--- /dev/null
+From 8cbc3001a3264d998d6b6db3e23f935c158abd4d Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Fri, 18 Feb 2022 10:03:29 -0500
+Subject: btrfs: do not clean up repair bio if submit fails
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit 8cbc3001a3264d998d6b6db3e23f935c158abd4d upstream.
+
+The submit helper will always run bio_endio() on the bio if it fails to
+submit, so cleaning up the bio just leads to a variety of use-after-free
+and NULL pointer dereference bugs because we race with the endio
+function that is cleaning up the bio. Instead just return BLK_STS_OK as
+the repair function has to continue to process the rest of the pages,
+and the endio for the repair bio will do the appropriate cleanup for the
+page that it was given.
+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[Minor context change fixed.]
+Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/extent_io.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -2624,7 +2624,6 @@ int btrfs_repair_one_sector(struct inode
+ const int icsum = bio_offset >> fs_info->sectorsize_bits;
+ struct bio *repair_bio;
+ struct btrfs_io_bio *repair_io_bio;
+- blk_status_t status;
+
+ btrfs_debug(fs_info,
+ "repair read error: read error at %llu", start);
+@@ -2664,13 +2663,13 @@ int btrfs_repair_one_sector(struct inode
+ "repair read error: submitting new read to mirror %d",
+ failrec->this_mirror);
+
+- status = submit_bio_hook(inode, repair_bio, failrec->this_mirror,
+- failrec->bio_flags);
+- if (status) {
+- free_io_failure(failure_tree, tree, failrec);
+- bio_put(repair_bio);
+- }
+- return blk_status_to_errno(status);
++ /*
++ * At this point we have a bio, so any errors from submit_bio_hook()
++ * will be handled by the endio on the repair_bio, so we can't return an
++ * error here.
++ */
++ submit_bio_hook(inode, repair_bio, failrec->this_mirror, failrec->bio_flags);
++ return BLK_STS_OK;
+ }
+
+ static void end_page_read(struct page *page, bool uptodate, u64 start, u32 len)
--- /dev/null
+From 28cb13f29faf6290597b24b728dc3100c019356f Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Tue, 18 Jun 2024 12:15:01 +0100
+Subject: btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info()
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 28cb13f29faf6290597b24b728dc3100c019356f upstream.
+
+Instead of doing a BUG_ON() handle the error by returning -EUCLEAN,
+aborting the transaction and logging an error message.
+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[Minor conflict resolved due to code context change.]
+Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/extent-tree.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -176,6 +176,14 @@ search_again:
+ ei = btrfs_item_ptr(leaf, path->slots[0],
+ struct btrfs_extent_item);
+ num_refs = btrfs_extent_refs(leaf, ei);
++ if (unlikely(num_refs == 0)) {
++ ret = -EUCLEAN;
++ btrfs_err(fs_info,
++ "unexpected zero reference count for extent item (%llu %u %llu)",
++ key.objectid, key.type, key.offset);
++ btrfs_abort_transaction(trans, ret);
++ goto out_free;
++ }
+ extent_flags = btrfs_extent_flags(leaf, ei);
+ } else {
+ ret = -EINVAL;
+@@ -187,8 +195,6 @@ search_again:
+
+ goto out_free;
+ }
+-
+- BUG_ON(num_refs == 0);
+ } else {
+ num_refs = 0;
+ extent_flags = 0;
+@@ -218,10 +224,19 @@ search_again:
+ goto search_again;
+ }
+ spin_lock(&head->lock);
+- if (head->extent_op && head->extent_op->update_flags)
++ if (head->extent_op && head->extent_op->update_flags) {
+ extent_flags |= head->extent_op->flags_to_set;
+- else
+- BUG_ON(num_refs == 0);
++ } else if (unlikely(num_refs == 0)) {
++ spin_unlock(&head->lock);
++ mutex_unlock(&head->mutex);
++ spin_unlock(&delayed_refs->lock);
++ ret = -EUCLEAN;
++ btrfs_err(fs_info,
++ "unexpected zero reference count for extent %llu (%s)",
++ bytenr, metadata ? "metadata" : "data");
++ btrfs_abort_transaction(trans, ret);
++ goto out_free;
++ }
+
+ num_refs += head->ref_mod;
+ spin_unlock(&head->lock);
--- /dev/null
+From 10206302af856791fbcc27a33ed3c3eb09b2793d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 31 Mar 2025 09:15:32 +0000
+Subject: sctp: add mutual exclusion in proc_sctp_do_udp_port()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 10206302af856791fbcc27a33ed3c3eb09b2793d upstream.
+
+We must serialize calls to sctp_udp_sock_stop() and sctp_udp_sock_start()
+or risk a crash as syzbot reported:
+
+Oops: general protection fault, probably for non-canonical address 0xdffffc000000000d: 0000 [#1] SMP KASAN PTI
+KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]
+CPU: 1 UID: 0 PID: 6551 Comm: syz.1.44 Not tainted 6.14.0-syzkaller-g7f2ff7b62617 #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
+ RIP: 0010:kernel_sock_shutdown+0x47/0x70 net/socket.c:3653
+Call Trace:
+ <TASK>
+ udp_tunnel_sock_release+0x68/0x80 net/ipv4/udp_tunnel_core.c:181
+ sctp_udp_sock_stop+0x71/0x160 net/sctp/protocol.c:930
+ proc_sctp_do_udp_port+0x264/0x450 net/sctp/sysctl.c:553
+ proc_sys_call_handler+0x3d0/0x5b0 fs/proc/proc_sysctl.c:601
+ iter_file_splice_write+0x91c/0x1150 fs/splice.c:738
+ do_splice_from fs/splice.c:935 [inline]
+ direct_splice_actor+0x18f/0x6c0 fs/splice.c:1158
+ splice_direct_to_actor+0x342/0xa30 fs/splice.c:1102
+ do_splice_direct_actor fs/splice.c:1201 [inline]
+ do_splice_direct+0x174/0x240 fs/splice.c:1227
+ do_sendfile+0xafd/0xe50 fs/read_write.c:1368
+ __do_sys_sendfile64 fs/read_write.c:1429 [inline]
+ __se_sys_sendfile64 fs/read_write.c:1415 [inline]
+ __x64_sys_sendfile64+0x1d8/0x220 fs/read_write.c:1415
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+
+Fixes: 046c052b475e ("sctp: enable udp tunneling socks")
+Reported-by: syzbot+fae49d997eb56fa7c74d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/67ea5c01.050a0220.1547ec.012b.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Xin Long <lucien.xin@gmail.com>
+Link: https://patch.msgid.link/20250331091532.224982-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[Minor conflict resolved due to code context change.]
+Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sysctl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/sctp/sysctl.c
++++ b/net/sctp/sysctl.c
+@@ -518,6 +518,8 @@ static int proc_sctp_do_auth(struct ctl_
+ return ret;
+ }
+
++static DEFINE_MUTEX(sctp_sysctl_mutex);
++
+ static int proc_sctp_do_udp_port(struct ctl_table *ctl, int write,
+ void *buffer, size_t *lenp, loff_t *ppos)
+ {
+@@ -542,6 +544,7 @@ static int proc_sctp_do_udp_port(struct
+ if (new_value > max || new_value < min)
+ return -EINVAL;
+
++ mutex_lock(&sctp_sysctl_mutex);
+ net->sctp.udp_port = new_value;
+ sctp_udp_sock_stop(net);
+ if (new_value) {
+@@ -554,6 +557,7 @@ static int proc_sctp_do_udp_port(struct
+ lock_sock(sk);
+ sctp_sk(sk)->udp_port = htons(net->sctp.udp_port);
+ release_sock(sk);
++ mutex_unlock(&sctp_sysctl_mutex);
+ }
+
+ return ret;
--- /dev/null
+From ab00ddd802f80e31fc9639c652d736fe3913feae Mon Sep 17 00:00:00 2001
+From: Feng Tang <feng.tang@linux.alibaba.com>
+Date: Wed, 23 Apr 2025 18:36:45 +0800
+Subject: selftests/mm: compaction_test: support platform with huge mount of memory
+
+From: Feng Tang <feng.tang@linux.alibaba.com>
+
+commit ab00ddd802f80e31fc9639c652d736fe3913feae upstream.
+
+When running mm selftest to verify mm patches, 'compaction_test' case
+failed on an x86 server with 1TB memory. And the root cause is that it
+has too much free memory than what the test supports.
+
+The test case tries to allocate 100000 huge pages, which is about 200 GB
+for that x86 server, and when it succeeds, it expects it's large than 1/3
+of 80% of the free memory in system. This logic only works for platform
+with 750 GB ( 200 / (1/3) / 80% ) or less free memory, and may raise false
+alarm for others.
+
+Fix it by changing the fixed page number to self-adjustable number
+according to the real number of free memory.
+
+Link: https://lkml.kernel.org/r/20250423103645.2758-1-feng.tang@linux.alibaba.com
+Fixes: bd67d5c15cc1 ("Test compaction of mlocked memory")
+Signed-off-by: Feng Tang <feng.tang@linux.alibaba.com>
+Acked-by: Dev Jain <dev.jain@arm.com>
+Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
+Tested-by: Baolin Wang <baolin.wang@inux.alibaba.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Sri Jayaramappa <sjayaram@akamai.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/vm/compaction_test.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/tools/testing/selftests/vm/compaction_test.c
++++ b/tools/testing/selftests/vm/compaction_test.c
+@@ -89,6 +89,8 @@ int check_compaction(unsigned long mem_f
+ int compaction_index = 0;
+ char initial_nr_hugepages[20] = {0};
+ char nr_hugepages[20] = {0};
++ char target_nr_hugepages[24] = {0};
++ int slen;
+
+ /* We want to test with 80% of available memory. Else, OOM killer comes
+ in to play */
+@@ -118,11 +120,18 @@ int check_compaction(unsigned long mem_f
+
+ lseek(fd, 0, SEEK_SET);
+
+- /* Request a large number of huge pages. The Kernel will allocate
+- as much as it can */
+- if (write(fd, "100000", (6*sizeof(char))) != (6*sizeof(char))) {
+- ksft_test_result_fail("Failed to write 100000 to /proc/sys/vm/nr_hugepages: %s\n",
+- strerror(errno));
++ /*
++ * Request huge pages for about half of the free memory. The Kernel
++ * will allocate as much as it can, and we expect it will get at least 1/3
++ */
++ nr_hugepages_ul = mem_free / hugepage_size / 2;
++ snprintf(target_nr_hugepages, sizeof(target_nr_hugepages),
++ "%lu", nr_hugepages_ul);
++
++ slen = strlen(target_nr_hugepages);
++ if (write(fd, target_nr_hugepages, slen) != slen) {
++ ksft_test_result_fail("Failed to write %lu to /proc/sys/vm/nr_hugepages: %s\n",
++ nr_hugepages_ul, strerror(errno));
+ goto close_fd;
+ }
+
usb-typec-altmodes-displayport-create-sysfs-nodes-as-driver-s-default-device-attribute-group.patch
usb-typec-fix-potential-array-underflow-in-ucsi_ccg_sync_control.patch
usb-typec-fix-pm-usage-counter-imbalance-in-ucsi_ccg_sync_control.patch
+selftests-mm-compaction_test-support-platform-with-huge-mount-of-memory.patch
+sctp-add-mutual-exclusion-in-proc_sctp_do_udp_port.patch
+btrfs-don-t-bug_on-when-0-reference-count-at-btrfs_lookup_extent_info.patch
+btrfs-do-not-clean-up-repair-bio-if-submit-fails.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
