7 files changed, 370 insertions, 0 deletions
diff --git a/queue-6.15/drm-v3d-avoid-null-pointer-dereference-in-v3d_job_update_stats.patch b/queue-6.15/drm-v3d-avoid-null-pointer-dereference-in-v3d_job_update_stats.patch
new file mode 100644
index 00000000000..28ebb68d837
--- /dev/null
+++ b/queue-6.15/drm-v3d-avoid-null-pointer-dereference-in-v3d_job_update_stats.patch
@@ -0,0 +1,111 @@
+From e1bc3a13bd775791cca0bb144d977b00f3598042 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ma=C3=ADra=20Canal?= <mcanal@igalia.com>
+Date: Mon, 2 Jun 2025 12:14:02 -0300
+Subject: drm/v3d: Avoid NULL pointer dereference in `v3d_job_update_stats()`
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+commit e1bc3a13bd775791cca0bb144d977b00f3598042 upstream.
+
+The following kernel Oops was recently reported by Mesa CI:
+
+[ 800.139824] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000588
+[ 800.148619] Mem abort info:
+[ 800.151402] ESR = 0x0000000096000005
+[ 800.155141] EC = 0x25: DABT (current EL), IL = 32 bits
+[ 800.160444] SET = 0, FnV = 0
+[ 800.163488] EA = 0, S1PTW = 0
+[ 800.166619] FSC = 0x05: level 1 translation fault
+[ 800.171487] Data abort info:
+[ 800.174357] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
+[ 800.179832] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+[ 800.184873] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+[ 800.190176] user pgtable: 4k pages, 39-bit VAs, pgdp=00000001014c2000
+[ 800.196607] [0000000000000588] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
+[ 800.205305] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
+[ 800.211564] Modules linked in: vc4 snd_soc_hdmi_codec drm_display_helper v3d cec gpu_sched drm_dma_helper drm_shmem_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm i2c_brcmstb snd_timer snd backlight
+[ 800.234448] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1 Debian 1:6.12.25-1+rpt1
+[ 800.244182] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT)
+[ 800.250005] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 800.256959] pc : v3d_job_update_stats+0x60/0x130 [v3d]
+[ 800.262112] lr : v3d_job_update_stats+0x48/0x130 [v3d]
+[ 800.267251] sp : ffffffc080003e60
+[ 800.270555] x29: ffffffc080003e60 x28: ffffffd842784980 x27: 0224012000000000
+[ 800.277687] x26: ffffffd84277f630 x25: ffffff81012fd800 x24: 0000000000000020
+[ 800.284818] x23: ffffff8040238b08 x22: 0000000000000570 x21: 0000000000000158
+[ 800.291948] x20: 0000000000000000 x19: ffffff8040238000 x18: 0000000000000000
+[ 800.299078] x17: ffffffa8c1bd2000 x16: ffffffc080000000 x15: 0000000000000000
+[ 800.306208] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
+[ 800.313338] x11: 0000000000000040 x10: 0000000000001a40 x9 : ffffffd83b39757c
+[ 800.320468] x8 : ffffffd842786420 x7 : 7fffffffffffffff x6 : 0000000000ef32b0
+[ 800.327598] x5 : 00ffffffffffffff x4 : 0000000000000015 x3 : ffffffd842784980
+[ 800.334728] x2 : 0000000000000004 x1 : 0000000000010002 x0 : 000000ba4c0ca382
+[ 800.341859] Call trace:
+[ 800.344294] v3d_job_update_stats+0x60/0x130 [v3d]
+[ 800.349086] v3d_irq+0x124/0x2e0 [v3d]
+[ 800.352835] __handle_irq_event_percpu+0x58/0x218
+[ 800.357539] handle_irq_event+0x54/0xb8
+[ 800.361369] handle_fasteoi_irq+0xac/0x240
+[ 800.365458] handle_irq_desc+0x48/0x68
+[ 800.369200] generic_handle_domain_irq+0x24/0x38
+[ 800.373810] gic_handle_irq+0x48/0xd8
+[ 800.377464] call_on_irq_stack+0x24/0x58
+[ 800.381379] do_interrupt_handler+0x88/0x98
+[ 800.385554] el1_interrupt+0x34/0x68
+[ 800.389123] el1h_64_irq_handler+0x18/0x28
+[ 800.393211] el1h_64_irq+0x64/0x68
+[ 800.396603] default_idle_call+0x3c/0x168
+[ 800.400606] do_idle+0x1fc/0x230
+[ 800.403827] cpu_startup_entry+0x40/0x50
+[ 800.407742] rest_init+0xe4/0xf0
+[ 800.410962] start_kernel+0x5e8/0x790
+[ 800.414616] __primary_switched+0x80/0x90
+[ 800.418622] Code: 8b170277 8b160296 11000421 b9000861 (b9401ac1)
+[ 800.424707] ---[ end trace 0000000000000000 ]---
+[ 800.457313] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---
+
+This issue happens when the file descriptor is closed before the jobs
+submitted by it are completed. When the job completes, we update the
+global GPU stats and the per-fd GPU stats, which are exposed through
+fdinfo. If the file descriptor was closed, then the struct `v3d_file_priv`
+and its stats were already freed and we can't update the per-fd stats.
+
+Therefore, if the file descriptor was already closed, don't update the
+per-fd GPU stats, only update the global ones.
+
+Cc: stable@vger.kernel.org # v6.12+
+Reviewed-by: Jose Maria Casanova Crespo <jmcasanova@igalia.com>
+Link: https://lore.kernel.org/r/20250602151451.10161-1-mcanal@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/v3d/v3d_sched.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/v3d/v3d_sched.c
++++ b/drivers/gpu/drm/v3d/v3d_sched.c
+@@ -199,7 +199,6 @@ v3d_job_update_stats(struct v3d_job *job
+ struct v3d_dev *v3d = job->v3d;
+ struct v3d_file_priv *file = job->file->driver_priv;
+ struct v3d_stats *global_stats = &v3d->queue[queue].stats;
+- struct v3d_stats *local_stats = &file->stats[queue];
+ u64 now = local_clock();
+ unsigned long flags;
+
+@@ -209,7 +208,12 @@ v3d_job_update_stats(struct v3d_job *job
+ else
+ preempt_disable();
+
+- v3d_stats_update(local_stats, now);
++ /* Don't update the local stats if the file context has already closed */
++ if (file)
++ v3d_stats_update(&file->stats[queue], now);
++ else
++ drm_dbg(&v3d->drm, "The file descriptor was closed before job completion\n");
++
+ v3d_stats_update(global_stats, now);
+
+ if (IS_ENABLED(CONFIG_LOCKDEP))
diff --git a/queue-6.15/drm-xe-svm-fix-regression-disallowing-64k-svm-migration.patch b/queue-6.15/drm-xe-svm-fix-regression-disallowing-64k-svm-migration.patch
new file mode 100644
index 00000000000..4292cd02841
--- /dev/null
+++ b/queue-6.15/drm-xe-svm-fix-regression-disallowing-64k-svm-migration.patch
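Review bot: The NULL test on `file` in the second hunk of the v3d patch is only sound if the read of `job->file->driver_priv` (taken at the top of the function, in the first hunk) is ordered against the postclose path that frees `v3d_file_priv`; nothing in the hunk shows a lock or RCU section covering that load, and the call trace shows it running from `v3d_irq`, so if postclose clears `driver_priv` and frees the object without synchronising on whatever the scheduler holds here, the change narrows the window rather than closing it — worth confirming against the driver's postclose handler. The contract the check relies on should be stated where the pointer is read: `/* driver_priv is cleared on fd close; NULL here means the per-fd stats no longer exist */`. v3d_job_update_stats() begins before the first hunk and continues after the second.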
@@ -0,0 +1,41 @@
+From d6fb4f01736a1d18cc981eb04fa2907a7121fc27 Mon Sep 17 00:00:00 2001
+From: Maarten Lankhorst <dev@lankhorst.se>
+Date: Wed, 21 May 2025 11:01:02 +0200
+Subject: drm/xe/svm: Fix regression disallowing 64K SVM migration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maarten Lankhorst <dev@lankhorst.se>
+
+commit d6fb4f01736a1d18cc981eb04fa2907a7121fc27 upstream.
+
+When changing the condition from >= SZ_64K, it was changed to <= SZ_64K.
+This disallows migration of 64K, which is the exact minimum allowed.
+
+Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/5057
+Fixes: 794f5493f518 ("drm/xe: Strict migration policy for atomic SVM faults")
+Cc: stable@vger.kernel.org
+Cc: Matthew Brost <matthew.brost@intel.com>
+Cc: Himal Prasad Ghimiray <himal.prasad.ghimiray@intel.com>
+Reviewed-by: Himal Prasad Ghimiray <himal.prasad.ghimiray@intel.com>
+Signed-off-by: Maarten Lankhorst <dev@lankhorst.se>
+Link: https://lore.kernel.org/r/20250521090102.2965100-1-dev@lankhorst.se
+(cherry picked from commit 531bef26d189b28bf0d694878c0e064b30990b6c)
+Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/xe_svm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/xe/xe_svm.c
++++ b/drivers/gpu/drm/xe/xe_svm.c
+@@ -750,7 +750,7 @@ static bool xe_svm_range_needs_migrate_t
+ return false;
+ }
+
+- if (range_size <= SZ_64K && !supports_4K_migration(vm->xe)) {
++ if (range_size < SZ_64K && !supports_4K_migration(vm->xe)) {
+ drm_dbg(&vm->xe->drm, "Platform doesn't support SZ_4K range migration\n");
+ return false;
+ }
diff --git a/queue-6.15/erofs-remove-unused-trace-event-erofs_destroy_inode.patch b/queue-6.15/erofs-remove-unused-trace-event-erofs_destroy_inode.patch
new file mode 100644
index 00000000000..cab2e51c1c1
--- /dev/null
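Review bot: The boundary in `if (range_size < SZ_64K && !supports_4K_migration(vm->xe))` has now been flipped twice (the commit message records `>=` becoming `<=`), so it should carry a comment stating the intended inclusive minimum rather than leaving the next editor to re-derive it: `/* 64K is the smallest migratable range without 4K support; exactly 64K must be allowed */`. The `drm_dbg` text still describes the rejected case correctly. The enclosing function (shown truncated as `xe_svm_range_needs_migrate_t…` in the hunk header) starts before and continues after this hunk.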
+++ b/queue-6.15/erofs-remove-unused-trace-event-erofs_destroy_inode.patch
@@ -0,0 +1,51 @@
+From 30b58444807c93bffeaba7d776110f2a909d2f9a Mon Sep 17 00:00:00 2001
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+Date: Tue, 17 Jun 2025 13:40:56 +0800
+Subject: erofs: remove unused trace event erofs_destroy_inode
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+commit 30b58444807c93bffeaba7d776110f2a909d2f9a upstream.
+
+The trace event `erofs_destroy_inode` was added but remains unused. This
+unused event contributes approximately 5KB to the kernel module size.
+
+Reported-by: Steven Rostedt <rostedt@goodmis.org>
+Closes: https://lore.kernel.org/r/20250612224906.15000244@batman.local.home
+Fixes: 13f06f48f7bf ("staging: erofs: support tracepoint")
+Cc: stable@vger.kernel.org
+Reviewed-by: Hongbo Li <lihongbo22@huawei.com>
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20250617054056.3232365-1-hsiangkao@linux.alibaba.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/trace/events/erofs.h | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+--- a/include/trace/events/erofs.h
++++ b/include/trace/events/erofs.h
+@@ -211,24 +211,6 @@ TRACE_EVENT(erofs_map_blocks_exit,
+ show_mflags(__entry->mflags), __entry->ret)
+ );
+
+-TRACE_EVENT(erofs_destroy_inode,
+- TP_PROTO(struct inode *inode),
+-
+- TP_ARGS(inode),
+-
+- TP_STRUCT__entry(
+- __field( dev_t, dev )
+- __field( erofs_nid_t, nid )
+- ),
+-
+- TP_fast_assign(
+- __entry->dev = inode->i_sb->s_dev;
+- __entry->nid = EROFS_I(inode)->nid;
+- ),
+-
+- TP_printk("dev = (%d,%d), nid = %llu", show_dev_nid(__entry))
+-);
+-
+ #endif /* _TRACE_EROFS_H */
+
+ /* This part must be outside protection */
diff --git a/queue-6.15/io_uring-net-always-use-current-transfer-count-for-buffer-put.patch b/queue-6.15/io_uring-net-always-use-current-transfer-count-for-buffer-put.patch
new file mode 100644
index 00000000000..5d19a9e277a
--- /dev/null
+++ b/queue-6.15/io_uring-net-always-use-current-transfer-count-for-buffer-put.patch
@@ -0,0 +1,36 @@
+From 51a4598ad5d9eb6be4ec9ba65bbfdf0ac302eb2e Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Fri, 20 Jun 2025 07:41:21 -0600
+Subject: io_uring/net: always use current transfer count for buffer put
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 51a4598ad5d9eb6be4ec9ba65bbfdf0ac302eb2e upstream.
+
+A previous fix corrected the retry condition for when to continue a
+current bundle, but it missed that the current (not the total) transfer
+count also applies to the buffer put. If not, then for incrementally
+consumed buffer rings repeated completions on the same request may end
+up over consuming.
+
+Reported-by: Roy Tang (ErgoniaTrading) <royonia@ergonia.io>
+Cc: stable@vger.kernel.org
+Fixes: 3a08988123c8 ("io_uring/net: only retry recv bundle for a full transfer")
+Link: https://github.com/axboe/liburing/issues/1423
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -829,7 +829,7 @@ static inline bool io_recv_finish(struct
+ if (sr->flags & IORING_RECVSEND_BUNDLE) {
+ size_t this_ret = *ret - sr->done_io;
+
+- cflags |= io_put_kbufs(req, *ret, io_bundle_nbufs(kmsg, this_ret),
++ cflags |= io_put_kbufs(req, this_ret, io_bundle_nbufs(kmsg, this_ret),
+ issue_flags);
+ if (sr->retry)
+ cflags = req->cqe.flags | (cflags & CQE_F_MASK);
diff --git a/queue-6.15/nfsd-use-threads-array-as-is-in-netlink-interface.patch b/queue-6.15/nfsd-use-threads-array-as-is-in-netlink-interface.patch
new file mode 100644
index 00000000000..e355decc5a5
--- /dev/null
+++ b/queue-6.15/nfsd-use-threads-array-as-is-in-netlink-interface.patch
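Review bot: After this change `this_ret = *ret - sr->done_io` is the only count that reaches both `io_put_kbufs()` and `io_bundle_nbufs()`, so the assumption that `*ret` is not below `sr->done_io` at this point — presumably established by the caller, outside the hunk — now decides how many ring buffers are released, and a `size_t` wrap there would over-release rather than under-release. The reason for using the per-completion count deserves a comment at the `size_t this_ret` line, e.g. `/* buffers already put on earlier retries are covered by done_io; put only what this completion consumed */`. io_recv_finish() begins before and continues after the hunk.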
@@ -0,0 +1,58 @@
+From 8ea688a3372e8369dc04395b39b4e71a6d91d4d5 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@kernel.org>
+Date: Tue, 27 May 2025 20:12:47 -0400
+Subject: nfsd: use threads array as-is in netlink interface
+
+From: Jeff Layton <jlayton@kernel.org>
+
+commit 8ea688a3372e8369dc04395b39b4e71a6d91d4d5 upstream.
+
+The old nfsdfs interface for starting a server with multiple pools
+handles the special case of a single entry array passed down from
+userland by distributing the threads over every NUMA node.
+
+The netlink control interface however constructs an array of length
+nfsd_nrpools() and fills any unprovided slots with 0's. This behavior
+defeats the special casing that the old interface relies on.
+
+Change nfsd_nl_threads_set_doit() to pass down the array from userland
+as-is.
+
+Fixes: 7f5c330b2620 ("nfsd: allow passing in array of thread counts via netlink")
+Cc: stable@vger.kernel.org
+Reported-by: Mike Snitzer <snitzer@kernel.org>
+Closes: https://lore.kernel.org/linux-nfs/aDC-ftnzhJAlwqwh@kernel.org/
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfsctl.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -1611,7 +1611,7 @@ out_unlock:
+ */
+ int nfsd_nl_threads_set_doit(struct sk_buff *skb, struct genl_info *info)
+ {
+- int *nthreads, count = 0, nrpools, i, ret = -EOPNOTSUPP, rem;
++ int *nthreads, nrpools = 0, i, ret = -EOPNOTSUPP, rem;
+ struct net *net = genl_info_net(info);
+ struct nfsd_net *nn = net_generic(net, nfsd_net_id);
+ const struct nlattr *attr;
+@@ -1623,12 +1623,11 @@ int nfsd_nl_threads_set_doit(struct sk_b
+ /* count number of SERVER_THREADS values */
+ nlmsg_for_each_attr(attr, info->nlhdr, GENL_HDRLEN, rem) {
+ if (nla_type(attr) == NFSD_A_SERVER_THREADS)
+- count++;
++ nrpools++;
+ }
+
+ mutex_lock(&nfsd_mutex);
+
+- nrpools = max(count, nfsd_nrpools(net));
+ nthreads = kcalloc(nrpools, sizeof(int), GFP_KERNEL);
+ if (!nthreads) {
+ ret = -ENOMEM;
diff --git a/queue-6.15/series b/queue-6.15/series
index 9383fa4a4b0..db3430319de 100644
--- a/queue-6.15/series
+++ b/queue-6.15/series
@@ -496,3 +496,9 @@ alsa-hda-realtek-fix-built-in-mic-on-asus-vivobook-x513ea.patch
 alsa-hda-realtek-add-quirk-for-asus-gu605c.patch
 drm-appletbdrm-make-appletbdrm-depend-on-x86.patch
 mm-madvise-handle-madvise_lock-failure-during-race-unwinding.patch
+erofs-remove-unused-trace-event-erofs_destroy_inode.patch
+nfsd-use-threads-array-as-is-in-netlink-interface.patch
+sunrpc-handle-svc_garbage-during-svc-auth-processing-as-auth-error.patch
+io_uring-net-always-use-current-transfer-count-for-buffer-put.patch
+drm-xe-svm-fix-regression-disallowing-64k-svm-migration.patch
+drm-v3d-avoid-null-pointer-dereference-in-v3d_job_update_stats.patch
diff --git a/queue-6.15/sunrpc-handle-svc_garbage-during-svc-auth-processing-as-auth-error.patch b/queue-6.15/sunrpc-handle-svc_garbage-during-svc-auth-processing-as-auth-error.patch
new file mode 100644
index 00000000000..afc0b8c208d
--- /dev/null
+++ b/queue-6.15/sunrpc-handle-svc_garbage-during-svc-auth-processing-as-auth-error.patch
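Review bot: In the nfsd patch, `nrpools` is now exactly the number of `NFSD_A_SERVER_THREADS` attributes the sender supplied, so the `kcalloc(nrpools, sizeof(int), GFP_KERNEL)` in the second hunk is sized entirely by the request; the removed `max(count, nfsd_nrpools(net))` floor used to guarantee a non-empty array, and with it gone `nrpools == 0` yields a zero-size allocation that passes the `!nthreads` check, after which any `nthreads[0]` access in the rest of the function would be out of bounds. If an earlier attribute check in the function (outside the hunk) already rejects a request with no thread counts this is moot, but that dependency should be visible here: either a comment at the counting loop, or a guard placed before `mutex_lock(&nfsd_mutex)` — `if (!nrpools) return -EINVAL;`. nfsd_nl_threads_set_doit() continues past the second hunk.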
@@ -0,0 +1,67 @@
+From 94d10a4dba0bc482f2b01e39f06d5513d0f75742 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@kernel.org>
+Date: Thu, 19 Jun 2025 06:01:55 -0400
+Subject: sunrpc: handle SVC_GARBAGE during svc auth processing as auth error
+
+From: Jeff Layton <jlayton@kernel.org>
+
+commit 94d10a4dba0bc482f2b01e39f06d5513d0f75742 upstream.
+
+tianshuo han reported a remotely-triggerable crash if the client sends a
+kernel RPC server a specially crafted packet. If decoding the RPC reply
+fails in such a way that SVC_GARBAGE is returned without setting the
+rq_accept_statp pointer, then that pointer can be dereferenced and a
+value stored there.
+
+If it's the first time the thread has processed an RPC, then that
+pointer will be set to NULL and the kernel will crash. In other cases,
+it could create a memory scribble.
+
+The server sunrpc code treats a SVC_GARBAGE return from svc_authenticate
+or pg_authenticate as if it should send a GARBAGE_ARGS reply. RFC 5531
+says that if authentication fails that the RPC should be rejected
+instead with a status of AUTH_ERR.
+
+Handle a SVC_GARBAGE return as an AUTH_ERROR, with a reason of
+AUTH_BADCRED instead of returning GARBAGE_ARGS in that case. This
+sidesteps the whole problem of touching the rpc_accept_statp pointer in
+this situation and avoids the crash.
+
+Cc: stable@kernel.org
+Fixes: 29cd2927fb91 ("SUNRPC: Fix encoding of accepted but unsuccessful RPC replies")
+Reported-by: tianshuo han <hantianshuo233@gmail.com>
+Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/svc.c | 11 ++--------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+--- a/net/sunrpc/svc.c
++++ b/net/sunrpc/svc.c
+@@ -1369,7 +1369,8 @@ svc_process_common(struct svc_rqst *rqst
+ case SVC_OK:
+ break;
+ case SVC_GARBAGE:
+- goto err_garbage_args;
++ rqstp->rq_auth_stat = rpc_autherr_badcred;
++ goto err_bad_auth;
+ case SVC_SYSERR:
+ goto err_system_err;
+ case SVC_DENIED:
+@@ -1510,14 +1511,6 @@ err_bad_proc:
+ *rqstp->rq_accept_statp = rpc_proc_unavail;
+ goto sendit;
+
+-err_garbage_args:
+- svc_printk(rqstp, "failed to decode RPC header\n");
+-
+- if (serv->sv_stats)
+- serv->sv_stats->rpcbadfmt++;
+- *rqstp->rq_accept_statp = rpc_garbage_args;
+- goto sendit;
+-
+ err_system_err:
+ if (serv->sv_stats)
+ serv->sv_stats->rpcbadfmt++; |
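Review bot: The new `case SVC_GARBAGE:` arm sets `rq_auth_stat` and jumps to `err_bad_auth` without saying why a decode failure in the auth layer is reported as a credential error, and the reasoning (RFC 5531 rejection, plus `rq_accept_statp` not being valid yet) is exactly what a later cleanup would lose; a comment on the arm would pin it: `/* Auth-layer decode failure: reject with AUTH_ERROR per RFC 5531, never GARBAGE_ARGS — rq_accept_statp may not be set yet */`. The deleted `err_garbage_args` path also bumped `rpcbadfmt` and logged via `svc_printk`; whether `err_bad_auth` (outside the hunk) increments a corresponding counter decides if this class of malformed request remains visible in the server statistics, which is what an operator watching for crafted traffic would rely on. svc_process_common() begins before the first hunk and continues after the second.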