From: Greg Kroah-Hartman Date: Thu, 20 Nov 2025 15:58:11 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.6.117~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1d76dc7bba535feaac7c67592ddf47ef784c6839;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: dma-mapping-benchmark-restore-padding-to-ensure-uabi-remained-consistent.patch gcov-add-support-for-gcc-15.patch ksmbd-close-accepted-socket-when-per-ip-limit-rejects-connection.patch loongarch-let-pte-pmd-_modify-record-the-status-of-_page_dirty.patch nfsd-free-copynotify-stateid-in-nfs4_free_ol_stateid.patch strparser-fix-signed-unsigned-mismatch-bug.patch --- diff --git a/queue-6.1/dma-mapping-benchmark-restore-padding-to-ensure-uabi-remained-consistent.patch b/queue-6.1/dma-mapping-benchmark-restore-padding-to-ensure-uabi-remained-consistent.patch new file mode 100644 index 0000000000..e480e83d25 --- /dev/null +++ b/queue-6.1/dma-mapping-benchmark-restore-padding-to-ensure-uabi-remained-consistent.patch @@ -0,0 +1,41 @@ +From 23ee8a2563a0f24cf4964685ced23c32be444ab8 Mon Sep 17 00:00:00 2001 +From: Qinxin Xia +Date: Tue, 28 Oct 2025 20:08:59 +0800 +Subject: dma-mapping: benchmark: Restore padding to ensure uABI remained consistent + +From: Qinxin Xia + +commit 23ee8a2563a0f24cf4964685ced23c32be444ab8 upstream. + +The padding field in the structure was previously reserved to +maintain a stable interface for potential new fields, ensuring +compatibility with user-space shared data structures. +However,it was accidentally removed by tiantao in a prior commit, +which may lead to incompatibility between user space and the kernel. + +This patch reinstates the padding to restore the original structure +layout and preserve compatibility. + +Fixes: 8ddde07a3d28 ("dma-mapping: benchmark: extract a common header file for map_benchmark definition") +Cc: stable@vger.kernel.org +Acked-by: Barry Song +Signed-off-by: Qinxin Xia +Reported-by: Barry Song +Closes: https://lore.kernel.org/lkml/CAGsJ_4waiZ2+NBJG+SCnbNk+nQ_ZF13_Q5FHJqZyxyJTcEop2A@mail.gmail.com/ +Reviewed-by: Jonathan Cameron +Signed-off-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20251028120900.2265511-2-xiaqinxin@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/map_benchmark.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/include/linux/map_benchmark.h ++++ b/include/linux/map_benchmark.h +@@ -27,5 +27,6 @@ struct map_benchmark { + __u32 dma_dir; /* DMA data direction */ + __u32 dma_trans_ns; /* time for DMA transmission in ns */ + __u32 granule; /* how many PAGE_SIZE will do map/unmap once a time */ ++ __u8 expansion[76]; /* For future use */ + }; + #endif /* _KERNEL_DMA_BENCHMARK_H */ diff --git a/queue-6.1/gcov-add-support-for-gcc-15.patch b/queue-6.1/gcov-add-support-for-gcc-15.patch new file mode 100644 index 0000000000..a5b974af2b --- /dev/null +++ b/queue-6.1/gcov-add-support-for-gcc-15.patch @@ -0,0 +1,40 @@ +From ec4d11fc4b2dd4a2fa8c9d801ee9753b74623554 Mon Sep 17 00:00:00 2001 +From: Peter Oberparleiter +Date: Tue, 28 Oct 2025 12:51:25 +0100 +Subject: gcov: add support for GCC 15 + +From: Peter Oberparleiter + +commit ec4d11fc4b2dd4a2fa8c9d801ee9753b74623554 upstream. + +Using gcov on kernels compiled with GCC 15 results in truncated 16-byte +long .gcda files with no usable data. To fix this, update GCOV_COUNTERS +to match the value defined by GCC 15. + +Tested with GCC 14.3.0 and GCC 15.2.0. + +Link: https://lkml.kernel.org/r/20251028115125.1319410-1-oberpar@linux.ibm.com +Signed-off-by: Peter Oberparleiter +Reported-by: Matthieu Baerts +Closes: https://github.com/linux-test-project/lcov/issues/445 +Tested-by: Matthieu Baerts +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + kernel/gcov/gcc_4_7.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/gcov/gcc_4_7.c ++++ b/kernel/gcov/gcc_4_7.c +@@ -18,7 +18,9 @@ + #include + #include "gcov.h" + +-#if (__GNUC__ >= 14) ++#if (__GNUC__ >= 15) ++#define GCOV_COUNTERS 10 ++#elif (__GNUC__ >= 14) + #define GCOV_COUNTERS 9 + #elif (__GNUC__ >= 10) + #define GCOV_COUNTERS 8 diff --git a/queue-6.1/ksmbd-close-accepted-socket-when-per-ip-limit-rejects-connection.patch b/queue-6.1/ksmbd-close-accepted-socket-when-per-ip-limit-rejects-connection.patch new file mode 100644 index 0000000000..dfe4ebc75f --- /dev/null +++ b/queue-6.1/ksmbd-close-accepted-socket-when-per-ip-limit-rejects-connection.patch @@ -0,0 +1,42 @@ +From 98a5fd31cbf72d46bf18e50b3ab0ce86d5f319a9 Mon Sep 17 00:00:00 2001 +From: Joshua Rogers +Date: Sat, 8 Nov 2025 22:59:23 +0800 +Subject: ksmbd: close accepted socket when per-IP limit rejects connection + +From: Joshua Rogers + +commit 98a5fd31cbf72d46bf18e50b3ab0ce86d5f319a9 upstream. + +When the per-IP connection limit is exceeded in ksmbd_kthread_fn(), +the code sets ret = -EAGAIN and continues the accept loop without +closing the just-accepted socket. That leaks one socket per rejected +attempt from a single IP and enables a trivial remote DoS. + +Release client_sk before continuing. + +This bug was found with ZeroPath. + +Cc: stable@vger.kernel.org +Signed-off-by: Joshua Rogers +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/transport_tcp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/smb/server/transport_tcp.c ++++ b/fs/smb/server/transport_tcp.c +@@ -282,8 +282,11 @@ static int ksmbd_kthread_fn(void *p) + } + } + up_read(&conn_list_lock); +- if (ret == -EAGAIN) ++ if (ret == -EAGAIN) { ++ /* Per-IP limit hit: release the just-accepted socket. */ ++ sock_release(client_sk); + continue; ++ } + + skip_max_ip_conns_limit: + if (server_conf.max_connections && diff --git a/queue-6.1/loongarch-let-pte-pmd-_modify-record-the-status-of-_page_dirty.patch b/queue-6.1/loongarch-let-pte-pmd-_modify-record-the-status-of-_page_dirty.patch new file mode 100644 index 0000000000..3cb0b202b2 --- /dev/null +++ b/queue-6.1/loongarch-let-pte-pmd-_modify-record-the-status-of-_page_dirty.patch @@ -0,0 +1,56 @@ +From a073d637c8cfbfbab39b7272226a3fbf3b887580 Mon Sep 17 00:00:00 2001 +From: Tianyang Zhang +Date: Sun, 9 Nov 2025 16:02:01 +0800 +Subject: LoongArch: Let {pte,pmd}_modify() record the status of _PAGE_DIRTY + +From: Tianyang Zhang + +commit a073d637c8cfbfbab39b7272226a3fbf3b887580 upstream. + +Now if the PTE/PMD is dirty with _PAGE_DIRTY but without _PAGE_MODIFIED, +after {pte,pmd}_modify() we lose _PAGE_DIRTY, then {pte,pmd}_dirty() +return false and lead to data loss. This can happen in certain scenarios +such as HW PTW doesn't set _PAGE_MODIFIED automatically, so here we need +_PAGE_MODIFIED to record the dirty status (_PAGE_DIRTY). + +The new modification involves checking whether the original PTE/PMD has +the _PAGE_DIRTY flag. If it exists, the _PAGE_MODIFIED bit is also set, +ensuring that the {pte,pmd}_dirty() interface can always return accurate +information. + +Cc: stable@vger.kernel.org +Co-developed-by: Liupu Wang +Signed-off-by: Liupu Wang +Signed-off-by: Tianyang Zhang +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/include/asm/pgtable.h | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/arch/loongarch/include/asm/pgtable.h ++++ b/arch/loongarch/include/asm/pgtable.h +@@ -403,6 +403,9 @@ static inline unsigned long pte_accessib + + static inline pte_t pte_modify(pte_t pte, pgprot_t newprot) + { ++ if (pte_val(pte) & _PAGE_DIRTY) ++ pte_val(pte) |= _PAGE_MODIFIED; ++ + return __pte((pte_val(pte) & _PAGE_CHG_MASK) | + (pgprot_val(newprot) & ~_PAGE_CHG_MASK)); + } +@@ -516,9 +519,11 @@ static inline struct page *pmd_page(pmd_ + + static inline pmd_t pmd_modify(pmd_t pmd, pgprot_t newprot) + { +- pmd_val(pmd) = (pmd_val(pmd) & _HPAGE_CHG_MASK) | +- (pgprot_val(newprot) & ~_HPAGE_CHG_MASK); +- return pmd; ++ if (pmd_val(pmd) & _PAGE_DIRTY) ++ pmd_val(pmd) |= _PAGE_MODIFIED; ++ ++ return __pmd((pmd_val(pmd) & _HPAGE_CHG_MASK) | ++ (pgprot_val(newprot) & ~_HPAGE_CHG_MASK)); + } + + static inline pmd_t pmd_mkinvalid(pmd_t pmd) diff --git a/queue-6.1/nfsd-free-copynotify-stateid-in-nfs4_free_ol_stateid.patch b/queue-6.1/nfsd-free-copynotify-stateid-in-nfs4_free_ol_stateid.patch new file mode 100644 index 0000000000..324bb7922a --- /dev/null +++ b/queue-6.1/nfsd-free-copynotify-stateid-in-nfs4_free_ol_stateid.patch @@ -0,0 +1,85 @@ +From 4aa17144d5abc3c756883e3a010246f0dba8b468 Mon Sep 17 00:00:00 2001 +From: Olga Kornievskaia +Date: Tue, 14 Oct 2025 13:59:59 -0400 +Subject: NFSD: free copynotify stateid in nfs4_free_ol_stateid() + +From: Olga Kornievskaia + +commit 4aa17144d5abc3c756883e3a010246f0dba8b468 upstream. + +Typically copynotify stateid is freed either when parent's stateid +is being close/freed or in nfsd4_laundromat if the stateid hasn't +been used in a lease period. + +However, in case when the server got an OPEN (which created +a parent stateid), followed by a COPY_NOTIFY using that stateid, +followed by a client reboot. New client instance while doing +CREATE_SESSION would force expire previous state of this client. +It leads to the open state being freed thru release_openowner-> +nfs4_free_ol_stateid() and it finds that it still has copynotify +stateid associated with it. We currently print a warning and is +triggerred + +WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd] + +This patch, instead, frees the associated copynotify stateid here. + +If the parent stateid is freed (without freeing the copynotify +stateids associated with it), it leads to the list corruption +when laundromat ends up freeing the copynotify state later. + +[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP +[ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink +[ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G B W 6.17.0-rc7+ #22 PREEMPT(voluntary) +[ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN +[ 1626.857573] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024 +[ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd] +[ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) +[ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200 +[ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200 +[ 1626.861182] sp : ffff8000881d7a40 +[ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200 +[ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20 +[ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8 +[ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000 +[ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065 +[ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3 +[ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000 +[ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001 +[ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000 +[ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d +[ 1626.868167] Call trace: +[ 1626.868382] __list_del_entry_valid_or_report+0x148/0x200 (P) +[ 1626.868876] _free_cpntf_state_locked+0xd0/0x268 [nfsd] +[ 1626.869368] nfs4_laundromat+0x6f8/0x1058 [nfsd] +[ 1626.869813] laundromat_main+0x24/0x60 [nfsd] +[ 1626.870231] process_one_work+0x584/0x1050 +[ 1626.870595] worker_thread+0x4c4/0xc60 +[ 1626.870893] kthread+0x2f8/0x398 +[ 1626.871146] ret_from_fork+0x10/0x20 +[ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000) +[ 1626.871892] SMP: stopping secondary CPUs + +Reported-by: rtm@csail.mit.edu +Closes: https://lore.kernel.org/linux-nfs/d8f064c1-a26f-4eed-b4f0-1f7f608f415f@oracle.com/T/#t +Fixes: 624322f1adc5 ("NFSD add COPY_NOTIFY operation") +Cc: stable@vger.kernel.org +Signed-off-by: Olga Kornievskaia +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4state.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -1499,7 +1499,8 @@ static void nfs4_free_ol_stateid(struct + release_all_access(stp); + if (stp->st_stateowner) + nfs4_put_stateowner(stp->st_stateowner); +- WARN_ON(!list_empty(&stid->sc_cp_list)); ++ if (!list_empty(&stid->sc_cp_list)) ++ nfs4_free_cpntf_statelist(stid->sc_client->net, stid); + kmem_cache_free(stateid_slab, stid); + } + diff --git a/queue-6.1/series b/queue-6.1/series index 3c39b1b494..0683237a7c 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -396,3 +396,9 @@ asm-generic-unify-uapi-bitsperlong.h-for-arm64-riscv.patch mtd-onenand-pass-correct-pointer-to-irq-handler.patch netfilter-nf_tables-reject-duplicate-device-on-updat.patch hid-hid-ntrig-prevent-memory-leak-in-ntrig_report_ve.patch +nfsd-free-copynotify-stateid-in-nfs4_free_ol_stateid.patch +gcov-add-support-for-gcc-15.patch +ksmbd-close-accepted-socket-when-per-ip-limit-rejects-connection.patch +strparser-fix-signed-unsigned-mismatch-bug.patch +dma-mapping-benchmark-restore-padding-to-ensure-uabi-remained-consistent.patch +loongarch-let-pte-pmd-_modify-record-the-status-of-_page_dirty.patch diff --git a/queue-6.1/strparser-fix-signed-unsigned-mismatch-bug.patch b/queue-6.1/strparser-fix-signed-unsigned-mismatch-bug.patch new file mode 100644 index 0000000000..036a265db9 --- /dev/null +++ b/queue-6.1/strparser-fix-signed-unsigned-mismatch-bug.patch @@ -0,0 +1,47 @@ +From 4da4e4bde1c453ac5cc2dce5def81d504ae257ee Mon Sep 17 00:00:00 2001 +From: Nate Karstens +Date: Thu, 6 Nov 2025 16:28:33 -0600 +Subject: strparser: Fix signed/unsigned mismatch bug + +From: Nate Karstens + +commit 4da4e4bde1c453ac5cc2dce5def81d504ae257ee upstream. + +The `len` member of the sk_buff is an unsigned int. This is cast to +`ssize_t` (a signed type) for the first sk_buff in the comparison, +but not the second sk_buff. On 32-bit systems, this can result in +an integer underflow for certain values because unsigned arithmetic +is being used. + +This appears to be an oversight: if the intention was to use unsigned +arithmetic, then the first cast would have been omitted. The change +ensures both len values are cast to `ssize_t`. + +The underflow causes an issue with ktls when multiple TLS PDUs are +included in a single TCP segment. The mainline kernel does not use +strparser for ktls anymore, but this is still useful for other +features that still use strparser, and for backporting. + +Signed-off-by: Nate Karstens +Cc: stable@vger.kernel.org +Fixes: 43a0c6751a32 ("strparser: Stream parser for messages") +Reviewed-by: Jacob Keller +Reviewed-by: Sabrina Dubroca +Link: https://patch.msgid.link/20251106222835.1871628-1-nate.karstens@garmin.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/strparser/strparser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/strparser/strparser.c ++++ b/net/strparser/strparser.c +@@ -238,7 +238,7 @@ static int __strp_recv(read_descriptor_t + strp_parser_err(strp, -EMSGSIZE, desc); + break; + } else if (len <= (ssize_t)head->len - +- skb->len - stm->strp.offset) { ++ (ssize_t)skb->len - stm->strp.offset) { + /* Length must be into new skb (and also + * greater than zero) + */