--- /dev/null
+From stable+bounces-181949-greg=kroah.com@vger.kernel.org Mon Sep 29 17:54:28 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Sep 2025 11:54:09 -0400
+Subject: drm/ast: Use msleep instead of mdelay for edid read
+To: stable@vger.kernel.org
+Cc: Nirmoy Das <nirmoyd@nvidia.com>, Thomas Zimmermann <tzimmermann@suse.de>, KuoHsiang Chou <kuohsiang_chou@aspeedtech.com>, Dave Airlie <airlied@redhat.com>, Jocelyn Falempe <jfalempe@redhat.com>, dri-devel@lists.freedesktop.org, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250929155412.141429-1-sashal@kernel.org>
+
+From: Nirmoy Das <nirmoyd@nvidia.com>
+
+[ Upstream commit c7c31f8dc54aa3c9b2c994b5f1ff7e740a654e97 ]
+
+The busy-waiting in `mdelay()` can cause CPU stalls and kernel timeouts
+during boot.
+
+Signed-off-by: Nirmoy Das <nirmoyd@nvidia.com>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Tested-by: Carol L Soto csoto@nvidia.com<mailto:csoto@nvidia.com>
+Fixes: 594e9c04b586 ("drm/ast: Create the driver for ASPEED proprietory Display-Port")
+Cc: KuoHsiang Chou <kuohsiang_chou@aspeedtech.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Jocelyn Falempe <jfalempe@redhat.com>
+Cc: dri-devel@lists.freedesktop.org
+Cc: <stable@vger.kernel.org> # v5.19+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://lore.kernel.org/r/20250917194346.2905522-1-nirmoyd@nvidia.com
+[ Applied change to ast_astdp_read_edid() instead of ast_astdp_read_edid_block() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/ast/ast_dp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ast/ast_dp.c
++++ b/drivers/gpu/drm/ast/ast_dp.c
+@@ -51,7 +51,7 @@ int ast_astdp_read_edid(struct drm_devic
+ * of right-click of mouse.
+ * 2. The Delays are often longer a lot when system resume from S3/S4.
+ */
+- mdelay(j+1);
++ msleep(j + 1);
+
+ if (!(ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xD1,
+ ASTDP_MCU_FW_EXECUTING) &&
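Review bot: `msleep(j + 1)` can block, so this call is only safe if ast_astdp_read_edid() is always reached from a context that may sleep; the function starts and ends outside the hunk, so that cannot be confirmed from here. For delays of a few milliseconds `msleep()` can also sleep noticeably longer than requested, which lengthens the whole EDID read loop. A comment above the call would record both facts, for example `/* may sleep: process context only; actual delay can exceed j + 1 ms */`.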
--- /dev/null
+From stable+bounces-181924-greg=kroah.com@vger.kernel.org Mon Sep 29 16:26:10 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Sep 2025 10:25:17 -0400
+Subject: i40e: add validation for ring_len param
+To: stable@vger.kernel.org
+Cc: Lukasz Czapnik <lukasz.czapnik@intel.com>, Aleksandr Loktionov <aleksandr.loktionov@intel.com>, Przemek Kitszel <przemyslaw.kitszel@intel.com>, Simon Horman <horms@kernel.org>, Rafal Romanowski <rafal.romanowski@intel.com>, Tony Nguyen <anthony.l.nguyen@intel.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250929142517.86759-2-sashal@kernel.org>
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+[ Upstream commit 55d225670def06b01af2e7a5e0446fbe946289e8 ]
+
+The `ring_len` parameter provided by the virtual function (VF)
+is assigned directly to the hardware memory context (HMC) without
+any validation.
+
+To address this, introduce an upper boundary check for both Tx and Rx
+queue lengths. The maximum number of descriptors supported by the
+hardware is 8k-32.
+Additionally, enforce alignment constraints: Tx rings must be a multiple
+of 8, and Rx rings must be a multiple of 32.
+
+Fixes: 5c3c48ac6bf5 ("i40e: implement virtual device interface")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -653,6 +653,13 @@ static int i40e_config_vsi_tx_queue(stru
+
+ /* only set the required fields */
+ tx_ctx.base = info->dma_ring_addr / 128;
++
++ /* ring_len has to be multiple of 8 */
++ if (!IS_ALIGNED(info->ring_len, 8) ||
++ info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) {
++ ret = -EINVAL;
++ goto error_context;
++ }
+ tx_ctx.qlen = info->ring_len;
+ tx_ctx.rdylist = le16_to_cpu(vsi->info.qs_handle[0]);
+ tx_ctx.rdylist_act = 0;
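Review bot: A `ring_len` of 0 still passes the added check, because 0 is aligned to 8 and is below `I40E_MAX_NUM_DESCRIPTORS_XL710`, and it is then written to `tx_ctx.qlen`. Whether the HMC tolerates a zero-length queue is not visible here, so a lower bound on this VF-supplied value (such as `info->ring_len == 0 ||` at the start of the condition) is worth considering. The comment names only the alignment rule; `/* ring_len must be a multiple of 8 and no larger than the HMC QLEN limit */` would cover both conditions. The Rx hunk in i40e_config_vsi_rx_queue() has the same shape with a multiple of 32, and both compare against the XL710 limit regardless of MAC type. Both functions continue outside their hunks, so the `error_context` and `error_param` cleanup paths cannot be checked from here.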
+@@ -718,6 +725,13 @@ static int i40e_config_vsi_rx_queue(stru
+
+ /* only set the required fields */
+ rx_ctx.base = info->dma_ring_addr / 128;
++
++ /* ring_len has to be multiple of 32 */
++ if (!IS_ALIGNED(info->ring_len, 32) ||
++ info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) {
++ ret = -EINVAL;
++ goto error_param;
++ }
+ rx_ctx.qlen = info->ring_len;
+
+ if (info->splithdr_enabled) {
--- /dev/null
+From stable+bounces-181931-greg=kroah.com@vger.kernel.org Mon Sep 29 16:42:50 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Sep 2025 10:42:43 -0400
+Subject: i40e: fix idx validation in config queues msg
+To: stable@vger.kernel.org
+Cc: Lukasz Czapnik <lukasz.czapnik@intel.com>, Aleksandr Loktionov <aleksandr.loktionov@intel.com>, Przemek Kitszel <przemyslaw.kitszel@intel.com>, Simon Horman <horms@kernel.org>, Kamakshi Nellore <nellorex.kamakshi@intel.com>, Tony Nguyen <anthony.l.nguyen@intel.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250929144243.104777-1-sashal@kernel.org>
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+[ Upstream commit f1ad24c5abe1eaef69158bac1405a74b3c365115 ]
+
+Ensure idx is within range of active/initialized TCs when iterating over
+vf->ch[idx] in i40e_vc_config_queues_msg().
+
+Fixes: c27eac48160d ("i40e: Enable ADq and create queue channel/s on VF")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Kamakshi Nellore <nellorex.kamakshi@intel.com> (A Contingent Worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -2391,7 +2391,7 @@ static int i40e_vc_config_queues_msg(str
+ }
+
+ if (vf->adq_enabled) {
+- if (idx >= ARRAY_SIZE(vf->ch)) {
++ if (idx >= vf->num_tc) {
+ aq_ret = I40E_ERR_NO_AVAILABLE_VSI;
+ goto error_param;
+ }
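Review bot: The new bound `idx >= vf->num_tc` protects `vf->ch[idx]` only if `num_tc` can never exceed `ARRAY_SIZE(vf->ch)`. The code that sets `num_tc` is outside this diff, so that invariant is assumed here rather than shown. Keeping both limits makes the array access safe on its own: `if (idx >= vf->num_tc || idx >= ARRAY_SIZE(vf->ch)) {`. The same applies to the second hunk in i40e_vc_config_queues_msg(); the function starts and ends outside both hunks.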
+@@ -2412,7 +2412,7 @@ static int i40e_vc_config_queues_msg(str
+ * to its appropriate VSIs based on TC mapping
+ */
+ if (vf->adq_enabled) {
+- if (idx >= ARRAY_SIZE(vf->ch)) {
++ if (idx >= vf->num_tc) {
+ aq_ret = I40E_ERR_NO_AVAILABLE_VSI;
+ goto error_param;
+ }
--- /dev/null
+From stable+bounces-181932-greg=kroah.com@vger.kernel.org Mon Sep 29 16:46:27 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Sep 2025 10:45:51 -0400
+Subject: i40e: fix validation of VF state in get resources
+To: stable@vger.kernel.org
+Cc: Lukasz Czapnik <lukasz.czapnik@intel.com>, Aleksandr Loktionov <aleksandr.loktionov@intel.com>, Przemek Kitszel <przemyslaw.kitszel@intel.com>, Simon Horman <horms@kernel.org>, Rafal Romanowski <rafal.romanowski@intel.com>, Tony Nguyen <anthony.l.nguyen@intel.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250929144551.106680-1-sashal@kernel.org>
+
+From: Lukasz Czapnik <lukasz.czapnik@intel.com>
+
+[ Upstream commit 877b7e6ffc23766448236e8732254534c518ba42 ]
+
+VF state I40E_VF_STATE_ACTIVE is not the only state in which
+VF is actually active so it should not be used to determine
+if a VF is allowed to obtain resources.
+
+Use I40E_VF_STATE_RESOURCES_LOADED that is set only in
+i40e_vc_get_vf_resources_msg() and cleared during reset.
+
+Fixes: 61125b8be85d ("i40e: Fix failed opcode appearing if handling messages from VF")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik <lukasz.czapnik@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 7 ++++++-
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h | 3 ++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -1455,6 +1455,7 @@ static void i40e_trigger_vf_reset(struct
+ * functions that may still be running at this point.
+ */
+ clear_bit(I40E_VF_STATE_INIT, &vf->vf_states);
++ clear_bit(I40E_VF_STATE_RESOURCES_LOADED, &vf->vf_states);
+
+ /* In the case of a VFLR, the HW has already reset the VF and we
+ * just need to clean up, so don't hit the VFRTRIG register.
+@@ -2121,7 +2122,10 @@ static int i40e_vc_get_vf_resources_msg(
+ size_t len = 0;
+ int ret;
+
+- if (!i40e_sync_vf_state(vf, I40E_VF_STATE_INIT)) {
++ i40e_sync_vf_state(vf, I40E_VF_STATE_INIT);
++
++ if (!test_bit(I40E_VF_STATE_INIT, &vf->vf_states) ||
++ test_bit(I40E_VF_STATE_RESOURCES_LOADED, &vf->vf_states)) {
+ aq_ret = I40E_ERR_PARAM;
+ goto err;
+ }
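Review bot: The return value of `i40e_sync_vf_state(vf, I40E_VF_STATE_INIT)` is now discarded, and the gate rests on two separate `test_bit()` calls while `I40E_VF_STATE_RESOURCES_LOADED` is only set near the end of the function. If two requests for the same VF could be handled concurrently, both would pass this check; whether message handling is serialized is not visible in the hunk. A VF that repeats the request without an intervening reset now receives `I40E_ERR_PARAM`, which deserves a comment such as `/* a VF may fetch its resources only once between resets */` above the condition. The function body continues outside the hunk.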
+@@ -2224,6 +2228,7 @@ static int i40e_vc_get_vf_resources_msg(
+ vf->default_lan_addr.addr);
+ }
+ set_bit(I40E_VF_STATE_ACTIVE, &vf->vf_states);
++ set_bit(I40E_VF_STATE_RESOURCES_LOADED, &vf->vf_states);
+
+ err:
+ /* send the response back to the VF */
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h
+@@ -39,7 +39,8 @@ enum i40e_vf_states {
+ I40E_VF_STATE_MC_PROMISC,
+ I40E_VF_STATE_UC_PROMISC,
+ I40E_VF_STATE_PRE_ENABLE,
+- I40E_VF_STATE_RESETTING
++ I40E_VF_STATE_RESETTING,
++ I40E_VF_STATE_RESOURCES_LOADED,
+ };
+
+ /* VF capabilities */
--- /dev/null
+From stable+bounces-181925-greg=kroah.com@vger.kernel.org Mon Sep 29 16:26:11 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Sep 2025 10:25:16 -0400
+Subject: i40e: increase max descriptors for XL710
+To: stable@vger.kernel.org
+Cc: Justin Bronder <jsbronder@cold-front.org>, Jacob Keller <jacob.e.keller@intel.com>, Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com>, Tony Nguyen <anthony.l.nguyen@intel.com>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250929142517.86759-1-sashal@kernel.org>
+
+From: Justin Bronder <jsbronder@cold-front.org>
+
+[ Upstream commit aa6908ca3bd1e713fd6cd8d7193a008f060bf7d9 ]
+
+In Tables 8-12 and 8-22 in the X710/XXV710/XL710 datasheet, the QLEN
+description states that the maximum size of the descriptor queue is 8k
+minus 32, or 8160.
+
+Signed-off-by: Justin Bronder <jsbronder@cold-front.org>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Link: https://lore.kernel.org/r/20231113231047.548659-2-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 55d225670def ("i40e: add validation for ring_len param")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e.h | 1 +
+ drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 25 +++++++++++++++++++------
+ 2 files changed, 20 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e.h
++++ b/drivers/net/ethernet/intel/i40e/i40e.h
+@@ -50,6 +50,7 @@
+ #define I40E_MAX_VEB 16
+
+ #define I40E_MAX_NUM_DESCRIPTORS 4096
++#define I40E_MAX_NUM_DESCRIPTORS_XL710 8160
+ #define I40E_MAX_CSR_SPACE (4 * 1024 * 1024 - 64 * 1024)
+ #define I40E_DEFAULT_NUM_DESCRIPTORS 512
+ #define I40E_REQ_DESCRIPTOR_MULTIPLE 32
+--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+@@ -2012,6 +2012,18 @@ static void i40e_get_drvinfo(struct net_
+ drvinfo->n_priv_flags += I40E_GL_PRIV_FLAGS_STR_LEN;
+ }
+
++static u32 i40e_get_max_num_descriptors(struct i40e_pf *pf)
++{
++ struct i40e_hw *hw = &pf->hw;
++
++ switch (hw->mac.type) {
++ case I40E_MAC_XL710:
++ return I40E_MAX_NUM_DESCRIPTORS_XL710;
++ default:
++ return I40E_MAX_NUM_DESCRIPTORS;
++ }
++}
++
+ static void i40e_get_ringparam(struct net_device *netdev,
+ struct ethtool_ringparam *ring,
+ struct kernel_ethtool_ringparam *kernel_ring,
+@@ -2021,8 +2033,8 @@ static void i40e_get_ringparam(struct ne
+ struct i40e_pf *pf = np->vsi->back;
+ struct i40e_vsi *vsi = pf->vsi[pf->lan_vsi];
+
+- ring->rx_max_pending = I40E_MAX_NUM_DESCRIPTORS;
+- ring->tx_max_pending = I40E_MAX_NUM_DESCRIPTORS;
++ ring->rx_max_pending = i40e_get_max_num_descriptors(pf);
++ ring->tx_max_pending = i40e_get_max_num_descriptors(pf);
+ ring->rx_mini_max_pending = 0;
+ ring->rx_jumbo_max_pending = 0;
+ ring->rx_pending = vsi->rx_rings[0]->count;
+@@ -2047,12 +2059,12 @@ static int i40e_set_ringparam(struct net
+ struct kernel_ethtool_ringparam *kernel_ring,
+ struct netlink_ext_ack *extack)
+ {
++ u32 new_rx_count, new_tx_count, max_num_descriptors;
+ struct i40e_ring *tx_rings = NULL, *rx_rings = NULL;
+ struct i40e_netdev_priv *np = netdev_priv(netdev);
+ struct i40e_hw *hw = &np->vsi->back->hw;
+ struct i40e_vsi *vsi = np->vsi;
+ struct i40e_pf *pf = vsi->back;
+- u32 new_rx_count, new_tx_count;
+ u16 tx_alloc_queue_pairs;
+ int timeout = 50;
+ int i, err = 0;
+@@ -2060,14 +2072,15 @@ static int i40e_set_ringparam(struct net
+ if ((ring->rx_mini_pending) || (ring->rx_jumbo_pending))
+ return -EINVAL;
+
+- if (ring->tx_pending > I40E_MAX_NUM_DESCRIPTORS ||
++ max_num_descriptors = i40e_get_max_num_descriptors(pf);
++ if (ring->tx_pending > max_num_descriptors ||
+ ring->tx_pending < I40E_MIN_NUM_DESCRIPTORS ||
+- ring->rx_pending > I40E_MAX_NUM_DESCRIPTORS ||
++ ring->rx_pending > max_num_descriptors ||
+ ring->rx_pending < I40E_MIN_NUM_DESCRIPTORS) {
+ netdev_info(netdev,
+ "Descriptors requested (Tx: %d / Rx: %d) out of range [%d-%d]\n",
+ ring->tx_pending, ring->rx_pending,
+- I40E_MIN_NUM_DESCRIPTORS, I40E_MAX_NUM_DESCRIPTORS);
++ I40E_MIN_NUM_DESCRIPTORS, max_num_descriptors);
+ return -EINVAL;
+ }
+
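Review bot: `max_num_descriptors` is declared `u32` but is passed to the `%d` conversion in the `netdev_info()` range message. The argument used to be an integer macro constant, so the signedness mismatch is introduced by this change. Switching the last conversion to `%u` matches the type: `out of range [%d-%u]\n`. i40e_set_ringparam() continues outside the hunk.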
--- /dev/null
+From stable+bounces-181992-greg=kroah.com@vger.kernel.org Mon Sep 29 21:22:46 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Sep 2025 15:22:34 -0400
+Subject: kmsan: fix out-of-bounds access to shadow memory
+To: stable@vger.kernel.org
+Cc: Eric Biggers <ebiggers@kernel.org>, Alexander Potapenko <glider@google.com>, Dmitriy Vyukov <dvyukov@google.com>, Marco Elver <elver@google.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250929192234.298716-1-sashal@kernel.org>
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+[ Upstream commit 85e1ff61060a765d91ee62dc5606d4d547d9d105 ]
+
+Running sha224_kunit on a KMSAN-enabled kernel results in a crash in
+kmsan_internal_set_shadow_origin():
+
+ BUG: unable to handle page fault for address: ffffbc3840291000
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 1810067 P4D 1810067 PUD 192d067 PMD 3c17067 PTE 0
+ Oops: 0000 [#1] SMP NOPTI
+ CPU: 0 UID: 0 PID: 81 Comm: kunit_try_catch Tainted: G N 6.17.0-rc3 #10 PREEMPT(voluntary)
+ Tainted: [N]=TEST
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:kmsan_internal_set_shadow_origin+0x91/0x100
+ [...]
+ Call Trace:
+ <TASK>
+ __msan_memset+0xee/0x1a0
+ sha224_final+0x9e/0x350
+ test_hash_buffer_overruns+0x46f/0x5f0
+ ? kmsan_get_shadow_origin_ptr+0x46/0xa0
+ ? __pfx_test_hash_buffer_overruns+0x10/0x10
+ kunit_try_run_case+0x198/0xa00
+
+This occurs when memset() is called on a buffer that is not 4-byte aligned
+and extends to the end of a guard page, i.e. the next page is unmapped.
+
+The bug is that the loop at the end of kmsan_internal_set_shadow_origin()
+accesses the wrong shadow memory bytes when the address is not 4-byte
+aligned. Since each 4 bytes are associated with an origin, it rounds the
+address and size so that it can access all the origins that contain the
+buffer. However, when it checks the corresponding shadow bytes for a
+particular origin, it incorrectly uses the original unrounded shadow
+address. This results in reads from shadow memory beyond the end of the
+buffer's shadow memory, which crashes when that memory is not mapped.
+
+To fix this, correctly align the shadow address before accessing the 4
+shadow bytes corresponding to each origin.
+
+Link: https://lkml.kernel.org/r/20250911195858.394235-1-ebiggers@kernel.org
+Fixes: 2ef3cec44c60 ("kmsan: do not wipe out origin when doing partial unpoisoning")
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Tested-by: Alexander Potapenko <glider@google.com>
+Reviewed-by: Alexander Potapenko <glider@google.com>
+Cc: Dmitriy Vyukov <dvyukov@google.com>
+Cc: Marco Elver <elver@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+[ Adjust context in tests ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/kmsan/core.c | 10 +++++++---
+ mm/kmsan/kmsan_test.c | 16 ++++++++++++++++
+ 2 files changed, 23 insertions(+), 3 deletions(-)
+
+--- a/mm/kmsan/core.c
++++ b/mm/kmsan/core.c
+@@ -258,7 +258,8 @@ void kmsan_internal_set_shadow_origin(vo
+ u32 origin, bool checked)
+ {
+ u64 address = (u64)addr;
+- u32 *shadow_start, *origin_start;
++ void *shadow_start;
++ u32 *aligned_shadow, *origin_start;
+ size_t pad = 0;
+
+ KMSAN_WARN_ON(!kmsan_metadata_is_contiguous(addr, size));
+@@ -277,9 +278,12 @@ void kmsan_internal_set_shadow_origin(vo
+ }
+ __memset(shadow_start, b, size);
+
+- if (!IS_ALIGNED(address, KMSAN_ORIGIN_SIZE)) {
++ if (IS_ALIGNED(address, KMSAN_ORIGIN_SIZE)) {
++ aligned_shadow = shadow_start;
++ } else {
+ pad = address % KMSAN_ORIGIN_SIZE;
+ address -= pad;
++ aligned_shadow = shadow_start - pad;
+ size += pad;
+ }
+ size = ALIGN(size, KMSAN_ORIGIN_SIZE);
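Review bot: The line `aligned_shadow = shadow_start - pad;` carries the whole fix but has no comment, and it depends on `shadow_start` now being a `void *` so that the subtraction is in bytes rather than in `u32` units. A one-line comment would keep a later cleanup from reverting the type, for example `/* shadow is byte-for-byte with data: step back pad bytes to the shadow of the aligned address */`. The loop that reads `aligned_shadow[i]` is in the following hunk, and the function starts outside this one.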
+@@ -293,7 +297,7 @@ void kmsan_internal_set_shadow_origin(vo
+ * corresponding shadow slot is zero.
+ */
+ for (int i = 0; i < size / KMSAN_ORIGIN_SIZE; i++) {
+- if (origin || !shadow_start[i])
++ if (origin || !aligned_shadow[i])
+ origin_start[i] = origin;
+ }
+ }
+--- a/mm/kmsan/kmsan_test.c
++++ b/mm/kmsan/kmsan_test.c
+@@ -470,6 +470,21 @@ static void test_memcpy_aligned_to_unali
+ KUNIT_EXPECT_TRUE(test, report_matches(&expect));
+ }
+
++/* Test case: ensure that KMSAN does not access shadow memory out of bounds. */
++static void test_memset_on_guarded_buffer(struct kunit *test)
++{
++ void *buf = vmalloc(PAGE_SIZE);
++
++ kunit_info(test,
++ "memset() on ends of guarded buffer should not crash\n");
++
++ for (size_t size = 0; size <= 128; size++) {
++ memset(buf, 0xff, size);
++ memset(buf + PAGE_SIZE - size, 0xff, size);
++ }
++ vfree(buf);
++}
++
+ static noinline void fibonacci(int *array, int size, int start) {
+ if (start < 2 || (start == size))
+ return;
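Review bot: The result of `vmalloc(PAGE_SIZE)` in test_memset_on_guarded_buffer() is used without a NULL check, so an allocation failure would fault inside the first `memset()` and look like the very bug the test is meant to catch. Adding `KUNIT_ASSERT_NOT_ERR_OR_NULL(test, buf);` right after the allocation turns that into a clean test failure. The test has no expectation of its own and passes by not crashing, which the `kunit_info()` text already says.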
+@@ -515,6 +530,7 @@ static struct kunit_case kmsan_test_case
+ KUNIT_CASE(test_memcpy_aligned_to_aligned),
+ KUNIT_CASE(test_memcpy_aligned_to_unaligned),
+ KUNIT_CASE(test_memcpy_aligned_to_unaligned2),
++ KUNIT_CASE(test_memset_on_guarded_buffer),
+ KUNIT_CASE(test_long_origin_chain),
+ {},
+ };
minmax-avoid-overly-complicated-constant-expressions-in-vm-code.patch
minmax-simplify-and-clarify-min_t-max_t-implementation.patch
minmax-add-a-few-more-min_t-max_t-users.patch
+drm-ast-use-msleep-instead-of-mdelay-for-edid-read.patch
+i40e-fix-validation-of-vf-state-in-get-resources.patch
+i40e-fix-idx-validation-in-config-queues-msg.patch
+i40e-increase-max-descriptors-for-xl710.patch
+i40e-add-validation-for-ring_len-param.patch
+kmsan-fix-out-of-bounds-access-to-shadow-memory.patch