From: Greg Kroah-Hartman Date: Sun, 29 Jun 2025 12:52:08 +0000 (+0200) Subject: 6.12-stable patches X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=34fe04c13f60be644309b0677eb4e539497b8601;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: asoc-amd-yc-add-dmi-quirk-for-lenovo-ideapad-slim-5-15.patch ata-ahci-use-correct-dmi-identifier-for-asuspro-d840sa-lpm-quirk.patch drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch drm-xe-display-add-check-for-alloc_ordered_workqueue.patch fs-proc-task_mmu-fix-page_is_pfnzero-detection-for-the-huge-zero-folio.patch i2c-robotfuzz-osif-disable-zero-length-read-messages.patch i2c-tiny-usb-disable-zero-length-read-messages.patch lib-group_cpus-fix-null-pointer-dereference-from-group_cpus_evenly.patch mm-damon-sysfs-schemes-free-old-damon_sysfs_scheme_filter-memcg_path-on-write.patch revert-riscv-define-task_size_max-for-__access_ok.patch revert-riscv-misaligned-fix-sleeping-function-called-during-misaligned-access-handling.patch s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch smb-client-remove-t-from-tp_printk-statements.patch
---
diff --git a/queue-6.12/asoc-amd-yc-add-dmi-quirk-for-lenovo-ideapad-slim-5-15.patch b/queue-6.12/asoc-amd-yc-add-dmi-quirk-for-lenovo-ideapad-slim-5-15.patch
new file mode 100644
index 0000000000..ee95b6606b
--- /dev/null
+++ b/queue-6.12/asoc-amd-yc-add-dmi-quirk-for-lenovo-ideapad-slim-5-15.patch
@@ -0,0 +1,37 @@
+From bf39286adc5e10ce3e32eb86ad316ae56f3b52a0 Mon Sep 17 00:00:00 2001
+From: Oliver Schramm
+Date: Sun, 22 Jun 2025 00:30:01 +0200
+Subject: ASoC: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15
+
+From: Oliver Schramm
+
+commit bf39286adc5e10ce3e32eb86ad316ae56f3b52a0 upstream.
+
+It's smaller brother has already received the patch to enable the microphone,
+now add it too to the DMI quirk table.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Oliver Schramm
+Link: https://patch.msgid.link/20250621223000.11817-2-oliver.schramm97@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -356,6 +356,13 @@ static const struct dmi_system_id yc_acp
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "83J3"),
++ }
++ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "UM5302TA"),
+ }
diff --git a/queue-6.12/ata-ahci-use-correct-dmi-identifier-for-asuspro-d840sa-lpm-quirk.patch b/queue-6.12/ata-ahci-use-correct-dmi-identifier-for-asuspro-d840sa-lpm-quirk.patch
new file mode 100644
index 0000000000..1e931c8897
--- /dev/null
+++ b/queue-6.12/ata-ahci-use-correct-dmi-identifier-for-asuspro-d840sa-lpm-quirk.patch
@@ -0,0 +1,41 @@
+From 3e0809b1664b9dc650d9dbca9a2d3ac690d4f661 Mon Sep 17 00:00:00 2001
+From: Niklas Cassel
+Date: Tue, 24 Jun 2025 09:40:30 +0200
+Subject: ata: ahci: Use correct DMI identifier for ASUSPRO-D840SA LPM quirk
+
+From: Niklas Cassel
+
+commit 3e0809b1664b9dc650d9dbca9a2d3ac690d4f661 upstream.
+
+ASUS store the board name in DMI_PRODUCT_NAME rather than
+DMI_PRODUCT_VERSION. (Apparently it is only Lenovo that stores the
+model-name in DMI_PRODUCT_VERSION.)
+
+Use the correct DMI identifier, DMI_PRODUCT_NAME, to match the
+ASUSPRO-D840SA board, such that the quirk actually gets applied.
+
+Cc: stable@vger.kernel.org
+Reported-by: Andy Yang
+Tested-by: Andy Yang
+Closes: https://lore.kernel.org/linux-ide/aFb3wXAwJSSJUB7o@ryzen/
+Fixes: b5acc3628898 ("ata: ahci: Disallow LPM for ASUSPRO-D840SA motherboard")
+Reviewed-by: Hans de Goede
+Reviewed-by: Damien Le Moal
+Link: https://lore.kernel.org/r/20250624074029.963028-2-cassel@kernel.org
+Signed-off-by: Niklas Cassel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ata/ahci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -1456,7 +1456,7 @@ static bool ahci_broken_lpm(struct pci_d
+ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+- DMI_MATCH(DMI_PRODUCT_VERSION, "ASUSPRO D840MB_M840SA"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "ASUSPRO D840MB_M840SA"),
+ },
+ /* 320 is broken, there is no known good version. */
+ },
diff --git a/queue-6.12/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch b/queue-6.12/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch
new file mode 100644
index 0000000000..040579470d
--- /dev/null
+++ b/queue-6.12/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch
@@ -0,0 +1,50 @@
+From a3ef3c2da675a8a564c8bea1a511cdd0a2a9aa49 Mon Sep 17 00:00:00 2001
+From: Imre Deak
+Date: Thu, 5 Jun 2025 11:28:46 +0300
+Subject: drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Imre Deak
+
+commit a3ef3c2da675a8a564c8bea1a511cdd0a2a9aa49 upstream.
+
+Reading DPCD registers has side-effects in general. In particular
+accessing registers outside of the link training register range
+(0x102-0x106, 0x202-0x207, 0x200c-0x200f, 0x2216) is explicitly
+forbidden by the DP v2.1 Standard, see
+
+3.6.5.1 DPTX AUX Transaction Handling Mandates
+3.6.7.4 128b/132b DP Link Layer LTTPR Link Training Mandates
+
+Based on my tests, accessing the DPCD_REV register during the link
+training of an UHBR TBT DP tunnel sink leads to link training failures.
+
+Solve the above by using the DP_LANE0_1_STATUS (0x202) register for the
+DPCD register access quirk.
+
+Cc:
+Cc: Ville Syrjälä
+Cc: Jani Nikula
+Acked-by: Jani Nikula
+Signed-off-by: Imre Deak
+Link: https://lore.kernel.org/r/20250605082850.65136-2-imre.deak@intel.com
+(cherry picked from commit a40c5d727b8111b5db424a1e43e14a1dcce1e77f)
+Signed-off-by: Joonas Lahtinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/display/drm_dp_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/display/drm_dp_helper.c
++++ b/drivers/gpu/drm/display/drm_dp_helper.c
+@@ -664,7 +664,7 @@ ssize_t drm_dp_dpcd_read(struct drm_dp_a
+ * monitor doesn't power down exactly after the throw away read.
+ */
+ if (!aux->is_remote) {
+- ret = drm_dp_dpcd_probe(aux, DP_DPCD_REV);
++ ret = drm_dp_dpcd_probe(aux, DP_LANE0_1_STATUS);
+ if (ret < 0)
+ return ret;
+ }
diff --git a/queue-6.12/drm-xe-display-add-check-for-alloc_ordered_workqueue.patch b/queue-6.12/drm-xe-display-add-check-for-alloc_ordered_workqueue.patch
new file mode 100644
index 0000000000..4fa2de81b4
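Review bot: In drm_dp_dpcd_read() the address passed to `drm_dp_dpcd_probe()` is now `DP_LANE0_1_STATUS`, but nothing in the code says why that register was picked; the visible comment only carries the older throw-away-read rationale. The reason lives in the commit message alone: reads outside the link-training register range are forbidden by DP v2.1 and broke link training on UHBR TBT tunnel sinks. I would add a comment above the call, for example `/* Probe a register in the link-training range (0x202); other DPCD reads during link training are forbidden by DP v2.1. */`, so the address is not changed back later. The function body starts before the hunk and continues after it.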
--- /dev/null
+++ b/queue-6.12/drm-xe-display-add-check-for-alloc_ordered_workqueue.patch
@@ -0,0 +1,39 @@
+From 62207293479e6c03ef498a70f2914c51f4d31d2c Mon Sep 17 00:00:00 2001
+From: Haoxiang Li
+Date: Fri, 16 May 2025 15:16:55 +0300
+Subject: drm/xe/display: Add check for alloc_ordered_workqueue()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Haoxiang Li
+
+commit 62207293479e6c03ef498a70f2914c51f4d31d2c upstream.
+
+Add check for the return value of alloc_ordered_workqueue()
+in xe_display_create() to catch potential exception.
+
+Fixes: 44e694958b95 ("drm/xe/display: Implement display support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li
+Reviewed-by: Matthew Auld
+Link: https://lore.kernel.org/r/4ee1b0e5d1626ce1dde2e82af05c2edaed50c3aa.1747397638.git.jani.nikula@intel.com
+Signed-off-by: Jani Nikula
+(cherry picked from commit 5b62d63395d5b7d4094e7cd380bccae4b25415cb)
+Signed-off-by: Thomas Hellström
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/xe/display/xe_display.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/xe/display/xe_display.c
++++ b/drivers/gpu/drm/xe/display/xe_display.c
+@@ -96,6 +96,8 @@ int xe_display_create(struct xe_device *
+ spin_lock_init(&xe->display.fb_tracking.lock);
+
+ xe->display.hotplug.dp_wq = alloc_ordered_workqueue("xe-dp", 0);
++ if (!xe->display.hotplug.dp_wq)
++ return -ENOMEM;
+
+ return drmm_add_action_or_reset(&xe->drm, display_destroy, NULL);
+ }
diff --git a/queue-6.12/fs-proc-task_mmu-fix-page_is_pfnzero-detection-for-the-huge-zero-folio.patch b/queue-6.12/fs-proc-task_mmu-fix-page_is_pfnzero-detection-for-the-huge-zero-folio.patch
new file mode 100644
index 0000000000..069b68245d
--- /dev/null
+++ b/queue-6.12/fs-proc-task_mmu-fix-page_is_pfnzero-detection-for-the-huge-zero-folio.patch
@@ -0,0 +1,39 @@
+From 4a5e85f4eb8fd18b1266342d100e4f0849544ca0 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand
+Date: Tue, 17 Jun 2025 16:35:32 +0200
+Subject: fs/proc/task_mmu: fix PAGE_IS_PFNZERO detection for the huge zero folio
+
+From: David Hildenbrand
+
+commit 4a5e85f4eb8fd18b1266342d100e4f0849544ca0 upstream.
+
+is_zero_pfn() does not work for the huge zero folio. Fix it by using
+is_huge_zero_pmd().
+
+This can cause the PAGEMAP_SCAN ioctl against /proc/pid/pagemap to
+present pages as PAGE_IS_PRESENT rather than as PAGE_IS_PFNZERO.
+
+Found by code inspection.
+
+Link: https://lkml.kernel.org/r/20250617143532.2375383-1-david@redhat.com
+Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
+Signed-off-by: David Hildenbrand
+Cc: Muhammad Usama Anjum
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/proc/task_mmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -2155,7 +2155,7 @@ static unsigned long pagemap_thp_categor
+ categories |= PAGE_IS_FILE;
+ }
+
+- if (is_zero_pfn(pmd_pfn(pmd)))
++ if (is_huge_zero_pmd(pmd))
+ categories |= PAGE_IS_PFNZERO;
+ if (pmd_soft_dirty(pmd))
+ categories |= PAGE_IS_SOFT_DIRTY;
diff --git a/queue-6.12/i2c-robotfuzz-osif-disable-zero-length-read-messages.patch b/queue-6.12/i2c-robotfuzz-osif-disable-zero-length-read-messages.patch
new file mode 100644
index 0000000000..f80fc3674c
--- /dev/null
+++ b/queue-6.12/i2c-robotfuzz-osif-disable-zero-length-read-messages.patch
@@ -0,0 +1,47 @@
+From 56ad91c1aa9c18064348edf69308080b03c9dc48 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang
+Date: Thu, 22 May 2025 08:42:35 +0200
+Subject: i2c: robotfuzz-osif: disable zero-length read messages
+
+From: Wolfram Sang
+
+commit 56ad91c1aa9c18064348edf69308080b03c9dc48 upstream.
+
+This driver passes the length of an i2c_msg directly to
+usb_control_msg(). If the message is now a read and of length 0, it
+violates the USB protocol and a warning will be printed. Enable the
+I2C_AQ_NO_ZERO_LEN_READ quirk for this adapter thus forbidding 0-length
+read messages altogether.
+
+Fixes: 83e53a8f120f ("i2c: Add bus driver for for OSIF USB i2c device.")
+Signed-off-by: Wolfram Sang
+Cc: # v3.14+
+Signed-off-by: Andi Shyti
+Link: https://lore.kernel.org/r/20250522064234.3721-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-robotfuzz-osif.c
++++ b/drivers/i2c/busses/i2c-robotfuzz-osif.c
+@@ -111,6 +111,11 @@ static u32 osif_func(struct i2c_adapter
+ return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
+ }
+
++/* prevent invalid 0-length usb_control_msg */
++static const struct i2c_adapter_quirks osif_quirks = {
++ .flags = I2C_AQ_NO_ZERO_LEN_READ,
++};
++
+ static const struct i2c_algorithm osif_algorithm = {
+ .xfer = osif_xfer,
+ .functionality = osif_func,
+@@ -143,6 +148,7 @@ static int osif_probe(struct usb_interfa
+
+ priv->adapter.owner = THIS_MODULE;
+ priv->adapter.class = I2C_CLASS_HWMON;
++ priv->adapter.quirks = &osif_quirks;
+ priv->adapter.algo = &osif_algorithm;
+ priv->adapter.algo_data = priv;
+ snprintf(priv->adapter.name, sizeof(priv->adapter.name),
diff --git a/queue-6.12/i2c-tiny-usb-disable-zero-length-read-messages.patch b/queue-6.12/i2c-tiny-usb-disable-zero-length-read-messages.patch
new file mode 100644
index 0000000000..dd174a4726
--- /dev/null
+++ b/queue-6.12/i2c-tiny-usb-disable-zero-length-read-messages.patch
@@ -0,0 +1,47 @@
+From cbdb25ccf7566eee0c2b945e35cb98baf9ed0aa6 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang
+Date: Thu, 22 May 2025 08:43:49 +0200
+Subject: i2c: tiny-usb: disable zero-length read messages
+
+From: Wolfram Sang
+
+commit cbdb25ccf7566eee0c2b945e35cb98baf9ed0aa6 upstream.
+
+This driver passes the length of an i2c_msg directly to
+usb_control_msg(). If the message is now a read and of length 0, it
+violates the USB protocol and a warning will be printed. Enable the
+I2C_AQ_NO_ZERO_LEN_READ quirk for this adapter thus forbidding 0-length
+read messages altogether.
+
+Fixes: e8c76eed2ecd ("i2c: New i2c-tiny-usb bus driver")
+Signed-off-by: Wolfram Sang
+Cc: # v2.6.22+
+Signed-off-by: Andi Shyti
+Link: https://lore.kernel.org/r/20250522064349.3823-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/busses/i2c-tiny-usb.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-tiny-usb.c
++++ b/drivers/i2c/busses/i2c-tiny-usb.c
+@@ -138,6 +138,11 @@ out:
+ return ret;
+ }
+
++/* prevent invalid 0-length usb_control_msg */
++static const struct i2c_adapter_quirks usb_quirks = {
++ .flags = I2C_AQ_NO_ZERO_LEN_READ,
++};
++
+ /* This is the actual algorithm we define */
+ static const struct i2c_algorithm usb_algorithm = {
+ .xfer = usb_xfer,
+@@ -246,6 +251,7 @@ static int i2c_tiny_usb_probe(struct usb
+ /* setup i2c adapter description */
+ dev->adapter.owner = THIS_MODULE;
+ dev->adapter.class = I2C_CLASS_HWMON;
++ dev->adapter.quirks = &usb_quirks;
+ dev->adapter.algo = &usb_algorithm;
+ dev->adapter.algo_data = dev;
+ snprintf(dev->adapter.name, sizeof(dev->adapter.name),
diff --git a/queue-6.12/lib-group_cpus-fix-null-pointer-dereference-from-group_cpus_evenly.patch b/queue-6.12/lib-group_cpus-fix-null-pointer-dereference-from-group_cpus_evenly.patch
new file mode 100644
index 0000000000..9ddea0e18e
--- /dev/null
+++ b/queue-6.12/lib-group_cpus-fix-null-pointer-dereference-from-group_cpus_evenly.patch 
@@ -0,0 +1,85 @@
+From df831e97739405ecbaddb85516bc7d4d1c933d6b Mon Sep 17 00:00:00 2001
+From: Yu Kuai
+Date: Thu, 19 Jun 2025 21:26:55 +0800
+Subject: lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly()
+
+From: Yu Kuai
+
+commit df831e97739405ecbaddb85516bc7d4d1c933d6b upstream.
+
+While testing null_blk with configfs, echo 0 > poll_queues will trigger
+following panic:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000010
+Oops: Oops: 0000 [#1] SMP NOPTI
+CPU: 27 UID: 0 PID: 920 Comm: bash Not tainted 6.15.0-02023-gadbdb95c8696-dirty #1238 PREEMPT(undef)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
+RIP: 0010:__bitmap_or+0x48/0x70
+Call Trace:
+
+ __group_cpus_evenly+0x822/0x8c0
+ group_cpus_evenly+0x2d9/0x490
+ blk_mq_map_queues+0x1e/0x110
+ null_map_queues+0xc9/0x170 [null_blk]
+ blk_mq_update_queue_map+0xdb/0x160
+ blk_mq_update_nr_hw_queues+0x22b/0x560
+ nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]
+ nullb_device_poll_queues_store+0xa4/0x130 [null_blk]
+ configfs_write_iter+0x109/0x1d0
+ vfs_write+0x26e/0x6f0
+ ksys_write+0x79/0x180
+ __x64_sys_write+0x1d/0x30
+ x64_sys_call+0x45c4/0x45f0
+ do_syscall_64+0xa5/0x240
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Root cause is that numgrps is set to 0, and ZERO_SIZE_PTR is returned from
+kcalloc(), and later ZERO_SIZE_PTR will be deferenced.
+
+Fix the problem by checking numgrps first in group_cpus_evenly(), and
+return NULL directly if numgrps is zero.
+
+[yukuai3@huawei.com: also fix the non-SMP version]
+ Link: https://lkml.kernel.org/r/20250620010958.1265984-1-yukuai1@huaweicloud.com
+Link: https://lkml.kernel.org/r/20250619132655.3318883-1-yukuai1@huaweicloud.com
+Fixes: 6a6dcae8f486 ("blk-mq: Build default queue map via group_cpus_evenly()")
+Signed-off-by: Yu Kuai
+Reviewed-by: Ming Lei
+Reviewed-by: Jens Axboe
+Cc: ErKun Yang
+Cc: John Garry
+Cc: Thomas Gleinxer
+Cc: "zhangyi (F)"
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/group_cpus.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/lib/group_cpus.c
++++ b/lib/group_cpus.c
+@@ -352,6 +352,9 @@ struct cpumask *group_cpus_evenly(unsign
+ int ret = -ENOMEM;
+ struct cpumask *masks = NULL;
+
++ if (numgrps == 0)
++ return NULL;
++
+ if (!zalloc_cpumask_var(&nmsk, GFP_KERNEL))
+ return NULL;
+
+@@ -426,8 +429,12 @@ struct cpumask *group_cpus_evenly(unsign
+ #else /* CONFIG_SMP */
+ struct cpumask *group_cpus_evenly(unsigned int numgrps)
+ {
+- struct cpumask *masks = kcalloc(numgrps, sizeof(*masks), GFP_KERNEL);
++ struct cpumask *masks;
+
++ if (numgrps == 0)
++ return NULL;
++
++ masks = kcalloc(numgrps, sizeof(*masks), GFP_KERNEL);
+ if (!masks)
+ return NULL;
+
diff --git a/queue-6.12/mm-damon-sysfs-schemes-free-old-damon_sysfs_scheme_filter-memcg_path-on-write.patch b/queue-6.12/mm-damon-sysfs-schemes-free-old-damon_sysfs_scheme_filter-memcg_path-on-write.patch
new file mode 100644
index 0000000000..97ab5f08ce
--- /dev/null
+++ b/queue-6.12/mm-damon-sysfs-schemes-free-old-damon_sysfs_scheme_filter-memcg_path-on-write.patch
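Review bot: With the new `if (numgrps == 0) return NULL;` in both the SMP and the non-SMP version of group_cpus_evenly(), NULL now means either "no groups requested" or "allocation failed", and a caller cannot tell the two apart. The function's header comment lies outside the hunks, so I cannot see whether it already says this; if it does not, it should, for example `Return: cpumask array if successful, NULL if numgrps is 0 or on allocation failure.` Any caller that turns a NULL return into -ENOMEM would then report an out-of-memory error for a zero-group request, which is worth checking on the call path shown in the trace.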
@@ -0,0 +1,36 @@
+From 4f489fe6afb395dbc79840efa3c05440b760d883 Mon Sep 17 00:00:00 2001
+From: SeongJae Park
+Date: Thu, 19 Jun 2025 11:36:07 -0700
+Subject: mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write
+
+From: SeongJae Park
+
+commit 4f489fe6afb395dbc79840efa3c05440b760d883 upstream.
+
+memcg_path_store() assigns a newly allocated memory buffer to
+filter->memcg_path, without deallocating the previously allocated and
+assigned memory buffer. As a result, users can leak kernel memory by
+continuously writing a data to memcg_path DAMOS sysfs file. Fix the leak
+by deallocating the previously set memory buffer.
+
+Link: https://lkml.kernel.org/r/20250619183608.6647-2-sj@kernel.org
+Fixes: 7ee161f18b5d ("mm/damon/sysfs-schemes: implement filter directory")
+Signed-off-by: SeongJae Park
+Cc: Shuah Khan
+Cc: [6.3.x]
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/damon/sysfs-schemes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/damon/sysfs-schemes.c
++++ b/mm/damon/sysfs-schemes.c
+@@ -423,6 +423,7 @@ static ssize_t memcg_path_store(struct k
+ return -ENOMEM;
+
+ strscpy(path, buf, count + 1);
++ kfree(filter->memcg_path);
+ filter->memcg_path = path;
+ return count;
+ }
diff --git a/queue-6.12/revert-riscv-define-task_size_max-for-__access_ok.patch b/queue-6.12/revert-riscv-define-task_size_max-for-__access_ok.patch
new file mode 100644
index 0000000000..f27f974987
--- /dev/null
+++ b/queue-6.12/revert-riscv-define-task_size_max-for-__access_ok.patch
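Review bot: The added `kfree(filter->memcg_path);` in memcg_path_store() frees a buffer that another thread may still be using, and no lock is taken in the visible lines. As far as I know kernfs serialises reads and writes per open file rather than per attribute, so two descriptors on memcg_path could run this store together and free the same old pointer twice, or a show could read the buffer after the free. The function starts outside the hunk, so a lock may already be held there; if it is not, the free and the assignment belong under the lock that protects the filter. Swapping before freeing, `old = filter->memcg_path; filter->memcg_path = path; kfree(old);`, narrows the window but does not replace that lock.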
@@ -0,0 +1,58 @@
+From 890ba5be6335dbbbc99af14ea007befb5f83f174 Mon Sep 17 00:00:00 2001
+From: Nam Cao
+Date: Thu, 19 Jun 2025 17:58:58 +0200
+Subject: Revert "riscv: Define TASK_SIZE_MAX for __access_ok()"
+
+From: Nam Cao
+
+commit 890ba5be6335dbbbc99af14ea007befb5f83f174 upstream.
+
+This reverts commit ad5643cf2f69 ("riscv: Define TASK_SIZE_MAX for
+__access_ok()").
+
+This commit changes TASK_SIZE_MAX to be LONG_MAX to optimize access_ok(),
+because the previous TASK_SIZE_MAX (default to TASK_SIZE) requires some
+computation.
+
+The reasoning was that all user addresses are less than LONG_MAX, and all
+kernel addresses are greater than LONG_MAX. Therefore access_ok() can
+filter kernel addresses.
+
+Addresses between TASK_SIZE and LONG_MAX are not valid user addresses, but
+access_ok() let them pass. That was thought to be okay, because they are
+not valid addresses at hardware level.
+
+Unfortunately, one case is missed: get_user_pages_fast() happily accepts
+addresses between TASK_SIZE and LONG_MAX. futex(), for instance, uses
+get_user_pages_fast(). This causes the problem reported by Robert [1].
+
+Therefore, revert this commit. TASK_SIZE_MAX is changed to the default:
+TASK_SIZE.
+
+This unfortunately reduces performance, because TASK_SIZE is more expensive
+to compute compared to LONG_MAX. But correctness first, we can think about
+optimization later, if required.
+
+Reported-by:
+Closes: https://lore.kernel.org/linux-riscv/77605.1750245028@localhost/
+Signed-off-by: Nam Cao
+Cc: stable@vger.kernel.org
+Reviewed-by: Alexandre Ghiti
+Fixes: ad5643cf2f69 ("riscv: Define TASK_SIZE_MAX for __access_ok()")
+Link: https://lore.kernel.org/r/20250619155858.1249789-1-namcao@linutronix.de
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/riscv/include/asm/pgtable.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/riscv/include/asm/pgtable.h
++++ b/arch/riscv/include/asm/pgtable.h
+@@ -916,7 +916,6 @@ static inline pte_t pte_swp_clear_exclus
+ */
+ #ifdef CONFIG_64BIT
+ #define TASK_SIZE_64 (PGDIR_SIZE * PTRS_PER_PGD / 2)
+-#define TASK_SIZE_MAX LONG_MAX
+
+ #ifdef CONFIG_COMPAT
+ #define TASK_SIZE_32 (_AC(0x80000000, UL) - PAGE_SIZE)
diff --git a/queue-6.12/revert-riscv-misaligned-fix-sleeping-function-called-during-misaligned-access-handling.patch b/queue-6.12/revert-riscv-misaligned-fix-sleeping-function-called-during-misaligned-access-handling.patch
new file mode 100644
index 0000000000..f9eeca0a88
--- /dev/null
+++ b/queue-6.12/revert-riscv-misaligned-fix-sleeping-function-called-during-misaligned-access-handling.patch
@@ -0,0 +1,59 @@
+From 2f73c62d4e13df67380ff6faca39eec2bf08dd93 Mon Sep 17 00:00:00 2001
+From: Nam Cao
+Date: Fri, 20 Jun 2025 13:09:39 +0200
+Subject: Revert "riscv: misaligned: fix sleeping function called during misaligned access handling"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nam Cao
+
+commit 2f73c62d4e13df67380ff6faca39eec2bf08dd93 upstream.
+
+This reverts commit 61a74ad25462 ("riscv: misaligned: fix sleeping function
+called during misaligned access handling"). The commit addresses a sleeping
+in atomic context problem, but it is not the correct fix as explained by
+Clément:
+
+"Using nofault would lead to failure to read from user memory that is paged
+out for instance. This is not really acceptable, we should handle user
+misaligned access even at an address that would generate a page fault."
+
+This bug has been properly fixed by commit 453805f0a28f ("riscv:
+misaligned: enable IRQs while handling misaligned accesses").
+
+Revert this improper fix.
+
+Link: https://lore.kernel.org/linux-riscv/b779beed-e44e-4a5e-9551-4647682b0d21@rivosinc.com/
+Signed-off-by: Nam Cao
+Cc: stable@vger.kernel.org
+Reviewed-by: Clément Léger
+Reviewed-by: Alexandre Ghiti
+Fixes: 61a74ad25462 ("riscv: misaligned: fix sleeping function called during misaligned access handling")
+Link: https://lore.kernel.org/r/20250620110939.1642735-1-namcao@linutronix.de
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/riscv/kernel/traps_misaligned.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/riscv/kernel/traps_misaligned.c
++++ b/arch/riscv/kernel/traps_misaligned.c
+@@ -429,7 +429,7 @@ int handle_misaligned_load(struct pt_reg
+
+ val.data_u64 = 0;
+ if (user_mode(regs)) {
+- if (copy_from_user_nofault(&val, (u8 __user *)addr, len))
++ if (copy_from_user(&val, (u8 __user *)addr, len))
+ return -1;
+ } else {
+ memcpy(&val, (u8 *)addr, len);
+@@ -530,7 +530,7 @@ int handle_misaligned_store(struct pt_re
+ return -EOPNOTSUPP;
+
+ if (user_mode(regs)) {
+- if (copy_to_user_nofault((u8 __user *)addr, &val, len))
++ if (copy_to_user((u8 __user *)addr, &val, len))
+ return -1;
+ } else {
+ memcpy((u8 *)addr, &val, len);
diff --git a/queue-6.12/s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch b/queue-6.12/s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch
new file mode 100644
index 0000000000..684d3224ad
--- /dev/null
+++ b/queue-6.12/s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch
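Review bot: `copy_from_user()` in handle_misaligned_load() and `copy_to_user()` in handle_misaligned_store() can take a page fault and sleep, so this revert is only safe where the trap handler runs with interrupts enabled. The commit message relies on commit 453805f0a28f for that, and the series additions visible on this page do not include it, so I would confirm it is already in 6.12 before queueing this one; otherwise the sleeping-in-atomic problem comes back. A short comment at both call sites would record the dependency, e.g. `/* may sleep on a page fault: the trap entry path must have enabled IRQs */`. Both functions start and end outside the hunks.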
@@ -0,0 +1,47 @@
+From 7360ee47599af91a1d5f4e74d635d9408a54e489 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin
+Date: Wed, 11 Jun 2025 22:20:10 +0300
+Subject: s390/pkey: Prevent overflow in size calculation for memdup_user()
+
+From: Fedor Pchelkin
+
+commit 7360ee47599af91a1d5f4e74d635d9408a54e489 upstream.
+
+Number of apqn target list entries contained in 'nr_apqns' variable is
+determined by userspace via an ioctl call so the result of the product in
+calculation of size passed to memdup_user() may overflow.
+
+In this case the actual size of the allocated area and the value
+describing it won't be in sync leading to various types of unpredictable
+behaviour later.
+
+Use a proper memdup_array_user() helper which returns an error if an
+overflow is detected. Note that it is different from when nr_apqns is
+initially zero - that case is considered valid and should be handled in
+subsequent pkey_handler implementations.
+
+Found by Linux Verification Center (linuxtesting.org).
+
+Fixes: f2bbc96e7cfa ("s390/pkey: add CCA AES cipher key support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Fedor Pchelkin
+Reviewed-by: Holger Dengler
+Reviewed-by: Heiko Carstens
+Link: https://lore.kernel.org/r/20250611192011.206057-1-pchelkin@ispras.ru
+Signed-off-by: Alexander Gordeev
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/crypto/pkey_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/s390/crypto/pkey_api.c
++++ b/drivers/s390/crypto/pkey_api.c
+@@ -85,7 +85,7 @@ static void *_copy_apqns_from_user(void
+ if (!uapqns || nr_apqns == 0)
+ return NULL;
+
+- return memdup_user(uapqns, nr_apqns * sizeof(struct pkey_apqn));
++ return memdup_array_user(uapqns, nr_apqns, sizeof(struct pkey_apqn));
+ }
+
+ static int pkey_ioctl_genseck(struct pkey_genseck __user *ugs)
diff --git a/queue-6.12/series b/queue-6.12/series
index e902778ca4..249f10f2aa 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
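Review bot: _copy_apqns_from_user() has three outcomes — NULL for an empty list, an ERR_PTR() when the copy fails or the size overflows, and a buffer otherwise — and nothing in the hunk documents that. A caller that only tests for NULL would treat an error pointer as a valid list; the callers and the start of the function are outside the hunk, so I cannot check them here. I would put the contract above the function: `/* Returns NULL if the list is empty, ERR_PTR() on fault or size overflow, else a kmalloc'ed copy. */`. In the visible lines nr_apqns also has no upper bound, so the allocation size is still chosen by userspace up to the allocator's limit.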
@@ -83,3 +83,16 @@ accel-ivpu-separate-db-id-and-cmdq-id-allocations-fr.patch
 accel-ivpu-add-debugfs-interface-for-setting-hws-pri.patch
 accel-ivpu-trigger-device-recovery-on-engine-reset-r.patch
 af_unix-don-t-leave-consecutive-consumed-oob-skbs.patch
+i2c-tiny-usb-disable-zero-length-read-messages.patch
+i2c-robotfuzz-osif-disable-zero-length-read-messages.patch
+ata-ahci-use-correct-dmi-identifier-for-asuspro-d840sa-lpm-quirk.patch
+smb-client-remove-t-from-tp_printk-statements.patch
+mm-damon-sysfs-schemes-free-old-damon_sysfs_scheme_filter-memcg_path-on-write.patch
+asoc-amd-yc-add-dmi-quirk-for-lenovo-ideapad-slim-5-15.patch
+s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch
+fs-proc-task_mmu-fix-page_is_pfnzero-detection-for-the-huge-zero-folio.patch
+lib-group_cpus-fix-null-pointer-dereference-from-group_cpus_evenly.patch
+revert-riscv-define-task_size_max-for-__access_ok.patch
+revert-riscv-misaligned-fix-sleeping-function-called-during-misaligned-access-handling.patch
+drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch
+drm-xe-display-add-check-for-alloc_ordered_workqueue.patch
diff --git a/queue-6.12/smb-client-remove-t-from-tp_printk-statements.patch b/queue-6.12/smb-client-remove-t-from-tp_printk-statements.patch
new file mode 100644
index 0000000000..7f4a0e7621
--- /dev/null
+++ b/queue-6.12/smb-client-remove-t-from-tp_printk-statements.patch
@@ -0,0 +1,137 @@
+From e97f9540ce001503a4539f337da742c1dfa7d86a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Wed, 25 Jun 2025 10:13:04 +0200
+Subject: smb: client: remove \t from TP_printk statements
+
+From: Stefan Metzmacher
+
+commit e97f9540ce001503a4539f337da742c1dfa7d86a upstream.
+
+The generate '[FAILED TO PARSE]' strings in trace-cmd report output like this:
+
+ rm-5298 [001] 6084.533748493: smb3_exit_err: [FAILED TO PARSE] xid=972 func_name=cifs_rmdir rc=-39
+ rm-5298 [001] 6084.533959234: smb3_enter: [FAILED TO PARSE] xid=973 func_name=cifs_closedir
+ rm-5298 [001] 6084.533967630: smb3_close_enter: [FAILED TO PARSE] xid=973 fid=94489281833 tid=1 sesid=96758029877361
+ rm-5298 [001] 6084.534004008: smb3_cmd_enter: [FAILED TO PARSE] tid=1 sesid=96758029877361 cmd=6 mid=566
+ rm-5298 [001] 6084.552248232: smb3_cmd_done: [FAILED TO PARSE] tid=1 sesid=96758029877361 cmd=6 mid=566
+ rm-5298 [001] 6084.552280542: smb3_close_done: [FAILED TO PARSE] xid=973 fid=94489281833 tid=1 sesid=96758029877361
+ rm-5298 [001] 6084.552316034: smb3_exit_done: [FAILED TO PARSE] xid=973 func_name=cifs_closedir
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefan Metzmacher
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/trace.h | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+--- a/fs/smb/client/trace.h
++++ b/fs/smb/client/trace.h
+@@ -140,7 +140,7 @@ DECLARE_EVENT_CLASS(smb3_rw_err_class,
+ __entry->len = len;
+ __entry->rc = rc;
+ ),
+- TP_printk("\tR=%08x[%x] xid=%u sid=0x%llx tid=0x%x fid=0x%llx offset=0x%llx len=0x%x rc=%d",
++ TP_printk("R=%08x[%x] xid=%u sid=0x%llx tid=0x%x fid=0x%llx offset=0x%llx len=0x%x rc=%d",
+ __entry->rreq_debug_id, __entry->rreq_debug_index,
+ __entry->xid, __entry->sesid, __entry->tid, __entry->fid,
+ __entry->offset, __entry->len, __entry->rc)
+@@ -190,7 +190,7 @@ DECLARE_EVENT_CLASS(smb3_other_err_class
+ __entry->len = len;
+ __entry->rc = rc;
+ ),
+- TP_printk("\txid=%u sid=0x%llx tid=0x%x fid=0x%llx offset=0x%llx len=0x%x rc=%d",
++ TP_printk("xid=%u sid=0x%llx tid=0x%x fid=0x%llx offset=0x%llx len=0x%x rc=%d",
+ __entry->xid, __entry->sesid, __entry->tid, __entry->fid,
+ __entry->offset, __entry->len, __entry->rc)
+ )
+@@ -247,7 +247,7 @@ DECLARE_EVENT_CLASS(smb3_copy_range_err_
+ __entry->len = len;
+ __entry->rc = rc;
+ ),
+- TP_printk("\txid=%u sid=0x%llx tid=0x%x source fid=0x%llx source offset=0x%llx target fid=0x%llx target offset=0x%llx len=0x%x rc=%d",
++ TP_printk("xid=%u sid=0x%llx tid=0x%x source fid=0x%llx source offset=0x%llx target fid=0x%llx target offset=0x%llx len=0x%x rc=%d",
+ __entry->xid, __entry->sesid, __entry->tid, __entry->target_fid,
+ __entry->src_offset, __entry->target_fid, __entry->target_offset, __entry->len, __entry->rc)
+ )
+@@ -298,7 +298,7 @@ DECLARE_EVENT_CLASS(smb3_copy_range_done
+ __entry->target_offset = target_offset;
+ __entry->len = len;
+ ),
+- TP_printk("\txid=%u sid=0x%llx tid=0x%x source fid=0x%llx source offset=0x%llx target fid=0x%llx target offset=0x%llx len=0x%x",
++ TP_printk("xid=%u sid=0x%llx tid=0x%x source fid=0x%llx source offset=0x%llx target fid=0x%llx target offset=0x%llx len=0x%x",
+ __entry->xid, __entry->sesid, __entry->tid, __entry->target_fid,
+ __entry->src_offset, __entry->target_fid, __entry->target_offset, __entry->len)
+ )
+@@ -482,7 +482,7 @@ DECLARE_EVENT_CLASS(smb3_fd_class,
+ __entry->tid = tid;
+ __entry->sesid = sesid;
+ ),
+- TP_printk("\txid=%u sid=0x%llx tid=0x%x fid=0x%llx",
++ TP_printk("xid=%u sid=0x%llx tid=0x%x fid=0x%llx",
+ __entry->xid, __entry->sesid, __entry->tid, __entry->fid)
+ )
+
+@@ -521,7 +521,7 @@ DECLARE_EVENT_CLASS(smb3_fd_err_class,
+ __entry->sesid = sesid;
+ __entry->rc = rc;
+ ),
+- TP_printk("\txid=%u sid=0x%llx tid=0x%x fid=0x%llx rc=%d",
++ TP_printk("xid=%u sid=0x%llx tid=0x%x fid=0x%llx rc=%d",
+ __entry->xid, __entry->sesid, __entry->tid, __entry->fid,
+ __entry->rc)
+ )
+@@ -793,7 +793,7 @@ DECLARE_EVENT_CLASS(smb3_cmd_err_class,
+ __entry->status = status;
+ __entry->rc = rc;
+ ),
+- TP_printk("\tsid=0x%llx tid=0x%x cmd=%u mid=%llu status=0x%x rc=%d",
++ TP_printk("sid=0x%llx tid=0x%x cmd=%u mid=%llu status=0x%x rc=%d",
+ __entry->sesid, __entry->tid, __entry->cmd, __entry->mid,
+ __entry->status, __entry->rc)
+ )
+@@ -828,7 +828,7 @@ DECLARE_EVENT_CLASS(smb3_cmd_done_class,
+ __entry->cmd = cmd;
+ __entry->mid = mid;
+ ),
+- TP_printk("\tsid=0x%llx tid=0x%x cmd=%u mid=%llu",
++ TP_printk("sid=0x%llx tid=0x%x cmd=%u mid=%llu",
+ __entry->sesid, __entry->tid,
+ __entry->cmd, __entry->mid)
+ )
+@@ -866,7 +866,7 @@ DECLARE_EVENT_CLASS(smb3_mid_class,
+ __entry->when_sent = when_sent;
+ __entry->when_received = when_received;
+ ),
+- TP_printk("\tcmd=%u mid=%llu pid=%u, when_sent=%lu when_rcv=%lu",
++ TP_printk("cmd=%u mid=%llu pid=%u, when_sent=%lu when_rcv=%lu",
+ __entry->cmd, __entry->mid, __entry->pid, __entry->when_sent,
+ __entry->when_received)
+ )
+@@ -897,7 +897,7 @@ DECLARE_EVENT_CLASS(smb3_exit_err_class,
+ __assign_str(func_name);
+ __entry->rc = rc;
+ ),
+- TP_printk("\t%s: xid=%u rc=%d",
++ TP_printk("%s: xid=%u rc=%d",
+ __get_str(func_name), __entry->xid, __entry->rc)
+ )
+
+@@ -923,7 +923,7 @@ DECLARE_EVENT_CLASS(smb3_sync_err_class,
+ __entry->ino = ino;
+ __entry->rc = rc;
+ ),
+- TP_printk("\tino=%lu rc=%d",
++ TP_printk("ino=%lu rc=%d",
+ __entry->ino, __entry->rc)
+ )
+
+@@ -949,7 +949,7 @@ DECLARE_EVENT_CLASS(smb3_enter_exit_clas
+ __entry->xid = xid;
+ __assign_str(func_name);
+ ),
+- TP_printk("\t%s: xid=%u",
++ TP_printk("%s: xid=%u",
+ __get_str(func_name), __entry->xid)
+ )
+
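Review bot: In smb3_copy_range_err_class and smb3_copy_range_done_class the argument printed for `source fid=0x%llx` is `__entry->target_fid`, the same value that is printed again for `target fid`, so the trace never shows the source handle. The patch rewrites exactly these TP_printk format strings but leaves the argument lists as they were. The first `__entry->target_fid` in both lists should presumably be the entry's source-fid field; its name is declared outside the hunks (likely `__entry->src_fid`, to be confirmed against TP_STRUCT__entry). Separately, the smb3_mid_class format keeps a comma in `pid=%u, when_sent=%lu` that no other field separator on this page has.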