From: Greg Kroah-Hartman
Date: Sun, 24 Aug 2025 08:06:20 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Tag: v5.4.297~36
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0e150e0402974ca2649842856a2995e62782da7f;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10-stable patches
added patches:
ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch
btrfs-populate-otime-when-logging-an-inode-item.patch
drm-amdgpu-handle-the-case-of-pci_channel_io_frozen-only-in-amdgpu_pci_resume.patch
iio-adc-ad_sigma_delta-change-to-buffer-predisable.patch
mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch
net-sched-ets-use-old-nbands-while-purging-unused-classes.patch
net-sched-sch_ets-properly-init-all-active-drr-list-handles.patch
net_sched-sch_ets-implement-lockless-ets_dump.patch
nfs-create-an-nfs4_server_set_init_caps-function.patch
nfs-don-t-set-nfs_ino_reval_pagecache-in-the-inode-cache-validity.patch
nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch
nfsv4-fix-nfs4_bitmap_copy_adjust.patch
rdma-rxe-return-cqe-error-if-invalid-lkey-was-supplied.patch
scsi-lpfc-fix-link-down-processing-to-address-null-pointer-dereference.patch
scsi-pm80xx-fix-memory-leak-during-rmmod.patch
scsi-ufs-exynos-fix-programming-of-hci_utrl_nexus_type.patch
soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch
usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch
usb-musb-omap2430-fix-device-leak-at-unbind.patch
---
diff --git a/queue-5.10/ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch b/queue-5.10/ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch
new file mode 100644
index 0000000000..0e63c05ec5
--- /dev/null
+++ b/queue-5.10/ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch
@@ -0,0 +1,78 @@ +From stable+bounces-172213-greg=kroah.com@vger.kernel.org Thu Aug 21 20:18:26 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 14:18:16 -0400 +Subject: ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig +To: stable@vger.kernel.org +Cc: Damien Le Moal , Hannes Reinecke , Niklas Cassel , Sasha Levin +Message-ID: <20250821181816.887742-1-sashal@kernel.org> + +From: Damien Le Moal + +[ Upstream commit ed62a62a18bc144f73eadf866ae46842e8f6606e ] + +Improve the description of the possible default SATA link power +management policies and add the missing description for policy 5. +No functional changes. + +Fixes: a5ec5a7bfd1f ("ata: ahci: Support state with min power but Partial low power state") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Reviewed-by: Niklas Cassel +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/Kconfig | 33 +++++++++++++++++++++++++-------- + 1 file changed, 25 insertions(+), 8 deletions(-) + +--- a/drivers/ata/Kconfig ++++ b/drivers/ata/Kconfig +@@ -117,22 +117,39 @@ config SATA_AHCI + + config SATA_MOBILE_LPM_POLICY + int "Default SATA Link Power Management policy for mobile chipsets" +- range 0 4 ++ range 0 5 + default 0 + depends on SATA_AHCI + help + Select the Default SATA Link Power Management (LPM) policy to use + for mobile / laptop variants of chipsets / "South Bridges". + +- The value set has the following meanings: ++ Each policy combines power saving states and features: ++ - Partial: The Phy logic is powered but is in a reduced power ++ state. The exit latency from this state is no longer than ++ 10us). ++ - Slumber: The Phy logic is powered but is in an even lower power ++ state. The exit latency from this state is potentially ++ longer, but no longer than 10ms. ++ - DevSleep: The Phy logic may be powered down. 
The exit latency from ++ this state is no longer than 20 ms, unless otherwise ++ specified by DETO in the device Identify Device Data log. ++ - HIPM: Host Initiated Power Management (host automatically ++ transitions to partial and slumber). ++ - DIPM: Device Initiated Power Management (device automatically ++ transitions to partial and slumber). ++ ++ The possible values for the default SATA link power management ++ policies are: + 0 => Keep firmware settings +- 1 => Maximum performance +- 2 => Medium power +- 3 => Medium power with Device Initiated PM enabled +- 4 => Minimum power ++ 1 => No power savings (maximum performance) ++ 2 => HIPM (Partial) ++ 3 => HIPM (Partial) and DIPM (Partial and Slumber) ++ 4 => HIPM (Partial and DevSleep) and DIPM (Partial and Slumber) ++ 5 => HIPM (Slumber and DevSleep) and DIPM (Partial and Slumber) + +- Note "Minimum power" is known to cause issues, including disk +- corruption, with some disks and should not be used. ++ Excluding the value 0, higher values represent policies with higher ++ power savings. + + config SATA_AHCI_PLATFORM + tristate "Platform AHCI SATA support" diff --git a/queue-5.10/btrfs-populate-otime-when-logging-an-inode-item.patch b/queue-5.10/btrfs-populate-otime-when-logging-an-inode-item.patch new file mode 100644 index 0000000000..f299dbfc5b --- /dev/null +++ b/queue-5.10/btrfs-populate-otime-when-logging-an-inode-item.patch 
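Review bot: The message says "No functional changes", yet the drivers/ata/Kconfig hunk also widens `range 0 4` to `range 0 5`, so a default policy value that Kconfig used to reject is now accepted. The same hunk removes the old warning that the most aggressive setting "is known to cause issues, including disk corruption, with some disks" and puts nothing in its place; because the closing sentence now only says that higher values save more power, I would keep a one-line caveat such as `Policies with higher power savings are not handled correctly by all disks; test before raising the default.` Whether the 5.10 libata code already handles value 5 is not visible here and should be confirmed for this backport. Separately, the Partial entry ends with an unbalanced parenthesis (`10us).`).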
@@ -0,0 +1,116 @@ +From stable+bounces-171803-greg=kroah.com@vger.kernel.org Tue Aug 19 16:33:36 2025 +From: Sasha Levin +Date: Tue, 19 Aug 2025 10:33:27 -0400 +Subject: btrfs: populate otime when logging an inode item +To: stable@vger.kernel.org +Cc: Qu Wenruo , Filipe Manana , David Sterba , Sasha Levin +Message-ID: <20250819143327.512986-1-sashal@kernel.org> + +From: Qu Wenruo + +[ Upstream commit 1ef94169db0958d6de39f9ea6e063ce887342e2d ] + +[TEST FAILURE WITH EXPERIMENTAL FEATURES] +When running test case generic/508, the test case will fail with the new +btrfs shutdown support: + +generic/508 - output mismatch (see /home/adam/xfstests/results//generic/508.out.bad) +# --- tests/generic/508.out 2022-05-11 11:25:30.806666664 +0930 +# +++ /home/adam/xfstests/results//generic/508.out.bad 2025-07-02 14:53:22.401824212 +0930 +# 
@@ -1,2 +1,6 @@ +# QA output created by 508 +# Silence is golden +# +Before: +# +After : stat.btime = Thu Jan 1 09:30:00 1970 +# +Before: +# +After : stat.btime = Wed Jul 2 14:53:22 2025 +# ... +# (Run 'diff -u /home/adam/xfstests/tests/generic/508.out /home/adam/xfstests/results//generic/508.out.bad' to see the entire diff) +Ran: generic/508 +Failures: generic/508 +Failed 1 of 1 tests + +Please note that the test case requires shutdown support, thus the test +case will be skipped using the current upstream kernel, as it doesn't +have shutdown ioctl support. + +[CAUSE] +The direct cause the 0 time stamp in the log tree: + +leaf 30507008 items 2 free space 16057 generation 9 owner TREE_LOG +leaf 30507008 flags 0x1(WRITTEN) backref revision 1 +checksum stored e522548d +checksum calced e522548d +fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0 +chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398 + item 0 key (257 INODE_ITEM 0) itemoff 16123 itemsize 160 + generation 9 transid 9 size 0 nbytes 0 + block group 0 mode 100644 links 1 uid 0 gid 0 rdev 0 + sequence 1 flags 0x0(none) + atime 1751432947.492000000 (2025-07-02 14:39:07) + ctime 1751432947.492000000 (2025-07-02 14:39:07) + mtime 1751432947.492000000 (2025-07-02 14:39:07) + otime 0.0 (1970-01-01 09:30:00) <<< + +But the old fs tree has all the correct time stamp: + +btrfs-progs v6.12 +fs tree key (FS_TREE ROOT_ITEM 0) +leaf 30425088 items 2 free space 16061 generation 5 owner FS_TREE +leaf 30425088 flags 0x1(WRITTEN) backref revision 1 +checksum stored 48f6c57e +checksum calced 48f6c57e +fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0 +chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398 + item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 + generation 3 transid 0 size 0 nbytes 16384 + block group 0 mode 40755 links 1 uid 0 gid 0 rdev 0 + sequence 0 flags 0x0(none) + atime 1751432947.0 (2025-07-02 14:39:07) + ctime 1751432947.0 (2025-07-02 14:39:07) + mtime 1751432947.0 (2025-07-02 14:39:07) + otime 1751432947.0 (2025-07-02 
14:39:07) <<< + +The root cause is that fill_inode_item() in tree-log.c is only +populating a/c/m time, not the otime (or btime in statx output). + +Part of the reason is that, the vfs inode only has a/c/m time, no native +btime support yet. + +[FIX] +Thankfully btrfs has its otime stored in btrfs_inode::i_otime_sec and +btrfs_inode::i_otime_nsec. + +So what we really need is just fill the otime time stamp in +fill_inode_item() of tree-log.c + +There is another fill_inode_item() in inode.c, which is doing the proper +otime population. + +Fixes: 94edf4ae43a5 ("Btrfs: don't bother committing delayed inode updates when fsyncing") +CC: stable@vger.kernel.org +Reviewed-by: Filipe Manana +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +[ Adapted token-based API calls ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -3921,6 +3921,11 @@ static void fill_inode_item(struct btrfs + btrfs_set_token_timespec_nsec(&token, &item->ctime, + inode->i_ctime.tv_nsec); + ++ btrfs_set_token_timespec_sec(&token, &item->otime, ++ BTRFS_I(inode)->i_otime.tv_sec); ++ btrfs_set_token_timespec_nsec(&token, &item->otime, ++ BTRFS_I(inode)->i_otime.tv_nsec); ++ + btrfs_set_token_inode_nbytes(&token, item, inode_get_bytes(inode)); + + btrfs_set_token_inode_sequence(&token, item, inode_peek_iversion(inode)); diff --git a/queue-5.10/drm-amdgpu-handle-the-case-of-pci_channel_io_frozen-only-in-amdgpu_pci_resume.patch b/queue-5.10/drm-amdgpu-handle-the-case-of-pci_channel_io_frozen-only-in-amdgpu_pci_resume.patch new file mode 100644 index 0000000000..c429452999 --- /dev/null +++ b/queue-5.10/drm-amdgpu-handle-the-case-of-pci_channel_io_frozen-only-in-amdgpu_pci_resume.patch 
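Review bot: The four added lines in fill_inode_item() carry no comment explaining why otime is read through `BTRFS_I(inode)` while the ctime just above comes from `inode->i_ctime`, and the field names in the message (`i_otime_sec`/`i_otime_nsec`) do not match the `i_otime.tv_sec`/`i_otime.tv_nsec` used in this 5.10 adaptation. I would add `/* otime (statx btime) is kept only in btrfs_inode; keep in sync with fill_inode_item() in inode.c */` above the new calls. Without the field, a replayed log item reports a 1970 creation time, which silently destroys a timestamp that is often relied on when reconstructing file history. The function starts and ends outside the hunk.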
@@ -0,0 +1,70 @@
+From stable+bounces-167102-greg=kroah.com@vger.kernel.org Tue Aug 12 08:37:31 2025
+From: Shivani Agarwal
+Date: Mon, 11 Aug 2025 23:23:49 -0700
+Subject: drm/amdgpu: handle the case of pci_channel_io_frozen only in amdgpu_pci_resume
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: bcm-kernel-feedback-list@broadcom.com, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, tapas.kundu@broadcom.com, alexander.deucher@amd.com, christian.koenig@amd.com, airlied@gmail.com, simona@ffwll.ch, lijo.lazar@amd.com, mario.limonciello@amd.com, sunil.khatri@amd.com, srinivasan.shanmugam@amd.com, siqueira@igalia.com, cesun102@amd.com, linux@treblig.org, zhangzekun11@huawei.com, andrey.grodzovsky@amd.com, amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, Guchun Chen , Sasha Levin , Shivani Agarwal
+Message-ID: <20250812062349.149549-1-shivani.agarwal@broadcom.com>
+
+From: Guchun Chen
+
+[ Upstream commit 248b061689a40f4fed05252ee2c89f87cf26d7d8 ]
+
+In current code, when a PCI error state pci_channel_io_normal is detectd,
+it will report PCI_ERS_RESULT_CAN_RECOVER status to PCI driver, and PCI
+driver will continue the execution of PCI resume callback report_resume by
+pci_walk_bridge, and the callback will go into amdgpu_pci_resume
+finally, where write lock is releasd unconditionally without acquiring
+such lock first. In this case, a deadlock will happen when other threads
+start to acquire the read lock.
+
+To fix this, add a member in amdgpu_device strucutre to cache
+pci_channel_state, and only continue the execution in amdgpu_pci_resume
+when it's pci_channel_io_frozen.
+
+Fixes: c9a6b82f45e2 ("drm/amdgpu: Implement DPC recovery")
+Suggested-by: Andrey Grodzovsky
+Signed-off-by: Guchun Chen
+Reviewed-by: Andrey Grodzovsky
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+[Shivani: Modified to apply on 5.10.y]
+Signed-off-by: Shivani Agarwal
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu.h | 1 +
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h
+@@ -997,6 +997,7 @@ struct amdgpu_device {
+
+ bool in_pci_err_recovery;
+ struct pci_saved_state *pci_state;
++ pci_channel_state_t pci_channel_state;
+ };
+
+ static inline struct amdgpu_device *drm_to_adev(struct drm_device *ddev)
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -4944,6 +4944,8 @@ pci_ers_result_t amdgpu_pci_error_detect
+ return PCI_ERS_RESULT_DISCONNECT;
+ }
+
++ adev->pci_channel_state = state;
++
+ switch (state) {
+ case pci_channel_io_normal:
+ return PCI_ERS_RESULT_CAN_RECOVER;
+@@ -5079,6 +5081,10 @@ void amdgpu_pci_resume(struct pci_dev *p
+
+ DRM_INFO("PCI error: resume callback!!\n");
+
++ /* Only continue execution for the case of pci_channel_io_frozen */
++ if (adev->pci_channel_state != pci_channel_io_frozen)
++ return;
++
+ for (i = 0; i < AMDGPU_MAX_RINGS; ++i) {
+ struct amdgpu_ring *ring = adev->rings[i];
+
diff --git a/queue-5.10/iio-adc-ad_sigma_delta-change-to-buffer-predisable.patch b/queue-5.10/iio-adc-ad_sigma_delta-change-to-buffer-predisable.patch
new file mode 100644
index 0000000000..13ee43ccd1
--- /dev/null
+++ b/queue-5.10/iio-adc-ad_sigma_delta-change-to-buffer-predisable.patch
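Review bot: The comment on the new guard in amdgpu_pci_resume() restates the condition instead of giving the reason; going by the commit message, the lock released later in this function is only taken on the frozen path, so `/* The write lock is only taken for pci_channel_io_frozen; releasing it in any other state unbalances it and deadlocks readers */` would tell the next reader why the early return must stay. In amdgpu_pci_error_detected() the assignment to `adev->pci_channel_state` sits after the early `return PCI_ERS_RESULT_DISCONNECT;` shown in the context, so on that path the field keeps whatever an earlier error left in it. If a resume callback can follow that path (not visible here), a stale `pci_channel_io_frozen` would pass the guard, so consider moving the assignment above that return. The new struct member also deserves `/* last state passed to amdgpu_pci_error_detected(); checked in amdgpu_pci_resume() */`, and both functions continue outside the hunks.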
@@ -0,0 +1,51 @@
+From stable+bounces-172484-greg=kroah.com@vger.kernel.org Fri Aug 22 19:55:45 2025
+From: Sasha Levin
+Date: Fri, 22 Aug 2025 13:55:16 -0400
+Subject: iio: adc: ad_sigma_delta: change to buffer predisable
+To: stable@vger.kernel.org
+Cc: "David Lechner" , "Nuno Sá" , "Jonathan Cameron" , "Sasha Levin"
+Message-ID: <20250822175516.1349300-1-sashal@kernel.org>
+
+From: David Lechner
+
+[ Upstream commit 66d4374d97f85516b5a22418c5e798aed2606dec ]
+
+Change the buffer disable callback from postdisable to predisable.
+This balances the existing posteanble callback. Using postdisable
+with posteanble can be problematic, for example, if update_scan_mode
+fails, it would call postdisable without ever having called posteanble,
+so the drivers using this would be in an unexpected state when
+postdisable was called.
+
+Fixes: af3008485ea0 ("iio:adc: Add common code for ADI Sigma Delta devices")
+Signed-off-by: David Lechner
+Reviewed-by: Nuno Sá
+Link: https://patch.msgid.link/20250703-iio-adc-ad_sigma_delta-buffer-predisable-v1-1-f2ab85138f1f@baylibre.com
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/ad_sigma_delta.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/adc/ad_sigma_delta.c
++++ b/drivers/iio/adc/ad_sigma_delta.c
+@@ -371,7 +371,7 @@ err_unlock:
+ return ret;
+ }
+
+-static int ad_sd_buffer_postdisable(struct iio_dev *indio_dev)
++static int ad_sd_buffer_predisable(struct iio_dev *indio_dev)
+ {
+ struct ad_sigma_delta *sigma_delta = iio_device_get_drvdata(indio_dev);
+
+@@ -432,7 +432,7 @@ static irqreturn_t ad_sd_trigger_handler
+
+ static const struct iio_buffer_setup_ops ad_sd_buffer_setup_ops = {
+ .postenable = &ad_sd_buffer_postenable,
+- .postdisable = &ad_sd_buffer_postdisable,
++ .predisable = &ad_sd_buffer_predisable,
+ .validate_scan_mask = &iio_validate_scan_mask_onehot,
+ };
+
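Review bot: Nothing in `ad_sd_buffer_setup_ops` records why teardown is hooked to `.predisable` rather than `.postdisable`, so a later cleanup could easily switch it back. A one-line comment above the initializer, for example `/* predisable pairs with postenable; postdisable can run when postenable never did (update_scan_mode failure) */`, would keep the reasoning from the commit message next to the code. The body of ad_sd_buffer_predisable() is outside the hunk, so whether everything it undoes is safe to undo before the buffer is disabled cannot be checked from here.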
diff --git a/queue-5.10/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch b/queue-5.10/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch
new file mode 100644
index 0000000000..5734886f21
--- /dev/null
+++ b/queue-5.10/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch
@@ -0,0 +1,114 @@
+From stable+bounces-171811-greg=kroah.com@vger.kernel.org Tue Aug 19 17:11:09 2025
+From: Sasha Levin
+Date: Tue, 19 Aug 2025 11:09:21 -0400
+Subject: mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()
+To: stable@vger.kernel.org
+Cc: Anshuman Khandual , David Hildenbrand , Dev Jain , Alexander Gordeev , Catalin Marinas , Will Deacon , Ryan Roberts , Paul Walmsley , Palmer Dabbelt , Gerald Schaefer , Heiko Carstens , Vasily Gorbik , Christian Borntraeger , Sven Schnelle , Andrew Morton , Sasha Levin
+Message-ID: <20250819150921.531532-1-sashal@kernel.org>
+
+From: Anshuman Khandual
+
+[ Upstream commit 59305202c67fea50378dcad0cc199dbc13a0e99a ]
+
+Memory hot remove unmaps and tears down various kernel page table regions
+as required. The ptdump code can race with concurrent modifications of
+the kernel page tables. When leaf entries are modified concurrently, the
+dump code may log stale or inconsistent information for a VA range, but
+this is otherwise not harmful.
+
+But when intermediate levels of kernel page table are freed, the dump code
+will continue to use memory that has been freed and potentially
+reallocated for another purpose. In such cases, the ptdump code may
+dereference bogus addresses, leading to a number of potential problems.
+
+To avoid the above mentioned race condition, platforms such as arm64,
+riscv and s390 take memory hotplug lock, while dumping kernel page table
+via the sysfs interface /sys/kernel/debug/kernel_page_tables.
+
+Similar race condition exists while checking for pages that might have
+been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages
+which in turn calls ptdump_check_wx(). Instead of solving this race
+condition again, let's just move the memory hotplug lock inside generic
+ptdump_check_wx() which will benefit both the scenarios.
+
+Drop get_online_mems() and put_online_mems() combination from all existing
+platform ptdump code paths.
+
+Link: https://lkml.kernel.org/r/20250620052427.2092093-1-anshuman.khandual@arm.com
+Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove")
+Signed-off-by: Anshuman Khandual
+Acked-by: David Hildenbrand
+Reviewed-by: Dev Jain
+Acked-by: Alexander Gordeev [s390]
+Cc: Catalin Marinas
+Cc: Will Deacon
+Cc: Ryan Roberts
+Cc: Paul Walmsley
+Cc: Palmer Dabbelt
+Cc: Alexander Gordeev
+Cc: Gerald Schaefer
+Cc: Heiko Carstens
+Cc: Vasily Gorbik
+Cc: Christian Borntraeger
+Cc: Sven Schnelle
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/mm/ptdump_debugfs.c | 3 ---
+ arch/s390/mm/dump_pagetables.c | 2 --
+ mm/ptdump.c | 2 ++
+ 3 files changed, 2 insertions(+), 5 deletions(-)
+
+--- a/arch/arm64/mm/ptdump_debugfs.c
++++ b/arch/arm64/mm/ptdump_debugfs.c
+@@ -1,6 +1,5 @@
+ // SPDX-License-Identifier: GPL-2.0
+ #include
+-#include
+ #include
+
+ #include
+@@ -9,9 +8,7 @@ static int ptdump_show(struct seq_file *
+ {
+ struct ptdump_info *info = m->private;
+
+- get_online_mems();
+ ptdump_walk(m, info);
+- put_online_mems();
+ return 0;
+ }
+ DEFINE_SHOW_ATTRIBUTE(ptdump);
+--- a/arch/s390/mm/dump_pagetables.c
++++ b/arch/s390/mm/dump_pagetables.c
+@@ -218,11 +218,9 @@ static int ptdump_show(struct seq_file *
+ .marker = address_markers,
+ };
+
+- get_online_mems();
+ mutex_lock(&cpa_mutex);
+ ptdump_walk_pgd(&st.ptdump, &init_mm, NULL);
+ mutex_unlock(&cpa_mutex);
+- put_online_mems();
+ return 0;
+ }
+ DEFINE_SHOW_ATTRIBUTE(ptdump);
+--- a/mm/ptdump.c
++++ b/mm/ptdump.c
+@@ -141,6 +141,7 @@ void ptdump_walk_pgd(struct ptdump_state
+ {
+ const struct ptdump_range *range = st->range;
+
++ get_online_mems();
+ mmap_write_lock(mm);
+ while (range->start != range->end) {
+ walk_page_range_novma(mm, range->start, range->end,
+@@ -148,6 +149,7 @@ void ptdump_walk_pgd(struct ptdump_state
+ range++;
+ }
+ mmap_write_unlock(mm);
++ put_online_mems();
+
+ /* Flush out the last page */
+ st->note_page(st, 0, -1, 0);
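Review bot: On s390 the lock order changes: ptdump_show() used to take the memory hotplug lock and then `cpa_mutex`, and with `get_online_mems()` now inside ptdump_walk_pgd() it takes `cpa_mutex` first and the hotplug lock second. If any other s390 path acquires `cpa_mutex` while already holding the hotplug lock (not visible in these hunks), that is an ABBA inversion, so the new ordering should be exercised under lockdep on the 5.10 tree. mm/ptdump.c gains the two calls but no include, so it relies on the declaring header already being pulled in; the diffstat confirms only two added lines for that file. I would also add `/* Block memory hot-remove, which can free intermediate page-table levels under the walk */` above `get_online_mems();`, since the use-after-free it prevents is only described in the commit message.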
diff --git a/queue-5.10/net-sched-ets-use-old-nbands-while-purging-unused-classes.patch b/queue-5.10/net-sched-ets-use-old-nbands-while-purging-unused-classes.patch
new file mode 100644
index 0000000000..2c0aa96cfe
--- /dev/null
+++ b/queue-5.10/net-sched-ets-use-old-nbands-while-purging-unused-classes.patch
@@ -0,0 +1,119 @@ +From stable+bounces-171802-greg=kroah.com@vger.kernel.org Tue Aug 19 16:37:20 2025 +From: Sasha Levin +Date: Tue, 19 Aug 2025 10:32:53 -0400 +Subject: net/sched: ets: use old 'nbands' while purging unused classes +To: stable@vger.kernel.org +Cc: Davide Caratti , Li Shuang , Petr Machata , Ivan Vecera , Jakub Kicinski , Sasha Levin +Message-ID: <20250819143253.512050-3-sashal@kernel.org> + +From: Davide Caratti + +[ Upstream commit 87c6efc5ce9c126ae4a781bc04504b83780e3650 ] + +Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify() +after recent changes from Lion [2]. The problem is: in ets_qdisc_change() +we purge unused DWRR queues; the value of 'q->nbands' is the new one, and +the cleanup should be done with the old one. The problem is here since my +first attempts to fix ets_qdisc_change(), but it surfaced again after the +recent qdisc len accounting fixes. Fix it purging idle DWRR queues before +assigning a new value of 'q->nbands', so that all purge operations find a +consistent configuration: + + - old 'q->nbands' because it's needed by ets_class_find() + - old 'q->nstrict' because it's needed by ets_class_is_strict() + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: Oops: 0000 [#1] SMP NOPTI + CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary) + Hardware name: Dell Inc. 
PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021 + RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80 + Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab + RSP: 0018:ffffba186009f400 EFLAGS: 00010202 + RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004 + RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000 + RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004 + R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000 + R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000 + FS: 00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + + ets_class_qlen_notify+0x65/0x90 [sch_ets] + qdisc_tree_reduce_backlog+0x74/0x110 + ets_qdisc_change+0x630/0xa40 [sch_ets] + __tc_modify_qdisc.constprop.0+0x216/0x7f0 + tc_modify_qdisc+0x7c/0x120 + rtnetlink_rcv_msg+0x145/0x3f0 + netlink_rcv_skb+0x53/0x100 + netlink_unicast+0x245/0x390 + netlink_sendmsg+0x21b/0x470 + ____sys_sendmsg+0x39d/0x3d0 + ___sys_sendmsg+0x9a/0xe0 + __sys_sendmsg+0x7a/0xd0 + do_syscall_64+0x7d/0x160 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + RIP: 0033:0x7f2155114084 + Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89 + RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084 + RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003 + RBP: 00007fff1fd7aa60 R08: 
0000000000000010 R09: 000000000000003f + R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0 + R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0 + + + [1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/ + [2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/ + +Cc: stable@vger.kernel.org +Fixes: 103406b38c60 ("net/sched: Always pass notifications when child class becomes empty") +Fixes: c062f2a0b04d ("net/sched: sch_ets: don't remove idle classes from the round-robin list") +Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc") +Reported-by: Li Shuang +Closes: https://issues.redhat.com/browse/RHEL-108026 +Reviewed-by: Petr Machata +Co-developed-by: Ivan Vecera +Signed-off-by: Ivan Vecera +Signed-off-by: Davide Caratti +Link: https://patch.msgid.link/7928ff6d17db47a2ae7cc205c44777b1f1950545.1755016081.git.dcaratti@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_ets.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/net/sched/sch_ets.c ++++ b/net/sched/sch_ets.c +@@ -664,6 +664,12 @@ static int ets_qdisc_change(struct Qdisc + + sch_tree_lock(sch); + ++ for (i = nbands; i < oldbands; i++) { ++ if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) ++ list_del_init(&q->classes[i].alist); ++ qdisc_purge_queue(q->classes[i].qdisc); ++ } ++ + WRITE_ONCE(q->nbands, nbands); + for (i = nstrict; i < q->nstrict; i++) { + if (q->classes[i].qdisc->q.qlen) { +@@ -671,11 +677,6 @@ static int ets_qdisc_change(struct Qdisc + q->classes[i].deficit = quanta[i]; + } + } +- for (i = q->nbands; i < oldbands; i++) { +- if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) +- list_del_init(&q->classes[i].alist); +- qdisc_purge_queue(q->classes[i].qdisc); +- } + WRITE_ONCE(q->nstrict, nstrict); + memcpy(q->prio2band, priomap, sizeof(priomap)); + 
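Review bot: The position of the moved purge loop in ets_qdisc_change() is now load-bearing, but nothing in the code says so. It has to run before `WRITE_ONCE(q->nbands, nbands)` and `WRITE_ONCE(q->nstrict, nstrict)` because, per the call trace in the message, the purge reaches ets_class_qlen_notify(), which still needs the old values. I would put `/* Purge removed bands while q->nbands and q->nstrict still hold the old values; ets_class_find() and ets_class_is_strict() depend on them */` above the loop so that a later reordering does not bring back the NULL pointer dereference. This patch also applies only on top of the two Stable-dep-of patches added in the same commit, so their order in the series file (not part of this hunk) matters. The function begins and ends outside the hunk.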
diff --git a/queue-5.10/net-sched-sch_ets-properly-init-all-active-drr-list-handles.patch b/queue-5.10/net-sched-sch_ets-properly-init-all-active-drr-list-handles.patch
new file mode 100644
index 0000000000..70ccb4d6ea
--- /dev/null
+++ b/queue-5.10/net-sched-sch_ets-properly-init-all-active-drr-list-handles.patch
@@ -0,0 +1,75 @@ +From stable+bounces-171800-greg=kroah.com@vger.kernel.org Tue Aug 19 16:33:13 2025 +From: Sasha Levin +Date: Tue, 19 Aug 2025 10:32:51 -0400 +Subject: net/sched: sch_ets: properly init all active DRR list handles +To: stable@vger.kernel.org +Cc: Davide Caratti , Cong Wang , "David S. Miller" , Sasha Levin +Message-ID: <20250819143253.512050-1-sashal@kernel.org> + +From: Davide Caratti + +[ Upstream commit 454d3e1ae057a1e09a15905b06b860f60d6c14d0 ] + +leaf classes of ETS qdiscs are served in strict priority or deficit round +robin (DRR), depending on the value of 'nstrict'. Since this value can be +changed while traffic is running, we need to be sure that the active list +of DRR classes can be updated at any time, so: + +1) call INIT_LIST_HEAD(&alist) on all leaf classes in .init(), before the + first packet hits any of them. +2) ensure that 'alist' is not overwritten with zeros when a leaf class is + no more strict priority nor DRR (i.e. array elements beyond 'nbands'). + +Link: https://lore.kernel.org/netdev/YS%2FoZ+f0Nr8eQkzH@dcaratti.users.ipa.redhat.com +Suggested-by: Cong Wang +Signed-off-by: Davide Caratti +Signed-off-by: David S. 
Miller +Stable-dep-of: 87c6efc5ce9c ("net/sched: ets: use old 'nbands' while purging unused classes") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_ets.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/net/sched/sch_ets.c ++++ b/net/sched/sch_ets.c +@@ -666,7 +666,6 @@ static int ets_qdisc_change(struct Qdisc + + q->nbands = nbands; + for (i = nstrict; i < q->nstrict; i++) { +- INIT_LIST_HEAD(&q->classes[i].alist); + if (q->classes[i].qdisc->q.qlen) { + list_add_tail(&q->classes[i].alist, &q->active); + q->classes[i].deficit = quanta[i]; +@@ -694,7 +693,11 @@ static int ets_qdisc_change(struct Qdisc + ets_offload_change(sch); + for (i = q->nbands; i < oldbands; i++) { + qdisc_put(q->classes[i].qdisc); +- memset(&q->classes[i], 0, sizeof(q->classes[i])); ++ q->classes[i].qdisc = NULL; ++ q->classes[i].quantum = 0; ++ q->classes[i].deficit = 0; ++ memset(&q->classes[i].bstats, 0, sizeof(q->classes[i].bstats)); ++ memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats)); + } + return 0; + } +@@ -703,7 +706,7 @@ static int ets_qdisc_init(struct Qdisc * + struct netlink_ext_ack *extack) + { + struct ets_sched *q = qdisc_priv(sch); +- int err; ++ int err, i; + + if (!opt) + return -EINVAL; +@@ -713,6 +716,9 @@ static int ets_qdisc_init(struct Qdisc * + return err; + + INIT_LIST_HEAD(&q->active); ++ for (i = 0; i < TCQ_ETS_MAX_BANDS; i++) ++ INIT_LIST_HEAD(&q->classes[i].alist); ++ + return ets_qdisc_change(sch, opt, extack); + } + diff --git a/queue-5.10/net_sched-sch_ets-implement-lockless-ets_dump.patch b/queue-5.10/net_sched-sch_ets-implement-lockless-ets_dump.patch new file mode 100644 index 0000000000..fcd63f80a1 --- /dev/null +++ b/queue-5.10/net_sched-sch_ets-implement-lockless-ets_dump.patch 
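Review bot: Replacing the whole-struct `memset()` with five per-field resets in ets_qdisc_change() means any member later added to the class structure will silently keep its old contents when a band is removed, and the code does not say that `alist` is the one member being preserved on purpose. A comment above the resets such as `/* Clear field by field: alist must remain a valid list head for bands beyond nbands */` would document the intent. In ets_qdisc_init() the new loop indexes `q->classes[]` up to `TCQ_ETS_MAX_BANDS`; the array declaration is outside the hunk, so its size should be confirmed to match that bound. Both functions start or end outside the hunks.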
@@ -0,0 +1,106 @@ +From stable+bounces-171801-greg=kroah.com@vger.kernel.org Tue Aug 19 16:37:13 2025 +From: Sasha Levin +Date: Tue, 19 Aug 2025 10:32:52 -0400 +Subject: net_sched: sch_ets: implement lockless ets_dump() +To: stable@vger.kernel.org +Cc: Eric Dumazet , Simon Horman , "David S. Miller" , Sasha Levin +Message-ID: <20250819143253.512050-2-sashal@kernel.org> + +From: Eric Dumazet + +[ Upstream commit c5f1dde7f731e7bf2e7c169ca42cb4989fc2f8b9 ] + +Instead of relying on RTNL, ets_dump() can use READ_ONCE() +annotations, paired with WRITE_ONCE() ones in ets_change(). + +Signed-off-by: Eric Dumazet +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Stable-dep-of: 87c6efc5ce9c ("net/sched: ets: use old 'nbands' while purging unused classes") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_ets.c | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +--- a/net/sched/sch_ets.c ++++ b/net/sched/sch_ets.c +@@ -664,7 +664,7 @@ static int ets_qdisc_change(struct Qdisc + + sch_tree_lock(sch); + +- q->nbands = nbands; ++ WRITE_ONCE(q->nbands, nbands); + for (i = nstrict; i < q->nstrict; i++) { + if (q->classes[i].qdisc->q.qlen) { + list_add_tail(&q->classes[i].alist, &q->active); +@@ -676,11 +676,11 @@ static int ets_qdisc_change(struct Qdisc + list_del_init(&q->classes[i].alist); + qdisc_purge_queue(q->classes[i].qdisc); + } +- q->nstrict = nstrict; ++ WRITE_ONCE(q->nstrict, nstrict); + memcpy(q->prio2band, priomap, sizeof(priomap)); + + for (i = 0; i < q->nbands; i++) +- q->classes[i].quantum = quanta[i]; ++ WRITE_ONCE(q->classes[i].quantum, quanta[i]); + + for (i = oldbands; i < q->nbands; i++) { + q->classes[i].qdisc = queues[i]; +@@ -694,7 +694,7 @@ static int ets_qdisc_change(struct Qdisc + for (i = q->nbands; i < oldbands; i++) { + qdisc_put(q->classes[i].qdisc); + q->classes[i].qdisc = NULL; +- q->classes[i].quantum = 0; ++ WRITE_ONCE(q->classes[i].quantum, 0); + q->classes[i].deficit = 
0; + memset(&q->classes[i].bstats, 0, sizeof(q->classes[i].bstats)); + memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats)); +@@ -751,6 +751,7 @@ static int ets_qdisc_dump(struct Qdisc * + struct ets_sched *q = qdisc_priv(sch); + struct nlattr *opts; + struct nlattr *nest; ++ u8 nbands, nstrict; + int band; + int prio; + int err; +@@ -763,21 +764,22 @@ static int ets_qdisc_dump(struct Qdisc * + if (!opts) + goto nla_err; + +- if (nla_put_u8(skb, TCA_ETS_NBANDS, q->nbands)) ++ nbands = READ_ONCE(q->nbands); ++ if (nla_put_u8(skb, TCA_ETS_NBANDS, nbands)) + goto nla_err; + +- if (q->nstrict && +- nla_put_u8(skb, TCA_ETS_NSTRICT, q->nstrict)) ++ nstrict = READ_ONCE(q->nstrict); ++ if (nstrict && nla_put_u8(skb, TCA_ETS_NSTRICT, nstrict)) + goto nla_err; + +- if (q->nbands > q->nstrict) { ++ if (nbands > nstrict) { + nest = nla_nest_start(skb, TCA_ETS_QUANTA); + if (!nest) + goto nla_err; + +- for (band = q->nstrict; band < q->nbands; band++) { ++ for (band = nstrict; band < nbands; band++) { + if (nla_put_u32(skb, TCA_ETS_QUANTA_BAND, +- q->classes[band].quantum)) ++ READ_ONCE(q->classes[band].quantum))) + goto nla_err; + } + +@@ -789,7 +791,8 @@ static int ets_qdisc_dump(struct Qdisc * + goto nla_err; + + for (prio = 0; prio <= TC_PRIO_MAX; prio++) { +- if (nla_put_u8(skb, TCA_ETS_PRIOMAP_BAND, q->prio2band[prio])) ++ if (nla_put_u8(skb, TCA_ETS_PRIOMAP_BAND, ++ READ_ONCE(q->prio2band[prio]))) + goto nla_err; + } + diff --git a/queue-5.10/nfs-create-an-nfs4_server_set_init_caps-function.patch b/queue-5.10/nfs-create-an-nfs4_server_set_init_caps-function.patch new file mode 100644 index 0000000000..f9c7b07b64 --- /dev/null +++ b/queue-5.10/nfs-create-an-nfs4_server_set_init_caps-function.patch 
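Review bot: ets_qdisc_dump() now reads `q->prio2band[prio]` with READ_ONCE(), but the writer visible in ets_qdisc_change() is still the plain `memcpy(q->prio2band, priomap, sizeof(priomap));`, so that field lacks the READ_ONCE()/WRITE_ONCE() pairing the message describes. The elements are emitted with nla_put_u8(), so tearing is unlikely to be the concern; it is the data-race annotation that is incomplete, and a loop such as `for (i = 0; i <= TC_PRIO_MAX; i++) WRITE_ONCE(q->prio2band[i], priomap[i]);` would close it. `nbands` and `nstrict` are also sampled by two separate reads, so a dump racing with a change can emit a mix of old and new values; if that is accepted behaviour it deserves a comment next to the reads. Whether the 5.10 dump path actually runs without RTNL is not visible here.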
@@ -0,0 +1,96 @@ +From stable+bounces-169823-greg=kroah.com@vger.kernel.org Fri Aug 15 22:47:43 2025 +From: Sasha Levin +Date: Fri, 15 Aug 2025 16:47:30 -0400 +Subject: NFS: Create an nfs4_server_set_init_caps() function +To: stable@vger.kernel.org +Cc: Anna Schumaker , Trond Myklebust , Sasha Levin +Message-ID: <20250815204731.220441-3-sashal@kernel.org> + +From: Anna Schumaker + +[ Upstream commit 01dde76e471229e3437a2686c572f4980b2c483e ] + +And call it before doing an FSINFO probe to reset to the baseline +capabilities before probing. + +Signed-off-by: Anna Schumaker +Signed-off-by: Trond Myklebust +Stable-dep-of: b01f21cacde9 ("NFS: Fix the setting of capabilities when automounting a new filesystem") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/internal.h | 1 + + fs/nfs/nfs4client.c | 33 +++++++++++++++++++-------------- + fs/nfs/nfs4proc.c | 2 ++ + 3 files changed, 22 insertions(+), 14 deletions(-) + +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -222,6 +222,7 @@ extern struct nfs_client * + nfs4_find_client_sessionid(struct net *, const struct sockaddr *, + struct nfs4_sessionid *, u32); + extern struct nfs_server *nfs_create_server(struct fs_context *); ++extern void nfs4_server_set_init_caps(struct nfs_server *); + extern struct nfs_server *nfs4_create_server(struct fs_context *); + extern struct nfs_server *nfs4_create_referral_server(struct fs_context *); + extern int nfs4_update_server(struct nfs_server *server, const char *hostname, +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -1025,6 +1025,24 @@ static void nfs4_session_limit_xasize(st + #endif + } + ++void nfs4_server_set_init_caps(struct nfs_server *server) ++{ ++ /* Set the basic capabilities */ ++ server->caps |= server->nfs_client->cl_mvops->init_caps; ++ if (server->flags & NFS_MOUNT_NORDIRPLUS) ++ server->caps &= ~NFS_CAP_READDIRPLUS; ++ if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA) ++ server->caps &= ~NFS_CAP_READ_PLUS; ++ ++ /* ++ 
* Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower ++ * authentication. ++ */ ++ if (nfs4_disable_idmapping && ++ server->client->cl_auth->au_flavor == RPC_AUTH_UNIX) ++ server->caps |= NFS_CAP_UIDGID_NOMAP; ++} ++ + static int nfs4_server_common_setup(struct nfs_server *server, + struct nfs_fh *mntfh, bool auth_probe) + { +@@ -1044,20 +1062,7 @@ static int nfs4_server_common_setup(stru + if (error < 0) + goto out; + +- /* Set the basic capabilities */ +- server->caps |= server->nfs_client->cl_mvops->init_caps; +- if (server->flags & NFS_MOUNT_NORDIRPLUS) +- server->caps &= ~NFS_CAP_READDIRPLUS; +- if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA) +- server->caps &= ~NFS_CAP_READ_PLUS; +- /* +- * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower +- * authentication. +- */ +- if (nfs4_disable_idmapping && +- server->client->cl_auth->au_flavor == RPC_AUTH_UNIX) +- server->caps |= NFS_CAP_UIDGID_NOMAP; +- ++ nfs4_server_set_init_caps(server); + + /* Probe the root fh to retrieve its FSID and filehandle */ + error = nfs4_get_rootfh(server, mntfh, auth_probe); +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -3934,6 +3934,8 @@ int nfs4_server_capabilities(struct nfs_ + .interruptible = true, + }; + int err; ++ ++ nfs4_server_set_init_caps(server); + do { + err = nfs4_handle_exception(server, + _nfs4_server_capabilities(server, fhandle), diff --git a/queue-5.10/nfs-don-t-set-nfs_ino_reval_pagecache-in-the-inode-cache-validity.patch b/queue-5.10/nfs-don-t-set-nfs_ino_reval_pagecache-in-the-inode-cache-validity.patch new file mode 100644 index 0000000000..a289469e13 --- /dev/null +++ b/queue-5.10/nfs-don-t-set-nfs_ino_reval_pagecache-in-the-inode-cache-validity.patch 
@@ -0,0 +1,73 @@ +From stable+bounces-169821-greg=kroah.com@vger.kernel.org Fri Aug 15 22:47:41 2025 +From: Sasha Levin +Date: Fri, 15 Aug 2025 16:47:28 -0400 +Subject: NFS: Don't set NFS_INO_REVAL_PAGECACHE in the inode cache validity +To: stable@vger.kernel.org +Cc: Trond Myklebust , Sasha Levin +Message-ID: <20250815204731.220441-1-sashal@kernel.org> + +From: Trond Myklebust + +[ Upstream commit 36a9346c225270262d9f34e66c91aa1723fa903f ] + +It is no longer necessary to preserve the NFS_INO_REVAL_PAGECACHE flag. + +Signed-off-by: Trond Myklebust +Stable-dep-of: b01f21cacde9 ("NFS: Fix the setting of capabilities when automounting a new filesystem") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/inode.c | 6 ++---- + fs/nfs/nfs4proc.c | 1 - + 2 files changed, 2 insertions(+), 5 deletions(-) + +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -217,11 +217,12 @@ static void nfs_set_cache_invalid(struct + flags &= ~NFS_INO_INVALID_OTHER; + flags &= ~(NFS_INO_INVALID_CHANGE + | NFS_INO_INVALID_SIZE +- | NFS_INO_REVAL_PAGECACHE + | NFS_INO_INVALID_XATTR); + } else if (flags & NFS_INO_REVAL_PAGECACHE) + flags |= NFS_INO_INVALID_CHANGE | NFS_INO_INVALID_SIZE; + ++ flags &= ~NFS_INO_REVAL_PAGECACHE; ++ + if (!nfs_has_xattr_cache(nfsi)) + flags &= ~NFS_INO_INVALID_XATTR; + if (inode->i_mapping->nrpages == 0) +@@ -1900,7 +1901,6 @@ static int nfs_update_inode(struct inode + nfsi->cache_validity &= ~(NFS_INO_INVALID_ATTR + | NFS_INO_INVALID_ATIME + | NFS_INO_REVAL_FORCED +- | NFS_INO_REVAL_PAGECACHE + | NFS_INO_INVALID_BLOCKS); + + /* Do atomic weak cache consistency updates */ +@@ -1942,7 +1942,6 @@ static int nfs_update_inode(struct inode + } else { + nfsi->cache_validity |= save_cache_validity & + (NFS_INO_INVALID_CHANGE +- | NFS_INO_REVAL_PAGECACHE + | NFS_INO_REVAL_FORCED); + cache_revalidated = false; + } +@@ -1988,7 +1987,6 @@ static int nfs_update_inode(struct inode + } else { + nfsi->cache_validity |= save_cache_validity & + 
(NFS_INO_INVALID_SIZE +- | NFS_INO_REVAL_PAGECACHE + | NFS_INO_REVAL_FORCED); + cache_revalidated = false; + } +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1213,7 +1213,6 @@ nfs4_update_changeattr_locked(struct ino + | cache_validity; + + if (cinfo->atomic && cinfo->before == inode_peek_iversion_raw(inode)) { +- nfsi->cache_validity &= ~NFS_INO_REVAL_PAGECACHE; + nfsi->attrtimeo_timestamp = jiffies; + } else { + if (S_ISDIR(inode->i_mode)) { diff --git a/queue-5.10/nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch b/queue-5.10/nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch new file mode 100644 index 0000000000..45580f0890 --- /dev/null +++ b/queue-5.10/nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch 
@@ -0,0 +1,171 @@ +From stable+bounces-169824-greg=kroah.com@vger.kernel.org Fri Aug 15 22:49:40 2025 +From: Sasha Levin +Date: Fri, 15 Aug 2025 16:47:31 -0400 +Subject: NFS: Fix the setting of capabilities when automounting a new filesystem +To: stable@vger.kernel.org +Cc: Trond Myklebust , Benjamin Coddington , Sasha Levin +Message-ID: <20250815204731.220441-4-sashal@kernel.org> + +From: Trond Myklebust + +[ Upstream commit b01f21cacde9f2878492cf318fee61bf4ccad323 ] + +Capabilities cannot be inherited when we cross into a new filesystem. +They need to be reset to the minimal defaults, and then probed for +again. + +Fixes: 54ceac451598 ("NFS: Share NFS superblocks per-protocol per-server per-FSID") +Cc: stable@vger.kernel.org +Reviewed-by: Benjamin Coddington +Signed-off-by: Trond Myklebust +[ Removed extended capability flags that don't exist in older trees ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/client.c | 46 ++++++++++++++++++++++++++++++++++++++++++---- + fs/nfs/internal.h | 2 +- + fs/nfs/nfs4client.c | 20 +------------------- + fs/nfs/nfs4proc.c | 2 +- + 4 files changed, 45 insertions(+), 25 deletions(-) + +--- a/fs/nfs/client.c ++++ b/fs/nfs/client.c +@@ -661,6 +661,44 @@ struct nfs_client *nfs_init_client(struc + } + EXPORT_SYMBOL_GPL(nfs_init_client); + ++static void nfs4_server_set_init_caps(struct nfs_server *server) ++{ ++#if IS_ENABLED(CONFIG_NFS_V4) ++ /* Set the basic capabilities */ ++ server->caps = server->nfs_client->cl_mvops->init_caps; ++ if (server->flags & NFS_MOUNT_NORDIRPLUS) ++ server->caps &= ~NFS_CAP_READDIRPLUS; ++ if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA) ++ server->caps &= ~NFS_CAP_READ_PLUS; ++ ++ /* ++ * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower ++ * authentication. 
++ */ ++ if (nfs4_disable_idmapping && ++ server->client->cl_auth->au_flavor == RPC_AUTH_UNIX) ++ server->caps |= NFS_CAP_UIDGID_NOMAP; ++#endif ++} ++ ++void nfs_server_set_init_caps(struct nfs_server *server) ++{ ++ switch (server->nfs_client->rpc_ops->version) { ++ case 2: ++ server->caps = NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS; ++ break; ++ case 3: ++ server->caps = NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS; ++ if (!(server->flags & NFS_MOUNT_NORDIRPLUS)) ++ server->caps |= NFS_CAP_READDIRPLUS; ++ break; ++ default: ++ nfs4_server_set_init_caps(server); ++ break; ++ } ++} ++EXPORT_SYMBOL_GPL(nfs_server_set_init_caps); ++ + /* + * Create a version 2 or 3 client + */ +@@ -699,9 +737,6 @@ static int nfs_init_server(struct nfs_se + /* Initialise the client representation from the mount data */ + server->flags = ctx->flags; + server->options = ctx->options; +- server->caps |= NFS_CAP_HARDLINKS|NFS_CAP_SYMLINKS|NFS_CAP_FILEID| +- NFS_CAP_MODE|NFS_CAP_NLINK|NFS_CAP_OWNER|NFS_CAP_OWNER_GROUP| +- NFS_CAP_ATIME|NFS_CAP_CTIME|NFS_CAP_MTIME; + + if (ctx->rsize) + server->rsize = nfs_block_size(ctx->rsize, NULL); +@@ -726,6 +761,8 @@ static int nfs_init_server(struct nfs_se + if (error < 0) + goto error; + ++ nfs_server_set_init_caps(server); ++ + /* Preserve the values of mount_server-related mount options */ + if (ctx->mount_server.addrlen) { + memcpy(&server->mountd_address, &ctx->mount_server.address, +@@ -867,7 +904,6 @@ void nfs_server_copy_userdata(struct nfs + target->acregmax = source->acregmax; + target->acdirmin = source->acdirmin; + target->acdirmax = source->acdirmax; +- target->caps = source->caps; + target->options = source->options; + target->auth_info = source->auth_info; + target->port = source->port; +@@ -1076,6 +1112,8 @@ struct nfs_server *nfs_clone_server(stru + if (error < 0) + goto out_free_server; + ++ nfs_server_set_init_caps(server); ++ + /* probe the filesystem info for this server filesystem */ + error = nfs_probe_fsinfo(server, fh, fattr_fsinfo); + 
if (error < 0) +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -222,7 +222,7 @@ extern struct nfs_client * + nfs4_find_client_sessionid(struct net *, const struct sockaddr *, + struct nfs4_sessionid *, u32); + extern struct nfs_server *nfs_create_server(struct fs_context *); +-extern void nfs4_server_set_init_caps(struct nfs_server *); ++extern void nfs_server_set_init_caps(struct nfs_server *); + extern struct nfs_server *nfs4_create_server(struct fs_context *); + extern struct nfs_server *nfs4_create_referral_server(struct fs_context *); + extern int nfs4_update_server(struct nfs_server *server, const char *hostname, +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -1025,24 +1025,6 @@ static void nfs4_session_limit_xasize(st + #endif + } + +-void nfs4_server_set_init_caps(struct nfs_server *server) +-{ +- /* Set the basic capabilities */ +- server->caps |= server->nfs_client->cl_mvops->init_caps; +- if (server->flags & NFS_MOUNT_NORDIRPLUS) +- server->caps &= ~NFS_CAP_READDIRPLUS; +- if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA) +- server->caps &= ~NFS_CAP_READ_PLUS; +- +- /* +- * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower +- * authentication. 
+- */ +- if (nfs4_disable_idmapping && +- server->client->cl_auth->au_flavor == RPC_AUTH_UNIX) +- server->caps |= NFS_CAP_UIDGID_NOMAP; +-} +- + static int nfs4_server_common_setup(struct nfs_server *server, + struct nfs_fh *mntfh, bool auth_probe) + { +@@ -1062,7 +1044,7 @@ static int nfs4_server_common_setup(stru + if (error < 0) + goto out; + +- nfs4_server_set_init_caps(server); ++ nfs_server_set_init_caps(server); + + /* Probe the root fh to retrieve its FSID and filehandle */ + error = nfs4_get_rootfh(server, mntfh, auth_probe); +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -3935,7 +3935,7 @@ int nfs4_server_capabilities(struct nfs_ + }; + int err; + +- nfs4_server_set_init_caps(server); ++ nfs_server_set_init_caps(server); + do { + err = nfs4_handle_exception(server, + _nfs4_server_capabilities(server, fhandle), diff --git a/queue-5.10/nfsv4-fix-nfs4_bitmap_copy_adjust.patch b/queue-5.10/nfsv4-fix-nfs4_bitmap_copy_adjust.patch new file mode 100644 index 0000000000..b3946fa92d --- /dev/null +++ b/queue-5.10/nfsv4-fix-nfs4_bitmap_copy_adjust.patch 
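Review bot: For NFSv2 and NFSv3 the new nfs_server_set_init_caps() assigns only `NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS` (plus READDIRPLUS on v3), while the line this patch removes from nfs_init_server() also granted NFS_CAP_FILEID, MODE, NLINK, OWNER, OWNER_GROUP, ATIME, CTIME and MTIME. The backport note says flags missing from older trees were dropped, yet these eight evidently exist in this tree since the removed line names them; if attribute-cache code outside this patch still tests them, v2/v3 mounts would silently lose those capabilities. Keeping the removed set as the v2/v3 baseline, as sketched below with a proposed macro name, preserves the old behaviour while still resetting caps on clone. nfs_init_server() and nfs_clone_server() continue outside the hunks.

```c
/* Baseline the removed nfs_init_server() line used to grant to v2/v3 servers */
#define NFS_V2V3_INIT_CAPS (NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS | \
			    NFS_CAP_FILEID | NFS_CAP_MODE | NFS_CAP_NLINK | \
			    NFS_CAP_OWNER | NFS_CAP_OWNER_GROUP | \
			    NFS_CAP_ATIME | NFS_CAP_CTIME | NFS_CAP_MTIME)

void nfs_server_set_init_caps(struct nfs_server *server)
{
	switch (server->nfs_client->rpc_ops->version) {
	case 2:
		server->caps = NFS_V2V3_INIT_CAPS;
		break;
	case 3:
		server->caps = NFS_V2V3_INIT_CAPS;
		/* … unchanged: READDIRPLUS handling and the default (v4) case … */
```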
@@ -0,0 +1,104 @@ +From stable+bounces-169822-greg=kroah.com@vger.kernel.org Fri Aug 15 22:47:43 2025 +From: Sasha Levin +Date: Fri, 15 Aug 2025 16:47:29 -0400 +Subject: NFSv4: Fix nfs4_bitmap_copy_adjust() +To: stable@vger.kernel.org +Cc: Trond Myklebust , Sasha Levin +Message-ID: <20250815204731.220441-2-sashal@kernel.org> + +From: Trond Myklebust + +[ Upstream commit a71029b86752e8d40301af235a6bbf4896cc1402 ] + +Don't remove flags from the set retrieved from the cache_validity. +We do want to retrieve all attributes that are listed as being +invalid, whether or not there is a delegation set. + +Signed-off-by: Trond Myklebust +Stable-dep-of: b01f21cacde9 ("NFS: Fix the setting of capabilities when automounting a new filesystem") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4proc.c | 33 ++++++++++++++++----------------- + 1 file changed, 16 insertions(+), 17 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -292,7 +292,7 @@ const u32 nfs4_fs_locations_bitmap[3] = + }; + + static void nfs4_bitmap_copy_adjust(__u32 *dst, const __u32 *src, +- struct inode *inode) ++ struct inode *inode, unsigned long flags) + { + unsigned long cache_validity; + +@@ -300,22 +300,19 @@ static void nfs4_bitmap_copy_adjust(__u3 + if (!inode || !nfs4_have_delegation(inode, FMODE_READ)) + return; + +- cache_validity = READ_ONCE(NFS_I(inode)->cache_validity); +- if (!(cache_validity & NFS_INO_REVAL_FORCED)) +- cache_validity &= ~(NFS_INO_INVALID_CHANGE +- | NFS_INO_INVALID_SIZE); ++ cache_validity = READ_ONCE(NFS_I(inode)->cache_validity) | flags; + ++ /* Remove the attributes over which we have full control */ ++ dst[1] &= ~FATTR4_WORD1_RAWDEV; + if (!(cache_validity & NFS_INO_INVALID_SIZE)) + dst[0] &= ~FATTR4_WORD0_SIZE; + + if (!(cache_validity & NFS_INO_INVALID_CHANGE)) + dst[0] &= ~FATTR4_WORD0_CHANGE; +-} + +-static void nfs4_bitmap_copy_adjust_setattr(__u32 *dst, +- const __u32 *src, struct inode *inode) +-{ +- 
nfs4_bitmap_copy_adjust(dst, src, inode); ++ if (!(cache_validity & NFS_INO_INVALID_OTHER)) ++ dst[1] &= ~(FATTR4_WORD1_MODE | FATTR4_WORD1_OWNER | ++ FATTR4_WORD1_OWNER_GROUP); + } + + static void nfs4_setup_readdir(u64 cookie, __be32 *verifier, struct dentry *dentry, +@@ -3379,12 +3376,15 @@ static int nfs4_do_setattr(struct inode + .inode = inode, + .stateid = &arg.stateid, + }; ++ unsigned long adjust_flags = NFS_INO_INVALID_CHANGE; + int err; + ++ if (sattr->ia_valid & (ATTR_MODE|ATTR_UID|ATTR_GID)) ++ adjust_flags |= NFS_INO_INVALID_OTHER; ++ + do { +- nfs4_bitmap_copy_adjust_setattr(bitmask, +- nfs4_bitmask(server, olabel), +- inode); ++ nfs4_bitmap_copy_adjust(bitmask, nfs4_bitmask(server, olabel), ++ inode, adjust_flags); + + err = _nfs4_do_setattr(inode, &arg, &res, cred, ctx); + switch (err) { +@@ -4192,8 +4192,7 @@ static int _nfs4_proc_getattr(struct nfs + if (inode && (server->flags & NFS_MOUNT_SOFTREVAL)) + task_flags |= RPC_TASK_TIMEOUT; + +- nfs4_bitmap_copy_adjust(bitmask, nfs4_bitmask(server, label), inode); +- ++ nfs4_bitmap_copy_adjust(bitmask, nfs4_bitmask(server, label), inode, 0); + nfs_fattr_init(fattr); + nfs4_init_sequence(&args.seq_args, &res.seq_res, 0, 0); + return nfs4_do_call_sync(server->client, server, &msg, +@@ -4795,8 +4794,8 @@ static int _nfs4_proc_link(struct inode + } + + nfs4_inode_make_writeable(inode); +- nfs4_bitmap_copy_adjust_setattr(bitmask, nfs4_bitmask(server, res.label), inode); +- ++ nfs4_bitmap_copy_adjust(bitmask, nfs4_bitmask(server, res.label), inode, ++ NFS_INO_INVALID_CHANGE); + status = nfs4_call_sync(server->client, server, &msg, &arg.seq_args, &res.seq_res, 1); + if (!status) { + nfs4_update_changeattr(dir, &res.cinfo, res.fattr->time_start, diff --git a/queue-5.10/rdma-rxe-return-cqe-error-if-invalid-lkey-was-supplied.patch b/queue-5.10/rdma-rxe-return-cqe-error-if-invalid-lkey-was-supplied.patch new file mode 100644 index 0000000000..f2ae72a4d7 --- /dev/null 
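Review bot: The new `unsigned long flags` parameter of nfs4_bitmap_copy_adjust() is undocumented and its name does not say which flag space it takes; the body ORs it into `cache_validity`, and the callers shown pass `NFS_INO_INVALID_CHANGE`, `NFS_INO_INVALID_OTHER` or 0. A short comment above the function would make the contract clear, for example `/* @flags: extra NFS_INO_INVALID_* bits to treat as invalid, so the matching attributes stay in dst even when a read delegation is held */`. The function's opening lines are outside the hunk.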
+++ b/queue-5.10/rdma-rxe-return-cqe-error-if-invalid-lkey-was-supplied.patch 
@@ -0,0 +1,103 @@ +From stable+bounces-167100-greg=kroah.com@vger.kernel.org Tue Aug 12 08:26:13 2025 +From: Shivani Agarwal +Date: Mon, 11 Aug 2025 23:12:31 -0700 +Subject: RDMA/rxe: Return CQE error if invalid lkey was supplied +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: bcm-kernel-feedback-list@broadcom.com, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, tapas.kundu@broadcom.com, zyjzyj2000@gmail.com, jgg@ziepe.ca, leon@kernel.org, richardcochran@gmail.com, monis@mellanox.com, kamalh@mellanox.com, haggaie@mellanox.com, amirv@mellanox.com, dledford@redhat.com, linux-rdma@vger.kernel.org, netdev@vger.kernel.org, Leon Romanovsky , Jason Gunthorpe , Sasha Levin , Shivani Agarwal +Message-ID: <20250812061231.149309-1-shivani.agarwal@broadcom.com> + +From: Leon Romanovsky + +[ Upstream commit dc07628bd2bbc1da768e265192c28ebd301f509d ] + +RXE is missing update of WQE status in LOCAL_WRITE failures. This caused +the following kernel panic if someone sent an atomic operation with an +explicitly wrong lkey. + +[leonro@vm ~]$ mkt test +test_atomic_invalid_lkey (tests.test_atomic.AtomicTest) ... 
+ WARNING: CPU: 5 PID: 263 at drivers/infiniband/sw/rxe/rxe_comp.c:740 rxe_completer+0x1a6d/0x2e30 [rdma_rxe] + Modules linked in: crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel rdma_ucm rdma_cm ib_umad ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core ptp pps_core + CPU: 5 PID: 263 Comm: python3 Not tainted 5.13.0-rc1+ #2936 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + RIP: 0010:rxe_completer+0x1a6d/0x2e30 [rdma_rxe] + Code: 03 0f 8e 65 0e 00 00 3b 93 10 06 00 00 0f 84 82 0a 00 00 4c 89 ff 4c 89 44 24 38 e8 2d 74 a9 e1 4c 8b 44 24 38 e9 1c f5 ff ff <0f> 0b e9 0c e8 ff ff b8 05 00 00 00 41 bf 05 00 00 00 e9 ab e7 ff + RSP: 0018:ffff8880158af090 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: ffff888016a78000 RCX: ffffffffa0cf1652 + RDX: 1ffff9200004b442 RSI: 0000000000000004 RDI: ffffc9000025a210 + RBP: dffffc0000000000 R08: 00000000ffffffea R09: ffff88801617740b + R10: ffffed1002c2ee81 R11: 0000000000000007 R12: ffff88800f3b63e8 + R13: ffff888016a78008 R14: ffffc9000025a180 R15: 000000000000000c + FS: 00007f88b622a740(0000) GS:ffff88806d540000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f88b5a1fa10 CR3: 000000000d848004 CR4: 0000000000370ea0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + rxe_do_task+0x130/0x230 [rdma_rxe] + rxe_rcv+0xb11/0x1df0 [rdma_rxe] + rxe_loopback+0x157/0x1e0 [rdma_rxe] + rxe_responder+0x5532/0x7620 [rdma_rxe] + rxe_do_task+0x130/0x230 [rdma_rxe] + rxe_rcv+0x9c8/0x1df0 [rdma_rxe] + rxe_loopback+0x157/0x1e0 [rdma_rxe] + rxe_requester+0x1efd/0x58c0 [rdma_rxe] + rxe_do_task+0x130/0x230 [rdma_rxe] + rxe_post_send+0x998/0x1860 [rdma_rxe] + ib_uverbs_post_send+0xd5f/0x1220 [ib_uverbs] + ib_uverbs_write+0x847/0xc80 [ib_uverbs] + vfs_write+0x1c5/0x840 + ksys_write+0x176/0x1d0 + do_syscall_64+0x3f/0x80 + 
entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/11e7b553f3a6f5371c6bb3f57c494bb52b88af99.1620711734.git.leonro@nvidia.com +Signed-off-by: Leon Romanovsky +Acked-by: Zhu Yanjun +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +[Shivani: Modified to apply on 5.10.y] +Signed-off-by: Shivani Agarwal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/sw/rxe/rxe_comp.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/drivers/infiniband/sw/rxe/rxe_comp.c ++++ b/drivers/infiniband/sw/rxe/rxe_comp.c +@@ -346,13 +346,15 @@ static inline enum comp_state do_read(st + ret = copy_data(qp->pd, IB_ACCESS_LOCAL_WRITE, + &wqe->dma, payload_addr(pkt), + payload_size(pkt), to_mem_obj, NULL); +- if (ret) ++ if (ret) { ++ wqe->status = IB_WC_LOC_PROT_ERR; + return COMPST_ERROR; ++ } + + if (wqe->dma.resid == 0 && (pkt->mask & RXE_END_MASK)) + return COMPST_COMP_ACK; +- else +- return COMPST_UPDATE_COMP; ++ ++ return COMPST_UPDATE_COMP; + } + + static inline enum comp_state do_atomic(struct rxe_qp *qp, +@@ -366,10 +368,12 @@ static inline enum comp_state do_atomic( + ret = copy_data(qp->pd, IB_ACCESS_LOCAL_WRITE, + &wqe->dma, &atomic_orig, + sizeof(u64), to_mem_obj, NULL); +- if (ret) ++ if (ret) { ++ wqe->status = IB_WC_LOC_PROT_ERR; + return COMPST_ERROR; +- else +- return COMPST_COMP_ACK; ++ } ++ ++ return COMPST_COMP_ACK; + } + + static void make_send_cqe(struct rxe_qp *qp, struct rxe_send_wqe *wqe, diff --git a/queue-5.10/scsi-lpfc-fix-link-down-processing-to-address-null-pointer-dereference.patch b/queue-5.10/scsi-lpfc-fix-link-down-processing-to-address-null-pointer-dereference.patch new file mode 100644 index 0000000000..e0a3bb4eaa --- /dev/null +++ b/queue-5.10/scsi-lpfc-fix-link-down-processing-to-address-null-pointer-dereference.patch 
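Review bot: Both new error branches, in do_read() and in do_atomic(), report `IB_WC_LOC_PROT_ERR` for every non-zero return of copy_data(), so the completion status cannot tell the consumer why the local copy failed. copy_data() is defined outside these hunks; if it can also fail on a length mismatch rather than an lkey or access check, `IB_WC_LOC_LEN_ERR` would be the accurate status for that case. At minimum I would document the choice next to the assignment, e.g. `/* every copy_data() failure is reported as a local protection error */`. Both functions begin outside the hunks.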
@@ -0,0 +1,59 @@ +From stable+bounces-167099-greg=kroah.com@vger.kernel.org Tue Aug 12 08:22:10 2025 +From: Shivani Agarwal +Date: Mon, 11 Aug 2025 23:08:22 -0700 +Subject: scsi: lpfc: Fix link down processing to address NULL pointer dereference +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: bcm-kernel-feedback-list@broadcom.com, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, tapas.kundu@broadcom.com, james.smart@broadcom.com, dick.kennedy@broadcom.com, James.Bottomley@HansenPartnership.com, martin.petersen@oracle.com, linux-scsi@vger.kernel.org, James Smart , Justin Tee , Sasha Levin , Shivani Agarwal +Message-ID: <20250812060822.149216-1-shivani.agarwal@broadcom.com> + +From: James Smart + +[ Upstream commit 1854f53ccd88ad4e7568ddfafafffe71f1ceb0a6 ] + +If an FC link down transition while PLOGIs are outstanding to fabric well +known addresses, outstanding ABTS requests may result in a NULL pointer +dereference. Driver unload requests may hang with repeated "2878" log +messages. + +The Link down processing results in ABTS requests for outstanding ELS +requests. The Abort WQEs are sent for the ELSs before the driver had set +the link state to down. Thus the driver is sending the Abort with the +expectation that an ABTS will be sent on the wire. The Abort request is +stalled waiting for the link to come up. In some conditions the driver may +auto-complete the ELSs thus if the link does come up, the Abort completions +may reference an invalid structure. + +Fix by ensuring that Abort set the flag to avoid link traffic if issued due +to conditions where the link failed. + +Link: https://lore.kernel.org/r/20211020211417.88754-7-jsmart2021@gmail.com +Co-developed-by: Justin Tee +Signed-off-by: Justin Tee +Signed-off-by: James Smart +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +[Shivani: Modified to apply on 5.10.y] +Signed-off-by: Shivani Agarwal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/lpfc/lpfc_sli.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -11432,10 +11432,12 @@ lpfc_sli_abort_iotag_issue(struct lpfc_h + if (cmdiocb->iocb_flag & LPFC_IO_FOF) + abtsiocbp->iocb_flag |= LPFC_IO_FOF; + +- if (phba->link_state >= LPFC_LINK_UP) +- iabt->ulpCommand = CMD_ABORT_XRI_CN; +- else ++ if (phba->link_state < LPFC_LINK_UP || ++ (phba->sli_rev == LPFC_SLI_REV4 && ++ phba->sli4_hba.link_state.status == LPFC_FC_LA_TYPE_LINK_DOWN)) + iabt->ulpCommand = CMD_CLOSE_XRI_CN; ++ else ++ iabt->ulpCommand = CMD_ABORT_XRI_CN; + + abtsiocbp->iocb_cmpl = lpfc_sli_abort_els_cmpl; + abtsiocbp->vport = vport; diff --git a/queue-5.10/scsi-pm80xx-fix-memory-leak-during-rmmod.patch b/queue-5.10/scsi-pm80xx-fix-memory-leak-during-rmmod.patch new file mode 100644 index 0000000000..b9a82c9576 --- /dev/null +++ b/queue-5.10/scsi-pm80xx-fix-memory-leak-during-rmmod.patch 
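Review bot: The rewritten condition in lpfc_sli_abort_iotag_issue() consults two different link-state sources, `phba->link_state` and, on SLI4, `phba->sli4_hba.link_state.status`, with no comment saying why either one being down selects `CMD_CLOSE_XRI_CN`. The reasoning lives only in the commit message, so I would add above the `if`: `/* Link is down or going down: close the XRI locally, an ABTS cannot be sent on the wire */`. Whether these fields are read under a lock is not visible here, because the function starts and ends outside the hunk.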
@@ -0,0 +1,68 @@ +From stable+bounces-166983-greg=kroah.com@vger.kernel.org Mon Aug 11 07:34:08 2025 +From: Shivani Agarwal +Date: Sun, 10 Aug 2025 22:20:35 -0700 +Subject: scsi: pm80xx: Fix memory leak during rmmod +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: bcm-kernel-feedback-list@broadcom.com, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, tapas.kundu@broadcom.com, James.Bottomley@HansenPartnership.com, jinpu.wang@cloud.ionos.com, martin.petersen@oracle.com, linux-scsi@vger.kernel.org, Ajish Koshy , Jack Wang , Viswas G , Sasha Levin , Shivani Agarwal +Message-ID: <20250811052035.145021-1-shivani.agarwal@broadcom.com> + +From: Ajish Koshy + +[ Upstream commit 51e6ed83bb4ade7c360551fa4ae55c4eacea354b ] + +Driver failed to release all memory allocated. This would lead to memory +leak during driver removal. + +Properly free memory when the module is removed. + +Link: https://lore.kernel.org/r/20210906170404.5682-5-Ajish.Koshy@microchip.com +Acked-by: Jack Wang +Signed-off-by: Ajish Koshy +Signed-off-by: Viswas G +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +[Shivani: Modified to apply on 5.10.y] +Signed-off-by: Shivani Agarwal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/pm8001/pm8001_init.c | 11 +++++++++++ + drivers/scsi/pm8001/pm8001_sas.h | 1 + + 2 files changed, 12 insertions(+) + +--- a/drivers/scsi/pm8001/pm8001_init.c ++++ b/drivers/scsi/pm8001/pm8001_init.c +@@ -1166,6 +1166,7 @@ pm8001_init_ccb_tag(struct pm8001_hba_in + goto err_out; + + /* Memory region for ccb_info*/ ++ pm8001_ha->ccb_count = ccb_count; + pm8001_ha->ccb_info = (struct pm8001_ccb_info *) + kcalloc(ccb_count, sizeof(struct pm8001_ccb_info), GFP_KERNEL); + if (!pm8001_ha->ccb_info) { +@@ -1226,6 +1227,16 @@ static void pm8001_pci_remove(struct pci + tasklet_kill(&pm8001_ha->tasklet[j]); + #endif + scsi_host_put(pm8001_ha->shost); ++ ++ for (i = 0; i < pm8001_ha->ccb_count; i++) { ++ dma_free_coherent(&pm8001_ha->pdev->dev, ++ sizeof(struct pm8001_prd) * PM8001_MAX_DMA_SG, ++ pm8001_ha->ccb_info[i].buf_prd, ++ pm8001_ha->ccb_info[i].ccb_dma_handle); ++ } ++ kfree(pm8001_ha->ccb_info); ++ kfree(pm8001_ha->devices); ++ + pm8001_free(pm8001_ha); + kfree(sha->sas_phy); + kfree(sha->sas_port); +--- a/drivers/scsi/pm8001/pm8001_sas.h ++++ b/drivers/scsi/pm8001/pm8001_sas.h +@@ -515,6 +515,7 @@ struct pm8001_hba_info { + u32 iomb_size; /* SPC and SPCV IOMB size */ + struct pm8001_device *devices; + struct pm8001_ccb_info *ccb_info; ++ u32 ccb_count; + #ifdef PM8001_USE_MSIX + int number_of_intr;/*will be used in remove()*/ + char intr_drvname[PM8001_MAX_MSIX_VEC] diff --git a/queue-5.10/scsi-ufs-exynos-fix-programming-of-hci_utrl_nexus_type.patch b/queue-5.10/scsi-ufs-exynos-fix-programming-of-hci_utrl_nexus_type.patch new file mode 100644 index 0000000000..b06d69b978 --- /dev/null +++ b/queue-5.10/scsi-ufs-exynos-fix-programming-of-hci_utrl_nexus_type.patch 
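Review bot: In pm8001_init_ccb_tag() `pm8001_ha->ccb_count = ccb_count;` is stored before the kcalloc() result is checked, and the new loop in pm8001_pci_remove() indexes `pm8001_ha->ccb_info[i]` for every `i < ccb_count` with no NULL check. If any path can reach that loop after a failed or partial allocation (not visible in these hunks), it would dereference a NULL `ccb_info` or hand an unallocated `buf_prd` to dma_free_coherent(). Assigning the count only after the allocation succeeds, or guarding the loop with `if (pm8001_ha->ccb_info)`, makes the teardown safe however it is reached. Both functions continue outside the hunks.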
@@ -0,0 +1,58 @@ +From stable+bounces-172482-greg=kroah.com@vger.kernel.org Fri Aug 22 19:44:22 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 13:43:47 -0400 +Subject: scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE +To: stable@vger.kernel.org +Cc: "André Draszik" , "Bart Van Assche" , "Peter Griffin" , "Martin K. Petersen" , "Sasha Levin" +Message-ID: <20250822174347.1341004-1-sashal@kernel.org> + +From: André Draszik + +[ Upstream commit 01aad16c2257ab8ff33b152b972c9f2e1af47912 ] + +On Google gs101, the number of UTP transfer request slots (nutrs) is 32, +and in this case the driver ends up programming the UTRL_NEXUS_TYPE +incorrectly as 0. + +This is because the left hand side of the shift is 1, which is of type +int, i.e. 31 bits wide. Shifting by more than that width results in +undefined behaviour. + +Fix this by switching to the BIT() macro, which applies correct type +casting as required. This ensures the correct value is written to +UTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift +warning: + + UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21 + shift exponent 32 is too large for 32-bit type 'int' + +For consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE +write. + +Fixes: 55f4b1f73631 ("scsi: ufs: ufs-exynos: Add UFS host support for Exynos SoCs") +Cc: stable@vger.kernel.org +Signed-off-by: André Draszik +Link: https://lore.kernel.org/r/20250707-ufs-exynos-shift-v1-1-1418e161ae40@linaro.org +Reviewed-by: Bart Van Assche +Reviewed-by: Peter Griffin +Signed-off-by: Martin K. 
Petersen +[ Adjusted path from drivers/ufs/host to drivers/scsi/ufs ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ufs/ufs-exynos.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/ufs/ufs-exynos.c ++++ b/drivers/scsi/ufs/ufs-exynos.c +@@ -850,8 +850,8 @@ static int exynos_ufs_post_link(struct u + hci_writel(ufs, 0xa, HCI_DATA_REORDER); + hci_writel(ufs, PRDT_SET_SIZE(12), HCI_TXPRDT_ENTRY_SIZE); + hci_writel(ufs, PRDT_SET_SIZE(12), HCI_RXPRDT_ENTRY_SIZE); +- hci_writel(ufs, (1 << hba->nutrs) - 1, HCI_UTRL_NEXUS_TYPE); +- hci_writel(ufs, (1 << hba->nutmrs) - 1, HCI_UTMRL_NEXUS_TYPE); ++ hci_writel(ufs, BIT(hba->nutrs) - 1, HCI_UTRL_NEXUS_TYPE); ++ hci_writel(ufs, BIT(hba->nutmrs) - 1, HCI_UTMRL_NEXUS_TYPE); + hci_writel(ufs, 0xf, HCI_AXIDMA_RWDATA_BURST_LEN); + + if (ufs->opts & EXYNOS_UFS_OPT_SKIP_CONNECTION_ESTAB) diff --git a/queue-5.10/series b/queue-5.10/series index 781c9a3889..b0275b3be5 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
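Review bot: `BIT(hba->nutrs) - 1` still shifts by the full type width wherever `unsigned long` is 32 bits, because BIT() expands to an `unsigned long` shift; with nutrs equal to 32 the out-of-range shift described in the commit message would remain on such a build. If this driver can be compiled for 32-bit targets (not visible here), `BIT_ULL(hba->nutrs) - 1` is well defined for any count up to 63, and the same applies to the `hba->nutmrs` line below it. exynos_ufs_post_link() continues outside the hunk.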
@@ -448,3 +448,22 @@ mm-update-memfd-seal-write-check-to-include-f_seal_write.patch mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only.patch selftests-memfd-add-test-for-mapping-write-sealed-memfd-read-only.patch dma-buf-insert-memory-barrier-before-updating-num_fences.patch +drm-amdgpu-handle-the-case-of-pci_channel_io_frozen-only-in-amdgpu_pci_resume.patch +rdma-rxe-return-cqe-error-if-invalid-lkey-was-supplied.patch +scsi-lpfc-fix-link-down-processing-to-address-null-pointer-dereference.patch +scsi-pm80xx-fix-memory-leak-during-rmmod.patch +nfs-don-t-set-nfs_ino_reval_pagecache-in-the-inode-cache-validity.patch +nfsv4-fix-nfs4_bitmap_copy_adjust.patch +nfs-create-an-nfs4_server_set_init_caps-function.patch +nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch +net-sched-sch_ets-properly-init-all-active-drr-list-handles.patch +net_sched-sch_ets-implement-lockless-ets_dump.patch +net-sched-ets-use-old-nbands-while-purging-unused-classes.patch +mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch +ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch +scsi-ufs-exynos-fix-programming-of-hci_utrl_nexus_type.patch +iio-adc-ad_sigma_delta-change-to-buffer-predisable.patch +soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch +usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch +usb-musb-omap2430-fix-device-leak-at-unbind.patch +btrfs-populate-otime-when-logging-an-inode-item.patch diff --git a/queue-5.10/soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch b/queue-5.10/soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch new file mode 100644 index 0000000000..3b48a556be --- /dev/null +++ b/queue-5.10/soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch 
@@ -0,0 +1,109 @@
+From stable+bounces-172489-greg=kroah.com@vger.kernel.org Fri Aug 22 20:18:26 2025
+From: Sasha Levin
+Date: Fri, 22 Aug 2025 14:18:15 -0400
+Subject: soc: qcom: mdt_loader: Ensure we don't read past the ELF header
+To: stable@vger.kernel.org
+Cc: Bjorn Andersson , Doug Anderson , Dmitry Baryshkov , Bjorn Andersson , Sasha Levin
+Message-ID: <20250822181815.1360340-1-sashal@kernel.org>
+
+From: Bjorn Andersson
+
+[ Upstream commit 9f9967fed9d066ed3dae9372b45ffa4f6fccfeef ]
+
+When the MDT loader is used in remoteproc, the ELF header is sanitized
+beforehand, but that's not necessary the case for other clients.
+
+Validate the size of the firmware buffer to ensure that we don't read
+past the end as we iterate over the header. e_phentsize and e_shentsize
+are validated as well, to ensure that the assumptions about step size in
+the traversal are valid.
+
+Fixes: 2aad40d911ee ("remoteproc: Move qcom_mdt_loader into drivers/soc/qcom")
+Cc: stable@vger.kernel.org
+Reported-by: Doug Anderson
+Signed-off-by: Bjorn Andersson
+Reviewed-by: Dmitry Baryshkov
+Link: https://lore.kernel.org/r/20250610-mdt-loader-validation-and-fixes-v2-1-f7073e9ab899@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/soc/qcom/mdt_loader.c | 41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+--- a/drivers/soc/qcom/mdt_loader.c
++++ b/drivers/soc/qcom/mdt_loader.c
+@@ -12,11 +12,43 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+ #include
+
++static bool mdt_header_valid(const struct firmware *fw)
++{
++ const struct elf32_hdr *ehdr;
++ size_t phend;
++ size_t shend;
++
++ if (fw->size < sizeof(*ehdr))
++ return false;
++
++ ehdr = (struct elf32_hdr *)fw->data;
++
++ if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG))
++ return false;
++
++ if (ehdr->e_phentsize != sizeof(struct elf32_phdr))
++ return false;
++
++ phend = size_add(size_mul(sizeof(struct elf32_phdr), ehdr->e_phnum), ehdr->e_phoff);
++ if (phend > fw->size)
++ return false;
++
++ if (ehdr->e_shentsize != sizeof(struct elf32_shdr))
++ return false;
++
++ shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff);
++ if (shend > fw->size)
++ return false;
++
++ return true;
++}
++
+ static bool mdt_phdr_valid(const struct elf32_phdr *phdr)
+ {
+ if (phdr->p_type != PT_LOAD)
+@@ -46,6 +78,9 @@ ssize_t qcom_mdt_get_size(const struct f
+ phys_addr_t max_addr = 0;
+ int i;
+
++ if (!mdt_header_valid(fw))
++ return -EINVAL;
++
+ ehdr = (struct elf32_hdr *)fw->data;
+ phdrs = (struct elf32_phdr *)(ehdr + 1);
+
+@@ -92,6 +127,9 @@ void *qcom_mdt_read_metadata(const struc
+ size_t ehdr_size;
+ void *data;
+
++ if (!mdt_header_valid(fw))
++ return ERR_PTR(-EINVAL);
++
+ ehdr = (struct elf32_hdr *)fw->data;
+ phdrs = (struct elf32_phdr *)(ehdr + 1);
+
+@@ -151,6 +189,9 @@ static int __qcom_mdt_load(struct device
+ if (!fw || !mem_region || !mem_phys || !mem_size)
+ return -EINVAL;
+
++ if (!mdt_header_valid(fw))
++ return -EINVAL;
++
+ ehdr = (struct elf32_hdr *)fw->data;
+ phdrs = (struct elf32_phdr *)(ehdr + 1);
+
diff --git a/queue-5.10/usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch b/queue-5.10/usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch
new file mode 100644
index 0000000000..f46134c185
--- /dev/null
+++ b/queue-5.10/usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch
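Review bot: `mdt_header_valid()` bounds the program-header table starting at `e_phoff`, but the three callers it guards (`qcom_mdt_get_size`, `qcom_mdt_read_metadata`, `__qcom_mdt_load`) still take `phdrs = (struct elf32_phdr *)(ehdr + 1);` in the context lines, so the range that was checked is not necessarily the range that gets walked. An image whose `e_phoff` is smaller than `sizeof(*ehdr)` satisfies the `phend > fw->size` test while `e_phnum` entries counted from `ehdr + 1` can still extend beyond `fw->size`. Deriving the table from the validated offset in each caller, `phdrs = (struct elf32_phdr *)(fw->data + ehdr->e_phoff);`, would make the check and the traversal agree. The `e_shentsize` comparison is also unconditional, so an image with `e_shnum == 0` and a zero `e_shentsize` would presumably be refused even though none of the visible callers read section headers. The callers' bodies continue outside these hunks.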
@@ -0,0 +1,60 @@
+From sashal@kernel.org Thu Aug 21 18:14:17 2025
+From: Sasha Levin
+Date: Thu, 21 Aug 2025 12:14:12 -0400
+Subject: usb: musb: omap2430: Convert to platform remove callback returning void
+To: stable@vger.kernel.org
+Cc: "Uwe Kleine-König" , "Greg Kroah-Hartman" , "Sasha Levin"
+Message-ID: <20250821161413.775044-1-sashal@kernel.org>
+
+From: Uwe Kleine-König
+
+[ Upstream commit cb020bf52253327fe382e10bcae02a4f1da33c04 ]
+
+The .remove() callback for a platform driver returns an int which makes
+many driver authors wrongly assume it's possible to do error handling by
+returning an error code. However the value returned is (mostly) ignored
+and this typically results in resource leaks. To improve here there is a
+quest to make the remove callback return void. In the first step of this
+quest all drivers are converted to .remove_new() which already returns
+void.
+
+Trivially convert this driver from always returning zero in the remove
+callback to the void returning variant.
+
+Signed-off-by: Uwe Kleine-König
+Link: https://lore.kernel.org/r/20230405141009.3400693-8-u.kleine-koenig@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman
+Stable-dep-of: 1473e9e7679b ("usb: musb: omap2430: fix device leak at unbind")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/musb/omap2430.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/musb/omap2430.c
++++ b/drivers/usb/musb/omap2430.c
+@@ -432,14 +432,12 @@ err0:
+ return ret;
+ }
+
+-static int omap2430_remove(struct platform_device *pdev)
++static void omap2430_remove(struct platform_device *pdev)
+ {
+ struct omap2430_glue *glue = platform_get_drvdata(pdev);
+
+ platform_device_unregister(glue->musb);
+ pm_runtime_disable(glue->dev);
+-
+- return 0;
+ }
+
+ #ifdef CONFIG_PM
+@@ -509,7 +507,7 @@ MODULE_DEVICE_TABLE(of, omap2430_id_tabl
+
+ static struct platform_driver omap2430_driver = {
+ .probe = omap2430_probe,
+- .remove = omap2430_remove,
++ .remove_new = omap2430_remove,
+ .driver = {
+ .name = "musb-omap2430",
+ .pm = DEV_PM_OPS,
diff --git a/queue-5.10/usb-musb-omap2430-fix-device-leak-at-unbind.patch b/queue-5.10/usb-musb-omap2430-fix-device-leak-at-unbind.patch
new file mode 100644
index 0000000000..170f6d15f4
--- /dev/null
+++ b/queue-5.10/usb-musb-omap2430-fix-device-leak-at-unbind.patch
@@ -0,0 +1,66 @@
+From sashal@kernel.org Thu Aug 21 18:14:17 2025
+From: Sasha Levin
+Date: Thu, 21 Aug 2025 12:14:13 -0400
+Subject: usb: musb: omap2430: fix device leak at unbind
+To: stable@vger.kernel.org
+Cc: Johan Hovold , Roger Quadros , Greg Kroah-Hartman , Sasha Levin
+Message-ID: <20250821161413.775044-2-sashal@kernel.org>
+
+From: Johan Hovold
+
+[ Upstream commit 1473e9e7679bd4f5a62d1abccae894fb86de280f ]
+
+Make sure to drop the reference to the control device taken by
+of_find_device_by_node() during probe when the driver is unbound.
+
+Fixes: 8934d3e4d0e7 ("usb: musb: omap2430: Don't use omap_get_control_dev()")
+Cc: stable@vger.kernel.org # 3.13
+Cc: Roger Quadros
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20250724091910.21092-5-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+[ Removed populate_irqs-related goto changes ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/musb/omap2430.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/musb/omap2430.c
++++ b/drivers/usb/musb/omap2430.c
+@@ -403,13 +403,13 @@ static int omap2430_probe(struct platfor
+ ARRAY_SIZE(musb_resources));
+ if (ret) {
+ dev_err(&pdev->dev, "failed to add resources\n");
+- goto err2;
++ goto err_put_control_otghs;
+ }
+
+ ret = platform_device_add_data(musb, pdata, sizeof(*pdata));
+ if (ret) {
+ dev_err(&pdev->dev, "failed to add platform_data\n");
+- goto err2;
++ goto err_put_control_otghs;
+ }
+
+ pm_runtime_enable(glue->dev);
+@@ -424,7 +424,9 @@ static int omap2430_probe(struct platfor
+
+ err3:
+ pm_runtime_disable(glue->dev);
+-
++err_put_control_otghs:
++ if (!IS_ERR(glue->control_otghs))
++ put_device(glue->control_otghs);
+ err2:
+ platform_device_put(musb);
+
+@@ -438,6 +440,8 @@ static void omap2430_remove(struct platf
+
+ platform_device_unregister(glue->musb);
+ pm_runtime_disable(glue->dev);
++ if (!IS_ERR(glue->control_otghs))
++ put_device(glue->control_otghs);
+ }
+
+ #ifdef CONFIG_PM
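Review bot: Neither `put_device(glue->control_otghs)` site, at the `err_put_control_otghs` label or in `omap2430_remove()`, says which reference it releases or why `!IS_ERR()` is a sufficient guard. That guard only holds if `glue->control_otghs` is set to an `ERR_PTR` value before any path can reach either site, and that assignment is outside these hunks. A one-line comment at both sites would record the pairing, for example `/* drop the reference taken by of_find_device_by_node() in probe */`. Because this backport drops the populate_irqs-related goto changes, it is also worth confirming that no `goto err2` remains in the 5.10 `omap2430_probe()` after the lookup succeeds, since such a path would bypass the new label; the probe body before the first hunk is not shown.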