6.10-stable patches

added patches:
	net-ethernet-ti-am65-cpsw-fix-null-dereference-on-xdp_tx.patch
	xfs-xfs_finobt_count_blocks-walks-the-wrong-btree.patch

diff --git a/queue-6.10/net-ethernet-ti-am65-cpsw-fix-null-dereference-on-xdp_tx.patch b/queue-6.10/net-ethernet-ti-am65-cpsw-fix-null-dereference-on-xdp_tx.patch
new file mode 100644 (file)
index 0000000..fd075bb
--- /dev/null
+++ b/queue-6.10/net-ethernet-ti-am65-cpsw-fix-null-dereference-on-xdp_tx.patch
@@ -0,0 +1,48 @@
+From 0a50c35277f96481a5a6ed5faf347f282040c57d Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@kernel.org>
+Date: Thu, 29 Aug 2024 15:03:20 +0300
+Subject: net: ethernet: ti: am65-cpsw: Fix NULL dereference on XDP_TX
+
+From: Roger Quadros <rogerq@kernel.org>
+
+commit 0a50c35277f96481a5a6ed5faf347f282040c57d upstream.
+
+If number of TX queues are set to 1 we get a NULL pointer
+dereference during XDP_TX.
+
+~# ethtool -L eth0 tx 1
+~# ./xdp-trafficgen udp -A <ipv6-src> -a <ipv6-dst> eth0 -t 2
+Transmitting on eth0 (ifindex 2)
+[  241.135257] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030
+
+Fix this by using actual TX queues instead of max TX queues
+when picking the TX channel in am65_cpsw_ndo_xdp_xmit().
+
+Fixes: 8acacc40f733 ("net: ethernet: ti: am65-cpsw: Add minimal XDP support")
+Signed-off-by: Roger Quadros <rogerq@kernel.org>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Acked-by: Julien Panis <jpanis@baylibre.com>
+Reviewed-by: MD Danish Anwar <danishanwar@ti.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ti/am65-cpsw-nuss.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c
++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
+@@ -1918,12 +1918,13 @@ static int am65_cpsw_ndo_bpf(struct net_
+ static int am65_cpsw_ndo_xdp_xmit(struct net_device *ndev, int n,
+                                 struct xdp_frame **frames, u32 flags)
+ {
++      struct am65_cpsw_common *common = am65_ndev_to_common(ndev);
+       struct am65_cpsw_tx_chn *tx_chn;
+       struct netdev_queue *netif_txq;
+       int cpu = smp_processor_id();
+       int i, nxmit = 0;
+ 
+-      tx_chn = &am65_ndev_to_common(ndev)->tx_chns[cpu % AM65_CPSW_MAX_TX_QUEUES];
++      tx_chn = &common->tx_chns[cpu % common->tx_ch_num];
+       netif_txq = netdev_get_tx_queue(ndev, tx_chn->id);
+ 
+       __netif_tx_lock(netif_txq, cpu);

diff --git a/queue-6.10/series b/queue-6.10/series
index f9e41c202c08169e353aec79c010fa9f6583a0dc..cce8fb225e6da06a7b1f7fd3393db5ddcf8eba13 100644 (file)
--- a/queue-6.10/series
+++ b/queue-6.10/series
@@ -1,2 +1,4 @@
 libfs-fix-get_stashed_dentry.patch
 sch-netem-fix-use-after-free-in-netem_dequeue.patch
+xfs-xfs_finobt_count_blocks-walks-the-wrong-btree.patch
+net-ethernet-ti-am65-cpsw-fix-null-dereference-on-xdp_tx.patch

diff --git a/queue-6.10/xfs-xfs_finobt_count_blocks-walks-the-wrong-btree.patch b/queue-6.10/xfs-xfs_finobt_count_blocks-walks-the-wrong-btree.patch
new file mode 100644 (file)
index 0000000..7104092
--- /dev/null
+++ b/queue-6.10/xfs-xfs_finobt_count_blocks-walks-the-wrong-btree.patch
@@ -0,0 +1,63 @@
+From 95179935beadccaf0f0bb461adb778731e293da4 Mon Sep 17 00:00:00 2001
+From: Dave Chinner <dchinner@redhat.com>
+Date: Thu, 22 Aug 2024 16:59:33 -0700
+Subject: xfs: xfs_finobt_count_blocks() walks the wrong btree
+
+From: Dave Chinner <dchinner@redhat.com>
+
+commit 95179935beadccaf0f0bb461adb778731e293da4 upstream.
+
+As a result of the factoring in commit 14dd46cf31f4 ("xfs: split
+xfs_inobt_init_cursor"), mount started taking a long time on a
+user's filesystem.  For Anders, this made mount times regress from
+under a second to over 15 minutes for a filesystem with only 30
+million inodes in it.
+
+Anders bisected it down to the above commit, but even then the bug
+was not obvious. In this commit, over 20 calls to
+xfs_inobt_init_cursor() were modified, and some we modified to call
+a new function named xfs_finobt_init_cursor().
+
+If that takes you a moment to reread those function names to see
+what the rename was, then you have realised why this bug wasn't
+spotted during review. And it wasn't spotted on inspection even
+after the bisect pointed at this commit - a single missing "f" isn't
+the easiest thing for a human eye to notice....
+
+The result is that xfs_finobt_count_blocks() now incorrectly calls
+xfs_inobt_init_cursor() so it is now walking the inobt instead of
+the finobt. Hence when there are lots of allocated inodes in a
+filesystem, mount takes a -long- time run because it now walks a
+massive allocated inode btrees instead of the small, nearly empty
+free inode btrees. It also means all the finobt space reservations
+are wrong, so mount could potentially given ENOSPC on kernel
+upgrade.
+
+In hindsight, commit 14dd46cf31f4 should have been two commits - the
+first to convert the finobt callers to the new API, the second to
+modify the xfs_inobt_init_cursor() API for the inobt callers. That
+would have made the bug very obvious during review.
+
+Fixes: 14dd46cf31f4 ("xfs: split xfs_inobt_init_cursor")
+Reported-by: Anders Blomdell <anders.blomdell@gmail.com>
+Signed-off-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Signed-off-by: Darrick J. Wong <djwong@kernel.org>
+Signed-off-by: Chandan Babu R <chandanbabu@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/libxfs/xfs_ialloc_btree.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xfs/libxfs/xfs_ialloc_btree.c
++++ b/fs/xfs/libxfs/xfs_ialloc_btree.c
+@@ -749,7 +749,7 @@ xfs_finobt_count_blocks(
+       if (error)
+               return error;
+ 
+-      cur = xfs_inobt_init_cursor(pag, tp, agbp);
++      cur = xfs_finobt_init_cursor(pag, tp, agbp);
+       error = xfs_btree_count_blocks(cur, tree_blocks);
+       xfs_btree_del_cursor(cur, error);
+       xfs_trans_brelse(tp, agbp);