5 files changed, 173 insertions, 0 deletions
diff --git a/queue-6.15/dm-table-check-blk_feat_atomic_writes-inside-limits_lock.patch b/queue-6.15/dm-table-check-blk_feat_atomic_writes-inside-limits_lock.patch
new file mode 100644
index 0000000000..45bd7555cf
--- /dev/null
+++ b/queue-6.15/dm-table-check-blk_feat_atomic_writes-inside-limits_lock.patch
@@ -0,0 +1,38 @@
+From 85f6d5b729eaace1549f1dcc284d9865f2c3ec02 Mon Sep 17 00:00:00 2001
+From: Benjamin Marzinski <bmarzins@redhat.com>
+Date: Fri, 30 May 2025 10:50:32 -0400
+Subject: dm-table: check BLK_FEAT_ATOMIC_WRITES inside limits_lock
+
+From: Benjamin Marzinski <bmarzins@redhat.com>
+
+commit 85f6d5b729eaace1549f1dcc284d9865f2c3ec02 upstream.
+
+dm_set_device_limits() should check q->limits.features for
+BLK_FEAT_ATOMIC_WRITES while holding q->limits_lock, like it does for
+the rest of the queue limits.
+
+Fixes: b7c18b17a173 ("dm-table: Set BLK_FEAT_ATOMIC_WRITES for target queue limits")
+Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-table.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -431,13 +431,13 @@ static int dm_set_device_limits(struct d
+ return 0;
+ }
+
++ mutex_lock(&q->limits_lock);
+ /*
+ * BLK_FEAT_ATOMIC_WRITES is not inherited from the bottom device in
+ * blk_stack_limits(), so do it manually.
+ */
+ limits->features |= (q->limits.features & BLK_FEAT_ATOMIC_WRITES);
+
+- mutex_lock(&q->limits_lock);
+ if (blk_stack_limits(limits, &q->limits,
+ get_start_sect(bdev) + start) < 0)
+ DMWARN("%s: adding target device %pg caused an alignment inconsistency: "
diff --git a/queue-6.15/documentation-nouveau-update-gsp-message-queue-kernel-doc-reference.patch b/queue-6.15/documentation-nouveau-update-gsp-message-queue-kernel-doc-reference.patch
new file mode 100644
index 0000000000..ec324bf889
--- /dev/null
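Review bot: In the drivers/md/dm-table.c hunk, nothing in the code says why `mutex_lock(&q->limits_lock)` now has to precede the `limits->features |= ...` line, so a later cleanup could move the lock back down and reintroduce the unlocked read of `q->limits.features`. I would add one line to the existing block comment, `* Read q->limits.features under limits_lock, like the limits passed to blk_stack_limits().` The matching `mutex_unlock()` and the rest of dm_set_device_limits() are outside the hunk, so it is worth confirming that no return path sits between the new lock position and the unlock; the only `return 0;` visible here is before the lock.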
+++ b/queue-6.15/documentation-nouveau-update-gsp-message-queue-kernel-doc-reference.patch 
@@ -0,0 +1,44 @@
+From 553ab30a181043f01b99a493ba13f9c011eb75ae Mon Sep 17 00:00:00 2001
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+Date: Wed, 11 Jun 2025 09:08:06 +0700
+Subject: Documentation: nouveau: Update GSP message queue kernel-doc reference
+
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+
+commit 553ab30a181043f01b99a493ba13f9c011eb75ae upstream.
+
+GSP message queue docs has been moved following RPC handling split in
+commit 8a8b1ec5261f20 ("drm/nouveau/gsp: split rpc handling out on its
+own"), before GSP-RM implementation is versioned in commit c472d828348caf
+("drm/nouveau/gsp: move subdev/engine impls to subdev/gsp/rm/r535/").
+However, the kernel-doc reference in nouveau docs is left behind, which
+triggers htmldocs warnings:
+
+ERROR: Cannot find file ./drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
+WARNING: No kernel-doc for file ./drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
+
+Update the reference.
+
+Fixes: c472d828348c ("drm/nouveau/gsp: move subdev/engine impls to subdev/gsp/rm/r535/")
+Fixes: 8a8b1ec5261f ("drm/nouveau/gsp: split rpc handling out on its own")
+Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Link: https://lore.kernel.org/r/20250611020805.22418-2-bagasdotme@gmail.com
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/gpu/nouveau.rst | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/gpu/nouveau.rst
++++ b/Documentation/gpu/nouveau.rst
+@@ -25,7 +25,7 @@ providing a consistent API to upper laye
+ GSP Support
+ ------------------------
+
+-.. kernel-doc:: drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c
++.. kernel-doc:: drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c
+ :doc: GSP message queue element
+
+ .. kernel-doc:: drivers/gpu/drm/nouveau/include/nvkm/subdev/gsp.h
diff --git a/queue-6.15/rust-devres-fix-doctest-build-under-config_pci.patch b/queue-6.15/rust-devres-fix-doctest-build-under-config_pci.patch
new file mode 100644
index 0000000000..2702c471a3
--- /dev/null
+++ b/queue-6.15/rust-devres-fix-doctest-build-under-config_pci.patch
@@ -0,0 +1,43 @@
+From 42055939a3a4cac8afbebff85a29571c2bd3238c Mon Sep 17 00:00:00 2001
+From: Miguel Ojeda <ojeda@kernel.org>
+Date: Sun, 11 May 2025 20:25:33 +0200
+Subject: rust: devres: fix doctest build under `!CONFIG_PCI`
+
+From: Miguel Ojeda <ojeda@kernel.org>
+
+commit 42055939a3a4cac8afbebff85a29571c2bd3238c upstream.
+
+The doctest requires `CONFIG_PCI`:
+
+ error[E0432]: unresolved import `kernel::pci`
+ --> rust/doctests_kernel_generated.rs:2689:44
+ |
+ 2689 | use kernel::{device::Core, devres::Devres, pci};
+ | ^^^ no `pci` in the root
+ |
+ note: found an item that was configured out
+ --> rust/kernel/lib.rs:96:9
+ note: the item is gated here
+ --> rust/kernel/lib.rs:95:1
+
+Thus conditionally compile it (which still checks the syntax).
+
+Fixes: f301cb978c06 ("rust: devres: implement Devres::access()")
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Link: https://lore.kernel.org/r/20250511182533.1016163-1-ojeda@kernel.org
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ rust/kernel/devres.rs | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/rust/kernel/devres.rs
++++ b/rust/kernel/devres.rs
+@@ -208,6 +208,7 @@ impl<T> Devres<T> {
+ /// # Example
+ ///
+ /// ```no_run
++ /// # #![cfg(CONFIG_PCI)]
+ /// # use kernel::{device::Core, devres::Devres, pci};
+ ///
+ /// fn from_core(dev: &pci::Device<Core>, devres: Devres<pci::Bar<0x4>>) -> Result {
diff --git a/queue-6.15/series b/queue-6.15/series
index 81d8953abd..8be2c8eafa 100644
--- a/queue-6.15/series
+++ b/queue-6.15/series
@@ -564,3 +564,7 @@ smb-client-fix-first-command-failure-during-re-negotiation.patch
 smb-client-fix-max_sge-overflow-in-smb_extract_folioq_to_rdma.patch
 edac-igen6-fix-null-pointer-dereference.patch
 x86-its-fix-an-ifdef-typo-in-its_alloc.patch
+rust-devres-fix-doctest-build-under-config_pci.patch
+dm-table-check-blk_feat_atomic_writes-inside-limits_lock.patch
+tracing-do-not-free-head-on-error-path-of-filter_free_subsystem_filters.patch
+documentation-nouveau-update-gsp-message-queue-kernel-doc-reference.patch
diff --git a/queue-6.15/tracing-do-not-free-head-on-error-path-of-filter_free_subsystem_filters.patch b/queue-6.15/tracing-do-not-free-head-on-error-path-of-filter_free_subsystem_filters.patch
new file mode 100644
index 0000000000..aa9d757796
--- /dev/null
+++ b/queue-6.15/tracing-do-not-free-head-on-error-path-of-filter_free_subsystem_filters.patch
@@ -0,0 +1,44 @@
+From 8a157d8a00e815cab4432653cb50c9cedbbb4931 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Tue, 10 Jun 2025 09:33:48 -0400
+Subject: tracing: Do not free "head" on error path of filter_free_subsystem_filters()
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit 8a157d8a00e815cab4432653cb50c9cedbbb4931 upstream.
+
+The variable "head" is allocated and initialized as a list before
+allocating the first "item" for the list. If the allocation of "item"
+fails, it frees "head" and then jumps to the label "free_now" which will
+process head and free it.
+
+This will cause a UAF of "head", and it doesn't need to free it before
+jumping to the "free_now" label as that code will free it.
+
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Link: https://lore.kernel.org/20250610093348.33c5643a@gandalf.local.home
+Fixes: a9d0aab5eb33 ("tracing: Fix regression of filter waiting a long time on RCU synchronization")
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/r/202506070424.lCiNreTI-lkp@intel.com/
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_events_filter.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/kernel/trace/trace_events_filter.c
++++ b/kernel/trace/trace_events_filter.c
+@@ -1435,10 +1435,8 @@ static void filter_free_subsystem_filter
+ INIT_LIST_HEAD(&head->list);
+
+ item = kmalloc(sizeof(*item), GFP_KERNEL);
+- if (!item) {
+- kfree(head);
++ if (!item)
+ goto free_now;
+- }
+
+ item->filter = filter;
+ list_add_tail(&item->list, &head->list); |
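Review bot: The new `if (!item) goto free_now;` path relies entirely on the `free_now` code to release `head`, and nothing at the jump says so; since the bug fixed here was a use-after-free caused by an extra `kfree(head)` at exactly this spot, a comment such as `/* free_now releases head; do not kfree() it before jumping */` would keep it from being reintroduced. The jump also skips `item->filter = filter;`, so `filter` is never linked into the list on this path. The `free_now` label is outside the hunk, so please confirm that it releases `filter` itself and copes with an initialised but empty `head->list`. filter_free_subsystem_filters() starts and ends outside the hunk.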