From: Greg Kroah-Hartman Date: Mon, 29 Apr 2024 13:10:32 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v4.19.313~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4157ac3fcc6d28c7d2f8057eaf165ab1c4aa7c2d;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: ethernet-add-helper-for-assigning-packet-type-when-dest-address-does-not-match-device-address.patch fbdev-fix-incorrect-address-computation-in-deferred-io.patch mtd-diskonchip-work-around-ubsan-link-failure.patch net-b44-set-pause-params-only-when-interface-is-up.patch phy-qcom-qmp-combo-fix-register-base-for-qserdes_dp_phy_mode.patch phy-qcom-qmp-combo-fix-vco-div-offset-on-v3.patch stackdepot-respect-__gfp_nolockdep-allocation-flag.patch udp-preserve-the-connected-status-if-only-udp-cmsg.patch wifi-nl80211-don-t-free-null-coalescing-rule.patch
---
diff --git a/queue-6.6/ethernet-add-helper-for-assigning-packet-type-when-dest-address-does-not-match-device-address.patch b/queue-6.6/ethernet-add-helper-for-assigning-packet-type-when-dest-address-does-not-match-device-address.patch
new file mode 100644
index 00000000000..7b6bc941201
--- /dev/null
+++ b/queue-6.6/ethernet-add-helper-for-assigning-packet-type-when-dest-address-does-not-match-device-address.patch
@@ -0,0 +1,78 @@
+From 6e159fd653d7ebf6290358e0330a0cb8a75cf73b Mon Sep 17 00:00:00 2001
+From: Rahul Rameshbabu
+Date: Tue, 23 Apr 2024 11:13:03 -0700
+Subject: ethernet: Add helper for assigning packet type when dest address does not match device address
+
+From: Rahul Rameshbabu
+
+commit 6e159fd653d7ebf6290358e0330a0cb8a75cf73b upstream.
+
+Enable reuse of logic in eth_type_trans for determining packet type.
+
+Suggested-by: Sabrina Dubroca
+Cc: stable@vger.kernel.org
+Signed-off-by: Rahul Rameshbabu
+Reviewed-by: Sabrina Dubroca
+Link: https://lore.kernel.org/r/20240423181319.115860-3-rrameshbabu@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/etherdevice.h | 25 +++++++++++++++++++++++++
+ net/ethernet/eth.c | 12 +-----------
+ 2 files changed, 26 insertions(+), 11 deletions(-)
+
+--- a/include/linux/etherdevice.h
++++ b/include/linux/etherdevice.h
+@@ -608,6 +608,31 @@ static inline void eth_hw_addr_gen(struc
+ }
+
+ /**
++ * eth_skb_pkt_type - Assign packet type if destination address does not match
++ * @skb: Assigned a packet type if address does not match @dev address
++ * @dev: Network device used to compare packet address against
++ *
++ * If the destination MAC address of the packet does not match the network
++ * device address, assign an appropriate packet type.
++ */
++static inline void eth_skb_pkt_type(struct sk_buff *skb,
++ const struct net_device *dev)
++{
++ const struct ethhdr *eth = eth_hdr(skb);
++
++ if (unlikely(!ether_addr_equal_64bits(eth->h_dest, dev->dev_addr))) {
++ if (unlikely(is_multicast_ether_addr_64bits(eth->h_dest))) {
++ if (ether_addr_equal_64bits(eth->h_dest, dev->broadcast))
++ skb->pkt_type = PACKET_BROADCAST;
++ else
++ skb->pkt_type = PACKET_MULTICAST;
++ } else {
++ skb->pkt_type = PACKET_OTHERHOST;
++ }
++ }
++}
++
++/**
+ * eth_skb_pad - Pad buffer to mininum number of octets for Ethernet frame
+ * @skb: Buffer to pad
+ *
+--- a/net/ethernet/eth.c
++++ b/net/ethernet/eth.c
+@@ -164,17 +164,7 @@ __be16 eth_type_trans(struct sk_buff *sk
+ eth = (struct ethhdr *)skb->data;
+ skb_pull_inline(skb, ETH_HLEN);
+
+- if (unlikely(!ether_addr_equal_64bits(eth->h_dest,
+- dev->dev_addr))) {
+- if (unlikely(is_multicast_ether_addr_64bits(eth->h_dest))) {
+- if (ether_addr_equal_64bits(eth->h_dest, dev->broadcast))
+- skb->pkt_type = PACKET_BROADCAST;
+- else
+- skb->pkt_type = PACKET_MULTICAST;
+- } else {
+- skb->pkt_type = PACKET_OTHERHOST;
+- }
+- }
++ eth_skb_pkt_type(skb, dev);
+
+ /*
+ * Some variants of DSA tagging don't have an ethertype field
diff --git a/queue-6.6/fbdev-fix-incorrect-address-computation-in-deferred-io.patch b/queue-6.6/fbdev-fix-incorrect-address-computation-in-deferred-io.patch
new file mode 100644
index 00000000000..a7e0bbf1903
--- /dev/null
+++ b/queue-6.6/fbdev-fix-incorrect-address-computation-in-deferred-io.patch
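Review bot: The kernel-doc for eth_skb_pkt_type() in include/linux/etherdevice.h does not state the precondition that the helper introduces. It reads the header through `eth_hdr(skb)`, whereas the inline code it replaces in eth_type_trans() used the local `eth` pointer taken from `skb->data`, so any new caller must have the MAC header offset set before calling. I would add a line to the comment such as `* The caller must have set the MAC header (e.g. via skb_reset_mac_header()) before calling.` eth_type_trans() presumably does this before the visible context lines, but that part of the function is outside the hunk.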
@@ -0,0 +1,55 @@
+From 78d9161d2bcd442d93d917339297ffa057dbee8c Mon Sep 17 00:00:00 2001
+From: Nam Cao
+Date: Tue, 23 Apr 2024 13:50:53 +0200
+Subject: fbdev: fix incorrect address computation in deferred IO
+
+From: Nam Cao
+
+commit 78d9161d2bcd442d93d917339297ffa057dbee8c upstream.
+
+With deferred IO enabled, a page fault happens when data is written to the
+framebuffer device. Then driver determines which page is being updated by
+calculating the offset of the written virtual address within the virtual
+memory area, and uses this offset to get the updated page within the
+internal buffer. This page is later copied to hardware (thus the name
+"deferred IO").
+
+This offset calculation is only correct if the virtual memory area is
+mapped to the beginning of the internal buffer. Otherwise this is wrong.
+For example, if users do:
+ mmap(ptr, 4096, PROT_WRITE, MAP_FIXED | MAP_SHARED, fd, 0xff000);
+
+Then the virtual memory area will mapped at offset 0xff000 within the
+internal buffer. This offset 0xff000 is not accounted for, and wrong page
+is updated.
+
+Correct the calculation by using vmf->pgoff instead. With this change, the
+variable "offset" will no longer hold the exact offset value, but it is
+rounded down to multiples of PAGE_SIZE. But this is still correct, because
+this variable is only used to calculate the page offset.
+
+Reported-by: Harshit Mogalapalli
+Closes: https://lore.kernel.org/linux-fbdev/271372d6-e665-4e7f-b088-dee5f4ab341a@oracle.com
+Fixes: 56c134f7f1b5 ("fbdev: Track deferred-I/O pages in pageref struct")
+Cc:
+Signed-off-by: Nam Cao
+Reviewed-by: Thomas Zimmermann
+Tested-by: Harshit Mogalapalli
+Signed-off-by: Thomas Zimmermann
+Link: https://patchwork.freedesktop.org/patch/msgid/20240423115053.4490-1-namcao@linutronix.de
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/core/fb_defio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/core/fb_defio.c
++++ b/drivers/video/fbdev/core/fb_defio.c
+@@ -196,7 +196,7 @@ err_mutex_unlock:
+ */
+ static vm_fault_t fb_deferred_io_page_mkwrite(struct fb_info *info, struct vm_fault *vmf)
+ {
+- unsigned long offset = vmf->address - vmf->vma->vm_start;
++ unsigned long offset = vmf->pgoff << PAGE_SHIFT;
+ struct page *page = vmf->page;
+
+ file_update_time(vmf->vma->vm_file);
diff --git a/queue-6.6/mtd-diskonchip-work-around-ubsan-link-failure.patch b/queue-6.6/mtd-diskonchip-work-around-ubsan-link-failure.patch
new file mode 100644
index 00000000000..b86272b6e82
--- /dev/null
+++ b/queue-6.6/mtd-diskonchip-work-around-ubsan-link-failure.patch
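Review bot: In fb_deferred_io_page_mkwrite() (drivers/video/fbdev/core/fb_defio.c) `offset` now comes from `vmf->pgoff`, which tracks the file offset user space passed to mmap(), and nothing in the hunk bounds it against the size of the deferred-I/O buffer. The code that turns `offset` into a page is outside the hunk, so it should be confirmed that it rejects an offset at or beyond the buffer length before selecting a page. A comment on the new line would also help the next reader, e.g. `/* page-aligned offset into the buffer, taken from the mmap offset rather than the VMA start */`.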
@@ -0,0 +1,56 @@
+From 21c9fb611c25d5cd038f6fe485232e7884bb0b3d Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Fri, 5 Apr 2024 16:30:04 +0200
+Subject: mtd: diskonchip: work around ubsan link failure
+
+From: Arnd Bergmann
+
+commit 21c9fb611c25d5cd038f6fe485232e7884bb0b3d upstream.
+
+I ran into a randconfig build failure with UBSAN using gcc-13.2:
+
+arm-linux-gnueabi-ld: error: unplaced orphan section `.bss..Lubsan_data31' from `drivers/mtd/nand/raw/diskonchip.o'
+
+I'm not entirely sure what is going on here, but I suspect this has something
+to do with the check for the end of the doc_locations[] array that contains
+an (unsigned long)0xffffffff element, which is compared against the signed
+(int)0xffffffff. If this is the case, we should get a runtime check for
+undefined behavior, but we instead get an unexpected build-time error.
+
+I would have expected this to work fine on 32-bit architectures despite the
+signed integer overflow, though on 64-bit architectures this likely won't
+ever work.
+
+Changing the contition to instead check for the size of the array makes the
+code safe everywhere and avoids the ubsan check that leads to the link
+error. The loop code goes back to before 2.6.12.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Miquel Raynal
+Link: https://lore.kernel.org/linux-mtd/20240405143015.717429-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/nand/raw/diskonchip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/raw/diskonchip.c
++++ b/drivers/mtd/nand/raw/diskonchip.c
+@@ -53,7 +53,7 @@ static unsigned long doc_locations[] __i
+ 0xe8000, 0xea000, 0xec000, 0xee000,
+ #endif
+ #endif
+- 0xffffffff };
++};
+
+ static struct mtd_info *doclist = NULL;
+
+@@ -1552,7 +1552,7 @@ static int __init init_nanddoc(void)
+ if (ret < 0)
+ return ret;
+ } else {
+- for (i = 0; (doc_locations[i] != 0xffffffff); i++) {
++ for (i = 0; i < ARRAY_SIZE(doc_locations); i++) {
+ doc_probe(doc_locations[i]);
+ }
+ }
diff --git a/queue-6.6/net-b44-set-pause-params-only-when-interface-is-up.patch b/queue-6.6/net-b44-set-pause-params-only-when-interface-is-up.patch
new file mode 100644
index 00000000000..01e9da9b651
--- /dev/null
+++ b/queue-6.6/net-b44-set-pause-params-only-when-interface-is-up.patch
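Review bot: Dropping the `0xffffffff` terminator from doc_locations[] in drivers/mtd/nand/raw/diskonchip.c is only safe if the loop in init_nanddoc() was the sole place that walked the table up to the sentinel. Any other loop in the file that still tests for `0xffffffff` would now read past the end of the array, and only this one loop is visible, so the rest of the file needs checking. The declaration of `i` is also outside the hunk; if it is a signed `int`, `i < ARRAY_SIZE(doc_locations)` is a signed/unsigned comparison, which is harmless for a small table but worth a glance under `-Wsign-compare`.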
@@ -0,0 +1,61 @@
+From e3eb7dd47bd4806f00e104eb6da092c435f9fb21 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Peter=20M=C3=BCnster?=
+Date: Wed, 24 Apr 2024 15:51:52 +0200
+Subject: net: b44: set pause params only when interface is up
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Peter Münster
+
+commit e3eb7dd47bd4806f00e104eb6da092c435f9fb21 upstream.
+
+b44_free_rings() accesses b44::rx_buffers (and ::tx_buffers)
+unconditionally, but b44::rx_buffers is only valid when the
+device is up (they get allocated in b44_open(), and deallocated
+again in b44_close()), any other time these are just a NULL pointers.
+
+So if you try to change the pause params while the network interface
+is disabled/administratively down, everything explodes (which likely
+netifd tries to do).
+
+Link: https://github.com/openwrt/openwrt/issues/13789
+Fixes: 1da177e4c3f4 (Linux-2.6.12-rc2)
+Cc: stable@vger.kernel.org
+Reported-by: Peter Münster
+Suggested-by: Jonas Gorski
+Signed-off-by: Vaclav Svoboda
+Tested-by: Peter Münster
+Reviewed-by: Andrew Lunn
+Signed-off-by: Peter Münster
+Reviewed-by: Michael Chan
+Link: https://lore.kernel.org/r/87y192oolj.fsf@a16n.net
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/b44.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/b44.c
++++ b/drivers/net/ethernet/broadcom/b44.c
+@@ -2009,12 +2009,14 @@ static int b44_set_pauseparam(struct net
+ bp->flags |= B44_FLAG_TX_PAUSE;
+ else
+ bp->flags &= ~B44_FLAG_TX_PAUSE;
+- if (bp->flags & B44_FLAG_PAUSE_AUTO) {
+- b44_halt(bp);
+- b44_init_rings(bp);
+- b44_init_hw(bp, B44_FULL_RESET);
+- } else {
+- __b44_set_flow_ctrl(bp, bp->flags);
++ if (netif_running(dev)) {
++ if (bp->flags & B44_FLAG_PAUSE_AUTO) {
++ b44_halt(bp);
++ b44_init_rings(bp);
++ b44_init_hw(bp, B44_FULL_RESET);
++ } else {
++ __b44_set_flow_ctrl(bp, bp->flags);
++ }
+ }
+ spin_unlock_irq(&bp->lock);
+
diff --git a/queue-6.6/phy-qcom-qmp-combo-fix-register-base-for-qserdes_dp_phy_mode.patch b/queue-6.6/phy-qcom-qmp-combo-fix-register-base-for-qserdes_dp_phy_mode.patch
new file mode 100644
index 00000000000..fa08243ab5c
--- /dev/null
+++ b/queue-6.6/phy-qcom-qmp-combo-fix-register-base-for-qserdes_dp_phy_mode.patch
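Review bot: The new `if (netif_running(dev))` guard in b44_set_pauseparam() (drivers/net/ethernet/broadcom/b44.c) carries no comment, and the reason the hardware path is skipped is not visible from the code alone. Going by the commit message, the rings are only allocated while the device is up, so I would put `/* rings exist only between b44_open() and b44_close(); while down, just record the flags */` above the guard. The function still updates `bp->flags` when the interface is down, so it should be confirmed that the open path programs flow control from those flags; that code and the rest of this function are outside the hunk.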
@@ -0,0 +1,55 @@
+From ee13e1f3c72b9464a4d73017c060ab503eed653a Mon Sep 17 00:00:00 2001
+From: Stephen Boyd
+Date: Thu, 4 Apr 2024 17:01:03 -0700
+Subject: phy: qcom: qmp-combo: Fix register base for QSERDES_DP_PHY_MODE
+
+From: Stephen Boyd
+
+commit ee13e1f3c72b9464a4d73017c060ab503eed653a upstream.
+
+The register base that was used to write to the QSERDES_DP_PHY_MODE
+register was 'dp_dp_phy' before commit 815891eee668 ("phy:
+qcom-qmp-combo: Introduce orientation variable"). There isn't any
+explanation in the commit why this is changed, so I suspect it was an
+oversight or happened while being extracted from some other series.
+Oddly the value being 0x4c or 0x5c doesn't seem to matter for me, so I
+suspect this is dead code, but that can be fixed in another patch. It's
+not good to write to the wrong register space, and maybe some other
+version of this phy relies on this.
+
+Cc: Douglas Anderson
+Cc: Abhinav Kumar
+Cc: Dmitry Baryshkov
+Cc: Neil Armstrong
+Cc: Abel Vesa
+Cc: Steev Klimaszewski
+Cc: Johan Hovold
+Cc: Bjorn Andersson
+Cc: stable@vger.kernel.org # 6.5
+Fixes: 815891eee668 ("phy: qcom-qmp-combo: Introduce orientation variable")
+Signed-off-by: Stephen Boyd
+Reviewed-by: Abhinav Kumar
+Reviewed-by: Bjorn Andersson
+Reviewed-by: Dmitry Baryshkov
+Reviewed-by: Johan Hovold
+Link: https://lore.kernel.org/r/20240405000111.1450598-1-swboyd@chromium.org
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
+@@ -2047,9 +2047,9 @@ static bool qmp_combo_configure_dp_mode(
+ writel(val, qmp->dp_dp_phy + QSERDES_DP_PHY_PD_CTL);
+
+ if (reverse)
+- writel(0x4c, qmp->pcs + QSERDES_DP_PHY_MODE);
++ writel(0x4c, qmp->dp_dp_phy + QSERDES_DP_PHY_MODE);
+ else
+- writel(0x5c, qmp->pcs + QSERDES_DP_PHY_MODE);
++ writel(0x5c, qmp->dp_dp_phy + QSERDES_DP_PHY_MODE);
+
+ return reverse;
+ }
diff --git a/queue-6.6/phy-qcom-qmp-combo-fix-vco-div-offset-on-v3.patch b/queue-6.6/phy-qcom-qmp-combo-fix-vco-div-offset-on-v3.patch
new file mode 100644
index 00000000000..fd89e7be801
--- /dev/null
+++ b/queue-6.6/phy-qcom-qmp-combo-fix-vco-div-offset-on-v3.patch
@@ -0,0 +1,87 @@
+From 5abed58a8bde6d349bde364a160510b5bb904d18 Mon Sep 17 00:00:00 2001
+From: Stephen Boyd
+Date: Thu, 4 Apr 2024 16:43:44 -0700
+Subject: phy: qcom: qmp-combo: Fix VCO div offset on v3
+
+From: Stephen Boyd
+
+commit 5abed58a8bde6d349bde364a160510b5bb904d18 upstream.
+
+Commit ec17373aebd0 ("phy: qcom: qmp-combo: extract common function to
+setup clocks") changed the offset that is used to write to
+DP_PHY_VCO_DIV from QSERDES_V3_DP_PHY_VCO_DIV to
+QSERDES_V4_DP_PHY_VCO_DIV. Unfortunately, this offset is different
+between v3 and v4 phys:
+
+ #define QSERDES_V3_DP_PHY_VCO_DIV 0x064
+ #define QSERDES_V4_DP_PHY_VCO_DIV 0x070
+
+meaning that we write the wrong register on v3 phys now. Add another
+generic register to 'regs' and use it here instead of a version specific
+define to fix this.
+
+This was discovered after Abhinav looked over register dumps with me
+from sc7180 Trogdor devices that started failing to light up the
+external display with v6.6 based kernels. It turns out that some
+monitors are very specific about their link clk frequency and if the
+default power on reset value is still there the monitor will show a
+blank screen or a garbled display. Other monitors are perfectly happy to
+get a bad clock signal.
+
+Cc: Douglas Anderson
+Cc: Abhinav Kumar
+Cc: Dmitry Baryshkov
+Fixes: ec17373aebd0 ("phy: qcom: qmp-combo: extract common function to setup clocks")
+Signed-off-by: Stephen Boyd
+Reviewed-by: Abhinav Kumar
+Reviewed-by: Dmitry Baryshkov
+Link: https://lore.kernel.org/r/20240404234345.1446300-1-swboyd@chromium.org
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
+@@ -112,6 +112,7 @@ enum qphy_reg_layout {
+ QPHY_COM_BIAS_EN_CLKBUFLR_EN,
+
+ QPHY_DP_PHY_STATUS,
++ QPHY_DP_PHY_VCO_DIV,
+
+ QPHY_TX_TX_POL_INV,
+ QPHY_TX_TX_DRV_LVL,
+@@ -137,6 +138,7 @@ static const unsigned int qmp_v3_usb3phy
+ [QPHY_COM_BIAS_EN_CLKBUFLR_EN] = QSERDES_V3_COM_BIAS_EN_CLKBUFLR_EN,
+
+ [QPHY_DP_PHY_STATUS] = QSERDES_V3_DP_PHY_STATUS,
++ [QPHY_DP_PHY_VCO_DIV] = QSERDES_V3_DP_PHY_VCO_DIV,
+
+ [QPHY_TX_TX_POL_INV] = QSERDES_V3_TX_TX_POL_INV,
+ [QPHY_TX_TX_DRV_LVL] = QSERDES_V3_TX_TX_DRV_LVL,
+@@ -161,6 +163,7 @@ static const unsigned int qmp_v45_usb3ph
+ [QPHY_COM_BIAS_EN_CLKBUFLR_EN] = QSERDES_V4_COM_BIAS_EN_CLKBUFLR_EN,
+
+ [QPHY_DP_PHY_STATUS] = QSERDES_V4_DP_PHY_STATUS,
++ [QPHY_DP_PHY_VCO_DIV] = QSERDES_V4_DP_PHY_VCO_DIV,
+
+ [QPHY_TX_TX_POL_INV] = QSERDES_V4_TX_TX_POL_INV,
+ [QPHY_TX_TX_DRV_LVL] = QSERDES_V4_TX_TX_DRV_LVL,
+@@ -2059,6 +2062,7 @@ static int qmp_combo_configure_dp_clocks
+ const struct phy_configure_opts_dp *dp_opts = &qmp->dp_opts;
+ u32 phy_vco_div;
+ unsigned long pixel_freq;
++ const struct qmp_phy_cfg *cfg = qmp->cfg;
+
+ switch (dp_opts->link_rate) {
+ case 1620:
+@@ -2081,7 +2085,7 @@ static int qmp_combo_configure_dp_clocks
+ /* Other link rates aren't supported */
+ return -EINVAL;
+ }
+- writel(phy_vco_div, qmp->dp_dp_phy + QSERDES_V4_DP_PHY_VCO_DIV);
++ writel(phy_vco_div, qmp->dp_dp_phy + cfg->regs[QPHY_DP_PHY_VCO_DIV]);
+
+ clk_set_rate(qmp->dp_link_hw.clk, dp_opts->link_rate * 100000);
+ clk_set_rate(qmp->dp_pixel_hw.clk, pixel_freq);
diff --git a/queue-6.6/series b/queue-6.6/series
index 7ccc829c663..b45dc2a658a 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -146,3 +146,12 @@ irqchip-gic-v3-its-prevent-double-free-on-error.patch
 acpi-cppc-use-access_width-over-bit_width-for-system-memory-accesses.patch
 acpi-cppc-fix-bit_offset-shift-in-mask_val-macro.patch
 acpi-cppc-fix-access-width-used-for-pcc-registers.patch
+ethernet-add-helper-for-assigning-packet-type-when-dest-address-does-not-match-device-address.patch
+net-b44-set-pause-params-only-when-interface-is-up.patch
+stackdepot-respect-__gfp_nolockdep-allocation-flag.patch
+fbdev-fix-incorrect-address-computation-in-deferred-io.patch
+udp-preserve-the-connected-status-if-only-udp-cmsg.patch
+wifi-nl80211-don-t-free-null-coalescing-rule.patch
+mtd-diskonchip-work-around-ubsan-link-failure.patch
+phy-qcom-qmp-combo-fix-register-base-for-qserdes_dp_phy_mode.patch
+phy-qcom-qmp-combo-fix-vco-div-offset-on-v3.patch
diff --git a/queue-6.6/stackdepot-respect-__gfp_nolockdep-allocation-flag.patch b/queue-6.6/stackdepot-respect-__gfp_nolockdep-allocation-flag.patch
new file mode 100644
index 00000000000..aef4bb4a50e
--- /dev/null
+++ b/queue-6.6/stackdepot-respect-__gfp_nolockdep-allocation-flag.patch
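Review bot: In qmp_combo_configure_dp_clocks() (drivers/phy/qualcomm/phy-qcom-qmp-combo.c) the new `cfg->regs[QPHY_DP_PHY_VCO_DIV]` silently resolves to offset 0 for any register layout table that does not define the new index, because slots left out of a designated initializer are zero. The queued patch adds the entry to the v3 and v45 tables only. If this tree has further layout tables used by DP-capable configurations, each needs its own `[QPHY_DP_PHY_VCO_DIV] = ...` line, otherwise the divider write lands on `qmp->dp_dp_phy + 0`. Whether such tables exist in 6.6 is not visible in these hunks.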
@@ -0,0 +1,95 @@
+From 6fe60465e1d53ea321ee909be26d97529e8f746c Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin
+Date: Thu, 18 Apr 2024 16:11:33 +0200
+Subject: stackdepot: respect __GFP_NOLOCKDEP allocation flag
+
+From: Andrey Ryabinin
+
+commit 6fe60465e1d53ea321ee909be26d97529e8f746c upstream.
+
+If stack_depot_save_flags() allocates memory it always drops
+__GFP_NOLOCKDEP flag. So when KASAN tries to track __GFP_NOLOCKDEP
+allocation we may end up with lockdep splat like bellow:
+
+======================================================
+ WARNING: possible circular locking dependency detected
+ 6.9.0-rc3+ #49 Not tainted
+ ------------------------------------------------------
+ kswapd0/149 is trying to acquire lock:
+ ffff88811346a920
+(&xfs_nondir_ilock_class){++++}-{4:4}, at: xfs_reclaim_inode+0x3ac/0x590
+[xfs]
+
+ but task is already holding lock:
+ ffffffff8bb33100 (fs_reclaim){+.+.}-{0:0}, at:
+balance_pgdat+0x5d9/0xad0
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+ -> #1 (fs_reclaim){+.+.}-{0:0}:
+ __lock_acquire+0x7da/0x1030
+ lock_acquire+0x15d/0x400
+ fs_reclaim_acquire+0xb5/0x100
+ prepare_alloc_pages.constprop.0+0xc5/0x230
+ __alloc_pages+0x12a/0x3f0
+ alloc_pages_mpol+0x175/0x340
+ stack_depot_save_flags+0x4c5/0x510
+ kasan_save_stack+0x30/0x40
+ kasan_save_track+0x10/0x30
+ __kasan_slab_alloc+0x83/0x90
+ kmem_cache_alloc+0x15e/0x4a0
+ __alloc_object+0x35/0x370
+ __create_object+0x22/0x90
+ __kmalloc_node_track_caller+0x477/0x5b0
+ krealloc+0x5f/0x110
+ xfs_iext_insert_raw+0x4b2/0x6e0 [xfs]
+ xfs_iext_insert+0x2e/0x130 [xfs]
+ xfs_iread_bmbt_block+0x1a9/0x4d0 [xfs]
+ xfs_btree_visit_block+0xfb/0x290 [xfs]
+ xfs_btree_visit_blocks+0x215/0x2c0 [xfs]
+ xfs_iread_extents+0x1a2/0x2e0 [xfs]
+ xfs_buffered_write_iomap_begin+0x376/0x10a0 [xfs]
+ iomap_iter+0x1d1/0x2d0
+ iomap_file_buffered_write+0x120/0x1a0
+ xfs_file_buffered_write+0x128/0x4b0 [xfs]
+ vfs_write+0x675/0x890
+ ksys_write+0xc3/0x160
+ do_syscall_64+0x94/0x170
+ entry_SYSCALL_64_after_hwframe+0x71/0x79
+
+Always preserve __GFP_NOLOCKDEP to fix this.
+
+Link: https://lkml.kernel.org/r/20240418141133.22950-1-ryabinin.a.a@gmail.com
+Fixes: cd11016e5f52 ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB")
+Signed-off-by: Andrey Ryabinin
+Reported-by: Xiubo Li
+Closes: https://lore.kernel.org/all/a0caa289-ca02-48eb-9bf2-d86fd47b71f4@redhat.com/
+Reported-by: Damien Le Moal
+Closes: https://lore.kernel.org/all/f9ff999a-e170-b66b-7caf-293f2b147ac2@opensource.wdc.com/
+Suggested-by: Dave Chinner
+Tested-by: Xiubo Li
+Cc: Christoph Hellwig
+Cc: Alexander Potapenko
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/stackdepot.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/lib/stackdepot.c
++++ b/lib/stackdepot.c
+@@ -402,10 +402,10 @@ depot_stack_handle_t __stack_depot_save(
+ /*
+ * Zero out zone modifiers, as we don't have specific zone
+ * requirements. Keep the flags related to allocation in atomic
+- * contexts and I/O.
++ * contexts, I/O, nolockdep.
+ */
+ alloc_flags &= ~GFP_ZONEMASK;
+- alloc_flags &= (GFP_ATOMIC | GFP_KERNEL);
++ alloc_flags &= (GFP_ATOMIC | GFP_KERNEL | __GFP_NOLOCKDEP);
+ alloc_flags |= __GFP_NOWARN;
+ page = alloc_pages(alloc_flags, DEPOT_POOL_ORDER);
+ if (page)
diff --git a/queue-6.6/udp-preserve-the-connected-status-if-only-udp-cmsg.patch b/queue-6.6/udp-preserve-the-connected-status-if-only-udp-cmsg.patch
new file mode 100644
index 00000000000..22226cab430
--- /dev/null
+++ b/queue-6.6/udp-preserve-the-connected-status-if-only-udp-cmsg.patch
@@ -0,0 +1,70 @@
+From 680d11f6e5427b6af1321932286722d24a8b16c1 Mon Sep 17 00:00:00 2001
+From: Yick Xie
+Date: Fri, 19 Apr 2024 01:06:10 +0800
+Subject: udp: preserve the connected status if only UDP cmsg
+
+From: Yick Xie
+
+commit 680d11f6e5427b6af1321932286722d24a8b16c1 upstream.
+
+If "udp_cmsg_send()" returned 0 (i.e. only UDP cmsg),
+"connected" should not be set to 0. Otherwise it stops
+the connected socket from using the cached route.
+
+Fixes: 2e8de8576343 ("udp: add gso segment cmsg")
+Signed-off-by: Yick Xie
+Cc: stable@vger.kernel.org
+Reviewed-by: Willem de Bruijn
+Link: https://lore.kernel.org/r/20240418170610.867084-1-yick.xie@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/udp.c | 5 +++--
+ net/ipv6/udp.c | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1124,16 +1124,17 @@ int udp_sendmsg(struct sock *sk, struct
+
+ if (msg->msg_controllen) {
+ err = udp_cmsg_send(sk, msg, &ipc.gso_size);
+- if (err > 0)
++ if (err > 0) {
+ err = ip_cmsg_send(sk, msg, &ipc,
+ sk->sk_family == AF_INET6);
++ connected = 0;
++ }
+ if (unlikely(err < 0)) {
+ kfree(ipc.opt);
+ return err;
+ }
+ if (ipc.opt)
+ free = 1;
+- connected = 0;
+ }
+ if (!ipc.opt) {
+ struct ip_options_rcu *inet_opt;
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1476,9 +1476,11 @@ do_udp_sendmsg:
+ ipc6.opt = opt;
+
+ err = udp_cmsg_send(sk, msg, &ipc6.gso_size);
+- if (err > 0)
++ if (err > 0) {
+ err = ip6_datagram_send_ctl(sock_net(sk), sk, msg, fl6,
+ &ipc6);
++ connected = false;
++ }
+ if (err < 0) {
+ fl6_sock_release(flowlabel);
+ return err;
+@@ -1490,7 +1492,6 @@ do_udp_sendmsg:
+ }
+ if (!(opt->opt_nflen|opt->opt_flen))
+ opt = NULL;
+- connected = false;
+ }
+ if (!opt) {
+ opt = txopt_get(np);
diff --git a/queue-6.6/wifi-nl80211-don-t-free-null-coalescing-rule.patch b/queue-6.6/wifi-nl80211-don-t-free-null-coalescing-rule.patch
new file mode 100644
index 00000000000..164ddb1dc29
--- /dev/null
+++ b/queue-6.6/wifi-nl80211-don-t-free-null-coalescing-rule.patch
@@ -0,0 +1,32 @@
+From 801ea33ae82d6a9d954074fbcf8ea9d18f1543a7 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Thu, 18 Apr 2024 10:52:23 +0200
+Subject: wifi: nl80211: don't free NULL coalescing rule
+
+From: Johannes Berg
+
+commit 801ea33ae82d6a9d954074fbcf8ea9d18f1543a7 upstream.
+
+If the parsing fails, we can dereference a NULL pointer here.
+
+Cc: stable@vger.kernel.org
+Fixes: be29b99a9b51 ("cfg80211/nl80211: Add packet coalesce support")
+Reviewed-by: Miriam Rachel Korenblit
+Link: https://msgid.link/20240418105220.b328f80406e7.Id75d961050deb05b3e4e354e024866f350c68103@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/wireless/nl80211.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -14052,6 +14052,8 @@ static int nl80211_set_coalesce(struct s
+ error:
+ for (i = 0; i < new_coalesce.n_rules; i++) {
+ tmp_rule = &new_coalesce.rules[i];
++ if (!tmp_rule)
++ continue;
+ for (j = 0; j < tmp_rule->n_patterns; j++)
+ kfree(tmp_rule->patterns[j].mask);
+ kfree(tmp_rule->patterns);
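Review bot: The added `if (!tmp_rule) continue;` in the error path of nl80211_set_coalesce() (net/wireless/nl80211.c) tests a pointer that was just formed as `&new_coalesce.rules[i]`, and the address of an array element is not NULL for any valid `rules` array, so the check looks like it can never skip an entry. The pointer that can plausibly be NULL after a failed parse is `tmp_rule->patterns`, which the inner loop dereferences through `tmp_rule->patterns[j].mask`. If that is the failure the commit message refers to, the guard should read `if (!tmp_rule->patterns) continue;`. The parsing code that decides whether `n_patterns` can be non-zero while `patterns` is still NULL is outside the hunk, so this needs checking there.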