diff options
24 files changed, 1767 insertions, 0 deletions
diff --git a/queue-6.6/atm-revert-atm_account_tx-if-copy_from_iter_full-fails.patch b/queue-6.6/atm-revert-atm_account_tx-if-copy_from_iter_full-fails.patch new file mode 100644 index 00000000000..edb71bbf27d --- /dev/null +++ b/queue-6.6/atm-revert-atm_account_tx-if-copy_from_iter_full-fails.patch @@ -0,0 +1,75 @@ +From 7851263998d4269125fd6cb3fdbfc7c6db853859 Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima <kuniyu@google.com> +Date: Mon, 16 Jun 2025 11:21:15 -0700 +Subject: atm: Revert atm_account_tx() if copy_from_iter_full() fails. + +From: Kuniyuki Iwashima <kuniyu@google.com> + +commit 7851263998d4269125fd6cb3fdbfc7c6db853859 upstream. + +In vcc_sendmsg(), we account skb->truesize to sk->sk_wmem_alloc by +atm_account_tx(). + +It is expected to be reverted by atm_pop_raw() later called by +vcc->dev->ops->send(vcc, skb). + +However, vcc_sendmsg() misses the same revert when copy_from_iter_full() +fails, and then we will leak a socket. + +Let's factorise the revert part as atm_return_tx() and call it in +the failure path. + +Note that the corresponding sk_wmem_alloc operation can be found in +alloc_tx() as of the blamed commit. + + $ git blame -L:alloc_tx net/atm/common.c c55fa3cccbc2c~ + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Simon Horman <horms@kernel.org> +Closes: https://lore.kernel.org/netdev/20250614161959.GR414686@horms.kernel.org/ +Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> +Link: https://patch.msgid.link/20250616182147.963333-3-kuni1840@gmail.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + include/linux/atmdev.h | 6 ++++++ + net/atm/common.c | 1 + + net/atm/raw.c | 2 +- + 3 files changed, 8 insertions(+), 1 deletion(-) + +--- a/include/linux/atmdev.h ++++ b/include/linux/atmdev.h +@@ -249,6 +249,12 @@ static inline void atm_account_tx(struct + ATM_SKB(skb)->atm_options = vcc->atm_options; + } + ++static inline void atm_return_tx(struct atm_vcc *vcc, struct sk_buff *skb) ++{ ++ WARN_ON_ONCE(refcount_sub_and_test(ATM_SKB(skb)->acct_truesize, ++ &sk_atm(vcc)->sk_wmem_alloc)); ++} ++ + static inline void atm_force_charge(struct atm_vcc *vcc,int truesize) + { + atomic_add(truesize, &sk_atm(vcc)->sk_rmem_alloc); +--- a/net/atm/common.c ++++ b/net/atm/common.c +@@ -635,6 +635,7 @@ int vcc_sendmsg(struct socket *sock, str + + skb->dev = NULL; /* for paths shared with net_device interfaces */ + if (!copy_from_iter_full(skb_put(skb, size), size, &m->msg_iter)) { ++ atm_return_tx(vcc, skb); + kfree_skb(skb); + error = -EFAULT; + goto out; +--- a/net/atm/raw.c ++++ b/net/atm/raw.c +@@ -36,7 +36,7 @@ static void atm_pop_raw(struct atm_vcc * + + pr_debug("(%d) %d -= %d\n", + vcc->vci, sk_wmem_alloc_get(sk), ATM_SKB(skb)->acct_truesize); +- WARN_ON(refcount_sub_and_test(ATM_SKB(skb)->acct_truesize, &sk->sk_wmem_alloc)); ++ atm_return_tx(vcc, skb); + dev_kfree_skb_any(skb); + sk->sk_write_space(sk); + } diff --git a/queue-6.6/cifs-deal-with-the-channel-loading-lag-while-picking-channels.patch b/queue-6.6/cifs-deal-with-the-channel-loading-lag-while-picking-channels.patch new file mode 100644 index 00000000000..55055845957 --- /dev/null +++ b/queue-6.6/cifs-deal-with-the-channel-loading-lag-while-picking-channels.patch @@ -0,0 +1,78 @@ +From 66d590b828b1fd9fa337047ae58fe1c4c6f43609 Mon Sep 17 00:00:00 2001 +From: Shyam Prasad N <sprasad@microsoft.com> +Date: Mon, 2 Jun 2025 22:37:12 +0530 +Subject: cifs: deal with the channel loading lag while picking channels + +From: Shyam Prasad N <sprasad@microsoft.com> + +commit 66d590b828b1fd9fa337047ae58fe1c4c6f43609 upstream. + +Our current approach to select a channel for sending requests is this: +1. iterate all channels to find the min and max queue depth +2. if min and max are not the same, pick the channel with min depth +3. if min and max are same, round robin, as all channels are equally loaded + +The problem with this approach is that there's a lag between selecting +a channel and sending the request (that increases the queue depth on the channel). +While these numbers will eventually catch up, there could be a skew in the +channel usage, depending on the application's I/O parallelism and the server's +speed of handling requests. + +With sufficient parallelism, this lag can artificially increase the queue depth, +thereby impacting the performance negatively. + +This change will change the step 1 above to start the iteration from the last +selected channel. This is to reduce the skew in channel usage even in the presence +of this lag. + +Fixes: ea90708d3cf3 ("cifs: use the least loaded channel for sending requests") +Cc: <stable@vger.kernel.org> +Signed-off-by: Shyam Prasad N <sprasad@microsoft.com> +Signed-off-by: Steve French <stfrench@microsoft.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/smb/client/transport.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/fs/smb/client/transport.c ++++ b/fs/smb/client/transport.c +@@ -1025,14 +1025,16 @@ struct TCP_Server_Info *cifs_pick_channe + uint index = 0; + unsigned int min_in_flight = UINT_MAX, max_in_flight = 0; + struct TCP_Server_Info *server = NULL; +- int i; ++ int i, start, cur; + + if (!ses) + return NULL; + + spin_lock(&ses->chan_lock); ++ start = atomic_inc_return(&ses->chan_seq); + for (i = 0; i < ses->chan_count; i++) { +- server = ses->chans[i].server; ++ cur = (start + i) % ses->chan_count; ++ server = ses->chans[cur].server; + if (!server || server->terminate) + continue; + +@@ -1049,17 +1051,15 @@ struct TCP_Server_Info *cifs_pick_channe + */ + if (server->in_flight < min_in_flight) { + min_in_flight = server->in_flight; +- index = i; ++ index = cur; + } + if (server->in_flight > max_in_flight) + max_in_flight = server->in_flight; + } + + /* if all channels are equally loaded, fall back to round-robin */ +- if (min_in_flight == max_in_flight) { +- index = (uint)atomic_inc_return(&ses->chan_seq); +- index %= ses->chan_count; +- } ++ if (min_in_flight == max_in_flight) ++ index = (uint)start % ses->chan_count; + + server = ses->chans[index].server; + spin_unlock(&ses->chan_lock); diff --git a/queue-6.6/cifs-do-not-disable-interface-polling-on-failure.patch b/queue-6.6/cifs-do-not-disable-interface-polling-on-failure.patch new file mode 100644 index 00000000000..cae910abe68 --- /dev/null +++ b/queue-6.6/cifs-do-not-disable-interface-polling-on-failure.patch @@ -0,0 +1,69 @@ +From 42ca547b13a20e7cbb04fbdf8d5f089ac4bb35b7 Mon Sep 17 00:00:00 2001 +From: Shyam Prasad N <sprasad@microsoft.com> +Date: Mon, 2 Jun 2025 22:37:17 +0530 +Subject: cifs: do not disable interface polling on failure + +From: Shyam Prasad N <sprasad@microsoft.com> + +commit 42ca547b13a20e7cbb04fbdf8d5f089ac4bb35b7 upstream. + +When a server has multichannel enabled, we keep polling the server +for interfaces periodically. However, when this query fails, we +disable the polling. This can be problematic as it takes away the +chance for the server to start advertizing again. + +This change reschedules the delayed work, even if the current call +failed. That way, multichannel sessions can recover. + +Signed-off-by: Shyam Prasad N <sprasad@microsoft.com> +Cc: stable@vger.kernel.org +Signed-off-by: Steve French <stfrench@microsoft.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/smb/client/connect.c | 6 +----- + fs/smb/client/smb2pdu.c | 9 +++++---- + 2 files changed, 6 insertions(+), 9 deletions(-) + +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -132,13 +132,9 @@ static void smb2_query_server_interfaces + rc = server->ops->query_server_interfaces(xid, tcon, false); + free_xid(xid); + +- if (rc) { +- if (rc == -EOPNOTSUPP) +- return; +- ++ if (rc) + cifs_dbg(FYI, "%s: failed to query server interfaces: %d\n", + __func__, rc); +- } + + queue_delayed_work(cifsiod_wq, &tcon->query_interfaces, + (SMB_INTERFACE_POLL_INTERVAL * HZ)); +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -437,6 +437,10 @@ skip_sess_setup: + free_xid(xid); + ses->flags &= ~CIFS_SES_FLAGS_PENDING_QUERY_INTERFACES; + ++ /* regardless of rc value, setup polling */ ++ queue_delayed_work(cifsiod_wq, &tcon->query_interfaces, ++ (SMB_INTERFACE_POLL_INTERVAL * HZ)); ++ + mutex_unlock(&ses->session_mutex); + + if (rc == -EOPNOTSUPP && ses->chan_count > 1) { +@@ -457,11 +461,8 @@ skip_sess_setup: + if (ses->chan_max > ses->chan_count && + ses->iface_count && + !SERVER_IS_CHAN(server)) { +- if (ses->chan_count == 1) { ++ if (ses->chan_count == 1) + cifs_server_dbg(VFS, "supports multichannel now\n"); +- queue_delayed_work(cifsiod_wq, &tcon->query_interfaces, +- (SMB_INTERFACE_POLL_INTERVAL * HZ)); +- } + + cifs_try_adding_channels(ses); + } diff --git a/queue-6.6/cifs-serialize-other-channels-when-query-server-interfaces-is-pending.patch b/queue-6.6/cifs-serialize-other-channels-when-query-server-interfaces-is-pending.patch new file mode 100644 index 00000000000..61b4b3c7005 --- /dev/null +++ b/queue-6.6/cifs-serialize-other-channels-when-query-server-interfaces-is-pending.patch @@ -0,0 +1,86 @@ +From b5e3e6e28cf3853566ba5d816f79aba5be579158 Mon Sep 17 00:00:00 2001 +From: Shyam Prasad N <sprasad@microsoft.com> +Date: Mon, 2 Jun 2025 22:37:15 +0530 +Subject: cifs: serialize other channels when query server interfaces is pending + +From: Shyam Prasad N <sprasad@microsoft.com> + +commit b5e3e6e28cf3853566ba5d816f79aba5be579158 upstream. + +Today, during smb2_reconnect, session_mutex is released as soon as +the tcon is reconnected and is in a good state. However, in case +multichannel is enabled, there is also a query of server interfaces that +follows. We've seen that this query can race with reconnects of other +channels, causing them to step on each other with reconnects. + +This change extends the hold of session_mutex till after the query of +server interfaces is complete. In order to avoid recursive smb2_reconnect +checks during query ioctl, this change also introduces a session flag +for sessions where such a query is in progress. + +Signed-off-by: Shyam Prasad N <sprasad@microsoft.com> +Cc: stable@vger.kernel.org +Signed-off-by: Steve French <stfrench@microsoft.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/smb/client/cifsglob.h | 1 + + fs/smb/client/smb2pdu.c | 24 ++++++++++++++++++------ + 2 files changed, 19 insertions(+), 6 deletions(-) + +--- a/fs/smb/client/cifsglob.h ++++ b/fs/smb/client/cifsglob.h +@@ -1053,6 +1053,7 @@ struct cifs_chan { + }; + + #define CIFS_SES_FLAG_SCALE_CHANNELS (0x1) ++#define CIFS_SES_FLAGS_PENDING_QUERY_INTERFACES (0x2) + + /* + * Session structure. One of these for each uid session with a particular host +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -425,14 +425,19 @@ skip_sess_setup: + if (!rc && + (server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL) && + server->ops->query_server_interfaces) { +- mutex_unlock(&ses->session_mutex); +- + /* +- * query server network interfaces, in case they change ++ * query server network interfaces, in case they change. ++ * Also mark the session as pending this update while the query ++ * is in progress. This will be used to avoid calling ++ * smb2_reconnect recursively. + */ ++ ses->flags |= CIFS_SES_FLAGS_PENDING_QUERY_INTERFACES; + xid = get_xid(); + rc = server->ops->query_server_interfaces(xid, tcon, false); + free_xid(xid); ++ ses->flags &= ~CIFS_SES_FLAGS_PENDING_QUERY_INTERFACES; ++ ++ mutex_unlock(&ses->session_mutex); + + if (rc == -EOPNOTSUPP && ses->chan_count > 1) { + /* +@@ -574,11 +579,18 @@ static int smb2_ioctl_req_init(u32 opcod + struct TCP_Server_Info *server, + void **request_buf, unsigned int *total_len) + { +- /* Skip reconnect only for FSCTL_VALIDATE_NEGOTIATE_INFO IOCTLs */ +- if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO) { ++ /* ++ * Skip reconnect in one of the following cases: ++ * 1. For FSCTL_VALIDATE_NEGOTIATE_INFO IOCTLs ++ * 2. For FSCTL_QUERY_NETWORK_INTERFACE_INFO IOCTL when called from ++ * smb2_reconnect (indicated by CIFS_SES_FLAG_SCALE_CHANNELS ses flag) ++ */ ++ if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO || ++ (opcode == FSCTL_QUERY_NETWORK_INTERFACE_INFO && ++ (tcon->ses->flags & CIFS_SES_FLAGS_PENDING_QUERY_INTERFACES))) + return __smb2_plain_req_init(SMB2_IOCTL, tcon, server, + request_buf, total_len); +- } ++ + return smb2_plain_req_init(SMB2_IOCTL, tcon, server, + request_buf, total_len); + } diff --git a/queue-6.6/drivers-rapidio-rio_cm.c-prevent-possible-heap-overwrite.patch b/queue-6.6/drivers-rapidio-rio_cm.c-prevent-possible-heap-overwrite.patch new file mode 100644 index 00000000000..ef7d5a85250 --- /dev/null +++ b/queue-6.6/drivers-rapidio-rio_cm.c-prevent-possible-heap-overwrite.patch @@ -0,0 +1,47 @@ +From 50695153d7ddde3b1696dbf0085be0033bf3ddb3 Mon Sep 17 00:00:00 2001 +From: Andrew Morton <akpm@linux-foundation.org> +Date: Sat, 7 Jun 2025 17:43:18 -0700 +Subject: drivers/rapidio/rio_cm.c: prevent possible heap overwrite + +From: Andrew Morton <akpm@linux-foundation.org> + +commit 50695153d7ddde3b1696dbf0085be0033bf3ddb3 upstream. + +In + +riocm_cdev_ioctl(RIO_CM_CHAN_SEND) + -> cm_chan_msg_send() + -> riocm_ch_send() + +cm_chan_msg_send() checks that userspace didn't send too much data but +riocm_ch_send() failed to check that userspace sent sufficient data. The +result is that riocm_ch_send() can write to fields in the rio_ch_chan_hdr +which were outside the bounds of the space which cm_chan_msg_send() +allocated. + +Address this by teaching riocm_ch_send() to check that the entire +rio_ch_chan_hdr was copied in from userspace. + +Reported-by: maher azz <maherazz04@gmail.com> +Cc: Matt Porter <mporter@kernel.crashing.org> +Cc: Alexandre Bounine <alex.bou9@gmail.com> +Cc: Linus Torvalds <torvalds@linuxfoundation.org> +Cc: <stable@vger.kernel.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/rapidio/rio_cm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/rapidio/rio_cm.c ++++ b/drivers/rapidio/rio_cm.c +@@ -787,6 +787,9 @@ static int riocm_ch_send(u16 ch_id, void + if (buf == NULL || ch_id == 0 || len == 0 || len > RIO_MAX_MSG_SIZE) + return -EINVAL; + ++ if (len < sizeof(struct rio_ch_chan_hdr)) ++ return -EINVAL; /* insufficient data from user */ ++ + ch = riocm_get_channel(ch_id); + if (!ch) { + riocm_error("%s(%d) ch_%d not found", current->comm, diff --git a/queue-6.6/io_uring-fix-task-leak-issue-in-io_wq_create.patch b/queue-6.6/io_uring-fix-task-leak-issue-in-io_wq_create.patch new file mode 100644 index 00000000000..acc537eb12e --- /dev/null +++ b/queue-6.6/io_uring-fix-task-leak-issue-in-io_wq_create.patch @@ -0,0 +1,35 @@ +From 89465d923bda180299e69ee2800aab84ad0ba689 Mon Sep 17 00:00:00 2001 +From: Penglei Jiang <superman.xpt@gmail.com> +Date: Sun, 15 Jun 2025 09:39:06 -0700 +Subject: io_uring: fix task leak issue in io_wq_create() + +From: Penglei Jiang <superman.xpt@gmail.com> + +commit 89465d923bda180299e69ee2800aab84ad0ba689 upstream. + +Add missing put_task_struct() in the error path + +Cc: stable@vger.kernel.org +Fixes: 0f8baa3c9802 ("io-wq: fully initialize wqe before calling cpuhp_state_add_instance_nocalls()") +Signed-off-by: Penglei Jiang <superman.xpt@gmail.com> +Link: https://lore.kernel.org/r/20250615163906.2367-1-superman.xpt@gmail.com +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + io_uring/io-wq.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/io_uring/io-wq.c ++++ b/io_uring/io-wq.c +@@ -1206,8 +1206,10 @@ struct io_wq *io_wq_create(unsigned boun + atomic_set(&wq->worker_refs, 1); + init_completion(&wq->worker_done); + ret = cpuhp_state_add_instance_nocalls(io_wq_online, &wq->cpuhp_node); +- if (ret) ++ if (ret) { ++ put_task_struct(wq->task); + goto err; ++ } + + return wq; + err: diff --git a/queue-6.6/jffs2-check-jffs2_prealloc_raw_node_refs-result-in-few-other-places.patch b/queue-6.6/jffs2-check-jffs2_prealloc_raw_node_refs-result-in-few-other-places.patch new file mode 100644 index 00000000000..6f1aef7a000 --- /dev/null +++ b/queue-6.6/jffs2-check-jffs2_prealloc_raw_node_refs-result-in-few-other-places.patch @@ -0,0 +1,80 @@ +From 2b6d96503255a3ed676cd70f8368870c6d6a25c6 Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin <pchelkin@ispras.ru> +Date: Tue, 25 Mar 2025 19:32:13 +0300 +Subject: jffs2: check jffs2_prealloc_raw_node_refs() result in few other places + +From: Fedor Pchelkin <pchelkin@ispras.ru> + +commit 2b6d96503255a3ed676cd70f8368870c6d6a25c6 upstream. + +Fuzzing hit another invalid pointer dereference due to the lack of +checking whether jffs2_prealloc_raw_node_refs() completed successfully. +Subsequent logic implies that the node refs have been allocated. + +Handle that. The code is ready for propagating the error upwards. + +KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] +CPU: 1 PID: 5835 Comm: syz-executor145 Not tainted 5.10.234-syzkaller #0 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +RIP: 0010:jffs2_link_node_ref+0xac/0x690 fs/jffs2/nodelist.c:600 +Call Trace: + jffs2_mark_erased_block fs/jffs2/erase.c:460 [inline] + jffs2_erase_pending_blocks+0x688/0x1860 fs/jffs2/erase.c:118 + jffs2_garbage_collect_pass+0x638/0x1a00 fs/jffs2/gc.c:253 + jffs2_reserve_space+0x3f4/0xad0 fs/jffs2/nodemgmt.c:167 + jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362 + jffs2_write_end+0x712/0x1110 fs/jffs2/file.c:302 + generic_perform_write+0x2c2/0x500 mm/filemap.c:3347 + __generic_file_write_iter+0x252/0x610 mm/filemap.c:3465 + generic_file_write_iter+0xdb/0x230 mm/filemap.c:3497 + call_write_iter include/linux/fs.h:2039 [inline] + do_iter_readv_writev+0x46d/0x750 fs/read_write.c:740 + do_iter_write+0x18c/0x710 fs/read_write.c:866 + vfs_writev+0x1db/0x6a0 fs/read_write.c:939 + do_pwritev fs/read_write.c:1036 [inline] + __do_sys_pwritev fs/read_write.c:1083 [inline] + __se_sys_pwritev fs/read_write.c:1078 [inline] + __x64_sys_pwritev+0x235/0x310 fs/read_write.c:1078 + do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x67/0xd1 + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 2f785402f39b ("[JFFS2] Reduce visibility of raw_node_ref to upper layers of JFFS2 code.") +Fixes: f560928baa60 ("[JFFS2] Allocate node_ref for wasted space when skipping to page boundary") +Cc: stable@vger.kernel.org +Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru> +Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com> +Signed-off-by: Richard Weinberger <richard@nod.at> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/jffs2/erase.c | 4 +++- + fs/jffs2/scan.c | 4 +++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/jffs2/erase.c ++++ b/fs/jffs2/erase.c +@@ -425,7 +425,9 @@ static void jffs2_mark_erased_block(stru + .totlen = cpu_to_je32(c->cleanmarker_size) + }; + +- jffs2_prealloc_raw_node_refs(c, jeb, 1); ++ ret = jffs2_prealloc_raw_node_refs(c, jeb, 1); ++ if (ret) ++ goto filebad; + + marker.hdr_crc = cpu_to_je32(crc32(0, &marker, sizeof(struct jffs2_unknown_node)-4)); + +--- a/fs/jffs2/scan.c ++++ b/fs/jffs2/scan.c +@@ -256,7 +256,9 @@ int jffs2_scan_medium(struct jffs2_sb_in + + jffs2_dbg(1, "%s(): Skipping %d bytes in nextblock to ensure page alignment\n", + __func__, skip); +- jffs2_prealloc_raw_node_refs(c, c->nextblock, 1); ++ ret = jffs2_prealloc_raw_node_refs(c, c->nextblock, 1); ++ if (ret) ++ goto out; + jffs2_scan_dirty_space(c, c->nextblock, skip); + } + #endif diff --git a/queue-6.6/jffs2-check-that-raw-node-were-preallocated-before-writing-summary.patch b/queue-6.6/jffs2-check-that-raw-node-were-preallocated-before-writing-summary.patch new file mode 100644 index 00000000000..ad59dd44def --- /dev/null +++ b/queue-6.6/jffs2-check-that-raw-node-were-preallocated-before-writing-summary.patch @@ -0,0 +1,87 @@ +From ec9e6f22bce433b260ea226de127ec68042849b0 Mon Sep 17 00:00:00 2001 +From: Artem Sadovnikov <a.sadovnikov@ispras.ru> +Date: Fri, 7 Mar 2025 16:34:09 +0000 +Subject: jffs2: check that raw node were preallocated before writing summary + +From: Artem Sadovnikov <a.sadovnikov@ispras.ru> + +commit ec9e6f22bce433b260ea226de127ec68042849b0 upstream. + +Syzkaller detected a kernel bug in jffs2_link_node_ref, caused by fault +injection in jffs2_prealloc_raw_node_refs. jffs2_sum_write_sumnode doesn't +check return value of jffs2_prealloc_raw_node_refs and simply lets any +error propagate into jffs2_sum_write_data, which eventually calls +jffs2_link_node_ref in order to link the summary to an expectedly allocated +node. + +kernel BUG at fs/jffs2/nodelist.c:592! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI +CPU: 1 PID: 31277 Comm: syz-executor.7 Not tainted 6.1.128-syzkaller-00139-ge10f83ca10a1 #0 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +RIP: 0010:jffs2_link_node_ref+0x570/0x690 fs/jffs2/nodelist.c:592 +Call Trace: + <TASK> + jffs2_sum_write_data fs/jffs2/summary.c:841 [inline] + jffs2_sum_write_sumnode+0xd1a/0x1da0 fs/jffs2/summary.c:874 + jffs2_do_reserve_space+0xa18/0xd60 fs/jffs2/nodemgmt.c:388 + jffs2_reserve_space+0x55f/0xaa0 fs/jffs2/nodemgmt.c:197 + jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362 + jffs2_write_end+0x726/0x15d0 fs/jffs2/file.c:301 + generic_perform_write+0x314/0x5d0 mm/filemap.c:3856 + __generic_file_write_iter+0x2ae/0x4d0 mm/filemap.c:3973 + generic_file_write_iter+0xe3/0x350 mm/filemap.c:4005 + call_write_iter include/linux/fs.h:2265 [inline] + do_iter_readv_writev+0x20f/0x3c0 fs/read_write.c:735 + do_iter_write+0x186/0x710 fs/read_write.c:861 + vfs_iter_write+0x70/0xa0 fs/read_write.c:902 + iter_file_splice_write+0x73b/0xc90 fs/splice.c:685 + do_splice_from fs/splice.c:763 [inline] + direct_splice_actor+0x10c/0x170 fs/splice.c:950 + splice_direct_to_actor+0x337/0xa10 fs/splice.c:896 + do_splice_direct+0x1a9/0x280 fs/splice.c:1002 + do_sendfile+0xb13/0x12c0 fs/read_write.c:1255 + __do_sys_sendfile64 fs/read_write.c:1323 [inline] + __se_sys_sendfile64 fs/read_write.c:1309 [inline] + __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +Fix this issue by checking return value of jffs2_prealloc_raw_node_refs +before calling jffs2_sum_write_data. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Cc: stable@vger.kernel.org +Fixes: 2f785402f39b ("[JFFS2] Reduce visibility of raw_node_ref to upper layers of JFFS2 code.") +Signed-off-by: Artem Sadovnikov <a.sadovnikov@ispras.ru> +Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com> +Signed-off-by: Richard Weinberger <richard@nod.at> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/jffs2/summary.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/jffs2/summary.c ++++ b/fs/jffs2/summary.c +@@ -858,7 +858,10 @@ int jffs2_sum_write_sumnode(struct jffs2 + spin_unlock(&c->erase_completion_lock); + + jeb = c->nextblock; +- jffs2_prealloc_raw_node_refs(c, jeb, 1); ++ ret = jffs2_prealloc_raw_node_refs(c, jeb, 1); ++ ++ if (ret) ++ goto out; + + if (!c->summary->sum_num || !c->summary->sum_list_head) { + JFFS2_WARNING("Empty summary info!!!\n"); +@@ -872,6 +875,8 @@ int jffs2_sum_write_sumnode(struct jffs2 + datasize += padsize; + + ret = jffs2_sum_write_data(c, jeb, infosize, datasize, padsize); ++ ++out: + spin_lock(&c->erase_completion_lock); + return ret; + } diff --git a/queue-6.6/ksmbd-fix-null-pointer-dereference-in-destroy_previous_session.patch b/queue-6.6/ksmbd-fix-null-pointer-dereference-in-destroy_previous_session.patch new file mode 100644 index 00000000000..09d102dcdce --- /dev/null +++ b/queue-6.6/ksmbd-fix-null-pointer-dereference-in-destroy_previous_session.patch @@ -0,0 +1,50 @@ +From 7ac5b66acafcc9292fb935d7e03790f2b8b2dc0e Mon Sep 17 00:00:00 2001 +From: Namjae Jeon <linkinjeon@kernel.org> +Date: Fri, 13 Jun 2025 10:12:43 +0900 +Subject: ksmbd: fix null pointer dereference in destroy_previous_session + +From: Namjae Jeon <linkinjeon@kernel.org> + +commit 7ac5b66acafcc9292fb935d7e03790f2b8b2dc0e upstream. + +If client set ->PreviousSessionId on kerberos session setup stage, +NULL pointer dereference error will happen. Since sess->user is not +set yet, It can pass the user argument as NULL to destroy_previous_session. +sess->user will be set in ksmbd_krb5_authenticate(). So this patch move +calling destroy_previous_session() after ksmbd_krb5_authenticate(). + +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-27391 +Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> +Signed-off-by: Steve French <stfrench@microsoft.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/smb/server/smb2pdu.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -1599,17 +1599,18 @@ static int krb5_authenticate(struct ksmb + out_len = work->response_sz - + (le16_to_cpu(rsp->SecurityBufferOffset) + 4); + +- /* Check previous session */ +- prev_sess_id = le64_to_cpu(req->PreviousSessionId); +- if (prev_sess_id && prev_sess_id != sess->id) +- destroy_previous_session(conn, sess->user, prev_sess_id); +- + retval = ksmbd_krb5_authenticate(sess, in_blob, in_len, + out_blob, &out_len); + if (retval) { + ksmbd_debug(SMB, "krb5 authentication failed\n"); + return -EINVAL; + } ++ ++ /* Check previous session */ ++ prev_sess_id = le64_to_cpu(req->PreviousSessionId); ++ if (prev_sess_id && prev_sess_id != sess->id) ++ destroy_previous_session(conn, sess->user, prev_sess_id); ++ + rsp->SecurityBufferLength = cpu_to_le16(out_len); + + if ((conn->sign || server_conf.enforced_signing) || diff --git a/queue-6.6/loongarch-avoid-using-r0-r1-as-mask-for-csrxchg.patch b/queue-6.6/loongarch-avoid-using-r0-r1-as-mask-for-csrxchg.patch new file mode 100644 index 00000000000..0551faf8ac2 --- /dev/null +++ b/queue-6.6/loongarch-avoid-using-r0-r1-as-mask-for-csrxchg.patch @@ -0,0 +1,90 @@ +From 52c22661c79a7b6af7fad9f77200738fc6c51878 Mon Sep 17 00:00:00 2001 +From: Huacai Chen <chenhuacai@loongson.cn> +Date: Fri, 30 May 2025 21:45:48 +0800 +Subject: LoongArch: Avoid using $r0/$r1 as "mask" for csrxchg + +From: Huacai Chen <chenhuacai@loongson.cn> + +commit 52c22661c79a7b6af7fad9f77200738fc6c51878 upstream. + +When building kernel with LLVM there are occasionally such errors: + +In file included from ./include/linux/spinlock.h:59: +In file included from ./include/linux/irqflags.h:17: +arch/loongarch/include/asm/irqflags.h:38:3: error: must not be $r0 or $r1 + 38 | "csrxchg %[val], %[mask], %[reg]\n\t" + | ^ +<inline asm>:1:16: note: instantiated into assembly here + 1 | csrxchg $a1, $ra, 0 + | ^ + +To prevent the compiler from allocating $r0 or $r1 for the "mask" of the +csrxchg instruction, the 'q' constraint must be used but Clang < 21 does +not support it. So force to use $t0 in the inline asm, in order to avoid +using $r0/$r1 while keeping the backward compatibility. + +Cc: stable@vger.kernel.org +Link: https://github.com/llvm/llvm-project/pull/141037 +Reviewed-by: Yanteng Si <si.yanteng@linux.dev> +Suggested-by: WANG Rui <wangrui@loongson.cn> +Signed-off-by: Huacai Chen <chenhuacai@loongson.cn> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/loongarch/include/asm/irqflags.h | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/arch/loongarch/include/asm/irqflags.h ++++ b/arch/loongarch/include/asm/irqflags.h +@@ -14,40 +14,48 @@ + static inline void arch_local_irq_enable(void) + { + u32 flags = CSR_CRMD_IE; ++ register u32 mask asm("t0") = CSR_CRMD_IE; ++ + __asm__ __volatile__( + "csrxchg %[val], %[mask], %[reg]\n\t" + : [val] "+r" (flags) +- : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) ++ : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) + : "memory"); + } + + static inline void arch_local_irq_disable(void) + { + u32 flags = 0; ++ register u32 mask asm("t0") = CSR_CRMD_IE; ++ + __asm__ __volatile__( + "csrxchg %[val], %[mask], %[reg]\n\t" + : [val] "+r" (flags) +- : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) ++ : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) + : "memory"); + } + + static inline unsigned long arch_local_irq_save(void) + { + u32 flags = 0; ++ register u32 mask asm("t0") = CSR_CRMD_IE; ++ + __asm__ __volatile__( + "csrxchg %[val], %[mask], %[reg]\n\t" + : [val] "+r" (flags) +- : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) ++ : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) + : "memory"); + return flags; + } + + static inline void arch_local_irq_restore(unsigned long flags) + { ++ register u32 mask asm("t0") = CSR_CRMD_IE; ++ + __asm__ __volatile__( + "csrxchg %[val], %[mask], %[reg]\n\t" + : [val] "+r" (flags) +- : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) ++ : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) + : "memory"); + } + diff --git a/queue-6.6/loongarch-fix-panic-caused-by-null-pmd-in-huge_pte_offset.patch b/queue-6.6/loongarch-fix-panic-caused-by-null-pmd-in-huge_pte_offset.patch new file mode 100644 index 00000000000..aac8e6e67a1 --- /dev/null +++ b/queue-6.6/loongarch-fix-panic-caused-by-null-pmd-in-huge_pte_offset.patch @@ -0,0 +1,48 @@ +From ee084fa96123ede8b0563a1b5a9b23adc43cd50d Mon Sep 17 00:00:00 2001 +From: Tianyang Zhang <zhangtianyang@loongson.cn> +Date: Fri, 30 May 2025 21:45:57 +0800 +Subject: LoongArch: Fix panic caused by NULL-PMD in huge_pte_offset() + +From: Tianyang Zhang <zhangtianyang@loongson.cn> + +commit ee084fa96123ede8b0563a1b5a9b23adc43cd50d upstream. + +ERROR INFO: + +CPU 25 Unable to handle kernel paging request at virtual address 0x0 + ... + Call Trace: + [<900000000023c30c>] huge_pte_offset+0x3c/0x58 + [<900000000057fd4c>] hugetlb_follow_page_mask+0x74/0x438 + [<900000000051fee8>] __get_user_pages+0xe0/0x4c8 + [<9000000000522414>] faultin_page_range+0x84/0x380 + [<9000000000564e8c>] madvise_vma_behavior+0x534/0xa48 + [<900000000056689c>] do_madvise+0x1bc/0x3e8 + [<9000000000566df4>] sys_madvise+0x24/0x38 + [<90000000015b9e88>] do_syscall+0x78/0x98 + [<9000000000221f18>] handle_syscall+0xb8/0x158 + +In some cases, pmd may be NULL and rely on NULL as the return value for +processing, so it is necessary to determine this situation here. + +Cc: stable@vger.kernel.org +Fixes: bd51834d1cf6 ("LoongArch: Return NULL from huge_pte_offset() for invalid PMD") +Signed-off-by: Tianyang Zhang <zhangtianyang@loongson.cn> +Signed-off-by: Huacai Chen <chenhuacai@loongson.cn> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/loongarch/mm/hugetlbpage.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/loongarch/mm/hugetlbpage.c ++++ b/arch/loongarch/mm/hugetlbpage.c +@@ -47,7 +47,8 @@ pte_t *huge_pte_offset(struct mm_struct + pmd = pmd_offset(pud, addr); + } + } +- return pmd_none(pmdp_get(pmd)) ? NULL : (pte_t *) pmd; ++ ++ return (!pmd || pmd_none(pmdp_get(pmd))) ? NULL : (pte_t *) pmd; + } + + int pmd_huge(pmd_t pmd) diff --git a/queue-6.6/net-clear-the-dst-when-changing-skb-protocol.patch b/queue-6.6/net-clear-the-dst-when-changing-skb-protocol.patch new file mode 100644 index 00000000000..1747d7c8e07 --- /dev/null +++ b/queue-6.6/net-clear-the-dst-when-changing-skb-protocol.patch @@ -0,0 +1,118 @@ +From ba9db6f907ac02215e30128770f85fbd7db2fcf9 Mon Sep 17 00:00:00 2001 +From: Jakub Kicinski <kuba@kernel.org> +Date: Mon, 9 Jun 2025 17:12:44 -0700 +Subject: net: clear the dst when changing skb protocol +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakub Kicinski <kuba@kernel.org> + +commit ba9db6f907ac02215e30128770f85fbd7db2fcf9 upstream. + +A not-so-careful NAT46 BPF program can crash the kernel +if it indiscriminately flips ingress packets from v4 to v6: + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + ip6_rcv_core (net/ipv6/ip6_input.c:190:20) + ipv6_rcv (net/ipv6/ip6_input.c:306:8) + process_backlog (net/core/dev.c:6186:4) + napi_poll (net/core/dev.c:6906:9) + net_rx_action (net/core/dev.c:7028:13) + do_softirq (kernel/softirq.c:462:3) + netif_rx (net/core/dev.c:5326:3) + dev_loopback_xmit (net/core/dev.c:4015:2) + ip_mc_finish_output (net/ipv4/ip_output.c:363:8) + NF_HOOK (./include/linux/netfilter.h:314:9) + ip_mc_output (net/ipv4/ip_output.c:400:5) + dst_output (./include/net/dst.h:459:9) + ip_local_out (net/ipv4/ip_output.c:130:9) + ip_send_skb (net/ipv4/ip_output.c:1496:8) + udp_send_skb (net/ipv4/udp.c:1040:8) + udp_sendmsg (net/ipv4/udp.c:1328:10) + +The output interface has a 4->6 program attached at ingress. +We try to loop the multicast skb back to the sending socket. +Ingress BPF runs as part of netif_rx(), pushes a valid v6 hdr +and changes skb->protocol to v6. We enter ip6_rcv_core which +tries to use skb_dst(). But the dst is still an IPv4 one left +after IPv4 mcast output. + +Clear the dst in all BPF helpers which change the protocol. +Try to preserve metadata dsts, those may carry non-routing +metadata. + +Cc: stable@vger.kernel.org +Reviewed-by: Maciej Żenczykowski <maze@google.com> +Acked-by: Daniel Borkmann <daniel@iogearbox.net> +Fixes: d219df60a70e ("bpf: Add ipip6 and ip6ip decap support for bpf_skb_adjust_room()") +Fixes: 1b00e0dfe7d0 ("bpf: update skb->protocol in bpf_skb_net_grow") +Fixes: 6578171a7ff0 ("bpf: add bpf_skb_change_proto helper") +Reviewed-by: Willem de Bruijn <willemb@google.com> +Link: https://patch.msgid.link/20250610001245.1981782-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/core/filter.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -3229,6 +3229,13 @@ static const struct bpf_func_proto bpf_s + .arg1_type = ARG_PTR_TO_CTX, + }; + ++static void bpf_skb_change_protocol(struct sk_buff *skb, u16 proto) ++{ ++ skb->protocol = htons(proto); ++ if (skb_valid_dst(skb)) ++ skb_dst_drop(skb); ++} ++ + static int bpf_skb_generic_push(struct sk_buff *skb, u32 off, u32 len) + { + /* Caller already did skb_cow() with len as headroom, +@@ -3325,7 +3332,7 @@ static int bpf_skb_proto_4_to_6(struct s + } + } + +- skb->protocol = htons(ETH_P_IPV6); ++ bpf_skb_change_protocol(skb, ETH_P_IPV6); + skb_clear_hash(skb); + + return 0; +@@ -3355,7 +3362,7 @@ static int bpf_skb_proto_6_to_4(struct s + } + } + +- skb->protocol = htons(ETH_P_IP); ++ bpf_skb_change_protocol(skb, ETH_P_IP); + skb_clear_hash(skb); + + return 0; +@@ -3546,10 +3553,10 @@ static int bpf_skb_net_grow(struct sk_bu + /* Match skb->protocol to new outer l3 protocol */ + if (skb->protocol == htons(ETH_P_IP) && + flags & BPF_F_ADJ_ROOM_ENCAP_L3_IPV6) +- skb->protocol = htons(ETH_P_IPV6); ++ bpf_skb_change_protocol(skb, ETH_P_IPV6); + else if (skb->protocol == htons(ETH_P_IPV6) && + flags & BPF_F_ADJ_ROOM_ENCAP_L3_IPV4) +- skb->protocol = htons(ETH_P_IP); ++ bpf_skb_change_protocol(skb, ETH_P_IP); + } + + if (skb_is_gso(skb)) { +@@ -3602,10 +3609,10 @@ static int bpf_skb_net_shrink(struct sk_ + /* Match skb->protocol to new outer l3 protocol */ + if (skb->protocol == htons(ETH_P_IP) && + flags & BPF_F_ADJ_ROOM_DECAP_L3_IPV6) +- skb->protocol = htons(ETH_P_IPV6); ++ bpf_skb_change_protocol(skb, ETH_P_IPV6); + else if (skb->protocol == htons(ETH_P_IPV6) && + flags & BPF_F_ADJ_ROOM_DECAP_L3_IPV4) +- skb->protocol = htons(ETH_P_IP); ++ bpf_skb_change_protocol(skb, ETH_P_IP); + + if (skb_is_gso(skb)) { + struct skb_shared_info *shinfo = skb_shinfo(skb); diff --git a/queue-6.6/net_sched-sch_sfq-reject-invalid-perturb-period.patch b/queue-6.6/net_sched-sch_sfq-reject-invalid-perturb-period.patch new file mode 100644 index 00000000000..5c226d4e7bd --- /dev/null +++ b/queue-6.6/net_sched-sch_sfq-reject-invalid-perturb-period.patch @@ -0,0 +1,72 @@ +From 7ca52541c05c832d32b112274f81a985101f9ba8 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Wed, 11 Jun 2025 08:35:01 +0000 +Subject: net_sched: sch_sfq: reject invalid perturb period + +From: Eric Dumazet <edumazet@google.com> + +commit 7ca52541c05c832d32b112274f81a985101f9ba8 upstream. + +Gerrard Tai reported that SFQ perturb_period has no range check yet, +and this can be used to trigger a race condition fixed in a separate patch. + +We want to make sure ctl->perturb_period * HZ will not overflow +and is positive. + +Tested: + +tc qd add dev lo root sfq perturb -10 # negative value : error +Error: sch_sfq: invalid perturb period. + +tc qd add dev lo root sfq perturb 1000000000 # too big : error +Error: sch_sfq: invalid perturb period. + +tc qd add dev lo root sfq perturb 2000000 # acceptable value +tc -s -d qd sh dev lo +qdisc sfq 8005: root refcnt 2 limit 127p quantum 64Kb depth 127 flows 128 divisor 1024 perturb 2000000sec + Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) + backlog 0b 0p requeues 0 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg> +Signed-off-by: Eric Dumazet <edumazet@google.com> +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250611083501.1810459-1-edumazet@google.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/sched/sch_sfq.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/net/sched/sch_sfq.c ++++ b/net/sched/sch_sfq.c +@@ -656,6 +656,14 @@ static int sfq_change(struct Qdisc *sch, + NL_SET_ERR_MSG_MOD(extack, "invalid quantum"); + return -EINVAL; + } ++ ++ if (ctl->perturb_period < 0 || ++ ctl->perturb_period > INT_MAX / HZ) { ++ NL_SET_ERR_MSG_MOD(extack, "invalid perturb period"); ++ return -EINVAL; ++ } ++ perturb_period = ctl->perturb_period * HZ; ++ + if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max, + ctl_v1->Wlog, ctl_v1->Scell_log, NULL)) + return -EINVAL; +@@ -672,14 +680,12 @@ static int sfq_change(struct Qdisc *sch, + headdrop = q->headdrop; + maxdepth = q->maxdepth; + maxflows = q->maxflows; +- perturb_period = q->perturb_period; + quantum = q->quantum; + flags = q->flags; + + /* update and validate configuration */ + if (ctl->quantum) + quantum = ctl->quantum; +- perturb_period = ctl->perturb_period * HZ; + if (ctl->flows) + maxflows = min_t(u32, ctl->flows, SFQ_MAX_FLOWS); + if (ctl->divisor) { diff --git a/queue-6.6/platform-loongarch-laptop-add-backlight-power-control-support.patch b/queue-6.6/platform-loongarch-laptop-add-backlight-power-control-support.patch new file mode 100644 index 00000000000..885488d758c --- /dev/null +++ b/queue-6.6/platform-loongarch-laptop-add-backlight-power-control-support.patch @@ -0,0 +1,145 @@ +From 53c762b47f726e4079a1f06f684bce2fc0d56fba Mon Sep 17 00:00:00 2001 +From: Yao Zi <ziyao@disroot.org> +Date: Thu, 5 Jun 2025 20:34:46 +0800 +Subject: platform/loongarch: laptop: Add backlight power control support + +From: Yao Zi <ziyao@disroot.org> + +commit 53c762b47f726e4079a1f06f684bce2fc0d56fba upstream. + +loongson_laptop_turn_{on,off}_backlight() are designed for controlling +the power of the backlight, but they aren't really used in the driver +previously. + +Unify these two functions since they only differ in arguments passed to +ACPI method, and wire up loongson_laptop_backlight_update() to update +the power state of the backlight as well. Tested on the TongFang L860-T2 +Loongson-3A5000 laptop. + +Cc: stable@vger.kernel.org +Fixes: 6246ed09111f ("LoongArch: Add ACPI-based generic laptop driver") +Signed-off-by: Yao Zi <ziyao@disroot.org> +Signed-off-by: Huacai Chen <chenhuacai@loongson.cn> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/platform/loongarch/loongson-laptop.c | 73 +++++++++++++-------------- + 1 file changed, 37 insertions(+), 36 deletions(-) + +--- a/drivers/platform/loongarch/loongson-laptop.c ++++ b/drivers/platform/loongarch/loongson-laptop.c +@@ -56,8 +56,7 @@ static struct input_dev *generic_inputde + static acpi_handle hotkey_handle; + static struct key_entry hotkey_keycode_map[GENERIC_HOTKEY_MAP_MAX]; + +-int loongson_laptop_turn_on_backlight(void); +-int loongson_laptop_turn_off_backlight(void); ++static bool bl_powered; + static int loongson_laptop_backlight_update(struct backlight_device *bd); + + /* 2. ACPI Helpers and device model */ +@@ -354,16 +353,42 @@ static int ec_backlight_level(u8 level) + return level; + } + ++static int ec_backlight_set_power(bool state) ++{ ++ int status; ++ union acpi_object arg0 = { ACPI_TYPE_INTEGER }; ++ struct acpi_object_list args = { 1, &arg0 }; ++ ++ arg0.integer.value = state; ++ status = acpi_evaluate_object(NULL, "\\BLSW", &args, NULL); ++ if (ACPI_FAILURE(status)) { ++ pr_info("Loongson lvds error: 0x%x\n", status); ++ return -EIO; ++ } ++ ++ return 0; ++} ++ + static int loongson_laptop_backlight_update(struct backlight_device *bd) + { +- int lvl = ec_backlight_level(bd->props.brightness); ++ bool target_powered = !backlight_is_blank(bd); ++ int ret = 0, lvl = ec_backlight_level(bd->props.brightness); + + if (lvl < 0) + return -EIO; ++ + if (ec_set_brightness(lvl)) + return -EIO; + +- return 0; ++ if (target_powered != bl_powered) { ++ ret = ec_backlight_set_power(target_powered); ++ if (ret < 0) ++ return ret; ++ ++ bl_powered = target_powered; ++ } ++ ++ return ret; + } + + static int loongson_laptop_get_brightness(struct backlight_device *bd) +@@ -384,7 +409,7 @@ static const struct backlight_ops backli + + static int laptop_backlight_register(void) + { +- int status = 0; ++ int status = 0, ret; + struct backlight_properties props; + + memset(&props, 0, sizeof(props)); +@@ -392,44 +417,20 @@ static int laptop_backlight_register(voi + if (!acpi_evalf(hotkey_handle, &status, "ECLL", "d")) + return -EIO; + ++ ret = ec_backlight_set_power(true); ++ if (ret) ++ return ret; ++ ++ bl_powered = true; ++ + props.max_brightness = status; + props.brightness = ec_get_brightness(); ++ props.power = BACKLIGHT_POWER_ON; + props.type = BACKLIGHT_PLATFORM; + + backlight_device_register("loongson_laptop", + NULL, NULL, &backlight_laptop_ops, &props); + +- return 0; +-} +- +-int loongson_laptop_turn_on_backlight(void) +-{ +- int status; +- union acpi_object arg0 = { ACPI_TYPE_INTEGER }; +- struct acpi_object_list args = { 1, &arg0 }; +- +- arg0.integer.value = 1; +- status = acpi_evaluate_object(NULL, "\\BLSW", &args, NULL); +- if (ACPI_FAILURE(status)) { +- pr_info("Loongson lvds error: 0x%x\n", status); +- return -ENODEV; +- } +- +- return 0; +-} +- +-int loongson_laptop_turn_off_backlight(void) +-{ +- int status; +- union acpi_object arg0 = { ACPI_TYPE_INTEGER }; +- struct acpi_object_list args = { 1, &arg0 }; +- +- arg0.integer.value = 0; +- status = acpi_evaluate_object(NULL, "\\BLSW", &args, NULL); +- if (ACPI_FAILURE(status)) { +- pr_info("Loongson lvds error: 0x%x\n", status); +- return -ENODEV; +- } + + return 0; + } diff --git a/queue-6.6/platform-loongarch-laptop-get-brightness-setting-from-ec-on-probe.patch b/queue-6.6/platform-loongarch-laptop-get-brightness-setting-from-ec-on-probe.patch new file mode 100644 index 00000000000..39a8338274a --- /dev/null +++ b/queue-6.6/platform-loongarch-laptop-get-brightness-setting-from-ec-on-probe.patch @@ -0,0 +1,41 @@ +From 1205088fd0393bd9eae96b62bf1e4b9eb1b73edf Mon Sep 17 00:00:00 2001 +From: Yao Zi <ziyao@disroot.org> +Date: Thu, 5 Jun 2025 20:34:46 +0800 +Subject: platform/loongarch: laptop: Get brightness setting from EC on probe + +From: Yao Zi <ziyao@disroot.org> + +commit 1205088fd0393bd9eae96b62bf1e4b9eb1b73edf upstream. + +Previously during driver probe, 1 is unconditionally taken as current +brightness value and set to props.brightness, which will be considered +as the brightness before suspend and restored to EC on resume. Since a +brightness value of 1 almost never matches EC's state on coldboot (my +laptop's EC defaults to 80), this causes surprising changes of screen +brightness on the first time of resume after coldboot. + +Let's get brightness from EC and take it as the current brightness on +probe of the laptop driver to avoid the surprising behavior. Tested on +TongFang L860-T2 Loongson-3A5000 laptop. + +Cc: stable@vger.kernel.org +Fixes: 6246ed09111f ("LoongArch: Add ACPI-based generic laptop driver") +Signed-off-by: Yao Zi <ziyao@disroot.org> +Signed-off-by: Huacai Chen <chenhuacai@loongson.cn> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/platform/loongarch/loongson-laptop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/platform/loongarch/loongson-laptop.c ++++ b/drivers/platform/loongarch/loongson-laptop.c +@@ -392,8 +392,8 @@ static int laptop_backlight_register(voi + if (!acpi_evalf(hotkey_handle, &status, "ECLL", "d")) + return -EIO; + +- props.brightness = 1; + props.max_brightness = status; ++ props.brightness = ec_get_brightness(); + props.type = BACKLIGHT_PLATFORM; + + backlight_device_register("loongson_laptop", diff --git a/queue-6.6/platform-loongarch-laptop-unregister-generic_sub_drivers-on-exit.patch b/queue-6.6/platform-loongarch-laptop-unregister-generic_sub_drivers-on-exit.patch new file mode 100644 index 00000000000..2f401f3c99d --- /dev/null +++ b/queue-6.6/platform-loongarch-laptop-unregister-generic_sub_drivers-on-exit.patch @@ -0,0 +1,46 @@ +From f78fb2576f22b0ba5297412a9aa7691920666c41 Mon Sep 17 00:00:00 2001 +From: Yao Zi <ziyao@disroot.org> +Date: Thu, 5 Jun 2025 20:34:46 +0800 +Subject: platform/loongarch: laptop: Unregister generic_sub_drivers on exit + +From: Yao Zi <ziyao@disroot.org> + +commit f78fb2576f22b0ba5297412a9aa7691920666c41 upstream. + +Without correct unregisteration, ACPI notify handlers and the platform +drivers installed by generic_subdriver_init() will become dangling +references after removing the loongson_laptop module, triggering various +kernel faults when a hotkey is sent or at kernel shutdown. + +Cc: stable@vger.kernel.org +Fixes: 6246ed09111f ("LoongArch: Add ACPI-based generic laptop driver") +Signed-off-by: Yao Zi <ziyao@disroot.org> +Signed-off-by: Huacai Chen <chenhuacai@loongson.cn> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/platform/loongarch/loongson-laptop.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/platform/loongarch/loongson-laptop.c ++++ b/drivers/platform/loongarch/loongson-laptop.c +@@ -611,11 +611,17 @@ static int __init generic_acpi_laptop_in + + static void __exit generic_acpi_laptop_exit(void) + { ++ int i; ++ + if (generic_inputdev) { +- if (input_device_registered) +- input_unregister_device(generic_inputdev); +- else ++ if (!input_device_registered) { + input_free_device(generic_inputdev); ++ } else { ++ input_unregister_device(generic_inputdev); ++ ++ for (i = 0; i < ARRAY_SIZE(generic_sub_drivers); i++) ++ generic_subdriver_exit(&generic_sub_drivers[i]); ++ } + } + } + diff --git a/queue-6.6/platform-x86-intel-uncore-freq-fail-module-load-when-plat_info-is-null.patch b/queue-6.6/platform-x86-intel-uncore-freq-fail-module-load-when-plat_info-is-null.patch new file mode 100644 index 00000000000..47f3572d449 --- /dev/null +++ b/queue-6.6/platform-x86-intel-uncore-freq-fail-module-load-when-plat_info-is-null.patch @@ -0,0 +1,59 @@ +From 685f88c72a0c4d12d3bd2ff50286938f14486f85 Mon Sep 17 00:00:00 2001 +From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> +Date: Fri, 6 Jun 2025 13:53:00 -0700 +Subject: platform/x86/intel-uncore-freq: Fail module load when plat_info is NULL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> + +commit 685f88c72a0c4d12d3bd2ff50286938f14486f85 upstream. + +Address a Smatch static checker warning regarding an unchecked +dereference in the function call: +set_cdie_id(i, cluster_info, plat_info) +when plat_info is NULL. + +Instead of addressing this one case, in general if plat_info is NULL +then it can cause other issues. For example in a two package system it +will give warning for duplicate sysfs entry as package ID will be always +zero for both packages when creating string for attribute group name. + +plat_info is derived from TPMI ID TPMI_BUS_INFO, which is integral to +the core TPMI design. Therefore, it should not be NULL on a production +platform. Consequently, the module should fail to load if plat_info is +NULL. + +Reported-by: Dan Carpenter <dan.carpenter@linaro.org> +Closes: https://lore.kernel.org/platform-driver-x86/aEKvGCLd1qmX04Tc@stanley.mountain/T/#u +Fixes: 8a54e2253e4c ("platform/x86/intel-uncore-freq: Uncore frequency control via TPMI") +Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250606205300.2384494-1-srinivas.pandruvada@linux.intel.com +Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> +Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/platform/x86/intel/uncore-frequency/uncore-frequency-tpmi.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/platform/x86/intel/uncore-frequency/uncore-frequency-tpmi.c ++++ b/drivers/platform/x86/intel/uncore-frequency/uncore-frequency-tpmi.c +@@ -269,10 +269,13 @@ static int uncore_probe(struct auxiliary + + /* Get the package ID from the TPMI core */ + plat_info = tpmi_get_platform_data(auxdev); +- if (plat_info) +- pkg = plat_info->package_id; +- else ++ if (unlikely(!plat_info)) { + dev_info(&auxdev->dev, "Platform information is NULL\n"); ++ ret = -ENODEV; ++ goto err_rem_common; ++ } ++ ++ pkg = plat_info->package_id; + + for (i = 0; i < num_resources; ++i) { + struct tpmi_uncore_power_domain_info *pd_info; diff --git a/queue-6.6/scsi-s390-zfcp-ensure-synchronous-unit_add.patch b/queue-6.6/scsi-s390-zfcp-ensure-synchronous-unit_add.patch new file mode 100644 index 00000000000..e4b4279fc48 --- /dev/null +++ b/queue-6.6/scsi-s390-zfcp-ensure-synchronous-unit_add.patch @@ -0,0 +1,46 @@ +From 9697ca0d53e3db357be26d2414276143c4a2cd49 Mon Sep 17 00:00:00 2001 +From: Peter Oberparleiter <oberpar@linux.ibm.com> +Date: Tue, 3 Jun 2025 20:21:56 +0200 +Subject: scsi: s390: zfcp: Ensure synchronous unit_add + +From: Peter Oberparleiter <oberpar@linux.ibm.com> + +commit 9697ca0d53e3db357be26d2414276143c4a2cd49 upstream. + +Improve the usability of the unit_add sysfs attribute by ensuring that +the associated FCP LUN scan processing is completed synchronously. This +enables configuration tooling to consistently determine the end of the +scan process to allow for serialization of follow-on actions. + +While the scan process associated with unit_add typically completes +synchronously, it is deferred to an asynchronous background process if +unit_add is used before initial remote port scanning has completed. This +occurs when unit_add is used immediately after setting the associated FCP +device online. + +To ensure synchronous unit_add processing, wait for remote port scanning +to complete before initiating the FCP LUN scan. + +Cc: stable@vger.kernel.org +Reviewed-by: M Nikhil <nikh1092@linux.ibm.com> +Reviewed-by: Nihar Panda <niharp@linux.ibm.com> +Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com> +Signed-off-by: Nihar Panda <niharp@linux.ibm.com> +Link: https://lore.kernel.org/r/20250603182252.2287285-2-niharp@linux.ibm.com +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/s390/scsi/zfcp_sysfs.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/s390/scsi/zfcp_sysfs.c ++++ b/drivers/s390/scsi/zfcp_sysfs.c +@@ -450,6 +450,8 @@ static ssize_t zfcp_sysfs_unit_add_store + if (kstrtoull(buf, 0, (unsigned long long *) &fcp_lun)) + return -EINVAL; + ++ flush_work(&port->rport_work); ++ + retval = zfcp_unit_add(port, fcp_lun); + if (retval) + return retval; diff --git a/queue-6.6/scsi-storvsc-increase-the-timeouts-to-storvsc_timeout.patch b/queue-6.6/scsi-storvsc-increase-the-timeouts-to-storvsc_timeout.patch new file mode 100644 index 00000000000..94ffea874f1 --- /dev/null +++ b/queue-6.6/scsi-storvsc-increase-the-timeouts-to-storvsc_timeout.patch @@ -0,0 +1,76 @@ +From b2f966568faaad326de97481096d0f3dc0971c43 Mon Sep 17 00:00:00 2001 +From: Dexuan Cui <decui@microsoft.com> +Date: Fri, 6 Jun 2025 13:57:39 -0700 +Subject: scsi: storvsc: Increase the timeouts to storvsc_timeout + +From: Dexuan Cui <decui@microsoft.com> + +commit b2f966568faaad326de97481096d0f3dc0971c43 upstream. + +Currently storvsc_timeout is only used in storvsc_sdev_configure(), and +5s and 10s are used elsewhere. It turns out that rarely the 5s is not +enough on Azure, so let's use storvsc_timeout everywhere. + +In case a timeout happens and storvsc_channel_init() returns an error, +close the VMBus channel so that any host-to-guest messages in the +channel's ringbuffer, which might come late, can be safely ignored. + +Add a "const" to storvsc_timeout. + +Cc: stable@kernel.org +Signed-off-by: Dexuan Cui <decui@microsoft.com> +Link: https://lore.kernel.org/r/1749243459-10419-1-git-send-email-decui@microsoft.com +Reviewed-by: Long Li <longli@microsoft.com> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/scsi/storvsc_drv.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -362,7 +362,7 @@ MODULE_PARM_DESC(ring_avail_percent_lowa + /* + * Timeout in seconds for all devices managed by this driver. + */ +-static int storvsc_timeout = 180; ++static const int storvsc_timeout = 180; + + #if IS_ENABLED(CONFIG_SCSI_FC_ATTRS) + static struct scsi_transport_template *fc_transport_template; +@@ -768,7 +768,7 @@ static void handle_multichannel_storage + return; + } + +- t = wait_for_completion_timeout(&request->wait_event, 10*HZ); ++ t = wait_for_completion_timeout(&request->wait_event, storvsc_timeout * HZ); + if (t == 0) { + dev_err(dev, "Failed to create sub-channel: timed out\n"); + return; +@@ -833,7 +833,7 @@ static int storvsc_execute_vstor_op(stru + if (ret != 0) + return ret; + +- t = wait_for_completion_timeout(&request->wait_event, 5*HZ); ++ t = wait_for_completion_timeout(&request->wait_event, storvsc_timeout * HZ); + if (t == 0) + return -ETIMEDOUT; + +@@ -1351,6 +1351,8 @@ static int storvsc_connect_to_vsp(struct + return ret; + + ret = storvsc_channel_init(device, is_fc); ++ if (ret) ++ vmbus_close(device->channel); + + return ret; + } +@@ -1668,7 +1670,7 @@ static int storvsc_host_reset_handler(st + if (ret != 0) + return FAILED; + +- t = wait_for_completion_timeout(&request->wait_event, 5*HZ); ++ t = wait_for_completion_timeout(&request->wait_event, storvsc_timeout * HZ); + if (t == 0) + return TIMEOUT_ERROR; + diff --git a/queue-6.6/selftests-x86-add-a-test-to-detect-infinite-sigtrap-handler-loop.patch b/queue-6.6/selftests-x86-add-a-test-to-detect-infinite-sigtrap-handler-loop.patch new file mode 100644 index 00000000000..ba6e08eedf5 --- /dev/null +++ b/queue-6.6/selftests-x86-add-a-test-to-detect-infinite-sigtrap-handler-loop.patch @@ -0,0 +1,152 @@ +From f287822688eeb44ae1cf6ac45701d965efc33218 Mon Sep 17 00:00:00 2001 +From: "Xin Li (Intel)" <xin@zytor.com> +Date: Mon, 9 Jun 2025 01:40:54 -0700 +Subject: selftests/x86: Add a test to detect infinite SIGTRAP handler loop +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xin Li (Intel) <xin@zytor.com> + +commit f287822688eeb44ae1cf6ac45701d965efc33218 upstream. + +When FRED is enabled, if the Trap Flag (TF) is set without an external +debugger attached, it can lead to an infinite loop in the SIGTRAP +handler. To avoid this, the software event flag in the augmented SS +must be cleared, ensuring that no single-step trap remains pending when +ERETU completes. + +This test checks for that specific scenario—verifying whether the kernel +correctly prevents an infinite SIGTRAP loop in this edge case when FRED +is enabled. + +The test should _always_ pass with IDT event delivery, thus no need to +disable the test even when FRED is not enabled. + +Signed-off-by: Xin Li (Intel) <xin@zytor.com> +Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> +Tested-by: Sohil Mehta <sohil.mehta@intel.com> +Cc:stable@vger.kernel.org +Link: https://lore.kernel.org/all/20250609084054.2083189-3-xin%40zytor.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + tools/testing/selftests/x86/Makefile | 2 + tools/testing/selftests/x86/sigtrap_loop.c | 101 +++++++++++++++++++++++++++++ + 2 files changed, 102 insertions(+), 1 deletion(-) + create mode 100644 tools/testing/selftests/x86/sigtrap_loop.c + +--- a/tools/testing/selftests/x86/Makefile ++++ b/tools/testing/selftests/x86/Makefile +@@ -12,7 +12,7 @@ CAN_BUILD_WITH_NOPIE := $(shell ./check_ + + TARGETS_C_BOTHBITS := single_step_syscall sysret_ss_attrs syscall_nt test_mremap_vdso \ + check_initial_reg_state sigreturn iopl ioperm \ +- test_vsyscall mov_ss_trap \ ++ test_vsyscall mov_ss_trap sigtrap_loop \ + syscall_arg_fault fsgsbase_restore sigaltstack + TARGETS_C_32BIT_ONLY := entry_from_vm86 test_syscall_vdso unwind_vdso \ + test_FCMOV test_FCOMI test_FISTTP \ +--- /dev/null ++++ b/tools/testing/selftests/x86/sigtrap_loop.c +@@ -0,0 +1,101 @@ ++// SPDX-License-Identifier: GPL-2.0-only ++/* ++ * Copyright (C) 2025 Intel Corporation ++ */ ++#define _GNU_SOURCE ++ ++#include <err.h> ++#include <signal.h> ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++#include <sys/ucontext.h> ++ ++#ifdef __x86_64__ ++# define REG_IP REG_RIP ++#else ++# define REG_IP REG_EIP ++#endif ++ ++static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *), int flags) ++{ ++ struct sigaction sa; ++ ++ memset(&sa, 0, sizeof(sa)); ++ sa.sa_sigaction = handler; ++ sa.sa_flags = SA_SIGINFO | flags; ++ sigemptyset(&sa.sa_mask); ++ ++ if (sigaction(sig, &sa, 0)) ++ err(1, "sigaction"); ++ ++ return; ++} ++ ++static void sigtrap(int sig, siginfo_t *info, void *ctx_void) ++{ ++ ucontext_t *ctx = (ucontext_t *)ctx_void; ++ static unsigned int loop_count_on_same_ip; ++ static unsigned long last_trap_ip; ++ ++ if (last_trap_ip == ctx->uc_mcontext.gregs[REG_IP]) { ++ printf("\tTrapped at %016lx\n", last_trap_ip); ++ ++ /* ++ * If the same IP is hit more than 10 times in a row, it is ++ * _considered_ an infinite loop. ++ */ ++ if (++loop_count_on_same_ip > 10) { ++ printf("[FAIL]\tDetected SIGTRAP infinite loop\n"); ++ exit(1); ++ } ++ ++ return; ++ } ++ ++ loop_count_on_same_ip = 0; ++ last_trap_ip = ctx->uc_mcontext.gregs[REG_IP]; ++ printf("\tTrapped at %016lx\n", last_trap_ip); ++} ++ ++int main(int argc, char *argv[]) ++{ ++ sethandler(SIGTRAP, sigtrap, 0); ++ ++ /* ++ * Set the Trap Flag (TF) to single-step the test code, therefore to ++ * trigger a SIGTRAP signal after each instruction until the TF is ++ * cleared. ++ * ++ * Because the arithmetic flags are not significant here, the TF is ++ * set by pushing 0x302 onto the stack and then popping it into the ++ * flags register. ++ * ++ * Four instructions in the following asm code are executed with the ++ * TF set, thus the SIGTRAP handler is expected to run four times. ++ */ ++ printf("[RUN]\tSIGTRAP infinite loop detection\n"); ++ asm volatile( ++#ifdef __x86_64__ ++ /* ++ * Avoid clobbering the redzone ++ * ++ * Equivalent to "sub $128, %rsp", however -128 can be encoded ++ * in a single byte immediate while 128 uses 4 bytes. ++ */ ++ "add $-128, %rsp\n\t" ++#endif ++ "push $0x302\n\t" ++ "popf\n\t" ++ "nop\n\t" ++ "nop\n\t" ++ "push $0x202\n\t" ++ "popf\n\t" ++#ifdef __x86_64__ ++ "sub $-128, %rsp\n\t" ++#endif ++ ); ++ ++ printf("[OK]\tNo SIGTRAP infinite loop detected\n"); ++ return 0; ++} diff --git a/queue-6.6/selinux-fix-selinux_xfrm_alloc_user-to-set-correct-ctx_len.patch b/queue-6.6/selinux-fix-selinux_xfrm_alloc_user-to-set-correct-ctx_len.patch new file mode 100644 index 00000000000..385ecbb806c --- /dev/null +++ b/queue-6.6/selinux-fix-selinux_xfrm_alloc_user-to-set-correct-ctx_len.patch @@ -0,0 +1,41 @@ +From 86c8db86af43f52f682e53a0f2f0828683be1e52 Mon Sep 17 00:00:00 2001 +From: Stephen Smalley <stephen.smalley.work@gmail.com> +Date: Fri, 13 Jun 2025 15:37:05 -0400 +Subject: selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stephen Smalley <stephen.smalley.work@gmail.com> + +commit 86c8db86af43f52f682e53a0f2f0828683be1e52 upstream. + +We should count the terminating NUL byte as part of the ctx_len. +Otherwise, UBSAN logs a warning: + UBSAN: array-index-out-of-bounds in security/selinux/xfrm.c:99:14 + index 60 is out of range for type 'char [*]' + +The allocation itself is correct so there is no actual out of bounds +indexing, just a warning. + +Cc: stable@vger.kernel.org +Suggested-by: Christian Göttsche <cgzones@googlemail.com> +Link: https://lore.kernel.org/selinux/CAEjxPJ6tA5+LxsGfOJokzdPeRomBHjKLBVR6zbrg+_w3ZZbM3A@mail.gmail.com/ +Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> +Signed-off-by: Paul Moore <paul@paul-moore.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + security/selinux/xfrm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/selinux/xfrm.c ++++ b/security/selinux/xfrm.c +@@ -95,7 +95,7 @@ static int selinux_xfrm_alloc_user(struc + + ctx->ctx_doi = XFRM_SC_DOI_LSM; + ctx->ctx_alg = XFRM_SC_ALG_SELINUX; +- ctx->ctx_len = str_len; ++ ctx->ctx_len = str_len + 1; + memcpy(ctx->ctx_str, &uctx[1], str_len); + ctx->ctx_str[str_len] = '\0'; + rc = security_context_to_sid(ctx->ctx_str, str_len, diff --git a/queue-6.6/series b/queue-6.6/series index 49ce16ec5dd..fe72a79d7e1 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -206,3 +206,26 @@ platform-x86-dell_rbu-stop-overwriting-data-buffer.patch powerpc-vdso-fix-build-of-vdso32-with-pcrel.patch powerpc-eeh-fix-missing-pe-bridge-reconfiguration-du.patch revert-x86-bugs-make-spectre-user-default-depend-on-mitigation_spectre_v2-on-v6.6-and-older.patch +io_uring-fix-task-leak-issue-in-io_wq_create.patch +drivers-rapidio-rio_cm.c-prevent-possible-heap-overwrite.patch +platform-loongarch-laptop-get-brightness-setting-from-ec-on-probe.patch +platform-loongarch-laptop-unregister-generic_sub_drivers-on-exit.patch +platform-loongarch-laptop-add-backlight-power-control-support.patch +loongarch-avoid-using-r0-r1-as-mask-for-csrxchg.patch +loongarch-fix-panic-caused-by-null-pmd-in-huge_pte_offset.patch +jffs2-check-that-raw-node-were-preallocated-before-writing-summary.patch +jffs2-check-jffs2_prealloc_raw_node_refs-result-in-few-other-places.patch +cifs-deal-with-the-channel-loading-lag-while-picking-channels.patch +cifs-serialize-other-channels-when-query-server-interfaces-is-pending.patch +cifs-do-not-disable-interface-polling-on-failure.patch +smb-improve-directory-cache-reuse-for-readdir-operations.patch +scsi-storvsc-increase-the-timeouts-to-storvsc_timeout.patch +scsi-s390-zfcp-ensure-synchronous-unit_add.patch +net_sched-sch_sfq-reject-invalid-perturb-period.patch +net-clear-the-dst-when-changing-skb-protocol.patch +udmabuf-use-sgtable-based-scatterlist-wrappers.patch +selftests-x86-add-a-test-to-detect-infinite-sigtrap-handler-loop.patch +ksmbd-fix-null-pointer-dereference-in-destroy_previous_session.patch +selinux-fix-selinux_xfrm_alloc_user-to-set-correct-ctx_len.patch +platform-x86-intel-uncore-freq-fail-module-load-when-plat_info-is-null.patch +atm-revert-atm_account_tx-if-copy_from_iter_full-fails.patch diff --git a/queue-6.6/smb-improve-directory-cache-reuse-for-readdir-operations.patch b/queue-6.6/smb-improve-directory-cache-reuse-for-readdir-operations.patch new file mode 100644 index 00000000000..48b420b0f0e --- /dev/null +++ b/queue-6.6/smb-improve-directory-cache-reuse-for-readdir-operations.patch @@ -0,0 +1,153 @@ +From 72dd7961a4bb4fa1fc456169a61dd12e68e50645 Mon Sep 17 00:00:00 2001 +From: Bharath SM <bharathsm.hsk@gmail.com> +Date: Wed, 11 Jun 2025 16:59:02 +0530 +Subject: smb: improve directory cache reuse for readdir operations + +From: Bharath SM <bharathsm.hsk@gmail.com> + +commit 72dd7961a4bb4fa1fc456169a61dd12e68e50645 upstream. + +Currently, cached directory contents were not reused across subsequent +'ls' operations because the cache validity check relied on comparing +the ctx pointer, which changes with each readdir invocation. As a +result, the cached dir entries was not marked as valid and the cache was +not utilized for subsequent 'ls' operations. + +This change uses the file pointer, which remains consistent across all +readdir calls for a given directory instance, to associate and validate +the cache. As a result, cached directory contents can now be +correctly reused, improving performance for repeated directory listings. + +Performance gains with local windows SMB server: + +Without the patch and default actimeo=1: + 1000 directory enumeration operations on dir with 10k files took 135.0s + +With this patch and actimeo=0: + 1000 directory enumeration operations on dir with 10k files took just 5.1s + +Signed-off-by: Bharath SM <bharathsm@microsoft.com> +Reviewed-by: Shyam Prasad N <sprasad@microsoft.com> +Cc: stable@vger.kernel.org +Signed-off-by: Steve French <stfrench@microsoft.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/smb/client/cached_dir.h | 8 ++++---- + fs/smb/client/readdir.c | 28 +++++++++++++++------------- + 2 files changed, 19 insertions(+), 17 deletions(-) + +--- a/fs/smb/client/cached_dir.h ++++ b/fs/smb/client/cached_dir.h +@@ -21,10 +21,10 @@ struct cached_dirent { + struct cached_dirents { + bool is_valid:1; + bool is_failed:1; +- struct dir_context *ctx; /* +- * Only used to make sure we only take entries +- * from a single context. Never dereferenced. +- */ ++ struct file *file; /* ++ * Used to associate the cache with a single ++ * open file instance. ++ */ + struct mutex de_mutex; + int pos; /* Expected ctx->pos */ + struct list_head entries; +--- a/fs/smb/client/readdir.c ++++ b/fs/smb/client/readdir.c +@@ -850,9 +850,9 @@ static bool emit_cached_dirents(struct c + } + + static void update_cached_dirents_count(struct cached_dirents *cde, +- struct dir_context *ctx) ++ struct file *file) + { +- if (cde->ctx != ctx) ++ if (cde->file != file) + return; + if (cde->is_valid || cde->is_failed) + return; +@@ -861,9 +861,9 @@ static void update_cached_dirents_count( + } + + static void finished_cached_dirents_count(struct cached_dirents *cde, +- struct dir_context *ctx) ++ struct dir_context *ctx, struct file *file) + { +- if (cde->ctx != ctx) ++ if (cde->file != file) + return; + if (cde->is_valid || cde->is_failed) + return; +@@ -876,11 +876,12 @@ static void finished_cached_dirents_coun + static void add_cached_dirent(struct cached_dirents *cde, + struct dir_context *ctx, + const char *name, int namelen, +- struct cifs_fattr *fattr) ++ struct cifs_fattr *fattr, ++ struct file *file) + { + struct cached_dirent *de; + +- if (cde->ctx != ctx) ++ if (cde->file != file) + return; + if (cde->is_valid || cde->is_failed) + return; +@@ -910,7 +911,8 @@ static void add_cached_dirent(struct cac + static bool cifs_dir_emit(struct dir_context *ctx, + const char *name, int namelen, + struct cifs_fattr *fattr, +- struct cached_fid *cfid) ++ struct cached_fid *cfid, ++ struct file *file) + { + bool rc; + ino_t ino = cifs_uniqueid_to_ino_t(fattr->cf_uniqueid); +@@ -922,7 +924,7 @@ static bool cifs_dir_emit(struct dir_con + if (cfid) { + mutex_lock(&cfid->dirents.de_mutex); + add_cached_dirent(&cfid->dirents, ctx, name, namelen, +- fattr); ++ fattr, file); + mutex_unlock(&cfid->dirents.de_mutex); + } + +@@ -1022,7 +1024,7 @@ static int cifs_filldir(char *find_entry + cifs_prime_dcache(file_dentry(file), &name, &fattr); + + return !cifs_dir_emit(ctx, name.name, name.len, +- &fattr, cfid); ++ &fattr, cfid, file); + } + + +@@ -1073,8 +1075,8 @@ int cifs_readdir(struct file *file, stru + * we need to initialize scanning and storing the + * directory content. + */ +- if (ctx->pos == 0 && cfid->dirents.ctx == NULL) { +- cfid->dirents.ctx = ctx; ++ if (ctx->pos == 0 && cfid->dirents.file == NULL) { ++ cfid->dirents.file = file; + cfid->dirents.pos = 2; + } + /* +@@ -1142,7 +1144,7 @@ int cifs_readdir(struct file *file, stru + } else { + if (cfid) { + mutex_lock(&cfid->dirents.de_mutex); +- finished_cached_dirents_count(&cfid->dirents, ctx); ++ finished_cached_dirents_count(&cfid->dirents, ctx, file); + mutex_unlock(&cfid->dirents.de_mutex); + } + cifs_dbg(FYI, "Could not find entry\n"); +@@ -1183,7 +1185,7 @@ int cifs_readdir(struct file *file, stru + ctx->pos++; + if (cfid) { + mutex_lock(&cfid->dirents.de_mutex); +- update_cached_dirents_count(&cfid->dirents, ctx); ++ update_cached_dirents_count(&cfid->dirents, file); + mutex_unlock(&cfid->dirents.de_mutex); + } + diff --git a/queue-6.6/udmabuf-use-sgtable-based-scatterlist-wrappers.patch b/queue-6.6/udmabuf-use-sgtable-based-scatterlist-wrappers.patch new file mode 100644 index 00000000000..b84870dc4cc --- /dev/null +++ b/queue-6.6/udmabuf-use-sgtable-based-scatterlist-wrappers.patch @@ -0,0 +1,50 @@ +From afe382843717d44b24ef5014d57dcbaab75a4052 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski <m.szyprowski@samsung.com> +Date: Wed, 7 May 2025 18:09:12 +0200 +Subject: udmabuf: use sgtable-based scatterlist wrappers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Szyprowski <m.szyprowski@samsung.com> + +commit afe382843717d44b24ef5014d57dcbaab75a4052 upstream. + +Use common wrappers operating directly on the struct sg_table objects to +fix incorrect use of scatterlists sync calls. dma_sync_sg_for_*() +functions have to be called with the number of elements originally passed +to dma_map_sg_*() function, not the one returned in sgtable's nents. + +Fixes: 1ffe09590121 ("udmabuf: fix dma-buf cpu access") +CC: stable@vger.kernel.org +Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> +Acked-by: Vivek Kasireddy <vivek.kasireddy@intel.com> +Reviewed-by: Christian König <christian.koenig@amd.com> +Signed-off-by: Christian König <christian.koenig@amd.com> +Link: https://lore.kernel.org/r/20250507160913.2084079-3-m.szyprowski@samsung.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/dma-buf/udmabuf.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/dma-buf/udmabuf.c ++++ b/drivers/dma-buf/udmabuf.c +@@ -161,8 +161,7 @@ static int begin_cpu_udmabuf(struct dma_ + ubuf->sg = NULL; + } + } else { +- dma_sync_sg_for_cpu(dev, ubuf->sg->sgl, ubuf->sg->nents, +- direction); ++ dma_sync_sgtable_for_cpu(dev, ubuf->sg, direction); + } + + return ret; +@@ -177,7 +176,7 @@ static int end_cpu_udmabuf(struct dma_bu + if (!ubuf->sg) + return -EINVAL; + +- dma_sync_sg_for_device(dev, ubuf->sg->sgl, ubuf->sg->nents, direction); ++ dma_sync_sgtable_for_device(dev, ubuf->sg, direction); + return 0; + } + |