From: Greg Kroah-Hartman Date: Tue, 12 May 2026 13:29:29 +0000 (+0200) Subject: 6.18-stable patches X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=07bc940c2632158ddb010b221181fbfbe2c527be;p=thirdparty%2Fkernel%2Fstable-queue.git 6.18-stable patches added patches: arm64-signal-preserve-por_el0-if-poe_context-is-missing.patch fanotify-fix-false-positive-on-permission-events.patch kvm-arm64-fix-kvm_vcpu_initialized-macro-parameter.patch loongarch-fix-sym_sigfunc_start-definition-for-32bit.patch loongarch-kvm-compile-switch.s-directly-into-the-kernel.patch mm-hugetlb_cma-round-up-per_node-before-logging-it.patch mptcp-pm-add_addr-rtx-skip-inactive-subflows.patch mtd-spi-nor-debugfs-fix-out-of-bounds-read-in-spi_nor_params_show.patch net-rtnetlink-zero-ifla_vf_broadcast-to-avoid-stack-infoleak-in-rtnl_fill_vfinfo.patch perf-x86-intel-improve-validation-and-configuration-of-acr-masks.patch --- diff --git a/queue-6.18/arm64-signal-preserve-por_el0-if-poe_context-is-missing.patch b/queue-6.18/arm64-signal-preserve-por_el0-if-poe_context-is-missing.patch new file mode 100644 index 0000000000..03e1cedbea --- /dev/null +++ b/queue-6.18/arm64-signal-preserve-por_el0-if-poe_context-is-missing.patch @@ -0,0 +1,158 @@ +From 030e8a40fff65ca6ac1c04a4d3c08afe72438922 Mon Sep 17 00:00:00 2001 +From: Kevin Brodsky +Date: Mon, 27 Apr 2026 13:03:33 +0100 +Subject: arm64: signal: Preserve POR_EL0 if poe_context is missing + +From: Kevin Brodsky + +commit 030e8a40fff65ca6ac1c04a4d3c08afe72438922 upstream. + +Commit 2e8a1acea859 ("arm64: signal: Improve POR_EL0 handling to +avoid uaccess failures") delayed the write to POR_EL0 in +rt_sigreturn to avoid spurious uaccess failures. This change however +relies on the poe_context frame record being present: on a system +supporting POE, calling sigreturn without a poe_context record now +results in writing arbitrary data from the kernel stack into POR_EL0. + +Fix this by adding a __valid_fields member to struct +user_access_state, and zeroing the struct on allocation. +restore_poe_context() then indicates that the por_el0 field is valid +by setting the corresponding bit in __valid_fields, and +restore_user_access_state() only touches POR_EL0 if there is a valid +value to set it to. This is in line with how POR_EL0 was originally +handled; all frame records are currently optional, except +fpsimd_context. + +To ensure that __valid_fields is kept in sync, fields (currently +just por_el0) are now accessed via accessors and prefixed with __ to +discourage direct access. + +Fixes: 2e8a1acea859 ("arm64: signal: Improve POR_EL0 handling to avoid uaccess failures") +Cc: +Reported-by: Will Deacon +Signed-off-by: Kevin Brodsky +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/signal.c | 54 +++++++++++++++++++++++++++++++++++---------- + 1 file changed, 43 insertions(+), 11 deletions(-) + +--- a/arch/arm64/kernel/signal.c ++++ b/arch/arm64/kernel/signal.c +@@ -67,6 +67,9 @@ struct rt_sigframe_user_layout { + unsigned long end_offset; + }; + ++#define TERMINATOR_SIZE round_up(sizeof(struct _aarch64_ctx), 16) ++#define EXTRA_CONTEXT_SIZE round_up(sizeof(struct extra_context), 16) ++ + /* + * Holds any EL0-controlled state that influences unprivileged memory accesses. + * This includes both accesses done in userspace and uaccess done in the kernel. 
+@@ -74,13 +77,35 @@ struct rt_sigframe_user_layout { + * This state needs to be carefully managed to ensure that it doesn't cause + * uaccess to fail when setting up the signal frame, and the signal handler + * itself also expects a well-defined state when entered. ++ * ++ * The struct should be zero-initialised. Its members should only be accessed ++ * via the accessors below. __valid_fields tracks which of the fields are valid ++ * (have been set to some value). + */ + struct user_access_state { +- u64 por_el0; ++ unsigned int __valid_fields; ++ u64 __por_el0; + }; + +-#define TERMINATOR_SIZE round_up(sizeof(struct _aarch64_ctx), 16) +-#define EXTRA_CONTEXT_SIZE round_up(sizeof(struct extra_context), 16) ++#define UA_STATE_HAS_POR_EL0 BIT(0) ++ ++static void set_ua_state_por_el0(struct user_access_state *ua_state, ++ u64 por_el0) ++{ ++ ua_state->__por_el0 = por_el0; ++ ua_state->__valid_fields |= UA_STATE_HAS_POR_EL0; ++} ++ ++static int get_ua_state_por_el0(const struct user_access_state *ua_state, ++ u64 *por_el0) ++{ ++ if (ua_state->__valid_fields & UA_STATE_HAS_POR_EL0) { ++ *por_el0 = ua_state->__por_el0; ++ return 0; ++ } ++ ++ return -ENOENT; ++} + + /* + * Save the user access state into ua_state and reset it to disable any +@@ -94,7 +119,7 @@ static void save_reset_user_access_state + for (int pkey = 0; pkey < arch_max_pkey(); pkey++) + por_enable_all |= POR_ELx_PERM_PREP(pkey, POE_RWX); + +- ua_state->por_el0 = read_sysreg_s(SYS_POR_EL0); ++ set_ua_state_por_el0(ua_state, read_sysreg_s(SYS_POR_EL0)); + write_sysreg_s(por_enable_all, SYS_POR_EL0); + /* + * No ISB required as we can tolerate spurious Overlay faults - +@@ -122,8 +147,10 @@ static void set_handler_user_access_stat + */ + static void restore_user_access_state(const struct user_access_state *ua_state) + { +- if (system_supports_poe()) +- write_sysreg_s(ua_state->por_el0, SYS_POR_EL0); ++ u64 por_el0; ++ ++ if (get_ua_state_por_el0(ua_state, &por_el0) == 0) ++ write_sysreg_s(por_el0, SYS_POR_EL0); + } + + static void init_user_layout(struct rt_sigframe_user_layout *user) +@@ -333,11 +360,16 @@ static int restore_fpmr_context(struct u + static int preserve_poe_context(struct poe_context __user *ctx, + const struct user_access_state *ua_state) + { +- int err = 0; ++ int err; ++ u64 por_el0; ++ ++ err = get_ua_state_por_el0(ua_state, &por_el0); ++ if (WARN_ON_ONCE(err)) ++ return err; + + __put_user_error(POE_MAGIC, &ctx->head.magic, err); + __put_user_error(sizeof(*ctx), &ctx->head.size, err); +- __put_user_error(ua_state->por_el0, &ctx->por_el0, err); ++ __put_user_error(por_el0, &ctx->por_el0, err); + + return err; + } +@@ -353,7 +385,7 @@ static int restore_poe_context(struct us + + __get_user_error(por_el0, &(user->poe->por_el0), err); + if (!err) +- ua_state->por_el0 = por_el0; ++ set_ua_state_por_el0(ua_state, por_el0); + + return err; + } +@@ -1095,7 +1127,7 @@ SYSCALL_DEFINE0(rt_sigreturn) + { + struct pt_regs *regs = current_pt_regs(); + struct rt_sigframe __user *frame; +- struct user_access_state ua_state; ++ struct user_access_state ua_state = {}; + + /* Always make any pending restarted system calls return -EINTR */ + current->restart_block.fn = do_no_restart_syscall; +@@ -1507,7 +1539,7 @@ static int setup_rt_frame(int usig, stru + { + struct rt_sigframe_user_layout user; + struct rt_sigframe __user *frame; +- struct user_access_state ua_state; ++ struct user_access_state ua_state = {}; + int err = 0; + + fpsimd_save_and_flush_current_state(); diff --git 
a/queue-6.18/fanotify-fix-false-positive-on-permission-events.patch b/queue-6.18/fanotify-fix-false-positive-on-permission-events.patch new file mode 100644 index 0000000000..0e383d57cf --- /dev/null +++ b/queue-6.18/fanotify-fix-false-positive-on-permission-events.patch @@ -0,0 +1,86 @@ +From 7746e3bd4cc19b5092e00d32d676e329bfcb6900 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Fri, 10 Apr 2026 16:49:47 +0200 +Subject: fanotify: fix false positive on permission events + +From: Miklos Szeredi + +commit 7746e3bd4cc19b5092e00d32d676e329bfcb6900 upstream. + +fsnotify_get_mark_safe() may return false for a mark on an unrelated group, +which results in bypassing the permission check. + +Fix by skipping over detached marks that are not in the current group. + +CC: stable@vger.kernel.org +Fixes: abc77577a669 ("fsnotify: Provide framework for dropping SRCU lock in ->handle_event") +Signed-off-by: Miklos Szeredi +Link: https://patch.msgid.link/20260410144950.156160-1-mszeredi@redhat.com +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/notify/fsnotify.c | 2 +- + fs/notify/mark.c | 18 +++++++++++------- + include/linux/fsnotify_backend.h | 1 + + 3 files changed, 13 insertions(+), 8 deletions(-) + +--- a/fs/notify/fsnotify.c ++++ b/fs/notify/fsnotify.c +@@ -444,7 +444,7 @@ static struct fsnotify_mark *fsnotify_fi + return hlist_entry_safe(node, struct fsnotify_mark, obj_list); + } + +-static struct fsnotify_mark *fsnotify_next_mark(struct fsnotify_mark *mark) ++struct fsnotify_mark *fsnotify_next_mark(struct fsnotify_mark *mark) + { + struct hlist_node *node = NULL; + +--- a/fs/notify/mark.c ++++ b/fs/notify/mark.c +@@ -453,9 +453,6 @@ EXPORT_SYMBOL_GPL(fsnotify_put_mark); + */ + static bool fsnotify_get_mark_safe(struct fsnotify_mark *mark) + { +- if (!mark) +- return true; +- + if (refcount_inc_not_zero(&mark->refcnt)) { + spin_lock(&mark->lock); + if (mark->flags & FSNOTIFY_MARK_FLAG_ATTACHED) { +@@ -496,15 +493,22 @@ bool fsnotify_prepare_user_wait(struct f + int type; + + fsnotify_foreach_iter_type(type) { ++ struct fsnotify_mark *mark = iter_info->marks[type]; ++ + /* This can fail if mark is being removed */ +- if (!fsnotify_get_mark_safe(iter_info->marks[type])) { +- __release(&fsnotify_mark_srcu); +- goto fail; ++ while (mark && !fsnotify_get_mark_safe(mark)) { ++ if (mark->group == iter_info->current_group) { ++ __release(&fsnotify_mark_srcu); ++ goto fail; ++ } ++ /* This is a mark in an unrelated group, skip */ ++ mark = fsnotify_next_mark(mark); ++ iter_info->marks[type] = mark; + } + } + + /* +- * Now that both marks are pinned by refcount in the inode / vfsmount ++ * Now that all marks are pinned by refcount in the inode / vfsmount / etc + * lists, we can drop SRCU lock, and safely resume the list iteration + * once userspace returns. 
+	 */
+--- a/include/linux/fsnotify_backend.h
++++ b/include/linux/fsnotify_backend.h
+@@ -912,6 +912,7 @@ extern void fsnotify_clear_marks_by_grou
+ 					       unsigned int obj_type);
+ extern void fsnotify_get_mark(struct fsnotify_mark *mark);
+ extern void fsnotify_put_mark(struct fsnotify_mark *mark);
++struct fsnotify_mark *fsnotify_next_mark(struct fsnotify_mark *mark);
+ extern void fsnotify_finish_user_wait(struct fsnotify_iter_info *iter_info);
+ extern bool fsnotify_prepare_user_wait(struct fsnotify_iter_info *iter_info);
+ 
diff --git a/queue-6.18/kvm-arm64-fix-kvm_vcpu_initialized-macro-parameter.patch b/queue-6.18/kvm-arm64-fix-kvm_vcpu_initialized-macro-parameter.patch
new file mode 100644
index 0000000000..fdcb4e2bbc
--- /dev/null
+++ b/queue-6.18/kvm-arm64-fix-kvm_vcpu_initialized-macro-parameter.patch
@@ -0,0 +1,36 @@
+From d89fdda7dd8a488f922e1175e6782f781ba8a23b Mon Sep 17 00:00:00 2001
+From: Fuad Tabba
+Date: Fri, 24 Apr 2026 09:49:06 +0100
+Subject: KVM: arm64: Fix kvm_vcpu_initialized() macro parameter
+
+From: Fuad Tabba
+
+commit d89fdda7dd8a488f922e1175e6782f781ba8a23b upstream.
+
+The macro is defined with parameter 'v' but the body references the
+literal token 'vcpu' instead, causing it to silently operate on whatever
+'vcpu' resolves to in the caller's scope rather than the value passed by
+the caller. All current call sites happen to use a variable named 'vcpu',
+so the bug is latent.
+
+Fixes: e016333745c7 ("KVM: arm64: Only reset vCPU-scoped feature ID regs once")
+Signed-off-by: Fuad Tabba
+Link: https://patch.msgid.link/20260424084908.370776-5-tabba@google.com
+Signed-off-by: Marc Zyngier
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/include/asm/kvm_host.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/include/asm/kvm_host.h
++++ b/arch/arm64/include/asm/kvm_host.h
+@@ -1476,7 +1476,7 @@ static inline bool __vcpu_has_feature(co
+ #define kvm_vcpu_has_feature(k, f)	__vcpu_has_feature(&(k)->arch, (f))
+ #define vcpu_has_feature(v, f)	__vcpu_has_feature(&(v)->kvm->arch, (f))
+ 
+-#define kvm_vcpu_initialized(v) vcpu_get_flag(vcpu, VCPU_INITIALIZED)
++#define kvm_vcpu_initialized(v) vcpu_get_flag(v, VCPU_INITIALIZED)
+ 
+ int kvm_trng_call(struct kvm_vcpu *vcpu);
+ #ifdef CONFIG_KVM
diff --git a/queue-6.18/loongarch-fix-sym_sigfunc_start-definition-for-32bit.patch b/queue-6.18/loongarch-fix-sym_sigfunc_start-definition-for-32bit.patch
new file mode 100644
index 0000000000..992f63daff
--- /dev/null
+++ b/queue-6.18/loongarch-fix-sym_sigfunc_start-definition-for-32bit.patch
@@ -0,0 +1,33 @@
+From 98b8aebb14fdc0133939fd8fe07d0d98333dc976 Mon Sep 17 00:00:00 2001
+From: Huacai Chen
+Date: Mon, 4 May 2026 09:00:01 +0800
+Subject: LoongArch: Fix SYM_SIGFUNC_START definition for 32BIT
+
+From: Huacai Chen
+
+commit 98b8aebb14fdc0133939fd8fe07d0d98333dc976 upstream.
+
+The SYM_SIGFUNC_START definition should match struct sigcontext, in
+which the GPR save slots are 8 bytes wide for both 32BIT and 64BIT. So
+replace SZREG with 8 to fix it.
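+
+For reference, a simplified sketch of the layout in question (only the
+leading fields of the LoongArch uapi struct sigcontext are shown):
+
+	struct sigcontext {
+		__u64	sc_pc;
+		__u64	sc_regs[32];	/* 8-byte slots on 32BIT and 64BIT */
+		__u32	sc_flags;
+		...
+	};
+
+The CFI offset of GPR \num is therefore SC_REGS + \num * 8, whereas
+SZREG (the native register width, 4 on 32BIT) would point the unwinder
+at the wrong slots.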
+
+Cc: stable@vger.kernel.org
+Fixes: e4878c37f6679fde ("LoongArch: vDSO: Emit GNU_EH_FRAME correctly")
+Suggested-by: Xi Ruoyao
+Signed-off-by: Huacai Chen
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/loongarch/include/asm/linkage.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/loongarch/include/asm/linkage.h
++++ b/arch/loongarch/include/asm/linkage.h
+@@ -69,7 +69,7 @@
+ 	    9, 10, 11, 12, 13, 14, 15, 16, \
+ 	    17, 18, 19, 20, 21, 22, 23, 24, \
+ 	    25, 26, 27, 28, 29, 30, 31;	\
+-		.cfi_offset \num, SC_REGS + \num * SZREG;	\
++		.cfi_offset \num, SC_REGS + \num * 8;	\
+ 	.endr;	\
+ 	\
+ 	nop;	\
diff --git a/queue-6.18/loongarch-kvm-compile-switch.s-directly-into-the-kernel.patch b/queue-6.18/loongarch-kvm-compile-switch.s-directly-into-the-kernel.patch
new file mode 100644
index 0000000000..40fc477028
--- /dev/null
+++ b/queue-6.18/loongarch-kvm-compile-switch.s-directly-into-the-kernel.patch
@@ -0,0 +1,264 @@
+From 5203012fa6045aac4b69d4e7c212e16dcf38ef10 Mon Sep 17 00:00:00 2001
+From: Xianglai Li
+Date: Mon, 4 May 2026 09:00:37 +0800
+Subject: LoongArch: KVM: Compile switch.S directly into the kernel
+
+From: Xianglai Li
+
+commit 5203012fa6045aac4b69d4e7c212e16dcf38ef10 upstream.
+
+If we compile the switch.S file directly into the kernel, the address of
+the kvm_exc_entry function will definitely be within the DMW memory area.
+Therefore, we no longer need to perform a copy relocation of
+kvm_exc_entry.
+
+So this patch compiles switch.S directly into the kernel, and then
+removes the copy relocation logic for the kvm_exc_entry function.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Xianglai Li
+Signed-off-by: Huacai Chen
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/loongarch/Kbuild                       |    2 -
+ arch/loongarch/include/asm/asm-prototypes.h |   20 ++++++++++++++++
+ arch/loongarch/include/asm/kvm_host.h       |    3 --
+ arch/loongarch/kvm/Makefile                 |    3 +-
+ arch/loongarch/kvm/main.c                   |   35 ++--------------------------
+ arch/loongarch/kvm/switch.S                 |   20 ++++++++++++----
+ 6 files changed, 41 insertions(+), 42 deletions(-)
+
+--- a/arch/loongarch/Kbuild
++++ b/arch/loongarch/Kbuild
+@@ -3,7 +3,7 @@ obj-y += mm/
+ obj-y += net/
+ obj-y += vdso/
+ 
+-obj-$(CONFIG_KVM) += kvm/
++obj-$(subst m,y,$(CONFIG_KVM)) += kvm/
+ 
+ # for cleaning
+ subdir- += boot
+--- a/arch/loongarch/include/asm/asm-prototypes.h
++++ b/arch/loongarch/include/asm/asm-prototypes.h
+@@ -20,3 +20,23 @@ asmlinkage void noinstr __no_stack_prote
+ 						  struct pt_regs *regs,
+ 						  int (*fn)(void *),
+ 						  void *fn_arg);
++
++struct kvm_run;
++struct kvm_vcpu;
++struct loongarch_fpu;
++
++void kvm_exc_entry(void);
++int kvm_enter_guest(struct kvm_run *run, struct kvm_vcpu *vcpu);
++
++void kvm_save_fpu(struct loongarch_fpu *fpu);
++void kvm_restore_fpu(struct loongarch_fpu *fpu);
++
++#ifdef CONFIG_CPU_HAS_LSX
++void kvm_save_lsx(struct loongarch_fpu *fpu);
++void kvm_restore_lsx(struct loongarch_fpu *fpu);
++#endif
++
++#ifdef CONFIG_CPU_HAS_LASX
++void kvm_save_lasx(struct loongarch_fpu *fpu);
++void kvm_restore_lasx(struct loongarch_fpu *fpu);
++#endif
+--- a/arch/loongarch/include/asm/kvm_host.h
++++ b/arch/loongarch/include/asm/kvm_host.h
+@@ -85,7 +85,6 @@ struct kvm_context {
+ struct kvm_world_switch {
+ 	int (*exc_entry)(void);
+ 	int (*enter_guest)(struct kvm_run *run, struct kvm_vcpu *vcpu);
+-	unsigned long page_order;
+ };
+ 
+ #define MAX_PGTABLE_LEVELS	4
+@@ -339,8 +338,6 @@ void kvm_exc_entry(void);
+ int kvm_enter_guest(struct kvm_run *run, struct kvm_vcpu *vcpu);
+ 
+ extern unsigned long vpid_mask;
+-extern
const unsigned long kvm_exception_size; +-extern const unsigned long kvm_enter_guest_size; + extern struct kvm_world_switch *kvm_loongarch_ops; + + #define SW_GCSR (1 << 0) +--- a/arch/loongarch/kvm/Makefile ++++ b/arch/loongarch/kvm/Makefile +@@ -7,11 +7,12 @@ include $(srctree)/virt/kvm/Makefile.kvm + + obj-$(CONFIG_KVM) += kvm.o + ++obj-y += switch.o ++ + kvm-y += exit.o + kvm-y += interrupt.o + kvm-y += main.o + kvm-y += mmu.o +-kvm-y += switch.o + kvm-y += timer.o + kvm-y += tlb.o + kvm-y += vcpu.o +--- a/arch/loongarch/kvm/main.c ++++ b/arch/loongarch/kvm/main.c +@@ -340,8 +340,7 @@ void kvm_arch_disable_virtualization_cpu + + static int kvm_loongarch_env_init(void) + { +- int cpu, order, ret; +- void *addr; ++ int cpu, ret; + struct kvm_context *context; + + vmcs = alloc_percpu(struct kvm_context); +@@ -357,30 +356,8 @@ static int kvm_loongarch_env_init(void) + return -ENOMEM; + } + +- /* +- * PGD register is shared between root kernel and kvm hypervisor. +- * So world switch entry should be in DMW area rather than TLB area +- * to avoid page fault reenter. +- * +- * In future if hardware pagetable walking is supported, we won't +- * need to copy world switch code to DMW area. +- */ +- order = get_order(kvm_exception_size + kvm_enter_guest_size); +- addr = (void *)__get_free_pages(GFP_KERNEL, order); +- if (!addr) { +- free_percpu(vmcs); +- vmcs = NULL; +- kfree(kvm_loongarch_ops); +- kvm_loongarch_ops = NULL; +- return -ENOMEM; +- } +- +- memcpy(addr, kvm_exc_entry, kvm_exception_size); +- memcpy(addr + kvm_exception_size, kvm_enter_guest, kvm_enter_guest_size); +- flush_icache_range((unsigned long)addr, (unsigned long)addr + kvm_exception_size + kvm_enter_guest_size); +- kvm_loongarch_ops->exc_entry = addr; +- kvm_loongarch_ops->enter_guest = addr + kvm_exception_size; +- kvm_loongarch_ops->page_order = order; ++ kvm_loongarch_ops->exc_entry = (void *)kvm_exc_entry; ++ kvm_loongarch_ops->enter_guest = (void *)kvm_enter_guest; + + vpid_mask = read_csr_gstat(); + vpid_mask = (vpid_mask & CSR_GSTAT_GIDBIT) >> CSR_GSTAT_GIDBIT_SHIFT; +@@ -414,16 +391,10 @@ static int kvm_loongarch_env_init(void) + + static void kvm_loongarch_env_exit(void) + { +- unsigned long addr; +- + if (vmcs) + free_percpu(vmcs); + + if (kvm_loongarch_ops) { +- if (kvm_loongarch_ops->exc_entry) { +- addr = (unsigned long)kvm_loongarch_ops->exc_entry; +- free_pages(addr, kvm_loongarch_ops->page_order); +- } + kfree(kvm_loongarch_ops); + } + +--- a/arch/loongarch/kvm/switch.S ++++ b/arch/loongarch/kvm/switch.S +@@ -4,9 +4,11 @@ + */ + + #include ++#include + #include + #include + #include ++#include + #include + #include + +@@ -100,8 +102,13 @@ + * - is still in guest mode, such as pgd table/vmid registers etc, + * - will fix with hw page walk enabled in future + * load kvm_vcpu from reserved CSR KVM_VCPU_KS, and save a2 to KVM_TEMP_KS ++ * ++ * PGD register is shared between root kernel and kvm hypervisor. ++ * So world switch entry should be in DMW area rather than TLB area ++ * to avoid page fault re-enter. 
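++ * (A DMW, or Direct Mapped Window, translates a fixed virtual range
++ * without any TLB lookup, so code running from it can never itself
++ * trigger a TLB refill exception.)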
+  */
+ 	.text
++	.p2align PAGE_SHIFT
+ 	.cfi_sections .debug_frame
+ SYM_CODE_START(kvm_exc_entry)
+ 	UNWIND_HINT_UNDEFINED
+@@ -190,8 +197,8 @@ ret_to_host:
+ 	kvm_restore_host_gpr	a2
+ 	jr			ra
+ 
+-SYM_INNER_LABEL(kvm_exc_entry_end, SYM_L_LOCAL)
+ SYM_CODE_END(kvm_exc_entry)
++EXPORT_SYMBOL_FOR_KVM(kvm_exc_entry)
+ 
+ /*
+  * int kvm_enter_guest(struct kvm_run *run, struct kvm_vcpu *vcpu)
+@@ -215,8 +222,8 @@ SYM_FUNC_START(kvm_enter_guest)
+ 	/* Save kvm_vcpu to kscratch */
+ 	csrwr	a1, KVM_VCPU_KS
+ 	kvm_switch_to_guest
+-SYM_INNER_LABEL(kvm_enter_guest_end, SYM_L_LOCAL)
+ SYM_FUNC_END(kvm_enter_guest)
++EXPORT_SYMBOL_FOR_KVM(kvm_enter_guest)
+ 
+ SYM_FUNC_START(kvm_save_fpu)
+ 	fpu_save_csr	a0 t1
+@@ -224,6 +231,7 @@ SYM_FUNC_START(kvm_save_fpu)
+ 	fpu_save_cc	a0 t1 t2
+ 	jr		ra
+ SYM_FUNC_END(kvm_save_fpu)
++EXPORT_SYMBOL_FOR_KVM(kvm_save_fpu)
+ 
+ SYM_FUNC_START(kvm_restore_fpu)
+ 	fpu_restore_double a0 t1
+@@ -231,6 +239,7 @@ SYM_FUNC_START(kvm_restore_fpu)
+ 	fpu_restore_cc	a0 t1 t2
+ 	jr		ra
+ SYM_FUNC_END(kvm_restore_fpu)
++EXPORT_SYMBOL_FOR_KVM(kvm_restore_fpu)
+ 
+ #ifdef CONFIG_CPU_HAS_LSX
+ SYM_FUNC_START(kvm_save_lsx)
+@@ -239,6 +248,7 @@ SYM_FUNC_START(kvm_save_lsx)
+ 	lsx_save_data	a0 t1
+ 	jr		ra
+ SYM_FUNC_END(kvm_save_lsx)
++EXPORT_SYMBOL_FOR_KVM(kvm_save_lsx)
+ 
+ SYM_FUNC_START(kvm_restore_lsx)
+ 	lsx_restore_data	a0 t1
+@@ -246,6 +256,7 @@ SYM_FUNC_START(kvm_restore_lsx)
+ 	fpu_restore_csr	a0 t1 t2
+ 	jr		ra
+ SYM_FUNC_END(kvm_restore_lsx)
++EXPORT_SYMBOL_FOR_KVM(kvm_restore_lsx)
+ #endif
+ 
+ #ifdef CONFIG_CPU_HAS_LASX
+@@ -255,6 +266,7 @@ SYM_FUNC_START(kvm_save_lasx)
+ 	lasx_save_data	a0 t1
+ 	jr		ra
+ SYM_FUNC_END(kvm_save_lasx)
++EXPORT_SYMBOL_FOR_KVM(kvm_save_lasx)
+ 
+ SYM_FUNC_START(kvm_restore_lasx)
+ 	lasx_restore_data	a0 t1
+@@ -262,10 +274,8 @@ SYM_FUNC_START(kvm_restore_lasx)
+ 	fpu_restore_csr	a0 t1 t2
+ 	jr		ra
+ SYM_FUNC_END(kvm_restore_lasx)
++EXPORT_SYMBOL_FOR_KVM(kvm_restore_lasx)
+ #endif
+-	.section ".rodata"
+-SYM_DATA(kvm_exception_size, .quad kvm_exc_entry_end - kvm_exc_entry)
+-SYM_DATA(kvm_enter_guest_size, .quad kvm_enter_guest_end - kvm_enter_guest)
+ 
+ #ifdef CONFIG_CPU_HAS_LBT
+ STACK_FRAME_NON_STANDARD kvm_restore_fpu
diff --git a/queue-6.18/mm-hugetlb_cma-round-up-per_node-before-logging-it.patch b/queue-6.18/mm-hugetlb_cma-round-up-per_node-before-logging-it.patch
new file mode 100644
index 0000000000..b5449a4c88
--- /dev/null
+++ b/queue-6.18/mm-hugetlb_cma-round-up-per_node-before-logging-it.patch
@@ -0,0 +1,74 @@
+From 8f5ce56b76303c55b78a87af996e2e0f8535f979 Mon Sep 17 00:00:00 2001
+From: Sang-Heon Jeon
+Date: Wed, 22 Apr 2026 23:33:53 +0900
+Subject: mm/hugetlb_cma: round up per_node before logging it
+
+From: Sang-Heon Jeon
+
+commit 8f5ce56b76303c55b78a87af996e2e0f8535f979 upstream.
+
+When the user requests a total hugetlb CMA size without per-node
+specification, hugetlb_cma_reserve() computes per_node from
+hugetlb_cma_size and the number of nodes that have memory
+
+  per_node = DIV_ROUND_UP(hugetlb_cma_size,
+                          nodes_weight(hugetlb_bootmem_nodes));
+
+The reservation loop later computes
+
+  size = round_up(min(per_node, hugetlb_cma_size - reserved),
+                  PAGE_SIZE << order);
+
+So the per-node size actually reserved is a multiple of (PAGE_SIZE <<
+order), but the logged per_node is not rounded up, so it may be smaller
+than the actual reserved size.
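+
+In shorthand (names condensed), with a gigantic page size of
+(PAGE_SIZE << order):
+
+  logged   = DIV_ROUND_UP(total, nr_nodes);
+  reserved = round_up(min(logged, remaining), PAGE_SIZE << order);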
+
+For example, as the existing comment describes, if a 3 GB area is
+requested on a machine with 4 NUMA nodes that have memory, 1 GB is
+allocated on the first three nodes, but the printed log is
+
+  hugetlb_cma: reserve 3072 MiB, up to 768 MiB per node
+
+Round per_node up to (PAGE_SIZE << order) before logging so that the
+printed log always matches the actual reserved size. No functional change
+to the actual reservation size, as the following case analysis shows:
+
+1. remaining (hugetlb_cma_size - reserved) >= rounded per_node
+   - AS-IS: min() picks unrounded per_node;
+     round_up() returns rounded per_node
+   - TO-BE: min() picks rounded per_node;
+     round_up() returns rounded per_node (no-op)
+2. remaining < unrounded per_node
+   - AS-IS: min() picks remaining;
+     round_up() returns round_up(remaining)
+   - TO-BE: min() picks remaining;
+     round_up() returns round_up(remaining)
+3. unrounded per_node <= remaining < rounded per_node
+   - AS-IS: min() picks unrounded per_node;
+     round_up() returns rounded per_node
+   - TO-BE: min() picks remaining;
+     round_up() returns round_up(remaining), which equals rounded per_node
+
+Link: https://lore.kernel.org/20260422143353.852257-1-ekffu200098@gmail.com
+Fixes: cf11e85fc08c ("mm: hugetlb: optionally allocate gigantic hugepages using cma") # 5.7
+Signed-off-by: Sang-Heon Jeon
+Reviewed-by: Muchun Song
+Cc: David Hildenbrand
+Cc: Oscar Salvador
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/hugetlb_cma.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/hugetlb_cma.c
++++ b/mm/hugetlb_cma.c
+@@ -193,6 +193,7 @@ void __init hugetlb_cma_reserve(int orde
+ 	 */
+ 	per_node = DIV_ROUND_UP(hugetlb_cma_size,
+ 				nodes_weight(hugetlb_bootmem_nodes));
++	per_node = round_up(per_node, PAGE_SIZE << order);
+ 	pr_info("hugetlb_cma: reserve %lu MiB, up to %lu MiB per node\n",
+ 		hugetlb_cma_size / SZ_1M, per_node / SZ_1M);
+ }
diff --git a/queue-6.18/mptcp-pm-add_addr-rtx-skip-inactive-subflows.patch b/queue-6.18/mptcp-pm-add_addr-rtx-skip-inactive-subflows.patch
new file mode 100644
index 0000000000..ae7516117c
--- /dev/null
+++ b/queue-6.18/mptcp-pm-add_addr-rtx-skip-inactive-subflows.patch
@@ -0,0 +1,64 @@
+From c6d395e2de1306b5fef0344a3c3835fbbfaa18be Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)"
+Date: Tue, 5 May 2026 17:00:55 +0200
+Subject: mptcp: pm: ADD_ADDR rtx: skip inactive subflows
+
+From: Matthieu Baerts (NGI0)
+
+commit c6d395e2de1306b5fef0344a3c3835fbbfaa18be upstream.
+
+When looking at the maximum RTO amongst the subflows, inactive subflows
+were taken into account: that includes stale ones, and the initial one
+if it has already been closed.
+
+Unusable subflows are now simply skipped. Stale ones are only used as an
+alternative: if there are only stale ones, their maximum RTO is taken
+instead, to avoid eventually falling back to net.mptcp.add_addr_timeout,
+which is set to 2 minutes by default.
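+
+In shorthand, the retransmission timeout is now chosen as (sketch
+mirroring the hunk below):
+
+	if (max)		/* an active, non-stale subflow exists */
+		return min(max, rto);
+	if (max_stale)		/* only stale subflows are left */
+		return min(max_stale, rto);
+	return rto;		/* no usable subflow: keep the sysctl value */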
+ +Fixes: 30549eebc4d8 ("mptcp: make ADD_ADDR retransmission timeout adaptive") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260505-net-mptcp-pm-fixes-7-1-rc3-v1-7-fca8091060a4@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +--- a/net/mptcp/pm.c ++++ b/net/mptcp/pm.c +@@ -305,18 +305,28 @@ static unsigned int mptcp_adjust_add_add + const struct net *net = sock_net((struct sock *)msk); + unsigned int rto = mptcp_get_add_addr_timeout(net); + struct mptcp_subflow_context *subflow; +- unsigned int max = 0; ++ unsigned int max = 0, max_stale = 0; + + mptcp_for_each_subflow(msk, subflow) { + struct sock *ssk = mptcp_subflow_tcp_sock(subflow); + struct inet_connection_sock *icsk = inet_csk(ssk); + +- if (icsk->icsk_rto > max) ++ if (!__mptcp_subflow_active(subflow)) ++ continue; ++ ++ if (unlikely(subflow->stale)) { ++ if (icsk->icsk_rto > max_stale) ++ max_stale = icsk->icsk_rto; ++ } else if (icsk->icsk_rto > max) { + max = icsk->icsk_rto; ++ } + } + +- if (max && max < rto) +- rto = max; ++ if (max) ++ return min(max, rto); ++ ++ if (max_stale) ++ return min(max_stale, rto); + + return rto; + } diff --git a/queue-6.18/mtd-spi-nor-debugfs-fix-out-of-bounds-read-in-spi_nor_params_show.patch b/queue-6.18/mtd-spi-nor-debugfs-fix-out-of-bounds-read-in-spi_nor_params_show.patch new file mode 100644 index 0000000000..600b0eedbf --- /dev/null +++ b/queue-6.18/mtd-spi-nor-debugfs-fix-out-of-bounds-read-in-spi_nor_params_show.patch @@ -0,0 +1,60 @@ +From e47029b977e747cb3a9174308fd55762cce70147 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Fri, 17 Apr 2026 15:24:39 +0000 +Subject: mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() + +From: Tudor Ambarus + +commit e47029b977e747cb3a9174308fd55762cce70147 upstream. + +Sashiko noticed an out-of-bounds read [1]. + +In spi_nor_params_show(), the snor_f_names array is passed to +spi_nor_print_flags() using sizeof(snor_f_names). + +Since snor_f_names is an array of pointers, sizeof() returns the total +number of bytes occupied by the pointers + (element_count * sizeof(void *)) +rather than the element count itself. On 64-bit systems, this makes the +passed length 8x larger than intended. + +Inside spi_nor_print_flags(), the 'names_len' argument is used to +bounds-check the 'names' array access. An out-of-bounds read occurs +if a flag bit is set that exceeds the array's actual element count +but is within the inflated byte-size count. + +Correct this by using ARRAY_SIZE() to pass the actual number of +string pointers in the array. 
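+
+The difference in miniature (illustrative values, assuming 8-byte
+pointers):
+
+	static const char * const snor_f_names[] = { /* N strings */ };
+
+	sizeof(snor_f_names)		/* N * 8: total bytes, 8x too large */
+	ARRAY_SIZE(snor_f_names)	/* N: the intended element count */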
+ +Cc: stable@vger.kernel.org +Fixes: 0257be79fc4a ("mtd: spi-nor: expose internal parameters via debugfs") +Closes: https://sashiko.dev/#/patchset/20260417-die-erase-fix-v2-1-73bb7004ebad%40infineon.com [1] +Signed-off-by: Tudor Ambarus +Reviewed-by: Takahiro Kuwano +Reviewed-by: Michael Walle +Reviewed-by: Pratyush Yadav +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/debugfs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/spi-nor/debugfs.c ++++ b/drivers/mtd/spi-nor/debugfs.c +@@ -1,5 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0 + ++#include + #include + #include + #include +@@ -92,7 +93,8 @@ static int spi_nor_params_show(struct se + seq_printf(s, "address nbytes\t%u\n", nor->addr_nbytes); + + seq_puts(s, "flags\t\t"); +- spi_nor_print_flags(s, nor->flags, snor_f_names, sizeof(snor_f_names)); ++ spi_nor_print_flags(s, nor->flags, snor_f_names, ++ ARRAY_SIZE(snor_f_names)); + seq_puts(s, "\n"); + + seq_puts(s, "\nopcodes\n"); diff --git a/queue-6.18/net-rtnetlink-zero-ifla_vf_broadcast-to-avoid-stack-infoleak-in-rtnl_fill_vfinfo.patch b/queue-6.18/net-rtnetlink-zero-ifla_vf_broadcast-to-avoid-stack-infoleak-in-rtnl_fill_vfinfo.patch new file mode 100644 index 0000000000..2b61ab8735 --- /dev/null +++ b/queue-6.18/net-rtnetlink-zero-ifla_vf_broadcast-to-avoid-stack-infoleak-in-rtnl_fill_vfinfo.patch @@ -0,0 +1,74 @@ +From 4b9e327991815e128ad3af75c3a04630a63ce3e0 Mon Sep 17 00:00:00 2001 +From: Kai Zen +Date: Thu, 30 Apr 2026 18:26:48 +0300 +Subject: net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo + +From: Kai Zen + +commit 4b9e327991815e128ad3af75c3a04630a63ce3e0 upstream. + +rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack +without initialisation: + + struct ifla_vf_broadcast vf_broadcast; + +The struct contains a single fixed 32-byte field: + + /* include/uapi/linux/if_link.h */ + struct ifla_vf_broadcast { + __u8 broadcast[32]; + }; + +The function then copies dev->broadcast into it using dev->addr_len +as the length: + + memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len); + +On Ethernet devices (the overwhelming majority of SR-IOV NICs) +dev->addr_len is 6, so only the first 6 bytes of broadcast[] are +written. The remaining 26 bytes retain whatever was previously on +the kernel stack. The full struct is then handed to userspace via: + + nla_put(skb, IFLA_VF_BROADCAST, + sizeof(vf_broadcast), &vf_broadcast) + +leaking up to 26 bytes of uninitialised kernel stack per VF per +RTM_GETLINK request, repeatable. + +The other vf_* structs in the same function are explicitly zeroed +for exactly this reason - see the memset() calls for ivi, +vf_vlan_info, node_guid and port_guid a few lines above. +vf_broadcast was simply missed when it was added. + +Reachability: any unprivileged local process can open AF_NETLINK / +NETLINK_ROUTE without capabilities and send RTM_GETLINK with an +IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks +each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per +VF per request. Stack residue at this call site can include return +addresses and transient sensitive data; KASAN with stack +instrumentation, or KMSAN, will flag the nla_put() when reproduced. + +Zero the on-stack struct before the partial memcpy, matching the +existing pattern used for the other vf_* structs in the same +function. 
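+
+The resulting pattern, with dev->addr_len == 6 on Ethernet (sketch):
+
+	struct ifla_vf_broadcast vf_broadcast;		/* broadcast[32] */
+
+	memset(&vf_broadcast, 0, sizeof(vf_broadcast));	/* all 32 zeroed */
+	memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);
+	/* bytes 6..31 now read back as zero, not stack residue */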
+
+Fixes: 75345f888f70 ("ipoib: show VF broadcast address")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kai Zen
+Link: https://patch.msgid.link/3c506e8f936e52b57620269b55c348af05d413a2.1777557228.git.kai.aizen.dev@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/rtnetlink.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1566,6 +1566,7 @@ static noinline_for_stack int rtnl_fill_
+ 		port_guid.vf = ivi.vf;
+ 
+ 	memcpy(vf_mac.mac, ivi.mac, sizeof(ivi.mac));
++	memset(&vf_broadcast, 0, sizeof(vf_broadcast));
+ 	memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len);
+ 	vf_vlan.vlan = ivi.vlan;
+ 	vf_vlan.qos = ivi.qos;
diff --git a/queue-6.18/perf-x86-intel-improve-validation-and-configuration-of-acr-masks.patch b/queue-6.18/perf-x86-intel-improve-validation-and-configuration-of-acr-masks.patch
new file mode 100644
index 0000000000..9f5ec5e1a2
--- /dev/null
+++ b/queue-6.18/perf-x86-intel-improve-validation-and-configuration-of-acr-masks.patch
@@ -0,0 +1,95 @@
+From 5ad732a56be46aabf158c16aa0c095291727aaef Mon Sep 17 00:00:00 2001
+From: Dapeng Mi
+Date: Thu, 30 Apr 2026 08:25:54 +0800
+Subject: perf/x86/intel: Improve validation and configuration of ACR masks
+
+From: Dapeng Mi
+
+commit 5ad732a56be46aabf158c16aa0c095291727aaef upstream.
+
+Currently there are several issues with the user-space ACR mask
+validation and configuration.
+- The validation of the user-space ACR mask (attr.config2) is incomplete,
+  e.g., the ACR mask could include an index which belongs to another
+  ACR event group, but this is not validated.
+- An early return on an invalid ACR mask caused all subsequent ACR groups
+  to be skipped.
+- The stale hardware ACR mask (hw.config1) is not cleared before setting
+  the new hardware ACR mask.
+
+The following changes address all of the above issues.
+- Determine the event index range of an ACR group. Any bits in the
+  user-space mask not present in that range are now dropped.
+- Instead of an early return on invalid bits, drop only the invalid
+  portions and continue iterating through all ACR events to ensure full
+  configuration.
+- Explicitly clear the stale hardware ACR mask for each event prior to
+  writing the new configuration.
+
+Besides, a non-leader event member of an ACR group could in theory be
+disabled. This could cause bit-shifting errors in the acr_mask of the
+remaining group members. But since ACR sampling requires all events to
+be active, this should not be a big concern in real use cases. Add a
+"FIXME" comment to note this risk.
+
+Fixes: ec980e4facef ("perf/x86/intel: Support auto counter reload")
+Signed-off-by: Dapeng Mi
+Signed-off-by: Peter Zijlstra (Intel)
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260430002558.712334-2-dapeng1.mi@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/events/intel/core.c |   32 +++++++++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -2980,23 +2980,41 @@ static void intel_pmu_enable_event(struc
+ static void intel_pmu_acr_late_setup(struct cpu_hw_events *cpuc)
+ {
+ 	struct perf_event *event, *leader;
+-	int i, j, idx;
++	int i, j, k, bit, idx;
+ 
++	/*
++	 * FIXME: ACR mask parsing relies on cpuc->event_list[] (active events only).
++	 * Disabling an ACR event causes bit-shifting errors in the acr_mask of
++	 * remaining group members.
As ACR sampling requires all events to be active, ++ * this limitation is acceptable for now. Revisit if independent event toggling ++ * is required. ++ */ + for (i = 0; i < cpuc->n_events; i++) { + leader = cpuc->event_list[i]; + if (!is_acr_event_group(leader)) + continue; + +- /* The ACR events must be contiguous. */ ++ /* Find the last event of the ACR group. */ + for (j = i; j < cpuc->n_events; j++) { + event = cpuc->event_list[j]; + if (event->group_leader != leader->group_leader) + break; +- for_each_set_bit(idx, (unsigned long *)&event->attr.config2, X86_PMC_IDX_MAX) { +- if (i + idx >= cpuc->n_events || +- !is_acr_event_group(cpuc->event_list[i + idx])) +- return; +- __set_bit(cpuc->assign[i + idx], (unsigned long *)&event->hw.config1); ++ } ++ ++ /* ++ * Translate the user-space ACR mask (attr.config2) into the physical ++ * counter bitmask (hw.config1) for each ACR event in the group. ++ * NOTE: ACR event contiguity is guaranteed by intel_pmu_hw_config(). ++ */ ++ for (k = i; k < j; k++) { ++ event = cpuc->event_list[k]; ++ event->hw.config1 = 0; ++ for_each_set_bit(bit, (unsigned long *)&event->attr.config2, X86_PMC_IDX_MAX) { ++ idx = i + bit; ++ /* Event index of ACR group must locate in [i, j). */ ++ if (idx >= j || !is_acr_event_group(cpuc->event_list[idx])) ++ continue; ++ __set_bit(cpuc->assign[idx], (unsigned long *)&event->hw.config1); + } + } + i = j - 1; diff --git a/queue-6.18/series b/queue-6.18/series index 2a2652e1b8..822ffa45d9 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -82,3 +82,13 @@ spi-sun6i-fix-controller-deregistration.patch spi-zynqmp-gqspi-fix-controller-deregistration.patch spi-s3c64xx-fix-null-deref-on-driver-unbind.patch staging-vme_user-fix-root-device-leak-on-init-failure.patch +fanotify-fix-false-positive-on-permission-events.patch +kvm-arm64-fix-kvm_vcpu_initialized-macro-parameter.patch +mtd-spi-nor-debugfs-fix-out-of-bounds-read-in-spi_nor_params_show.patch +arm64-signal-preserve-por_el0-if-poe_context-is-missing.patch +mm-hugetlb_cma-round-up-per_node-before-logging-it.patch +loongarch-fix-sym_sigfunc_start-definition-for-32bit.patch +loongarch-kvm-compile-switch.s-directly-into-the-kernel.patch +net-rtnetlink-zero-ifla_vf_broadcast-to-avoid-stack-infoleak-in-rtnl_fill_vfinfo.patch +mptcp-pm-add_addr-rtx-skip-inactive-subflows.patch +perf-x86-intel-improve-validation-and-configuration-of-acr-masks.patch