31 files changed, 2322 insertions, 0 deletions
diff --git a/queue-6.12/atm-revert-atm_account_tx-if-copy_from_iter_full-fails.patch b/queue-6.12/atm-revert-atm_account_tx-if-copy_from_iter_full-fails.patch new file mode 100644 index 00000000000..edb71bbf27d --- /dev/null +++ b/queue-6.12/atm-revert-atm_account_tx-if-copy_from_iter_full-fails.patch @@ -0,0 +1,75 @@ +From 7851263998d4269125fd6cb3fdbfc7c6db853859 Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima <kuniyu@google.com> +Date: Mon, 16 Jun 2025 11:21:15 -0700 +Subject: atm: Revert atm_account_tx() if copy_from_iter_full() fails. + +From: Kuniyuki Iwashima <kuniyu@google.com> + +commit 7851263998d4269125fd6cb3fdbfc7c6db853859 upstream. + +In vcc_sendmsg(), we account skb->truesize to sk->sk_wmem_alloc by +atm_account_tx(). + +It is expected to be reverted by atm_pop_raw() later called by +vcc->dev->ops->send(vcc, skb). + +However, vcc_sendmsg() misses the same revert when copy_from_iter_full() +fails, and then we will leak a socket. + +Let's factorise the revert part as atm_return_tx() and call it in +the failure path. + +Note that the corresponding sk_wmem_alloc operation can be found in +alloc_tx() as of the blamed commit. + + $ git blame -L:alloc_tx net/atm/common.c c55fa3cccbc2c~ + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Simon Horman <horms@kernel.org> +Closes: https://lore.kernel.org/netdev/20250614161959.GR414686@horms.kernel.org/ +Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> +Link: https://patch.msgid.link/20250616182147.963333-3-kuni1840@gmail.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + include/linux/atmdev.h | 6 ++++++ + net/atm/common.c | 1 + + net/atm/raw.c | 2 +- + 3 files changed, 8 insertions(+), 1 deletion(-) + +--- a/include/linux/atmdev.h ++++ b/include/linux/atmdev.h +@@ -249,6 +249,12 @@ static inline void atm_account_tx(struct + ATM_SKB(skb)->atm_options = vcc->atm_options; + } + ++static inline void atm_return_tx(struct atm_vcc *vcc, struct sk_buff *skb) ++{ ++ WARN_ON_ONCE(refcount_sub_and_test(ATM_SKB(skb)->acct_truesize, ++ &sk_atm(vcc)->sk_wmem_alloc)); ++} ++ + static inline void atm_force_charge(struct atm_vcc *vcc,int truesize) + { + atomic_add(truesize, &sk_atm(vcc)->sk_rmem_alloc); +--- a/net/atm/common.c ++++ b/net/atm/common.c +@@ -635,6 +635,7 @@ int vcc_sendmsg(struct socket *sock, str + + skb->dev = NULL; /* for paths shared with net_device interfaces */ + if (!copy_from_iter_full(skb_put(skb, size), size, &m->msg_iter)) { ++ atm_return_tx(vcc, skb); + kfree_skb(skb); + error = -EFAULT; + goto out; +--- a/net/atm/raw.c ++++ b/net/atm/raw.c +@@ -36,7 +36,7 @@ static void atm_pop_raw(struct atm_vcc * + + pr_debug("(%d) %d -= %d\n", + vcc->vci, sk_wmem_alloc_get(sk), ATM_SKB(skb)->acct_truesize); +- WARN_ON(refcount_sub_and_test(ATM_SKB(skb)->acct_truesize, &sk->sk_wmem_alloc)); ++ atm_return_tx(vcc, skb); + dev_kfree_skb_any(skb); + sk->sk_write_space(sk); + } diff --git a/queue-6.12/cifs-deal-with-the-channel-loading-lag-while-picking-channels.patch b/queue-6.12/cifs-deal-with-the-channel-loading-lag-while-picking-channels.patch new file mode 100644 index 00000000000..036dba8f388 --- /dev/null +++ b/queue-6.12/cifs-deal-with-the-channel-loading-lag-while-picking-channels.patch @@ -0,0 +1,78 @@ +From 66d590b828b1fd9fa337047ae58fe1c4c6f43609 Mon Sep 17 00:00:00 2001 +From: Shyam Prasad N <sprasad@microsoft.com> +Date: Mon, 2 Jun 2025 22:37:12 +0530 +Subject: cifs: deal with the channel loading lag while picking channels + +From: Shyam Prasad N 
<sprasad@microsoft.com> + +commit 66d590b828b1fd9fa337047ae58fe1c4c6f43609 upstream. + +Our current approach to select a channel for sending requests is this: +1. iterate all channels to find the min and max queue depth +2. if min and max are not the same, pick the channel with min depth +3. if min and max are same, round robin, as all channels are equally loaded + +The problem with this approach is that there's a lag between selecting +a channel and sending the request (that increases the queue depth on the channel). +While these numbers will eventually catch up, there could be a skew in the +channel usage, depending on the application's I/O parallelism and the server's +speed of handling requests. + +With sufficient parallelism, this lag can artificially increase the queue depth, +thereby impacting the performance negatively. + +This change will change the step 1 above to start the iteration from the last +selected channel. This is to reduce the skew in channel usage even in the presence +of this lag. + +Fixes: ea90708d3cf3 ("cifs: use the least loaded channel for sending requests") +Cc: <stable@vger.kernel.org> +Signed-off-by: Shyam Prasad N <sprasad@microsoft.com> +Signed-off-by: Steve French <stfrench@microsoft.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/smb/client/transport.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/fs/smb/client/transport.c ++++ b/fs/smb/client/transport.c +@@ -1029,14 +1029,16 @@ struct TCP_Server_Info *cifs_pick_channe + uint index = 0; + unsigned int min_in_flight = UINT_MAX, max_in_flight = 0; + struct TCP_Server_Info *server = NULL; +- int i; ++ int i, start, cur; + + if (!ses) + return NULL; + + spin_lock(&ses->chan_lock); ++ start = atomic_inc_return(&ses->chan_seq); + for (i = 0; i < ses->chan_count; i++) { +- server = ses->chans[i].server; ++ cur = (start + i) % ses->chan_count; ++ server = ses->chans[cur].server; + if (!server || server->terminate) + continue; + +@@ -1053,17 +1055,15 @@ struct TCP_Server_Info *cifs_pick_channe + */ + if (server->in_flight < min_in_flight) { + min_in_flight = server->in_flight; +- index = i; ++ index = cur; + } + if (server->in_flight > max_in_flight) + max_in_flight = server->in_flight; + } + + /* if all channels are equally loaded, fall back to round-robin */ +- if (min_in_flight == max_in_flight) { +- index = (uint)atomic_inc_return(&ses->chan_seq); +- index %= ses->chan_count; +- } ++ if (min_in_flight == max_in_flight) ++ index = (uint)start % ses->chan_count; + + server = ses->chans[index].server; + spin_unlock(&ses->chan_lock); diff --git a/queue-6.12/cifs-do-not-disable-interface-polling-on-failure.patch b/queue-6.12/cifs-do-not-disable-interface-polling-on-failure.patch new file mode 100644 index 00000000000..ca3fdc704ff --- /dev/null +++ b/queue-6.12/cifs-do-not-disable-interface-polling-on-failure.patch @@ -0,0 +1,69 @@ +From 42ca547b13a20e7cbb04fbdf8d5f089ac4bb35b7 Mon Sep 17 00:00:00 2001 +From: Shyam Prasad N <sprasad@microsoft.com> +Date: Mon, 2 Jun 2025 22:37:17 +0530 +Subject: cifs: do not disable interface polling on failure + +From: Shyam Prasad N <sprasad@microsoft.com> + +commit 42ca547b13a20e7cbb04fbdf8d5f089ac4bb35b7 upstream. + +When a server has multichannel enabled, we keep polling the server +for interfaces periodically. However, when this query fails, we +disable the polling. This can be problematic as it takes away the +chance for the server to start advertizing again. 
+ +This change reschedules the delayed work, even if the current call +failed. That way, multichannel sessions can recover. + +Signed-off-by: Shyam Prasad N <sprasad@microsoft.com> +Cc: stable@vger.kernel.org +Signed-off-by: Steve French <stfrench@microsoft.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/smb/client/connect.c | 6 +----- + fs/smb/client/smb2pdu.c | 9 +++++---- + 2 files changed, 6 insertions(+), 9 deletions(-) + +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -132,13 +132,9 @@ static void smb2_query_server_interfaces + rc = server->ops->query_server_interfaces(xid, tcon, false); + free_xid(xid); + +- if (rc) { +- if (rc == -EOPNOTSUPP) +- return; +- ++ if (rc) + cifs_dbg(FYI, "%s: failed to query server interfaces: %d\n", + __func__, rc); +- } + + queue_delayed_work(cifsiod_wq, &tcon->query_interfaces, + (SMB_INTERFACE_POLL_INTERVAL * HZ)); +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -440,6 +440,10 @@ skip_sess_setup: + free_xid(xid); + ses->flags &= ~CIFS_SES_FLAGS_PENDING_QUERY_INTERFACES; + ++ /* regardless of rc value, setup polling */ ++ queue_delayed_work(cifsiod_wq, &tcon->query_interfaces, ++ (SMB_INTERFACE_POLL_INTERVAL * HZ)); ++ + mutex_unlock(&ses->session_mutex); + + if (rc == -EOPNOTSUPP && ses->chan_count > 1) { +@@ -460,11 +464,8 @@ skip_sess_setup: + if (ses->chan_max > ses->chan_count && + ses->iface_count && + !SERVER_IS_CHAN(server)) { +- if (ses->chan_count == 1) { ++ if (ses->chan_count == 1) + cifs_server_dbg(VFS, "supports multichannel now\n"); +- queue_delayed_work(cifsiod_wq, &tcon->query_interfaces, +- (SMB_INTERFACE_POLL_INTERVAL * HZ)); +- } + + cifs_try_adding_channels(ses); + } diff --git a/queue-6.12/cifs-serialize-other-channels-when-query-server-interfaces-is-pending.patch b/queue-6.12/cifs-serialize-other-channels-when-query-server-interfaces-is-pending.patch new file mode 100644 index 00000000000..e006b9e9837 --- /dev/null +++ b/queue-6.12/cifs-serialize-other-channels-when-query-server-interfaces-is-pending.patch @@ -0,0 +1,86 @@ +From b5e3e6e28cf3853566ba5d816f79aba5be579158 Mon Sep 17 00:00:00 2001 +From: Shyam Prasad N <sprasad@microsoft.com> +Date: Mon, 2 Jun 2025 22:37:15 +0530 +Subject: cifs: serialize other channels when query server interfaces is pending + +From: Shyam Prasad N <sprasad@microsoft.com> + +commit b5e3e6e28cf3853566ba5d816f79aba5be579158 upstream. + +Today, during smb2_reconnect, session_mutex is released as soon as +the tcon is reconnected and is in a good state. However, in case +multichannel is enabled, there is also a query of server interfaces that +follows. We've seen that this query can race with reconnects of other +channels, causing them to step on each other with reconnects. + +This change extends the hold of session_mutex till after the query of +server interfaces is complete. In order to avoid recursive smb2_reconnect +checks during query ioctl, this change also introduces a session flag +for sessions where such a query is in progress. 
+ +Signed-off-by: Shyam Prasad N <sprasad@microsoft.com> +Cc: stable@vger.kernel.org +Signed-off-by: Steve French <stfrench@microsoft.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/smb/client/cifsglob.h | 1 + + fs/smb/client/smb2pdu.c | 24 ++++++++++++++++++------ + 2 files changed, 19 insertions(+), 6 deletions(-) + +--- a/fs/smb/client/cifsglob.h ++++ b/fs/smb/client/cifsglob.h +@@ -1058,6 +1058,7 @@ struct cifs_chan { + }; + + #define CIFS_SES_FLAG_SCALE_CHANNELS (0x1) ++#define CIFS_SES_FLAGS_PENDING_QUERY_INTERFACES (0x2) + + /* + * Session structure. One of these for each uid session with a particular host +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -428,14 +428,19 @@ skip_sess_setup: + if (!rc && + (server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL) && + server->ops->query_server_interfaces) { +- mutex_unlock(&ses->session_mutex); +- + /* +- * query server network interfaces, in case they change ++ * query server network interfaces, in case they change. ++ * Also mark the session as pending this update while the query ++ * is in progress. This will be used to avoid calling ++ * smb2_reconnect recursively. + */ ++ ses->flags |= CIFS_SES_FLAGS_PENDING_QUERY_INTERFACES; + xid = get_xid(); + rc = server->ops->query_server_interfaces(xid, tcon, false); + free_xid(xid); ++ ses->flags &= ~CIFS_SES_FLAGS_PENDING_QUERY_INTERFACES; ++ ++ mutex_unlock(&ses->session_mutex); + + if (rc == -EOPNOTSUPP && ses->chan_count > 1) { + /* +@@ -577,11 +582,18 @@ static int smb2_ioctl_req_init(u32 opcod + struct TCP_Server_Info *server, + void **request_buf, unsigned int *total_len) + { +- /* Skip reconnect only for FSCTL_VALIDATE_NEGOTIATE_INFO IOCTLs */ +- if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO) { ++ /* ++ * Skip reconnect in one of the following cases: ++ * 1. For FSCTL_VALIDATE_NEGOTIATE_INFO IOCTLs ++ * 2. For FSCTL_QUERY_NETWORK_INTERFACE_INFO IOCTL when called from ++ * smb2_reconnect (indicated by CIFS_SES_FLAG_SCALE_CHANNELS ses flag) ++ */ ++ if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO || ++ (opcode == FSCTL_QUERY_NETWORK_INTERFACE_INFO && ++ (tcon->ses->flags & CIFS_SES_FLAGS_PENDING_QUERY_INTERFACES))) + return __smb2_plain_req_init(SMB2_IOCTL, tcon, server, + request_buf, total_len); +- } ++ + return smb2_plain_req_init(SMB2_IOCTL, tcon, server, + request_buf, total_len); + } diff --git a/queue-6.12/drivers-rapidio-rio_cm.c-prevent-possible-heap-overwrite.patch b/queue-6.12/drivers-rapidio-rio_cm.c-prevent-possible-heap-overwrite.patch new file mode 100644 index 00000000000..1c0f5b2a5aa --- /dev/null +++ b/queue-6.12/drivers-rapidio-rio_cm.c-prevent-possible-heap-overwrite.patch @@ -0,0 +1,47 @@ +From 50695153d7ddde3b1696dbf0085be0033bf3ddb3 Mon Sep 17 00:00:00 2001 +From: Andrew Morton <akpm@linux-foundation.org> +Date: Sat, 7 Jun 2025 17:43:18 -0700 +Subject: drivers/rapidio/rio_cm.c: prevent possible heap overwrite + +From: Andrew Morton <akpm@linux-foundation.org> + +commit 50695153d7ddde3b1696dbf0085be0033bf3ddb3 upstream. + +In + +riocm_cdev_ioctl(RIO_CM_CHAN_SEND) + -> cm_chan_msg_send() + -> riocm_ch_send() + +cm_chan_msg_send() checks that userspace didn't send too much data but +riocm_ch_send() failed to check that userspace sent sufficient data. The +result is that riocm_ch_send() can write to fields in the rio_ch_chan_hdr +which were outside the bounds of the space which cm_chan_msg_send() +allocated. + +Address this by teaching riocm_ch_send() to check that the entire +rio_ch_chan_hdr was copied in from userspace. 
+ +Reported-by: maher azz <maherazz04@gmail.com> +Cc: Matt Porter <mporter@kernel.crashing.org> +Cc: Alexandre Bounine <alex.bou9@gmail.com> +Cc: Linus Torvalds <torvalds@linuxfoundation.org> +Cc: <stable@vger.kernel.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/rapidio/rio_cm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/rapidio/rio_cm.c ++++ b/drivers/rapidio/rio_cm.c +@@ -789,6 +789,9 @@ static int riocm_ch_send(u16 ch_id, void + if (buf == NULL || ch_id == 0 || len == 0 || len > RIO_MAX_MSG_SIZE) + return -EINVAL; + ++ if (len < sizeof(struct rio_ch_chan_hdr)) ++ return -EINVAL; /* insufficient data from user */ ++ + ch = riocm_get_channel(ch_id); + if (!ch) { + riocm_error("%s(%d) ch_%d not found", current->comm, diff --git a/queue-6.12/io_uring-fix-task-leak-issue-in-io_wq_create.patch b/queue-6.12/io_uring-fix-task-leak-issue-in-io_wq_create.patch new file mode 100644 index 00000000000..f9937d31d7e --- /dev/null +++ b/queue-6.12/io_uring-fix-task-leak-issue-in-io_wq_create.patch @@ -0,0 +1,35 @@ +From 89465d923bda180299e69ee2800aab84ad0ba689 Mon Sep 17 00:00:00 2001 +From: Penglei Jiang <superman.xpt@gmail.com> +Date: Sun, 15 Jun 2025 09:39:06 -0700 +Subject: io_uring: fix task leak issue in io_wq_create() + +From: Penglei Jiang <superman.xpt@gmail.com> + +commit 89465d923bda180299e69ee2800aab84ad0ba689 upstream. + +Add missing put_task_struct() in the error path + +Cc: stable@vger.kernel.org +Fixes: 0f8baa3c9802 ("io-wq: fully initialize wqe before calling cpuhp_state_add_instance_nocalls()") +Signed-off-by: Penglei Jiang <superman.xpt@gmail.com> +Link: https://lore.kernel.org/r/20250615163906.2367-1-superman.xpt@gmail.com +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + io_uring/io-wq.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/io_uring/io-wq.c ++++ b/io_uring/io-wq.c +@@ -1204,8 +1204,10 @@ struct io_wq *io_wq_create(unsigned boun + atomic_set(&wq->worker_refs, 1); + init_completion(&wq->worker_done); + ret = cpuhp_state_add_instance_nocalls(io_wq_online, &wq->cpuhp_node); +- if (ret) ++ if (ret) { ++ put_task_struct(wq->task); + goto err; ++ } + + return wq; + err: diff --git a/queue-6.12/io_uring-kbuf-don-t-truncate-end-buffer-for-multiple-buffer-peeks.patch b/queue-6.12/io_uring-kbuf-don-t-truncate-end-buffer-for-multiple-buffer-peeks.patch new file mode 100644 index 00000000000..d9f39bd051c --- /dev/null +++ b/queue-6.12/io_uring-kbuf-don-t-truncate-end-buffer-for-multiple-buffer-peeks.patch @@ -0,0 +1,38 @@ +From 26ec15e4b0c1d7b25214d9c0be1d50492e2f006c Mon Sep 17 00:00:00 2001 +From: Jens Axboe <axboe@kernel.dk> +Date: Fri, 13 Jun 2025 11:01:49 -0600 +Subject: io_uring/kbuf: don't truncate end buffer for multiple buffer peeks + +From: Jens Axboe <axboe@kernel.dk> + +commit 26ec15e4b0c1d7b25214d9c0be1d50492e2f006c upstream. + +If peeking a bunch of buffers, normally io_ring_buffers_peek() will +truncate the end buffer. This isn't optimal as presumably more data will +be arriving later, and hence it's better to stop with the last full +buffer rather than truncate the end buffer. 
+ +Cc: stable@vger.kernel.org +Fixes: 35c8711c8fc4 ("io_uring/kbuf: add helpers for getting/peeking multiple buffers") +Reported-by: Christian Mazakas <christian.mazakas@gmail.com> +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + io_uring/kbuf.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/io_uring/kbuf.c ++++ b/io_uring/kbuf.c +@@ -262,8 +262,11 @@ static int io_ring_buffers_peek(struct i + /* truncate end piece, if needed, for non partial buffers */ + if (len > arg->max_len) { + len = arg->max_len; +- if (!(bl->flags & IOBL_INC)) ++ if (!(bl->flags & IOBL_INC)) { ++ if (iov != arg->iovs) ++ break; + buf->len = len; ++ } + } + + iov->iov_base = u64_to_user_ptr(buf->addr); diff --git a/queue-6.12/jffs2-check-jffs2_prealloc_raw_node_refs-result-in-few-other-places.patch b/queue-6.12/jffs2-check-jffs2_prealloc_raw_node_refs-result-in-few-other-places.patch new file mode 100644 index 00000000000..6f1aef7a000 --- /dev/null +++ b/queue-6.12/jffs2-check-jffs2_prealloc_raw_node_refs-result-in-few-other-places.patch @@ -0,0 +1,80 @@ +From 2b6d96503255a3ed676cd70f8368870c6d6a25c6 Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin <pchelkin@ispras.ru> +Date: Tue, 25 Mar 2025 19:32:13 +0300 +Subject: jffs2: check jffs2_prealloc_raw_node_refs() result in few other places + +From: Fedor Pchelkin <pchelkin@ispras.ru> + +commit 2b6d96503255a3ed676cd70f8368870c6d6a25c6 upstream. + +Fuzzing hit another invalid pointer dereference due to the lack of +checking whether jffs2_prealloc_raw_node_refs() completed successfully. +Subsequent logic implies that the node refs have been allocated. + +Handle that. The code is ready for propagating the error upwards. + +KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] +CPU: 1 PID: 5835 Comm: syz-executor145 Not tainted 5.10.234-syzkaller #0 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +RIP: 0010:jffs2_link_node_ref+0xac/0x690 fs/jffs2/nodelist.c:600 +Call Trace: + jffs2_mark_erased_block fs/jffs2/erase.c:460 [inline] + jffs2_erase_pending_blocks+0x688/0x1860 fs/jffs2/erase.c:118 + jffs2_garbage_collect_pass+0x638/0x1a00 fs/jffs2/gc.c:253 + jffs2_reserve_space+0x3f4/0xad0 fs/jffs2/nodemgmt.c:167 + jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362 + jffs2_write_end+0x712/0x1110 fs/jffs2/file.c:302 + generic_perform_write+0x2c2/0x500 mm/filemap.c:3347 + __generic_file_write_iter+0x252/0x610 mm/filemap.c:3465 + generic_file_write_iter+0xdb/0x230 mm/filemap.c:3497 + call_write_iter include/linux/fs.h:2039 [inline] + do_iter_readv_writev+0x46d/0x750 fs/read_write.c:740 + do_iter_write+0x18c/0x710 fs/read_write.c:866 + vfs_writev+0x1db/0x6a0 fs/read_write.c:939 + do_pwritev fs/read_write.c:1036 [inline] + __do_sys_pwritev fs/read_write.c:1083 [inline] + __se_sys_pwritev fs/read_write.c:1078 [inline] + __x64_sys_pwritev+0x235/0x310 fs/read_write.c:1078 + do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x67/0xd1 + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. 
+ +Fixes: 2f785402f39b ("[JFFS2] Reduce visibility of raw_node_ref to upper layers of JFFS2 code.") +Fixes: f560928baa60 ("[JFFS2] Allocate node_ref for wasted space when skipping to page boundary") +Cc: stable@vger.kernel.org +Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru> +Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com> +Signed-off-by: Richard Weinberger <richard@nod.at> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/jffs2/erase.c | 4 +++- + fs/jffs2/scan.c | 4 +++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/jffs2/erase.c ++++ b/fs/jffs2/erase.c +@@ -425,7 +425,9 @@ static void jffs2_mark_erased_block(stru + .totlen = cpu_to_je32(c->cleanmarker_size) + }; + +- jffs2_prealloc_raw_node_refs(c, jeb, 1); ++ ret = jffs2_prealloc_raw_node_refs(c, jeb, 1); ++ if (ret) ++ goto filebad; + + marker.hdr_crc = cpu_to_je32(crc32(0, &marker, sizeof(struct jffs2_unknown_node)-4)); + +--- a/fs/jffs2/scan.c ++++ b/fs/jffs2/scan.c +@@ -256,7 +256,9 @@ int jffs2_scan_medium(struct jffs2_sb_in + + jffs2_dbg(1, "%s(): Skipping %d bytes in nextblock to ensure page alignment\n", + __func__, skip); +- jffs2_prealloc_raw_node_refs(c, c->nextblock, 1); ++ ret = jffs2_prealloc_raw_node_refs(c, c->nextblock, 1); ++ if (ret) ++ goto out; + jffs2_scan_dirty_space(c, c->nextblock, skip); + } + #endif diff --git a/queue-6.12/jffs2-check-that-raw-node-were-preallocated-before-writing-summary.patch b/queue-6.12/jffs2-check-that-raw-node-were-preallocated-before-writing-summary.patch new file mode 100644 index 00000000000..ad59dd44def --- /dev/null +++ b/queue-6.12/jffs2-check-that-raw-node-were-preallocated-before-writing-summary.patch @@ -0,0 +1,87 @@ +From ec9e6f22bce433b260ea226de127ec68042849b0 Mon Sep 17 00:00:00 2001 +From: Artem Sadovnikov <a.sadovnikov@ispras.ru> +Date: Fri, 7 Mar 2025 16:34:09 +0000 +Subject: jffs2: check that raw node were preallocated before writing summary + +From: Artem Sadovnikov <a.sadovnikov@ispras.ru> + +commit ec9e6f22bce433b260ea226de127ec68042849b0 upstream. + +Syzkaller detected a kernel bug in jffs2_link_node_ref, caused by fault +injection in jffs2_prealloc_raw_node_refs. jffs2_sum_write_sumnode doesn't +check return value of jffs2_prealloc_raw_node_refs and simply lets any +error propagate into jffs2_sum_write_data, which eventually calls +jffs2_link_node_ref in order to link the summary to an expectedly allocated +node. + +kernel BUG at fs/jffs2/nodelist.c:592! 
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI +CPU: 1 PID: 31277 Comm: syz-executor.7 Not tainted 6.1.128-syzkaller-00139-ge10f83ca10a1 #0 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +RIP: 0010:jffs2_link_node_ref+0x570/0x690 fs/jffs2/nodelist.c:592 +Call Trace: + <TASK> + jffs2_sum_write_data fs/jffs2/summary.c:841 [inline] + jffs2_sum_write_sumnode+0xd1a/0x1da0 fs/jffs2/summary.c:874 + jffs2_do_reserve_space+0xa18/0xd60 fs/jffs2/nodemgmt.c:388 + jffs2_reserve_space+0x55f/0xaa0 fs/jffs2/nodemgmt.c:197 + jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362 + jffs2_write_end+0x726/0x15d0 fs/jffs2/file.c:301 + generic_perform_write+0x314/0x5d0 mm/filemap.c:3856 + __generic_file_write_iter+0x2ae/0x4d0 mm/filemap.c:3973 + generic_file_write_iter+0xe3/0x350 mm/filemap.c:4005 + call_write_iter include/linux/fs.h:2265 [inline] + do_iter_readv_writev+0x20f/0x3c0 fs/read_write.c:735 + do_iter_write+0x186/0x710 fs/read_write.c:861 + vfs_iter_write+0x70/0xa0 fs/read_write.c:902 + iter_file_splice_write+0x73b/0xc90 fs/splice.c:685 + do_splice_from fs/splice.c:763 [inline] + direct_splice_actor+0x10c/0x170 fs/splice.c:950 + splice_direct_to_actor+0x337/0xa10 fs/splice.c:896 + do_splice_direct+0x1a9/0x280 fs/splice.c:1002 + do_sendfile+0xb13/0x12c0 fs/read_write.c:1255 + __do_sys_sendfile64 fs/read_write.c:1323 [inline] + __se_sys_sendfile64 fs/read_write.c:1309 [inline] + __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +Fix this issue by checking return value of jffs2_prealloc_raw_node_refs +before calling jffs2_sum_write_data. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. 
+ +Cc: stable@vger.kernel.org +Fixes: 2f785402f39b ("[JFFS2] Reduce visibility of raw_node_ref to upper layers of JFFS2 code.") +Signed-off-by: Artem Sadovnikov <a.sadovnikov@ispras.ru> +Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com> +Signed-off-by: Richard Weinberger <richard@nod.at> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/jffs2/summary.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/jffs2/summary.c ++++ b/fs/jffs2/summary.c +@@ -858,7 +858,10 @@ int jffs2_sum_write_sumnode(struct jffs2 + spin_unlock(&c->erase_completion_lock); + + jeb = c->nextblock; +- jffs2_prealloc_raw_node_refs(c, jeb, 1); ++ ret = jffs2_prealloc_raw_node_refs(c, jeb, 1); ++ ++ if (ret) ++ goto out; + + if (!c->summary->sum_num || !c->summary->sum_list_head) { + JFFS2_WARNING("Empty summary info!!!\n"); +@@ -872,6 +875,8 @@ int jffs2_sum_write_sumnode(struct jffs2 + datasize += padsize; + + ret = jffs2_sum_write_data(c, jeb, infosize, datasize, padsize); ++ ++out: + spin_lock(&c->erase_completion_lock); + return ret; + } diff --git a/queue-6.12/ksmbd-fix-null-pointer-dereference-in-destroy_previous_session.patch b/queue-6.12/ksmbd-fix-null-pointer-dereference-in-destroy_previous_session.patch new file mode 100644 index 00000000000..574471fab3e --- /dev/null +++ b/queue-6.12/ksmbd-fix-null-pointer-dereference-in-destroy_previous_session.patch @@ -0,0 +1,50 @@ +From 7ac5b66acafcc9292fb935d7e03790f2b8b2dc0e Mon Sep 17 00:00:00 2001 +From: Namjae Jeon <linkinjeon@kernel.org> +Date: Fri, 13 Jun 2025 10:12:43 +0900 +Subject: ksmbd: fix null pointer dereference in destroy_previous_session + +From: Namjae Jeon <linkinjeon@kernel.org> + +commit 7ac5b66acafcc9292fb935d7e03790f2b8b2dc0e upstream. + +If client set ->PreviousSessionId on kerberos session setup stage, +NULL pointer dereference error will happen. Since sess->user is not +set yet, It can pass the user argument as NULL to destroy_previous_session. +sess->user will be set in ksmbd_krb5_authenticate(). So this patch move +calling destroy_previous_session() after ksmbd_krb5_authenticate(). 
+ +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-27391 +Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> +Signed-off-by: Steve French <stfrench@microsoft.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/smb/server/smb2pdu.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -1605,17 +1605,18 @@ static int krb5_authenticate(struct ksmb + out_len = work->response_sz - + (le16_to_cpu(rsp->SecurityBufferOffset) + 4); + +- /* Check previous session */ +- prev_sess_id = le64_to_cpu(req->PreviousSessionId); +- if (prev_sess_id && prev_sess_id != sess->id) +- destroy_previous_session(conn, sess->user, prev_sess_id); +- + retval = ksmbd_krb5_authenticate(sess, in_blob, in_len, + out_blob, &out_len); + if (retval) { + ksmbd_debug(SMB, "krb5 authentication failed\n"); + return -EINVAL; + } ++ ++ /* Check previous session */ ++ prev_sess_id = le64_to_cpu(req->PreviousSessionId); ++ if (prev_sess_id && prev_sess_id != sess->id) ++ destroy_previous_session(conn, sess->user, prev_sess_id); ++ + rsp->SecurityBufferLength = cpu_to_le16(out_len); + + if ((conn->sign || server_conf.enforced_signing) || diff --git a/queue-6.12/loongarch-avoid-using-r0-r1-as-mask-for-csrxchg.patch b/queue-6.12/loongarch-avoid-using-r0-r1-as-mask-for-csrxchg.patch new file mode 100644 index 00000000000..0551faf8ac2 --- /dev/null +++ b/queue-6.12/loongarch-avoid-using-r0-r1-as-mask-for-csrxchg.patch @@ -0,0 +1,90 @@ +From 52c22661c79a7b6af7fad9f77200738fc6c51878 Mon Sep 17 00:00:00 2001 +From: Huacai Chen <chenhuacai@loongson.cn> +Date: Fri, 30 May 2025 21:45:48 +0800 +Subject: LoongArch: Avoid using $r0/$r1 as "mask" for csrxchg + +From: Huacai Chen <chenhuacai@loongson.cn> + +commit 52c22661c79a7b6af7fad9f77200738fc6c51878 upstream. + +When building kernel with LLVM there are occasionally such errors: + +In file included from ./include/linux/spinlock.h:59: +In file included from ./include/linux/irqflags.h:17: +arch/loongarch/include/asm/irqflags.h:38:3: error: must not be $r0 or $r1 + 38 | "csrxchg %[val], %[mask], %[reg]\n\t" + | ^ +<inline asm>:1:16: note: instantiated into assembly here + 1 | csrxchg $a1, $ra, 0 + | ^ + +To prevent the compiler from allocating $r0 or $r1 for the "mask" of the +csrxchg instruction, the 'q' constraint must be used but Clang < 21 does +not support it. So force to use $t0 in the inline asm, in order to avoid +using $r0/$r1 while keeping the backward compatibility. 
+ +Cc: stable@vger.kernel.org +Link: https://github.com/llvm/llvm-project/pull/141037 +Reviewed-by: Yanteng Si <si.yanteng@linux.dev> +Suggested-by: WANG Rui <wangrui@loongson.cn> +Signed-off-by: Huacai Chen <chenhuacai@loongson.cn> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/loongarch/include/asm/irqflags.h | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/arch/loongarch/include/asm/irqflags.h ++++ b/arch/loongarch/include/asm/irqflags.h +@@ -14,40 +14,48 @@ + static inline void arch_local_irq_enable(void) + { + u32 flags = CSR_CRMD_IE; ++ register u32 mask asm("t0") = CSR_CRMD_IE; ++ + __asm__ __volatile__( + "csrxchg %[val], %[mask], %[reg]\n\t" + : [val] "+r" (flags) +- : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) ++ : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) + : "memory"); + } + + static inline void arch_local_irq_disable(void) + { + u32 flags = 0; ++ register u32 mask asm("t0") = CSR_CRMD_IE; ++ + __asm__ __volatile__( + "csrxchg %[val], %[mask], %[reg]\n\t" + : [val] "+r" (flags) +- : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) ++ : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) + : "memory"); + } + + static inline unsigned long arch_local_irq_save(void) + { + u32 flags = 0; ++ register u32 mask asm("t0") = CSR_CRMD_IE; ++ + __asm__ __volatile__( + "csrxchg %[val], %[mask], %[reg]\n\t" + : [val] "+r" (flags) +- : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) ++ : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) + : "memory"); + return flags; + } + + static inline void arch_local_irq_restore(unsigned long flags) + { ++ register u32 mask asm("t0") = CSR_CRMD_IE; ++ + __asm__ __volatile__( + "csrxchg %[val], %[mask], %[reg]\n\t" + : [val] "+r" (flags) +- : [mask] "r" (CSR_CRMD_IE), [reg] "i" (LOONGARCH_CSR_CRMD) ++ : [mask] "r" (mask), [reg] "i" (LOONGARCH_CSR_CRMD) + : "memory"); + } + diff --git a/queue-6.12/loongarch-fix-panic-caused-by-null-pmd-in-huge_pte_offset.patch b/queue-6.12/loongarch-fix-panic-caused-by-null-pmd-in-huge_pte_offset.patch new file mode 100644 index 00000000000..137aebe935a --- /dev/null +++ b/queue-6.12/loongarch-fix-panic-caused-by-null-pmd-in-huge_pte_offset.patch @@ -0,0 +1,48 @@ +From ee084fa96123ede8b0563a1b5a9b23adc43cd50d Mon Sep 17 00:00:00 2001 +From: Tianyang Zhang <zhangtianyang@loongson.cn> +Date: Fri, 30 May 2025 21:45:57 +0800 +Subject: LoongArch: Fix panic caused by NULL-PMD in huge_pte_offset() + +From: Tianyang Zhang <zhangtianyang@loongson.cn> + +commit ee084fa96123ede8b0563a1b5a9b23adc43cd50d upstream. + +ERROR INFO: + +CPU 25 Unable to handle kernel paging request at virtual address 0x0 + ... + Call Trace: + [<900000000023c30c>] huge_pte_offset+0x3c/0x58 + [<900000000057fd4c>] hugetlb_follow_page_mask+0x74/0x438 + [<900000000051fee8>] __get_user_pages+0xe0/0x4c8 + [<9000000000522414>] faultin_page_range+0x84/0x380 + [<9000000000564e8c>] madvise_vma_behavior+0x534/0xa48 + [<900000000056689c>] do_madvise+0x1bc/0x3e8 + [<9000000000566df4>] sys_madvise+0x24/0x38 + [<90000000015b9e88>] do_syscall+0x78/0x98 + [<9000000000221f18>] handle_syscall+0xb8/0x158 + +In some cases, pmd may be NULL and rely on NULL as the return value for +processing, so it is necessary to determine this situation here. 
+ +Cc: stable@vger.kernel.org +Fixes: bd51834d1cf6 ("LoongArch: Return NULL from huge_pte_offset() for invalid PMD") +Signed-off-by: Tianyang Zhang <zhangtianyang@loongson.cn> +Signed-off-by: Huacai Chen <chenhuacai@loongson.cn> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/loongarch/mm/hugetlbpage.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/loongarch/mm/hugetlbpage.c ++++ b/arch/loongarch/mm/hugetlbpage.c +@@ -47,7 +47,8 @@ pte_t *huge_pte_offset(struct mm_struct + pmd = pmd_offset(pud, addr); + } + } +- return pmd_none(pmdp_get(pmd)) ? NULL : (pte_t *) pmd; ++ ++ return (!pmd || pmd_none(pmdp_get(pmd))) ? NULL : (pte_t *) pmd; + } + + uint64_t pmd_to_entrylo(unsigned long pmd_val) diff --git a/queue-6.12/loongarch-vdso-correctly-use-asm-parameters-in-syscall-wrappers.patch b/queue-6.12/loongarch-vdso-correctly-use-asm-parameters-in-syscall-wrappers.patch new file mode 100644 index 00000000000..88f1298bbfa --- /dev/null +++ b/queue-6.12/loongarch-vdso-correctly-use-asm-parameters-in-syscall-wrappers.patch @@ -0,0 +1,82 @@ +From e242bbbb6d7ac7556aa1e358294dc7e3c82cc902 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <thomas.weissschuh@linutronix.de> +Date: Thu, 5 Jun 2025 20:34:18 +0800 +Subject: LoongArch: vDSO: Correctly use asm parameters in syscall wrappers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh <thomas.weissschuh@linutronix.de> + +commit e242bbbb6d7ac7556aa1e358294dc7e3c82cc902 upstream. + +The syscall wrappers use the "a0" register for two different register +variables, both the first argument and the return value. Here the "ret" +variable is used as both input and output while the argument register is +only used as input. Clang treats the conflicting input parameters as an +undefined behaviour and optimizes away the argument assignment. + +The code seems to work by chance for the most part today but that may +change in the future. Specifically clock_gettime_fallback() fails with +clockids from 16 to 23, as implemented by the upcoming auxiliary clocks. + +Switch the "ret" register variable to a pure output, similar to the +other architectures' vDSO code. This works in both clang and GCC. 
+ +Link: https://lore.kernel.org/lkml/20250602102825-42aa84f0-23f1-4d10-89fc-e8bbaffd291a@linutronix.de/ +Link: https://lore.kernel.org/lkml/20250519082042.742926976@linutronix.de/ +Fixes: c6b99bed6b8f ("LoongArch: Add VDSO and VSYSCALL support") +Fixes: 18efd0b10e0f ("LoongArch: vDSO: Wire up getrandom() vDSO implementation") +Cc: stable@vger.kernel.org +Reviewed-by: Nathan Chancellor <nathan@kernel.org> +Reviewed-by: Yanteng Si <si.yanteng@linux.dev> +Reviewed-by: WANG Xuerui <git@xen0n.name> +Reviewed-by: Xi Ruoyao <xry111@xry111.site> +Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de> +Signed-off-by: Huacai Chen <chenhuacai@loongson.cn> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/loongarch/include/asm/vdso/getrandom.h | 2 +- + arch/loongarch/include/asm/vdso/gettimeofday.h | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/loongarch/include/asm/vdso/getrandom.h ++++ b/arch/loongarch/include/asm/vdso/getrandom.h +@@ -20,7 +20,7 @@ static __always_inline ssize_t getrandom + + asm volatile( + " syscall 0\n" +- : "+r" (ret) ++ : "=r" (ret) + : "r" (nr), "r" (buffer), "r" (len), "r" (flags) + : "$t0", "$t1", "$t2", "$t3", "$t4", "$t5", "$t6", "$t7", "$t8", + "memory"); +--- a/arch/loongarch/include/asm/vdso/gettimeofday.h ++++ b/arch/loongarch/include/asm/vdso/gettimeofday.h +@@ -25,7 +25,7 @@ static __always_inline long gettimeofday + + asm volatile( + " syscall 0\n" +- : "+r" (ret) ++ : "=r" (ret) + : "r" (nr), "r" (tv), "r" (tz) + : "$t0", "$t1", "$t2", "$t3", "$t4", "$t5", "$t6", "$t7", + "$t8", "memory"); +@@ -44,7 +44,7 @@ static __always_inline long clock_gettim + + asm volatile( + " syscall 0\n" +- : "+r" (ret) ++ : "=r" (ret) + : "r" (nr), "r" (clkid), "r" (ts) + : "$t0", "$t1", "$t2", "$t3", "$t4", "$t5", "$t6", "$t7", + "$t8", "memory"); +@@ -63,7 +63,7 @@ static __always_inline int clock_getres_ + + asm volatile( + " syscall 0\n" +- : "+r" (ret) ++ : "=r" (ret) + : "r" (nr), "r" (clkid), "r" (ts) + : "$t0", "$t1", "$t2", "$t3", "$t4", "$t5", "$t6", "$t7", + "$t8", "memory"); diff --git a/queue-6.12/mm-close-theoretical-race-where-stale-tlb-entries-could-linger.patch b/queue-6.12/mm-close-theoretical-race-where-stale-tlb-entries-could-linger.patch new file mode 100644 index 00000000000..4cbe265b607 --- /dev/null +++ b/queue-6.12/mm-close-theoretical-race-where-stale-tlb-entries-could-linger.patch @@ -0,0 +1,95 @@ +From 383c4613c67c26e90e8eebb72e3083457d02033f Mon Sep 17 00:00:00 2001 +From: Ryan Roberts <ryan.roberts@arm.com> +Date: Fri, 6 Jun 2025 10:28:07 +0100 +Subject: mm: close theoretical race where stale TLB entries could linger + +From: Ryan Roberts <ryan.roberts@arm.com> + +commit 383c4613c67c26e90e8eebb72e3083457d02033f upstream. + +Commit 3ea277194daa ("mm, mprotect: flush TLB if potentially racing with a +parallel reclaim leaving stale TLB entries") described a theoretical race +as such: + + +""" +Nadav Amit identified a theoretical race between page reclaim and mprotect +due to TLB flushes being batched outside of the PTL being held. + +He described the race as follows: + + CPU0 CPU1 + ---- ---- + user accesses memory using RW PTE + [PTE now cached in TLB] + try_to_unmap_one() + ==> ptep_get_and_clear() + ==> set_tlb_ubc_flush_pending() + mprotect(addr, PROT_READ) + ==> change_pte_range() + ==> [ PTE non-present - no flush ] + + user writes using cached RW PTE + ... 
+ + try_to_unmap_flush() + +The same type of race exists for reads when protecting for PROT_NONE and +also exists for operations that can leave an old TLB entry behind such as +munmap, mremap and madvise. +""" + +The solution was to introduce flush_tlb_batched_pending() and call it +under the PTL from mprotect/madvise/munmap/mremap to complete any pending +tlb flushes. + +However, while madvise_free_pte_range() and +madvise_cold_or_pageout_pte_range() were both retro-fitted to call +flush_tlb_batched_pending() immediately after initially acquiring the PTL, +they both temporarily release the PTL to split a large folio if they +stumble upon one. In this case, where re-acquiring the PTL +flush_tlb_batched_pending() must be called again, but it previously was +not. Let's fix that. + +There are 2 Fixes: tags here: the first is the commit that fixed +madvise_free_pte_range(). The second is the commit that added +madvise_cold_or_pageout_pte_range(), which looks like it copy/pasted the +faulty pattern from madvise_free_pte_range(). + +This is a theoretical bug discovered during code review. + +Link: https://lkml.kernel.org/r/20250606092809.4194056-1-ryan.roberts@arm.com +Fixes: 3ea277194daa ("mm, mprotect: flush TLB if potentially racing with a parallel reclaim leaving stale TLB entries") +Fixes: 9c276cc65a58 ("mm: introduce MADV_COLD") +Signed-off-by: Ryan Roberts <ryan.roberts@arm.com> +Reviewed-by: Jann Horn <jannh@google.com> +Acked-by: David Hildenbrand <david@redhat.com> +Cc: Liam Howlett <liam.howlett@oracle.com> +Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> +Cc: Mel Gorman <mgorman <mgorman@suse.de> +Cc: Vlastimil Babka <vbabka@suse.cz> +Cc: <stable@vger.kernel.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + mm/madvise.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/mm/madvise.c ++++ b/mm/madvise.c +@@ -495,6 +495,7 @@ restart: + pte_offset_map_lock(mm, pmd, addr, &ptl); + if (!start_pte) + break; ++ flush_tlb_batched_pending(mm); + arch_enter_lazy_mmu_mode(); + if (!err) + nr = 0; +@@ -728,6 +729,7 @@ static int madvise_free_pte_range(pmd_t + start_pte = pte; + if (!start_pte) + break; ++ flush_tlb_batched_pending(mm); + arch_enter_lazy_mmu_mode(); + if (!err) + nr = 0; diff --git a/queue-6.12/net-clear-the-dst-when-changing-skb-protocol.patch b/queue-6.12/net-clear-the-dst-when-changing-skb-protocol.patch new file mode 100644 index 00000000000..92a103cbbcd --- /dev/null +++ b/queue-6.12/net-clear-the-dst-when-changing-skb-protocol.patch @@ -0,0 +1,118 @@ +From ba9db6f907ac02215e30128770f85fbd7db2fcf9 Mon Sep 17 00:00:00 2001 +From: Jakub Kicinski <kuba@kernel.org> +Date: Mon, 9 Jun 2025 17:12:44 -0700 +Subject: net: clear the dst when changing skb protocol +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakub Kicinski <kuba@kernel.org> + +commit ba9db6f907ac02215e30128770f85fbd7db2fcf9 upstream. 
+ +A not-so-careful NAT46 BPF program can crash the kernel +if it indiscriminately flips ingress packets from v4 to v6: + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + ip6_rcv_core (net/ipv6/ip6_input.c:190:20) + ipv6_rcv (net/ipv6/ip6_input.c:306:8) + process_backlog (net/core/dev.c:6186:4) + napi_poll (net/core/dev.c:6906:9) + net_rx_action (net/core/dev.c:7028:13) + do_softirq (kernel/softirq.c:462:3) + netif_rx (net/core/dev.c:5326:3) + dev_loopback_xmit (net/core/dev.c:4015:2) + ip_mc_finish_output (net/ipv4/ip_output.c:363:8) + NF_HOOK (./include/linux/netfilter.h:314:9) + ip_mc_output (net/ipv4/ip_output.c:400:5) + dst_output (./include/net/dst.h:459:9) + ip_local_out (net/ipv4/ip_output.c:130:9) + ip_send_skb (net/ipv4/ip_output.c:1496:8) + udp_send_skb (net/ipv4/udp.c:1040:8) + udp_sendmsg (net/ipv4/udp.c:1328:10) + +The output interface has a 4->6 program attached at ingress. +We try to loop the multicast skb back to the sending socket. +Ingress BPF runs as part of netif_rx(), pushes a valid v6 hdr +and changes skb->protocol to v6. We enter ip6_rcv_core which +tries to use skb_dst(). But the dst is still an IPv4 one left +after IPv4 mcast output. + +Clear the dst in all BPF helpers which change the protocol. +Try to preserve metadata dsts, those may carry non-routing +metadata. + +Cc: stable@vger.kernel.org +Reviewed-by: Maciej Żenczykowski <maze@google.com> +Acked-by: Daniel Borkmann <daniel@iogearbox.net> +Fixes: d219df60a70e ("bpf: Add ipip6 and ip6ip decap support for bpf_skb_adjust_room()") +Fixes: 1b00e0dfe7d0 ("bpf: update skb->protocol in bpf_skb_net_grow") +Fixes: 6578171a7ff0 ("bpf: add bpf_skb_change_proto helper") +Reviewed-by: Willem de Bruijn <willemb@google.com> +Link: https://patch.msgid.link/20250610001245.1981782-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/core/filter.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -3249,6 +3249,13 @@ static const struct bpf_func_proto bpf_s + .arg1_type = ARG_PTR_TO_CTX, + }; + ++static void bpf_skb_change_protocol(struct sk_buff *skb, u16 proto) ++{ ++ skb->protocol = htons(proto); ++ if (skb_valid_dst(skb)) ++ skb_dst_drop(skb); ++} ++ + static int bpf_skb_generic_push(struct sk_buff *skb, u32 off, u32 len) + { + /* Caller already did skb_cow() with len as headroom, +@@ -3345,7 +3352,7 @@ static int bpf_skb_proto_4_to_6(struct s + } + } + +- skb->protocol = htons(ETH_P_IPV6); ++ bpf_skb_change_protocol(skb, ETH_P_IPV6); + skb_clear_hash(skb); + + return 0; +@@ -3375,7 +3382,7 @@ static int bpf_skb_proto_6_to_4(struct s + } + } + +- skb->protocol = htons(ETH_P_IP); ++ bpf_skb_change_protocol(skb, ETH_P_IP); + skb_clear_hash(skb); + + return 0; +@@ -3566,10 +3573,10 @@ static int bpf_skb_net_grow(struct sk_bu + /* Match skb->protocol to new outer l3 protocol */ + if (skb->protocol == htons(ETH_P_IP) && + flags & BPF_F_ADJ_ROOM_ENCAP_L3_IPV6) +- skb->protocol = htons(ETH_P_IPV6); ++ bpf_skb_change_protocol(skb, ETH_P_IPV6); + else if (skb->protocol == htons(ETH_P_IPV6) && + flags & BPF_F_ADJ_ROOM_ENCAP_L3_IPV4) +- skb->protocol = htons(ETH_P_IP); ++ bpf_skb_change_protocol(skb, ETH_P_IP); + } + + if (skb_is_gso(skb)) { +@@ -3622,10 +3629,10 @@ static int bpf_skb_net_shrink(struct sk_ + /* Match skb->protocol to new outer l3 protocol */ + if (skb->protocol == htons(ETH_P_IP) && + flags & BPF_F_ADJ_ROOM_DECAP_L3_IPV6) +- 
skb->protocol = htons(ETH_P_IPV6); ++ bpf_skb_change_protocol(skb, ETH_P_IPV6); + else if (skb->protocol == htons(ETH_P_IPV6) && + flags & BPF_F_ADJ_ROOM_DECAP_L3_IPV4) +- skb->protocol = htons(ETH_P_IP); ++ bpf_skb_change_protocol(skb, ETH_P_IP); + + if (skb_is_gso(skb)) { + struct skb_shared_info *shinfo = skb_shinfo(skb); diff --git a/queue-6.12/net_sched-sch_sfq-reject-invalid-perturb-period.patch b/queue-6.12/net_sched-sch_sfq-reject-invalid-perturb-period.patch new file mode 100644 index 00000000000..5c226d4e7bd --- /dev/null +++ b/queue-6.12/net_sched-sch_sfq-reject-invalid-perturb-period.patch @@ -0,0 +1,72 @@ +From 7ca52541c05c832d32b112274f81a985101f9ba8 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <edumazet@google.com> +Date: Wed, 11 Jun 2025 08:35:01 +0000 +Subject: net_sched: sch_sfq: reject invalid perturb period + +From: Eric Dumazet <edumazet@google.com> + +commit 7ca52541c05c832d32b112274f81a985101f9ba8 upstream. + +Gerrard Tai reported that SFQ perturb_period has no range check yet, +and this can be used to trigger a race condition fixed in a separate patch. + +We want to make sure ctl->perturb_period * HZ will not overflow +and is positive. + +Tested: + +tc qd add dev lo root sfq perturb -10 # negative value : error +Error: sch_sfq: invalid perturb period. + +tc qd add dev lo root sfq perturb 1000000000 # too big : error +Error: sch_sfq: invalid perturb period. + +tc qd add dev lo root sfq perturb 2000000 # acceptable value +tc -s -d qd sh dev lo +qdisc sfq 8005: root refcnt 2 limit 127p quantum 64Kb depth 127 flows 128 divisor 1024 perturb 2000000sec + Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) + backlog 0b 0p requeues 0 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg> +Signed-off-by: Eric Dumazet <edumazet@google.com> +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250611083501.1810459-1-edumazet@google.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/sched/sch_sfq.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/net/sched/sch_sfq.c ++++ b/net/sched/sch_sfq.c +@@ -656,6 +656,14 @@ static int sfq_change(struct Qdisc *sch, + NL_SET_ERR_MSG_MOD(extack, "invalid quantum"); + return -EINVAL; + } ++ ++ if (ctl->perturb_period < 0 || ++ ctl->perturb_period > INT_MAX / HZ) { ++ NL_SET_ERR_MSG_MOD(extack, "invalid perturb period"); ++ return -EINVAL; ++ } ++ perturb_period = ctl->perturb_period * HZ; ++ + if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max, + ctl_v1->Wlog, ctl_v1->Scell_log, NULL)) + return -EINVAL; +@@ -672,14 +680,12 @@ static int sfq_change(struct Qdisc *sch, + headdrop = q->headdrop; + maxdepth = q->maxdepth; + maxflows = q->maxflows; +- perturb_period = q->perturb_period; + quantum = q->quantum; + flags = q->flags; + + /* update and validate configuration */ + if (ctl->quantum) + quantum = ctl->quantum; +- perturb_period = ctl->perturb_period * HZ; + if (ctl->flows) + maxflows = min_t(u32, ctl->flows, SFQ_MAX_FLOWS); + if (ctl->divisor) { diff --git a/queue-6.12/nvme-always-punt-polled-uring_cmd-end_io-work-to-task_work.patch b/queue-6.12/nvme-always-punt-polled-uring_cmd-end_io-work-to-task_work.patch new file mode 100644 index 00000000000..2e0b51cc9e0 --- /dev/null +++ b/queue-6.12/nvme-always-punt-polled-uring_cmd-end_io-work-to-task_work.patch @@ -0,0 +1,59 @@ +From 9ce6c9875f3e995be5fd720b65835291f8a609b1 Mon Sep 17 00:00:00 2001 +From: Jens Axboe 
<axboe@kernel.dk> +Date: Fri, 13 Jun 2025 13:37:41 -0600 +Subject: nvme: always punt polled uring_cmd end_io work to task_work + +From: Jens Axboe <axboe@kernel.dk> + +commit 9ce6c9875f3e995be5fd720b65835291f8a609b1 upstream. + +Currently NVMe uring_cmd completions will complete locally, if they are +polled. This is done because those completions are always invoked from +task context. And while that is true, there's no guarantee that it's +invoked under the right ring context, or even task. If someone does +NVMe passthrough via multiple threads and with a limited number of +poll queues, then ringA may find completions from ringB. For that case, +completing the request may not be sound. + +Always just punt the passthrough completions via task_work, which will +redirect the completion, if needed. + +Cc: stable@vger.kernel.org +Fixes: 585079b6e425 ("nvme: wire up async polling for io passthrough commands") +Signed-off-by: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/nvme/host/ioctl.c | 21 +++++++-------------- + 1 file changed, 7 insertions(+), 14 deletions(-) + +--- a/drivers/nvme/host/ioctl.c ++++ b/drivers/nvme/host/ioctl.c +@@ -442,21 +442,14 @@ static enum rq_end_io_ret nvme_uring_cmd + pdu->result = le64_to_cpu(nvme_req(req)->result.u64); + + /* +- * For iopoll, complete it directly. Note that using the uring_cmd +- * helper for this is safe only because we check blk_rq_is_poll(). +- * As that returns false if we're NOT on a polled queue, then it's +- * safe to use the polled completion helper. +- * +- * Otherwise, move the completion to task work. ++ * IOPOLL could potentially complete this request directly, but ++ * if multiple rings are polling on the same queue, then it's possible ++ * for one ring to find completions for another ring. Punting the ++ * completion via task_work will always direct it to the right ++ * location, rather than potentially complete requests for ringA ++ * under iopoll invocations from ringB. + */ +- if (blk_rq_is_poll(req)) { +- if (pdu->bio) +- blk_rq_unmap_user(pdu->bio); +- io_uring_cmd_iopoll_done(ioucmd, pdu->result, pdu->status); +- } else { +- io_uring_cmd_do_in_task_lazy(ioucmd, nvme_uring_task_cb); +- } +- ++ io_uring_cmd_do_in_task_lazy(ioucmd, nvme_uring_task_cb); + return RQ_END_IO_FREE; + } + diff --git a/queue-6.12/platform-loongarch-laptop-add-backlight-power-control-support.patch b/queue-6.12/platform-loongarch-laptop-add-backlight-power-control-support.patch new file mode 100644 index 00000000000..885488d758c --- /dev/null +++ b/queue-6.12/platform-loongarch-laptop-add-backlight-power-control-support.patch @@ -0,0 +1,145 @@ +From 53c762b47f726e4079a1f06f684bce2fc0d56fba Mon Sep 17 00:00:00 2001 +From: Yao Zi <ziyao@disroot.org> +Date: Thu, 5 Jun 2025 20:34:46 +0800 +Subject: platform/loongarch: laptop: Add backlight power control support + +From: Yao Zi <ziyao@disroot.org> + +commit 53c762b47f726e4079a1f06f684bce2fc0d56fba upstream. + +loongson_laptop_turn_{on,off}_backlight() are designed for controlling +the power of the backlight, but they aren't really used in the driver +previously. + +Unify these two functions since they only differ in arguments passed to +ACPI method, and wire up loongson_laptop_backlight_update() to update +the power state of the backlight as well. Tested on the TongFang L860-T2 +Loongson-3A5000 laptop. 
+ +Cc: stable@vger.kernel.org +Fixes: 6246ed09111f ("LoongArch: Add ACPI-based generic laptop driver") +Signed-off-by: Yao Zi <ziyao@disroot.org> +Signed-off-by: Huacai Chen <chenhuacai@loongson.cn> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/platform/loongarch/loongson-laptop.c | 73 +++++++++++++-------------- + 1 file changed, 37 insertions(+), 36 deletions(-) + +--- a/drivers/platform/loongarch/loongson-laptop.c ++++ b/drivers/platform/loongarch/loongson-laptop.c +@@ -56,8 +56,7 @@ static struct input_dev *generic_inputde + static acpi_handle hotkey_handle; + static struct key_entry hotkey_keycode_map[GENERIC_HOTKEY_MAP_MAX]; + +-int loongson_laptop_turn_on_backlight(void); +-int loongson_laptop_turn_off_backlight(void); ++static bool bl_powered; + static int loongson_laptop_backlight_update(struct backlight_device *bd); + + /* 2. ACPI Helpers and device model */ +@@ -354,16 +353,42 @@ static int ec_backlight_level(u8 level) + return level; + } + ++static int ec_backlight_set_power(bool state) ++{ ++ int status; ++ union acpi_object arg0 = { ACPI_TYPE_INTEGER }; ++ struct acpi_object_list args = { 1, &arg0 }; ++ ++ arg0.integer.value = state; ++ status = acpi_evaluate_object(NULL, "\\BLSW", &args, NULL); ++ if (ACPI_FAILURE(status)) { ++ pr_info("Loongson lvds error: 0x%x\n", status); ++ return -EIO; ++ } ++ ++ return 0; ++} ++ + static int loongson_laptop_backlight_update(struct backlight_device *bd) + { +- int lvl = ec_backlight_level(bd->props.brightness); ++ bool target_powered = !backlight_is_blank(bd); ++ int ret = 0, lvl = ec_backlight_level(bd->props.brightness); + + if (lvl < 0) + return -EIO; ++ + if (ec_set_brightness(lvl)) + return -EIO; + +- return 0; ++ if (target_powered != bl_powered) { ++ ret = ec_backlight_set_power(target_powered); ++ if (ret < 0) ++ return ret; ++ ++ bl_powered = target_powered; ++ } ++ ++ return ret; + } + + static int loongson_laptop_get_brightness(struct backlight_device *bd) +@@ -384,7 +409,7 @@ static const struct backlight_ops backli + + static int laptop_backlight_register(void) + { +- int status = 0; ++ int status = 0, ret; + struct backlight_properties props; + + memset(&props, 0, sizeof(props)); +@@ -392,44 +417,20 @@ static int laptop_backlight_register(voi + if (!acpi_evalf(hotkey_handle, &status, "ECLL", "d")) + return -EIO; + ++ ret = ec_backlight_set_power(true); ++ if (ret) ++ return ret; ++ ++ bl_powered = true; ++ + props.max_brightness = status; + props.brightness = ec_get_brightness(); ++ props.power = BACKLIGHT_POWER_ON; + props.type = BACKLIGHT_PLATFORM; + + backlight_device_register("loongson_laptop", + NULL, NULL, &backlight_laptop_ops, &props); + +- return 0; +-} +- +-int loongson_laptop_turn_on_backlight(void) +-{ +- int status; +- union acpi_object arg0 = { ACPI_TYPE_INTEGER }; +- struct acpi_object_list args = { 1, &arg0 }; +- +- arg0.integer.value = 1; +- status = acpi_evaluate_object(NULL, "\\BLSW", &args, NULL); +- if (ACPI_FAILURE(status)) { +- pr_info("Loongson lvds error: 0x%x\n", status); +- return -ENODEV; +- } +- +- return 0; +-} +- +-int loongson_laptop_turn_off_backlight(void) +-{ +- int status; +- union acpi_object arg0 = { ACPI_TYPE_INTEGER }; +- struct acpi_object_list args = { 1, &arg0 }; +- +- arg0.integer.value = 0; +- status = acpi_evaluate_object(NULL, "\\BLSW", &args, NULL); +- if (ACPI_FAILURE(status)) { +- pr_info("Loongson lvds error: 0x%x\n", status); +- return -ENODEV; +- } + + return 0; + } diff --git 
a/queue-6.12/platform-loongarch-laptop-get-brightness-setting-from-ec-on-probe.patch b/queue-6.12/platform-loongarch-laptop-get-brightness-setting-from-ec-on-probe.patch new file mode 100644 index 00000000000..39a8338274a --- /dev/null +++ b/queue-6.12/platform-loongarch-laptop-get-brightness-setting-from-ec-on-probe.patch @@ -0,0 +1,41 @@ +From 1205088fd0393bd9eae96b62bf1e4b9eb1b73edf Mon Sep 17 00:00:00 2001 +From: Yao Zi <ziyao@disroot.org> +Date: Thu, 5 Jun 2025 20:34:46 +0800 +Subject: platform/loongarch: laptop: Get brightness setting from EC on probe + +From: Yao Zi <ziyao@disroot.org> + +commit 1205088fd0393bd9eae96b62bf1e4b9eb1b73edf upstream. + +Previously during driver probe, 1 is unconditionally taken as current +brightness value and set to props.brightness, which will be considered +as the brightness before suspend and restored to EC on resume. Since a +brightness value of 1 almost never matches EC's state on coldboot (my +laptop's EC defaults to 80), this causes surprising changes of screen +brightness on the first time of resume after coldboot. + +Let's get brightness from EC and take it as the current brightness on +probe of the laptop driver to avoid the surprising behavior. Tested on +TongFang L860-T2 Loongson-3A5000 laptop. + +Cc: stable@vger.kernel.org +Fixes: 6246ed09111f ("LoongArch: Add ACPI-based generic laptop driver") +Signed-off-by: Yao Zi <ziyao@disroot.org> +Signed-off-by: Huacai Chen <chenhuacai@loongson.cn> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/platform/loongarch/loongson-laptop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/platform/loongarch/loongson-laptop.c ++++ b/drivers/platform/loongarch/loongson-laptop.c +@@ -392,8 +392,8 @@ static int laptop_backlight_register(voi + if (!acpi_evalf(hotkey_handle, &status, "ECLL", "d")) + return -EIO; + +- props.brightness = 1; + props.max_brightness = status; ++ props.brightness = ec_get_brightness(); + props.type = BACKLIGHT_PLATFORM; + + backlight_device_register("loongson_laptop", diff --git a/queue-6.12/platform-loongarch-laptop-unregister-generic_sub_drivers-on-exit.patch b/queue-6.12/platform-loongarch-laptop-unregister-generic_sub_drivers-on-exit.patch new file mode 100644 index 00000000000..2f401f3c99d --- /dev/null +++ b/queue-6.12/platform-loongarch-laptop-unregister-generic_sub_drivers-on-exit.patch @@ -0,0 +1,46 @@ +From f78fb2576f22b0ba5297412a9aa7691920666c41 Mon Sep 17 00:00:00 2001 +From: Yao Zi <ziyao@disroot.org> +Date: Thu, 5 Jun 2025 20:34:46 +0800 +Subject: platform/loongarch: laptop: Unregister generic_sub_drivers on exit + +From: Yao Zi <ziyao@disroot.org> + +commit f78fb2576f22b0ba5297412a9aa7691920666c41 upstream. + +Without correct unregisteration, ACPI notify handlers and the platform +drivers installed by generic_subdriver_init() will become dangling +references after removing the loongson_laptop module, triggering various +kernel faults when a hotkey is sent or at kernel shutdown. 
+ +Cc: stable@vger.kernel.org +Fixes: 6246ed09111f ("LoongArch: Add ACPI-based generic laptop driver") +Signed-off-by: Yao Zi <ziyao@disroot.org> +Signed-off-by: Huacai Chen <chenhuacai@loongson.cn> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/platform/loongarch/loongson-laptop.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/platform/loongarch/loongson-laptop.c ++++ b/drivers/platform/loongarch/loongson-laptop.c +@@ -611,11 +611,17 @@ static int __init generic_acpi_laptop_in + + static void __exit generic_acpi_laptop_exit(void) + { ++ int i; ++ + if (generic_inputdev) { +- if (input_device_registered) +- input_unregister_device(generic_inputdev); +- else ++ if (!input_device_registered) { + input_free_device(generic_inputdev); ++ } else { ++ input_unregister_device(generic_inputdev); ++ ++ for (i = 0; i < ARRAY_SIZE(generic_sub_drivers); i++) ++ generic_subdriver_exit(&generic_sub_drivers[i]); ++ } + } + } + diff --git a/queue-6.12/platform-x86-ideapad-laptop-use-usleep_range-for-ec-polling.patch b/queue-6.12/platform-x86-ideapad-laptop-use-usleep_range-for-ec-polling.patch new file mode 100644 index 00000000000..7389140bb22 --- /dev/null +++ b/queue-6.12/platform-x86-ideapad-laptop-use-usleep_range-for-ec-polling.patch @@ -0,0 +1,122 @@ +From 5808c34216954cd832bd4b8bc52dfa287049122b Mon Sep 17 00:00:00 2001 +From: Rong Zhang <i@rong.moe> +Date: Mon, 26 May 2025 04:18:07 +0800 +Subject: platform/x86: ideapad-laptop: use usleep_range() for EC polling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rong Zhang <i@rong.moe> + +commit 5808c34216954cd832bd4b8bc52dfa287049122b upstream. + +It was reported that ideapad-laptop sometimes causes some recent (since +2024) Lenovo ThinkBook models shut down when: + - suspending/resuming + - closing/opening the lid + - (dis)connecting a charger + - reading/writing some sysfs properties, e.g., fan_mode, touchpad + - pressing down some Fn keys, e.g., Brightness Up/Down (Fn+F5/F6) + - (seldom) loading the kmod + +The issue has existed since the launch day of such models, and there +have been some out-of-tree workarounds (see Link:) for the issue. One +disables some functionalities, while another one simply shortens +IDEAPAD_EC_TIMEOUT. The disabled functionalities have read_ec_data() in +their call chains, which calls schedule() between each poll. + +It turns out that these models suffer from the indeterminacy of +schedule() because of their low tolerance for being polled too +frequently. Sometimes schedule() returns too soon due to the lack of +ready tasks, causing the margin between two polls to be too short. +In this case, the command is somehow aborted, and too many subsequent +polls (they poll for "nothing!") may eventually break the state machine +in the EC, resulting in a hard shutdown. This explains why shortening +IDEAPAD_EC_TIMEOUT works around the issue - it reduces the total number +of polls sent to the EC. + +Even when it doesn't lead to a shutdown, frequent polls may also disturb +the ongoing operation and notably delay (+ 10-20ms) the availability of +EC response. This phenomenon is unlikely to be exclusive to the models +mentioned above, so dropping the schedule() manner should also slightly +improve the responsiveness of various models. + +Fix these issues by migrating to usleep_range(150, 300). 
The interval is +chosen to add some margin to the minimal 50us and considering EC +responses are usually available after 150-2500us based on my test. It +should be enough to fix these issues on all models subject to the EC bug +without introducing latency on other models. + +Tested on ThinkBook 14 G7+ ASP and solved both issues. No regression was +introduced in the test on a model without the EC bug (ThinkBook X IMH, +thanks Eric). + +Link: https://github.com/ty2/ideapad-laptop-tb2024g6plus/commit/6c5db18c9e8109873c2c90a7d2d7f552148f7ad4 +Link: https://github.com/ferstar/ideapad-laptop-tb/commit/42d1e68e5009529d31bd23f978f636f79c023e80 +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218771 +Fixes: 6a09f21dd1e2 ("ideapad: add ACPI helpers") +Cc: stable@vger.kernel.org +Tested-by: Felix Yan <felixonmars@archlinux.org> +Tested-by: Eric Long <i@hack3r.moe> +Tested-by: Jianfei Zhang <zhangjianfei3@gmail.com> +Tested-by: Mingcong Bai <jeffbai@aosc.io> +Tested-by: Minh Le <minhld139@gmail.com> +Tested-by: Sicheng Zhu <Emmet_Z@outlook.com> +Signed-off-by: Rong Zhang <i@rong.moe> +Link: https://lore.kernel.org/r/20250525201833.37939-1-i@rong.moe +Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> +Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/platform/x86/ideapad-laptop.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +--- a/drivers/platform/x86/ideapad-laptop.c ++++ b/drivers/platform/x86/ideapad-laptop.c +@@ -15,6 +15,7 @@ + #include <linux/bug.h> + #include <linux/cleanup.h> + #include <linux/debugfs.h> ++#include <linux/delay.h> + #include <linux/device.h> + #include <linux/dmi.h> + #include <linux/i8042.h> +@@ -267,6 +268,20 @@ static void ideapad_shared_exit(struct i + */ + #define IDEAPAD_EC_TIMEOUT 200 /* in ms */ + ++/* ++ * Some models (e.g., ThinkBook since 2024) have a low tolerance for being ++ * polled too frequently. Doing so may break the state machine in the EC, ++ * resulting in a hard shutdown. ++ * ++ * It is also observed that frequent polls may disturb the ongoing operation ++ * and notably delay the availability of EC response. ++ * ++ * These values are used as the delay before the first poll and the interval ++ * between subsequent polls to solve the above issues. 
++ */ ++#define IDEAPAD_EC_POLL_MIN_US 150 ++#define IDEAPAD_EC_POLL_MAX_US 300 ++ + static int eval_int(acpi_handle handle, const char *name, unsigned long *res) + { + unsigned long long result; +@@ -383,7 +398,7 @@ static int read_ec_data(acpi_handle hand + end_jiffies = jiffies + msecs_to_jiffies(IDEAPAD_EC_TIMEOUT) + 1; + + while (time_before(jiffies, end_jiffies)) { +- schedule(); ++ usleep_range(IDEAPAD_EC_POLL_MIN_US, IDEAPAD_EC_POLL_MAX_US); + + err = eval_vpcr(handle, 1, &val); + if (err) +@@ -414,7 +429,7 @@ static int write_ec_cmd(acpi_handle hand + end_jiffies = jiffies + msecs_to_jiffies(IDEAPAD_EC_TIMEOUT) + 1; + + while (time_before(jiffies, end_jiffies)) { +- schedule(); ++ usleep_range(IDEAPAD_EC_POLL_MIN_US, IDEAPAD_EC_POLL_MAX_US); + + err = eval_vpcr(handle, 1, &val); + if (err) diff --git a/queue-6.12/platform-x86-intel-uncore-freq-fail-module-load-when-plat_info-is-null.patch b/queue-6.12/platform-x86-intel-uncore-freq-fail-module-load-when-plat_info-is-null.patch new file mode 100644 index 00000000000..8bcc26ac1b3 --- /dev/null +++ b/queue-6.12/platform-x86-intel-uncore-freq-fail-module-load-when-plat_info-is-null.patch @@ -0,0 +1,59 @@ +From 685f88c72a0c4d12d3bd2ff50286938f14486f85 Mon Sep 17 00:00:00 2001 +From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> +Date: Fri, 6 Jun 2025 13:53:00 -0700 +Subject: platform/x86/intel-uncore-freq: Fail module load when plat_info is NULL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> + +commit 685f88c72a0c4d12d3bd2ff50286938f14486f85 upstream. + +Address a Smatch static checker warning regarding an unchecked +dereference in the function call: +set_cdie_id(i, cluster_info, plat_info) +when plat_info is NULL. + +Instead of addressing this one case, in general if plat_info is NULL +then it can cause other issues. For example in a two package system it +will give warning for duplicate sysfs entry as package ID will be always +zero for both packages when creating string for attribute group name. + +plat_info is derived from TPMI ID TPMI_BUS_INFO, which is integral to +the core TPMI design. Therefore, it should not be NULL on a production +platform. Consequently, the module should fail to load if plat_info is +NULL. 
+ +Reported-by: Dan Carpenter <dan.carpenter@linaro.org> +Closes: https://lore.kernel.org/platform-driver-x86/aEKvGCLd1qmX04Tc@stanley.mountain/T/#u +Fixes: 8a54e2253e4c ("platform/x86/intel-uncore-freq: Uncore frequency control via TPMI") +Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250606205300.2384494-1-srinivas.pandruvada@linux.intel.com +Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> +Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/platform/x86/intel/uncore-frequency/uncore-frequency-tpmi.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/platform/x86/intel/uncore-frequency/uncore-frequency-tpmi.c ++++ b/drivers/platform/x86/intel/uncore-frequency/uncore-frequency-tpmi.c +@@ -467,10 +467,13 @@ static int uncore_probe(struct auxiliary + + /* Get the package ID from the TPMI core */ + plat_info = tpmi_get_platform_data(auxdev); +- if (plat_info) +- pkg = plat_info->package_id; +- else ++ if (unlikely(!plat_info)) { + dev_info(&auxdev->dev, "Platform information is NULL\n"); ++ ret = -ENODEV; ++ goto err_rem_common; ++ } ++ ++ pkg = plat_info->package_id; + + for (i = 0; i < num_resources; ++i) { + struct tpmi_uncore_power_domain_info *pd_info; diff --git a/queue-6.12/sched_ext-sched-core-don-t-call-scx_group_set_weight-prematurely-from-sched_create_group.patch b/queue-6.12/sched_ext-sched-core-don-t-call-scx_group_set_weight-prematurely-from-sched_create_group.patch new file mode 100644 index 00000000000..639ff4cb495 --- /dev/null +++ b/queue-6.12/sched_ext-sched-core-don-t-call-scx_group_set_weight-prematurely-from-sched_create_group.patch @@ -0,0 +1,84 @@ +From 33796b91871ad4010c8188372dd1faf97cf0f1c0 Mon Sep 17 00:00:00 2001 +From: Tejun Heo <tj@kernel.org> +Date: Mon, 16 Jun 2025 10:13:25 -1000 +Subject: sched_ext, sched/core: Don't call scx_group_set_weight() prematurely from sched_create_group() + +From: Tejun Heo <tj@kernel.org> + +commit 33796b91871ad4010c8188372dd1faf97cf0f1c0 upstream. + +During task_group creation, sched_create_group() calls +scx_group_set_weight() with CGROUP_WEIGHT_DFL to initialize the sched_ext +portion. This is premature and ends up calling ops.cgroup_set_weight() with +an incorrect @cgrp before ops.cgroup_init() is called. + +sched_create_group() should just initialize SCX related fields in the new +task_group. Fix it by factoring out scx_tg_init() from sched_init() and +making sched_create_group() call that function instead of +scx_group_set_weight(). + +v2: Retain CONFIG_EXT_GROUP_SCHED ifdef in sched_init() as removing it leads + to build failures on !CONFIG_GROUP_SCHED configs. 
+ +Signed-off-by: Tejun Heo <tj@kernel.org> +Fixes: 819513666966 ("sched_ext: Add cgroup support") +Cc: stable@vger.kernel.org # v6.12+ +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + kernel/sched/core.c | 4 ++-- + kernel/sched/ext.c | 5 +++++ + kernel/sched/ext.h | 2 ++ + 3 files changed, 9 insertions(+), 2 deletions(-) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -8423,7 +8423,7 @@ void __init sched_init(void) + init_cfs_bandwidth(&root_task_group.cfs_bandwidth, NULL); + #endif /* CONFIG_FAIR_GROUP_SCHED */ + #ifdef CONFIG_EXT_GROUP_SCHED +- root_task_group.scx_weight = CGROUP_WEIGHT_DFL; ++ scx_tg_init(&root_task_group); + #endif /* CONFIG_EXT_GROUP_SCHED */ + #ifdef CONFIG_RT_GROUP_SCHED + root_task_group.rt_se = (struct sched_rt_entity **)ptr; +@@ -8863,7 +8863,7 @@ struct task_group *sched_create_group(st + if (!alloc_rt_sched_group(tg, parent)) + goto err; + +- scx_group_set_weight(tg, CGROUP_WEIGHT_DFL); ++ scx_tg_init(tg); + alloc_uclamp_sched_group(tg, parent); + + return tg; +--- a/kernel/sched/ext.c ++++ b/kernel/sched/ext.c +@@ -3918,6 +3918,11 @@ static void scx_cgroup_warn_missing_idle + cgroup_warned_missing_idle = true; + } + ++void scx_tg_init(struct task_group *tg) ++{ ++ tg->scx_weight = CGROUP_WEIGHT_DFL; ++} ++ + int scx_tg_online(struct task_group *tg) + { + int ret = 0; +--- a/kernel/sched/ext.h ++++ b/kernel/sched/ext.h +@@ -70,6 +70,7 @@ static inline void scx_update_idle(struc + + #ifdef CONFIG_CGROUP_SCHED + #ifdef CONFIG_EXT_GROUP_SCHED ++void scx_tg_init(struct task_group *tg); + int scx_tg_online(struct task_group *tg); + void scx_tg_offline(struct task_group *tg); + int scx_cgroup_can_attach(struct cgroup_taskset *tset); +@@ -79,6 +80,7 @@ void scx_cgroup_cancel_attach(struct cgr + void scx_group_set_weight(struct task_group *tg, unsigned long cgrp_weight); + void scx_group_set_idle(struct task_group *tg, bool idle); + #else /* CONFIG_EXT_GROUP_SCHED */ ++static inline void scx_tg_init(struct task_group *tg) {} + static inline int scx_tg_online(struct task_group *tg) { return 0; } + static inline void scx_tg_offline(struct task_group *tg) {} + static inline int scx_cgroup_can_attach(struct cgroup_taskset *tset) { return 0; } diff --git a/queue-6.12/scsi-s390-zfcp-ensure-synchronous-unit_add.patch b/queue-6.12/scsi-s390-zfcp-ensure-synchronous-unit_add.patch new file mode 100644 index 00000000000..e4b4279fc48 --- /dev/null +++ b/queue-6.12/scsi-s390-zfcp-ensure-synchronous-unit_add.patch @@ -0,0 +1,46 @@ +From 9697ca0d53e3db357be26d2414276143c4a2cd49 Mon Sep 17 00:00:00 2001 +From: Peter Oberparleiter <oberpar@linux.ibm.com> +Date: Tue, 3 Jun 2025 20:21:56 +0200 +Subject: scsi: s390: zfcp: Ensure synchronous unit_add + +From: Peter Oberparleiter <oberpar@linux.ibm.com> + +commit 9697ca0d53e3db357be26d2414276143c4a2cd49 upstream. + +Improve the usability of the unit_add sysfs attribute by ensuring that +the associated FCP LUN scan processing is completed synchronously. This +enables configuration tooling to consistently determine the end of the +scan process to allow for serialization of follow-on actions. + +While the scan process associated with unit_add typically completes +synchronously, it is deferred to an asynchronous background process if +unit_add is used before initial remote port scanning has completed. This +occurs when unit_add is used immediately after setting the associated FCP +device online. 
+ +To ensure synchronous unit_add processing, wait for remote port scanning +to complete before initiating the FCP LUN scan. + +Cc: stable@vger.kernel.org +Reviewed-by: M Nikhil <nikh1092@linux.ibm.com> +Reviewed-by: Nihar Panda <niharp@linux.ibm.com> +Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com> +Signed-off-by: Nihar Panda <niharp@linux.ibm.com> +Link: https://lore.kernel.org/r/20250603182252.2287285-2-niharp@linux.ibm.com +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/s390/scsi/zfcp_sysfs.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/s390/scsi/zfcp_sysfs.c ++++ b/drivers/s390/scsi/zfcp_sysfs.c +@@ -450,6 +450,8 @@ static ssize_t zfcp_sysfs_unit_add_store + if (kstrtoull(buf, 0, (unsigned long long *) &fcp_lun)) + return -EINVAL; + ++ flush_work(&port->rport_work); ++ + retval = zfcp_unit_add(port, fcp_lun); + if (retval) + return retval; diff --git a/queue-6.12/scsi-storvsc-increase-the-timeouts-to-storvsc_timeout.patch b/queue-6.12/scsi-storvsc-increase-the-timeouts-to-storvsc_timeout.patch new file mode 100644 index 00000000000..94ffea874f1 --- /dev/null +++ b/queue-6.12/scsi-storvsc-increase-the-timeouts-to-storvsc_timeout.patch @@ -0,0 +1,76 @@ +From b2f966568faaad326de97481096d0f3dc0971c43 Mon Sep 17 00:00:00 2001 +From: Dexuan Cui <decui@microsoft.com> +Date: Fri, 6 Jun 2025 13:57:39 -0700 +Subject: scsi: storvsc: Increase the timeouts to storvsc_timeout + +From: Dexuan Cui <decui@microsoft.com> + +commit b2f966568faaad326de97481096d0f3dc0971c43 upstream. + +Currently storvsc_timeout is only used in storvsc_sdev_configure(), and +5s and 10s are used elsewhere. It turns out that rarely the 5s is not +enough on Azure, so let's use storvsc_timeout everywhere. + +In case a timeout happens and storvsc_channel_init() returns an error, +close the VMBus channel so that any host-to-guest messages in the +channel's ringbuffer, which might come late, can be safely ignored. + +Add a "const" to storvsc_timeout. + +Cc: stable@kernel.org +Signed-off-by: Dexuan Cui <decui@microsoft.com> +Link: https://lore.kernel.org/r/1749243459-10419-1-git-send-email-decui@microsoft.com +Reviewed-by: Long Li <longli@microsoft.com> +Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/scsi/storvsc_drv.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -362,7 +362,7 @@ MODULE_PARM_DESC(ring_avail_percent_lowa + /* + * Timeout in seconds for all devices managed by this driver. 
+ */ +-static int storvsc_timeout = 180; ++static const int storvsc_timeout = 180; + + #if IS_ENABLED(CONFIG_SCSI_FC_ATTRS) + static struct scsi_transport_template *fc_transport_template; +@@ -768,7 +768,7 @@ static void handle_multichannel_storage + return; + } + +- t = wait_for_completion_timeout(&request->wait_event, 10*HZ); ++ t = wait_for_completion_timeout(&request->wait_event, storvsc_timeout * HZ); + if (t == 0) { + dev_err(dev, "Failed to create sub-channel: timed out\n"); + return; +@@ -833,7 +833,7 @@ static int storvsc_execute_vstor_op(stru + if (ret != 0) + return ret; + +- t = wait_for_completion_timeout(&request->wait_event, 5*HZ); ++ t = wait_for_completion_timeout(&request->wait_event, storvsc_timeout * HZ); + if (t == 0) + return -ETIMEDOUT; + +@@ -1351,6 +1351,8 @@ static int storvsc_connect_to_vsp(struct + return ret; + + ret = storvsc_channel_init(device, is_fc); ++ if (ret) ++ vmbus_close(device->channel); + + return ret; + } +@@ -1668,7 +1670,7 @@ static int storvsc_host_reset_handler(st + if (ret != 0) + return FAILED; + +- t = wait_for_completion_timeout(&request->wait_event, 5*HZ); ++ t = wait_for_completion_timeout(&request->wait_event, storvsc_timeout * HZ); + if (t == 0) + return TIMEOUT_ERROR; + diff --git a/queue-6.12/selftests-x86-add-a-test-to-detect-infinite-sigtrap-handler-loop.patch b/queue-6.12/selftests-x86-add-a-test-to-detect-infinite-sigtrap-handler-loop.patch new file mode 100644 index 00000000000..a67983a1ee6 --- /dev/null +++ b/queue-6.12/selftests-x86-add-a-test-to-detect-infinite-sigtrap-handler-loop.patch @@ -0,0 +1,152 @@ +From f287822688eeb44ae1cf6ac45701d965efc33218 Mon Sep 17 00:00:00 2001 +From: "Xin Li (Intel)" <xin@zytor.com> +Date: Mon, 9 Jun 2025 01:40:54 -0700 +Subject: selftests/x86: Add a test to detect infinite SIGTRAP handler loop +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xin Li (Intel) <xin@zytor.com> + +commit f287822688eeb44ae1cf6ac45701d965efc33218 upstream. + +When FRED is enabled, if the Trap Flag (TF) is set without an external +debugger attached, it can lead to an infinite loop in the SIGTRAP +handler. To avoid this, the software event flag in the augmented SS +must be cleared, ensuring that no single-step trap remains pending when +ERETU completes. + +This test checks for that specific scenario—verifying whether the kernel +correctly prevents an infinite SIGTRAP loop in this edge case when FRED +is enabled. + +The test should _always_ pass with IDT event delivery, thus no need to +disable the test even when FRED is not enabled. 
+ +Signed-off-by: Xin Li (Intel) <xin@zytor.com> +Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> +Tested-by: Sohil Mehta <sohil.mehta@intel.com> +Cc:stable@vger.kernel.org +Link: https://lore.kernel.org/all/20250609084054.2083189-3-xin%40zytor.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + tools/testing/selftests/x86/Makefile | 2 + tools/testing/selftests/x86/sigtrap_loop.c | 101 +++++++++++++++++++++++++++++ + 2 files changed, 102 insertions(+), 1 deletion(-) + create mode 100644 tools/testing/selftests/x86/sigtrap_loop.c + +--- a/tools/testing/selftests/x86/Makefile ++++ b/tools/testing/selftests/x86/Makefile +@@ -12,7 +12,7 @@ CAN_BUILD_WITH_NOPIE := $(shell ./check_ + + TARGETS_C_BOTHBITS := single_step_syscall sysret_ss_attrs syscall_nt test_mremap_vdso \ + check_initial_reg_state sigreturn iopl ioperm \ +- test_vsyscall mov_ss_trap \ ++ test_vsyscall mov_ss_trap sigtrap_loop \ + syscall_arg_fault fsgsbase_restore sigaltstack + TARGETS_C_BOTHBITS += nx_stack + TARGETS_C_32BIT_ONLY := entry_from_vm86 test_syscall_vdso unwind_vdso \ +--- /dev/null ++++ b/tools/testing/selftests/x86/sigtrap_loop.c +@@ -0,0 +1,101 @@ ++// SPDX-License-Identifier: GPL-2.0-only ++/* ++ * Copyright (C) 2025 Intel Corporation ++ */ ++#define _GNU_SOURCE ++ ++#include <err.h> ++#include <signal.h> ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++#include <sys/ucontext.h> ++ ++#ifdef __x86_64__ ++# define REG_IP REG_RIP ++#else ++# define REG_IP REG_EIP ++#endif ++ ++static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *), int flags) ++{ ++ struct sigaction sa; ++ ++ memset(&sa, 0, sizeof(sa)); ++ sa.sa_sigaction = handler; ++ sa.sa_flags = SA_SIGINFO | flags; ++ sigemptyset(&sa.sa_mask); ++ ++ if (sigaction(sig, &sa, 0)) ++ err(1, "sigaction"); ++ ++ return; ++} ++ ++static void sigtrap(int sig, siginfo_t *info, void *ctx_void) ++{ ++ ucontext_t *ctx = (ucontext_t *)ctx_void; ++ static unsigned int loop_count_on_same_ip; ++ static unsigned long last_trap_ip; ++ ++ if (last_trap_ip == ctx->uc_mcontext.gregs[REG_IP]) { ++ printf("\tTrapped at %016lx\n", last_trap_ip); ++ ++ /* ++ * If the same IP is hit more than 10 times in a row, it is ++ * _considered_ an infinite loop. ++ */ ++ if (++loop_count_on_same_ip > 10) { ++ printf("[FAIL]\tDetected SIGTRAP infinite loop\n"); ++ exit(1); ++ } ++ ++ return; ++ } ++ ++ loop_count_on_same_ip = 0; ++ last_trap_ip = ctx->uc_mcontext.gregs[REG_IP]; ++ printf("\tTrapped at %016lx\n", last_trap_ip); ++} ++ ++int main(int argc, char *argv[]) ++{ ++ sethandler(SIGTRAP, sigtrap, 0); ++ ++ /* ++ * Set the Trap Flag (TF) to single-step the test code, therefore to ++ * trigger a SIGTRAP signal after each instruction until the TF is ++ * cleared. ++ * ++ * Because the arithmetic flags are not significant here, the TF is ++ * set by pushing 0x302 onto the stack and then popping it into the ++ * flags register. ++ * ++ * Four instructions in the following asm code are executed with the ++ * TF set, thus the SIGTRAP handler is expected to run four times. ++ */ ++ printf("[RUN]\tSIGTRAP infinite loop detection\n"); ++ asm volatile( ++#ifdef __x86_64__ ++ /* ++ * Avoid clobbering the redzone ++ * ++ * Equivalent to "sub $128, %rsp", however -128 can be encoded ++ * in a single byte immediate while 128 uses 4 bytes. 
++ */ ++ "add $-128, %rsp\n\t" ++#endif ++ "push $0x302\n\t" ++ "popf\n\t" ++ "nop\n\t" ++ "nop\n\t" ++ "push $0x202\n\t" ++ "popf\n\t" ++#ifdef __x86_64__ ++ "sub $-128, %rsp\n\t" ++#endif ++ ); ++ ++ printf("[OK]\tNo SIGTRAP infinite loop detected\n"); ++ return 0; ++} diff --git a/queue-6.12/selinux-fix-selinux_xfrm_alloc_user-to-set-correct-ctx_len.patch b/queue-6.12/selinux-fix-selinux_xfrm_alloc_user-to-set-correct-ctx_len.patch new file mode 100644 index 00000000000..fbd78895e30 --- /dev/null +++ b/queue-6.12/selinux-fix-selinux_xfrm_alloc_user-to-set-correct-ctx_len.patch @@ -0,0 +1,41 @@ +From 86c8db86af43f52f682e53a0f2f0828683be1e52 Mon Sep 17 00:00:00 2001 +From: Stephen Smalley <stephen.smalley.work@gmail.com> +Date: Fri, 13 Jun 2025 15:37:05 -0400 +Subject: selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stephen Smalley <stephen.smalley.work@gmail.com> + +commit 86c8db86af43f52f682e53a0f2f0828683be1e52 upstream. + +We should count the terminating NUL byte as part of the ctx_len. +Otherwise, UBSAN logs a warning: + UBSAN: array-index-out-of-bounds in security/selinux/xfrm.c:99:14 + index 60 is out of range for type 'char [*]' + +The allocation itself is correct so there is no actual out of bounds +indexing, just a warning. + +Cc: stable@vger.kernel.org +Suggested-by: Christian Göttsche <cgzones@googlemail.com> +Link: https://lore.kernel.org/selinux/CAEjxPJ6tA5+LxsGfOJokzdPeRomBHjKLBVR6zbrg+_w3ZZbM3A@mail.gmail.com/ +Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> +Signed-off-by: Paul Moore <paul@paul-moore.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + security/selinux/xfrm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/selinux/xfrm.c ++++ b/security/selinux/xfrm.c +@@ -94,7 +94,7 @@ static int selinux_xfrm_alloc_user(struc + + ctx->ctx_doi = XFRM_SC_DOI_LSM; + ctx->ctx_alg = XFRM_SC_ALG_SELINUX; +- ctx->ctx_len = str_len; ++ ctx->ctx_len = str_len + 1; + memcpy(ctx->ctx_str, &uctx[1], str_len); + ctx->ctx_str[str_len] = '\0'; + rc = security_context_to_sid(ctx->ctx_str, str_len, diff --git a/queue-6.12/series b/queue-6.12/series index 5d31e2bd973..7cd8810369a 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -295,3 +295,33 @@ platform-x86-dell_rbu-fix-list-usage.patch platform-x86-dell_rbu-stop-overwriting-data-buffer.patch powerpc-vdso-fix-build-of-vdso32-with-pcrel.patch powerpc-eeh-fix-missing-pe-bridge-reconfiguration-du.patch +io_uring-kbuf-don-t-truncate-end-buffer-for-multiple-buffer-peeks.patch +io_uring-fix-task-leak-issue-in-io_wq_create.patch +drivers-rapidio-rio_cm.c-prevent-possible-heap-overwrite.patch +platform-loongarch-laptop-get-brightness-setting-from-ec-on-probe.patch +platform-loongarch-laptop-unregister-generic_sub_drivers-on-exit.patch +platform-loongarch-laptop-add-backlight-power-control-support.patch +loongarch-vdso-correctly-use-asm-parameters-in-syscall-wrappers.patch +loongarch-avoid-using-r0-r1-as-mask-for-csrxchg.patch +loongarch-fix-panic-caused-by-null-pmd-in-huge_pte_offset.patch +jffs2-check-that-raw-node-were-preallocated-before-writing-summary.patch +jffs2-check-jffs2_prealloc_raw_node_refs-result-in-few-other-places.patch +cifs-deal-with-the-channel-loading-lag-while-picking-channels.patch +cifs-serialize-other-channels-when-query-server-interfaces-is-pending.patch +cifs-do-not-disable-interface-polling-on-failure.patch 
+smb-improve-directory-cache-reuse-for-readdir-operations.patch +scsi-storvsc-increase-the-timeouts-to-storvsc_timeout.patch +scsi-s390-zfcp-ensure-synchronous-unit_add.patch +nvme-always-punt-polled-uring_cmd-end_io-work-to-task_work.patch +net_sched-sch_sfq-reject-invalid-perturb-period.patch +net-clear-the-dst-when-changing-skb-protocol.patch +mm-close-theoretical-race-where-stale-tlb-entries-could-linger.patch +udmabuf-use-sgtable-based-scatterlist-wrappers.patch +x86-virt-tdx-avoid-indirect-calls-to-tdx-assembly-functions.patch +selftests-x86-add-a-test-to-detect-infinite-sigtrap-handler-loop.patch +ksmbd-fix-null-pointer-dereference-in-destroy_previous_session.patch +platform-x86-ideapad-laptop-use-usleep_range-for-ec-polling.patch +selinux-fix-selinux_xfrm_alloc_user-to-set-correct-ctx_len.patch +platform-x86-intel-uncore-freq-fail-module-load-when-plat_info-is-null.patch +sched_ext-sched-core-don-t-call-scx_group_set_weight-prematurely-from-sched_create_group.patch +atm-revert-atm_account_tx-if-copy_from_iter_full-fails.patch diff --git a/queue-6.12/smb-improve-directory-cache-reuse-for-readdir-operations.patch b/queue-6.12/smb-improve-directory-cache-reuse-for-readdir-operations.patch new file mode 100644 index 00000000000..48b420b0f0e --- /dev/null +++ b/queue-6.12/smb-improve-directory-cache-reuse-for-readdir-operations.patch @@ -0,0 +1,153 @@ +From 72dd7961a4bb4fa1fc456169a61dd12e68e50645 Mon Sep 17 00:00:00 2001 +From: Bharath SM <bharathsm.hsk@gmail.com> +Date: Wed, 11 Jun 2025 16:59:02 +0530 +Subject: smb: improve directory cache reuse for readdir operations + +From: Bharath SM <bharathsm.hsk@gmail.com> + +commit 72dd7961a4bb4fa1fc456169a61dd12e68e50645 upstream. + +Currently, cached directory contents were not reused across subsequent +'ls' operations because the cache validity check relied on comparing +the ctx pointer, which changes with each readdir invocation. As a +result, the cached dir entries was not marked as valid and the cache was +not utilized for subsequent 'ls' operations. + +This change uses the file pointer, which remains consistent across all +readdir calls for a given directory instance, to associate and validate +the cache. As a result, cached directory contents can now be +correctly reused, improving performance for repeated directory listings. + +Performance gains with local windows SMB server: + +Without the patch and default actimeo=1: + 1000 directory enumeration operations on dir with 10k files took 135.0s + +With this patch and actimeo=0: + 1000 directory enumeration operations on dir with 10k files took just 5.1s + +Signed-off-by: Bharath SM <bharathsm@microsoft.com> +Reviewed-by: Shyam Prasad N <sprasad@microsoft.com> +Cc: stable@vger.kernel.org +Signed-off-by: Steve French <stfrench@microsoft.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + fs/smb/client/cached_dir.h | 8 ++++---- + fs/smb/client/readdir.c | 28 +++++++++++++++------------- + 2 files changed, 19 insertions(+), 17 deletions(-) + +--- a/fs/smb/client/cached_dir.h ++++ b/fs/smb/client/cached_dir.h +@@ -21,10 +21,10 @@ struct cached_dirent { + struct cached_dirents { + bool is_valid:1; + bool is_failed:1; +- struct dir_context *ctx; /* +- * Only used to make sure we only take entries +- * from a single context. Never dereferenced. +- */ ++ struct file *file; /* ++ * Used to associate the cache with a single ++ * open file instance. 
++ */ + struct mutex de_mutex; + int pos; /* Expected ctx->pos */ + struct list_head entries; +--- a/fs/smb/client/readdir.c ++++ b/fs/smb/client/readdir.c +@@ -850,9 +850,9 @@ static bool emit_cached_dirents(struct c + } + + static void update_cached_dirents_count(struct cached_dirents *cde, +- struct dir_context *ctx) ++ struct file *file) + { +- if (cde->ctx != ctx) ++ if (cde->file != file) + return; + if (cde->is_valid || cde->is_failed) + return; +@@ -861,9 +861,9 @@ static void update_cached_dirents_count( + } + + static void finished_cached_dirents_count(struct cached_dirents *cde, +- struct dir_context *ctx) ++ struct dir_context *ctx, struct file *file) + { +- if (cde->ctx != ctx) ++ if (cde->file != file) + return; + if (cde->is_valid || cde->is_failed) + return; +@@ -876,11 +876,12 @@ static void finished_cached_dirents_coun + static void add_cached_dirent(struct cached_dirents *cde, + struct dir_context *ctx, + const char *name, int namelen, +- struct cifs_fattr *fattr) ++ struct cifs_fattr *fattr, ++ struct file *file) + { + struct cached_dirent *de; + +- if (cde->ctx != ctx) ++ if (cde->file != file) + return; + if (cde->is_valid || cde->is_failed) + return; +@@ -910,7 +911,8 @@ static void add_cached_dirent(struct cac + static bool cifs_dir_emit(struct dir_context *ctx, + const char *name, int namelen, + struct cifs_fattr *fattr, +- struct cached_fid *cfid) ++ struct cached_fid *cfid, ++ struct file *file) + { + bool rc; + ino_t ino = cifs_uniqueid_to_ino_t(fattr->cf_uniqueid); +@@ -922,7 +924,7 @@ static bool cifs_dir_emit(struct dir_con + if (cfid) { + mutex_lock(&cfid->dirents.de_mutex); + add_cached_dirent(&cfid->dirents, ctx, name, namelen, +- fattr); ++ fattr, file); + mutex_unlock(&cfid->dirents.de_mutex); + } + +@@ -1022,7 +1024,7 @@ static int cifs_filldir(char *find_entry + cifs_prime_dcache(file_dentry(file), &name, &fattr); + + return !cifs_dir_emit(ctx, name.name, name.len, +- &fattr, cfid); ++ &fattr, cfid, file); + } + + +@@ -1073,8 +1075,8 @@ int cifs_readdir(struct file *file, stru + * we need to initialize scanning and storing the + * directory content. 
+ */ +- if (ctx->pos == 0 && cfid->dirents.ctx == NULL) { +- cfid->dirents.ctx = ctx; ++ if (ctx->pos == 0 && cfid->dirents.file == NULL) { ++ cfid->dirents.file = file; + cfid->dirents.pos = 2; + } + /* +@@ -1142,7 +1144,7 @@ int cifs_readdir(struct file *file, stru + } else { + if (cfid) { + mutex_lock(&cfid->dirents.de_mutex); +- finished_cached_dirents_count(&cfid->dirents, ctx); ++ finished_cached_dirents_count(&cfid->dirents, ctx, file); + mutex_unlock(&cfid->dirents.de_mutex); + } + cifs_dbg(FYI, "Could not find entry\n"); +@@ -1183,7 +1185,7 @@ int cifs_readdir(struct file *file, stru + ctx->pos++; + if (cfid) { + mutex_lock(&cfid->dirents.de_mutex); +- update_cached_dirents_count(&cfid->dirents, ctx); ++ update_cached_dirents_count(&cfid->dirents, file); + mutex_unlock(&cfid->dirents.de_mutex); + } + diff --git a/queue-6.12/udmabuf-use-sgtable-based-scatterlist-wrappers.patch b/queue-6.12/udmabuf-use-sgtable-based-scatterlist-wrappers.patch new file mode 100644 index 00000000000..7192a90583f --- /dev/null +++ b/queue-6.12/udmabuf-use-sgtable-based-scatterlist-wrappers.patch @@ -0,0 +1,50 @@ +From afe382843717d44b24ef5014d57dcbaab75a4052 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski <m.szyprowski@samsung.com> +Date: Wed, 7 May 2025 18:09:12 +0200 +Subject: udmabuf: use sgtable-based scatterlist wrappers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Szyprowski <m.szyprowski@samsung.com> + +commit afe382843717d44b24ef5014d57dcbaab75a4052 upstream. + +Use common wrappers operating directly on the struct sg_table objects to +fix incorrect use of scatterlists sync calls. dma_sync_sg_for_*() +functions have to be called with the number of elements originally passed +to dma_map_sg_*() function, not the one returned in sgtable's nents. 
+ +Fixes: 1ffe09590121 ("udmabuf: fix dma-buf cpu access") +CC: stable@vger.kernel.org +Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> +Acked-by: Vivek Kasireddy <vivek.kasireddy@intel.com> +Reviewed-by: Christian König <christian.koenig@amd.com> +Signed-off-by: Christian König <christian.koenig@amd.com> +Link: https://lore.kernel.org/r/20250507160913.2084079-3-m.szyprowski@samsung.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/dma-buf/udmabuf.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/dma-buf/udmabuf.c ++++ b/drivers/dma-buf/udmabuf.c +@@ -223,8 +223,7 @@ static int begin_cpu_udmabuf(struct dma_ + ubuf->sg = NULL; + } + } else { +- dma_sync_sg_for_cpu(dev, ubuf->sg->sgl, ubuf->sg->nents, +- direction); ++ dma_sync_sgtable_for_cpu(dev, ubuf->sg, direction); + } + + return ret; +@@ -239,7 +238,7 @@ static int end_cpu_udmabuf(struct dma_bu + if (!ubuf->sg) + return -EINVAL; + +- dma_sync_sg_for_device(dev, ubuf->sg->sgl, ubuf->sg->nents, direction); ++ dma_sync_sgtable_for_device(dev, ubuf->sg, direction); + return 0; + } + diff --git a/queue-6.12/x86-virt-tdx-avoid-indirect-calls-to-tdx-assembly-functions.patch b/queue-6.12/x86-virt-tdx-avoid-indirect-calls-to-tdx-assembly-functions.patch new file mode 100644 index 00000000000..3ecb03f16da --- /dev/null +++ b/queue-6.12/x86-virt-tdx-avoid-indirect-calls-to-tdx-assembly-functions.patch @@ -0,0 +1,68 @@ +From 0b3bc018e86afdc0cbfef61328c63d5c08f8b370 Mon Sep 17 00:00:00 2001 +From: Kai Huang <kai.huang@intel.com> +Date: Sat, 7 Jun 2025 01:07:37 +1200 +Subject: x86/virt/tdx: Avoid indirect calls to TDX assembly functions + +From: Kai Huang <kai.huang@intel.com> + +commit 0b3bc018e86afdc0cbfef61328c63d5c08f8b370 upstream. + +Two 'static inline' TDX helper functions (sc_retry() and +sc_retry_prerr()) take function pointer arguments which refer to +assembly functions. Normally, the compiler inlines the TDX helper, +realizes that the function pointer targets are completely static -- +thus can be resolved at compile time -- and generates direct call +instructions. + +But, other times (like when CONFIG_CC_OPTIMIZE_FOR_SIZE=y), the +compiler declines to inline the helpers and will instead generate +indirect call instructions. + +Indirect calls to assembly functions require special annotation (for +various Control Flow Integrity mechanisms). But TDX assembly +functions lack the special annotations and can only be called +directly. + +Annotate both the helpers as '__always_inline' to prod the compiler +into maintaining the direct calls. There is no guarantee here, but +Peter has volunteered to report the compiler bug if this assumption +ever breaks[1]. 
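
For illustration only (this aside is not part of the quoted patch), a minimal sketch of why the annotation matters; run_op() and some_asm_func are made-up names:

#include <linux/types.h>
#include <linux/compiler.h>

/* Illustrative sketch only; not the kernel's definitions. */
typedef u64 (*op_fn)(u64 arg);

static __always_inline u64 run_op(op_fn op, u64 arg)
{
	/*
	 * If run_op() is inlined at a call site such as run_op(some_asm_func, x),
	 * 'op' is a compile-time constant and the compiler can emit a direct
	 * "call some_asm_func". If it declines to inline (as can happen with
	 * CONFIG_CC_OPTIMIZE_FOR_SIZE=y), 'op' remains a runtime value and the
	 * call is emitted as an indirect call, which the unannotated assembly
	 * entry points cannot safely be the target of.
	 */
	return op(arg);
}

Forcing the helper inline keeps the pointer resolvable at compile time, so the assembly functions are only ever reached through direct calls.
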
+ +Fixes: 1e66a7e27539 ("x86/virt/tdx: Handle SEAMCALL no entropy error in common code") +Fixes: df01f5ae07dd ("x86/virt/tdx: Add SEAMCALL error printing for module initialization") +Signed-off-by: Kai Huang <kai.huang@intel.com> +Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/lkml/20250605145914.GW39944@noisy.programming.kicks-ass.net/ [1] +Link: https://lore.kernel.org/all/20250606130737.30713-1-kai.huang%40intel.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + arch/x86/include/asm/tdx.h | 2 +- + arch/x86/virt/vmx/tdx/tdx.c | 5 +++-- + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/arch/x86/include/asm/tdx.h ++++ b/arch/x86/include/asm/tdx.h +@@ -97,7 +97,7 @@ void tdx_init(void); + + typedef u64 (*sc_func_t)(u64 fn, struct tdx_module_args *args); + +-static inline u64 sc_retry(sc_func_t func, u64 fn, ++static __always_inline u64 sc_retry(sc_func_t func, u64 fn, + struct tdx_module_args *args) + { + int retry = RDRAND_RETRY_LOOPS; +--- a/arch/x86/virt/vmx/tdx/tdx.c ++++ b/arch/x86/virt/vmx/tdx/tdx.c +@@ -69,8 +69,9 @@ static inline void seamcall_err_ret(u64 + args->r9, args->r10, args->r11); + } + +-static inline int sc_retry_prerr(sc_func_t func, sc_err_func_t err_func, +- u64 fn, struct tdx_module_args *args) ++static __always_inline int sc_retry_prerr(sc_func_t func, ++ sc_err_func_t err_func, ++ u64 fn, struct tdx_module_args *args) + { + u64 sret = sc_retry(func, fn, args); + |