From: Greg Kroah-Hartman Date: Mon, 17 Mar 2025 06:58:50 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.6.84~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0b54f221b90716c9743d7869c38497326054fbf5;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: leds-mlxreg-use-devm_mutex_init-for-mutex-initialization.patch lib-buildid-handle-memfd_secret-files-in-build_id_parse.patch tcp-fix-forever-orphan-socket-caused-by-tcp_abort.patch tcp-fix-races-in-tcp_abort.patch
---
diff --git a/queue-6.1/leds-mlxreg-use-devm_mutex_init-for-mutex-initialization.patch b/queue-6.1/leds-mlxreg-use-devm_mutex_init-for-mutex-initialization.patch
new file mode 100644
index 0000000000..89aebc4c72
--- /dev/null
+++ b/queue-6.1/leds-mlxreg-use-devm_mutex_init-for-mutex-initialization.patch
@@ -0,0 +1,69 @@
+From efc347b9efee1c2b081f5281d33be4559fa50a16 Mon Sep 17 00:00:00 2001
+From: George Stark
+Date: Thu, 11 Apr 2024 19:10:31 +0300
+Subject: leds: mlxreg: Use devm_mutex_init() for mutex initialization
+
+From: George Stark
+
+commit efc347b9efee1c2b081f5281d33be4559fa50a16 upstream.
+
+In this driver LEDs are registered using devm_led_classdev_register()
+so they are automatically unregistered after module's remove() is done.
+led_classdev_unregister() calls module's led_set_brightness() to turn off
+the LEDs and that callback uses mutex which was destroyed already
+in module's remove() so use devm API instead.
+
+Signed-off-by: George Stark
+Reviewed-by: Andy Shevchenko
+Link: https://lore.kernel.org/r/20240411161032.609544-8-gnstark@salutedevices.com
+Signed-off-by: Lee Jones
+Signed-off-by: Bin Lan
+Signed-off-by: He Zhe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/leds/leds-mlxreg.c | 16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+--- a/drivers/leds/leds-mlxreg.c
++++ b/drivers/leds/leds-mlxreg.c
+@@ -258,6 +258,7 @@ static int mlxreg_led_probe(struct platf
+ {
+ struct mlxreg_core_platform_data *led_pdata;
+ struct mlxreg_led_priv_data *priv;
++ int err;
+
+ led_pdata = dev_get_platdata(&pdev->dev);
+ if (!led_pdata) {
+@@ -269,28 +270,21 @@ static int mlxreg_led_probe(struct platf
+ if (!priv)
+ return -ENOMEM;
+
+- mutex_init(&priv->access_lock);
++ err = devm_mutex_init(&pdev->dev, &priv->access_lock);
++ if (err)
++ return err;
++
+ priv->pdev = pdev;
+ priv->pdata = led_pdata;
+
+ return mlxreg_led_config(priv);
+ }
+
+-static int mlxreg_led_remove(struct platform_device *pdev)
+-{
+- struct mlxreg_led_priv_data *priv = dev_get_drvdata(&pdev->dev);
+-
+- mutex_destroy(&priv->access_lock);
+-
+- return 0;
+-}
+-
+ static struct platform_driver mlxreg_led_driver = {
+ .driver = {
+ .name = "leds-mlxreg",
+ },
+ .probe = mlxreg_led_probe,
+- .remove = mlxreg_led_remove,
+ };
+
+ module_platform_driver(mlxreg_led_driver);
diff --git a/queue-6.1/lib-buildid-handle-memfd_secret-files-in-build_id_parse.patch b/queue-6.1/lib-buildid-handle-memfd_secret-files-in-build_id_parse.patch
new file mode 100644
index 0000000000..95ddcaa41f
--- /dev/null
+++ b/queue-6.1/lib-buildid-handle-memfd_secret-files-in-build_id_parse.patch
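Review bot: The new `devm_mutex_init()` call in mlxreg_led_probe() depends on a helper that this patch does not add, and none of the four patches queued alongside it in this commit introduces it, so the 6.1 tree should be checked for the helper (or its backport queued first) before this is applied. The fix also relies on devres ordering, with the mutex registered before `mlxreg_led_config()` runs so that it is released only after the LEDs are unregistered; a comment above the call such as `/* init before LED registration so devres destroys the lock last */` would protect that ordering against a later reshuffle. Where the LEDs are actually registered is outside the hunk, so that part is inferred from the commit message.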
@@ -0,0 +1,62 @@
+From 5ac9b4e935dfc6af41eee2ddc21deb5c36507a9f Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko
+Date: Thu, 17 Oct 2024 10:47:13 -0700
+Subject: lib/buildid: Handle memfd_secret() files in build_id_parse()
+
+From: Andrii Nakryiko
+
+commit 5ac9b4e935dfc6af41eee2ddc21deb5c36507a9f upstream.
+
+>From memfd_secret(2) manpage:
+
+ The memory areas backing the file created with memfd_secret(2) are
+ visible only to the processes that have access to the file descriptor.
+ The memory region is removed from the kernel page tables and only the
+ page tables of the processes holding the file descriptor map the
+ corresponding physical memory. (Thus, the pages in the region can't be
+ accessed by the kernel itself, so that, for example, pointers to the
+ region can't be passed to system calls.)
+
+We need to handle this special case gracefully in build ID fetching
+code. Return -EFAULT whenever secretmem file is passed to build_id_parse()
+family of APIs. Original report and repro can be found in [0].
+
+ [0] https://lore.kernel.org/bpf/ZwyG8Uro%2FSyTXAni@ly-workstation/
+
+Fixes: de3ec364c3c3 ("lib/buildid: add single folio-based file reader abstraction")
+Reported-by: Yi Lai
+Suggested-by: Shakeel Butt
+Signed-off-by: Andrii Nakryiko
+Signed-off-by: Daniel Borkmann
+Acked-by: Shakeel Butt
+Link: https://lore.kernel.org/bpf/20241017175431.6183-A-hca@linux.ibm.com
+Link: https://lore.kernel.org/bpf/20241017174713.2157873-1-andrii@kernel.org
+[ Chen Linxuan: backport same logic without folio-based changes ]
+Fixes: 88a16a130933 ("perf: Add build id data in mmap2 event")
+Signed-off-by: Chen Linxuan
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/buildid.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/lib/buildid.c
++++ b/lib/buildid.c
+@@ -5,6 +5,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #define BUILD_ID 3
+
+@@ -157,6 +158,10 @@ int build_id_parse(struct vm_area_struct
+ if (!vma->vm_file)
+ return -EINVAL;
+
++ /* reject secretmem folios created with memfd_secret() */
++ if (vma_is_secretmem(vma))
++ return -EFAULT;
++
+ page = find_get_page(vma->vm_file->f_mapping, 0);
+ if (!page)
+ return -EFAULT; /* page not mapped */
diff --git a/queue-6.1/series b/queue-6.1/series
index 9e4d756958..4e11a95157 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -122,3 +122,7 @@ clk-samsung-update-pll-locktime-for-pll142xx-used-on-fsd-platform.patch
 asoc-amd-yc-support-mic-on-another-lenovo-thinkpad-e16-gen-2-model.patch
 qlcnic-fix-memory-leak-issues-in-qlcnic_sriov_common.c.patch
 rust-disallow-btf-generation-with-rust-lto.patch
+lib-buildid-handle-memfd_secret-files-in-build_id_parse.patch
+tcp-fix-races-in-tcp_abort.patch
+tcp-fix-forever-orphan-socket-caused-by-tcp_abort.patch
+leds-mlxreg-use-devm_mutex_init-for-mutex-initialization.patch
diff --git a/queue-6.1/tcp-fix-forever-orphan-socket-caused-by-tcp_abort.patch b/queue-6.1/tcp-fix-forever-orphan-socket-caused-by-tcp_abort.patch
new file mode 100644
index 0000000000..eb730721c8
--- /dev/null
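Review bot: The comment added above the `vma_is_secretmem(vma)` check in build_id_parse() speaks of "secretmem folios", yet this backport is stated to omit the folio-based changes and the code right below still uses `find_get_page()`; it also gives no reason for the rejection. A wording such as `/* secretmem pages are removed from the kernel page tables and must not be read here */` would match the 6.1 code and record the reason given in the commit message. The `-EFAULT` returned here is the same value as the "page not mapped" path two lines later, so callers cannot tell the two cases apart; that appears intended but is worth stating in the comment. build_id_parse() starts before and continues after the lines shown.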
+++ b/queue-6.1/tcp-fix-forever-orphan-socket-caused-by-tcp_abort.patch 
@@ -0,0 +1,93 @@
+From bac76cf89816bff06c4ec2f3df97dc34e150a1c4 Mon Sep 17 00:00:00 2001
+From: Xueming Feng
+Date: Mon, 26 Aug 2024 18:23:27 +0800
+Subject: tcp: fix forever orphan socket caused by tcp_abort
+
+From: Xueming Feng
+
+commit bac76cf89816bff06c4ec2f3df97dc34e150a1c4 upstream.
+
+We have some problem closing zero-window fin-wait-1 tcp sockets in our
+environment. This patch come from the investigation.
+
+Previously tcp_abort only sends out reset and calls tcp_done when the
+socket is not SOCK_DEAD, aka orphan. For orphan socket, it will only
+purging the write queue, but not close the socket and left it to the
+timer.
+
+While purging the write queue, tp->packets_out and sk->sk_write_queue
+is cleared along the way. However tcp_retransmit_timer have early
+return based on !tp->packets_out and tcp_probe_timer have early
+return based on !sk->sk_write_queue.
+
+This caused ICSK_TIME_RETRANS and ICSK_TIME_PROBE0 not being resched
+and socket not being killed by the timers, converting a zero-windowed
+orphan into a forever orphan.
+
+This patch removes the SOCK_DEAD check in tcp_abort, making it send
+reset to peer and close the socket accordingly. Preventing the
+timer-less orphan from happening.
+
+According to Lorenzo's email in the v1 thread, the check was there to
+prevent force-closing the same socket twice. That situation is handled
+by testing for TCP_CLOSE inside lock, and returning -ENOENT if it is
+already closed.
+
+The -ENOENT code comes from the associate patch Lorenzo made for
+iproute2-ss; link attached below, which also conform to RFC 9293.
+
+At the end of the patch, tcp_write_queue_purge(sk) is removed because it
+was already called in tcp_done_with_error().
+
+p.s. This is the same patch with v2. Resent due to mis-labeled "changes
+requested" on patchwork.kernel.org.
+
+Link: https://patchwork.ozlabs.org/project/netdev/patch/1450773094-7978-3-git-send-email-lorenzo@google.com/
+Fixes: c1e64e298b8c ("net: diag: Support destroying TCP sockets.")
+Signed-off-by: Xueming Feng
+Tested-by: Lorenzo Colitti
+Reviewed-by: Jason Xing
+Reviewed-by: Eric Dumazet
+Link: https://patch.msgid.link/20240826102327.1461482-1-kuro@kuroa.me
+Signed-off-by: Jakub Kicinski
+[youngmin: Resolved minor conflict in net/ipv4/tcp.c]
+Signed-off-by: Youngmin Nam
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -4745,6 +4745,12 @@ int tcp_abort(struct sock *sk, int err)
+ /* Don't race with userspace socket closes such as tcp_close. */
+ lock_sock(sk);
+
++ /* Avoid closing the same socket twice. */
++ if (sk->sk_state == TCP_CLOSE) {
++ release_sock(sk);
++ return -ENOENT;
++ }
++
+ if (sk->sk_state == TCP_LISTEN) {
+ tcp_set_state(sk, TCP_CLOSE);
+ inet_csk_listen_stop(sk);
+@@ -4754,15 +4760,12 @@ int tcp_abort(struct sock *sk, int err)
+ local_bh_disable();
+ bh_lock_sock(sk);
+
+- if (!sock_flag(sk, SOCK_DEAD)) {
+- if (tcp_need_reset(sk->sk_state))
+- tcp_send_active_reset(sk, GFP_ATOMIC);
+- tcp_done_with_error(sk, err);
+- }
++ if (tcp_need_reset(sk->sk_state))
++ tcp_send_active_reset(sk, GFP_ATOMIC);
++ tcp_done_with_error(sk, err);
+
+ bh_unlock_sock(sk);
+ local_bh_enable();
+- tcp_write_queue_purge(sk);
+ release_sock(sk);
+ return 0;
+ }
diff --git a/queue-6.1/tcp-fix-races-in-tcp_abort.patch b/queue-6.1/tcp-fix-races-in-tcp_abort.patch
new file mode 100644
index 0000000000..e6c7a54a82
--- /dev/null
+++ b/queue-6.1/tcp-fix-races-in-tcp_abort.patch
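Review bot: Removing the trailing `tcp_write_queue_purge(sk)` at the end of tcp_abort() is only safe if the 6.1 copy of `tcp_done_with_error()` purges the write queue itself, as the commit message says; that helper is not defined by any patch in this commit, so its 6.1 body should be checked before this is applied. The same helper is first called by tcp-fix-races-in-tcp_abort.patch further down this page, which refers to "the prior patch" for its introduction, so both backports share that prerequisite. The new `TCP_CLOSE` early return also changes the result for an already-closed socket from 0 (on the paths visible here) to `-ENOENT`, and the comment could say so, e.g. `/* Already closed: return -ENOENT rather than aborting twice. */`. tcp_abort() begins before the first inner hunk, so earlier return paths are not visible.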
@@ -0,0 +1,46 @@
+From 5ce4645c23cf5f048eb8e9ce49e514bababdee85 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Tue, 28 May 2024 12:52:52 +0000
+Subject: tcp: fix races in tcp_abort()
+
+From: Eric Dumazet
+
+commit 5ce4645c23cf5f048eb8e9ce49e514bababdee85 upstream.
+
+tcp_abort() has the same issue than the one fixed in the prior patch
+in tcp_write_err().
+
+In order to get consistent results from tcp_poll(), we must call
+sk_error_report() after tcp_done().
+
+We can use tcp_done_with_error() to centralize this logic.
+
+Fixes: c1e64e298b8c ("net: diag: Support destroying TCP sockets.")
+Signed-off-by: Eric Dumazet
+Acked-by: Neal Cardwell
+Link: https://lore.kernel.org/r/20240528125253.1966136-4-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+[youngmin: Resolved minor conflict in net/ipv4/tcp.c]
+Signed-off-by: Youngmin Nam
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -4755,13 +4755,9 @@ int tcp_abort(struct sock *sk, int err)
+ bh_lock_sock(sk);
+
+ if (!sock_flag(sk, SOCK_DEAD)) {
+- WRITE_ONCE(sk->sk_err, err);
+- /* This barrier is coupled with smp_rmb() in tcp_poll() */
+- smp_wmb();
+- sk_error_report(sk);
+ if (tcp_need_reset(sk->sk_state))
+ tcp_send_active_reset(sk, GFP_ATOMIC);
+- tcp_done(sk);
++ tcp_done_with_error(sk, err);
+ }
+
+ bh_unlock_sock(sk);