rt -Patch345: 0017-ANDROID-trace-add-non-hierarchical-function_graph-optio.rt -Patch346: 0018-virtio-fix-VIRTIO_PMD-support.rt -Patch347: 0019-drm-i915-add-i915-perf-event-capacity.rt -Patch348: 0020-drm-xe-pm-allow-xe-with-CONFIG_PM.rt +Patch306: 0001-Revert-sched-core-Remove-the-unnecessary-need_resche.rt +Patch307: 0001-hrtimer-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt +Patch308: 0002-timers-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt +Patch309: 0003-softirq-Use-a-dedicated-thread-for-timer-wakeups-on-PRE.rt +Patch310: 0004-serial-8250-Switch-to-nbcon-console.rt +Patch311: 0005-serial-8250-Revert-drop-lockdep-annotation-from-serial8.rt +Patch312: 0006-locking-rt-Remove-one-__cond_lock-in-RT-s-spin_trylock_.rt +Patch313: 0007-locking-rt-Add-sparse-annotation-for-RCU.rt +Patch314: 0008-locking-rt-Annotate-unlock-followed-by-lock-for-sparse.rt +Patch315: 0009-drm-i915-Use-preempt_disable-enable_rt-where-recommende.rt +Patch316: 0010-drm-i915-Don-t-disable-interrupts-on-PREEMPT_RT-during-.rt +Patch317: 0011-drm-i915-Don-t-check-for-atomic-context-on-PREEMPT_RT.rt +Patch318: 0012-drm-i915-Disable-tracing-points-on-PREEMPT_RT.rt +Patch319: 0013-drm-i915-gt-Use-spin_lock_irq-instead-of-local_irq_disa.rt +Patch320: 0014-drm-i915-Drop-the-irqs_disabled-check.rt +Patch321: 0015-drm-i915-guc-Consider-also-RCU-depth-in-busy-loop.rt +Patch322: 0016-Revert-drm-i915-Depend-on-PREEMPT_RT.rt +Patch323: 0017-sched-Add-TIF_NEED_RESCHED_LAZY-infrastructure.rt +Patch324: 0018-sched-Add-Lazy-preemption-model.rt +Patch325: 0019-sched-Enable-PREEMPT_DYNAMIC-for-PREEMPT_RT.rt +Patch326: 0020-sched-x86-Enable-Lazy-preemption.rt +Patch327: 0021-sched-Add-laziest-preempt-model.rt +Patch328: 0022-sched-Fixup-the-IS_ENABLED-check-for-PREEMPT_LAZY.rt +Patch329: 0023-tracing-Remove-TRACE_FLAG_IRQS_NOSUPPORT.rt +Patch330: 0024-tracing-Record-task-flag-NEED_RESCHED_LAZY.rt +Patch331: 0025-sysfs-Add-sys-kernel-realtime-entry.rt +Patch332: 0001-serial-8250-enable-original-console-by-default.rt +Patch333: 0001-kernel-trace-Add-DISALLOW_TRACE_PRINTK-make-option.rt +Patch334: 0002-Revert-scripts-remove-bin2c.rt +Patch335: 0003-extend-uio-driver-to-supports-msix.rt +Patch336: 0004-virtio-add-VIRTIO_PMD-support.rt +Patch337: 0005-virt-acrn-Introduce-interfaces-for-PIO-device.rt +Patch338: 0006-Add-hypercall-to-access-MSR.rt +Patch339: 0007-Revert-spi-Remove-unused-function-spi_busnum_to_master.rt +Patch340: 0008-igc-add-CONFIG_IGC_TSN_TRACE-conditional-trace_printk-u.rt +Patch341: 0009-stmmac_pci-add-CONFIG_STMMAC_TSN_TRACE-conditional-trac.rt +Patch342: 0010-igb-prepare-for-AF_XDP-zero-copy-support.rt +Patch343: 0011-igb-Introduce-XSK-data-structures-and-helpers.rt +Patch344: 0012-igb-add-AF_XDP-zero-copy-Rx-support.rt +Patch345: 0013-igb-add-AF_XDP-zero-copy-Tx-support.rt +Patch346: 0014-igb-Add-BTF-based-metadata-for-XDP.rt +Patch347: 0015-ANDROID-trace-power-add-trace_clock_set_parent.rt +Patch348: 0016-ANDROID-trace-net-use-pK-for-kernel-pointers.rt +Patch349: 0017-ANDROID-trace-add-non-hierarchical-function_graph-optio.rt +Patch350: 0018-virtio-fix-VIRTIO_PMD-support.rt +Patch351: 0019-drm-i915-add-i915-perf-event-capacity.rt +Patch352: 0020-drm-xe-pm-allow-xe-with-CONFIG_PM.rt #drm -Patch349: 0001-drm-i915-enable-guc-submission-for-ADLs-by-default.drm -Patch350: 0001-drm-i915-disable-a-couple-of-RT-functions-if-RT-is-d.drm -Patch351: 0001-drm-i915-disable-dGPU-support-with-RT-kernel.drm -Patch352: 0001-i915-Update-GUC-to-v70.44.1-for-i915-platforms.drm -Patch353: 0001-Revert-drm-i915-disable-dGPU-support-with-RT-kernel.drm -Patch354: 0001-drm-i915-gt-Avoid-using-masked-workaround-for-CCS_MODE.drm -Patch355: 0002-drm-i915-gt-Move-the-CCS-mode-variable-to-a-global-pos.drm -Patch356: 0003-drm-i915-gt-Allow-the-creation-of-multi-mode-CCS-masks.drm -Patch357: 0004-drm-i915-gt-Refactor-uabi-engine-class-instance-list-c.drm -Patch358: 0005-drm-i915-gem-Mark-and-verify-UABI-engine-validity.drm -Patch359: 0006-drm-i915-gt-Introduce-for_each_enabled_engine-and-appl.drm -Patch360: 0007-drm-i915-gt-Manage-CCS-engine-creation-within-UABI-exp.drm -Patch361: 0008-drm-i915-gt-Remove-cslices-mask-value-from-the-CCS-str.drm -Patch362: 0009-drm-i915-gt-Expose-the-number-of-total-CCS-slices.drm -Patch363: 0010-drm-i915-gt-Store-engine-related-sysfs-kobjects.drm -Patch364: 0011-drm-i915-gt-Store-active-CCS-mask.drm -Patch365: 0012-drm-i915-Protect-access-to-the-UABI-engines-list-with-.drm -Patch366: 0013-drm-i915-gt-Isolate-single-sysfs-engine-file-creation.drm -Patch367: 0014-drm-i915-gt-Implement-creation-and-removal-routines-fo.drm -Patch368: 0015-drm-i915-gt-Allow-the-user-to-change-the-CCS-mode-thro.drm -Patch369: 0016-drm-i915-gt-Refactor-CCS-mode-handling-and-improve-app.drm -Patch370: 0017-drm-i915-no-waiting-for-page-flip-in-vpp-case.drm -Patch371: 0001-Remove-unneeded-files.patch +Patch353: 0001-drm-i915-enable-guc-submission-for-ADLs-by-default.drm +Patch354: 0001-drm-i915-disable-a-couple-of-RT-functions-if-RT-is-d.drm +Patch355: 0001-drm-i915-disable-dGPU-support-with-RT-kernel.drm +Patch356: 0001-i915-Update-GUC-to-v70.44.1-for-i915-platforms.drm +Patch357: 0001-Revert-drm-i915-disable-dGPU-support-with-RT-kernel.drm +Patch358: 0001-drm-i915-gt-Avoid-using-masked-workaround-for-CCS_MODE.drm +Patch359: 0002-drm-i915-gt-Move-the-CCS-mode-variable-to-a-global-pos.drm +Patch360: 0003-drm-i915-gt-Allow-the-creation-of-multi-mode-CCS-masks.drm +Patch361: 0004-drm-i915-gt-Refactor-uabi-engine-class-instance-list-c.drm +Patch362: 0005-drm-i915-gem-Mark-and-verify-UABI-engine-validity.drm +Patch363: 0006-drm-i915-gt-Introduce-for_each_enabled_engine-and-appl.drm +Patch364: 0007-drm-i915-gt-Manage-CCS-engine-creation-within-UABI-exp.drm +Patch365: 0008-drm-i915-gt-Remove-cslices-mask-value-from-the-CCS-str.drm +Patch366: 0009-drm-i915-gt-Expose-the-number-of-total-CCS-slices.drm +Patch367: 0010-drm-i915-gt-Store-engine-related-sysfs-kobjects.drm +Patch368: 0011-drm-i915-gt-Store-active-CCS-mask.drm +Patch369: 0012-drm-i915-Protect-access-to-the-UABI-engines-list-with-.drm +Patch370: 0013-drm-i915-gt-Isolate-single-sysfs-engine-file-creation.drm +Patch371: 0014-drm-i915-gt-Implement-creation-and-removal-routines-fo.drm +Patch372: 0015-drm-i915-gt-Allow-the-user-to-change-the-CCS-mode-thro.drm +Patch373: 0016-drm-i915-gt-Refactor-CCS-mode-handling-and-improve-app.drm +Patch374: 0017-drm-i915-no-waiting-for-page-flip-in-vpp-case.drm +Patch375: 0001-Remove-unneeded-files.patch #rapl -Patch372: 0001-powercap-intel_rapl-Add-support-for-Bartlett-Lake-pl.rapl +Patch376: 0001-powercap-intel_rapl-Add-support-for-Bartlett-Lake-pl.rapl #misc -Patch373: 0001-Add-security.md-file.misc +Patch377: 0001-Add-security.md-file.misc +#iommu +Patch378: 0001-driver-core-add-a-faux-bus-for-use-when-a-simple-dev.iommu +Patch379: 0002-iommu-io-pgtable-arm-dynamically-allocate-selftest-d.iommu #emt-drm -Patch374: 0075-drm-xe-gsc-mei-interrupt-top-half-should-be-in-irq-d.patch -# CVE Patches +Patch380: 0075-drm-xe-gsc-mei-interrupt-top-half-should-be-in-irq-d.patch #CVE-2025-21709 -Patch375: CVE-2025-21709.patch -#CVE-2025-21807 -Patch376: CVE-2025-21807.patch +Patch381: CVE-2025-21709.patch #CVE-2025-21817 -Patch377: CVE-2025-21817.patch -#CVE-2025-22103 -Patch378: CVE-2025-22103.patch +Patch382: CVE-2025-21817.patch #CVE-2025-22104 -Patch379: CVE-2025-22104.patch +Patch383: CVE-2025-22104.patch #CVE-2025-22105 -Patch380: CVE-2025-22105.patch -Patch381: CVE-2025-22105-1.patch -#CVE-2025-22106 -Patch382: CVE-2025-22106.patch +Patch384: CVE-2025-22105.patch +Patch385: CVE-2025-22105-1.patch #CVE-2025-22108 -Patch383: CVE-2025-22108.patch +Patch386: CVE-2025-22108.patch #CVE-2025-22111 -Patch384: CVE-2025-22111.patch -#CVE-2025-22113 -Patch385: CVE-2025-22113.patch -Patch386: CVE-2025-22113-1.patch +Patch387: CVE-2025-22111.patch #CVE-2025-22116 -Patch387: CVE-2025-22116.patch +Patch388: CVE-2025-22116.patch #CVE-2025-22117 -Patch388: CVE-2025-22117.patch +Patch389: CVE-2025-22117.patch #CVE-2025-22121 -Patch389: CVE-2025-22121.patch -Patch390: CVE-2025-22121-1.patch -#CVE-2025-22124 -Patch391: CVE-2025-22124.patch +Patch390: CVE-2025-22121.patch +Patch391: CVE-2025-22121-1.patch #CVE-2025-23131 Patch392: CVE-2025-23131.patch #CVE-2025-37746 @@ -451,73 +447,82 @@ Patch398: CVE-2025-38041-2.patch Patch399: CVE-2025-38029.patch #CVE-2025-38311 Patch400: CVE-2025-38311.patch -#CVE-2025-38306 -Patch401: CVE-2025-38306.patch #CVE-2025-38248 -Patch402: CVE-2025-38248.patch +Patch401: CVE-2025-38248.patch #CVE-2025-38234 -Patch403: CVE-2025-38234.patch +Patch402: CVE-2025-38234.patch #CVE-2025-38207 -Patch404: CVE-2025-38207.patch +Patch403: CVE-2025-38207.patch #CVE-2025-38137 -Patch405: CVE-2025-38137.patch -#CVE-2025-38105 -Patch406: CVE-2025-38105.patch +Patch404: CVE-2025-38137.patch #CVE-2025-40325 -Patch407: CVE-2025-40325.patch +Patch405: CVE-2025-40325.patch #CVE-2025-38284 -Patch408: CVE-2025-38284.patch -Patch409: CVE-2025-38284-1.patch -Patch410: CVE-2025-38284-2.patch -#CVE-2025-38272 -Patch411: CVE-2025-38272.patch -Patch412: CVE-2025-38272-1.patch -Patch413: CVE-2025-38272-2.patch +Patch406: CVE-2025-38284.patch +Patch407: CVE-2025-38284-1.patch +Patch408: CVE-2025-38284-2.patch #CVE-2025-38199 -Patch414: CVE-2025-38199.patch +Patch409: CVE-2025-38199.patch #CVE-2025-38140 -Patch415: CVE-2025-38140.patch +Patch410: CVE-2025-38140.patch #CVE-2025-38132 -Patch416: CVE-2025-38132.patch -Patch417: CVE-2025-38132-1.patch +Patch411: CVE-2025-38132.patch +Patch412: CVE-2025-38132-1.patch #CVE-2025-37743 -Patch418: CVE-2025-37743.patch -#CVE-2025-23133 -Patch419: CVE-2025-23133.patch +Patch413: CVE-2025-37743.patch #CVE-2025-23132 -Patch420: CVE-2025-23132.patch +Patch414: CVE-2025-23132.patch #CVE-2025-23130 -Patch421: CVE-2025-23130.patch +Patch415: CVE-2025-23130.patch #CVE-2025-23129 -Patch422: CVE-2025-23129.patch +Patch416: CVE-2025-23129.patch #CVE-2025-22127 -Patch423: CVE-2025-22127.patch -#CVE-2025-22125 -Patch424: CVE-2025-22125.patch +Patch417: CVE-2025-22127.patch #CVE-2025-22109 -Patch425: CVE-2025-22109.patch +Patch418: CVE-2025-22109.patch #CVE-2025-21752 -Patch426: CVE-2025-21752.patch -Patch427: CVE-2025-21752-1.patch +Patch419: CVE-2025-21752.patch +Patch420: CVE-2025-21752-1.patch #CVE-2025-37860 -Patch428: CVE-2025-37860.patch +Patch421: CVE-2025-37860.patch #CVE-2024-58095 -Patch429: CVE-2024-58095.patch +Patch422: CVE-2024-58095.patch #CVE-2024-58094 -Patch430: CVE-2024-58094.patch +Patch423: CVE-2024-58094.patch #CVE-2024-57995 -Patch431: CVE-2024-57995.patch +Patch424: CVE-2024-57995.patch #CVE-2024-52560 -Patch432: CVE-2024-52560.patch -Patch433: CVE-2024-52560-1.patch +Patch425: CVE-2024-52560.patch +Patch426: CVE-2024-52560-1.patch #CVE-2025-38621 -Patch434: CVE-2025-38621.patch -#CVE-2025-38502 -Patch435: CVE-2025-38502.patch +Patch427: CVE-2025-38621.patch #CVE-2025-38627 -Patch436: CVE-2025-38627.patch +Patch428: CVE-2025-38627.patch #CVE-2025-38643 -Patch437: CVE-2025-38643.patch +Patch429: CVE-2025-38643.patch +#CVE-2025-39789 +Patch430: CVE-2025-39789.patch +#CVE-2025-39764 +Patch431: CVE-2025-39764.patch +#CVE-2025-39745 +Patch432: CVE-2025-39745.patch +#CVE-2025-39677 +Patch433: CVE-2025-39677.patch +#CVE-2025-39933 +Patch434: CVE-2025-39933.patch +#CVE-2025-39833 +Patch435: CVE-2025-39833.patch +#CVE-2025-39925 +Patch436: CVE-2025-39925.patch +#CVE-2025-39905 +Patch437: CVE-2025-39905.patch +#CVE-2025-39859 +Patch438: CVE-2025-39859.patch +#CVE-2025-39910 +Patch439: CVE-2025-39910.patch +#CVE-2025-39981 +Patch440: CVE-2025-39981.patch +# CVE Patches %global security_hardening none %global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh @@ -665,8 +670,8 @@ manipulation of eBPF programs and maps. %prep %define _default_patch_flags -p1 --fuzz=3 --force -%setup -q -n linux-6.12.44 -%autosetup -p1 -n linux-6.12.44 +%setup -q -n linux-6.12.55 +%autosetup -p1 -n linux-6.12.55 # %patch 0 -p1 make mrproper @@ -678,7 +683,7 @@ sed -i 's#CONFIG_SYSTEM_TRUSTED_KEYS=""#CONFIG_SYSTEM_TRUSTED_KEYS="certs/emt.pe cp .config current_config sed -i 's/CONFIG_LOCALVERSION=""/CONFIG_LOCALVERSION="-%{release}"/' .config -make LC_ALL= ARCH=%{arch} oldconfig +make LC_ALL= ARCH=%{arch} olddefconfig # Verify the config files match cp .config new_config @@ -938,6 +943,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Tue Nov 18 2025 Lishan Liu - 6.12.55-1 +- Update kernel to 6.12.55 + * Fri Nov 14 2025 Lishan Liu - 6.12.44-6 - Update audio support in kernel config diff --git a/SPECS/kernel-rt/series b/SPECS/kernel-rt/series index 77137c69c1..38b1f51a3e 100644 --- a/SPECS/kernel-rt/series +++ b/SPECS/kernel-rt/series @@ -1,5 +1,5 @@ -# Series file for v6.12.44 linux kernel -# 11a24528d080a Linux 6.12.44 +# Series file for v6.12.55 linux kernel +# 4fc43debf5047 Linux 6.12.55 #sriov 0001-drm-i915-mtl-Add-C10-table-for-HDMI-Clock-25175.sriov 0002-drm-i915-mtl-Copy-c10-phy-pll-sw-state-from-master-t.sriov @@ -58,6 +58,8 @@ 0002-virtio-break-and-reset-virtio-devices-on-device_shut.sriov 0003-virtgpu-don-t-reset-on-shutdown.sriov 0004-drm-virtio-implement-virtio_gpu_shutdown.sriov +0001-drm-virtio-Wait-until-the-control-and-cursor-queues-.sriov +0001-drm-i915-move-sriov-selftest-buffer-out-of-stack.sriov #security 0001-mei-bus-add-api-to-query-capabilities-of-ME-clien.security 0002-mei-virtio-virtualization-frontend-driver.security @@ -143,6 +145,8 @@ 0013-EDAC-ie31200-Switch-Raptor-Lake-S-to-interrupt-mode.edac 0001-EDAC-ie31200-Add-two-Intel-SoCs-for-EDAC-support.edac 0002-ie31200-EDAC-Add-Intel-Bartlett-Lake-S-SoCs-support.edac +0001-EDAC-igen6-Add-Intel-Amston-Lake-SoCs-support.edac +0002-EDAC-igen6-Add-additional-Intel-Amston-Lake-SoC-compu.edac #tsn 0001-net-pcs-xpcs-enable-xpcs-reset-skipping.tsn 0002-net-stmmac-Bugfix-on-stmmac_interrupt-for-WOL.tsn @@ -387,20 +391,17 @@ 0001-powercap-intel_rapl-Add-support-for-Bartlett-Lake-pl.rapl #misc 0001-Add-security.md-file.misc +#iommu +0001-driver-core-add-a-faux-bus-for-use-when-a-simple-dev.iommu +0002-iommu-io-pgtable-arm-dynamically-allocate-selftest-d.iommu #emt-drm 0075-drm-xe-gsc-mei-interrupt-top-half-should-be-in-irq-d.patch #CVE-2025-21709 CVE-2025-21709.patch -#CVE-2025-21807 -CVE-2025-21807.patch - #CVE-2025-21817 CVE-2025-21817.patch -#CVE-2025-22103 -CVE-2025-22103.patch - #CVE-2025-22104 CVE-2025-22104.patch @@ -408,19 +409,12 @@ CVE-2025-22104.patch CVE-2025-22105.patch CVE-2025-22105-1.patch -#CVE-2025-22106 -CVE-2025-22106.patch - #CVE-2025-22108 CVE-2025-22108.patch #CVE-2025-22111 CVE-2025-22111.patch -#CVE-2025-22113 -CVE-2025-22113.patch -CVE-2025-22113-1.patch - #CVE-2025-22116 CVE-2025-22116.patch @@ -431,9 +425,6 @@ CVE-2025-22117.patch CVE-2025-22121.patch CVE-2025-22121-1.patch -#CVE-2025-22124 -CVE-2025-22124.patch - #CVE-2025-23131 CVE-2025-23131.patch @@ -455,9 +446,6 @@ CVE-2025-38029.patch #CVE-2025-38311 CVE-2025-38311.patch -#CVE-2025-38306 -CVE-2025-38306.patch - #CVE-2025-38248 CVE-2025-38248.patch @@ -470,9 +458,6 @@ CVE-2025-38207.patch #CVE-2025-38137 CVE-2025-38137.patch -#CVE-2025-38105 -CVE-2025-38105.patch - #CVE-2025-40325 CVE-2025-40325.patch @@ -481,11 +466,6 @@ CVE-2025-38284.patch CVE-2025-38284-1.patch CVE-2025-38284-2.patch -#CVE-2025-38272 -CVE-2025-38272.patch -CVE-2025-38272-1.patch -CVE-2025-38272-2.patch - #CVE-2025-38199 CVE-2025-38199.patch @@ -499,9 +479,6 @@ CVE-2025-38132-1.patch #CVE-2025-37743 CVE-2025-37743.patch -#CVE-2025-23133 -CVE-2025-23133.patch - #CVE-2025-23132 CVE-2025-23132.patch @@ -514,9 +491,6 @@ CVE-2025-23129.patch #CVE-2025-22127 CVE-2025-22127.patch -#CVE-2025-22125 -CVE-2025-22125.patch - #CVE-2025-22109 CVE-2025-22109.patch @@ -543,11 +517,41 @@ CVE-2024-52560-1.patch #CVE-2025-38621 CVE-2025-38621.patch -#CVE-2025-38502 -CVE-2025-38502.patch - #CVE-2025-38627 CVE-2025-38627.patch #CVE-2025-38643 CVE-2025-38643.patch + +#CVE-2025-39789 +CVE-2025-39789.patch + +#CVE-2025-39764 +CVE-2025-39764.patch + +#CVE-2025-39745 +CVE-2025-39745.patch + +#CVE-2025-39677 +CVE-2025-39677.patch + +#CVE-2025-39933 +CVE-2025-39933.patch + +#CVE-2025-39833 +CVE-2025-39833.patch + +#CVE-2025-39925 +CVE-2025-39925.patch + +#CVE-2025-39905 +CVE-2025-39905.patch + +#CVE-2025-39859 +CVE-2025-39859.patch + +#CVE-2025-39910 +CVE-2025-39910.patch + +#CVE-2025-39981 +CVE-2025-39981.patch diff --git a/SPECS/kernel/0001-EDAC-igen6-Add-Intel-Amston-Lake-SoCs-support.edac b/SPECS/kernel/0001-EDAC-igen6-Add-Intel-Amston-Lake-SoCs-support.edac new file mode 100644 index 0000000000..df65fb0cad --- /dev/null +++ b/SPECS/kernel/0001-EDAC-igen6-Add-Intel-Amston-Lake-SoCs-support.edac @@ -0,0 +1,40 @@ +From 2660ff568ce93b0810d5105c68aca7f46f280f3e Mon Sep 17 00:00:00 2001 +From: Qiuxu Zhuo +Date: Tue, 8 Apr 2025 21:24:55 +0800 +Subject: [PATCH 1/2] EDAC/igen6: Add Intel Amston Lake SoCs support + +Intel Amston Lake is a series of SoCs tailored for edge computing needs. +The Amston Lake SoCs, equipped with IBECC(In-Band ECC) capability, share +the same IBECC registers with Alder Lake-N SoCs. Add the Intel Amston Lake +SoC compute die ID for EDAC support. + +Signed-off-by: Qiuxu Zhuo +--- + drivers/edac/igen6_edac.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/edac/igen6_edac.c b/drivers/edac/igen6_edac.c +index 77f8e003b5b27..5a26472459a68 100644 +--- a/drivers/edac/igen6_edac.c ++++ b/drivers/edac/igen6_edac.c +@@ -241,6 +241,9 @@ static struct work_struct ecclog_work; + #define DID_ADL_N_SKU11 0x467c + #define DID_ADL_N_SKU12 0x4632 + ++/* Compute did IDs for Amston Lake with IBECC */ ++#define DID_ASL_SKU1 0x464a ++ + /* Compute die IDs for Raptor Lake-P with IBECC */ + #define DID_RPL_P_SKU1 0xa706 + #define DID_RPL_P_SKU2 0xa707 +@@ -596,6 +599,7 @@ static const struct pci_device_id igen6_pci_tbl[] = { + { PCI_VDEVICE(INTEL, DID_ADL_N_SKU10), (kernel_ulong_t)&adl_n_cfg }, + { PCI_VDEVICE(INTEL, DID_ADL_N_SKU11), (kernel_ulong_t)&adl_n_cfg }, + { PCI_VDEVICE(INTEL, DID_ADL_N_SKU12), (kernel_ulong_t)&adl_n_cfg }, ++ { PCI_VDEVICE(INTEL, DID_ASL_SKU1), (kernel_ulong_t)&adl_n_cfg }, + { PCI_VDEVICE(INTEL, DID_RPL_P_SKU1), (kernel_ulong_t)&rpl_p_cfg }, + { PCI_VDEVICE(INTEL, DID_RPL_P_SKU2), (kernel_ulong_t)&rpl_p_cfg }, + { PCI_VDEVICE(INTEL, DID_RPL_P_SKU3), (kernel_ulong_t)&rpl_p_cfg }, +-- +2.43.0 + diff --git a/SPECS/kernel/0001-driver-core-add-a-faux-bus-for-use-when-a-simple-dev.iommu b/SPECS/kernel/0001-driver-core-add-a-faux-bus-for-use-when-a-simple-dev.iommu new file mode 100644 index 0000000000..56f440a2e2 --- /dev/null +++ b/SPECS/kernel/0001-driver-core-add-a-faux-bus-for-use-when-a-simple-dev.iommu @@ -0,0 +1,403 @@ +From eedbf8ed82ccc3ccb52f2073ec0cec157dbb230d Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 10 Feb 2025 13:30:25 +0100 +Subject: [PATCH 1/2] driver core: add a faux bus for use when a simple + device/bus is needed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Many drivers abuse the platform driver/bus system as it provides a +simple way to create and bind a device to a driver-specific set of +probe/release functions. Instead of doing that, and wasting all of the +memory associated with a platform device, here is a "faux" bus that +can be used instead. + +Reviewed-by: Jonathan Cameron +Reviewed-by: Danilo Krummrich +Reviewed-by: Lyude Paul +Reviewed-by: Thomas Weißschuh +Reviewed-by: Zijun Hu +Link: https://lore.kernel.org/r/2025021026-atlantic-gibberish-3f0c@gregkh +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/driver-api/infrastructure.rst | 6 + + drivers/base/Makefile | 2 +- + drivers/base/base.h | 1 + + drivers/base/faux.c | 232 ++++++++++++++++++++ + drivers/base/init.c | 1 + + include/linux/device/faux.h | 69 ++++++ + 6 files changed, 310 insertions(+), 1 deletion(-) + create mode 100644 drivers/base/faux.c + create mode 100644 include/linux/device/faux.h + +diff --git a/Documentation/driver-api/infrastructure.rst b/Documentation/driver-api/infrastructure.rst +index 3d52dfdfa9fdf..35e36fee4238a 100644 +--- a/Documentation/driver-api/infrastructure.rst ++++ b/Documentation/driver-api/infrastructure.rst +@@ -41,6 +41,12 @@ Device Drivers Base + .. kernel-doc:: drivers/base/class.c + :export: + ++.. kernel-doc:: include/linux/device/faux.h ++ :internal: ++ ++.. kernel-doc:: drivers/base/faux.c ++ :export: ++ + .. kernel-doc:: drivers/base/node.c + :internal: + +diff --git a/drivers/base/Makefile b/drivers/base/Makefile +index 7fb21768ca36d..8074a10183dcb 100644 +--- a/drivers/base/Makefile ++++ b/drivers/base/Makefile +@@ -6,7 +6,7 @@ obj-y := component.o core.o bus.o dd.o syscore.o \ + cpu.o firmware.o init.o map.o devres.o \ + attribute_container.o transport_class.o \ + topology.o container.o property.o cacheinfo.o \ +- swnode.o ++ swnode.o faux.o + obj-$(CONFIG_AUXILIARY_BUS) += auxiliary.o + obj-$(CONFIG_DEVTMPFS) += devtmpfs.o + obj-y += power/ +diff --git a/drivers/base/base.h b/drivers/base/base.h +index c4ffd09950433..123031a757d91 100644 +--- a/drivers/base/base.h ++++ b/drivers/base/base.h +@@ -138,6 +138,7 @@ int hypervisor_init(void); + static inline int hypervisor_init(void) { return 0; } + #endif + int platform_bus_init(void); ++int faux_bus_init(void); + void cpu_dev_init(void); + void container_dev_init(void); + #ifdef CONFIG_AUXILIARY_BUS +diff --git a/drivers/base/faux.c b/drivers/base/faux.c +new file mode 100644 +index 0000000000000..531e9d789ee04 +--- /dev/null ++++ b/drivers/base/faux.c +@@ -0,0 +1,232 @@ ++// SPDX-License-Identifier: GPL-2.0-only ++/* ++ * Copyright (c) 2025 Greg Kroah-Hartman ++ * Copyright (c) 2025 The Linux Foundation ++ * ++ * A "simple" faux bus that allows devices to be created and added ++ * automatically to it. This is to be used whenever you need to create a ++ * device that is not associated with any "real" system resources, and do ++ * not want to have to deal with a bus/driver binding logic. It is ++ * intended to be very simple, with only a create and a destroy function ++ * available. ++ */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include "base.h" ++ ++/* ++ * Internal wrapper structure so we can hold a pointer to the ++ * faux_device_ops for this device. ++ */ ++struct faux_object { ++ struct faux_device faux_dev; ++ const struct faux_device_ops *faux_ops; ++}; ++#define to_faux_object(dev) container_of_const(dev, struct faux_object, faux_dev.dev) ++ ++static struct device faux_bus_root = { ++ .init_name = "faux", ++}; ++ ++static int faux_match(struct device *dev, const struct device_driver *drv) ++{ ++ /* Match always succeeds, we only have one driver */ ++ return 1; ++} ++ ++static int faux_probe(struct device *dev) ++{ ++ struct faux_object *faux_obj = to_faux_object(dev); ++ struct faux_device *faux_dev = &faux_obj->faux_dev; ++ const struct faux_device_ops *faux_ops = faux_obj->faux_ops; ++ int ret = 0; ++ ++ if (faux_ops && faux_ops->probe) ++ ret = faux_ops->probe(faux_dev); ++ ++ return ret; ++} ++ ++static void faux_remove(struct device *dev) ++{ ++ struct faux_object *faux_obj = to_faux_object(dev); ++ struct faux_device *faux_dev = &faux_obj->faux_dev; ++ const struct faux_device_ops *faux_ops = faux_obj->faux_ops; ++ ++ if (faux_ops && faux_ops->remove) ++ faux_ops->remove(faux_dev); ++} ++ ++static const struct bus_type faux_bus_type = { ++ .name = "faux", ++ .match = faux_match, ++ .probe = faux_probe, ++ .remove = faux_remove, ++}; ++ ++static struct device_driver faux_driver = { ++ .name = "faux_driver", ++ .bus = &faux_bus_type, ++ .probe_type = PROBE_FORCE_SYNCHRONOUS, ++}; ++ ++static void faux_device_release(struct device *dev) ++{ ++ struct faux_object *faux_obj = to_faux_object(dev); ++ ++ kfree(faux_obj); ++} ++ ++/** ++ * faux_device_create_with_groups - Create and register with the driver ++ * core a faux device and populate the device with an initial ++ * set of sysfs attributes. ++ * @name: The name of the device we are adding, must be unique for ++ * all faux devices. ++ * @parent: Pointer to a potential parent struct device. If set to ++ * NULL, the device will be created in the "root" of the faux ++ * device tree in sysfs. ++ * @faux_ops: struct faux_device_ops that the new device will call back ++ * into, can be NULL. ++ * @groups: The set of sysfs attributes that will be created for this ++ * device when it is registered with the driver core. ++ * ++ * Create a new faux device and register it in the driver core properly. ++ * If present, callbacks in @faux_ops will be called with the device that ++ * for the caller to do something with at the proper time given the ++ * device's lifecycle. ++ * ++ * Note, when this function is called, the functions specified in struct ++ * faux_ops can be called before the function returns, so be prepared for ++ * everything to be properly initialized before that point in time. ++ * ++ * Return: ++ * * NULL if an error happened with creating the device ++ * * pointer to a valid struct faux_device that is registered with sysfs ++ */ ++struct faux_device *faux_device_create_with_groups(const char *name, ++ struct device *parent, ++ const struct faux_device_ops *faux_ops, ++ const struct attribute_group **groups) ++{ ++ struct faux_object *faux_obj; ++ struct faux_device *faux_dev; ++ struct device *dev; ++ int ret; ++ ++ faux_obj = kzalloc(sizeof(*faux_obj), GFP_KERNEL); ++ if (!faux_obj) ++ return NULL; ++ ++ /* Save off the callbacks so we can use them in the future */ ++ faux_obj->faux_ops = faux_ops; ++ ++ /* Initialize the device portion and register it with the driver core */ ++ faux_dev = &faux_obj->faux_dev; ++ dev = &faux_dev->dev; ++ ++ device_initialize(dev); ++ dev->release = faux_device_release; ++ if (parent) ++ dev->parent = parent; ++ else ++ dev->parent = &faux_bus_root; ++ dev->bus = &faux_bus_type; ++ dev->groups = groups; ++ dev_set_name(dev, "%s", name); ++ ++ ret = device_add(dev); ++ if (ret) { ++ pr_err("%s: device_add for faux device '%s' failed with %d\n", ++ __func__, name, ret); ++ put_device(dev); ++ return NULL; ++ } ++ ++ return faux_dev; ++} ++EXPORT_SYMBOL_GPL(faux_device_create_with_groups); ++ ++/** ++ * faux_device_create - create and register with the driver core a faux device ++ * @name: The name of the device we are adding, must be unique for all ++ * faux devices. ++ * @parent: Pointer to a potential parent struct device. If set to ++ * NULL, the device will be created in the "root" of the faux ++ * device tree in sysfs. ++ * @faux_ops: struct faux_device_ops that the new device will call back ++ * into, can be NULL. ++ * ++ * Create a new faux device and register it in the driver core properly. ++ * If present, callbacks in @faux_ops will be called with the device that ++ * for the caller to do something with at the proper time given the ++ * device's lifecycle. ++ * ++ * Note, when this function is called, the functions specified in struct ++ * faux_ops can be called before the function returns, so be prepared for ++ * everything to be properly initialized before that point in time. ++ * ++ * Return: ++ * * NULL if an error happened with creating the device ++ * * pointer to a valid struct faux_device that is registered with sysfs ++ */ ++struct faux_device *faux_device_create(const char *name, ++ struct device *parent, ++ const struct faux_device_ops *faux_ops) ++{ ++ return faux_device_create_with_groups(name, parent, faux_ops, NULL); ++} ++EXPORT_SYMBOL_GPL(faux_device_create); ++ ++/** ++ * faux_device_destroy - destroy a faux device ++ * @faux_dev: faux device to destroy ++ * ++ * Unregisters and cleans up a device that was created with a call to ++ * faux_device_create() ++ */ ++void faux_device_destroy(struct faux_device *faux_dev) ++{ ++ struct device *dev = &faux_dev->dev; ++ ++ if (!faux_dev) ++ return; ++ ++ device_del(dev); ++ ++ /* The final put_device() will clean up the memory we allocated for this device. */ ++ put_device(dev); ++} ++EXPORT_SYMBOL_GPL(faux_device_destroy); ++ ++int __init faux_bus_init(void) ++{ ++ int ret; ++ ++ ret = device_register(&faux_bus_root); ++ if (ret) { ++ put_device(&faux_bus_root); ++ return ret; ++ } ++ ++ ret = bus_register(&faux_bus_type); ++ if (ret) ++ goto error_bus; ++ ++ ret = driver_register(&faux_driver); ++ if (ret) ++ goto error_driver; ++ ++ return ret; ++ ++error_driver: ++ bus_unregister(&faux_bus_type); ++ ++error_bus: ++ device_unregister(&faux_bus_root); ++ return ret; ++} +diff --git a/drivers/base/init.c b/drivers/base/init.c +index c4954835128cf..9d2b06d65dfc6 100644 +--- a/drivers/base/init.c ++++ b/drivers/base/init.c +@@ -32,6 +32,7 @@ void __init driver_init(void) + /* These are also core pieces, but must come after the + * core core pieces. + */ ++ faux_bus_init(); + of_core_init(); + platform_bus_init(); + auxiliary_bus_init(); +diff --git a/include/linux/device/faux.h b/include/linux/device/faux.h +new file mode 100644 +index 0000000000000..9f43c0e46aa45 +--- /dev/null ++++ b/include/linux/device/faux.h +@@ -0,0 +1,69 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++/* ++ * Copyright (c) 2025 Greg Kroah-Hartman ++ * Copyright (c) 2025 The Linux Foundation ++ * ++ * A "simple" faux bus that allows devices to be created and added ++ * automatically to it. This is to be used whenever you need to create a ++ * device that is not associated with any "real" system resources, and do ++ * not want to have to deal with a bus/driver binding logic. It is ++ * intended to be very simple, with only a create and a destroy function ++ * available. ++ */ ++#ifndef _FAUX_DEVICE_H_ ++#define _FAUX_DEVICE_H_ ++ ++#include ++#include ++ ++/** ++ * struct faux_device - a "faux" device ++ * @dev: internal struct device of the object ++ * ++ * A simple faux device that can be created/destroyed. To be used when a ++ * driver only needs to have a device to "hang" something off. This can be ++ * used for downloading firmware or other basic tasks. Use this instead of ++ * a struct platform_device if the device has no resources assigned to ++ * it at all. ++ */ ++struct faux_device { ++ struct device dev; ++}; ++#define to_faux_device(x) container_of_const((x), struct faux_device, dev) ++ ++/** ++ * struct faux_device_ops - a set of callbacks for a struct faux_device ++ * @probe: called when a faux device is probed by the driver core ++ * before the device is fully bound to the internal faux bus ++ * code. If probe succeeds, return 0, otherwise return a ++ * negative error number to stop the probe sequence from ++ * succeeding. ++ * @remove: called when a faux device is removed from the system ++ * ++ * Both @probe and @remove are optional, if not needed, set to NULL. ++ */ ++struct faux_device_ops { ++ int (*probe)(struct faux_device *faux_dev); ++ void (*remove)(struct faux_device *faux_dev); ++}; ++ ++struct faux_device *faux_device_create(const char *name, ++ struct device *parent, ++ const struct faux_device_ops *faux_ops); ++struct faux_device *faux_device_create_with_groups(const char *name, ++ struct device *parent, ++ const struct faux_device_ops *faux_ops, ++ const struct attribute_group **groups); ++void faux_device_destroy(struct faux_device *faux_dev); ++ ++static inline void *faux_device_get_drvdata(const struct faux_device *faux_dev) ++{ ++ return dev_get_drvdata(&faux_dev->dev); ++} ++ ++static inline void faux_device_set_drvdata(struct faux_device *faux_dev, void *data) ++{ ++ dev_set_drvdata(&faux_dev->dev, data); ++} ++ ++#endif /* _FAUX_DEVICE_H_ */ +-- +2.43.0 + diff --git a/SPECS/kernel/0001-drm-i915-move-sriov-selftest-buffer-out-of-stack.sriov b/SPECS/kernel/0001-drm-i915-move-sriov-selftest-buffer-out-of-stack.sriov new file mode 100644 index 0000000000..fe7381259b --- /dev/null +++ b/SPECS/kernel/0001-drm-i915-move-sriov-selftest-buffer-out-of-stack.sriov @@ -0,0 +1,68 @@ +From 140444823a5e75b687391abcd563af8d068c931f Mon Sep 17 00:00:00 2001 +From: Junxiao Chang +Date: Thu, 25 Sep 2025 18:29:57 +0800 +Subject: [PATCH] drm/i915: move sriov selftest buffer out of stack + +this is to fix i915 sriov selftest buffer limit issue. + +Signed-off-by: Junxiao Chang +--- + .../drm/i915/gt/iov/selftests/selftest_live_iov_relay.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/i915/gt/iov/selftests/selftest_live_iov_relay.c b/drivers/gpu/drm/i915/gt/iov/selftests/selftest_live_iov_relay.c +index b3ef7dcedf534..d6f7b461302df 100644 +--- a/drivers/gpu/drm/i915/gt/iov/selftests/selftest_live_iov_relay.c ++++ b/drivers/gpu/drm/i915/gt/iov/selftests/selftest_live_iov_relay.c +@@ -348,6 +348,7 @@ static int pf_loopback_one_way_to_vf(void *arg) + return ret; + } + ++static u32 pf_full_loopback_to_vf_buf[PF2GUC_RELAY_TO_VF_REQUEST_MSG_NUM_RELAY_DATA]; + static int pf_full_loopback_to_vf(void *arg) + { + struct intel_iov *iov = arg; +@@ -356,7 +357,6 @@ static int pf_full_loopback_to_vf(void *arg) + FIELD_PREP(GUC_HXG_REQUEST_MSG_n_DATAn, SELFTEST_RELAY_DATA), + /* ... */ + }; +- u32 buf[PF2GUC_RELAY_TO_VF_REQUEST_MSG_NUM_RELAY_DATA]; + unsigned int n; + int ret = 0; + +@@ -365,7 +365,7 @@ static int pf_full_loopback_to_vf(void *arg) + for (n = GUC_HXG_MSG_MIN_LEN; n <= ARRAY_SIZE(msg); n++) { + + ret = intel_iov_relay_send_to_vf(&iov->relay, PFID, msg, n, +- buf, ARRAY_SIZE(buf)); ++ pf_full_loopback_to_vf_buf, ARRAY_SIZE(pf_full_loopback_to_vf_buf)); + + if (ret < 0) { + IOV_SELFTEST_ERROR(iov, "failed to send msg len=%u, %d\n", n, ret); +@@ -438,6 +438,7 @@ static int pf_loopback_one_way_to_pf(void *arg) + return ret; + } + ++static u32 relay_request_to_pf_buf[PF2GUC_RELAY_TO_VF_REQUEST_MSG_NUM_RELAY_DATA]; + static int relay_request_to_pf(struct intel_iov *iov) + { + u32 msg[VF2GUC_RELAY_TO_PF_REQUEST_MSG_NUM_RELAY_DATA] = { +@@ -445,14 +446,13 @@ static int relay_request_to_pf(struct intel_iov *iov) + FIELD_PREP(GUC_HXG_REQUEST_MSG_n_DATAn, SELFTEST_RELAY_DATA), + /* ... */ + }; +- u32 buf[PF2GUC_RELAY_TO_VF_REQUEST_MSG_NUM_RELAY_DATA]; + unsigned int n; + int ret = 0; + + for (n = GUC_HXG_MSG_MIN_LEN; n <= ARRAY_SIZE(msg); n++) { + + ret = intel_iov_relay_send_to_pf(&iov->relay, msg, n, +- buf, ARRAY_SIZE(buf)); ++ relay_request_to_pf_buf, ARRAY_SIZE(relay_request_to_pf_buf)); + + if (ret < 0) { + IOV_SELFTEST_ERROR(iov, "failed to send len=%u, %d\n", n, ret); +-- +2.43.0 + diff --git a/SPECS/kernel/0001-drm-virtio-Wait-until-the-control-and-cursor-queues-.sriov b/SPECS/kernel/0001-drm-virtio-Wait-until-the-control-and-cursor-queues-.sriov new file mode 100644 index 0000000000..cbe23fa5a7 --- /dev/null +++ b/SPECS/kernel/0001-drm-virtio-Wait-until-the-control-and-cursor-queues-.sriov @@ -0,0 +1,35 @@ +From c907329d449811f5aa58f2b2a3633b6012774e37 Mon Sep 17 00:00:00 2001 +From: Dongwon Kim +Date: Wed, 10 Sep 2025 20:48:45 -0700 +Subject: [PATCH] drm/virtio: Wait until the control and cursor queues are + fully emptied + +It is needed to wait until the queues are fully emptied before +doing freeze/suspend. + +Signed-off-by: Dongwon Kim +--- + drivers/gpu/drm/virtio/virtgpu_drv.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.c b/drivers/gpu/drm/virtio/virtgpu_drv.c +index d6fb1dbfaa27e..d1b189b1a9b75 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_drv.c ++++ b/drivers/gpu/drm/virtio/virtgpu_drv.c +@@ -176,6 +176,13 @@ static int virtgpu_freeze(struct virtio_device *vdev) + flush_work(&vgdev->ctrlq.dequeue_work); + flush_work(&vgdev->cursorq.dequeue_work); + flush_work(&vgdev->config_changed_work); ++ ++ wait_event(vgdev->ctrlq.ack_queue, ++ vgdev->ctrlq.vq->num_free == vgdev->ctrlq.vq->num_max); ++ ++ wait_event(vgdev->cursorq.ack_queue, ++ vgdev->cursorq.vq->num_free == vgdev->cursorq.vq->num_max); ++ + vdev->config->del_vqs(vdev); + + return 0; +-- +2.43.0 + diff --git a/SPECS/kernel/0002-EDAC-igen6-Add-additional-Intel-Amston-Lake-SoC-compu.edac b/SPECS/kernel/0002-EDAC-igen6-Add-additional-Intel-Amston-Lake-SoC-compu.edac new file mode 100644 index 0000000000..6de1aa49ca --- /dev/null +++ b/SPECS/kernel/0002-EDAC-igen6-Add-additional-Intel-Amston-Lake-SoC-compu.edac @@ -0,0 +1,42 @@ +From 5f97c9c7f42efdede7a9a8aeb76dfb5fec616a98 Mon Sep 17 00:00:00 2001 +From: Jie Wang +Date: Thu, 9 Oct 2025 14:41:21 +0000 +Subject: [PATCH 2/2] EDAC/igen6: Add additional Intel Amston Lake SoC compute + die IDs + +Add two more Intel Amston Lake SoC compute die IDs for EDAC support. +These SoCs also feature IBECC (In-Band ECC) capability and share the +same IBECC registers with Alder Lake-N SoCs. + +Signed-off-by: Jie Wang +--- + drivers/edac/igen6_edac.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/edac/igen6_edac.c b/drivers/edac/igen6_edac.c +index 5a26472459a68..28a168cc56938 100644 +--- a/drivers/edac/igen6_edac.c ++++ b/drivers/edac/igen6_edac.c +@@ -242,7 +242,9 @@ static struct work_struct ecclog_work; + #define DID_ADL_N_SKU12 0x4632 + + /* Compute did IDs for Amston Lake with IBECC */ +-#define DID_ASL_SKU1 0x464a ++#define DID_ASL_SKU1 0x4646 ++#define DID_ASL_SKU2 0x464a ++#define DID_ASL_SKU3 0x4652 + + /* Compute die IDs for Raptor Lake-P with IBECC */ + #define DID_RPL_P_SKU1 0xa706 +@@ -600,6 +602,8 @@ static const struct pci_device_id igen6_pci_tbl[] = { + { PCI_VDEVICE(INTEL, DID_ADL_N_SKU11), (kernel_ulong_t)&adl_n_cfg }, + { PCI_VDEVICE(INTEL, DID_ADL_N_SKU12), (kernel_ulong_t)&adl_n_cfg }, + { PCI_VDEVICE(INTEL, DID_ASL_SKU1), (kernel_ulong_t)&adl_n_cfg }, ++ { PCI_VDEVICE(INTEL, DID_ASL_SKU2), (kernel_ulong_t)&adl_n_cfg }, ++ { PCI_VDEVICE(INTEL, DID_ASL_SKU3), (kernel_ulong_t)&adl_n_cfg }, + { PCI_VDEVICE(INTEL, DID_RPL_P_SKU1), (kernel_ulong_t)&rpl_p_cfg }, + { PCI_VDEVICE(INTEL, DID_RPL_P_SKU2), (kernel_ulong_t)&rpl_p_cfg }, + { PCI_VDEVICE(INTEL, DID_RPL_P_SKU3), (kernel_ulong_t)&rpl_p_cfg }, +-- +2.43.0 + diff --git a/SPECS/kernel/0002-iommu-io-pgtable-arm-dynamically-allocate-selftest-d.iommu b/SPECS/kernel/0002-iommu-io-pgtable-arm-dynamically-allocate-selftest-d.iommu new file mode 100644 index 0000000000..c6c4f119f8 --- /dev/null +++ b/SPECS/kernel/0002-iommu-io-pgtable-arm-dynamically-allocate-selftest-d.iommu @@ -0,0 +1,75 @@ +From c12224181515440d5b54af8dc9ecd1afdb762f24 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Wed, 23 Apr 2025 18:48:16 +0200 +Subject: [PATCH 2/2] iommu/io-pgtable-arm: dynamically allocate selftest + device struct + +In general a 'struct device' is way too large to be put on the kernel +stack. Apparently something just caused it to grow a slightly larger, +which pushed the arm_lpae_do_selftests() function over the warning +limit in some configurations: + +drivers/iommu/io-pgtable-arm.c:1423:19: error: stack frame size (1032) exceeds limit (1024) in 'arm_lpae_do_selftests' [-Werror,-Wframe-larger-than] + 1423 | static int __init arm_lpae_do_selftests(void) + | ^ + +Change the function to use a dynamically allocated faux_device +instead of the on-stack device structure. + +Fixes: ca25ec247aad ("iommu/io-pgtable-arm: Remove iommu_dev==NULL special case") +Link: https://lore.kernel.org/all/ab75a444-22a1-47f5-b3c0-253660395b5a@arm.com/ +Signed-off-by: Arnd Bergmann +Reviewed-by: Robin Murphy +Link: https://lore.kernel.org/r/20250423164826.2931382-1-arnd@kernel.org +Signed-off-by: Joerg Roedel +--- + drivers/iommu/io-pgtable-arm.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c +index a286c5404ea70..2c660ed4eacaf 100644 +--- a/drivers/iommu/io-pgtable-arm.c ++++ b/drivers/iommu/io-pgtable-arm.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1414,16 +1415,18 @@ static int __init arm_lpae_do_selftests(void) + }; + + int i, j, pass = 0, fail = 0; +- struct device dev; ++ struct faux_device *dev; + struct io_pgtable_cfg cfg = { + .tlb = &dummy_tlb_ops, + .oas = 48, + .coherent_walk = true, +- .iommu_dev = &dev, + }; + +- /* __arm_lpae_alloc_pages() merely needs dev_to_node() to work */ +- set_dev_node(&dev, NUMA_NO_NODE); ++ dev = faux_device_create("io-pgtable-test", NULL, 0); ++ if (!dev) ++ return -ENOMEM; ++ ++ cfg.iommu_dev = &dev->dev; + + for (i = 0; i < ARRAY_SIZE(pgsize); ++i) { + for (j = 0; j < ARRAY_SIZE(ias); ++j) { +@@ -1439,6 +1442,8 @@ static int __init arm_lpae_do_selftests(void) + } + + pr_info("selftest: completed with %d PASS %d FAIL\n", pass, fail); ++ faux_device_destroy(dev); ++ + return fail ? -EFAULT : 0; + } + subsys_initcall(arm_lpae_do_selftests); +-- +2.43.0 + diff --git a/SPECS/kernel/0008-igc-Add-support-for-Frame-Preemption-verification.tsn b/SPECS/kernel/0008-igc-Add-support-for-Frame-Preemption-verification.tsn index 816b09b967..bc143a1966 100644 --- a/SPECS/kernel/0008-igc-Add-support-for-Frame-Preemption-verification.tsn +++ b/SPECS/kernel/0008-igc-Add-support-for-Frame-Preemption-verification.tsn @@ -30,8 +30,8 @@ Signed-off-by: Aravindhan Gunasekaran drivers/net/ethernet/intel/igc/igc_main.c | 216 +++++++++++++++++++ 4 files changed, 261 insertions(+), 3 deletions(-) -diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h -index b2b6da3e9c8d3..479dcd7500f56 100644 +Index: b/drivers/net/ethernet/intel/igc/igc.h +=================================================================== --- a/drivers/net/ethernet/intel/igc/igc.h +++ b/drivers/net/ethernet/intel/igc/igc.h @@ -198,6 +198,13 @@ struct igc_ring { @@ -48,10 +48,10 @@ index b2b6da3e9c8d3..479dcd7500f56 100644 /* Board specific private data structure */ struct igc_adapter { struct net_device *netdev; -@@ -339,6 +346,14 @@ struct igc_adapter { - /* LEDs */ +@@ -341,6 +348,14 @@ struct igc_adapter { struct mutex led_mutex; struct igc_led_classdev *leds; + bool leds_available; + + struct delayed_work fp_verification_work; + unsigned long fp_start; @@ -63,8 +63,8 @@ index b2b6da3e9c8d3..479dcd7500f56 100644 }; void igc_up(struct igc_adapter *adapter); -diff --git a/drivers/net/ethernet/intel/igc/igc_defines.h b/drivers/net/ethernet/intel/igc/igc_defines.h -index e08dfba0ea69d..45da4ffd4ec75 100644 +Index: b/drivers/net/ethernet/intel/igc/igc_defines.h +=================================================================== --- a/drivers/net/ethernet/intel/igc/igc_defines.h +++ b/drivers/net/ethernet/intel/igc/igc_defines.h @@ -308,6 +308,8 @@ @@ -97,11 +97,11 @@ index e08dfba0ea69d..45da4ffd4ec75 100644 #define IGC_RXDEXT_STATERR_L4E 0x20000000 #define IGC_RXDEXT_STATERR_IPE 0x40000000 #define IGC_RXDEXT_STATERR_RXE 0x80000000 -diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c -index 52ca64569cb59..761bafd585b37 100644 +Index: b/drivers/net/ethernet/intel/igc/igc_ethtool.c +=================================================================== --- a/drivers/net/ethernet/intel/igc/igc_ethtool.c +++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c -@@ -1789,6 +1789,8 @@ static int igc_ethtool_get_preempt(struct net_device *netdev, +@@ -1789,6 +1789,8 @@ static int igc_ethtool_get_preempt(struc fpcmd->enabled = adapter->frame_preemption_active; fpcmd->add_frag_size = adapter->add_frag_size; @@ -110,7 +110,7 @@ index 52ca64569cb59..761bafd585b37 100644 return 0; } -@@ -1805,10 +1807,22 @@ static int igc_ethtool_set_preempt(struct net_device *netdev, +@@ -1805,10 +1807,22 @@ static int igc_ethtool_set_preempt(struc return -EINVAL; } @@ -136,8 +136,8 @@ index 52ca64569cb59..761bafd585b37 100644 } static int igc_ethtool_get_link_ksettings(struct net_device *netdev, -diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c -index ca720ddff3af8..a81e9240cf6c8 100644 +Index: b/drivers/net/ethernet/intel/igc/igc_main.c +=================================================================== --- a/drivers/net/ethernet/intel/igc/igc_main.c +++ b/drivers/net/ethernet/intel/igc/igc_main.c @@ -30,6 +30,11 @@ @@ -152,7 +152,7 @@ index ca720ddff3af8..a81e9240cf6c8 100644 static int debug = -1; MODULE_DESCRIPTION(DRV_SUMMARY); -@@ -2448,6 +2453,79 @@ static int igc_xdp_init_tx_descriptor(struct igc_ring *ring, +@@ -2449,6 +2454,79 @@ unmap: return -ENOMEM; } @@ -232,7 +232,7 @@ index ca720ddff3af8..a81e9240cf6c8 100644 static struct igc_ring *igc_xdp_get_tx_ring(struct igc_adapter *adapter, int cpu) { -@@ -2577,6 +2655,19 @@ static void igc_update_rx_stats(struct igc_q_vector *q_vector, +@@ -2578,6 +2656,19 @@ static void igc_update_rx_stats(struct i q_vector->rx.total_bytes += bytes; } @@ -252,7 +252,7 @@ index ca720ddff3af8..a81e9240cf6c8 100644 static int igc_clean_rx_irq(struct igc_q_vector *q_vector, const int budget) { unsigned int total_bytes = 0, total_packets = 0; -@@ -2592,6 +2683,7 @@ static int igc_clean_rx_irq(struct igc_q_vector *q_vector, const int budget) +@@ -2593,6 +2684,7 @@ static int igc_clean_rx_irq(struct igc_q union igc_adv_rx_desc *rx_desc; unsigned int size, truesize; int pkt_offset = 0; @@ -260,7 +260,7 @@ index ca720ddff3af8..a81e9240cf6c8 100644 void *pktbuf; /* return some buffers to hardware, one at a time is too slow */ -@@ -2622,6 +2714,22 @@ static int igc_clean_rx_irq(struct igc_q_vector *q_vector, const int budget) +@@ -2623,6 +2715,22 @@ static int igc_clean_rx_irq(struct igc_q size -= IGC_TS_HDR_LEN; } @@ -283,7 +283,7 @@ index ca720ddff3af8..a81e9240cf6c8 100644 if (!skb) { xdp_init_buff(&ctx.xdp, truesize, &rx_ring->xdp_rxq); xdp_prepare_buff(&ctx.xdp, pktbuf - igc_rx_offset(rx_ring), -@@ -6548,6 +6656,107 @@ static int igc_tsn_enable_cbs(struct igc_adapter *adapter, +@@ -6552,6 +6660,107 @@ static int igc_tsn_enable_cbs(struct igc return igc_tsn_offload_apply(adapter); } @@ -391,7 +391,7 @@ index ca720ddff3af8..a81e9240cf6c8 100644 static int igc_tc_query_caps(struct igc_adapter *adapter, struct tc_query_caps_base *base) { -@@ -7122,6 +7331,7 @@ static int igc_probe(struct pci_dev *pdev, +@@ -7130,6 +7339,7 @@ static int igc_probe(struct pci_dev *pde INIT_WORK(&adapter->reset_task, igc_reset_task); INIT_WORK(&adapter->watchdog_task, igc_watchdog_task); @@ -399,7 +399,7 @@ index ca720ddff3af8..a81e9240cf6c8 100644 hrtimer_init(&adapter->hrtimer, CLOCK_MONOTONIC, HRTIMER_MODE_REL); adapter->hrtimer.function = &igc_qbv_scheduling_timer; -@@ -7148,6 +7358,12 @@ static int igc_probe(struct pci_dev *pdev, +@@ -7156,6 +7366,12 @@ static int igc_probe(struct pci_dev *pde igc_tsn_clear_schedule(adapter); @@ -412,6 +412,3 @@ index ca720ddff3af8..a81e9240cf6c8 100644 /* reset the hardware with the new settings */ igc_reset(adapter); --- -2.25.1 - diff --git a/SPECS/kernel/CVE-2025-21807.patch b/SPECS/kernel/CVE-2025-21807.patch deleted file mode 100644 index 08da1ab981..0000000000 --- a/SPECS/kernel/CVE-2025-21807.patch +++ /dev/null @@ -1,169 +0,0 @@ -From dd680ab1ce367fde34fb89faaad97e92929a7f34 Mon Sep 17 00:00:00 2001 -From: Christoph Hellwig -Date: Fri, 10 Jan 2025 06:47:14 +0100 -Subject: [PATCH 3/4] block: fix queue freeze vs limits lock order in sysfs - store methods - -queue_attr_store() always freezes a device queue before calling the -attribute store operation. For attributes that control queue limits, the -store operation will also lock the queue limits with a call to -queue_limits_start_update(). However, some drivers (e.g. SCSI sd) may -need to issue commands to a device to obtain limit values from the -hardware with the queue limits locked. This creates a potential ABBA -deadlock situation if a user attempts to modify a limit (thus freezing -the device queue) while the device driver starts a revalidation of the -device queue limits. - -Avoid such deadlock by not freezing the queue before calling the -->store_limit() method in struct queue_sysfs_entry and instead use the -queue_limits_commit_update_frozen helper to freeze the queue after taking -the limits lock. - -This also removes taking the sysfs lock for the store_limit method as -it doesn't protect anything here, but creates even more nesting. -Hopefully it will go away from the actual sysfs methods entirely soon. - -(commit log adapted from a similar patch from Damien Le Moal) - -Fixes: ff956a3be95b ("block: use queue_limits_commit_update in queue_discard_max_store") -Fixes: 0327ca9d53bf ("block: use queue_limits_commit_update in queue_max_sectors_store") -Signed-off-by: Christoph Hellwig -Reviewed-by: Ming Lei -Reviewed-by: Damien Le Moal -Reviewed-by: Martin K. Petersen -Reviewed-by: Nilay Shroff -Reviewed-by: Johannes Thumshirn -Link: https://lore.kernel.org/r/20250110054726.1499538-7-hch@lst.de -Signed-off-by: Jens Axboe ---- - block/blk-settings.c | 26 ++++++++++++++++++++++++++ - block/blk-sysfs.c | 33 +++++++++++++++++++++++++++------ - include/linux/blkdev.h | 2 ++ - 3 files changed, 55 insertions(+), 6 deletions(-) - -diff --git a/block/blk-settings.c b/block/blk-settings.c -index 7abf034089cd..3907ea71213f 100644 ---- a/block/blk-settings.c -+++ b/block/blk-settings.c -@@ -426,6 +426,32 @@ int queue_limits_commit_update(struct request_queue *q, - } - EXPORT_SYMBOL_GPL(queue_limits_commit_update); - -+ -+/** -+ * queue_limits_commit_update_frozen - commit an atomic update of queue limits -+ * @q: queue to update -+ * @lim: limits to apply -+ * -+ * Apply the limits in @lim that were obtained from queue_limits_start_update() -+ * and updated with the new values by the caller to @q. Freezes the queue -+ * before the update and unfreezes it after. -+ * -+ * Returns 0 if successful, else a negative error code. -+ */ -+int queue_limits_commit_update_frozen(struct request_queue *q, -+ struct queue_limits *lim) -+{ -+ int ret; -+ -+ blk_mq_freeze_queue(q); -+ ret = queue_limits_commit_update(q, lim); -+ blk_mq_unfreeze_queue(q); -+ -+ return ret; -+} -+EXPORT_SYMBOL_GPL(queue_limits_commit_update_frozen); -+ -+ - /** - * queue_limits_set - apply queue limits to queue - * @q: queue to update -diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c -index 692b27266220..69bdd48ceae2 100644 ---- a/block/blk-sysfs.c -+++ b/block/blk-sysfs.c -@@ -23,8 +23,10 @@ - struct queue_sysfs_entry { - struct attribute attr; - ssize_t (*show)(struct gendisk *disk, char *page); -- int (*load_module)(struct gendisk *disk, const char *page, size_t count); - ssize_t (*store)(struct gendisk *disk, const char *page, size_t count); -+ int (*store_limit)(struct gendisk *disk, const char *page, -+ size_t count, struct queue_limits *lim); -+ int (*load_module)(struct gendisk *disk, const char *page, size_t count); - }; - - static ssize_t -@@ -421,6 +423,13 @@ static struct queue_sysfs_entry _prefix##_entry = { \ - .store = _prefix##_store, \ - }; - -+#define QUEUE_LIM_RW_ENTRY(_prefix, _name) \ -+static struct queue_sysfs_entry _prefix##_entry = { \ -+ .attr = { .name = _name, .mode = 0644 }, \ -+ .show = _prefix##_show, \ -+ .store_limit = _prefix##_store, \ -+} -+ - #define QUEUE_RW_LOAD_MODULE_ENTRY(_prefix, _name) \ - static struct queue_sysfs_entry _prefix##_entry = { \ - .attr = { .name = _name, .mode = 0644 }, \ -@@ -683,7 +692,7 @@ queue_attr_store(struct kobject *kobj, struct attribute *attr, - struct request_queue *q = disk->queue; - ssize_t res; - -- if (!entry->store) -+ if (!entry->store_limit && !entry->store) - return -EIO; - - /* -@@ -691,17 +700,29 @@ queue_attr_store(struct kobject *kobj, struct attribute *attr, - * queue to ensure that the module file can be read when the request - * queue is the one for the device storing the module file. - */ -- if (entry->load_module) { -- res = entry->load_module(disk, page, length); -+ if (entry->load_module) -+ entry->load_module(disk, page, length); -+ -+ if (entry->store_limit) { -+ struct queue_limits lim = queue_limits_start_update(q); -+ -+ res = entry->store_limit(disk, page, length, &lim); -+ if (res < 0) { -+ queue_limits_cancel_update(q); -+ return res; -+ } -+ -+ res = queue_limits_commit_update_frozen(q, &lim); - if (res) - return res; -+ return length; - } - -- blk_mq_freeze_queue(q); - mutex_lock(&q->sysfs_lock); -+ blk_mq_freeze_queue(q); - res = entry->store(disk, page, length); -- mutex_unlock(&q->sysfs_lock); - blk_mq_unfreeze_queue(q); -+ mutex_unlock(&q->sysfs_lock); - return res; - } - -diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h -index 8f37c5dd52b2..69737a1551fe 100644 ---- a/include/linux/blkdev.h -+++ b/include/linux/blkdev.h -@@ -935,6 +935,8 @@ queue_limits_start_update(struct request_queue *q) - mutex_lock(&q->limits_lock); - return q->limits; - } -+int queue_limits_commit_update_frozen(struct request_queue *q, -+ struct queue_limits *lim); - int queue_limits_commit_update(struct request_queue *q, - struct queue_limits *lim); - int queue_limits_set(struct request_queue *q, struct queue_limits *lim); --- -2.25.1 - diff --git a/SPECS/kernel/CVE-2025-21817.patch b/SPECS/kernel/CVE-2025-21817.patch index ae8a91cef0..717fe82547 100644 --- a/SPECS/kernel/CVE-2025-21817.patch +++ b/SPECS/kernel/CVE-2025-21817.patch @@ -1,7 +1,7 @@ -From 961a8f3d5f63a1c4b1d93f9d12c2dc7264d4434e Mon Sep 17 00:00:00 2001 +From 1605aaf3ed80ecc295f493c28946af971d36389e Mon Sep 17 00:00:00 2001 From: Ming Lei Date: Mon, 13 Jan 2025 09:58:33 +0800 -Subject: [PATCH 4/4] block: mark GFP_NOIO around sysfs ->store() +Subject: [PATCH] block: mark GFP_NOIO around sysfs ->store() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -26,27 +26,27 @@ Signed-off-by: Jens Axboe 1 file changed, 3 insertions(+) diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c -index 69bdd48ceae2..496564485bad 100644 +index 6a38f312e385..063c578d3e4b 100644 --- a/block/blk-sysfs.c +++ b/block/blk-sysfs.c -@@ -690,6 +690,7 @@ queue_attr_store(struct kobject *kobj, struct attribute *attr, +@@ -681,6 +681,7 @@ queue_attr_store(struct kobject *kobj, struct attribute *attr, struct queue_sysfs_entry *entry = to_queue(attr); struct gendisk *disk = container_of(kobj, struct gendisk, queue_kobj); struct request_queue *q = disk->queue; + unsigned int noio_flag; ssize_t res; - if (!entry->store_limit && !entry->store) -@@ -720,7 +721,9 @@ queue_attr_store(struct kobject *kobj, struct attribute *attr, + if (!entry->store) +@@ -699,7 +700,9 @@ queue_attr_store(struct kobject *kobj, struct attribute *attr, - mutex_lock(&q->sysfs_lock); blk_mq_freeze_queue(q); + mutex_lock(&q->sysfs_lock); + noio_flag = memalloc_noio_save(); res = entry->store(disk, page, length); + memalloc_noio_restore(noio_flag); - blk_mq_unfreeze_queue(q); mutex_unlock(&q->sysfs_lock); + blk_mq_unfreeze_queue(q); return res; -- -2.25.1 +2.43.0 diff --git a/SPECS/kernel/CVE-2025-22103.patch b/SPECS/kernel/CVE-2025-22103.patch deleted file mode 100644 index 0758824ca2..0000000000 --- a/SPECS/kernel/CVE-2025-22103.patch +++ /dev/null @@ -1,61 +0,0 @@ -From a7feb0e9dda0ebb66c810ad9bd0bbeb2823bd89f Mon Sep 17 00:00:00 2001 -From: Wang Liang -Date: Fri, 21 Mar 2025 17:03:53 +0800 -Subject: [PATCH] net: fix NULL pointer dereference in l3mdev_l3_rcv - -When delete l3s ipvlan: - - ip link del link eth0 ipvlan1 type ipvlan mode l3s - -This may cause a null pointer dereference: - - Call trace: - ip_rcv_finish+0x48/0xd0 - ip_rcv+0x5c/0x100 - __netif_receive_skb_one_core+0x64/0xb0 - __netif_receive_skb+0x20/0x80 - process_backlog+0xb4/0x204 - napi_poll+0xe8/0x294 - net_rx_action+0xd8/0x22c - __do_softirq+0x12c/0x354 - -This is because l3mdev_l3_rcv() visit dev->l3mdev_ops after -ipvlan_l3s_unregister() assign the dev->l3mdev_ops to NULL. The process -like this: - - (CPU1) | (CPU2) - l3mdev_l3_rcv() | - check dev->priv_flags: | - master = skb->dev; | - | - | ipvlan_l3s_unregister() - | set dev->priv_flags - | dev->l3mdev_ops = NULL; - | - visit master->l3mdev_ops | - -To avoid this by do not set dev->l3mdev_ops when unregister l3s ipvlan. - -Suggested-by: David Ahern -Fixes: c675e06a98a4 ("ipvlan: decouple l3s mode dependencies from other modes") -Signed-off-by: Wang Liang -Reviewed-by: Simon Horman -Link: https://patch.msgid.link/20250321090353.1170545-1-wangliang74@huawei.com -Signed-off-by: Jakub Kicinski ---- - drivers/net/ipvlan/ipvlan_l3s.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/drivers/net/ipvlan/ipvlan_l3s.c b/drivers/net/ipvlan/ipvlan_l3s.c -index d5b05e803219..ca35a50bb640 100644 ---- a/drivers/net/ipvlan/ipvlan_l3s.c -+++ b/drivers/net/ipvlan/ipvlan_l3s.c -@@ -224,5 +224,4 @@ void ipvlan_l3s_unregister(struct ipvl_port *port) - - dev->priv_flags &= ~IFF_L3MDEV_RX_HANDLER; - ipvlan_unregister_nf_hook(read_pnet(&port->pnet)); -- dev->l3mdev_ops = NULL; - } --- -2.25.1 - diff --git a/SPECS/kernel/CVE-2025-22106.patch b/SPECS/kernel/CVE-2025-22106.patch deleted file mode 100644 index d714e67a0b..0000000000 --- a/SPECS/kernel/CVE-2025-22106.patch +++ /dev/null @@ -1,57 +0,0 @@ -From ea875d82b9d342e8b3257e11d0ffaf2d2c533dcc Mon Sep 17 00:00:00 2001 -From: Sankararaman Jayaraman -Date: Thu, 20 Mar 2025 10:25:22 +0530 -Subject: [PATCH] vmxnet3: unregister xdp rxq info in the reset path - -vmxnet3 does not unregister xdp rxq info in the -vmxnet3_reset_work() code path as vmxnet3_rq_destroy() -is not invoked in this code path. So, we get below message with a -backtrace. - -Missing unregister, handled but fix driver -WARNING: CPU:48 PID: 500 at net/core/xdp.c:182 -__xdp_rxq_info_reg+0x93/0xf0 - -This patch fixes the problem by moving the unregister -code of XDP from vmxnet3_rq_destroy() to vmxnet3_rq_cleanup(). - -Fixes: 54f00cce1178 ("vmxnet3: Add XDP support.") -Signed-off-by: Sankararaman Jayaraman -Signed-off-by: Ronak Doshi -Link: https://patch.msgid.link/20250320045522.57892-1-sankararaman.jayaraman@broadcom.com -Signed-off-by: Jakub Kicinski ---- - drivers/net/vmxnet3/vmxnet3_drv.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c -index b70654c7ad34..3a7279e74c6b 100644 ---- a/drivers/net/vmxnet3/vmxnet3_drv.c -+++ b/drivers/net/vmxnet3/vmxnet3_drv.c -@@ -2025,6 +2025,11 @@ vmxnet3_rq_cleanup(struct vmxnet3_rx_queue *rq, - - rq->comp_ring.gen = VMXNET3_INIT_GEN; - rq->comp_ring.next2proc = 0; -+ -+ if (xdp_rxq_info_is_reg(&rq->xdp_rxq)) -+ xdp_rxq_info_unreg(&rq->xdp_rxq); -+ page_pool_destroy(rq->page_pool); -+ rq->page_pool = NULL; - } - - -@@ -2065,11 +2070,6 @@ static void vmxnet3_rq_destroy(struct vmxnet3_rx_queue *rq, - } - } - -- if (xdp_rxq_info_is_reg(&rq->xdp_rxq)) -- xdp_rxq_info_unreg(&rq->xdp_rxq); -- page_pool_destroy(rq->page_pool); -- rq->page_pool = NULL; -- - if (rq->data_ring.base) { - dma_free_coherent(&adapter->pdev->dev, - rq->rx_ring[0].size * rq->data_ring.desc_size, --- -2.25.1 - diff --git a/SPECS/kernel/CVE-2025-22113-1.patch b/SPECS/kernel/CVE-2025-22113-1.patch deleted file mode 100644 index 4a1c1cb639..0000000000 --- a/SPECS/kernel/CVE-2025-22113-1.patch +++ /dev/null @@ -1,169 +0,0 @@ -From a38f34dafdd0c30fb3d2b3f35e1164f51442c215 Mon Sep 17 00:00:00 2001 -From: Ojaswin Mujoo -Date: Tue, 18 Mar 2025 13:22:56 +0530 -Subject: [PATCH 2/2] ext4: avoid journaling sb update on error if journal is - destroying - -Presently we always BUG_ON if trying to start a transaction on a journal marked -with JBD2_UNMOUNT, since this should never happen. However, while ltp running -stress tests, it was observed that in case of some error handling paths, it is -possible for update_super_work to start a transaction after the journal is -destroyed eg: - -(umount) -ext4_kill_sb - kill_block_super - generic_shutdown_super - sync_filesystem /* commits all txns */ - evict_inodes - /* might start a new txn */ - ext4_put_super - flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */ - jbd2_journal_destroy - journal_kill_thread - journal->j_flags |= JBD2_UNMOUNT; - jbd2_journal_commit_transaction - jbd2_journal_get_descriptor_buffer - jbd2_journal_bmap - ext4_journal_bmap - ext4_map_blocks - ... - ext4_inode_error - ext4_handle_error - schedule_work(&sbi->s_sb_upd_work) - - /* work queue kicks in */ - update_super_work - jbd2_journal_start - start_this_handle - BUG_ON(journal->j_flags & - JBD2_UNMOUNT) - -Hence, introduce a new mount flag to indicate journal is destroying and only do -a journaled (and deferred) update of sb if this flag is not set. Otherwise, just -fallback to an un-journaled commit. - -Further, in the journal destroy path, we have the following sequence: - - 1. Set mount flag indicating journal is destroying - 2. force a commit and wait for it - 3. flush pending sb updates - -This sequence is important as it ensures that, after this point, there is no sb -update that might be journaled so it is safe to update the sb outside the -journal. (To avoid race discussed in 2d01ddc86606) - -Also, we don't need a similar check in ext4_grp_locked_error since it is only -called from mballoc and AFAICT it would be always valid to schedule work here. - -Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available") -Reported-by: Mahesh Kumar -Signed-off-by: Ojaswin Mujoo -Reviewed-by: Jan Kara -Link: https://patch.msgid.link/9613c465d6ff00cd315602f99283d5f24018c3f7.1742279837.git.ojaswin@linux.ibm.com -Signed-off-by: Theodore Ts'o ---- - fs/ext4/ext4.h | 3 ++- - fs/ext4/ext4_jbd2.h | 15 +++++++++++++++ - fs/ext4/super.c | 16 ++++++++-------- - 3 files changed, 25 insertions(+), 9 deletions(-) - -diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h -index bbffb76d9a90..27b633928eb1 100644 ---- a/fs/ext4/ext4.h -+++ b/fs/ext4/ext4.h -@@ -1820,7 +1820,8 @@ static inline int ext4_valid_inum(struct super_block *sb, unsigned long ino) - */ - enum { - EXT4_MF_MNTDIR_SAMPLED, -- EXT4_MF_FC_INELIGIBLE /* Fast commit ineligible */ -+ EXT4_MF_FC_INELIGIBLE, /* Fast commit ineligible */ -+ EXT4_MF_JOURNAL_DESTROY /* Journal is in process of destroying */ - }; - - static inline void ext4_set_mount_flag(struct super_block *sb, int bit) -diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h -index 930778e507cc..ada46189b086 100644 ---- a/fs/ext4/ext4_jbd2.h -+++ b/fs/ext4/ext4_jbd2.h -@@ -521,6 +521,21 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour - { - int err = 0; - -+ /* -+ * At this point only two things can be operating on the journal. -+ * JBD2 thread performing transaction commit and s_sb_upd_work -+ * issuing sb update through the journal. Once we set -+ * EXT4_JOURNAL_DESTROY, new ext4_handle_error() calls will not -+ * queue s_sb_upd_work and ext4_force_commit() makes sure any -+ * ext4_handle_error() calls from the running transaction commit are -+ * finished. Hence no new s_sb_upd_work can be queued after we -+ * flush it here. -+ */ -+ ext4_set_mount_flag(sbi->s_sb, EXT4_MF_JOURNAL_DESTROY); -+ -+ ext4_force_commit(sbi->s_sb); -+ flush_work(&sbi->s_sb_upd_work); -+ - err = jbd2_journal_destroy(journal); - sbi->s_journal = NULL; - -diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index f26816854dd5..b10872abb9c9 100644 ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -719,9 +719,13 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error, - * In case the fs should keep running, we need to writeout - * superblock through the journal. Due to lock ordering - * constraints, it may not be safe to do it right here so we -- * defer superblock flushing to a workqueue. -+ * defer superblock flushing to a workqueue. We just need to be -+ * careful when the journal is already shutting down. If we get -+ * here in that case, just update the sb directly as the last -+ * transaction won't commit anyway. - */ -- if (continue_fs && journal) -+ if (continue_fs && journal && -+ !ext4_test_mount_flag(sb, EXT4_MF_JOURNAL_DESTROY)) - schedule_work(&EXT4_SB(sb)->s_sb_upd_work); - else - ext4_commit_super(sb); -@@ -1306,7 +1310,6 @@ static void ext4_put_super(struct super_block *sb) - ext4_unregister_li_request(sb); - ext4_quotas_off(sb, EXT4_MAXQUOTAS); - -- flush_work(&sbi->s_sb_upd_work); - destroy_workqueue(sbi->rsv_conversion_wq); - ext4_release_orphan_info(sb); - -@@ -1316,7 +1319,8 @@ static void ext4_put_super(struct super_block *sb) - if ((err < 0) && !aborted) { - ext4_abort(sb, -err, "Couldn't clean up the journal"); - } -- } -+ } else -+ flush_work(&sbi->s_sb_upd_work); - - ext4_es_unregister_shrinker(sbi); - timer_shutdown_sync(&sbi->s_err_report); -@@ -4944,8 +4948,6 @@ static int ext4_load_and_init_journal(struct super_block *sb, - return 0; - - out: -- /* flush s_sb_upd_work before destroying the journal. */ -- flush_work(&sbi->s_sb_upd_work); - ext4_journal_destroy(sbi, sbi->s_journal); - return -EINVAL; - } -@@ -5631,8 +5633,6 @@ failed_mount8: __maybe_unused - sbi->s_ea_block_cache = NULL; - - if (sbi->s_journal) { -- /* flush s_sb_upd_work before journal destroy. */ -- flush_work(&sbi->s_sb_upd_work); - ext4_journal_destroy(sbi, sbi->s_journal); - } - failed_mount3a: --- -2.25.1 - diff --git a/SPECS/kernel/CVE-2025-22113.patch b/SPECS/kernel/CVE-2025-22113.patch deleted file mode 100644 index 42b4dd4f27..0000000000 --- a/SPECS/kernel/CVE-2025-22113.patch +++ /dev/null @@ -1,108 +0,0 @@ -From 1cb42376c3bb339074fd4d72232156af50dbd0a8 Mon Sep 17 00:00:00 2001 -From: Ojaswin Mujoo -Date: Tue, 18 Mar 2025 13:22:55 +0530 -Subject: [PATCH 1/2] ext4: define ext4_journal_destroy wrapper - -Define an ext4 wrapper over jbd2_journal_destroy to make sure we -have consistent behavior during journal destruction. This will also -come useful in the next patch where we add some ext4 specific logic -in the destroy path. - -Reviewed-by: Jan Kara -Reviewed-by: Baokun Li -Signed-off-by: Ojaswin Mujoo -Link: https://patch.msgid.link/c3ba78c5c419757e6d5f2d8ebb4a8ce9d21da86a.1742279837.git.ojaswin@linux.ibm.com -Signed-off-by: Theodore Ts'o ---- - fs/ext4/ext4_jbd2.h | 14 ++++++++++++++ - fs/ext4/super.c | 16 ++++++---------- - 2 files changed, 20 insertions(+), 10 deletions(-) - -diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h -index 0c77697d5e90..930778e507cc 100644 ---- a/fs/ext4/ext4_jbd2.h -+++ b/fs/ext4/ext4_jbd2.h -@@ -513,4 +513,18 @@ static inline int ext4_should_dioread_nolock(struct inode *inode) - return 1; - } - -+/* -+ * Pass journal explicitly as it may not be cached in the sbi->s_journal in some -+ * cases -+ */ -+static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *journal) -+{ -+ int err = 0; -+ -+ err = jbd2_journal_destroy(journal); -+ sbi->s_journal = NULL; -+ -+ return err; -+} -+ - #endif /* _EXT4_JBD2_H */ -diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index 4291ab3c20be..f26816854dd5 100644 ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -1312,8 +1312,7 @@ static void ext4_put_super(struct super_block *sb) - - if (sbi->s_journal) { - aborted = is_journal_aborted(sbi->s_journal); -- err = jbd2_journal_destroy(sbi->s_journal); -- sbi->s_journal = NULL; -+ err = ext4_journal_destroy(sbi, sbi->s_journal); - if ((err < 0) && !aborted) { - ext4_abort(sb, -err, "Couldn't clean up the journal"); - } -@@ -4947,8 +4946,7 @@ static int ext4_load_and_init_journal(struct super_block *sb, - out: - /* flush s_sb_upd_work before destroying the journal. */ - flush_work(&sbi->s_sb_upd_work); -- jbd2_journal_destroy(sbi->s_journal); -- sbi->s_journal = NULL; -+ ext4_journal_destroy(sbi, sbi->s_journal); - return -EINVAL; - } - -@@ -5635,8 +5633,7 @@ failed_mount8: __maybe_unused - if (sbi->s_journal) { - /* flush s_sb_upd_work before journal destroy. */ - flush_work(&sbi->s_sb_upd_work); -- jbd2_journal_destroy(sbi->s_journal); -- sbi->s_journal = NULL; -+ ext4_journal_destroy(sbi, sbi->s_journal); - } - failed_mount3a: - ext4_es_unregister_shrinker(sbi); -@@ -5944,7 +5941,7 @@ static journal_t *ext4_open_dev_journal(struct super_block *sb, - return journal; - - out_journal: -- jbd2_journal_destroy(journal); -+ ext4_journal_destroy(EXT4_SB(sb), journal); - out_bdev: - bdev_fput(bdev_file); - return ERR_PTR(errno); -@@ -6061,8 +6058,7 @@ static int ext4_load_journal(struct super_block *sb, - EXT4_SB(sb)->s_journal = journal; - err = ext4_clear_journal_err(sb, es); - if (err) { -- EXT4_SB(sb)->s_journal = NULL; -- jbd2_journal_destroy(journal); -+ ext4_journal_destroy(EXT4_SB(sb), journal); - return err; - } - -@@ -6080,7 +6076,7 @@ static int ext4_load_journal(struct super_block *sb, - return 0; - - err_out: -- jbd2_journal_destroy(journal); -+ ext4_journal_destroy(EXT4_SB(sb), journal); - return err; - } - --- -2.25.1 - diff --git a/SPECS/kernel/CVE-2025-22124.patch b/SPECS/kernel/CVE-2025-22124.patch deleted file mode 100644 index ba717d0c64..0000000000 --- a/SPECS/kernel/CVE-2025-22124.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 31ea5fb2dc95a5ddc9ad67d53b5d1f151775f194 Mon Sep 17 00:00:00 2001 -From: Su Yue -Date: Mon, 3 Mar 2025 11:39:18 +0800 -Subject: [PATCH] md/md-bitmap: fix wrong bitmap_limit for clustermd when write - sb - -In clustermd, separate write-intent-bitmaps are used for each cluster -node: - -0 4k 8k 12k -------------------------------------------------------------------- -| idle | md super | bm super [0] + bits | -| bm bits[0, contd] | bm super[1] + bits | bm bits[1, contd] | -| bm super[2] + bits | bm bits [2, contd] | bm super[3] + bits | -| bm bits [3, contd] | | | - -So in node 1, pg_index in __write_sb_page() could equal to -bitmap->storage.file_pages. Then bitmap_limit will be calculated to -0. md_super_write() will be called with 0 size. -That means the first 4k sb area of node 1 will never be updated -through filemap_write_page(). -This bug causes hang of mdadm/clustermd_tests/01r1_Grow_resize. - -Here use (pg_index % bitmap->storage.file_pages) to make calculation -of bitmap_limit correct. - -Fixes: ab99a87542f1 ("md/md-bitmap: fix writing non bitmap pages") -Signed-off-by: Su Yue -Reviewed-by: Heming Zhao -Link: https://lore.kernel.org/linux-raid/20250303033918.32136-1-glass.su@suse.com -Signed-off-by: Yu Kuai ---- - drivers/md/md-bitmap.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c -index 2e3087556adb..4ab69fd1745a 100644 ---- a/drivers/md/md-bitmap.c -+++ b/drivers/md/md-bitmap.c -@@ -426,8 +426,8 @@ static int __write_sb_page(struct md_rdev *rdev, struct bitmap *bitmap, - struct block_device *bdev; - struct mddev *mddev = bitmap->mddev; - struct bitmap_storage *store = &bitmap->storage; -- unsigned int bitmap_limit = (bitmap->storage.file_pages - pg_index) << -- PAGE_SHIFT; -+ unsigned long num_pages = bitmap->storage.file_pages; -+ unsigned int bitmap_limit = (num_pages - pg_index % num_pages) << PAGE_SHIFT; - loff_t sboff, offset = mddev->bitmap_info.offset; - sector_t ps = pg_index * PAGE_SIZE / SECTOR_SIZE; - unsigned int size = PAGE_SIZE; -@@ -436,7 +436,7 @@ static int __write_sb_page(struct md_rdev *rdev, struct bitmap *bitmap, - - bdev = (rdev->meta_bdev) ? rdev->meta_bdev : rdev->bdev; - /* we compare length (page numbers), not page offset. */ -- if ((pg_index - store->sb_index) == store->file_pages - 1) { -+ if ((pg_index - store->sb_index) == num_pages - 1) { - unsigned int last_page_size = store->bytes & (PAGE_SIZE - 1); - - if (last_page_size == 0) --- -2.25.1 - diff --git a/SPECS/kernel/CVE-2025-22125.patch b/SPECS/kernel/CVE-2025-22125.patch deleted file mode 100644 index 6fffcf2b4d..0000000000 --- a/SPECS/kernel/CVE-2025-22125.patch +++ /dev/null @@ -1,98 +0,0 @@ -From d6da5b46c7ccd873b769212a88ab847026a0ecbc Mon Sep 17 00:00:00 2001 -From: Yu Kuai -Date: Thu, 27 Feb 2025 20:16:57 +0800 -Subject: [PATCH 18/27] md/raid1,raid10: don't ignore IO flags - -If blk-wbt is enabled by default, it's found that raid write performance -is quite bad because all IO are throttled by wbt of underlying disks, -due to flag REQ_IDLE is ignored. And turns out this behaviour exist since -blk-wbt is introduced. - -Other than REQ_IDLE, other flags should not be ignored as well, for -example REQ_META can be set for filesystems, clearing it can cause priority -reverse problems; And REQ_NOWAIT should not be cleared as well, because -io will wait instead of failing directly in underlying disks. - -Fix those problems by keep IO flags from master bio. - -Fises: f51d46d0e7cb ("md: add support for REQ_NOWAIT") -Fixes: e34cbd307477 ("blk-wbt: add general throttling mechanism") -Fixes: 5404bc7a87b9 ("[PATCH] Allow file systems to differentiate between data and meta reads") -Link: https://lore.kernel.org/linux-raid/20250227121657.832356-1-yukuai1@huaweicloud.com -Signed-off-by: Yu Kuai ---- - drivers/md/raid1.c | 4 ---- - drivers/md/raid10.c | 7 ------- - 2 files changed, 11 deletions(-) - -diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c -index fe1599db69c8..6e93e3b6bd8c 100644 ---- a/drivers/md/raid1.c -+++ b/drivers/md/raid1.c -@@ -1315,8 +1315,6 @@ static void raid1_read_request(struct mddev *mddev, struct bio *bio, - struct r1conf *conf = mddev->private; - struct raid1_info *mirror; - struct bio *read_bio; -- const enum req_op op = bio_op(bio); -- const blk_opf_t do_sync = bio->bi_opf & REQ_SYNC; - int max_sectors; - int rdisk; - bool r1bio_existed = !!r1_bio; -@@ -1399,7 +1397,6 @@ static void raid1_read_request(struct mddev *mddev, struct bio *bio, - read_bio->bi_iter.bi_sector = r1_bio->sector + - mirror->rdev->data_offset; - read_bio->bi_end_io = raid1_end_read_request; -- read_bio->bi_opf = op | do_sync; - if (test_bit(FailFast, &mirror->rdev->flags) && - test_bit(R1BIO_FailFast, &r1_bio->state)) - read_bio->bi_opf |= MD_FAILFAST; -@@ -1619,7 +1616,6 @@ static void raid1_write_request(struct mddev *mddev, struct bio *bio, - - mbio->bi_iter.bi_sector = (r1_bio->sector + rdev->data_offset); - mbio->bi_end_io = raid1_end_write_request; -- mbio->bi_opf = bio_op(bio) | (bio->bi_opf & (REQ_SYNC | REQ_FUA)); - if (test_bit(FailFast, &rdev->flags) && - !test_bit(WriteMostly, &rdev->flags) && - conf->raid_disks - mddev->degraded > 1) -diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c -index 8825457f6a70..e2c6487456c1 100644 ---- a/drivers/md/raid10.c -+++ b/drivers/md/raid10.c -@@ -1146,8 +1146,6 @@ static void raid10_read_request(struct mddev *mddev, struct bio *bio, - { - struct r10conf *conf = mddev->private; - struct bio *read_bio; -- const enum req_op op = bio_op(bio); -- const blk_opf_t do_sync = bio->bi_opf & REQ_SYNC; - int max_sectors; - struct md_rdev *rdev; - char b[BDEVNAME_SIZE]; -@@ -1226,7 +1224,6 @@ static void raid10_read_request(struct mddev *mddev, struct bio *bio, - read_bio->bi_iter.bi_sector = r10_bio->devs[slot].addr + - choose_data_offset(r10_bio, rdev); - read_bio->bi_end_io = raid10_end_read_request; -- read_bio->bi_opf = op | do_sync; - if (test_bit(FailFast, &rdev->flags) && - test_bit(R10BIO_FailFast, &r10_bio->state)) - read_bio->bi_opf |= MD_FAILFAST; -@@ -1240,9 +1237,6 @@ static void raid10_write_one_disk(struct mddev *mddev, struct r10bio *r10_bio, - struct bio *bio, bool replacement, - int n_copy) - { -- const enum req_op op = bio_op(bio); -- const blk_opf_t do_sync = bio->bi_opf & REQ_SYNC; -- const blk_opf_t do_fua = bio->bi_opf & REQ_FUA; - unsigned long flags; - struct r10conf *conf = mddev->private; - struct md_rdev *rdev; -@@ -1261,7 +1255,6 @@ static void raid10_write_one_disk(struct mddev *mddev, struct r10bio *r10_bio, - mbio->bi_iter.bi_sector = (r10_bio->devs[n_copy].addr + - choose_data_offset(r10_bio, rdev)); - mbio->bi_end_io = raid10_end_write_request; -- mbio->bi_opf = op | do_sync | do_fua; - if (!replacement && test_bit(FailFast, - &conf->mirrors[devnum].rdev->flags) - && enough(conf, devnum)) --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-23133.patch b/SPECS/kernel/CVE-2025-23133.patch deleted file mode 100644 index 000000ed36..0000000000 --- a/SPECS/kernel/CVE-2025-23133.patch +++ /dev/null @@ -1,104 +0,0 @@ -From 73cb277b4f7485c9b3c2e4490474ec7708808b32 Mon Sep 17 00:00:00 2001 -From: Wen Gong -Date: Fri, 17 Jan 2025 14:17:36 +0800 -Subject: [PATCH 13/27] wifi: ath11k: update channel list in reg notifier - instead reg worker - -Currently when ath11k gets a new channel list, it will be processed -according to the following steps: -1. update new channel list to cfg80211 and queue reg_work. -2. cfg80211 handles new channel list during reg_work. -3. update cfg80211's handled channel list to firmware by -ath11k_reg_update_chan_list(). - -But ath11k will immediately execute step 3 after reg_work is just -queued. Since step 2 is asynchronous, cfg80211 may not have completed -handling the new channel list, which may leading to an out-of-bounds -write error: -BUG: KASAN: slab-out-of-bounds in ath11k_reg_update_chan_list -Call Trace: - ath11k_reg_update_chan_list+0xbfe/0xfe0 [ath11k] - kfree+0x109/0x3a0 - ath11k_regd_update+0x1cf/0x350 [ath11k] - ath11k_regd_update_work+0x14/0x20 [ath11k] - process_one_work+0xe35/0x14c0 - -Should ensure step 2 is completely done before executing step 3. Thus -Wen raised patch[1]. When flag NL80211_REGDOM_SET_BY_DRIVER is set, -cfg80211 will notify ath11k after step 2 is done. - -So enable the flag NL80211_REGDOM_SET_BY_DRIVER then cfg80211 will -notify ath11k after step 2 is done. At this time, there will be no -KASAN bug during the execution of the step 3. - -[1] https://patchwork.kernel.org/project/linux-wireless/patch/20230201065313.27203-1-quic_wgong@quicinc.com/ - -Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3 - -Fixes: f45cb6b29cd3 ("wifi: ath11k: avoid deadlock during regulatory update in ath11k_regd_update()") -Signed-off-by: Wen Gong -Signed-off-by: Kang Yang -Reviewed-by: Aditya Kumar Singh -Link: https://patch.msgid.link/20250117061737.1921-2-quic_kangyang@quicinc.com -Signed-off-by: Jeff Johnson ---- - drivers/net/wireless/ath/ath11k/reg.c | 22 +++++++++++++++------- - 1 file changed, 15 insertions(+), 7 deletions(-) - -diff --git a/drivers/net/wireless/ath/ath11k/reg.c b/drivers/net/wireless/ath/ath11k/reg.c -index b0f289784dd3..7bfe47ad62a0 100644 ---- a/drivers/net/wireless/ath/ath11k/reg.c -+++ b/drivers/net/wireless/ath/ath11k/reg.c -@@ -1,7 +1,7 @@ - // SPDX-License-Identifier: BSD-3-Clause-Clear - /* - * Copyright (c) 2018-2019 The Linux Foundation. All rights reserved. -- * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved. -+ * Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved. - */ - #include - -@@ -55,6 +55,19 @@ ath11k_reg_notifier(struct wiphy *wiphy, struct regulatory_request *request) - ath11k_dbg(ar->ab, ATH11K_DBG_REG, - "Regulatory Notification received for %s\n", wiphy_name(wiphy)); - -+ if (request->initiator == NL80211_REGDOM_SET_BY_DRIVER) { -+ ath11k_dbg(ar->ab, ATH11K_DBG_REG, -+ "driver initiated regd update\n"); -+ if (ar->state != ATH11K_STATE_ON) -+ return; -+ -+ ret = ath11k_reg_update_chan_list(ar, true); -+ if (ret) -+ ath11k_warn(ar->ab, "failed to update channel list: %d\n", ret); -+ -+ return; -+ } -+ - /* Currently supporting only General User Hints. Cell base user - * hints to be handled later. - * Hints from other sources like Core, Beacons are not expected for -@@ -293,12 +306,6 @@ int ath11k_regd_update(struct ath11k *ar) - if (ret) - goto err; - -- if (ar->state == ATH11K_STATE_ON) { -- ret = ath11k_reg_update_chan_list(ar, true); -- if (ret) -- goto err; -- } -- - return 0; - err: - ath11k_warn(ab, "failed to perform regd update : %d\n", ret); -@@ -977,6 +984,7 @@ void ath11k_regd_update_work(struct work_struct *work) - void ath11k_reg_init(struct ath11k *ar) - { - ar->hw->wiphy->regulatory_flags = REGULATORY_WIPHY_SELF_MANAGED; -+ ar->hw->wiphy->flags |= WIPHY_FLAG_NOTIFY_REGDOM_BY_DRIVER; - ar->hw->wiphy->reg_notifier = ath11k_reg_notifier; - } - --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-38105.patch b/SPECS/kernel/CVE-2025-38105.patch deleted file mode 100644 index 4040614167..0000000000 --- a/SPECS/kernel/CVE-2025-38105.patch +++ /dev/null @@ -1,49 +0,0 @@ -From ee91ba3155f050613d89811c1d84c1b93a7093ca Mon Sep 17 00:00:00 2001 -From: Takashi Iwai -Date: Mon, 19 May 2025 23:20:30 +0200 -Subject: [PATCH 7/8] ALSA: usb-audio: Kill timer properly at removal - -The USB-audio MIDI code initializes the timer, but in a rare case, the -driver might be freed without the disconnect call. This leaves the -timer in an active state while the assigned object is released via -snd_usbmidi_free(), which ends up with a kernel warning when the debug -configuration is enabled, as spotted by fuzzer. - -For avoiding the problem, put timer_shutdown_sync() at -snd_usbmidi_free(), so that the timer can be killed properly. -While we're at it, replace the existing timer_delete_sync() at the -disconnect callback with timer_shutdown_sync(), too. - -Reported-by: syzbot+d8f72178ab6783a7daea@syzkaller.appspotmail.com -Closes: https://lore.kernel.org/681c70d7.050a0220.a19a9.00c6.GAE@google.com -Cc: -Link: https://patch.msgid.link/20250519212031.14436-1-tiwai@suse.de -Signed-off-by: Takashi Iwai ---- - sound/usb/midi.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/sound/usb/midi.c b/sound/usb/midi.c -index a792ada18863..c3de2b137435 100644 ---- a/sound/usb/midi.c -+++ b/sound/usb/midi.c -@@ -1530,6 +1530,7 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) - snd_usbmidi_in_endpoint_delete(ep->in); - } - mutex_destroy(&umidi->mutex); -+ timer_shutdown_sync(&umidi->error_timer); - kfree(umidi); - } - -@@ -1553,7 +1554,7 @@ void snd_usbmidi_disconnect(struct list_head *p) - spin_unlock_irq(&umidi->disc_lock); - up_write(&umidi->disc_rwsem); - -- del_timer_sync(&umidi->error_timer); -+ timer_shutdown_sync(&umidi->error_timer); - - for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) { - struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i]; --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-38272-1.patch b/SPECS/kernel/CVE-2025-38272-1.patch deleted file mode 100644 index f39cee293a..0000000000 --- a/SPECS/kernel/CVE-2025-38272-1.patch +++ /dev/null @@ -1,89 +0,0 @@ -From adcc861c6c71dfa145c2cc86a306060438899793 Mon Sep 17 00:00:00 2001 -From: "Russell King (Oracle)" -Date: Tue, 10 Dec 2024 14:18:26 +0000 -Subject: [PATCH 06/27] net: dsa: b53/bcm_sf2: implement .support_eee() method - -Implement the .support_eee() method to indicate that EEE is not -supported by two switch variants, rather than making these checks in -the .set_mac_eee() and .get_mac_eee() methods. - -Signed-off-by: Russell King (Oracle) -Reviewed-by: Florian Fainelli -Reviewed-by: Vladimir Oltean -Link: https://patch.msgid.link/E1tL14E-006cZU-Nc@rmk-PC.armlinux.org.uk -Signed-off-by: Jakub Kicinski ---- - drivers/net/dsa/b53/b53_common.c | 13 +++++++------ - drivers/net/dsa/b53/b53_priv.h | 1 + - drivers/net/dsa/bcm_sf2.c | 1 + - 3 files changed, 9 insertions(+), 6 deletions(-) - -diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c -index 71c30a81c36d..f36dae40d70c 100644 ---- a/drivers/net/dsa/b53/b53_common.c -+++ b/drivers/net/dsa/b53/b53_common.c -@@ -2344,13 +2344,16 @@ int b53_eee_init(struct dsa_switch *ds, int port, struct phy_device *phy) - } - EXPORT_SYMBOL(b53_eee_init); - --int b53_get_mac_eee(struct dsa_switch *ds, int port, struct ethtool_keee *e) -+bool b53_support_eee(struct dsa_switch *ds, int port) - { - struct b53_device *dev = ds->priv; - -- if (is5325(dev) || is5365(dev)) -- return -EOPNOTSUPP; -+ return !is5325(dev) && !is5365(dev); -+} -+EXPORT_SYMBOL(b53_support_eee); - -+int b53_get_mac_eee(struct dsa_switch *ds, int port, struct ethtool_keee *e) -+{ - return 0; - } - EXPORT_SYMBOL(b53_get_mac_eee); -@@ -2360,9 +2363,6 @@ int b53_set_mac_eee(struct dsa_switch *ds, int port, struct ethtool_keee *e) - struct b53_device *dev = ds->priv; - struct ethtool_keee *p = &dev->ports[port].eee; - -- if (is5325(dev) || is5365(dev)) -- return -EOPNOTSUPP; -- - p->eee_enabled = e->eee_enabled; - b53_eee_enable_set(ds, port, e->eee_enabled); - -@@ -2419,6 +2419,7 @@ static const struct dsa_switch_ops b53_switch_ops = { - .port_setup = b53_setup_port, - .port_enable = b53_enable_port, - .port_disable = b53_disable_port, -+ .support_eee = b53_support_eee, - .get_mac_eee = b53_get_mac_eee, - .set_mac_eee = b53_set_mac_eee, - .port_bridge_join = b53_br_join, -diff --git a/drivers/net/dsa/b53/b53_priv.h b/drivers/net/dsa/b53/b53_priv.h -index 4f8c97098d2a..e908397e8b9a 100644 ---- a/drivers/net/dsa/b53/b53_priv.h -+++ b/drivers/net/dsa/b53/b53_priv.h -@@ -387,6 +387,7 @@ int b53_enable_port(struct dsa_switch *ds, int port, struct phy_device *phy); - void b53_disable_port(struct dsa_switch *ds, int port); - void b53_brcm_hdr_setup(struct dsa_switch *ds, int port); - int b53_eee_init(struct dsa_switch *ds, int port, struct phy_device *phy); -+bool b53_support_eee(struct dsa_switch *ds, int port); - int b53_get_mac_eee(struct dsa_switch *ds, int port, struct ethtool_keee *e); - int b53_set_mac_eee(struct dsa_switch *ds, int port, struct ethtool_keee *e); - -diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c -index c4771a07878e..f1372830d5fa 100644 ---- a/drivers/net/dsa/bcm_sf2.c -+++ b/drivers/net/dsa/bcm_sf2.c -@@ -1233,6 +1233,7 @@ static const struct dsa_switch_ops bcm_sf2_ops = { - .port_setup = b53_setup_port, - .port_enable = bcm_sf2_port_setup, - .port_disable = bcm_sf2_port_disable, -+ .support_eee = b53_support_eee, - .get_mac_eee = b53_get_mac_eee, - .set_mac_eee = b53_set_mac_eee, - .port_bridge_join = b53_br_join, --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-38272-2.patch b/SPECS/kernel/CVE-2025-38272-2.patch deleted file mode 100644 index b5abe20ba0..0000000000 --- a/SPECS/kernel/CVE-2025-38272-2.patch +++ /dev/null @@ -1,52 +0,0 @@ -From e6ce4c185e8582c3627f71245ded22194363f954 Mon Sep 17 00:00:00 2001 -From: Jonas Gorski -Date: Mon, 2 Jun 2025 21:39:49 +0200 -Subject: [PATCH 07/27] net: dsa: b53: do not enable EEE on bcm63xx -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BCM63xx internal switches do not support EEE, but provide multiple RGMII -ports where external PHYs may be connected. If one of these PHYs are EEE -capable, we may try to enable EEE for the MACs, which then hangs the -system on access of the (non-existent) EEE registers. - -Fix this by checking if the switch actually supports EEE before -attempting to configure it. - -Fixes: 22256b0afb12 ("net: dsa: b53: Move EEE functions to b53") -Reviewed-by: Florian Fainelli -Tested-by: Álvaro Fernández Rojas -Signed-off-by: Jonas Gorski -Link: https://patch.msgid.link/20250602193953.1010487-2-jonas.gorski@gmail.com -Signed-off-by: Paolo Abeni ---- - drivers/net/dsa/b53/b53_common.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c -index f36dae40d70c..daee9302b56f 100644 ---- a/drivers/net/dsa/b53/b53_common.c -+++ b/drivers/net/dsa/b53/b53_common.c -@@ -2334,6 +2334,9 @@ int b53_eee_init(struct dsa_switch *ds, int port, struct phy_device *phy) - { - int ret; - -+ if (!b53_support_eee(ds, port)) -+ return 0; -+ - ret = phy_init_eee(phy, false); - if (ret) - return 0; -@@ -2348,7 +2351,7 @@ bool b53_support_eee(struct dsa_switch *ds, int port) - { - struct b53_device *dev = ds->priv; - -- return !is5325(dev) && !is5365(dev); -+ return !is5325(dev) && !is5365(dev) && !is63xx(dev); - } - EXPORT_SYMBOL(b53_support_eee); - --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-38272.patch b/SPECS/kernel/CVE-2025-38272.patch deleted file mode 100644 index d8bb66ec17..0000000000 --- a/SPECS/kernel/CVE-2025-38272.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 232555317cddf41ff4f9c8ec66c5ff89547ea1e7 Mon Sep 17 00:00:00 2001 -From: "Russell King (Oracle)" -Date: Tue, 10 Dec 2024 14:18:16 +0000 -Subject: [PATCH 05/27] net: dsa: add hook to determine whether EEE is - supported - -Add a hook to determine whether the switch supports EEE. This will -return false if the switch does not, or true if it does. If the -method is not implemented, we assume (currently) that the switch -supports EEE. - -Signed-off-by: Russell King (Oracle) -Reviewed-by: Florian Fainelli -Reviewed-by: Vladimir Oltean -Link: https://patch.msgid.link/E1tL144-006cZD-El@rmk-PC.armlinux.org.uk -Signed-off-by: Jakub Kicinski ---- - include/net/dsa.h | 1 + - net/dsa/user.c | 8 ++++++++ - 2 files changed, 9 insertions(+) - -diff --git a/include/net/dsa.h b/include/net/dsa.h -index d7a6c2930277..fa99fc5249e9 100644 ---- a/include/net/dsa.h -+++ b/include/net/dsa.h -@@ -1003,6 +1003,7 @@ struct dsa_switch_ops { - /* - * Port's MAC EEE settings - */ -+ bool (*support_eee)(struct dsa_switch *ds, int port); - int (*set_mac_eee)(struct dsa_switch *ds, int port, - struct ethtool_keee *e); - int (*get_mac_eee)(struct dsa_switch *ds, int port, -diff --git a/net/dsa/user.c b/net/dsa/user.c -index 64f660d2334b..06267c526dc4 100644 ---- a/net/dsa/user.c -+++ b/net/dsa/user.c -@@ -1231,6 +1231,10 @@ static int dsa_user_set_eee(struct net_device *dev, struct ethtool_keee *e) - struct dsa_switch *ds = dp->ds; - int ret; - -+ /* Check whether the switch supports EEE */ -+ if (ds->ops->support_eee && !ds->ops->support_eee(ds, dp->index)) -+ return -EOPNOTSUPP; -+ - /* Port's PHY and MAC both need to be EEE capable */ - if (!dev->phydev || !dp->pl) - return -ENODEV; -@@ -1251,6 +1255,10 @@ static int dsa_user_get_eee(struct net_device *dev, struct ethtool_keee *e) - struct dsa_switch *ds = dp->ds; - int ret; - -+ /* Check whether the switch supports EEE */ -+ if (ds->ops->support_eee && !ds->ops->support_eee(ds, dp->index)) -+ return -EOPNOTSUPP; -+ - /* Port's PHY and MAC both need to be EEE capable */ - if (!dev->phydev || !dp->pl) - return -ENODEV; --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-38306.patch b/SPECS/kernel/CVE-2025-38306.patch deleted file mode 100644 index 2725894164..0000000000 --- a/SPECS/kernel/CVE-2025-38306.patch +++ /dev/null @@ -1,136 +0,0 @@ -From 53ca1616118eb6c5c4e21109c6b5426535e12eb2 Mon Sep 17 00:00:00 2001 -From: Al Viro -Date: Sun, 1 Jun 2025 14:23:52 -0400 -Subject: [PATCH] fs/fhandle.c: fix a race in call of has_locked_children() - -may_decode_fh() is calling has_locked_children() while holding no locks. -That's an oopsable race... - -The rest of the callers are safe since they are holding namespace_sem and -are guaranteed a positive refcount on the mount in question. - -Rename the current has_locked_children() to __has_locked_children(), make -it static and switch the fs/namespace.c users to it. - -Make has_locked_children() a wrapper for __has_locked_children(), calling -the latter under read_seqlock_excl(&mount_lock). - -Reviewed-by: Christian Brauner -Reviewed-by: Jeff Layton -Fixes: 620c266f3949 ("fhandle: relax open_by_handle_at() permission checks") -Signed-off-by: Al Viro ---- - fs/namespace.c | 62 +++++++++++++++++++++++++++++--------------------- - 1 file changed, 36 insertions(+), 26 deletions(-) - -diff --git a/fs/namespace.c b/fs/namespace.c -index 962fda4fa246..066c06c8a188 100644 ---- a/fs/namespace.c -+++ b/fs/namespace.c -@@ -2227,7 +2227,7 @@ void drop_collected_mounts(struct vfsmount *mnt) - namespace_unlock(); - } - --bool has_locked_children(struct mount *mnt, struct dentry *dentry) -+static bool __has_locked_children(struct mount *mnt, struct dentry *dentry) - { - struct mount *child; - -@@ -2241,6 +2241,38 @@ bool has_locked_children(struct mount *mnt, struct dentry *dentry) - return false; - } - -+bool has_locked_children(struct mount *mnt, struct dentry *dentry) -+{ -+ bool res; -+ -+ read_seqlock_excl(&mount_lock); -+ res = __has_locked_children(mnt, dentry); -+ read_sequnlock_excl(&mount_lock); -+ return res; -+} -+ -+/* -+ * Check that there aren't references to earlier/same mount namespaces in the -+ * specified subtree. Such references can act as pins for mount namespaces -+ * that aren't checked by the mount-cycle checking code, thereby allowing -+ * cycles to be made. -+ */ -+static bool check_for_nsfs_mounts(struct mount *subtree) -+{ -+ struct mount *p; -+ bool ret = false; -+ -+ lock_mount_hash(); -+ for (p = subtree; p; p = next_mnt(p, subtree)) -+ if (mnt_ns_loop(p->mnt.mnt_root)) -+ goto out; -+ -+ ret = true; -+out: -+ unlock_mount_hash(); -+ return ret; -+} -+ - /** - * clone_private_mount - create a private clone of a path - * @path: path to clone -@@ -2268,7 +2300,7 @@ struct vfsmount *clone_private_mount(const struct path *path) - return ERR_PTR(-EPERM); - } - -- if (has_locked_children(old_mnt, path->dentry)) -+ if (__has_locked_children(old_mnt, path->dentry)) - goto invalid; - - new_mnt = clone_mnt(old_mnt, path->dentry, CL_PRIVATE); -@@ -2762,7 +2794,7 @@ static struct mount *__do_loopback(struct path *old_path, int recurse) - if (!check_mnt(old) && old_path->dentry->d_op != &ns_dentry_operations) - return mnt; - -- if (!recurse && has_locked_children(old, old_path->dentry)) -+ if (!recurse && __has_locked_children(old, old_path->dentry)) - return mnt; - - if (recurse) -@@ -3097,28 +3129,6 @@ static inline int tree_contains_unbindable(struct mount *mnt) - return 0; - } - --/* -- * Check that there aren't references to earlier/same mount namespaces in the -- * specified subtree. Such references can act as pins for mount namespaces -- * that aren't checked by the mount-cycle checking code, thereby allowing -- * cycles to be made. -- */ --static bool check_for_nsfs_mounts(struct mount *subtree) --{ -- struct mount *p; -- bool ret = false; -- -- lock_mount_hash(); -- for (p = subtree; p; p = next_mnt(p, subtree)) -- if (mnt_ns_loop(p->mnt.mnt_root)) -- goto out; -- -- ret = true; --out: -- unlock_mount_hash(); -- return ret; --} -- - static int do_set_group(struct path *from_path, struct path *to_path) - { - struct mount *from, *to; -@@ -3152,7 +3162,7 @@ static int do_set_group(struct path *from_path, struct path *to_path) - goto out; - - /* From mount should not have locked children in place of To's root */ -- if (has_locked_children(from, to->mnt.mnt_root)) -+ if (__has_locked_children(from, to->mnt.mnt_root)) - goto out; - - /* Setting sharing groups is only allowed on private mounts */ --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-38502.patch b/SPECS/kernel/CVE-2025-38502.patch deleted file mode 100644 index ada07fcfbf..0000000000 --- a/SPECS/kernel/CVE-2025-38502.patch +++ /dev/null @@ -1,143 +0,0 @@ -From 948ea4b9d31826977c5bd558e47de2322afeb52b Mon Sep 17 00:00:00 2001 -From: Daniel Borkmann -Date: Thu, 31 Jul 2025 01:47:33 +0200 -Subject: [PATCH 2/4] bpf: Fix oob access in cgroup local storage - -Lonial reported that an out-of-bounds access in cgroup local storage -can be crafted via tail calls. Given two programs each utilizing a -cgroup local storage with a different value size, and one program -doing a tail call into the other. The verifier will validate each of -the indivial programs just fine. However, in the runtime context -the bpf_cg_run_ctx holds an bpf_prog_array_item which contains the -BPF program as well as any cgroup local storage flavor the program -uses. Helpers such as bpf_get_local_storage() pick this up from the -runtime context: - - ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx); - storage = ctx->prog_item->cgroup_storage[stype]; - - if (stype == BPF_CGROUP_STORAGE_SHARED) - ptr = &READ_ONCE(storage->buf)->data[0]; - else - ptr = this_cpu_ptr(storage->percpu_buf); - -For the second program which was called from the originally attached -one, this means bpf_get_local_storage() will pick up the former -program's map, not its own. With mismatching sizes, this can result -in an unintended out-of-bounds access. - -To fix this issue, we need to extend bpf_map_owner with an array of -storage_cookie[] to match on i) the exact maps from the original -program if the second program was using bpf_get_local_storage(), or -ii) allow the tail call combination if the second program was not -using any of the cgroup local storage maps. - -Fixes: 7d9c3427894f ("bpf: Make cgroup storages shared between programs on the same cgroup") -Reported-by: Lonial Con -Signed-off-by: Daniel Borkmann -Link: https://lore.kernel.org/r/20250730234733.530041-4-daniel@iogearbox.net -Signed-off-by: Alexei Starovoitov ---- ---- - include/linux/bpf.h | 25 +++++++++++++++++-------- - kernel/bpf/core.c | 15 +++++++++++++++ - 2 files changed, 32 insertions(+), 8 deletions(-) - -diff --git a/include/linux/bpf.h b/include/linux/bpf.h -index 1150a595aa54..66a0ffe9bae3 100644 ---- a/include/linux/bpf.h -+++ b/include/linux/bpf.h -@@ -205,6 +205,21 @@ enum btf_field_type { - BPF_WORKQUEUE = (1 << 10), - }; - -+enum bpf_cgroup_storage_type { -+ BPF_CGROUP_STORAGE_SHARED, -+ BPF_CGROUP_STORAGE_PERCPU, -+ __BPF_CGROUP_STORAGE_MAX -+}; -+ -+#define MAX_BPF_CGROUP_STORAGE_TYPE __BPF_CGROUP_STORAGE_MAX -+ -+#ifdef CONFIG_CGROUP_BPF -+# define for_each_cgroup_storage_type(stype) \ -+ for (stype = 0; stype < MAX_BPF_CGROUP_STORAGE_TYPE; stype++) -+#else -+# define for_each_cgroup_storage_type(stype) for (; false; ) -+#endif /* CONFIG_CGROUP_BPF */ -+ - typedef void (*btf_dtor_kfunc_t)(void *); - - struct btf_field_kptr { -@@ -298,6 +313,7 @@ struct bpf_map { - spinlock_t lock; - enum bpf_prog_type type; - bool jited; -+ u64 storage_cookie[MAX_BPF_CGROUP_STORAGE_TYPE]; - bool xdp_has_frags; - } owner; - bool bypass_spec_v1; -@@ -306,6 +322,7 @@ struct bpf_map { - bool free_after_rcu_gp; - atomic64_t sleepable_refcnt; - s64 __percpu *elem_count; -+ u64 cookie; /* write-once */ - }; - - static inline const char *btf_field_type_name(enum btf_field_type type) -@@ -1025,14 +1042,6 @@ struct bpf_prog_offload { - u32 jited_len; - }; - --enum bpf_cgroup_storage_type { -- BPF_CGROUP_STORAGE_SHARED, -- BPF_CGROUP_STORAGE_PERCPU, -- __BPF_CGROUP_STORAGE_MAX --}; -- --#define MAX_BPF_CGROUP_STORAGE_TYPE __BPF_CGROUP_STORAGE_MAX -- - /* The longest tracepoint has 12 args. - * See include/trace/bpf_probe.h - */ -diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c -index 767dcb8471f6..b714362a297c 100644 ---- a/kernel/bpf/core.c -+++ b/kernel/bpf/core.c -@@ -2312,6 +2312,8 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map, - enum bpf_prog_type prog_type = resolve_prog_type(fp); - bool ret; - struct bpf_prog_aux *aux = fp->aux; -+ enum bpf_cgroup_storage_type i; -+ u64 cookie; - - if (fp->kprobe_override) - return false; -@@ -2325,11 +2327,24 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map, - map->owner.jited = fp->jited; - map->owner.xdp_has_frags = aux->xdp_has_frags; - map->owner.attach_func_proto = aux->attach_func_proto; -+ for_each_cgroup_storage_type(i) { -+ map->owner.storage_cookie[i] = -+ aux->cgroup_storage[i] ? -+ aux->cgroup_storage[i]->cookie : 0; -+ } - ret = true; - } else { - ret = map->owner.type == prog_type && - map->owner.jited == fp->jited && - map->owner.xdp_has_frags == aux->xdp_has_frags; -+ for_each_cgroup_storage_type(i) { -+ if (!ret) -+ break; -+ cookie = aux->cgroup_storage[i] ? -+ aux->cgroup_storage[i]->cookie : 0; -+ ret = map->owner.storage_cookie[i] == cookie || -+ !cookie; -+ } - if (ret && - map->owner.attach_func_proto != aux->attach_func_proto) { - switch (prog_type) { --- -2.43.0 - diff --git a/SPECS/kernel/CVE-2025-39677.patch b/SPECS/kernel/CVE-2025-39677.patch new file mode 100644 index 0000000000..6f075526c7 --- /dev/null +++ b/SPECS/kernel/CVE-2025-39677.patch @@ -0,0 +1,313 @@ +From 6475c4fdc534ff8302069efc313e47a9617963fc Mon Sep 17 00:00:00 2001 +From: William Liu +Date: Tue, 12 Aug 2025 23:57:57 +0000 +Subject: [PATCH 4/4] net/sched: Fix backlog accounting in + qdisc_dequeue_internal + +This issue applies for the following qdiscs: hhf, fq, fq_codel, and +fq_pie, and occurs in their change handlers when adjusting to the new +limit. The problem is the following in the values passed to the +subsequent qdisc_tree_reduce_backlog call given a tbf parent: + + When the tbf parent runs out of tokens, skbs of these qdiscs will + be placed in gso_skb. Their peek handlers are qdisc_peek_dequeued, + which accounts for both qlen and backlog. However, in the case of + qdisc_dequeue_internal, ONLY qlen is accounted for when pulling + from gso_skb. This means that these qdiscs are missing a + qdisc_qstats_backlog_dec when dropping packets to satisfy the + new limit in their change handlers. + + One can observe this issue with the following (with tc patched to + support a limit of 0): + + export TARGET=fq + tc qdisc del dev lo root + tc qdisc add dev lo root handle 1: tbf rate 8bit burst 100b latency 1ms + tc qdisc replace dev lo handle 3: parent 1:1 $TARGET limit 1000 + echo ''; echo 'add child'; tc -s -d qdisc show dev lo + ping -I lo -f -c2 -s32 -W0.001 127.0.0.1 2>&1 >/dev/null + echo ''; echo 'after ping'; tc -s -d qdisc show dev lo + tc qdisc change dev lo handle 3: parent 1:1 $TARGET limit 0 + echo ''; echo 'after limit drop'; tc -s -d qdisc show dev lo + tc qdisc replace dev lo handle 2: parent 1:1 sfq + echo ''; echo 'post graft'; tc -s -d qdisc show dev lo + + The second to last show command shows 0 packets but a positive + number (74) of backlog bytes. The problem becomes clearer in the + last show command, where qdisc_purge_queue triggers + qdisc_tree_reduce_backlog with the positive backlog and causes an + underflow in the tbf parent's backlog (4096 Mb instead of 0). + +To fix this issue, the codepath for all clients of qdisc_dequeue_internal +has been simplified: codel, pie, hhf, fq, fq_pie, and fq_codel. +qdisc_dequeue_internal handles the backlog adjustments for all cases that +do not directly use the dequeue handler. + +The old fq_codel_change limit adjustment loop accumulated the arguments to +the subsequent qdisc_tree_reduce_backlog call through the cstats field. +However, this is confusing and error prone as fq_codel_dequeue could also +potentially mutate this field (which qdisc_dequeue_internal calls in the +non gso_skb case), so we have unified the code here with other qdiscs. + +Fixes: 2d3cbfd6d54a ("net_sched: Flush gso_skb list too during ->change()") +Fixes: 4b549a2ef4be ("fq_codel: Fair Queue Codel AQM") +Fixes: 10239edf86f1 ("net-qdisc-hhf: Heavy-Hitter Filter (HHF) qdisc") +Signed-off-by: William Liu +Reviewed-by: Savino Dicanosa +Link: https://patch.msgid.link/20250812235725.45243-1-will@willsroot.io +Signed-off-by: Jakub Kicinski +--- + include/net/sch_generic.h | 11 ++++++++--- + net/sched/sch_codel.c | 12 +++++++----- + net/sched/sch_fq.c | 12 +++++++----- + net/sched/sch_fq_codel.c | 12 +++++++----- + net/sched/sch_fq_pie.c | 12 +++++++----- + net/sched/sch_hhf.c | 12 +++++++----- + net/sched/sch_pie.c | 12 +++++++----- + 7 files changed, 50 insertions(+), 33 deletions(-) + +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index a9d7e9ecee6b5..f0f64beb9486f 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -1038,12 +1038,17 @@ static inline struct sk_buff *qdisc_dequeue_internal(struct Qdisc *sch, bool dir + skb = __skb_dequeue(&sch->gso_skb); + if (skb) { + sch->q.qlen--; ++ qdisc_qstats_backlog_dec(sch, skb); + return skb; + } +- if (direct) +- return __qdisc_dequeue_head(&sch->q); +- else ++ if (direct) { ++ skb = __qdisc_dequeue_head(&sch->q); ++ if (skb) ++ qdisc_qstats_backlog_dec(sch, skb); ++ return skb; ++ } else { + return sch->dequeue(sch); ++ } + } + + static inline struct sk_buff *qdisc_dequeue_head(struct Qdisc *sch) +diff --git a/net/sched/sch_codel.c b/net/sched/sch_codel.c +index afd9805cb68e2..655eb64cd1761 100644 +--- a/net/sched/sch_codel.c ++++ b/net/sched/sch_codel.c +@@ -100,9 +100,9 @@ static const struct nla_policy codel_policy[TCA_CODEL_MAX + 1] = { + static int codel_change(struct Qdisc *sch, struct nlattr *opt, + struct netlink_ext_ack *extack) + { ++ unsigned int dropped_pkts = 0, dropped_bytes = 0; + struct codel_sched_data *q = qdisc_priv(sch); + struct nlattr *tb[TCA_CODEL_MAX + 1]; +- unsigned int qlen, dropped = 0; + int err; + + err = nla_parse_nested_deprecated(tb, TCA_CODEL_MAX, opt, +@@ -141,15 +141,17 @@ static int codel_change(struct Qdisc *sch, struct nlattr *opt, + WRITE_ONCE(q->params.ecn, + !!nla_get_u32(tb[TCA_CODEL_ECN])); + +- qlen = sch->q.qlen; + while (sch->q.qlen > sch->limit) { + struct sk_buff *skb = qdisc_dequeue_internal(sch, true); + +- dropped += qdisc_pkt_len(skb); +- qdisc_qstats_backlog_dec(sch, skb); ++ if (!skb) ++ break; ++ ++ dropped_pkts++; ++ dropped_bytes += qdisc_pkt_len(skb); + rtnl_qdisc_drop(skb, sch); + } +- qdisc_tree_reduce_backlog(sch, qlen - sch->q.qlen, dropped); ++ qdisc_tree_reduce_backlog(sch, dropped_pkts, dropped_bytes); + + sch_tree_unlock(sch); + return 0; +diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c +index 1af9768cd8ff6..df11a54e390cf 100644 +--- a/net/sched/sch_fq.c ++++ b/net/sched/sch_fq.c +@@ -1001,11 +1001,11 @@ static int fq_load_priomap(struct fq_sched_data *q, + static int fq_change(struct Qdisc *sch, struct nlattr *opt, + struct netlink_ext_ack *extack) + { ++ unsigned int dropped_pkts = 0, dropped_bytes = 0; + struct fq_sched_data *q = qdisc_priv(sch); + struct nlattr *tb[TCA_FQ_MAX + 1]; +- int err, drop_count = 0; +- unsigned drop_len = 0; + u32 fq_log; ++ int err; + + err = nla_parse_nested_deprecated(tb, TCA_FQ_MAX, opt, fq_policy, + NULL); +@@ -1112,16 +1112,18 @@ static int fq_change(struct Qdisc *sch, struct nlattr *opt, + err = fq_resize(sch, fq_log); + sch_tree_lock(sch); + } ++ + while (sch->q.qlen > sch->limit) { + struct sk_buff *skb = qdisc_dequeue_internal(sch, false); + + if (!skb) + break; +- drop_len += qdisc_pkt_len(skb); ++ ++ dropped_pkts++; ++ dropped_bytes += qdisc_pkt_len(skb); + rtnl_kfree_skbs(skb, skb); +- drop_count++; + } +- qdisc_tree_reduce_backlog(sch, drop_count, drop_len); ++ qdisc_tree_reduce_backlog(sch, dropped_pkts, dropped_bytes); + + sch_tree_unlock(sch); + return err; +diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c +index 551b7cbdae90c..5e4c69d4df419 100644 +--- a/net/sched/sch_fq_codel.c ++++ b/net/sched/sch_fq_codel.c +@@ -365,6 +365,7 @@ static const struct nla_policy fq_codel_policy[TCA_FQ_CODEL_MAX + 1] = { + static int fq_codel_change(struct Qdisc *sch, struct nlattr *opt, + struct netlink_ext_ack *extack) + { ++ unsigned int dropped_pkts = 0, dropped_bytes = 0; + struct fq_codel_sched_data *q = qdisc_priv(sch); + struct nlattr *tb[TCA_FQ_CODEL_MAX + 1]; + u32 quantum = 0; +@@ -442,13 +443,14 @@ static int fq_codel_change(struct Qdisc *sch, struct nlattr *opt, + q->memory_usage > q->memory_limit) { + struct sk_buff *skb = qdisc_dequeue_internal(sch, false); + +- q->cstats.drop_len += qdisc_pkt_len(skb); ++ if (!skb) ++ break; ++ ++ dropped_pkts++; ++ dropped_bytes += qdisc_pkt_len(skb); + rtnl_kfree_skbs(skb, skb); +- q->cstats.drop_count++; + } +- qdisc_tree_reduce_backlog(sch, q->cstats.drop_count, q->cstats.drop_len); +- q->cstats.drop_count = 0; +- q->cstats.drop_len = 0; ++ qdisc_tree_reduce_backlog(sch, dropped_pkts, dropped_bytes); + + sch_tree_unlock(sch); + return 0; +diff --git a/net/sched/sch_fq_pie.c b/net/sched/sch_fq_pie.c +index 6ed08b705f8a5..5881d34d58b49 100644 +--- a/net/sched/sch_fq_pie.c ++++ b/net/sched/sch_fq_pie.c +@@ -285,10 +285,9 @@ static struct sk_buff *fq_pie_qdisc_dequeue(struct Qdisc *sch) + static int fq_pie_change(struct Qdisc *sch, struct nlattr *opt, + struct netlink_ext_ack *extack) + { ++ unsigned int dropped_pkts = 0, dropped_bytes = 0; + struct fq_pie_sched_data *q = qdisc_priv(sch); + struct nlattr *tb[TCA_FQ_PIE_MAX + 1]; +- unsigned int len_dropped = 0; +- unsigned int num_dropped = 0; + int err; + + err = nla_parse_nested(tb, TCA_FQ_PIE_MAX, opt, fq_pie_policy, extack); +@@ -366,11 +365,14 @@ static int fq_pie_change(struct Qdisc *sch, struct nlattr *opt, + while (sch->q.qlen > sch->limit) { + struct sk_buff *skb = qdisc_dequeue_internal(sch, false); + +- len_dropped += qdisc_pkt_len(skb); +- num_dropped += 1; ++ if (!skb) ++ break; ++ ++ dropped_pkts++; ++ dropped_bytes += qdisc_pkt_len(skb); + rtnl_kfree_skbs(skb, skb); + } +- qdisc_tree_reduce_backlog(sch, num_dropped, len_dropped); ++ qdisc_tree_reduce_backlog(sch, dropped_pkts, dropped_bytes); + + sch_tree_unlock(sch); + return 0; +diff --git a/net/sched/sch_hhf.c b/net/sched/sch_hhf.c +index 5aa434b467073..2d4855e28a286 100644 +--- a/net/sched/sch_hhf.c ++++ b/net/sched/sch_hhf.c +@@ -508,9 +508,9 @@ static const struct nla_policy hhf_policy[TCA_HHF_MAX + 1] = { + static int hhf_change(struct Qdisc *sch, struct nlattr *opt, + struct netlink_ext_ack *extack) + { ++ unsigned int dropped_pkts = 0, dropped_bytes = 0; + struct hhf_sched_data *q = qdisc_priv(sch); + struct nlattr *tb[TCA_HHF_MAX + 1]; +- unsigned int qlen, prev_backlog; + int err; + u64 non_hh_quantum; + u32 new_quantum = q->quantum; +@@ -561,15 +561,17 @@ static int hhf_change(struct Qdisc *sch, struct nlattr *opt, + usecs_to_jiffies(us)); + } + +- qlen = sch->q.qlen; +- prev_backlog = sch->qstats.backlog; + while (sch->q.qlen > sch->limit) { + struct sk_buff *skb = qdisc_dequeue_internal(sch, false); + ++ if (!skb) ++ break; ++ ++ dropped_pkts++; ++ dropped_bytes += qdisc_pkt_len(skb); + rtnl_kfree_skbs(skb, skb); + } +- qdisc_tree_reduce_backlog(sch, qlen - sch->q.qlen, +- prev_backlog - sch->qstats.backlog); ++ qdisc_tree_reduce_backlog(sch, dropped_pkts, dropped_bytes); + + sch_tree_unlock(sch); + return 0; +diff --git a/net/sched/sch_pie.c b/net/sched/sch_pie.c +index db61cbc21b138..a6a5874f4c3a9 100644 +--- a/net/sched/sch_pie.c ++++ b/net/sched/sch_pie.c +@@ -138,9 +138,9 @@ static const struct nla_policy pie_policy[TCA_PIE_MAX + 1] = { + static int pie_change(struct Qdisc *sch, struct nlattr *opt, + struct netlink_ext_ack *extack) + { ++ unsigned int dropped_pkts = 0, dropped_bytes = 0; + struct pie_sched_data *q = qdisc_priv(sch); + struct nlattr *tb[TCA_PIE_MAX + 1]; +- unsigned int qlen, dropped = 0; + int err; + + err = nla_parse_nested_deprecated(tb, TCA_PIE_MAX, opt, pie_policy, +@@ -190,15 +190,17 @@ static int pie_change(struct Qdisc *sch, struct nlattr *opt, + nla_get_u32(tb[TCA_PIE_DQ_RATE_ESTIMATOR])); + + /* Drop excess packets if new limit is lower */ +- qlen = sch->q.qlen; + while (sch->q.qlen > sch->limit) { + struct sk_buff *skb = qdisc_dequeue_internal(sch, true); + +- dropped += qdisc_pkt_len(skb); +- qdisc_qstats_backlog_dec(sch, skb); ++ if (!skb) ++ break; ++ ++ dropped_pkts++; ++ dropped_bytes += qdisc_pkt_len(skb); + rtnl_qdisc_drop(skb, sch); + } +- qdisc_tree_reduce_backlog(sch, qlen - sch->q.qlen, dropped); ++ qdisc_tree_reduce_backlog(sch, dropped_pkts, dropped_bytes); + + sch_tree_unlock(sch); + return 0; +-- +2.43.0 + diff --git a/SPECS/kernel/CVE-2025-39745.patch b/SPECS/kernel/CVE-2025-39745.patch new file mode 100644 index 0000000000..86b7b34554 --- /dev/null +++ b/SPECS/kernel/CVE-2025-39745.patch @@ -0,0 +1,52 @@ +From 75aa7cb87d85ed76966c409bd5d80266d9c77b17 Mon Sep 17 00:00:00 2001 +From: Zqiang +Date: Wed, 7 May 2025 19:26:03 +0800 +Subject: [PATCH 3/4] rcutorture: Fix rcutorture_one_extend_check() splat in RT + kernels + +For built with CONFIG_PREEMPT_RT=y kernels, running rcutorture +tests resulted in the following splat: + +[ 68.797425] rcutorture_one_extend_check during change: Current 0x1 To add 0x1 To remove 0x0 preempt_count() 0x0 +[ 68.797533] WARNING: CPU: 2 PID: 512 at kernel/rcu/rcutorture.c:1993 rcutorture_one_extend_check+0x419/0x560 [rcutorture] +[ 68.797601] Call Trace: +[ 68.797602] +[ 68.797619] ? lockdep_softirqs_off+0xa5/0x160 +[ 68.797631] rcutorture_one_extend+0x18e/0xcc0 [rcutorture 2466dbd2ff34dbaa36049cb323a80c3306ac997c] +[ 68.797646] ? local_clock+0x19/0x40 +[ 68.797659] rcu_torture_one_read+0xf0/0x280 [rcutorture 2466dbd2ff34dbaa36049cb323a80c3306ac997c] +[ 68.797678] ? __pfx_rcu_torture_one_read+0x10/0x10 [rcutorture 2466dbd2ff34dbaa36049cb323a80c3306ac997c] +[ 68.797804] ? __pfx_rcu_torture_timer+0x10/0x10 [rcutorture 2466dbd2ff34dbaa36049cb323a80c3306ac997c] +[ 68.797815] rcu-torture: rcu_torture_reader task started +[ 68.797824] rcu-torture: Creating rcu_torture_reader task +[ 68.797824] rcu_torture_reader+0x238/0x580 [rcutorture 2466dbd2ff34dbaa36049cb323a80c3306ac997c] +[ 68.797836] ? kvm_sched_clock_read+0x15/0x30 + +Disable BH does not change the SOFTIRQ corresponding bits in +preempt_count() for RT kernels, this commit therefore use +softirq_count() to check the if BH is disabled. + +Reviewed-by: Paul E. McKenney +Signed-off-by: Zqiang +Signed-off-by: Joel Fernandes +Signed-off-by: Neeraj Upadhyay (AMD) +--- + kernel/rcu/rcutorture.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c +index 609687fd742d5..b3c8651f14729 100644 +--- a/kernel/rcu/rcutorture.c ++++ b/kernel/rcu/rcutorture.c +@@ -430,7 +430,7 @@ rcu_read_delay(struct torture_random_state *rrsp, struct rt_read_seg *rtrsp) + !(torture_random(rrsp) % (nrealreaders * 2000 * longdelay_ms))) { + started = cur_ops->get_gp_seq(); + ts = rcu_trace_clock_local(); +- if (preempt_count() & (SOFTIRQ_MASK | HARDIRQ_MASK)) ++ if ((preempt_count() & HARDIRQ_MASK) || softirq_count()) + longdelay_ms = 5; /* Avoid triggering BH limits. */ + mdelay(longdelay_ms); + rtrsp->rt_delay_ms = longdelay_ms; +-- +2.43.0 + diff --git a/SPECS/kernel/CVE-2025-39764.patch b/SPECS/kernel/CVE-2025-39764.patch new file mode 100644 index 0000000000..51b13efc30 --- /dev/null +++ b/SPECS/kernel/CVE-2025-39764.patch @@ -0,0 +1,160 @@ +From 8dbe282d028de5d53c830caa6f801089803b0dbf Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Fri, 1 Aug 2025 17:25:09 +0200 +Subject: [PATCH 2/4] netfilter: ctnetlink: remove refcounting in expectation + dumpers + +Same pattern as previous patch: do not keep the expectation object +alive via refcount, only store a cookie value and then use that +as the skip hint for dump resumption. + +AFAICS this has the same issue as the one resolved in the conntrack +dumper, when we do + if (!refcount_inc_not_zero(&exp->use)) + +to increment the refcount, there is a chance that exp == last, which +causes a double-increment of the refcount and subsequent memory leak. + +Fixes: cf6994c2b981 ("[NETFILTER]: nf_conntrack_netlink: sync expectation dumping with conntrack table dumping") +Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + net/netfilter/nf_conntrack_netlink.c | 41 ++++++++++++---------------- + 1 file changed, 17 insertions(+), 24 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c +index 18a91c031554c..13836723223e0 100644 +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -3146,23 +3146,27 @@ ctnetlink_expect_event(unsigned int events, const struct nf_exp_event *item) + return 0; + } + #endif +-static int ctnetlink_exp_done(struct netlink_callback *cb) ++ ++static unsigned long ctnetlink_exp_id(const struct nf_conntrack_expect *exp) + { +- if (cb->args[1]) +- nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]); +- return 0; ++ unsigned long id = (unsigned long)exp; ++ ++ id += nf_ct_get_id(exp->master); ++ id += exp->class; ++ ++ return id ? id : 1; + } + + static int + ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + { + struct net *net = sock_net(skb->sk); +- struct nf_conntrack_expect *exp, *last; + struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); + u_int8_t l3proto = nfmsg->nfgen_family; ++ unsigned long last_id = cb->args[1]; ++ struct nf_conntrack_expect *exp; + + rcu_read_lock(); +- last = (struct nf_conntrack_expect *)cb->args[1]; + for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) { + restart: + hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]], +@@ -3174,7 +3178,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + continue; + + if (cb->args[1]) { +- if (exp != last) ++ if (ctnetlink_exp_id(exp) != last_id) + continue; + cb->args[1] = 0; + } +@@ -3183,9 +3187,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + cb->nlh->nlmsg_seq, + IPCTNL_MSG_EXP_NEW, + exp) < 0) { +- if (!refcount_inc_not_zero(&exp->use)) +- continue; +- cb->args[1] = (unsigned long)exp; ++ cb->args[1] = ctnetlink_exp_id(exp); + goto out; + } + } +@@ -3196,32 +3198,30 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + } + out: + rcu_read_unlock(); +- if (last) +- nf_ct_expect_put(last); +- + return skb->len; + } + + static int + ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + { +- struct nf_conntrack_expect *exp, *last; + struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); + struct nf_conn *ct = cb->data; + struct nf_conn_help *help = nfct_help(ct); + u_int8_t l3proto = nfmsg->nfgen_family; ++ unsigned long last_id = cb->args[1]; ++ struct nf_conntrack_expect *exp; + + if (cb->args[0]) + return 0; + + rcu_read_lock(); +- last = (struct nf_conntrack_expect *)cb->args[1]; ++ + restart: + hlist_for_each_entry_rcu(exp, &help->expectations, lnode) { + if (l3proto && exp->tuple.src.l3num != l3proto) + continue; + if (cb->args[1]) { +- if (exp != last) ++ if (ctnetlink_exp_id(exp) != last_id) + continue; + cb->args[1] = 0; + } +@@ -3229,9 +3229,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + cb->nlh->nlmsg_seq, + IPCTNL_MSG_EXP_NEW, + exp) < 0) { +- if (!refcount_inc_not_zero(&exp->use)) +- continue; +- cb->args[1] = (unsigned long)exp; ++ cb->args[1] = ctnetlink_exp_id(exp); + goto out; + } + } +@@ -3242,9 +3240,6 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + cb->args[0] = 1; + out: + rcu_read_unlock(); +- if (last) +- nf_ct_expect_put(last); +- + return skb->len; + } + +@@ -3263,7 +3258,6 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, + struct nf_conntrack_zone zone; + struct netlink_dump_control c = { + .dump = ctnetlink_exp_ct_dump_table, +- .done = ctnetlink_exp_done, + }; + + err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, +@@ -3313,7 +3307,6 @@ static int ctnetlink_get_expect(struct sk_buff *skb, + else { + struct netlink_dump_control c = { + .dump = ctnetlink_exp_dump_table, +- .done = ctnetlink_exp_done, + }; + return netlink_dump_start(info->sk, skb, info->nlh, &c); + } +-- +2.43.0 + diff --git a/SPECS/kernel/CVE-2025-39789.patch b/SPECS/kernel/CVE-2025-39789.patch new file mode 100644 index 0000000000..10a29845b4 --- /dev/null +++ b/SPECS/kernel/CVE-2025-39789.patch @@ -0,0 +1,119 @@ +From b3cebc12805fd709f20b6c0bbe9bbeffce7169ce Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 15 Sep 2025 15:51:56 +0800 +Subject: [PATCH 1/4] crypto: x86/aegis - Add missing error checks + +The skcipher_walk functions can allocate memory and can fail, so +checking for errors is necessary. + +Fixes: 1d373d4e8e15 ("crypto: x86 - Add optimized AEGIS implementations") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +--- + arch/x86/crypto/aegis128-aesni-glue.c | 36 +++++++++++++++++++-------- + 1 file changed, 26 insertions(+), 10 deletions(-) + +diff --git a/arch/x86/crypto/aegis128-aesni-glue.c b/arch/x86/crypto/aegis128-aesni-glue.c +index 4623189000d89..f3a8f0c4d0b07 100644 +--- a/arch/x86/crypto/aegis128-aesni-glue.c ++++ b/arch/x86/crypto/aegis128-aesni-glue.c +@@ -114,22 +114,27 @@ static void crypto_aegis128_aesni_process_ad( + } + } + +-static void crypto_aegis128_aesni_process_crypt( ++static int crypto_aegis128_aesni_process_crypt( + struct aegis_state *state, struct skcipher_walk *walk, + const struct aegis_crypt_ops *ops) + { ++ int err = 0; ++ + while (walk->nbytes >= AEGIS128_BLOCK_SIZE) { + ops->crypt_blocks(state, + round_down(walk->nbytes, AEGIS128_BLOCK_SIZE), + walk->src.virt.addr, walk->dst.virt.addr); +- skcipher_walk_done(walk, walk->nbytes % AEGIS128_BLOCK_SIZE); ++ err = skcipher_walk_done(walk, walk->nbytes % AEGIS128_BLOCK_SIZE); ++ if (err) ++ break; + } + +- if (walk->nbytes) { ++ if (walk->nbytes && !err) { + ops->crypt_tail(state, walk->nbytes, walk->src.virt.addr, + walk->dst.virt.addr); +- skcipher_walk_done(walk, 0); ++ err = skcipher_walk_done(walk, 0); + } ++ return err; + } + + static struct aegis_ctx *crypto_aegis128_aesni_ctx(struct crypto_aead *aead) +@@ -162,7 +167,7 @@ static int crypto_aegis128_aesni_setauthsize(struct crypto_aead *tfm, + return 0; + } + +-static void crypto_aegis128_aesni_crypt(struct aead_request *req, ++static int crypto_aegis128_aesni_crypt(struct aead_request *req, + struct aegis_block *tag_xor, + unsigned int cryptlen, + const struct aegis_crypt_ops *ops) +@@ -171,17 +176,22 @@ static void crypto_aegis128_aesni_crypt(struct aead_request *req, + struct aegis_ctx *ctx = crypto_aegis128_aesni_ctx(tfm); + struct skcipher_walk walk; + struct aegis_state state; ++ int err; + +- ops->skcipher_walk_init(&walk, req, true); ++ err = ops->skcipher_walk_init(&walk, req, true); ++ if (err) ++ return err; + + kernel_fpu_begin(); + + crypto_aegis128_aesni_init(&state, ctx->key.bytes, req->iv); + crypto_aegis128_aesni_process_ad(&state, req->src, req->assoclen); +- crypto_aegis128_aesni_process_crypt(&state, &walk, ops); +- crypto_aegis128_aesni_final(&state, tag_xor, req->assoclen, cryptlen); ++ err = crypto_aegis128_aesni_process_crypt(&state, &walk, ops); ++ if (err == 0) ++ crypto_aegis128_aesni_final(&state, tag_xor, req->assoclen, cryptlen); + + kernel_fpu_end(); ++ return err; + } + + static int crypto_aegis128_aesni_encrypt(struct aead_request *req) +@@ -196,8 +206,11 @@ static int crypto_aegis128_aesni_encrypt(struct aead_request *req) + struct aegis_block tag = {}; + unsigned int authsize = crypto_aead_authsize(tfm); + unsigned int cryptlen = req->cryptlen; ++ int err; + +- crypto_aegis128_aesni_crypt(req, &tag, cryptlen, &OPS); ++ err = crypto_aegis128_aesni_crypt(req, &tag, cryptlen, &OPS); ++ if (err) ++ return err; + + scatterwalk_map_and_copy(tag.bytes, req->dst, + req->assoclen + cryptlen, authsize, 1); +@@ -218,11 +231,14 @@ static int crypto_aegis128_aesni_decrypt(struct aead_request *req) + struct aegis_block tag; + unsigned int authsize = crypto_aead_authsize(tfm); + unsigned int cryptlen = req->cryptlen - authsize; ++ int err; + + scatterwalk_map_and_copy(tag.bytes, req->src, + req->assoclen + cryptlen, authsize, 0); + +- crypto_aegis128_aesni_crypt(req, &tag, cryptlen, &OPS); ++ err = crypto_aegis128_aesni_crypt(req, &tag, cryptlen, &OPS); ++ if (err) ++ return err; + + return crypto_memneq(tag.bytes, zeros.bytes, authsize) ? -EBADMSG : 0; + } +-- +2.43.0 + diff --git a/SPECS/kernel/CVE-2025-39833.patch b/SPECS/kernel/CVE-2025-39833.patch new file mode 100644 index 0000000000..e5caa06f96 --- /dev/null +++ b/SPECS/kernel/CVE-2025-39833.patch @@ -0,0 +1,100 @@ +From 47b3584e3e6b3d19aec5cda2a453c5ef9a117b27 Mon Sep 17 00:00:00 2001 +From: Vladimir Riabchun +Date: Fri, 22 Aug 2025 20:11:36 +0200 +Subject: [PATCH 2/5] mISDN: hfcpci: Fix warning when deleting uninitialized + timer + +With CONFIG_DEBUG_OBJECTS_TIMERS unloading hfcpci module leads +to the following splat: + +[ 250.215892] ODEBUG: assert_init not available (active state 0) object: ffffffffc01a3dc0 object type: timer_list hint: 0x0 +[ 250.217520] WARNING: CPU: 0 PID: 233 at lib/debugobjects.c:612 debug_print_object+0x1b6/0x2c0 +[ 250.218775] Modules linked in: hfcpci(-) mISDN_core +[ 250.219537] CPU: 0 UID: 0 PID: 233 Comm: rmmod Not tainted 6.17.0-rc2-g6f713187ac98 #2 PREEMPT(voluntary) +[ 250.220940] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 250.222377] RIP: 0010:debug_print_object+0x1b6/0x2c0 +[ 250.223131] Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 4f 41 56 48 8b 14 dd a0 4e 01 9f 48 89 ee 48 c7 c7 20 46 01 9f e8 cb 84d +[ 250.225805] RSP: 0018:ffff888015ea7c08 EFLAGS: 00010286 +[ 250.226608] RAX: 0000000000000000 RBX: 0000000000000005 RCX: ffffffff9be93a95 +[ 250.227708] RDX: 1ffff1100d945138 RSI: 0000000000000008 RDI: ffff88806ca289c0 +[ 250.228993] RBP: ffffffff9f014a00 R08: 0000000000000001 R09: ffffed1002bd4f39 +[ 250.230043] R10: ffff888015ea79cf R11: 0000000000000001 R12: 0000000000000001 +[ 250.231185] R13: ffffffff9eea0520 R14: 0000000000000000 R15: ffff888015ea7cc8 +[ 250.232454] FS: 00007f3208f01540(0000) GS:ffff8880caf5a000(0000) knlGS:0000000000000000 +[ 250.233851] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 250.234856] CR2: 00007f32090a7421 CR3: 0000000004d63000 CR4: 00000000000006f0 +[ 250.236117] Call Trace: +[ 250.236599] +[ 250.236967] ? trace_irq_enable.constprop.0+0xd4/0x130 +[ 250.237920] debug_object_assert_init+0x1f6/0x310 +[ 250.238762] ? __pfx_debug_object_assert_init+0x10/0x10 +[ 250.239658] ? __lock_acquire+0xdea/0x1c70 +[ 250.240369] __try_to_del_timer_sync+0x69/0x140 +[ 250.241172] ? __pfx___try_to_del_timer_sync+0x10/0x10 +[ 250.242058] ? __timer_delete_sync+0xc6/0x120 +[ 250.242842] ? lock_acquire+0x30/0x80 +[ 250.243474] ? __timer_delete_sync+0xc6/0x120 +[ 250.244262] __timer_delete_sync+0x98/0x120 +[ 250.245015] HFC_cleanup+0x10/0x20 [hfcpci] +[ 250.245704] __do_sys_delete_module+0x348/0x510 +[ 250.246461] ? __pfx___do_sys_delete_module+0x10/0x10 +[ 250.247338] do_syscall_64+0xc1/0x360 +[ 250.247924] entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fix this by initializing hfc_tl timer with DEFINE_TIMER macro. +Also, use mod_timer instead of manual timeout update. + +Fixes: 87c5fa1bb426 ("mISDN: Add different different timer settings for hfc-pci") +Fixes: 175302f6b79e ("mISDN: hfcpci: Fix use-after-free bug in hfcpci_softirq") +Signed-off-by: Vladimir Riabchun +Link: https://patch.msgid.link/aKiy2D_LiWpQ5kXq@vova-pc +Signed-off-by: Jakub Kicinski +--- + drivers/isdn/hardware/mISDN/hfcpci.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c +index ce7bccc9faa3..465503e966b9 100644 +--- a/drivers/isdn/hardware/mISDN/hfcpci.c ++++ b/drivers/isdn/hardware/mISDN/hfcpci.c +@@ -39,12 +39,13 @@ + + #include "hfc_pci.h" + ++static void hfcpci_softirq(struct timer_list *unused); + static const char *hfcpci_revision = "2.0"; + + static int HFC_cnt; + static uint debug; + static uint poll, tics; +-static struct timer_list hfc_tl; ++static DEFINE_TIMER(hfc_tl, hfcpci_softirq); + static unsigned long hfc_jiffies; + + MODULE_AUTHOR("Karsten Keil"); +@@ -2305,8 +2306,7 @@ hfcpci_softirq(struct timer_list *unused) + hfc_jiffies = jiffies + 1; + else + hfc_jiffies += tics; +- hfc_tl.expires = hfc_jiffies; +- add_timer(&hfc_tl); ++ mod_timer(&hfc_tl, hfc_jiffies); + } + + static int __init +@@ -2332,10 +2332,8 @@ HFC_init(void) + if (poll != HFCPCI_BTRANS_THRESHOLD) { + printk(KERN_INFO "%s: Using alternative poll value of %d\n", + __func__, poll); +- timer_setup(&hfc_tl, hfcpci_softirq, 0); +- hfc_tl.expires = jiffies + tics; +- hfc_jiffies = hfc_tl.expires; +- add_timer(&hfc_tl); ++ hfc_jiffies = jiffies + tics; ++ mod_timer(&hfc_tl, hfc_jiffies); + } else + tics = 0; /* indicate the use of controller's timer */ + +-- +2.43.0 + diff --git a/SPECS/kernel/CVE-2025-39859.patch b/SPECS/kernel/CVE-2025-39859.patch new file mode 100644 index 0000000000..46cc8aa06e --- /dev/null +++ b/SPECS/kernel/CVE-2025-39859.patch @@ -0,0 +1,51 @@ +From 43f5728e5be5317c53cb12bcf03bcac59a555f2d Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Thu, 28 Aug 2025 16:29:49 +0800 +Subject: [PATCH 5/5] ptp: ocp: fix use-after-free bugs causing by + ptp_ocp_watchdog + +The ptp_ocp_detach() only shuts down the watchdog timer if it is +pending. However, if the timer handler is already running, the +timer_delete_sync() is not called. This leads to race conditions +where the devlink that contains the ptp_ocp is deallocated while +the timer handler is still accessing it, resulting in use-after-free +bugs. The following details one of the race scenarios. + +(thread 1) | (thread 2) +ptp_ocp_remove() | + ptp_ocp_detach() | ptp_ocp_watchdog() + if (timer_pending(&bp->watchdog))| bp = timer_container_of() + timer_delete_sync() | + | + devlink_free(devlink) //free | + | bp-> //use + +Resolve this by unconditionally calling timer_delete_sync() to ensure +the timer is reliably deactivated, preventing any access after free. + +Fixes: 773bda964921 ("ptp: ocp: Expose various resources on the timecard.") +Signed-off-by: Duoming Zhou +Reviewed-by: Vadim Fedorenko +Link: https://patch.msgid.link/20250828082949.28189-1-duoming@zju.edu.cn +Signed-off-by: Jakub Kicinski +--- + drivers/ptp/ptp_ocp.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/ptp/ptp_ocp.c b/drivers/ptp/ptp_ocp.c +index efbd80db778d..8d0a679119d9 100644 +--- a/drivers/ptp/ptp_ocp.c ++++ b/drivers/ptp/ptp_ocp.c +@@ -4556,8 +4556,7 @@ ptp_ocp_detach(struct ptp_ocp *bp) + ptp_ocp_debugfs_remove_device(bp); + ptp_ocp_detach_sysfs(bp); + ptp_ocp_attr_group_del(bp); +- if (timer_pending(&bp->watchdog)) +- del_timer_sync(&bp->watchdog); ++ timer_delete_sync(&bp->watchdog); + if (bp->ts0) + ptp_ocp_unregister_ext(bp->ts0); + if (bp->ts1) +-- +2.43.0 + diff --git a/SPECS/kernel/CVE-2025-39905.patch b/SPECS/kernel/CVE-2025-39905.patch new file mode 100644 index 0000000000..20c2bb27bd --- /dev/null +++ b/SPECS/kernel/CVE-2025-39905.patch @@ -0,0 +1,160 @@ +From f80b8625e8c4738ab34e0e5711d774ccfee9397a Mon Sep 17 00:00:00 2001 +From: Vladimir Oltean +Date: Thu, 4 Sep 2025 15:52:37 +0300 +Subject: [PATCH 4/5] net: phylink: add lock for serializing concurrent + pl->phydev writes with resolver + +Currently phylink_resolve() protects itself against concurrent +phylink_bringup_phy() or phylink_disconnect_phy() calls which modify +pl->phydev by relying on pl->state_mutex. + +The problem is that in phylink_resolve(), pl->state_mutex is in a lock +inversion state with pl->phydev->lock. So pl->phydev->lock needs to be +acquired prior to pl->state_mutex. But that requires dereferencing +pl->phydev in the first place, and without pl->state_mutex, that is +racy. + +Hence the reason for the extra lock. Currently it is redundant, but it +will serve a functional purpose once mutex_lock(&phy->lock) will be +moved outside of the mutex_lock(&pl->state_mutex) section. + +Another alternative considered would have been to let phylink_resolve() +acquire the rtnl_mutex, which is also held when phylink_bringup_phy() +and phylink_disconnect_phy() are called. But since phylink_disconnect_phy() +runs under rtnl_lock(), it would deadlock with phylink_resolve() when +calling flush_work(&pl->resolve). Additionally, it would have been +undesirable because it would have unnecessarily blocked many other call +paths as well in the entire kernel, so the smaller-scoped lock was +preferred. + +Link: https://lore.kernel.org/netdev/aLb6puGVzR29GpPx@shell.armlinux.org.uk/ +Signed-off-by: Vladimir Oltean +Reviewed-by: Russell King (Oracle) +Link: https://patch.msgid.link/20250904125238.193990-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +--- + drivers/net/phy/phylink.c | 48 ++++++++++++++++++++++++--------------- + 1 file changed, 30 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c +index 9fc70e108883..c980f59d756f 100644 +--- a/drivers/net/phy/phylink.c ++++ b/drivers/net/phy/phylink.c +@@ -73,6 +73,8 @@ struct phylink { + struct phylink_link_state *s); + + struct mutex state_mutex; ++ /* Serialize updates to pl->phydev with phylink_resolve() */ ++ struct mutex phydev_mutex; + struct phylink_link_state phy_state; + struct work_struct resolve; + unsigned int pcs_neg_mode; +@@ -1475,8 +1477,11 @@ static void phylink_resolve(struct work_struct *w) + struct net_device *ndev = pl->netdev; + bool mac_config = false; + bool retrigger = false; ++ struct phy_device *phy; + bool cur_link_state; + ++ mutex_lock(&pl->phydev_mutex); ++ phy = pl->phydev; + mutex_lock(&pl->state_mutex); + if (pl->netdev) + cur_link_state = netif_carrier_ok(ndev); +@@ -1518,24 +1523,23 @@ static void phylink_resolve(struct work_struct *w) + &link_state); + } + +- /* If we have a phy, the "up" state is the union of +- * both the PHY and the MAC ++ /* If we have a phy, the "up" state is the union of both the ++ * PHY and the MAC ++ */ ++ if (phy) ++ link_state.link &= pl->phy_state.link; ++ ++ /* Only update if the PHY link is up */ ++ if (phy && pl->phy_state.link) { ++ /* If the interface has changed, force a link down ++ * event if the link isn't already down, and re-resolve. + */ +- if (pl->phydev) +- link_state.link &= pl->phy_state.link; +- +- /* Only update if the PHY link is up */ +- if (pl->phydev && pl->phy_state.link) { +- /* If the interface has changed, force a +- * link down event if the link isn't already +- * down, and re-resolve. +- */ +- if (link_state.interface != +- pl->phy_state.interface) { +- retrigger = true; +- link_state.link = false; +- } +- link_state.interface = pl->phy_state.interface; ++ if (link_state.interface != pl->phy_state.interface) { ++ retrigger = true; ++ link_state.link = false; ++ } ++ ++ link_state.interface = pl->phy_state.interface; + + /* If we are doing rate matching, then the + * link speed/duplex comes from the PHY +@@ -1585,6 +1589,7 @@ static void phylink_resolve(struct work_struct *w) + queue_work(system_power_efficient_wq, &pl->resolve); + } + mutex_unlock(&pl->state_mutex); ++ mutex_unlock(&pl->phydev_mutex); + } + + static void phylink_run_resolve(struct phylink *pl) +@@ -1727,6 +1732,7 @@ struct phylink *phylink_create(struct phylink_config *config, + if (!pl) + return ERR_PTR(-ENOMEM); + ++ mutex_init(&pl->phydev_mutex); + mutex_init(&pl->state_mutex); + INIT_WORK(&pl->resolve, phylink_resolve); + +@@ -1972,6 +1978,7 @@ static int phylink_bringup_phy(struct phylink *pl, struct phy_device *phy, + dev_name(&phy->mdio.dev), phy->drv->name, irq_str); + kfree(irq_str); + ++ mutex_lock(&pl->phydev_mutex); + mutex_lock(&phy->lock); + mutex_lock(&pl->state_mutex); + pl->phydev = phy; +@@ -1987,6 +1994,7 @@ static int phylink_bringup_phy(struct phylink *pl, struct phy_device *phy, + linkmode_copy(phy->advertising, config.advertising); + mutex_unlock(&pl->state_mutex); + mutex_unlock(&phy->lock); ++ mutex_unlock(&pl->phydev_mutex); + + phylink_dbg(pl, + "phy: %s setting supported %*pb advertising %*pb\n", +@@ -2152,6 +2160,7 @@ void phylink_disconnect_phy(struct phylink *pl) + + ASSERT_RTNL(); + ++ mutex_lock(&pl->phydev_mutex); + phy = pl->phydev; + if (phy) { + mutex_lock(&phy->lock); +@@ -2159,8 +2168,11 @@ void phylink_disconnect_phy(struct phylink *pl) + pl->phydev = NULL; + mutex_unlock(&pl->state_mutex); + mutex_unlock(&phy->lock); +- flush_work(&pl->resolve); ++ } ++ mutex_unlock(&pl->phydev_mutex); + ++ if (phy) { ++ flush_work(&pl->resolve); + phy_disconnect(phy); + } + } +-- +2.43.0 + diff --git a/SPECS/kernel/CVE-2025-39910.patch b/SPECS/kernel/CVE-2025-39910.patch new file mode 100644 index 0000000000..667e25520a --- /dev/null +++ b/SPECS/kernel/CVE-2025-39910.patch @@ -0,0 +1,205 @@ +From 04ba72d9f91cd5c66a5be498d53f8d1a5712fd47 Mon Sep 17 00:00:00 2001 +From: "Uladzislau Rezki (Sony)" +Date: Sun, 31 Aug 2025 14:10:58 +0200 +Subject: [PATCH] mm/vmalloc, mm/kasan: respect gfp mask in + kasan_populate_vmalloc() + +kasan_populate_vmalloc() and its helpers ignore the caller's gfp_mask and +always allocate memory using the hardcoded GFP_KERNEL flag. This makes +them inconsistent with vmalloc(), which was recently extended to support +GFP_NOFS and GFP_NOIO allocations. + +Page table allocations performed during shadow population also ignore the +external gfp_mask. To preserve the intended semantics of GFP_NOFS and +GFP_NOIO, wrap the apply_to_page_range() calls into the appropriate +memalloc scope. + +xfs calls vmalloc with GFP_NOFS, so this bug could lead to deadlock. + +There was a report here +https://lkml.kernel.org/r/686ea951.050a0220.385921.0016.GAE@google.com + +This patch: + - Extends kasan_populate_vmalloc() and helpers to take gfp_mask; + - Passes gfp_mask down to alloc_pages_bulk() and __get_free_page(); + - Enforces GFP_NOFS/NOIO semantics with memalloc_*_save()/restore() + around apply_to_page_range(); + - Updates vmalloc.c and percpu allocator call sites accordingly. + +Link: https://lkml.kernel.org/r/20250831121058.92971-1-urezki@gmail.com +Fixes: 451769ebb7e7 ("mm/vmalloc: alloc GFP_NO{FS,IO} for vmalloc") +Signed-off-by: Uladzislau Rezki (Sony) +Reported-by: syzbot+3470c9ffee63e4abafeb@syzkaller.appspotmail.com +Reviewed-by: Andrey Ryabinin +Cc: Baoquan He +Cc: Michal Hocko +Cc: Alexander Potapenko +Cc: Andrey Konovalov +Cc: Dmitry Vyukov +Cc: Vincenzo Frascino +Cc: +Signed-off-by: Andrew Morton +--- + include/linux/kasan.h | 6 +++--- + mm/kasan/shadow.c | 31 ++++++++++++++++++++++++------- + mm/vmalloc.c | 8 ++++---- + 3 files changed, 31 insertions(+), 14 deletions(-) + +diff --git a/include/linux/kasan.h b/include/linux/kasan.h +index 6bbfc8aa42e8f..ef81c543ea2a0 100644 +--- a/include/linux/kasan.h ++++ b/include/linux/kasan.h +@@ -564,7 +564,7 @@ static inline void kasan_init_hw_tags(void) { } + #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS) + + void kasan_populate_early_vm_area_shadow(void *start, unsigned long size); +-int kasan_populate_vmalloc(unsigned long addr, unsigned long size); ++int kasan_populate_vmalloc(unsigned long addr, unsigned long size, gfp_t gfp_mask); + void kasan_release_vmalloc(unsigned long start, unsigned long end, + unsigned long free_region_start, + unsigned long free_region_end, +@@ -576,7 +576,7 @@ static inline void kasan_populate_early_vm_area_shadow(void *start, + unsigned long size) + { } + static inline int kasan_populate_vmalloc(unsigned long start, +- unsigned long size) ++ unsigned long size, gfp_t gfp_mask) + { + return 0; + } +@@ -612,7 +612,7 @@ static __always_inline void kasan_poison_vmalloc(const void *start, + static inline void kasan_populate_early_vm_area_shadow(void *start, + unsigned long size) { } + static inline int kasan_populate_vmalloc(unsigned long start, +- unsigned long size) ++ unsigned long size, gfp_t gfp_mask) + { + return 0; + } +diff --git a/mm/kasan/shadow.c b/mm/kasan/shadow.c +index d2c70cd2afb1d..f934816e9dad3 100644 +--- a/mm/kasan/shadow.c ++++ b/mm/kasan/shadow.c +@@ -335,13 +335,13 @@ static void ___free_pages_bulk(struct page **pages, int nr_pages) + } + } + +-static int ___alloc_pages_bulk(struct page **pages, int nr_pages) ++static int ___alloc_pages_bulk(struct page **pages, int nr_pages, gfp_t gfp_mask) + { + unsigned long nr_populated, nr_total = nr_pages; + struct page **page_array = pages; + + while (nr_pages) { +- nr_populated = alloc_pages_bulk(GFP_KERNEL, nr_pages, pages); ++ nr_populated = alloc_pages_bulk_array(gfp_mask, nr_pages, pages); + if (!nr_populated) { + ___free_pages_bulk(page_array, nr_total - nr_pages); + return -ENOMEM; +@@ -353,25 +353,42 @@ static int ___alloc_pages_bulk(struct page **pages, int nr_pages) + return 0; + } + +-static int __kasan_populate_vmalloc(unsigned long start, unsigned long end) ++static int __kasan_populate_vmalloc(unsigned long start, unsigned long end, gfp_t gfp_mask) + { + unsigned long nr_pages, nr_total = PFN_UP(end - start); + struct vmalloc_populate_data data; ++ unsigned int flags; + int ret = 0; + +- data.pages = (struct page **)__get_free_page(GFP_KERNEL | __GFP_ZERO); ++ data.pages = (struct page **)__get_free_page(gfp_mask | __GFP_ZERO); + if (!data.pages) + return -ENOMEM; + + while (nr_total) { + nr_pages = min(nr_total, PAGE_SIZE / sizeof(data.pages[0])); +- ret = ___alloc_pages_bulk(data.pages, nr_pages); ++ ret = ___alloc_pages_bulk(data.pages, nr_pages, gfp_mask); + if (ret) + break; + + data.start = start; ++ ++ /* ++ * page tables allocations ignore external gfp mask, enforce it ++ * by the scope API ++ */ ++ if ((gfp_mask & (__GFP_FS | __GFP_IO)) == __GFP_IO) ++ flags = memalloc_nofs_save(); ++ else if ((gfp_mask & (__GFP_FS | __GFP_IO)) == 0) ++ flags = memalloc_noio_save(); ++ + ret = apply_to_page_range(&init_mm, start, nr_pages * PAGE_SIZE, + kasan_populate_vmalloc_pte, &data); ++ ++ if ((gfp_mask & (__GFP_FS | __GFP_IO)) == __GFP_IO) ++ memalloc_nofs_restore(flags); ++ else if ((gfp_mask & (__GFP_FS | __GFP_IO)) == 0) ++ memalloc_noio_restore(flags); ++ + ___free_pages_bulk(data.pages, nr_pages); + if (ret) + break; +@@ -385,7 +402,7 @@ static int __kasan_populate_vmalloc(unsigned long start, unsigned long end) + return ret; + } + +-int kasan_populate_vmalloc(unsigned long addr, unsigned long size) ++int kasan_populate_vmalloc(unsigned long addr, unsigned long size, gfp_t gfp_mask) + { + unsigned long shadow_start, shadow_end; + int ret; +@@ -414,7 +431,7 @@ int kasan_populate_vmalloc(unsigned long addr, unsigned long size) + shadow_start = PAGE_ALIGN_DOWN(shadow_start); + shadow_end = PAGE_ALIGN(shadow_end); + +- ret = __kasan_populate_vmalloc(shadow_start, shadow_end); ++ ret = __kasan_populate_vmalloc(shadow_start, shadow_end, gfp_mask); + if (ret) + return ret; + +diff --git a/mm/vmalloc.c b/mm/vmalloc.c +index 3519c4e4f841d..79e6c0e599f5f 100644 +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -1977,6 +1977,8 @@ static struct vmap_area *alloc_vmap_area(unsigned long size, + if (unlikely(!vmap_initialized)) + return ERR_PTR(-EBUSY); + ++ /* Only reclaim behaviour flags are relevant. */ ++ gfp_mask = gfp_mask & GFP_RECLAIM_MASK; + might_sleep(); + + /* +@@ -1989,8 +1991,6 @@ static struct vmap_area *alloc_vmap_area(unsigned long size, + */ + va = node_alloc(size, align, vstart, vend, &addr, &vn_id); + if (!va) { +- gfp_mask = gfp_mask & GFP_RECLAIM_MASK; +- + va = kmem_cache_alloc_node(vmap_area_cachep, gfp_mask, node); + if (unlikely(!va)) + return ERR_PTR(-ENOMEM); +@@ -2040,7 +2040,7 @@ static struct vmap_area *alloc_vmap_area(unsigned long size, + BUG_ON(va->va_start < vstart); + BUG_ON(va->va_end > vend); + +- ret = kasan_populate_vmalloc(addr, size); ++ ret = kasan_populate_vmalloc(addr, size, gfp_mask); + if (ret) { + free_vmap_area(va); + return ERR_PTR(ret); +@@ -4789,7 +4789,7 @@ struct vm_struct **pcpu_get_vm_areas(const unsigned long *offsets, + + /* populate the kasan shadow space */ + for (area = 0; area < nr_vms; area++) { +- if (kasan_populate_vmalloc(vas[area]->va_start, sizes[area])) ++ if (kasan_populate_vmalloc(vas[area]->va_start, sizes[area], GFP_KERNEL)) + goto err_free_shadow; + } + +-- +2.43.0 + diff --git a/SPECS/kernel/CVE-2025-39925.patch b/SPECS/kernel/CVE-2025-39925.patch new file mode 100644 index 0000000000..7c6a463b3c --- /dev/null +++ b/SPECS/kernel/CVE-2025-39925.patch @@ -0,0 +1,130 @@ +From 9c9badcf05fae5f58bbe1d6d7bafa56d5be2d6a2 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Mon, 25 Aug 2025 23:07:24 +0900 +Subject: [PATCH 3/5] can: j1939: implement NETDEV_UNREGISTER notification + handler + +syzbot is reporting + + unregister_netdevice: waiting for vcan0 to become free. Usage count = 2 + +problem, for j1939 protocol did not have NETDEV_UNREGISTER notification +handler for undoing changes made by j1939_sk_bind(). + +Commit 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct +callback") expects that a call to j1939_priv_put() can be unconditionally +delayed until j1939_sk_sock_destruct() is called. But we need to call +j1939_priv_put() against an extra ref held by j1939_sk_bind() call +(as a part of undoing changes made by j1939_sk_bind()) as soon as +NETDEV_UNREGISTER notification fires (i.e. before j1939_sk_sock_destruct() +is called via j1939_sk_release()). Otherwise, the extra ref on "struct +j1939_priv" held by j1939_sk_bind() call prevents "struct net_device" from +dropping the usage count to 1; making it impossible for +unregister_netdevice() to continue. + +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=881d65229ca4f9ae8c84 +Tested-by: syzbot +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Fixes: 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct callback") +Signed-off-by: Tetsuo Handa +Tested-by: Oleksij Rempel +Acked-by: Oleksij Rempel +Link: https://patch.msgid.link/ac9db9a4-6c30-416e-8b94-96e6559d55b2@I-love.SAKURA.ne.jp +[mkl: remove space in front of label] +Signed-off-by: Marc Kleine-Budde +--- + net/can/j1939/j1939-priv.h | 1 + + net/can/j1939/main.c | 3 +++ + net/can/j1939/socket.c | 49 ++++++++++++++++++++++++++++++++++++++ + 3 files changed, 53 insertions(+) + +diff --git a/net/can/j1939/j1939-priv.h b/net/can/j1939/j1939-priv.h +index 31a93cae5111..81f58924b4ac 100644 +--- a/net/can/j1939/j1939-priv.h ++++ b/net/can/j1939/j1939-priv.h +@@ -212,6 +212,7 @@ void j1939_priv_get(struct j1939_priv *priv); + + /* notify/alert all j1939 sockets bound to ifindex */ + void j1939_sk_netdev_event_netdown(struct j1939_priv *priv); ++void j1939_sk_netdev_event_unregister(struct j1939_priv *priv); + int j1939_cancel_active_session(struct j1939_priv *priv, struct sock *sk); + void j1939_tp_init(struct j1939_priv *priv); + +diff --git a/net/can/j1939/main.c b/net/can/j1939/main.c +index 7e8a20f2fc42..3706a872ecaf 100644 +--- a/net/can/j1939/main.c ++++ b/net/can/j1939/main.c +@@ -377,6 +377,9 @@ static int j1939_netdev_notify(struct notifier_block *nb, + j1939_sk_netdev_event_netdown(priv); + j1939_ecu_unmap_all(priv); + break; ++ case NETDEV_UNREGISTER: ++ j1939_sk_netdev_event_unregister(priv); ++ break; + } + + j1939_priv_put(priv); +diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c +index 75c2b9b23390..15380255969c 100644 +--- a/net/can/j1939/socket.c ++++ b/net/can/j1939/socket.c +@@ -1301,6 +1301,55 @@ void j1939_sk_netdev_event_netdown(struct j1939_priv *priv) + read_unlock_bh(&priv->j1939_socks_lock); + } + ++void j1939_sk_netdev_event_unregister(struct j1939_priv *priv) ++{ ++ struct sock *sk; ++ struct j1939_sock *jsk; ++ bool wait_rcu = false; ++ ++rescan: /* The caller is holding a ref on this "priv" via j1939_priv_get_by_ndev(). */ ++ read_lock_bh(&priv->j1939_socks_lock); ++ list_for_each_entry(jsk, &priv->j1939_socks, list) { ++ /* Skip if j1939_jsk_add() is not called on this socket. */ ++ if (!(jsk->state & J1939_SOCK_BOUND)) ++ continue; ++ sk = &jsk->sk; ++ sock_hold(sk); ++ read_unlock_bh(&priv->j1939_socks_lock); ++ /* Check if j1939_jsk_del() is not yet called on this socket after holding ++ * socket's lock, for both j1939_sk_bind() and j1939_sk_release() call ++ * j1939_jsk_del() with socket's lock held. ++ */ ++ lock_sock(sk); ++ if (jsk->state & J1939_SOCK_BOUND) { ++ /* Neither j1939_sk_bind() nor j1939_sk_release() called j1939_jsk_del(). ++ * Make this socket no longer bound, by pretending as if j1939_sk_bind() ++ * dropped old references but did not get new references. ++ */ ++ j1939_jsk_del(priv, jsk); ++ j1939_local_ecu_put(priv, jsk->addr.src_name, jsk->addr.sa); ++ j1939_netdev_stop(priv); ++ /* Call j1939_priv_put() now and prevent j1939_sk_sock_destruct() from ++ * calling the corresponding j1939_priv_put(). ++ * ++ * j1939_sk_sock_destruct() is supposed to call j1939_priv_put() after ++ * an RCU grace period. But since the caller is holding a ref on this ++ * "priv", we can defer synchronize_rcu() until immediately before ++ * the caller calls j1939_priv_put(). ++ */ ++ j1939_priv_put(priv); ++ jsk->priv = NULL; ++ wait_rcu = true; ++ } ++ release_sock(sk); ++ sock_put(sk); ++ goto rescan; ++ } ++ read_unlock_bh(&priv->j1939_socks_lock); ++ if (wait_rcu) ++ synchronize_rcu(); ++} ++ + static int j1939_sk_no_ioctlcmd(struct socket *sock, unsigned int cmd, + unsigned long arg) + { +-- +2.43.0 + diff --git a/SPECS/kernel/CVE-2025-39933.patch b/SPECS/kernel/CVE-2025-39933.patch new file mode 100644 index 0000000000..d209d0b957 --- /dev/null +++ b/SPECS/kernel/CVE-2025-39933.patch @@ -0,0 +1,63 @@ +From 4fd5128a1bd2ecd10acd8c33e9e3fcefaa8ce927 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 10 Sep 2025 11:49:05 +0200 +Subject: [PATCH 1/5] smb: client: let recv_done verify data_offset, + data_length and remaining_data_length + +This is inspired by the related server fixes. + +Cc: Tom Talpey +Cc: Long Li +Cc: linux-cifs@vger.kernel.org +Cc: samba-technical@lists.samba.org +Reviewed-by: Namjae Jeon +Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection") +Signed-off-by: Stefan Metzmacher +Signed-off-by: Steve French +--- + fs/smb/client/smbdirect.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c +index b1548269c308..b9b49cb501ee 100644 +--- a/fs/smb/client/smbdirect.c ++++ b/fs/smb/client/smbdirect.c +@@ -445,7 +445,11 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) + struct smbd_response *response = + container_of(wc->wr_cqe, struct smbd_response, cqe); + struct smbd_connection *info = response->info; +- int data_length = 0; ++ struct smbdirect_socket *sc = &info->socket; ++ struct smbdirect_socket_parameters *sp = &sc->parameters; ++ u32 data_offset = 0; ++ u32 data_length = 0; ++ u32 remaining_data_length = 0; + + log_rdma_recv(INFO, "response=0x%p type=%d wc status=%d wc opcode %d byte_len=%d pkey_index=%u\n", + response, response->type, wc->status, wc->opcode, +@@ -477,7 +481,22 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) + /* SMBD data transfer packet */ + case SMBD_TRANSFER_DATA: + data_transfer = smbd_response_payload(response); ++ ++ if (wc->byte_len < ++ offsetof(struct smbdirect_data_transfer, padding)) ++ goto error; ++ ++ remaining_data_length = le32_to_cpu(data_transfer->remaining_data_length); ++ data_offset = le32_to_cpu(data_transfer->data_offset); + data_length = le32_to_cpu(data_transfer->data_length); ++ if (wc->byte_len < data_offset || ++ (u64)wc->byte_len < (u64)data_offset + data_length) ++ goto error; ++ ++ if (remaining_data_length > sp->max_fragmented_recv_size || ++ data_length > sp->max_fragmented_recv_size || ++ (u64)remaining_data_length + (u64)data_length > (u64)sp->max_fragmented_recv_size) ++ goto error; + + if (data_length) { + if (info->full_packet_received) +-- +2.43.0 + diff --git a/SPECS/kernel/CVE-2025-39981.patch b/SPECS/kernel/CVE-2025-39981.patch new file mode 100644 index 0000000000..604d2ef847 --- /dev/null +++ b/SPECS/kernel/CVE-2025-39981.patch @@ -0,0 +1,770 @@ +From df40aa342d6e076b8800cce0a596d98ea61cc02a Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Mon, 25 Aug 2025 10:03:07 -0400 +Subject: [PATCH] Bluetooth: MGMT: Fix possible UAFs + +This attemps to fix possible UAFs caused by struct mgmt_pending being +freed while still being processed like in the following trace, in order +to fix mgmt_pending_valid is introduce and use to check if the +mgmt_pending hasn't been removed from the pending list, on the complete +callbacks it is used to check and in addtion remove the cmd from the list +while holding mgmt_pending_lock to avoid TOCTOU problems since if the cmd +is left on the list it can still be accessed and freed. + +BUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223 +Read of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55 + +CPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 +Workqueue: hci0 hci_cmd_sync_work +Call Trace: + + dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xca/0x240 mm/kasan/report.c:482 + kasan_report+0x118/0x150 mm/kasan/report.c:595 + mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223 + hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332 + process_one_work kernel/workqueue.c:3238 [inline] + process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321 + worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 + kthread+0x711/0x8a0 kernel/kthread.c:464 + ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 + ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245 + + +Allocated by task 12210: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 + poison_kmalloc_redzone mm/kasan/common.c:377 [inline] + __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 + kasan_kmalloc include/linux/kasan.h:260 [inline] + __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364 + kmalloc_noprof include/linux/slab.h:905 [inline] + kzalloc_noprof include/linux/slab.h:1039 [inline] + mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269 + mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296 + __add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247 + add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364 + hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 + hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 + sock_sendmsg_nosec net/socket.c:714 [inline] + __sock_sendmsg+0x219/0x270 net/socket.c:729 + sock_write_iter+0x258/0x330 net/socket.c:1133 + new_sync_write fs/read_write.c:593 [inline] + vfs_write+0x5c9/0xb30 fs/read_write.c:686 + ksys_write+0x145/0x250 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Freed by task 12221: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 + kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 + poison_slab_object mm/kasan/common.c:247 [inline] + __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264 + kasan_slab_free include/linux/kasan.h:233 [inline] + slab_free_hook mm/slub.c:2381 [inline] + slab_free mm/slub.c:4648 [inline] + kfree+0x18e/0x440 mm/slub.c:4847 + mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline] + mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257 + __mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444 + hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290 + hci_dev_do_close net/bluetooth/hci_core.c:501 [inline] + hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526 + sock_do_ioctl+0xd9/0x300 net/socket.c:1192 + sock_ioctl+0x576/0x790 net/socket.c:1313 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:907 [inline] + __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: cf75ad8b41d2 ("Bluetooth: hci_sync: Convert MGMT_SET_POWERED") +Fixes: 2bd1b237616b ("Bluetooth: hci_sync: Convert MGMT_OP_SET_DISCOVERABLE to use cmd_sync") +Fixes: f056a65783cc ("Bluetooth: hci_sync: Convert MGMT_OP_SET_CONNECTABLE to use cmd_sync") +Fixes: 3244845c6307 ("Bluetooth: hci_sync: Convert MGMT_OP_SSP") +Fixes: d81a494c43df ("Bluetooth: hci_sync: Convert MGMT_OP_SET_LE") +Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh") +Fixes: 6f6ff38a1e14 ("Bluetooth: hci_sync: Convert MGMT_OP_SET_LOCAL_NAME") +Fixes: 71efbb08b538 ("Bluetooth: hci_sync: Convert MGMT_OP_SET_PHY_CONFIGURATION") +Fixes: b747a83690c8 ("Bluetooth: hci_sync: Refactor add Adv Monitor") +Fixes: abfeea476c68 ("Bluetooth: hci_sync: Convert MGMT_OP_START_DISCOVERY") +Fixes: 26ac4c56f03f ("Bluetooth: hci_sync: Convert MGMT_OP_SET_ADVERTISING") +Reported-by: cen zhang +Signed-off-by: Luiz Augusto von Dentz +--- + net/bluetooth/mgmt.c | 259 ++++++++++++++++++++++++++------------ + net/bluetooth/mgmt_util.c | 46 +++++++ + net/bluetooth/mgmt_util.h | 3 + + 3 files changed, 231 insertions(+), 77 deletions(-) + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 563cae4f76b0..bc14b9410bcf 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -1318,8 +1318,7 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err) + struct mgmt_mode *cp; + + /* Make sure cmd still outstanding. */ +- if (err == -ECANCELED || +- cmd != pending_find(MGMT_OP_SET_POWERED, hdev)) ++ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) + return; + + cp = cmd->param; +@@ -1346,23 +1345,29 @@ static void mgmt_set_powered_complete(struct hci_dev *hdev, void *data, int err) + mgmt_status(err)); + } + +- mgmt_pending_remove(cmd); ++ mgmt_pending_free(cmd); + } + + static int set_powered_sync(struct hci_dev *hdev, void *data) + { + struct mgmt_pending_cmd *cmd = data; +- struct mgmt_mode *cp; ++ struct mgmt_mode cp; ++ ++ mutex_lock(&hdev->mgmt_pending_lock); + + /* Make sure cmd still outstanding. */ +- if (cmd != pending_find(MGMT_OP_SET_POWERED, hdev)) ++ if (!__mgmt_pending_listed(hdev, cmd)) { ++ mutex_unlock(&hdev->mgmt_pending_lock); + return -ECANCELED; ++ } + +- cp = cmd->param; ++ memcpy(&cp, cmd->param, sizeof(cp)); ++ ++ mutex_unlock(&hdev->mgmt_pending_lock); + + BT_DBG("%s", hdev->name); + +- return hci_set_powered_sync(hdev, cp->val); ++ return hci_set_powered_sync(hdev, cp.val); + } + + static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data, +@@ -1511,8 +1516,7 @@ static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data, + bt_dev_dbg(hdev, "err %d", err); + + /* Make sure cmd still outstanding. */ +- if (err == -ECANCELED || +- cmd != pending_find(MGMT_OP_SET_DISCOVERABLE, hdev)) ++ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) + return; + + hci_dev_lock(hdev); +@@ -1534,12 +1538,15 @@ static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data, + new_settings(hdev, cmd->sk); + + done: +- mgmt_pending_remove(cmd); ++ mgmt_pending_free(cmd); + hci_dev_unlock(hdev); + } + + static int set_discoverable_sync(struct hci_dev *hdev, void *data) + { ++ if (!mgmt_pending_listed(hdev, data)) ++ return -ECANCELED; ++ + BT_DBG("%s", hdev->name); + + return hci_update_discoverable_sync(hdev); +@@ -1686,8 +1693,7 @@ static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data, + bt_dev_dbg(hdev, "err %d", err); + + /* Make sure cmd still outstanding. */ +- if (err == -ECANCELED || +- cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev)) ++ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) + return; + + hci_dev_lock(hdev); +@@ -1702,7 +1708,7 @@ static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data, + new_settings(hdev, cmd->sk); + + done: +- mgmt_pending_remove(cmd); ++ mgmt_pending_free(cmd); + + hci_dev_unlock(hdev); + } +@@ -1738,6 +1744,9 @@ static int set_connectable_update_settings(struct hci_dev *hdev, + + static int set_connectable_sync(struct hci_dev *hdev, void *data) + { ++ if (!mgmt_pending_listed(hdev, data)) ++ return -ECANCELED; ++ + BT_DBG("%s", hdev->name); + + return hci_update_connectable_sync(hdev); +@@ -1914,14 +1923,17 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) + { + struct cmd_lookup match = { NULL, hdev }; + struct mgmt_pending_cmd *cmd = data; +- struct mgmt_mode *cp = cmd->param; +- u8 enable = cp->val; ++ struct mgmt_mode *cp; ++ u8 enable; + bool changed; + + /* Make sure cmd still outstanding. */ +- if (err == -ECANCELED || cmd != pending_find(MGMT_OP_SET_SSP, hdev)) ++ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) + return; + ++ cp = cmd->param; ++ enable = cp->val; ++ + if (err) { + u8 mgmt_err = mgmt_status(err); + +@@ -1930,8 +1942,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) + new_settings(hdev, NULL); + } + +- mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, true, +- cmd_status_rsp, &mgmt_err); ++ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err); + return; + } + +@@ -1941,7 +1952,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) + changed = hci_dev_test_and_clear_flag(hdev, HCI_SSP_ENABLED); + } + +- mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, true, settings_rsp, &match); ++ settings_rsp(cmd, &match); + + if (changed) + new_settings(hdev, match.sk); +@@ -1955,14 +1966,25 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err) + static int set_ssp_sync(struct hci_dev *hdev, void *data) + { + struct mgmt_pending_cmd *cmd = data; +- struct mgmt_mode *cp = cmd->param; ++ struct mgmt_mode cp; + bool changed = false; + int err; + +- if (cp->val) ++ mutex_lock(&hdev->mgmt_pending_lock); ++ ++ if (!__mgmt_pending_listed(hdev, cmd)) { ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ return -ECANCELED; ++ } ++ ++ memcpy(&cp, cmd->param, sizeof(cp)); ++ ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ ++ if (cp.val) + changed = !hci_dev_test_and_set_flag(hdev, HCI_SSP_ENABLED); + +- err = hci_write_ssp_mode_sync(hdev, cp->val); ++ err = hci_write_ssp_mode_sync(hdev, cp.val); + + if (!err && changed) + hci_dev_clear_flag(hdev, HCI_SSP_ENABLED); +@@ -2055,32 +2077,50 @@ static int set_hs(struct sock *sk, struct hci_dev *hdev, void *data, u16 len) + + static void set_le_complete(struct hci_dev *hdev, void *data, int err) + { ++ struct mgmt_pending_cmd *cmd = data; + struct cmd_lookup match = { NULL, hdev }; + u8 status = mgmt_status(err); + + bt_dev_dbg(hdev, "err %d", err); + +- if (status) { +- mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, true, cmd_status_rsp, +- &status); ++ if (err == -ECANCELED || !mgmt_pending_valid(hdev, data)) + return; ++ ++ if (status) { ++ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, status); ++ goto done; + } + +- mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, true, settings_rsp, &match); ++ settings_rsp(cmd, &match); + + new_settings(hdev, match.sk); + + if (match.sk) + sock_put(match.sk); ++ ++done: ++ mgmt_pending_free(cmd); + } + + static int set_le_sync(struct hci_dev *hdev, void *data) + { + struct mgmt_pending_cmd *cmd = data; +- struct mgmt_mode *cp = cmd->param; +- u8 val = !!cp->val; ++ struct mgmt_mode cp; ++ u8 val; + int err; + ++ mutex_lock(&hdev->mgmt_pending_lock); ++ ++ if (!__mgmt_pending_listed(hdev, cmd)) { ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ return -ECANCELED; ++ } ++ ++ memcpy(&cp, cmd->param, sizeof(cp)); ++ val = !!cp.val; ++ ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ + if (!val) { + hci_clear_adv_instance_sync(hdev, NULL, 0x00, true); + +@@ -2122,7 +2162,12 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err) + { + struct mgmt_pending_cmd *cmd = data; + u8 status = mgmt_status(err); +- struct sock *sk = cmd->sk; ++ struct sock *sk; ++ ++ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) ++ return; ++ ++ sk = cmd->sk; + + if (status) { + mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true, +@@ -2137,24 +2182,37 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err) + static int set_mesh_sync(struct hci_dev *hdev, void *data) + { + struct mgmt_pending_cmd *cmd = data; +- struct mgmt_cp_set_mesh *cp = cmd->param; +- size_t len = cmd->param_len; ++ struct mgmt_cp_set_mesh cp; ++ size_t len; ++ ++ mutex_lock(&hdev->mgmt_pending_lock); ++ ++ if (!__mgmt_pending_listed(hdev, cmd)) { ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ return -ECANCELED; ++ } ++ ++ memcpy(&cp, cmd->param, sizeof(cp)); ++ ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ ++ len = cmd->param_len; + + memset(hdev->mesh_ad_types, 0, sizeof(hdev->mesh_ad_types)); + +- if (cp->enable) ++ if (cp.enable) + hci_dev_set_flag(hdev, HCI_MESH); + else + hci_dev_clear_flag(hdev, HCI_MESH); + +- hdev->le_scan_interval = __le16_to_cpu(cp->period); +- hdev->le_scan_window = __le16_to_cpu(cp->window); ++ hdev->le_scan_interval = __le16_to_cpu(cp.period); ++ hdev->le_scan_window = __le16_to_cpu(cp.window); + +- len -= sizeof(*cp); ++ len -= sizeof(cp); + + /* If filters don't fit, forward all adv pkts */ + if (len <= sizeof(hdev->mesh_ad_types)) +- memcpy(hdev->mesh_ad_types, cp->ad_types, len); ++ memcpy(hdev->mesh_ad_types, cp.ad_types, len); + + hci_update_passive_scan_sync(hdev); + return 0; +@@ -3801,15 +3859,16 @@ static int name_changed_sync(struct hci_dev *hdev, void *data) + static void set_name_complete(struct hci_dev *hdev, void *data, int err) + { + struct mgmt_pending_cmd *cmd = data; +- struct mgmt_cp_set_local_name *cp = cmd->param; ++ struct mgmt_cp_set_local_name *cp; + u8 status = mgmt_status(err); + + bt_dev_dbg(hdev, "err %d", err); + +- if (err == -ECANCELED || +- cmd != pending_find(MGMT_OP_SET_LOCAL_NAME, hdev)) ++ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) + return; + ++ cp = cmd->param; ++ + if (status) { + mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_LOCAL_NAME, + status); +@@ -3821,16 +3880,27 @@ static void set_name_complete(struct hci_dev *hdev, void *data, int err) + hci_cmd_sync_queue(hdev, name_changed_sync, NULL, NULL); + } + +- mgmt_pending_remove(cmd); ++ mgmt_pending_free(cmd); + } + + static int set_name_sync(struct hci_dev *hdev, void *data) + { + struct mgmt_pending_cmd *cmd = data; +- struct mgmt_cp_set_local_name *cp = cmd->param; ++ struct mgmt_cp_set_local_name cp; ++ ++ mutex_lock(&hdev->mgmt_pending_lock); ++ ++ if (!__mgmt_pending_listed(hdev, cmd)) { ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ return -ECANCELED; ++ } ++ ++ memcpy(&cp, cmd->param, sizeof(cp)); ++ ++ mutex_unlock(&hdev->mgmt_pending_lock); + + if (lmp_bredr_capable(hdev)) { +- hci_update_name_sync(hdev, cp->name); ++ hci_update_name_sync(hdev, cp.name); + hci_update_eir_sync(hdev); + } + +@@ -3982,12 +4052,10 @@ int mgmt_phy_configuration_changed(struct hci_dev *hdev, struct sock *skip) + static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err) + { + struct mgmt_pending_cmd *cmd = data; +- struct sk_buff *skb = cmd->skb; ++ struct sk_buff *skb; + u8 status = mgmt_status(err); + +- if (err == -ECANCELED || +- cmd != pending_find(MGMT_OP_SET_PHY_CONFIGURATION, hdev)) +- return; ++ skb = cmd->skb; + + if (!status) { + if (!skb) +@@ -4014,7 +4082,7 @@ static void set_default_phy_complete(struct hci_dev *hdev, void *data, int err) + if (skb && !IS_ERR(skb)) + kfree_skb(skb); + +- mgmt_pending_remove(cmd); ++ mgmt_pending_free(cmd); + } + + static int set_default_phy_sync(struct hci_dev *hdev, void *data) +@@ -4022,7 +4090,9 @@ static int set_default_phy_sync(struct hci_dev *hdev, void *data) + struct mgmt_pending_cmd *cmd = data; + struct mgmt_cp_set_phy_configuration *cp = cmd->param; + struct hci_cp_le_set_default_phy cp_phy; +- u32 selected_phys = __le32_to_cpu(cp->selected_phys); ++ u32 selected_phys; ++ ++ selected_phys = __le32_to_cpu(cp->selected_phys); + + memset(&cp_phy, 0, sizeof(cp_phy)); + +@@ -4162,7 +4232,7 @@ static int set_phy_configuration(struct sock *sk, struct hci_dev *hdev, + goto unlock; + } + +- cmd = mgmt_pending_add(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data, ++ cmd = mgmt_pending_new(sk, MGMT_OP_SET_PHY_CONFIGURATION, hdev, data, + len); + if (!cmd) + err = -ENOMEM; +@@ -5252,7 +5322,17 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev, + { + struct mgmt_rp_add_adv_patterns_monitor rp; + struct mgmt_pending_cmd *cmd = data; +- struct adv_monitor *monitor = cmd->user_data; ++ struct adv_monitor *monitor; ++ ++ /* This is likely the result of hdev being closed and mgmt_index_removed ++ * is attempting to clean up any pending command so ++ * hci_adv_monitors_clear is about to be called which will take care of ++ * freeing the adv_monitor instances. ++ */ ++ if (status == -ECANCELED && !mgmt_pending_valid(hdev, cmd)) ++ return; ++ ++ monitor = cmd->user_data; + + hci_dev_lock(hdev); + +@@ -5278,9 +5358,20 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev, + static int mgmt_add_adv_patterns_monitor_sync(struct hci_dev *hdev, void *data) + { + struct mgmt_pending_cmd *cmd = data; +- struct adv_monitor *monitor = cmd->user_data; ++ struct adv_monitor *mon; ++ ++ mutex_lock(&hdev->mgmt_pending_lock); ++ ++ if (!__mgmt_pending_listed(hdev, cmd)) { ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ return -ECANCELED; ++ } ++ ++ mon = cmd->user_data; ++ ++ mutex_unlock(&hdev->mgmt_pending_lock); + +- return hci_add_adv_monitor(hdev, monitor); ++ return hci_add_adv_monitor(hdev, mon); + } + + static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev, +@@ -5547,7 +5638,8 @@ static int remove_adv_monitor(struct sock *sk, struct hci_dev *hdev, + status); + } + +-static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, int err) ++static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, ++ int err) + { + struct mgmt_rp_read_local_oob_data mgmt_rp; + size_t rp_size = sizeof(mgmt_rp); +@@ -5567,7 +5659,8 @@ static void read_local_oob_data_complete(struct hci_dev *hdev, void *data, int e + bt_dev_dbg(hdev, "status %d", status); + + if (status) { +- mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, status); ++ mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_READ_LOCAL_OOB_DATA, ++ status); + goto remove; + } + +@@ -5872,17 +5965,12 @@ static void start_discovery_complete(struct hci_dev *hdev, void *data, int err) + + bt_dev_dbg(hdev, "err %d", err); + +- if (err == -ECANCELED) +- return; +- +- if (cmd != pending_find(MGMT_OP_START_DISCOVERY, hdev) && +- cmd != pending_find(MGMT_OP_START_LIMITED_DISCOVERY, hdev) && +- cmd != pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev)) ++ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) + return; + + mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_status(err), + cmd->param, 1); +- mgmt_pending_remove(cmd); ++ mgmt_pending_free(cmd); + + hci_discovery_set_state(hdev, err ? DISCOVERY_STOPPED: + DISCOVERY_FINDING); +@@ -5890,6 +5978,9 @@ static void start_discovery_complete(struct hci_dev *hdev, void *data, int err) + + static int start_discovery_sync(struct hci_dev *hdev, void *data) + { ++ if (!mgmt_pending_listed(hdev, data)) ++ return -ECANCELED; ++ + return hci_start_discovery_sync(hdev); + } + +@@ -6112,15 +6203,14 @@ static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err) + { + struct mgmt_pending_cmd *cmd = data; + +- if (err == -ECANCELED || +- cmd != pending_find(MGMT_OP_STOP_DISCOVERY, hdev)) ++ if (err == -ECANCELED || !mgmt_pending_valid(hdev, cmd)) + return; + + bt_dev_dbg(hdev, "err %d", err); + + mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_status(err), + cmd->param, 1); +- mgmt_pending_remove(cmd); ++ mgmt_pending_free(cmd); + + if (!err) + hci_discovery_set_state(hdev, DISCOVERY_STOPPED); +@@ -6128,6 +6218,9 @@ static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err) + + static int stop_discovery_sync(struct hci_dev *hdev, void *data) + { ++ if (!mgmt_pending_listed(hdev, data)) ++ return -ECANCELED; ++ + return hci_stop_discovery_sync(hdev); + } + +@@ -6337,14 +6430,18 @@ static void enable_advertising_instance(struct hci_dev *hdev, int err) + + static void set_advertising_complete(struct hci_dev *hdev, void *data, int err) + { ++ struct mgmt_pending_cmd *cmd = data; + struct cmd_lookup match = { NULL, hdev }; + u8 instance; + struct adv_info *adv_instance; + u8 status = mgmt_status(err); + ++ if (err == -ECANCELED || !mgmt_pending_valid(hdev, data)) ++ return; ++ + if (status) { +- mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, true, +- cmd_status_rsp, &status); ++ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, status); ++ mgmt_pending_free(cmd); + return; + } + +@@ -6353,8 +6450,7 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err) + else + hci_dev_clear_flag(hdev, HCI_ADVERTISING); + +- mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, true, settings_rsp, +- &match); ++ settings_rsp(cmd, &match); + + new_settings(hdev, match.sk); + +@@ -6386,10 +6482,23 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err) + static int set_adv_sync(struct hci_dev *hdev, void *data) + { + struct mgmt_pending_cmd *cmd = data; +- struct mgmt_mode *cp = cmd->param; +- u8 val = !!cp->val; ++ struct mgmt_mode cp; ++ u8 val; + +- if (cp->val == 0x02) ++ mutex_lock(&hdev->mgmt_pending_lock); ++ ++ if (!__mgmt_pending_listed(hdev, cmd)) { ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ return -ECANCELED; ++ } ++ ++ memcpy(&cp, cmd->param, sizeof(cp)); ++ ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ ++ val = !!cp.val; ++ ++ if (cp.val == 0x02) + hci_dev_set_flag(hdev, HCI_ADVERTISING_CONNECTABLE); + else + hci_dev_clear_flag(hdev, HCI_ADVERTISING_CONNECTABLE); +@@ -8142,10 +8251,6 @@ static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data, + u8 status = mgmt_status(err); + u16 eir_len; + +- if (err == -ECANCELED || +- cmd != pending_find(MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev)) +- return; +- + if (!status) { + if (!skb) + status = MGMT_STATUS_FAILED; +@@ -8252,7 +8357,7 @@ static void read_local_oob_ext_data_complete(struct hci_dev *hdev, void *data, + kfree_skb(skb); + + kfree(mgmt_rp); +- mgmt_pending_remove(cmd); ++ mgmt_pending_free(cmd); + } + + static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk, +@@ -8261,7 +8366,7 @@ static int read_local_ssp_oob_req(struct hci_dev *hdev, struct sock *sk, + struct mgmt_pending_cmd *cmd; + int err; + +- cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev, ++ cmd = mgmt_pending_new(sk, MGMT_OP_READ_LOCAL_OOB_EXT_DATA, hdev, + cp, sizeof(*cp)); + if (!cmd) + return -ENOMEM; +diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c +index a88a07da3947..aa7b5585cb26 100644 +--- a/net/bluetooth/mgmt_util.c ++++ b/net/bluetooth/mgmt_util.c +@@ -320,6 +320,52 @@ void mgmt_pending_remove(struct mgmt_pending_cmd *cmd) + mgmt_pending_free(cmd); + } + ++bool __mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd) ++{ ++ struct mgmt_pending_cmd *tmp; ++ ++ lockdep_assert_held(&hdev->mgmt_pending_lock); ++ ++ if (!cmd) ++ return false; ++ ++ list_for_each_entry(tmp, &hdev->mgmt_pending, list) { ++ if (cmd == tmp) ++ return true; ++ } ++ ++ return false; ++} ++ ++bool mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd) ++{ ++ bool listed; ++ ++ mutex_lock(&hdev->mgmt_pending_lock); ++ listed = __mgmt_pending_listed(hdev, cmd); ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ ++ return listed; ++} ++ ++bool mgmt_pending_valid(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd) ++{ ++ bool listed; ++ ++ if (!cmd) ++ return false; ++ ++ mutex_lock(&hdev->mgmt_pending_lock); ++ ++ listed = __mgmt_pending_listed(hdev, cmd); ++ if (listed) ++ list_del(&cmd->list); ++ ++ mutex_unlock(&hdev->mgmt_pending_lock); ++ ++ return listed; ++} ++ + void mgmt_mesh_foreach(struct hci_dev *hdev, + void (*cb)(struct mgmt_mesh_tx *mesh_tx, void *data), + void *data, struct sock *sk) +diff --git a/net/bluetooth/mgmt_util.h b/net/bluetooth/mgmt_util.h +index 024e51dd6937..bcba8c9d8952 100644 +--- a/net/bluetooth/mgmt_util.h ++++ b/net/bluetooth/mgmt_util.h +@@ -65,6 +65,9 @@ struct mgmt_pending_cmd *mgmt_pending_new(struct sock *sk, u16 opcode, + void *data, u16 len); + void mgmt_pending_free(struct mgmt_pending_cmd *cmd); + void mgmt_pending_remove(struct mgmt_pending_cmd *cmd); ++bool __mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd); ++bool mgmt_pending_listed(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd); ++bool mgmt_pending_valid(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd); + void mgmt_mesh_foreach(struct hci_dev *hdev, + void (*cb)(struct mgmt_mesh_tx *mesh_tx, void *data), + void *data, struct sock *sk); +-- +2.43.0 + diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index ffd197a7f0..8201e3fee3 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json @@ -5,6 +5,6 @@ "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985", "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "linux-6.12.44.tar.gz": "fac0ed5371cbd46ebc8a2a1e152ac5fbb5fc2660e748a7fc1d28b8e399854a1a" + "linux-6.12.55.tar.gz": "c8076132f818c0a22b7fe9a1184769406f0a62d0b93e4516d7f1a6d24f3791c3" } } diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index 7af9aa4690..3ecee61280 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -1,19 +1,20 @@ Summary: Linux Kernel Name: kernel -Version: 6.12.44 -Release: 6%{?dist} +Version: 6.12.55 +Release: 1%{?dist} License: GPLv2 Vendor: Intel Corporation Distribution: Edge Microvisor Toolkit Group: System Environment/Kernel URL: https://www.kernel.org/pub/linux/kernel -Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.44.tar.gz +Source0: https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.55.tar.gz Source1: config Source3: sha512hmac-openssl.sh Source4: emt-ca-20211013.pem Source5: cpupower Source6: cpupower.service + # Intel not-upstreamed kernel features #sriov Patch0: 0001-drm-i915-mtl-Add-C10-table-for-HDMI-Clock-25175.sriov @@ -73,369 +74,364 @@ Patch53: 0001-virtio-hookup-irq_get_affinity-callback.sriov Patch54: 0002-virtio-break-and-reset-virtio-devices-on-device_shut.sriov Patch55: 0003-virtgpu-don-t-reset-on-shutdown.sriov Patch56: 0004-drm-virtio-implement-virtio_gpu_shutdown.sriov +Patch57: 0001-drm-virtio-Wait-until-the-control-and-cursor-queues-.sriov +Patch58: 0001-drm-i915-move-sriov-selftest-buffer-out-of-stack.sriov #security -Patch57: 0001-mei-bus-add-api-to-query-capabilities-of-ME-clien.security -Patch58: 0002-mei-virtio-virtualization-frontend-driver.security -Patch59: 0003-INTEL_DII-mei-avoid-reset-if-fw-is-down.security -Patch60: 0004-INTEL_DII-FIXME-mei-iaf-add-iaf-Intel-Accelerator.security -Patch61: 0005-INTEL_DII-mei-add-check-for-offline-bit-in-every-.security -Patch62: 0006-INTEL_DII-mei-add-empty-handlers-for-ops-function.security -Patch63: 0007-INTEL_DII-mei-gsc-add-fields-to-support-force-wak.security -Patch64: 0008-INTEL_DII-mei-add-waitqueue-for-device-state-chan.security -Patch65: 0009-INTEL_DII-mei-add-force-wake-workaround-infra.security -Patch66: 0010-INTEL_DII-mei-add-force-wake-workaround-in-init.security -Patch67: 0011-INTEL_DII-mei-add-force-wake-workaround-on-sessio.security -Patch68: 0012-INTEL_DII-mei-add-force-wake-workaround-in-runtim.security -Patch69: 0013-INTEL_DII-mei-add-force-wake-workaround-in-resume.security -Patch70: 0014-INTEL_DII-mei-disable-immediate-enum-if-forcewake.security -Patch71: 0015-INTEL_DII-mei-put-force-wake-in-error-flows.security -Patch72: 0016-INTEL_DII-mei-add-force-wake-callbacks-to-empty-h.security -Patch73: 0017-INTEL_DII-mei-optimize-force-wake-wait.security -Patch74: 0018-mei-me-apply-GSC-error-supression-to-systems-with.security -Patch75: 0019-INTEL_DII-mei-bus-fixup-disable-version-retrieval.security +Patch59: 0001-mei-bus-add-api-to-query-capabilities-of-ME-clien.security +Patch60: 0002-mei-virtio-virtualization-frontend-driver.security +Patch61: 0003-INTEL_DII-mei-avoid-reset-if-fw-is-down.security +Patch62: 0004-INTEL_DII-FIXME-mei-iaf-add-iaf-Intel-Accelerator.security +Patch63: 0005-INTEL_DII-mei-add-check-for-offline-bit-in-every-.security +Patch64: 0006-INTEL_DII-mei-add-empty-handlers-for-ops-function.security +Patch65: 0007-INTEL_DII-mei-gsc-add-fields-to-support-force-wak.security +Patch66: 0008-INTEL_DII-mei-add-waitqueue-for-device-state-chan.security +Patch67: 0009-INTEL_DII-mei-add-force-wake-workaround-infra.security +Patch68: 0010-INTEL_DII-mei-add-force-wake-workaround-in-init.security +Patch69: 0011-INTEL_DII-mei-add-force-wake-workaround-on-sessio.security +Patch70: 0012-INTEL_DII-mei-add-force-wake-workaround-in-runtim.security +Patch71: 0013-INTEL_DII-mei-add-force-wake-workaround-in-resume.security +Patch72: 0014-INTEL_DII-mei-disable-immediate-enum-if-forcewake.security +Patch73: 0015-INTEL_DII-mei-put-force-wake-in-error-flows.security +Patch74: 0016-INTEL_DII-mei-add-force-wake-callbacks-to-empty-h.security +Patch75: 0017-INTEL_DII-mei-optimize-force-wake-wait.security +Patch76: 0018-mei-me-apply-GSC-error-supression-to-systems-with.security +Patch77: 0019-INTEL_DII-mei-bus-fixup-disable-version-retrieval.security #tgpio -Patch76: 0001-Revert-timekeeping-Add-function-to-convert-realtime-.tgpio -Patch77: 0002-Revert-x86-tsc-Remove-obsolete-ART-to-TSC-conversion.tgpio -Patch78: 0003-Revert-ice-ptp-Remove-convert_art_to_tsc.tgpio -Patch79: 0004-Revert-ALSA-hda-Remove-convert_art_to_tsc.tgpio -Patch80: 0005-Revert-stmmac-intel-Remove-convert_art_to_tsc.tgpio -Patch81: 0006-Revert-igc-Remove-convert_art_ns_to_tsc.tgpio -Patch82: 0007-Revert-e1000e-Replace-convert_art_to_tsc.tgpio -Patch83: 0008-Revert-x86-tsc-Provide-ART-base-clock-information-fo.tgpio -Patch84: 0009-Revert-timekeeping-Provide-infrastructure-for-conver.tgpio -Patch85: 0010-drivers-ptp-Add-Enhanced-handling-of-reserve-fields.tgpio -Patch86: 0011-drivers-ptp-Add-PEROUT2-ioctl-frequency-adjustment-i.tgpio -Patch87: 0012-drivers-ptp-Add-user-space-input-polling-interface.tgpio -Patch88: 0013-x86-tsc-Add-TSC-support-functions-to-support-ART-dri.tgpio -Patch89: 0014-drivers-ptp-Add-support-for-PMC-Time-Aware-GPIO-Driv.tgpio -Patch90: 0015-x86-core-TSC-reliable-kernel-arg-prevents-DQ-of-TSC-.tgpio -Patch91: 0016-mfd-intel-ehl-gpio-Introduce-MFD-framework-to-PSE-GP.tgpio -Patch92: 0017-TGPIO-Calling-power-management-calls-without-enterin.tgpio -Patch93: 0018-TGPIO-Fix-PSE-TGPIO-PTP-driver-ioctls-fail.tgpio -Patch94: 0019-Kernel-Argument-Bypassing-ART-Detection.tgpio -Patch95: 0020-GPIO-Fix-for-PSE-GPIO-generating-only-one-event-as-i.tgpio -Patch96: 0021-Added-TGPIO-pin-check-before-input-event-read.tgpio -Patch97: 0022-Added-an-Example-to-adjust-frequency-for-output.tgpio -Patch98: 0023-ptp-tgpio-PSE-TGPIO-crosststamp-counttstamp.tgpio -Patch99: 0024-ptp-Fixed-read-issue-on-PHC-with-zero-n_pins.tgpio -Patch100: 0025-ptp-S-W-workaround-for-PMC-TGPIO-h-w-bug.tgpio -Patch101: 0026-ptp-Fix-for-PSE-TGPIO-Oneshot-output-and-counttstamp.tgpio -Patch102: 0027-ptp-Fix-for-PSE-TGPIO-frequency-Adjustment-issue.tgpio -Patch103: 0028-tgpio-Fix-compilation-errors-for-PSE-TGPIO.tgpio -Patch104: 0029-Added-single-shot-output-mode-support-for-TGPIO.tgpio -Patch105: 0030-Added-an-example-to-poll-for-edges.tgpio -Patch106: 0031-Added-support-to-get-TGPIO-System-Clock-Offset.tgpio -Patch107: 0032-Added-single-shot-output-mode-option-for-TGPIO-pin.tgpio -Patch108: 0033-selftests-ptp-Added-COMPV-GPIO-Input-Mode-for-TGPIO.tgpio -Patch109: 0034-ptp-Introduce-PTP_PINDESC_INPUTPOLL-for-Intel-PMC-TG.tgpio -Patch110: 0035-drivers-ptp-Add-COMPV-GPIO-Mode-for-PSE-TGPIO.tgpio -Patch111: 0036-net-ice-fix-braces-around-scalar-initializer.tgpio -Patch112: 0037-ptp-Add-PTP_EVENT_COUNTER_MODE-in-v1-valid-flags.tgpio -Patch113: 0038-ptp-Enable-preempt-if-it-is-disabled.tgpio -Patch114: 0039-ptp-Generate-sqaure-wave-on-PSE-TGPIO.tgpio -Patch115: 0040-ptp-tgpio-Add-an-edge-if-the-output-signal-ends-high.tgpio -Patch116: 0041-ptp-pmc-tgpio-Initialize-variable-to-zero.tgpio -Patch117: 0042-ptp-tgpio-Fix-return-type-of-remove-function-in-tgpi.tgpio -Patch118: 0043-net-mlx5-reuse-convert_art_ns_to_tsc-to-convert-ART-.tgpio +Patch78: 0001-Revert-timekeeping-Add-function-to-convert-realtime-.tgpio +Patch79: 0002-Revert-x86-tsc-Remove-obsolete-ART-to-TSC-conversion.tgpio +Patch80: 0003-Revert-ice-ptp-Remove-convert_art_to_tsc.tgpio +Patch81: 0004-Revert-ALSA-hda-Remove-convert_art_to_tsc.tgpio +Patch82: 0005-Revert-stmmac-intel-Remove-convert_art_to_tsc.tgpio +Patch83: 0006-Revert-igc-Remove-convert_art_ns_to_tsc.tgpio +Patch84: 0007-Revert-e1000e-Replace-convert_art_to_tsc.tgpio +Patch85: 0008-Revert-x86-tsc-Provide-ART-base-clock-information-fo.tgpio +Patch86: 0009-Revert-timekeeping-Provide-infrastructure-for-conver.tgpio +Patch87: 0010-drivers-ptp-Add-Enhanced-handling-of-reserve-fields.tgpio +Patch88: 0011-drivers-ptp-Add-PEROUT2-ioctl-frequency-adjustment-i.tgpio +Patch89: 0012-drivers-ptp-Add-user-space-input-polling-interface.tgpio +Patch90: 0013-x86-tsc-Add-TSC-support-functions-to-support-ART-dri.tgpio +Patch91: 0014-drivers-ptp-Add-support-for-PMC-Time-Aware-GPIO-Driv.tgpio +Patch92: 0015-x86-core-TSC-reliable-kernel-arg-prevents-DQ-of-TSC-.tgpio +Patch93: 0016-mfd-intel-ehl-gpio-Introduce-MFD-framework-to-PSE-GP.tgpio +Patch94: 0017-TGPIO-Calling-power-management-calls-without-enterin.tgpio +Patch95: 0018-TGPIO-Fix-PSE-TGPIO-PTP-driver-ioctls-fail.tgpio +Patch96: 0019-Kernel-Argument-Bypassing-ART-Detection.tgpio +Patch97: 0020-GPIO-Fix-for-PSE-GPIO-generating-only-one-event-as-i.tgpio +Patch98: 0021-Added-TGPIO-pin-check-before-input-event-read.tgpio +Patch99: 0022-Added-an-Example-to-adjust-frequency-for-output.tgpio +Patch100: 0023-ptp-tgpio-PSE-TGPIO-crosststamp-counttstamp.tgpio +Patch101: 0024-ptp-Fixed-read-issue-on-PHC-with-zero-n_pins.tgpio +Patch102: 0025-ptp-S-W-workaround-for-PMC-TGPIO-h-w-bug.tgpio +Patch103: 0026-ptp-Fix-for-PSE-TGPIO-Oneshot-output-and-counttstamp.tgpio +Patch104: 0027-ptp-Fix-for-PSE-TGPIO-frequency-Adjustment-issue.tgpio +Patch105: 0028-tgpio-Fix-compilation-errors-for-PSE-TGPIO.tgpio +Patch106: 0029-Added-single-shot-output-mode-support-for-TGPIO.tgpio +Patch107: 0030-Added-an-example-to-poll-for-edges.tgpio +Patch108: 0031-Added-support-to-get-TGPIO-System-Clock-Offset.tgpio +Patch109: 0032-Added-single-shot-output-mode-option-for-TGPIO-pin.tgpio +Patch110: 0033-selftests-ptp-Added-COMPV-GPIO-Input-Mode-for-TGPIO.tgpio +Patch111: 0034-ptp-Introduce-PTP_PINDESC_INPUTPOLL-for-Intel-PMC-TG.tgpio +Patch112: 0035-drivers-ptp-Add-COMPV-GPIO-Mode-for-PSE-TGPIO.tgpio +Patch113: 0036-net-ice-fix-braces-around-scalar-initializer.tgpio +Patch114: 0037-ptp-Add-PTP_EVENT_COUNTER_MODE-in-v1-valid-flags.tgpio +Patch115: 0038-ptp-Enable-preempt-if-it-is-disabled.tgpio +Patch116: 0039-ptp-Generate-sqaure-wave-on-PSE-TGPIO.tgpio +Patch117: 0040-ptp-tgpio-Add-an-edge-if-the-output-signal-ends-high.tgpio +Patch118: 0041-ptp-pmc-tgpio-Initialize-variable-to-zero.tgpio +Patch119: 0042-ptp-tgpio-Fix-return-type-of-remove-function-in-tgpi.tgpio +Patch120: 0043-net-mlx5-reuse-convert_art_ns_to_tsc-to-convert-ART-.tgpio #edac -Patch119: 0001-x86-mce-Add-MCACOD-code-for-generic-I-O-error.edac -Patch120: 0002-EDAC-ieh-Add-I-O-device-EDAC-driver-for-Intel-CPUs-wi.edac -Patch121: 0003-EDAC-ieh-Add-I-O-device-EDAC-support-for-Intel-Tiger-.edac -Patch122: 0004-EDAC-igen6-Add-registration-APIs-for-In-Band-ECC-erro.edac -Patch123: 0005-EDAC-i10nm-Print-DRAM-rules-debug-purpose.edac -Patch124: 0006-EDAC-skx_common-skx-i10nm-Make-skx_register_mci-indep.edac -Patch125: 0007-EDAC-skx_common-Prepare-skx_get_edac_list.edac -Patch126: 0008-EDAC-skx_common-Prepare-skx_set_hi_lo.edac -Patch127: 0009-EDAC-igen6-Add-Intel-Pnther-Lake-H-SoCs-support.edac -Patch128: 0002-EDAC-ie31200-Add-Kaby-Lake-S-dual-core-host-bridge-ID.edac -Patch129: 0006-EDAC-ie31200-Fix-the-3rd-parameter-name-of-populate_d.edac -Patch130: 0007-EDAC-ie31200-Simplify-the-pci_device_id-table.edac -Patch131: 0008-EDAC-ie31200-Make-the-memory-controller-resources-con.edac -Patch132: 0009-EDAC-ie31200-Make-struct-dimm_data-contain-decoded-in.edac -Patch133: 0010-EDAC-ie31200-Fold-the-two-channel-loops-into-one-loop.edac -Patch134: 0011-EDAC-ie31200-Break-up-ie31200_probe1.edac -Patch135: 0012-EDAC-ie31200-Add-Intel-Raptor-Lake-S-SoCs-support.edac -Patch136: 0013-EDAC-ie31200-Switch-Raptor-Lake-S-to-interrupt-mode.edac -Patch137: 0001-EDAC-ie31200-Add-two-Intel-SoCs-for-EDAC-support.edac -Patch138: 0002-ie31200-EDAC-Add-Intel-Bartlett-Lake-S-SoCs-support.edac +Patch121: 0001-x86-mce-Add-MCACOD-code-for-generic-I-O-error.edac +Patch122: 0002-EDAC-ieh-Add-I-O-device-EDAC-driver-for-Intel-CPUs-wi.edac +Patch123: 0003-EDAC-ieh-Add-I-O-device-EDAC-support-for-Intel-Tiger-.edac +Patch124: 0004-EDAC-igen6-Add-registration-APIs-for-In-Band-ECC-erro.edac +Patch125: 0005-EDAC-i10nm-Print-DRAM-rules-debug-purpose.edac +Patch126: 0006-EDAC-skx_common-skx-i10nm-Make-skx_register_mci-indep.edac +Patch127: 0007-EDAC-skx_common-Prepare-skx_get_edac_list.edac +Patch128: 0008-EDAC-skx_common-Prepare-skx_set_hi_lo.edac +Patch129: 0009-EDAC-igen6-Add-Intel-Pnther-Lake-H-SoCs-support.edac +Patch130: 0002-EDAC-ie31200-Add-Kaby-Lake-S-dual-core-host-bridge-ID.edac +Patch131: 0006-EDAC-ie31200-Fix-the-3rd-parameter-name-of-populate_d.edac +Patch132: 0007-EDAC-ie31200-Simplify-the-pci_device_id-table.edac +Patch133: 0008-EDAC-ie31200-Make-the-memory-controller-resources-con.edac +Patch134: 0009-EDAC-ie31200-Make-struct-dimm_data-contain-decoded-in.edac +Patch135: 0010-EDAC-ie31200-Fold-the-two-channel-loops-into-one-loop.edac +Patch136: 0011-EDAC-ie31200-Break-up-ie31200_probe1.edac +Patch137: 0012-EDAC-ie31200-Add-Intel-Raptor-Lake-S-SoCs-support.edac +Patch138: 0013-EDAC-ie31200-Switch-Raptor-Lake-S-to-interrupt-mode.edac +Patch139: 0001-EDAC-ie31200-Add-two-Intel-SoCs-for-EDAC-support.edac +Patch140: 0002-ie31200-EDAC-Add-Intel-Bartlett-Lake-S-SoCs-support.edac +Patch141: 0001-EDAC-igen6-Add-Intel-Amston-Lake-SoCs-support.edac +Patch142: 0002-EDAC-igen6-Add-additional-Intel-Amston-Lake-SoC-compu.edac #tsn -Patch139: 0001-net-pcs-xpcs-enable-xpcs-reset-skipping.tsn -Patch140: 0002-net-stmmac-Bugfix-on-stmmac_interrupt-for-WOL.tsn -Patch141: 0003-net-phy-increase-gpy-loopback-test-delay.tsn -Patch142: 0004-net-stmmac-Resolve-poor-line-rate-after-switching-from.tsn -Patch143: 0005-net-phy-dp83867-perform-restart-AN-after-modifying-AN-.tsn -Patch144: 0006-stmmac-intel-Separate-ADL-N-and-RPL-P-device-ID-from-T.tsn -Patch145: 0007-net-stmmac-Adjust-mac_capabilities-for-Intel-mGbE-2.5G.tsn -Patch146: 0008-stmmac-intel-skip-xpcs-reset-for-2.5Gbps-on-Intel-Alde.tsn -Patch147: 0009-net-stmmac-add-check-for-2.5G-mode-to-prevent-MAC-capa.tsn -Patch148: 0010-stmmac-intel-Enable-PHY-WoL-in-ADL-N.tsn -Patch149: 0011-net-phy-reconfigure-PHY-WoL-when-WoL-option-is-enabled.tsn -Patch150: 0012-net-stmmac-fix-MAC-and-phylink-mismatch-issue-after-re.tsn -Patch151: 0013-net-stmmac-restructure-Rx-Tx-hardware-timestamping-fun.tsn -Patch152: 0014-net-stmmac-Add-per-packet-time-based-scheduling-for-XD.tsn -Patch153: 0015-net-stmmac-introduce-AF_XDP-ZC-RX-HW-timestamps.tsn -Patch154: 0016-net-stmmac-add-fsleep-in-HW-Rx-timestamp-checking-loop.tsn -Patch155: 0017-net-stmmac-select-PCS-negotiation-mode-according-to-th.tsn -Patch156: 0018-net-pcs-xpcs-re-initiate-clause-37-Auto-negotiation.tsn -Patch157: 0019-arch-x86-Add-IPC-mailbox-accessor-function-and-add-SoC.tsn -Patch158: 0020-net-stmmac-configure-SerDes-according-to-the-interface.tsn -Patch159: 0021-stmmac-intel-interface-switching-support-for-intel-pla.tsn -Patch160: 0022-net-stmmac-Set-mac_managed_pm-flag-from-stmmac-to-reso.tsn -Patch161: 0023-net-phylink-Add-module_exit.tsn -Patch162: 0024-net-stmmac-introduce-AF_XDP-ZC-TX-HW-timestamps.tsn -Patch163: 0025-net-sched-taprio-fix-too-early-schedules-switching.tsn -Patch164: 0026-net-sched-taprio-fix-cycle-time-adjustment-for-next-en.tsn -Patch165: 0027-net-sched-taprio-fix-impacted-fields-value-during-cycl.tsn -Patch166: 0028-net-sched-taprio-get-corrected-value-of-cycle_time-and.tsn -Patch167: 0029-xsk-add-txtime-field-in-xdp_desc-struct.tsn -Patch168: 0030-Revert-net-stmmac-silence-FPE-kernel-logs.tsn -Patch169: 0031-Revert-net-stmmac-support-fp-parameter-of-tc-taprio.tsn -Patch170: 0032-Revert-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn -Patch171: 0033-Revert-net-stmmac-configure-FPE-via-ethtool-mm.tsn -Patch172: 0034-Revert-net-stmmac-refactor-FPE-verification-process.tsn -Patch173: 0035-Revert-net-stmmac-drop-stmmac_fpe_handshake.tsn -Patch174: 0036-Revert-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-d.tsn -Patch175: 0037-net-stmmac-add-FPE-preempt-setting-for-TxQ-preemptible.tsn -Patch176: 0038-taprio-Add-support-for-frame-preemption-offload.tsn -Patch177: 0039-net-stmmac-set-initial-EEE-policy-configuration.tsn -Patch178: 0040-net-phy-fix-phylib-s-dual-eee_enabled.tsn -Patch179: 0041-net-phy-ensure-that-genphy_c45_an_config_eee_aneg-sees.tsn -Patch180: 0042-net-phy-fix-phy_ethtool_set_eee-incorrectly-enabling-L.tsn -Patch181: 0001-igc-Set-the-RX-packet-buffer-size-for-TSN-mode.tsn -Patch182: 0002-igc-Only-dump-registers-if-configured-to-dump-HW-infor.tsn -Patch183: 0003-ethtool-Add-support-for-configuring-frame-preemption.tsn -Patch184: 0004-ethtool-Add-support-for-Frame-Preemption-verification.tsn -Patch185: 0005-igc-Add-support-for-enabling-frame-preemption-via-etht.tsn -Patch186: 0006-igc-Add-support-for-TC_SETUP_PREEMPT.tsn -Patch187: 0007-igc-Add-support-for-setting-frame-preemption-configura.tsn -Patch188: 0008-igc-Add-support-for-Frame-Preemption-verification.tsn -Patch189: 0009-igc-Add-support-for-exposing-frame-preemption-stats-re.tsn -Patch190: 0010-igc-Optimize-the-packet-buffer-utilization.tsn -Patch191: 0011-igc-Add-support-for-enabling-all-packets-to-be-receive.tsn -Patch192: 0012-igc-Add-support-for-DMA-timestamp-for-non-PTP-packets.tsn -Patch193: 0013-bpf-add-btf-register-unregister-API.tsn -Patch194: 0014-net-core-XDP-metadata-BTF-netlink-API.tsn -Patch195: 0015-rtnetlink-Fix-unchecked-return-value-of-dev_xdp_query_.tsn -Patch196: 0016-rtnetlink-Add-return-value-check.tsn -Patch197: 0017-tools-bpf-Query-XDP-metadata-BTF-ID.tsn -Patch198: 0018-tools-bpf-Add-xdp-set-command-for-md-btf.tsn -Patch199: 0019-igc-Add-BTF-based-metadata-for-XDP.tsn -Patch200: 0020-igc-Enable-HW-RX-Timestamp-for-AF_XDP-ZC.tsn -Patch201: 0021-igc-Take-care-of-DMA-timestamp-rollover.tsn -Patch202: 0022-igc-Add-SO_TXTIME-for-AF_XDP-ZC.tsn -Patch203: 0023-igc-Reodering-the-empty-packet-buffers-and-descriptors.tsn -Patch204: 0024-Revert-igc-Add-support-for-PTP-.getcyclesx64.tsn -Patch205: 0025-core-Introduce-netdev_tc_map_to_queue_mask.tsn -Patch206: 0026-taprio-Replace-tc_map_to_queue_mask.tsn -Patch207: 0027-mqprio-Add-support-for-frame-preemption-offload.tsn -Patch208: 0030-igc-Reduce-retry-count-to-a-more-reasonable-number.tsn -Patch209: 0001-igc-Enable-HW-TX-Timestamp-for-AF_XDP-ZC.tsn -Patch210: 0002-igc-Enable-trace-for-HW-TX-Timestamp-AF_XDP-ZC.tsn -Patch211: 0003-igc-Remove-the-CONFIG_DEBUG_MISC-condition-for-trace.tsn -Patch212: 0006-Revert-net-stmmac-set-initial-EEE-policy-configurati.tsn -Patch213: 0001-net-phy-Set-eee_cfg.eee_enabled-according-to-PHY.tsn -Patch214: 0001-Revert-net-stmmac-add-FPE-preempt-setting-for-TxQ-pree.tsn -Patch215: 0002-Reapply-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-.tsn -Patch216: 0003-Reapply-net-stmmac-drop-stmmac_fpe_handshake.tsn -Patch217: 0004-Reapply-net-stmmac-refactor-FPE-verification-process.tsn -Patch218: 0005-Reapply-net-stmmac-configure-FPE-via-ethtool-mm.tsn -Patch219: 0006-Reapply-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn -Patch220: 0007-Reapply-net-stmmac-support-fp-parameter-of-tc-taprio.tsn -Patch221: 0008-Reapply-net-stmmac-silence-FPE-kernel-logs.tsn +Patch143: 0001-net-pcs-xpcs-enable-xpcs-reset-skipping.tsn +Patch144: 0002-net-stmmac-Bugfix-on-stmmac_interrupt-for-WOL.tsn +Patch145: 0003-net-phy-increase-gpy-loopback-test-delay.tsn +Patch146: 0004-net-stmmac-Resolve-poor-line-rate-after-switching-from.tsn +Patch147: 0005-net-phy-dp83867-perform-restart-AN-after-modifying-AN-.tsn +Patch148: 0006-stmmac-intel-Separate-ADL-N-and-RPL-P-device-ID-from-T.tsn +Patch149: 0007-net-stmmac-Adjust-mac_capabilities-for-Intel-mGbE-2.5G.tsn +Patch150: 0008-stmmac-intel-skip-xpcs-reset-for-2.5Gbps-on-Intel-Alde.tsn +Patch151: 0009-net-stmmac-add-check-for-2.5G-mode-to-prevent-MAC-capa.tsn +Patch152: 0010-stmmac-intel-Enable-PHY-WoL-in-ADL-N.tsn +Patch153: 0011-net-phy-reconfigure-PHY-WoL-when-WoL-option-is-enabled.tsn +Patch154: 0012-net-stmmac-fix-MAC-and-phylink-mismatch-issue-after-re.tsn +Patch155: 0013-net-stmmac-restructure-Rx-Tx-hardware-timestamping-fun.tsn +Patch156: 0014-net-stmmac-Add-per-packet-time-based-scheduling-for-XD.tsn +Patch157: 0015-net-stmmac-introduce-AF_XDP-ZC-RX-HW-timestamps.tsn +Patch158: 0016-net-stmmac-add-fsleep-in-HW-Rx-timestamp-checking-loop.tsn +Patch159: 0017-net-stmmac-select-PCS-negotiation-mode-according-to-th.tsn +Patch160: 0018-net-pcs-xpcs-re-initiate-clause-37-Auto-negotiation.tsn +Patch161: 0019-arch-x86-Add-IPC-mailbox-accessor-function-and-add-SoC.tsn +Patch162: 0020-net-stmmac-configure-SerDes-according-to-the-interface.tsn +Patch163: 0021-stmmac-intel-interface-switching-support-for-intel-pla.tsn +Patch164: 0022-net-stmmac-Set-mac_managed_pm-flag-from-stmmac-to-reso.tsn +Patch165: 0023-net-phylink-Add-module_exit.tsn +Patch166: 0024-net-stmmac-introduce-AF_XDP-ZC-TX-HW-timestamps.tsn +Patch167: 0025-net-sched-taprio-fix-too-early-schedules-switching.tsn +Patch168: 0026-net-sched-taprio-fix-cycle-time-adjustment-for-next-en.tsn +Patch169: 0027-net-sched-taprio-fix-impacted-fields-value-during-cycl.tsn +Patch170: 0028-net-sched-taprio-get-corrected-value-of-cycle_time-and.tsn +Patch171: 0029-xsk-add-txtime-field-in-xdp_desc-struct.tsn +Patch172: 0030-Revert-net-stmmac-silence-FPE-kernel-logs.tsn +Patch173: 0031-Revert-net-stmmac-support-fp-parameter-of-tc-taprio.tsn +Patch174: 0032-Revert-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn +Patch175: 0033-Revert-net-stmmac-configure-FPE-via-ethtool-mm.tsn +Patch176: 0034-Revert-net-stmmac-refactor-FPE-verification-process.tsn +Patch177: 0035-Revert-net-stmmac-drop-stmmac_fpe_handshake.tsn +Patch178: 0036-Revert-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-d.tsn +Patch179: 0037-net-stmmac-add-FPE-preempt-setting-for-TxQ-preemptible.tsn +Patch180: 0038-taprio-Add-support-for-frame-preemption-offload.tsn +Patch181: 0039-net-stmmac-set-initial-EEE-policy-configuration.tsn +Patch182: 0040-net-phy-fix-phylib-s-dual-eee_enabled.tsn +Patch183: 0041-net-phy-ensure-that-genphy_c45_an_config_eee_aneg-sees.tsn +Patch184: 0042-net-phy-fix-phy_ethtool_set_eee-incorrectly-enabling-L.tsn +Patch185: 0001-igc-Set-the-RX-packet-buffer-size-for-TSN-mode.tsn +Patch186: 0002-igc-Only-dump-registers-if-configured-to-dump-HW-infor.tsn +Patch187: 0003-ethtool-Add-support-for-configuring-frame-preemption.tsn +Patch188: 0004-ethtool-Add-support-for-Frame-Preemption-verification.tsn +Patch189: 0005-igc-Add-support-for-enabling-frame-preemption-via-etht.tsn +Patch190: 0006-igc-Add-support-for-TC_SETUP_PREEMPT.tsn +Patch191: 0007-igc-Add-support-for-setting-frame-preemption-configura.tsn +Patch192: 0008-igc-Add-support-for-Frame-Preemption-verification.tsn +Patch193: 0009-igc-Add-support-for-exposing-frame-preemption-stats-re.tsn +Patch194: 0010-igc-Optimize-the-packet-buffer-utilization.tsn +Patch195: 0011-igc-Add-support-for-enabling-all-packets-to-be-receive.tsn +Patch196: 0012-igc-Add-support-for-DMA-timestamp-for-non-PTP-packets.tsn +Patch197: 0013-bpf-add-btf-register-unregister-API.tsn +Patch198: 0014-net-core-XDP-metadata-BTF-netlink-API.tsn +Patch199: 0015-rtnetlink-Fix-unchecked-return-value-of-dev_xdp_query_.tsn +Patch200: 0016-rtnetlink-Add-return-value-check.tsn +Patch201: 0017-tools-bpf-Query-XDP-metadata-BTF-ID.tsn +Patch202: 0018-tools-bpf-Add-xdp-set-command-for-md-btf.tsn +Patch203: 0019-igc-Add-BTF-based-metadata-for-XDP.tsn +Patch204: 0020-igc-Enable-HW-RX-Timestamp-for-AF_XDP-ZC.tsn +Patch205: 0021-igc-Take-care-of-DMA-timestamp-rollover.tsn +Patch206: 0022-igc-Add-SO_TXTIME-for-AF_XDP-ZC.tsn +Patch207: 0023-igc-Reodering-the-empty-packet-buffers-and-descriptors.tsn +Patch208: 0024-Revert-igc-Add-support-for-PTP-.getcyclesx64.tsn +Patch209: 0025-core-Introduce-netdev_tc_map_to_queue_mask.tsn +Patch210: 0026-taprio-Replace-tc_map_to_queue_mask.tsn +Patch211: 0027-mqprio-Add-support-for-frame-preemption-offload.tsn +Patch212: 0030-igc-Reduce-retry-count-to-a-more-reasonable-number.tsn +Patch213: 0001-igc-Enable-HW-TX-Timestamp-for-AF_XDP-ZC.tsn +Patch214: 0002-igc-Enable-trace-for-HW-TX-Timestamp-AF_XDP-ZC.tsn +Patch215: 0003-igc-Remove-the-CONFIG_DEBUG_MISC-condition-for-trace.tsn +Patch216: 0006-Revert-net-stmmac-set-initial-EEE-policy-configurati.tsn +Patch217: 0001-net-phy-Set-eee_cfg.eee_enabled-according-to-PHY.tsn +Patch218: 0001-Revert-net-stmmac-add-FPE-preempt-setting-for-TxQ-pree.tsn +Patch219: 0002-Reapply-net-stmmac-move-stmmac_fpe_cfg-to-stmmac_priv-.tsn +Patch220: 0003-Reapply-net-stmmac-drop-stmmac_fpe_handshake.tsn +Patch221: 0004-Reapply-net-stmmac-refactor-FPE-verification-process.tsn +Patch222: 0005-Reapply-net-stmmac-configure-FPE-via-ethtool-mm.tsn +Patch223: 0006-Reapply-net-stmmac-support-fp-parameter-of-tc-mqprio.tsn +Patch224: 0007-Reapply-net-stmmac-support-fp-parameter-of-tc-taprio.tsn +Patch225: 0008-Reapply-net-stmmac-silence-FPE-kernel-logs.tsn #camera -Patch222: 0001-media-intel-ipu6-remove-buttress-ish-structure.camera -Patch223: 0001-media-i2c-Add-ar0234-camera-sensor-driver.camera -Patch224: 0002-media-i2c-add-support-for-lt6911uxe.camera -Patch225: 0003-INT3472-Support-LT6911UXE.camera -Patch226: 0004-upstream-Use-module-parameter-to-set-isys-freq.camera -Patch227: 0005-upstream-Use-module-parameter-to-set-psys-freq.camera -Patch228: 0006-media-pci-Enable-ISYS-reset.camera -Patch229: 0007-media-i2c-add-support-for-ar0234-and-lt6911uxe.camera -Patch230: 0008-driver-media-i2c-remove-useless-header-file.camera -Patch231: 0009-media-i2c-update-lt6911uxe-for-upstream-and-bug-fix.camera -Patch232: 0010-media-i2c-add-support-for-lt6911uxc.camera -Patch233: 0011-media-i2c-add-lt6911uxc-driver-and-enable-in-ipu-br.camera -Patch234: 0012-media-pci-intel-psys-driver.camera -Patch235: 0013-media-i2c-Remove-unused-variables-in-Lontium-driver.camera -Patch236: 0001-media-intel-ipu6-remove-buttress-ish-structure-1.camera -Patch237: 0002-media-pci-intel-include-psys-driver.camera -Patch238: 0003-Revert-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to-.camera -Patch239: 0004-Revert-media-ipu6-remove-architecture-DMA-ops-depen.camera -Patch240: 0005-Revert-media-ipu6-not-override-the-dma_ops-of-devic.camera -Patch241: 0001-Reapply-media-ipu6-not-override-the-dma_ops-of-devi.camera -Patch242: 0002-Reapply-media-ipu6-remove-architecture-DMA-ops-depe.camera -Patch243: 0003-Reapply-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to.camera -Patch244: 0001-media-pci-update-IPU6-PSYS-driver.camera -Patch245: 0002-media-i2c-update-lt6911uxc-driver-to-fix-COV-issue.camera -Patch246: 0003-lt6911-2-pads-linked-to-ipu-2-ports-for-split-mode.camera -Patch247: 0004-media-i2c-add-dv_timings-api-in-lt6911uxe.camera -Patch248: 0005-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera -Patch249: 0006-media-i2c-some-changes-in-lt6911uxe.camera -Patch250: 0001-Revert-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera -Patch251: 0002-media-i2c-update-format-in-irq-for-lt6911uxe.camera -Patch252: 0003-media-i2c-remove-unused-func-in-lt6911uxe.camera -Patch253: 0001-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera -Patch254: 0002-media-ipu-Dma-sync-at-buffer_prepare-callback-as-DM.camera -Patch255: 0003-Support-IPU6-ISYS-FW-trace-dump-for-upstream-driver.camera -Patch256: 0004-Support-IPU6-PSYS-FW-trace-dump-for-upstream-driver.camera -Patch257: 0005-media-pci-The-order-of-return-buffers-should-be-FIF.camera -Patch258: 0006-media-i2c-fix-power-on-issue-for-on-board-LT6911UXC.camera -Patch259: 0007-media-i2c-fix-power-on-issue-for-on-board-LT6911UXE.camera -Patch260: 0001-media-pci-Modify-enble-disable-stream-in-CSI2.camera -Patch261: 0002-media-pci-Set-the-correct-SOF-for-different-stream.camera -Patch262: 0003-media-pci-support-imx390-for-6.11.0-rc3.camera -Patch263: 0004-i2c-media-fix-cov-issue.camera -Patch264: 0005-mv-ipu-acpi-module-to-linux-drivers.camera -Patch265: 0006-kernel-enable-VC-support-in-v4l2.camera -Patch266: 0007-media-pci-intel-support-PDATA-in-Kconfig-Makefile.camera -Patch267: 0008-media-pci-unregister-i2c-device-to-complete-ext_sub.camera -Patch268: 0009-media-pci-align-params-for-non-MIPI-split-and-split.camera -Patch269: 0010-media-pci-add-missing-if-for-PDATA.camera -Patch270: 0011-media-platform-fix-allyesconfig-build-error.camera -Patch271: 0012-media-pci-refine-PDATA-related-config.camera -Patch272: 0013-kernel-align-ACPI-PDATA-and-ACPI-fwnode-build-for-E.camera -Patch273: 0014-media-i2c-add-gmsl-isx031-support.camera -Patch274: 0015-media-i2c-add-support-for-isx031-max9296.camera -Patch275: 0016-fix-S4-issue-on-TWL.camera -Patch276: 0017-code-changes-for-link-frequency-and-sensor-physical.camera +Patch226: 0001-media-intel-ipu6-remove-buttress-ish-structure.camera +Patch227: 0001-media-i2c-Add-ar0234-camera-sensor-driver.camera +Patch228: 0002-media-i2c-add-support-for-lt6911uxe.camera +Patch229: 0003-INT3472-Support-LT6911UXE.camera +Patch230: 0004-upstream-Use-module-parameter-to-set-isys-freq.camera +Patch231: 0005-upstream-Use-module-parameter-to-set-psys-freq.camera +Patch232: 0006-media-pci-Enable-ISYS-reset.camera +Patch233: 0007-media-i2c-add-support-for-ar0234-and-lt6911uxe.camera +Patch234: 0008-driver-media-i2c-remove-useless-header-file.camera +Patch235: 0009-media-i2c-update-lt6911uxe-for-upstream-and-bug-fix.camera +Patch236: 0010-media-i2c-add-support-for-lt6911uxc.camera +Patch237: 0011-media-i2c-add-lt6911uxc-driver-and-enable-in-ipu-br.camera +Patch238: 0012-media-pci-intel-psys-driver.camera +Patch239: 0013-media-i2c-Remove-unused-variables-in-Lontium-driver.camera +Patch240: 0001-media-intel-ipu6-remove-buttress-ish-structure-1.camera +Patch241: 0002-media-pci-intel-include-psys-driver.camera +Patch242: 0003-Revert-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to-.camera +Patch243: 0004-Revert-media-ipu6-remove-architecture-DMA-ops-depen.camera +Patch244: 0005-Revert-media-ipu6-not-override-the-dma_ops-of-devic.camera +Patch245: 0001-Reapply-media-ipu6-not-override-the-dma_ops-of-devi.camera +Patch246: 0002-Reapply-media-ipu6-remove-architecture-DMA-ops-depe.camera +Patch247: 0003-Reapply-media-ipu6-use-the-IPU6-DMA-mapping-APIs-to.camera +Patch248: 0001-media-pci-update-IPU6-PSYS-driver.camera +Patch249: 0002-media-i2c-update-lt6911uxc-driver-to-fix-COV-issue.camera +Patch250: 0003-lt6911-2-pads-linked-to-ipu-2-ports-for-split-mode.camera +Patch251: 0004-media-i2c-add-dv_timings-api-in-lt6911uxe.camera +Patch252: 0005-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera +Patch253: 0006-media-i2c-some-changes-in-lt6911uxe.camera +Patch254: 0001-Revert-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera +Patch255: 0002-media-i2c-update-format-in-irq-for-lt6911uxe.camera +Patch256: 0003-media-i2c-remove-unused-func-in-lt6911uxe.camera +Patch257: 0001-media-intel-ipu6-use-vc1-dma-for-MTL-and-ARL.camera +Patch258: 0002-media-ipu-Dma-sync-at-buffer_prepare-callback-as-DM.camera +Patch259: 0003-Support-IPU6-ISYS-FW-trace-dump-for-upstream-driver.camera +Patch260: 0004-Support-IPU6-PSYS-FW-trace-dump-for-upstream-driver.camera +Patch261: 0005-media-pci-The-order-of-return-buffers-should-be-FIF.camera +Patch262: 0006-media-i2c-fix-power-on-issue-for-on-board-LT6911UXC.camera +Patch263: 0007-media-i2c-fix-power-on-issue-for-on-board-LT6911UXE.camera +Patch264: 0001-media-pci-Modify-enble-disable-stream-in-CSI2.camera +Patch265: 0002-media-pci-Set-the-correct-SOF-for-different-stream.camera +Patch266: 0003-media-pci-support-imx390-for-6.11.0-rc3.camera +Patch267: 0004-i2c-media-fix-cov-issue.camera +Patch268: 0005-mv-ipu-acpi-module-to-linux-drivers.camera +Patch269: 0006-kernel-enable-VC-support-in-v4l2.camera +Patch270: 0007-media-pci-intel-support-PDATA-in-Kconfig-Makefile.camera +Patch271: 0008-media-pci-unregister-i2c-device-to-complete-ext_sub.camera +Patch272: 0009-media-pci-align-params-for-non-MIPI-split-and-split.camera +Patch273: 0010-media-pci-add-missing-if-for-PDATA.camera +Patch274: 0011-media-platform-fix-allyesconfig-build-error.camera +Patch275: 0012-media-pci-refine-PDATA-related-config.camera +Patch276: 0013-kernel-align-ACPI-PDATA-and-ACPI-fwnode-build-for-E.camera +Patch277: 0014-media-i2c-add-gmsl-isx031-support.camera +Patch278: 0015-media-i2c-add-support-for-isx031-max9296.camera +Patch279: 0016-fix-S4-issue-on-TWL.camera +Patch280: 0017-code-changes-for-link-frequency-and-sensor-physical.camera #wwan -Patch277: 0001-Revert-bus-mhi-host-pci_generic-add-support-for-sc828.wwan -Patch278: 0002-wwan-add-SAHARA-device.wwan -Patch279: 0003-bus-mhi-host-allow-SBL-as-initial-EE.wwan -Patch280: 0004-drivers-bus-mhi-let-userspace-manage-xfp-fw-update-st.wwan -Patch281: 0005-wwan-add-NMEA-type.wwan -Patch282: 0006-drivers-bus-mhi-add-FN980-v2-support.wwan -Patch283: 0007-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL-device.wwan -Patch284: 0008-drivers-net-wwan-add-simple-DTR-driver.wwan -Patch285: 0009-drivers-bus-mhi-host-fix-recovery-process-when-modem-.wwan -Patch286: 0001-Revert-drivers-bus-mhi-host-fix-recovery-process-when.wwan -Patch287: 0002-Revert-drivers-net-wwan-add-simple-DTR-driver.wwan -Patch288: 0003-Revert-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL.wwan -Patch289: 0004-Revert-drivers-bus-mhi-add-FN980-v2-support.wwan -Patch290: 0005-Revert-wwan-add-NMEA-type.wwan -Patch291: 0006-Revert-drivers-bus-mhi-let-userspace-manage-xfp-fw-up.wwan -Patch292: 0007-Revert-bus-mhi-host-allow-SBL-as-initial-EE.wwan -Patch293: 0008-Revert-wwan-add-SAHARA-device.wwan -Patch294: 0009-Revert-Revert-bus-mhi-host-pci_generic-add-support-fo.wwan +Patch281: 0001-Revert-bus-mhi-host-pci_generic-add-support-for-sc828.wwan +Patch282: 0002-wwan-add-SAHARA-device.wwan +Patch283: 0003-bus-mhi-host-allow-SBL-as-initial-EE.wwan +Patch284: 0004-drivers-bus-mhi-let-userspace-manage-xfp-fw-update-st.wwan +Patch285: 0005-wwan-add-NMEA-type.wwan +Patch286: 0006-drivers-bus-mhi-add-FN980-v2-support.wwan +Patch287: 0007-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL-device.wwan +Patch288: 0008-drivers-net-wwan-add-simple-DTR-driver.wwan +Patch289: 0009-drivers-bus-mhi-host-fix-recovery-process-when-modem-.wwan +Patch290: 0001-Revert-drivers-bus-mhi-host-fix-recovery-process-when.wwan +Patch291: 0002-Revert-drivers-net-wwan-add-simple-DTR-driver.wwan +Patch292: 0003-Revert-drivers-bus-mhi-add-FN990-NMEA-and-DIAG-in-SBL.wwan +Patch293: 0004-Revert-drivers-bus-mhi-add-FN980-v2-support.wwan +Patch294: 0005-Revert-wwan-add-NMEA-type.wwan +Patch295: 0006-Revert-drivers-bus-mhi-let-userspace-manage-xfp-fw-up.wwan +Patch296: 0007-Revert-bus-mhi-host-allow-SBL-as-initial-EE.wwan +Patch297: 0008-Revert-wwan-add-SAHARA-device.wwan +Patch298: 0009-Revert-Revert-bus-mhi-host-pci_generic-add-support-fo.wwan #pmc_core -Patch295: 0001-platform-x86-intel-pmc-Add-Arrow-Lake-U-H-support.pmc_core -Patch296: 0002-platform-x86-intel-pmc-Add-Bartlett-Lake-support-to-.pmc_core -Patch297: 0001-platform-x86-intel-pmc-Fix-Arrow-Lake-U-H-NPU-PCI.pmc_core +Patch299: 0001-platform-x86-intel-pmc-Add-Arrow-Lake-U-H-support.pmc_core +Patch300: 0002-platform-x86-intel-pmc-Add-Bartlett-Lake-support-to-.pmc_core +Patch301: 0001-platform-x86-intel-pmc-Fix-Arrow-Lake-U-H-NPU-PCI.pmc_core #lpss -Patch298: 0001-Added-spi_set_cs-for-more-stable-r-w-operations-in-S.lpss -Patch299: 0002-mtd-core-Don-t-fail-mtd_device_parse_register-if-OTP.lpss -Patch300: 0003-spi-intel-pci-Add-support-for-Arrow-Lake-H-SPI-seria.lpss -Patch301: 0004-spi-intel-Add-protected-and-locked-attributes.lpss +Patch302: 0001-Added-spi_set_cs-for-more-stable-r-w-operations-in-S.lpss +Patch303: 0002-mtd-core-Don-t-fail-mtd_device_parse_register-if-OTP.lpss +Patch304: 0003-spi-intel-pci-Add-support-for-Arrow-Lake-H-SPI-seria.lpss +Patch305: 0004-spi-intel-Add-protected-and-locked-attributes.lpss #preempt_rt patches backported -Patch302: 0001-Revert-sched-core-Remove-the-unnecessary-need_resche.rt -Patch303: 0001-hrtimer-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt -Patch304: 0002-timers-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt -Patch305: 0003-softirq-Use-a-dedicated-thread-for-timer-wakeups-on-PRE.rt -Patch306: 0004-serial-8250-Switch-to-nbcon-console.rt -Patch307: 0005-serial-8250-Revert-drop-lockdep-annotation-from-serial8.rt -Patch308: 0006-locking-rt-Remove-one-__cond_lock-in-RT-s-spin_trylock_.rt -Patch309: 0007-locking-rt-Add-sparse-annotation-for-RCU.rt -Patch310: 0008-locking-rt-Annotate-unlock-followed-by-lock-for-sparse.rt -Patch311: 0009-drm-i915-Use-preempt_disable-enable_rt-where-recommende.rt -Patch312: 0010-drm-i915-Don-t-disable-interrupts-on-PREEMPT_RT-during-.rt -Patch313: 0011-drm-i915-Don-t-check-for-atomic-context-on-PREEMPT_RT.rt -Patch314: 0012-drm-i915-Disable-tracing-points-on-PREEMPT_RT.rt -Patch315: 0013-drm-i915-gt-Use-spin_lock_irq-instead-of-local_irq_disa.rt -Patch316: 0014-drm-i915-Drop-the-irqs_disabled-check.rt -Patch317: 0015-drm-i915-guc-Consider-also-RCU-depth-in-busy-loop.rt -Patch318: 0016-Revert-drm-i915-Depend-on-PREEMPT_RT.rt -Patch319: 0017-sched-Add-TIF_NEED_RESCHED_LAZY-infrastructure.rt -Patch320: 0018-sched-Add-Lazy-preemption-model.rt -Patch321: 0019-sched-Enable-PREEMPT_DYNAMIC-for-PREEMPT_RT.rt -Patch322: 0020-sched-x86-Enable-Lazy-preemption.rt -Patch323: 0021-sched-Add-laziest-preempt-model.rt -Patch324: 0022-sched-Fixup-the-IS_ENABLED-check-for-PREEMPT_LAZY.rt -Patch325: 0023-tracing-Remove-TRACE_FLAG_IRQS_NOSUPPORT.rt -Patch326: 0024-tracing-Record-task-flag-NEED_RESCHED_LAZY.rt -Patch327: 0025-sysfs-Add-sys-kernel-realtime-entry.rt -Patch328: 0001-serial-8250-enable-original-console-by-default.rt -Patch329: 0001-kernel-trace-Add-DISALLOW_TRACE_PRINTK-make-option.rt -Patch330: 0002-Revert-scripts-remove-bin2c.rt -Patch331: 0003-extend-uio-driver-to-supports-msix.rt -Patch332: 0004-virtio-add-VIRTIO_PMD-support.rt -Patch333: 0005-virt-acrn-Introduce-interfaces-for-PIO-device.rt -Patch334: 0006-Add-hypercall-to-access-MSR.rt -Patch335: 0007-Revert-spi-Remove-unused-function-spi_busnum_to_master.rt -Patch336: 0008-igc-add-CONFIG_IGC_TSN_TRACE-conditional-trace_printk-u.rt -Patch337: 0009-stmmac_pci-add-CONFIG_STMMAC_TSN_TRACE-conditional-trac.rt -Patch338: 0010-igb-prepare-for-AF_XDP-zero-copy-support.rt -Patch339: 0011-igb-Introduce-XSK-data-structures-and-helpers.rt -Patch340: 0012-igb-add-AF_XDP-zero-copy-Rx-support.rt -Patch341: 0013-igb-add-AF_XDP-zero-copy-Tx-support.rt -Patch342: 0014-igb-Add-BTF-based-metadata-for-XDP.rt -Patch343: 0015-ANDROID-trace-power-add-trace_clock_set_parent.rt -Patch344: 0016-ANDROID-trace-net-use-pK-for-kernel-pointers.rt -Patch345: 0017-ANDROID-trace-add-non-hierarchical-function_graph-optio.rt -Patch346: 0018-virtio-fix-VIRTIO_PMD-support.rt -Patch347: 0019-drm-i915-add-i915-perf-event-capacity.rt -Patch348: 0020-drm-xe-pm-allow-xe-with-CONFIG_PM.rt +Patch306: 0001-Revert-sched-core-Remove-the-unnecessary-need_resche.rt +Patch307: 0001-hrtimer-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt +Patch308: 0002-timers-Use-__raise_softirq_irqoff-to-raise-the-softirq.rt +Patch309: 0003-softirq-Use-a-dedicated-thread-for-timer-wakeups-on-PRE.rt +Patch310: 0004-serial-8250-Switch-to-nbcon-console.rt +Patch311: 0005-serial-8250-Revert-drop-lockdep-annotation-from-serial8.rt +Patch312: 0006-locking-rt-Remove-one-__cond_lock-in-RT-s-spin_trylock_.rt +Patch313: 0007-locking-rt-Add-sparse-annotation-for-RCU.rt +Patch314: 0008-locking-rt-Annotate-unlock-followed-by-lock-for-sparse.rt +Patch315: 0009-drm-i915-Use-preempt_disable-enable_rt-where-recommende.rt +Patch316: 0010-drm-i915-Don-t-disable-interrupts-on-PREEMPT_RT-during-.rt +Patch317: 0011-drm-i915-Don-t-check-for-atomic-context-on-PREEMPT_RT.rt +Patch318: 0012-drm-i915-Disable-tracing-points-on-PREEMPT_RT.rt +Patch319: 0013-drm-i915-gt-Use-spin_lock_irq-instead-of-local_irq_disa.rt +Patch320: 0014-drm-i915-Drop-the-irqs_disabled-check.rt +Patch321: 0015-drm-i915-guc-Consider-also-RCU-depth-in-busy-loop.rt +Patch322: 0016-Revert-drm-i915-Depend-on-PREEMPT_RT.rt +Patch323: 0017-sched-Add-TIF_NEED_RESCHED_LAZY-infrastructure.rt +Patch324: 0018-sched-Add-Lazy-preemption-model.rt +Patch325: 0019-sched-Enable-PREEMPT_DYNAMIC-for-PREEMPT_RT.rt +Patch326: 0020-sched-x86-Enable-Lazy-preemption.rt +Patch327: 0021-sched-Add-laziest-preempt-model.rt +Patch328: 0022-sched-Fixup-the-IS_ENABLED-check-for-PREEMPT_LAZY.rt +Patch329: 0023-tracing-Remove-TRACE_FLAG_IRQS_NOSUPPORT.rt +Patch330: 0024-tracing-Record-task-flag-NEED_RESCHED_LAZY.rt +Patch331: 0025-sysfs-Add-sys-kernel-realtime-entry.rt +Patch332: 0001-serial-8250-enable-original-console-by-default.rt +Patch333: 0001-kernel-trace-Add-DISALLOW_TRACE_PRINTK-make-option.rt +Patch334: 0002-Revert-scripts-remove-bin2c.rt +Patch335: 0003-extend-uio-driver-to-supports-msix.rt +Patch336: 0004-virtio-add-VIRTIO_PMD-support.rt +Patch337: 0005-virt-acrn-Introduce-interfaces-for-PIO-device.rt +Patch338: 0006-Add-hypercall-to-access-MSR.rt +Patch339: 0007-Revert-spi-Remove-unused-function-spi_busnum_to_master.rt +Patch340: 0008-igc-add-CONFIG_IGC_TSN_TRACE-conditional-trace_printk-u.rt +Patch341: 0009-stmmac_pci-add-CONFIG_STMMAC_TSN_TRACE-conditional-trac.rt +Patch342: 0010-igb-prepare-for-AF_XDP-zero-copy-support.rt +Patch343: 0011-igb-Introduce-XSK-data-structures-and-helpers.rt +Patch344: 0012-igb-add-AF_XDP-zero-copy-Rx-support.rt +Patch345: 0013-igb-add-AF_XDP-zero-copy-Tx-support.rt +Patch346: 0014-igb-Add-BTF-based-metadata-for-XDP.rt +Patch347: 0015-ANDROID-trace-power-add-trace_clock_set_parent.rt +Patch348: 0016-ANDROID-trace-net-use-pK-for-kernel-pointers.rt +Patch349: 0017-ANDROID-trace-add-non-hierarchical-function_graph-optio.rt +Patch350: 0018-virtio-fix-VIRTIO_PMD-support.rt +Patch351: 0019-drm-i915-add-i915-perf-event-capacity.rt +Patch352: 0020-drm-xe-pm-allow-xe-with-CONFIG_PM.rt #drm -Patch349: 0001-drm-i915-enable-guc-submission-for-ADLs-by-default.drm -Patch350: 0001-drm-i915-disable-a-couple-of-RT-functions-if-RT-is-d.drm -Patch351: 0001-drm-i915-disable-dGPU-support-with-RT-kernel.drm -Patch352: 0001-i915-Update-GUC-to-v70.44.1-for-i915-platforms.drm -Patch353: 0001-Revert-drm-i915-disable-dGPU-support-with-RT-kernel.drm -Patch354: 0001-drm-i915-gt-Avoid-using-masked-workaround-for-CCS_MODE.drm -Patch355: 0002-drm-i915-gt-Move-the-CCS-mode-variable-to-a-global-pos.drm -Patch356: 0003-drm-i915-gt-Allow-the-creation-of-multi-mode-CCS-masks.drm -Patch357: 0004-drm-i915-gt-Refactor-uabi-engine-class-instance-list-c.drm -Patch358: 0005-drm-i915-gem-Mark-and-verify-UABI-engine-validity.drm -Patch359: 0006-drm-i915-gt-Introduce-for_each_enabled_engine-and-appl.drm -Patch360: 0007-drm-i915-gt-Manage-CCS-engine-creation-within-UABI-exp.drm -Patch361: 0008-drm-i915-gt-Remove-cslices-mask-value-from-the-CCS-str.drm -Patch362: 0009-drm-i915-gt-Expose-the-number-of-total-CCS-slices.drm -Patch363: 0010-drm-i915-gt-Store-engine-related-sysfs-kobjects.drm -Patch364: 0011-drm-i915-gt-Store-active-CCS-mask.drm -Patch365: 0012-drm-i915-Protect-access-to-the-UABI-engines-list-with-.drm -Patch366: 0013-drm-i915-gt-Isolate-single-sysfs-engine-file-creation.drm -Patch367: 0014-drm-i915-gt-Implement-creation-and-removal-routines-fo.drm -Patch368: 0015-drm-i915-gt-Allow-the-user-to-change-the-CCS-mode-thro.drm -Patch369: 0016-drm-i915-gt-Refactor-CCS-mode-handling-and-improve-app.drm -Patch370: 0017-drm-i915-no-waiting-for-page-flip-in-vpp-case.drm -Patch371: 0001-Remove-unneeded-files.patch +Patch353: 0001-drm-i915-enable-guc-submission-for-ADLs-by-default.drm +Patch354: 0001-drm-i915-disable-a-couple-of-RT-functions-if-RT-is-d.drm +Patch355: 0001-drm-i915-disable-dGPU-support-with-RT-kernel.drm +Patch356: 0001-i915-Update-GUC-to-v70.44.1-for-i915-platforms.drm +Patch357: 0001-Revert-drm-i915-disable-dGPU-support-with-RT-kernel.drm +Patch358: 0001-drm-i915-gt-Avoid-using-masked-workaround-for-CCS_MODE.drm +Patch359: 0002-drm-i915-gt-Move-the-CCS-mode-variable-to-a-global-pos.drm +Patch360: 0003-drm-i915-gt-Allow-the-creation-of-multi-mode-CCS-masks.drm +Patch361: 0004-drm-i915-gt-Refactor-uabi-engine-class-instance-list-c.drm +Patch362: 0005-drm-i915-gem-Mark-and-verify-UABI-engine-validity.drm +Patch363: 0006-drm-i915-gt-Introduce-for_each_enabled_engine-and-appl.drm +Patch364: 0007-drm-i915-gt-Manage-CCS-engine-creation-within-UABI-exp.drm +Patch365: 0008-drm-i915-gt-Remove-cslices-mask-value-from-the-CCS-str.drm +Patch366: 0009-drm-i915-gt-Expose-the-number-of-total-CCS-slices.drm +Patch367: 0010-drm-i915-gt-Store-engine-related-sysfs-kobjects.drm +Patch368: 0011-drm-i915-gt-Store-active-CCS-mask.drm +Patch369: 0012-drm-i915-Protect-access-to-the-UABI-engines-list-with-.drm +Patch370: 0013-drm-i915-gt-Isolate-single-sysfs-engine-file-creation.drm +Patch371: 0014-drm-i915-gt-Implement-creation-and-removal-routines-fo.drm +Patch372: 0015-drm-i915-gt-Allow-the-user-to-change-the-CCS-mode-thro.drm +Patch373: 0016-drm-i915-gt-Refactor-CCS-mode-handling-and-improve-app.drm +Patch374: 0017-drm-i915-no-waiting-for-page-flip-in-vpp-case.drm +Patch375: 0001-Remove-unneeded-files.patch #rapl -Patch372: 0001-powercap-intel_rapl-Add-support-for-Bartlett-Lake-pl.rapl +Patch376: 0001-powercap-intel_rapl-Add-support-for-Bartlett-Lake-pl.rapl #misc -Patch373: 0001-Add-security.md-file.misc +Patch377: 0001-Add-security.md-file.misc +#iommu +Patch378: 0001-driver-core-add-a-faux-bus-for-use-when-a-simple-dev.iommu +Patch379: 0002-iommu-io-pgtable-arm-dynamically-allocate-selftest-d.iommu #emt-drm -Patch374: 0075-drm-xe-gsc-mei-interrupt-top-half-should-be-in-irq-d.patch -# CVE Patches +Patch380: 0075-drm-xe-gsc-mei-interrupt-top-half-should-be-in-irq-d.patch #CVE-2025-21709 -Patch375: CVE-2025-21709.patch -#CVE-2025-21807 -Patch376: CVE-2025-21807.patch +Patch381: CVE-2025-21709.patch #CVE-2025-21817 -Patch377: CVE-2025-21817.patch -#CVE-2025-22103 -Patch378: CVE-2025-22103.patch +Patch382: CVE-2025-21817.patch #CVE-2025-22104 -Patch379: CVE-2025-22104.patch +Patch383: CVE-2025-22104.patch #CVE-2025-22105 -Patch380: CVE-2025-22105.patch -Patch381: CVE-2025-22105-1.patch -#CVE-2025-22106 -Patch382: CVE-2025-22106.patch +Patch384: CVE-2025-22105.patch +Patch385: CVE-2025-22105-1.patch #CVE-2025-22108 -Patch383: CVE-2025-22108.patch +Patch386: CVE-2025-22108.patch #CVE-2025-22111 -Patch384: CVE-2025-22111.patch -#CVE-2025-22113 -Patch385: CVE-2025-22113.patch -Patch386: CVE-2025-22113-1.patch +Patch387: CVE-2025-22111.patch #CVE-2025-22116 -Patch387: CVE-2025-22116.patch +Patch388: CVE-2025-22116.patch #CVE-2025-22117 -Patch388: CVE-2025-22117.patch +Patch389: CVE-2025-22117.patch #CVE-2025-22121 -Patch389: CVE-2025-22121.patch -Patch390: CVE-2025-22121-1.patch -#CVE-2025-22124 -Patch391: CVE-2025-22124.patch +Patch390: CVE-2025-22121.patch +Patch391: CVE-2025-22121-1.patch #CVE-2025-23131 Patch392: CVE-2025-23131.patch #CVE-2025-37746 @@ -451,73 +447,83 @@ Patch398: CVE-2025-38041-2.patch Patch399: CVE-2025-38029.patch #CVE-2025-38311 Patch400: CVE-2025-38311.patch -#CVE-2025-38306 -Patch401: CVE-2025-38306.patch #CVE-2025-38248 -Patch402: CVE-2025-38248.patch +Patch401: CVE-2025-38248.patch #CVE-2025-38234 -Patch403: CVE-2025-38234.patch +Patch402: CVE-2025-38234.patch #CVE-2025-38207 -Patch404: CVE-2025-38207.patch +Patch403: CVE-2025-38207.patch #CVE-2025-38137 -Patch405: CVE-2025-38137.patch -#CVE-2025-38105 -Patch406: CVE-2025-38105.patch +Patch404: CVE-2025-38137.patch #CVE-2025-40325 -Patch407: CVE-2025-40325.patch +Patch405: CVE-2025-40325.patch #CVE-2025-38284 -Patch408: CVE-2025-38284.patch -Patch409: CVE-2025-38284-1.patch -Patch410: CVE-2025-38284-2.patch -#CVE-2025-38272 -Patch411: CVE-2025-38272.patch -Patch412: CVE-2025-38272-1.patch -Patch413: CVE-2025-38272-2.patch +Patch406: CVE-2025-38284.patch +Patch407: CVE-2025-38284-1.patch +Patch408: CVE-2025-38284-2.patch #CVE-2025-38199 -Patch414: CVE-2025-38199.patch +Patch409: CVE-2025-38199.patch #CVE-2025-38140 -Patch415: CVE-2025-38140.patch +Patch410: CVE-2025-38140.patch #CVE-2025-38132 -Patch416: CVE-2025-38132.patch -Patch417: CVE-2025-38132-1.patch +Patch411: CVE-2025-38132.patch +Patch412: CVE-2025-38132-1.patch #CVE-2025-37743 -Patch418: CVE-2025-37743.patch -#CVE-2025-23133 -Patch419: CVE-2025-23133.patch +Patch413: CVE-2025-37743.patch #CVE-2025-23132 -Patch420: CVE-2025-23132.patch +Patch414: CVE-2025-23132.patch #CVE-2025-23130 -Patch421: CVE-2025-23130.patch +Patch415: CVE-2025-23130.patch #CVE-2025-23129 -Patch422: CVE-2025-23129.patch +Patch416: CVE-2025-23129.patch #CVE-2025-22127 -Patch423: CVE-2025-22127.patch -#CVE-2025-22125 -Patch424: CVE-2025-22125.patch +Patch417: CVE-2025-22127.patch #CVE-2025-22109 -Patch425: CVE-2025-22109.patch +Patch418: CVE-2025-22109.patch #CVE-2025-21752 -Patch426: CVE-2025-21752.patch -Patch427: CVE-2025-21752-1.patch +Patch419: CVE-2025-21752.patch +Patch420: CVE-2025-21752-1.patch #CVE-2025-37860 -Patch428: CVE-2025-37860.patch +Patch421: CVE-2025-37860.patch #CVE-2024-58095 -Patch429: CVE-2024-58095.patch +Patch422: CVE-2024-58095.patch #CVE-2024-58094 -Patch430: CVE-2024-58094.patch +Patch423: CVE-2024-58094.patch #CVE-2024-57995 -Patch431: CVE-2024-57995.patch +Patch424: CVE-2024-57995.patch #CVE-2024-52560 -Patch432: CVE-2024-52560.patch -Patch433: CVE-2024-52560-1.patch +Patch425: CVE-2024-52560.patch +Patch426: CVE-2024-52560-1.patch #CVE-2025-38621 -Patch434: CVE-2025-38621.patch -#CVE-2025-38502 -Patch435: CVE-2025-38502.patch +Patch427: CVE-2025-38621.patch #CVE-2025-38627 -Patch436: CVE-2025-38627.patch +Patch428: CVE-2025-38627.patch #CVE-2025-38643 -Patch437: CVE-2025-38643.patch +Patch429: CVE-2025-38643.patch +#CVE-2025-39789 +Patch430: CVE-2025-39789.patch +#CVE-2025-39764 +Patch431: CVE-2025-39764.patch +#CVE-2025-39745 +Patch432: CVE-2025-39745.patch +#CVE-2025-39677 +Patch433: CVE-2025-39677.patch +#CVE-2025-39933 +Patch434: CVE-2025-39933.patch +#CVE-2025-39833 +Patch435: CVE-2025-39833.patch +#CVE-2025-39925 +Patch436: CVE-2025-39925.patch +#CVE-2025-39905 +Patch437: CVE-2025-39905.patch +#CVE-2025-39859 +Patch438: CVE-2025-39859.patch +#CVE-2025-39910 +Patch439: CVE-2025-39910.patch +#CVE-2025-39981 +Patch440: CVE-2025-39981.patch +# CVE Patches + %global security_hardening none %global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh @@ -666,8 +672,8 @@ manipulation of eBPF programs and maps. %prep %define _default_patch_flags -p1 --fuzz=3 --force -%setup -q -n linux-6.12.44 -%autosetup -p1 -n linux-6.12.44 +%setup -q -n linux-6.12.55 +%autosetup -p1 -n linux-6.12.55 # %patch 0 -p1 make mrproper @@ -913,6 +919,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Tue Nov 18 2025 Lishan Liu - 6.12.55-1 +- Update kernel to 6.12.55 + * Fri Nov 14 2025 Lishan Liu - 6.12.44-6 - Update audio support in kernel config diff --git a/SPECS/kernel/series b/SPECS/kernel/series index 77137c69c1..38b1f51a3e 100644 --- a/SPECS/kernel/series +++ b/SPECS/kernel/series @@ -1,5 +1,5 @@ -# Series file for v6.12.44 linux kernel -# 11a24528d080a Linux 6.12.44 +# Series file for v6.12.55 linux kernel +# 4fc43debf5047 Linux 6.12.55 #sriov 0001-drm-i915-mtl-Add-C10-table-for-HDMI-Clock-25175.sriov 0002-drm-i915-mtl-Copy-c10-phy-pll-sw-state-from-master-t.sriov @@ -58,6 +58,8 @@ 0002-virtio-break-and-reset-virtio-devices-on-device_shut.sriov 0003-virtgpu-don-t-reset-on-shutdown.sriov 0004-drm-virtio-implement-virtio_gpu_shutdown.sriov +0001-drm-virtio-Wait-until-the-control-and-cursor-queues-.sriov +0001-drm-i915-move-sriov-selftest-buffer-out-of-stack.sriov #security 0001-mei-bus-add-api-to-query-capabilities-of-ME-clien.security 0002-mei-virtio-virtualization-frontend-driver.security @@ -143,6 +145,8 @@ 0013-EDAC-ie31200-Switch-Raptor-Lake-S-to-interrupt-mode.edac 0001-EDAC-ie31200-Add-two-Intel-SoCs-for-EDAC-support.edac 0002-ie31200-EDAC-Add-Intel-Bartlett-Lake-S-SoCs-support.edac +0001-EDAC-igen6-Add-Intel-Amston-Lake-SoCs-support.edac +0002-EDAC-igen6-Add-additional-Intel-Amston-Lake-SoC-compu.edac #tsn 0001-net-pcs-xpcs-enable-xpcs-reset-skipping.tsn 0002-net-stmmac-Bugfix-on-stmmac_interrupt-for-WOL.tsn @@ -387,20 +391,17 @@ 0001-powercap-intel_rapl-Add-support-for-Bartlett-Lake-pl.rapl #misc 0001-Add-security.md-file.misc +#iommu +0001-driver-core-add-a-faux-bus-for-use-when-a-simple-dev.iommu +0002-iommu-io-pgtable-arm-dynamically-allocate-selftest-d.iommu #emt-drm 0075-drm-xe-gsc-mei-interrupt-top-half-should-be-in-irq-d.patch #CVE-2025-21709 CVE-2025-21709.patch -#CVE-2025-21807 -CVE-2025-21807.patch - #CVE-2025-21817 CVE-2025-21817.patch -#CVE-2025-22103 -CVE-2025-22103.patch - #CVE-2025-22104 CVE-2025-22104.patch @@ -408,19 +409,12 @@ CVE-2025-22104.patch CVE-2025-22105.patch CVE-2025-22105-1.patch -#CVE-2025-22106 -CVE-2025-22106.patch - #CVE-2025-22108 CVE-2025-22108.patch #CVE-2025-22111 CVE-2025-22111.patch -#CVE-2025-22113 -CVE-2025-22113.patch -CVE-2025-22113-1.patch - #CVE-2025-22116 CVE-2025-22116.patch @@ -431,9 +425,6 @@ CVE-2025-22117.patch CVE-2025-22121.patch CVE-2025-22121-1.patch -#CVE-2025-22124 -CVE-2025-22124.patch - #CVE-2025-23131 CVE-2025-23131.patch @@ -455,9 +446,6 @@ CVE-2025-38029.patch #CVE-2025-38311 CVE-2025-38311.patch -#CVE-2025-38306 -CVE-2025-38306.patch - #CVE-2025-38248 CVE-2025-38248.patch @@ -470,9 +458,6 @@ CVE-2025-38207.patch #CVE-2025-38137 CVE-2025-38137.patch -#CVE-2025-38105 -CVE-2025-38105.patch - #CVE-2025-40325 CVE-2025-40325.patch @@ -481,11 +466,6 @@ CVE-2025-38284.patch CVE-2025-38284-1.patch CVE-2025-38284-2.patch -#CVE-2025-38272 -CVE-2025-38272.patch -CVE-2025-38272-1.patch -CVE-2025-38272-2.patch - #CVE-2025-38199 CVE-2025-38199.patch @@ -499,9 +479,6 @@ CVE-2025-38132-1.patch #CVE-2025-37743 CVE-2025-37743.patch -#CVE-2025-23133 -CVE-2025-23133.patch - #CVE-2025-23132 CVE-2025-23132.patch @@ -514,9 +491,6 @@ CVE-2025-23129.patch #CVE-2025-22127 CVE-2025-22127.patch -#CVE-2025-22125 -CVE-2025-22125.patch - #CVE-2025-22109 CVE-2025-22109.patch @@ -543,11 +517,41 @@ CVE-2024-52560-1.patch #CVE-2025-38621 CVE-2025-38621.patch -#CVE-2025-38502 -CVE-2025-38502.patch - #CVE-2025-38627 CVE-2025-38627.patch #CVE-2025-38643 CVE-2025-38643.patch + +#CVE-2025-39789 +CVE-2025-39789.patch + +#CVE-2025-39764 +CVE-2025-39764.patch + +#CVE-2025-39745 +CVE-2025-39745.patch + +#CVE-2025-39677 +CVE-2025-39677.patch + +#CVE-2025-39933 +CVE-2025-39933.patch + +#CVE-2025-39833 +CVE-2025-39833.patch + +#CVE-2025-39925 +CVE-2025-39925.patch + +#CVE-2025-39905 +CVE-2025-39905.patch + +#CVE-2025-39859 +CVE-2025-39859.patch + +#CVE-2025-39910 +CVE-2025-39910.patch + +#CVE-2025-39981 +CVE-2025-39981.patch diff --git a/SPECS/nvidia-data-center-driver/nvidia-data-center-driver.spec b/SPECS/nvidia-data-center-driver/nvidia-data-center-driver.spec index 10be20e0e0..e3beb6180a 100644 --- a/SPECS/nvidia-data-center-driver/nvidia-data-center-driver.spec +++ b/SPECS/nvidia-data-center-driver/nvidia-data-center-driver.spec @@ -10,7 +10,7 @@ Summary: nvidia gpu driver kernel module for data center devices Name: nvidia-data-center-driver Version: 570.133.20 -Release: 10%{?dist} +Release: 11%{?dist} License: Public Domain Source0: https://us.download.nvidia.com/tesla/%{version}/NVIDIA-Linux-x86_64-%{version}.run Vendor: Intel Corporation @@ -51,6 +51,9 @@ make INSTALL_MOD_PATH=%{buildroot} modules_install /sbin/depmod -a %changelog +* Tue Nov 18 2025 Lishan Liu - 570.133.20-11 +- Bump release to rebuild + * Fri Nov 14 2025 Lishan Liu - 570.133.20-10 - Bump release to rebuild diff --git a/cgmanifest.json b/cgmanifest.json index 277d71f198..f138749536 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -8471,8 +8471,8 @@ "type": "other", "other": { "name": "kernel", - "version": "6.12.44", - "downloadUrl": "https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.44.tar.gz" + "version": "6.12.55", + "downloadUrl": "https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.55.tar.gz" } } }, @@ -8501,8 +8501,8 @@ "type": "other", "other": { "name": "kernel-headers", - "version": "6.12.44", - "downloadUrl": "https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.44.tar.gz" + "version": "6.12.55", + "downloadUrl": "https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.55.tar.gz" } } }, @@ -8541,8 +8541,8 @@ "type": "other", "other": { "name": "kernel-rt", - "version": "6.12.44", - "downloadUrl": "https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.44.tar.gz" + "version": "6.12.55", + "downloadUrl": "https://www.kernel.org/pub/linux/kernel/v6.x/linux-6.12.55.tar.gz" } } }, diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 96afbc203f..01b233927f 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -1,5 +1,5 @@ filesystem-1.1-21.emt3.x86_64.rpm -kernel-headers-6.12.44-6.emt3.noarch.rpm +kernel-headers-6.12.55-1.emt3.noarch.rpm glibc-2.38-12.emt3.x86_64.rpm glibc-devel-2.38-12.emt3.x86_64.rpm glibc-i18n-2.38-12.emt3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 720efced62..88dad4306a 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -150,8 +150,8 @@ intltool-0.51.0-7.emt3.noarch.rpm itstool-2.0.7-1.emt3.noarch.rpm kbd-2.2.0-2.emt3.x86_64.rpm kbd-debuginfo-2.2.0-2.emt3.x86_64.rpm -kernel-cross-headers-6.12.44-6.emt3.noarch.rpm -kernel-headers-6.12.44-6.emt3.noarch.rpm +kernel-cross-headers-6.12.55-1.emt3.noarch.rpm +kernel-headers-6.12.55-1.emt3.noarch.rpm kmod-30-1.emt3.x86_64.rpm kmod-debuginfo-30-1.emt3.x86_64.rpm kmod-devel-30-1.emt3.x86_64.rpm diff --git a/toolkit/scripts/toolchain/container/Dockerfile b/toolkit/scripts/toolchain/container/Dockerfile index 08ca561498..e1a4eb4e69 100644 --- a/toolkit/scripts/toolchain/container/Dockerfile +++ b/toolkit/scripts/toolchain/container/Dockerfile @@ -63,7 +63,7 @@ RUN wget -nv --no-clobber --timeout=30 --continue --input-file=$LFS/tools/toolch # Disable downloading from remote sources by default. The 'toolchain-local-wget-list' generated for the above line will download from $(SOURCE_URL) # The 'toolchain-remote-wget-list' is still available and can be used as an alternate to $(SOURCE_URL) if desired. #RUN wget -nv --no-clobber --timeout=30 --continue --input-file=$LFS/tools/toolchain-remote-wget-list --directory-prefix=$LFS/sources; exit 0 -RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/intel/linux-intel-lts/archive/refs/tags/lts-v6.12.44-emt-250903T203906Z.tar.gz -O lts-v6.12.44-emt-250903T203906Z.tar.gz --directory-prefix=$LFS/sources; exit 0 +RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/intel/linux-intel-lts/archive/refs/tags/lts-v6.12.55-emt-251024T084840Z.tar.gz -O lts-v6.12.55-emt-251024T084840Z.tar.gz --directory-prefix=$LFS/sources; exit 0 USER root RUN mkdir -pv $LFS/{etc,var} $LFS/usr/{bin,lib,sbin} && \ diff --git a/toolkit/scripts/toolchain/container/toolchain-sha256sums b/toolkit/scripts/toolchain/container/toolchain-sha256sums index 2d1afafe1c..86aeaef63d 100644 --- a/toolkit/scripts/toolchain/container/toolchain-sha256sums +++ b/toolkit/scripts/toolchain/container/toolchain-sha256sums @@ -28,7 +28,7 @@ a3c2b80201b89e68616f4ad30bc66aee4927c3ce50e33929ca819d5c43538898 gmp-6.3.0.tar. 1db2aedde89d0dea42b16d9528f894c8d15dae4e190b59aecc78f5a951276eab grep-3.11.tar.xz 6b9757f592b7518b4902eb6af7e54570bdccba37a871fddb2d30ae3863511c13 groff-1.23.0.tar.gz 7454eb6935db17c6655576c2e1b0fabefd38b4d0936e0f87f48cd062ce91a057 gzip-1.13.tar.xz -fac0ed5371cbd46ebc8a2a1e152ac5fbb5fc2660e748a7fc1d28b8e399854a1a linux-6.12.44.tar.gz +c8076132f818c0a22b7fe9a1184769406f0a62d0b93e4516d7f1a6d24f3791c3 linux-6.12.55.tar.gz 5d24e40819768f74daf846b99837fc53a3a9dcdf3ce1c2003fe0596db850f0f0 libarchive-3.7.1.tar.gz f311f8f3dad84699d0566d1d6f7ec943a9298b28f714cae3c931dfd57492d7eb libcap-2.69.tar.xz b8b45194989022a79ec1317f64a2a75b1551b2a55bea06f67704cb2a2e4690b0 libpipeline-1.5.7.tar.gz diff --git a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh index 856269d55f..35da43e5dd 100755 --- a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh +++ b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh @@ -86,9 +86,9 @@ rm -rf gcc-13.2.0 touch $LFS/logs/temptoolchain/status_gcc_pass1_complete -KERNEL_VERSION="6.12.44" +KERNEL_VERSION="6.12.55" echo Linux-${KERNEL_VERSION} API Headers -tar xf linux-6.12.44.tar.gz +tar xf linux-6.12.55.tar.gz pushd linux-${KERNEL_VERSION} make mrproper make headers