Fixes for 5.15
authorSasha Levin <sashal@kernel.org>
Fri, 1 Nov 2024 03:01:30 +0000 (23:01 -0400)
committerSasha Levin <sashal@kernel.org>
Fri, 1 Nov 2024 03:01:30 +0000 (23:01 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-5.15/acpi-prm-change-handler_addr-type-to-void-pointer.patch [new file with mode: 0644]
queue-5.15/acpi-prm-find-efi_memory_runtime-block-for-prm-handl.patch [new file with mode: 0644]
queue-5.15/acpi-prm-remove-unnecessary-blank-lines.patch [new file with mode: 0644]
queue-5.15/cgroup-fix-potential-overflow-issue-when-checking-ma.patch [new file with mode: 0644]
queue-5.15/ksmbd-fix-user-after-free-from-session-log-off.patch [new file with mode: 0644]
queue-5.15/selftests-mm-fix-incorrect-buffer-mirror-size-in-hmm.patch [new file with mode: 0644]
queue-5.15/series [new file with mode: 0644]

diff --git a/queue-5.15/acpi-prm-change-handler_addr-type-to-void-pointer.patch b/queue-5.15/acpi-prm-change-handler_addr-type-to-void-pointer.patch
new file mode 100644 (file)
index 0000000..d9a7df9
--- /dev/null
@@ -0,0 +1,50 @@
+From e2e522ef7a01c48f39d4552bac619bfac2fb6745 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jun 2022 13:53:43 +0100
+Subject: ACPI: PRM: Change handler_addr type to void pointer
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+[ Upstream commit 353efd5e97a7973d78f2634274b57309d0966e29 ]
+
+handler_addr is a virtual address passed to efi_call_virt_pointer.
+While x86 currently type cast it into the pointer in it's arch specific
+arch_efi_call_virt() implementation, ARM64 is restrictive for right
+reasons.
+
+Convert the handler_addr type from u64 to void pointer.
+
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Stable-dep-of: 088984c8d54c ("ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/prmt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/acpi/prmt.c b/drivers/acpi/prmt.c
+index 8d876bdb08f68..6da424f1f133f 100644
+--- a/drivers/acpi/prmt.c
++++ b/drivers/acpi/prmt.c
+@@ -53,7 +53,7 @@ static LIST_HEAD(prm_module_list);
+ struct prm_handler_info {
+       guid_t guid;
+-      u64 handler_addr;
++      void *handler_addr;
+       u64 static_data_buffer_addr;
+       u64 acpi_param_buffer_addr;
+@@ -136,7 +136,7 @@ acpi_parse_prmt(union acpi_subtable_headers *header, const unsigned long end)
+               th = &tm->handlers[cur_handler];
+               guid_copy(&th->guid, (guid_t *)handler_info->handler_guid);
+-              th->handler_addr = efi_pa_va_lookup(handler_info->handler_address);
++              th->handler_addr = (void *)efi_pa_va_lookup(handler_info->handler_address);
+               th->static_data_buffer_addr = efi_pa_va_lookup(handler_info->static_data_buffer_address);
+               th->acpi_param_buffer_addr = efi_pa_va_lookup(handler_info->acpi_param_buffer_address);
+       } while (++cur_handler < tm->handler_count && (handler_info = get_next_handler(handler_info)));
+-- 
+2.43.0
+
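Review bot: The new `th->handler_addr = (void *)efi_pa_va_lookup(handler_info->handler_address);` line turns the lookup's 0-on-failure return into a NULL handler_addr that nothing in this patch checks before use; the check only arrives with queue-5.15/acpi-prm-find-efi_memory_runtime-block-for-prm-handl.patch, so the ordering in queue-5.15/series (this patch listed before the find patch) is what keeps the backport coherent. The static_data_buffer_addr and acpi_param_buffer_addr fields stay u64 and can likewise hold 0 after a failed lookup, which the later patch also covers. acpi_parse_prmt starts and ends outside the hunk.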
diff --git a/queue-5.15/acpi-prm-find-efi_memory_runtime-block-for-prm-handl.patch b/queue-5.15/acpi-prm-find-efi_memory_runtime-block-for-prm-handl.patch
new file mode 100644 (file)
index 0000000..58f4b60
--- /dev/null
@@ -0,0 +1,119 @@
+From 4829c847ef829ebcf36bebb1e4ca4fb8f03aaf06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Oct 2024 04:50:10 +0800
+Subject: ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context
+
+From: Koba Ko <kobak@nvidia.com>
+
+[ Upstream commit 088984c8d54c0053fc4ae606981291d741c5924b ]
+
+PRMT needs to find the correct type of block to translate the PA-VA
+mapping for EFI runtime services.
+
+The issue arises because the PRMT is finding a block of type
+EFI_CONVENTIONAL_MEMORY, which is not appropriate for runtime services
+as described in Section 2.2.2 (Runtime Services) of the UEFI
+Specification [1]. Since the PRM handler is a type of runtime service,
+this causes an exception when the PRM handler is called.
+
+    [Firmware Bug]: Unable to handle paging request in EFI runtime service
+    WARNING: CPU: 22 PID: 4330 at drivers/firmware/efi/runtime-wrappers.c:341
+        __efi_queue_work+0x11c/0x170
+    Call trace:
+
+Let PRMT find a block with EFI_MEMORY_RUNTIME for PRM handler and PRM
+context.
+
+If no suitable block is found, a warning message will be printed, but
+the procedure continues to manage the next PRM handler.
+
+However, if the PRM handler is actually called without proper allocation,
+it would result in a failure during error handling.
+
+By using the correct memory types for runtime services, ensure that the
+PRM handler and the context are properly mapped in the virtual address
+space during runtime, preventing the paging request error.
+
+The issue is really that only memory that has been remapped for runtime
+by the firmware can be used by the PRM handler, and so the region needs
+to have the EFI_MEMORY_RUNTIME attribute.
+
+Link: https://uefi.org/sites/default/files/resources/UEFI_Spec_2_10_Aug29.pdf # [1]
+Fixes: cefc7ca46235 ("ACPI: PRM: implement OperationRegion handler for the PlatformRtMechanism subtype")
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Koba Ko <kobak@nvidia.com>
+Reviewed-by: Matthew R. Ochs <mochs@nvidia.com>
+Reviewed-by: Zhang Rui <rui.zhang@intel.com>
+Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
+Link: https://patch.msgid.link/20241012205010.4165798-1-kobak@nvidia.com
+[ rjw: Subject and changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/prmt.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/acpi/prmt.c b/drivers/acpi/prmt.c
+index 6da424f1f133f..63ead3f1d2947 100644
+--- a/drivers/acpi/prmt.c
++++ b/drivers/acpi/prmt.c
+@@ -72,17 +72,21 @@ struct prm_module_info {
+       struct prm_handler_info handlers[];
+ };
+-static u64 efi_pa_va_lookup(u64 pa)
++static u64 efi_pa_va_lookup(efi_guid_t *guid, u64 pa)
+ {
+       efi_memory_desc_t *md;
+       u64 pa_offset = pa & ~PAGE_MASK;
+       u64 page = pa & PAGE_MASK;
+       for_each_efi_memory_desc(md) {
+-              if (md->phys_addr < pa && pa < md->phys_addr + PAGE_SIZE * md->num_pages)
++              if ((md->attribute & EFI_MEMORY_RUNTIME) &&
++                  (md->phys_addr < pa && pa < md->phys_addr + PAGE_SIZE * md->num_pages)) {
+                       return pa_offset + md->virt_addr + page - md->phys_addr;
++              }
+       }
++      pr_warn("Failed to find VA for GUID: %pUL, PA: 0x%llx", guid, pa);
++
+       return 0;
+ }
+@@ -136,9 +140,15 @@ acpi_parse_prmt(union acpi_subtable_headers *header, const unsigned long end)
+               th = &tm->handlers[cur_handler];
+               guid_copy(&th->guid, (guid_t *)handler_info->handler_guid);
+-              th->handler_addr = (void *)efi_pa_va_lookup(handler_info->handler_address);
+-              th->static_data_buffer_addr = efi_pa_va_lookup(handler_info->static_data_buffer_address);
+-              th->acpi_param_buffer_addr = efi_pa_va_lookup(handler_info->acpi_param_buffer_address);
++              th->handler_addr =
++                      (void *)efi_pa_va_lookup(&th->guid, handler_info->handler_address);
++
++              th->static_data_buffer_addr =
++                      efi_pa_va_lookup(&th->guid, handler_info->static_data_buffer_address);
++
++              th->acpi_param_buffer_addr =
++                      efi_pa_va_lookup(&th->guid, handler_info->acpi_param_buffer_address);
++
+       } while (++cur_handler < tm->handler_count && (handler_info = get_next_handler(handler_info)));
+       return 0;
+@@ -232,6 +242,13 @@ static acpi_status acpi_platformrt_space_handler(u32 function,
+               if (!handler || !module)
+                       goto invalid_guid;
++              if (!handler->handler_addr ||
++                  !handler->static_data_buffer_addr ||
++                  !handler->acpi_param_buffer_addr) {
++                      buffer->prm_status = PRM_HANDLER_ERROR;
++                      return AE_OK;
++              }
++
+               ACPI_COPY_NAMESEG(context.signature, "PRMC");
+               context.revision = 0x0;
+               context.reserved = 0x0;
+-- 
+2.43.0
+
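Review bot: The new `pr_warn("Failed to find VA for GUID: %pUL, PA: 0x%llx", guid, pa);` in efi_pa_va_lookup has no trailing newline, so the next printk can be appended to the same console line; use `pr_warn("Failed to find VA for GUID: %pUL, PA: 0x%llx\n", guid, pa);`. On the rewritten condition, `md->phys_addr < pa` is a strict comparison carried over from the old line, so a physical address that lies exactly at the start of a descriptor's range is never matched and the lookup returns 0 for it; `md->phys_addr <= pa` would match it if that is the intent — this is inherited behaviour rather than introduced here, but the hunk rewrites the line. The added guard in acpi_platformrt_space_handler returns AE_OK with prm_status set to PRM_HANDLER_ERROR when any of the three addresses is 0, which matches the lookup's 0-on-failure contract. Both functions extend beyond the hunk.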
diff --git a/queue-5.15/acpi-prm-remove-unnecessary-blank-lines.patch b/queue-5.15/acpi-prm-remove-unnecessary-blank-lines.patch
new file mode 100644 (file)
index 0000000..760200f
--- /dev/null
@@ -0,0 +1,58 @@
+From 333b050cd932395cf09eb3962c21d8518d837dbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Oct 2021 11:23:16 +0800
+Subject: ACPI: PRM: Remove unnecessary blank lines
+
+From: Aubrey Li <aubrey.li@intel.com>
+
+[ Upstream commit caa2bd07f5c5f09acf62072906daeaa667e2b645 ]
+
+Just remove unnecessary blank lines, no other code changes
+
+Signed-off-by: Aubrey Li <aubrey.li@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Stable-dep-of: 088984c8d54c ("ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/prmt.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/acpi/prmt.c b/drivers/acpi/prmt.c
+index 09c0af8a46f0a..8d876bdb08f68 100644
+--- a/drivers/acpi/prmt.c
++++ b/drivers/acpi/prmt.c
+@@ -49,7 +49,6 @@ struct prm_context_buffer {
+ };
+ #pragma pack()
+-
+ static LIST_HEAD(prm_module_list);
+ struct prm_handler_info {
+@@ -73,7 +72,6 @@ struct prm_module_info {
+       struct prm_handler_info handlers[];
+ };
+-
+ static u64 efi_pa_va_lookup(u64 pa)
+ {
+       efi_memory_desc_t *md;
+@@ -88,7 +86,6 @@ static u64 efi_pa_va_lookup(u64 pa)
+       return 0;
+ }
+-
+ #define get_first_handler(a) ((struct acpi_prmt_handler_info *) ((char *) (a) + a->handler_info_offset))
+ #define get_next_handler(a) ((struct acpi_prmt_handler_info *) (sizeof(struct acpi_prmt_handler_info) + (char *) a))
+@@ -171,7 +168,6 @@ static void *find_guid_info(const guid_t *guid, u8 mode)
+       return NULL;
+ }
+-
+ static struct prm_module_info *find_prm_module(const guid_t *guid)
+ {
+       return (struct prm_module_info *)find_guid_info(guid, GET_MODULE);
+-- 
+2.43.0
+
diff --git a/queue-5.15/cgroup-fix-potential-overflow-issue-when-checking-ma.patch b/queue-5.15/cgroup-fix-potential-overflow-issue-when-checking-ma.patch
new file mode 100644 (file)
index 0000000..8cbd887
--- /dev/null
@@ -0,0 +1,59 @@
+From c95aa34609c12072a7b27bbd6bd4726180365d79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Oct 2024 07:22:46 +0000
+Subject: cgroup: Fix potential overflow issue when checking max_depth
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+[ Upstream commit 3cc4e13bb1617f6a13e5e6882465984148743cf4 ]
+
+cgroup.max.depth is the maximum allowed descent depth below the current
+cgroup. If the actual descent depth is equal or larger, an attempt to
+create a new child cgroup will fail. However due to the cgroup->max_depth
+is of int type and having the default value INT_MAX, the condition
+'level > cgroup->max_depth' will never be satisfied, and it will cause
+an overflow of the level after it reaches to INT_MAX.
+
+Fix it by starting the level from 0 and using '>=' instead.
+
+It's worth mentioning that this issue is unlikely to occur in reality,
+as it's impossible to have a depth of INT_MAX hierarchy, but should be
+be avoided logically.
+
+Fixes: 1a926e0bbab8 ("cgroup: implement hierarchy limits")
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Reviewed-by: Michal Koutný <mkoutny@suse.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cgroup/cgroup.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
+index 999fef6d12282..9ba87c5de1a87 100644
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -5527,7 +5527,7 @@ static bool cgroup_check_hierarchy_limits(struct cgroup *parent)
+ {
+       struct cgroup *cgroup;
+       int ret = false;
+-      int level = 1;
++      int level = 0;
+       lockdep_assert_held(&cgroup_mutex);
+@@ -5535,7 +5535,7 @@ static bool cgroup_check_hierarchy_limits(struct cgroup *parent)
+               if (cgroup->nr_descendants >= cgroup->max_descendants)
+                       goto fail;
+-              if (level > cgroup->max_depth)
++              if (level >= cgroup->max_depth)
+                       goto fail;
+               level++;
+-- 
+2.43.0
+
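Review bot: The reason `int level = 0;` together with `if (level >= cgroup->max_depth)` cannot overflow is only explained in the commit message; a short comment in the code would keep the next reader from restoring the old form. Something like `/* compared before being incremented, so level never exceeds max_depth (at most INT_MAX) */` above the declaration would do. cgroup_check_hierarchy_limits starts and ends outside the hunk.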
diff --git a/queue-5.15/ksmbd-fix-user-after-free-from-session-log-off.patch b/queue-5.15/ksmbd-fix-user-after-free-from-session-log-off.patch
new file mode 100644 (file)
index 0000000..26b7b01
--- /dev/null
@@ -0,0 +1,162 @@
+From a5559d1a10da8405782f6232e67dc96d1b3e9b85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 22:42:57 +0900
+Subject: ksmbd: fix user-after-free from session log off
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+[ Upstream commit 7aa8804c0b67b3cb263a472d17f2cb50d7f1a930 ]
+
+There is racy issue between smb2 session log off and smb2 session setup.
+It will cause user-after-free from session log off.
+This add session_lock when setting SMB2_SESSION_EXPIRED and referece
+count to session struct not to free session while it is being used.
+
+Cc: stable@vger.kernel.org # v5.15+
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-25282
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ksmbd/mgmt/user_session.c | 26 +++++++++++++++++++++-----
+ fs/ksmbd/mgmt/user_session.h |  4 ++++
+ fs/ksmbd/server.c            |  2 ++
+ fs/ksmbd/smb2pdu.c           |  8 +++++++-
+ 4 files changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/fs/ksmbd/mgmt/user_session.c b/fs/ksmbd/mgmt/user_session.c
+index 15f68ee050894..844db95e66511 100644
+--- a/fs/ksmbd/mgmt/user_session.c
++++ b/fs/ksmbd/mgmt/user_session.c
+@@ -176,9 +176,10 @@ static void ksmbd_expire_session(struct ksmbd_conn *conn)
+       down_write(&conn->session_lock);
+       xa_for_each(&conn->sessions, id, sess) {
+-              if (sess->state != SMB2_SESSION_VALID ||
+-                  time_after(jiffies,
+-                             sess->last_active + SMB2_SESSION_TIMEOUT)) {
++              if (atomic_read(&sess->refcnt) == 0 &&
++                  (sess->state != SMB2_SESSION_VALID ||
++                   time_after(jiffies,
++                             sess->last_active + SMB2_SESSION_TIMEOUT))) {
+                       xa_erase(&conn->sessions, sess->id);
+                       hash_del(&sess->hlist);
+                       ksmbd_session_destroy(sess);
+@@ -268,8 +269,6 @@ struct ksmbd_session *ksmbd_session_lookup_slowpath(unsigned long long id)
+       down_read(&sessions_table_lock);
+       sess = __session_lookup(id);
+-      if (sess)
+-              sess->last_active = jiffies;
+       up_read(&sessions_table_lock);
+       return sess;
+@@ -288,6 +287,22 @@ struct ksmbd_session *ksmbd_session_lookup_all(struct ksmbd_conn *conn,
+       return sess;
+ }
++void ksmbd_user_session_get(struct ksmbd_session *sess)
++{
++      atomic_inc(&sess->refcnt);
++}
++
++void ksmbd_user_session_put(struct ksmbd_session *sess)
++{
++      if (!sess)
++              return;
++
++      if (atomic_read(&sess->refcnt) <= 0)
++              WARN_ON(1);
++      else
++              atomic_dec(&sess->refcnt);
++}
++
+ struct preauth_session *ksmbd_preauth_session_alloc(struct ksmbd_conn *conn,
+                                                   u64 sess_id)
+ {
+@@ -356,6 +371,7 @@ static struct ksmbd_session *__session_create(int protocol)
+       xa_init(&sess->rpc_handle_list);
+       sess->sequence_number = 1;
+       rwlock_init(&sess->tree_conns_lock);
++      atomic_set(&sess->refcnt, 1);
+       ret = __init_smb2_session(sess);
+       if (ret)
+diff --git a/fs/ksmbd/mgmt/user_session.h b/fs/ksmbd/mgmt/user_session.h
+index 63cb08fffde84..ce91b1d698e71 100644
+--- a/fs/ksmbd/mgmt/user_session.h
++++ b/fs/ksmbd/mgmt/user_session.h
+@@ -61,6 +61,8 @@ struct ksmbd_session {
+       struct ksmbd_file_table         file_table;
+       unsigned long                   last_active;
+       rwlock_t                        tree_conns_lock;
++
++      atomic_t                        refcnt;
+ };
+ static inline int test_session_flag(struct ksmbd_session *sess, int bit)
+@@ -101,4 +103,6 @@ void ksmbd_release_tree_conn_id(struct ksmbd_session *sess, int id);
+ int ksmbd_session_rpc_open(struct ksmbd_session *sess, char *rpc_name);
+ void ksmbd_session_rpc_close(struct ksmbd_session *sess, int id);
+ int ksmbd_session_rpc_method(struct ksmbd_session *sess, int id);
++void ksmbd_user_session_get(struct ksmbd_session *sess);
++void ksmbd_user_session_put(struct ksmbd_session *sess);
+ #endif /* __USER_SESSION_MANAGEMENT_H__ */
+diff --git a/fs/ksmbd/server.c b/fs/ksmbd/server.c
+index 63b01f7d97031..09ebcf39d5bcb 100644
+--- a/fs/ksmbd/server.c
++++ b/fs/ksmbd/server.c
+@@ -238,6 +238,8 @@ static void __handle_ksmbd_work(struct ksmbd_work *work,
+       } while (is_chained == true);
+ send:
++      if (work->sess)
++              ksmbd_user_session_put(work->sess);
+       if (work->tcon)
+               ksmbd_tree_connect_put(work->tcon);
+       smb3_preauth_hash_rsp(work);
+diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
+index 089dc2f51229a..54f7cf7a98b2b 100644
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -606,8 +606,10 @@ int smb2_check_user_session(struct ksmbd_work *work)
+       /* Check for validity of user session */
+       work->sess = ksmbd_session_lookup_all(conn, sess_id);
+-      if (work->sess)
++      if (work->sess) {
++              ksmbd_user_session_get(work->sess);
+               return 1;
++      }
+       ksmbd_debug(SMB, "Invalid user session, Uid %llu\n", sess_id);
+       return -ENOENT;
+ }
+@@ -1761,6 +1763,7 @@ int smb2_sess_setup(struct ksmbd_work *work)
+               }
+               conn->binding = true;
++              ksmbd_user_session_get(sess);
+       } else if ((conn->dialect < SMB30_PROT_ID ||
+                   server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL) &&
+                  (req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
+@@ -1787,6 +1790,7 @@ int smb2_sess_setup(struct ksmbd_work *work)
+               }
+               conn->binding = false;
++              ksmbd_user_session_get(sess);
+       }
+       work->sess = sess;
+@@ -2235,7 +2239,9 @@ int smb2_session_logoff(struct ksmbd_work *work)
+       }
+       ksmbd_destroy_file_table(&sess->file_table);
++      down_write(&conn->session_lock);
+       sess->state = SMB2_SESSION_EXPIRED;
++      up_write(&conn->session_lock);
+       ksmbd_free_user(sess->user);
+       sess->user = NULL;
+-- 
+2.43.0
+
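Review bot: In the new ksmbd_user_session_put, `atomic_read(&sess->refcnt) <= 0` followed by a separate `atomic_dec(&sess->refcnt)` is a check-then-act pair, so two concurrent puts on a count of 1 can both pass the check and drive refcnt negative; `WARN_ON(atomic_dec_if_positive(&sess->refcnt) < 0);` performs the same test and decrement as one atomic operation. Separately, __session_create now starts refcnt at 1 while each ksmbd_user_session_get in smb2_check_user_session and smb2_sess_setup is balanced by the put at the `send:` label in __handle_ksmbd_work, so from these hunks alone it is not clear what ever brings refcnt to 0 for the `atomic_read(&sess->refcnt) == 0` test in ksmbd_expire_session — worth confirming that a drop of the initial reference exists outside this patch. All of the touched functions extend beyond their hunks.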
diff --git a/queue-5.15/selftests-mm-fix-incorrect-buffer-mirror-size-in-hmm.patch b/queue-5.15/selftests-mm-fix-incorrect-buffer-mirror-size-in-hmm.patch
new file mode 100644 (file)
index 0000000..6f0c38c
--- /dev/null
@@ -0,0 +1,70 @@
+From f5078cf9efe2e44475472c36fcc0b3505d4cb941 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Sep 2024 00:07:52 -0500
+Subject: selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map
+ test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Donet Tom <donettom@linux.ibm.com>
+
+[ Upstream commit 76503e1fa1a53ef041a120825d5ce81c7fe7bdd7 ]
+
+The hmm2 double_map test was failing due to an incorrect buffer->mirror
+size.  The buffer->mirror size was 6, while buffer->ptr size was 6 *
+PAGE_SIZE.  The test failed because the kernel's copy_to_user function was
+attempting to copy a 6 * PAGE_SIZE buffer to buffer->mirror.  Since the
+size of buffer->mirror was incorrect, copy_to_user failed.
+
+This patch corrects the buffer->mirror size to 6 * PAGE_SIZE.
+
+Test Result without this patch
+==============================
+ #  RUN           hmm2.hmm2_device_private.double_map ...
+ # hmm-tests.c:1680:double_map:Expected ret (-14) == 0 (0)
+ # double_map: Test terminated by assertion
+ #          FAIL  hmm2.hmm2_device_private.double_map
+ not ok 53 hmm2.hmm2_device_private.double_map
+
+Test Result with this patch
+===========================
+ #  RUN           hmm2.hmm2_device_private.double_map ...
+ #            OK  hmm2.hmm2_device_private.double_map
+ ok 53 hmm2.hmm2_device_private.double_map
+
+Link: https://lkml.kernel.org/r/20240927050752.51066-1-donettom@linux.ibm.com
+Fixes: fee9f6d1b8df ("mm/hmm/test: add selftests for HMM")
+Signed-off-by: Donet Tom <donettom@linux.ibm.com>
+Reviewed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Cc: Jérôme Glisse <jglisse@redhat.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Cc: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Ralph Campbell <rcampbell@nvidia.com>
+Cc: Jason Gunthorpe <jgg@mellanox.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/vm/hmm-tests.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/vm/hmm-tests.c b/tools/testing/selftests/vm/hmm-tests.c
+index 203323967b507..a8f69d991243d 100644
+--- a/tools/testing/selftests/vm/hmm-tests.c
++++ b/tools/testing/selftests/vm/hmm-tests.c
+@@ -1482,7 +1482,7 @@ TEST_F(hmm2, double_map)
+       buffer->fd = -1;
+       buffer->size = size;
+-      buffer->mirror = malloc(npages);
++      buffer->mirror = malloc(size);
+       ASSERT_NE(buffer->mirror, NULL);
+       /* Reserve a range of addresses. */
+-- 
+2.43.0
+
diff --git a/queue-5.15/series b/queue-5.15/series
new file mode 100644 (file)
index 0000000..c1805eb
--- /dev/null
@@ -0,0 +1,6 @@
+selftests-mm-fix-incorrect-buffer-mirror-size-in-hmm.patch
+ksmbd-fix-user-after-free-from-session-log-off.patch
+acpi-prm-remove-unnecessary-blank-lines.patch
+acpi-prm-change-handler_addr-type-to-void-pointer.patch
+acpi-prm-find-efi_memory_runtime-block-for-prm-handl.patch
+cgroup-fix-potential-overflow-issue-when-checking-ma.patch