From: Greg Kroah-Hartman Date: Mon, 20 Jan 2025 13:54:05 +0000 (+0100) Subject: 6.12-stable patches X-Git-Tag: v6.6.73~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=45e2a62307c2840020b2c086cb4a9f0b939bb583;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: drm-nouveau-disp-fix-missing-backlight-control-on-macbook-5-1.patch filemap-avoid-truncating-64-bit-offset-to-32-bits.patch fs-proc-fix-softlockup-in-__read_vmcore-part-2.patch gpio-xilinx-convert-gpio_lock-to-raw-spinlock.patch i2c-atr-fix-client-detach.patch mptcp-be-sure-to-send-ack-when-mptcp-level-window-re-opens.patch mptcp-fix-spurious-wake-up-on-under-memory-pressure.patch net-ethernet-xgbe-re-add-aneg-to-supported-features-in-phy-quirks.patch net-ncsi-fix-locking-in-get-mac-address-handling.patch nouveau-fence-handle-cross-device-fences-properly.patch selftests-mptcp-avoid-spurious-errors-on-disconnect.patch tools-fix-atomic_set-definition-to-set-the-value-correctly.patch vsock-bpf-return-early-if-transport-is-not-assigned.patch vsock-prevent-null-ptr-deref-in-vsock_.patch vsock-reset-socket-state-when-de-assigning-the-transport.patch vsock-virtio-cancel-close-work-in-the-destructor.patch vsock-virtio-discard-packets-if-the-transport-changes.patch --- diff --git a/queue-6.12/drm-nouveau-disp-fix-missing-backlight-control-on-macbook-5-1.patch b/queue-6.12/drm-nouveau-disp-fix-missing-backlight-control-on-macbook-5-1.patch new file mode 100644 index 0000000000..c84640327b --- /dev/null +++ b/queue-6.12/drm-nouveau-disp-fix-missing-backlight-control-on-macbook-5-1.patch 
@@ -0,0 +1,38 @@ +From 35243fc777566ccb3370e175cf591fea0f81f68c Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 2 Jan 2025 12:49:36 +0100 +Subject: drm/nouveau/disp: Fix missing backlight control on Macbook 5,1 + +From: Takashi Iwai + +commit 35243fc777566ccb3370e175cf591fea0f81f68c upstream. + +Macbook 5,1 with MCP79 lost its backlight control since the recent +change for supporting GSP-RM; it rewrote the whole nv50 backlight +control code and each display engine is supposed to have an entry for +IOR bl callback, but it didn't cover mcp77. + +This patch adds the missing bl entry initialization for mcp77 display +engine to recover the backlight control. + +Fixes: 2274ce7e3681 ("drm/nouveau/disp: add output backlight control methods") +Cc: stable@vger.kernel.org +Link: https://bugzilla.suse.com/show_bug.cgi?id=1223838 +Signed-off-by: Takashi Iwai +Signed-off-by: Danilo Krummrich +Link: https://patchwork.freedesktop.org/patch/msgid/20250102114944.11499-1-tiwai@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/engine/disp/mcp77.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/mcp77.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/mcp77.c +@@ -31,6 +31,7 @@ mcp77_sor = { + .state = g94_sor_state, + .power = nv50_sor_power, + .clock = nv50_sor_clock, ++ .bl = &nv50_sor_bl, + .hdmi = &g84_sor_hdmi, + .dp = &g94_sor_dp, + }; diff --git a/queue-6.12/filemap-avoid-truncating-64-bit-offset-to-32-bits.patch b/queue-6.12/filemap-avoid-truncating-64-bit-offset-to-32-bits.patch new file mode 100644 index 0000000000..6d464fa146 --- /dev/null +++ b/queue-6.12/filemap-avoid-truncating-64-bit-offset-to-32-bits.patch 
@@ -0,0 +1,35 @@ +From f505e6c91e7a22d10316665a86d79f84d9f0ba76 Mon Sep 17 00:00:00 2001 +From: Marco Nelissen +Date: Thu, 2 Jan 2025 11:04:11 -0800 +Subject: filemap: avoid truncating 64-bit offset to 32 bits + +From: Marco Nelissen + +commit f505e6c91e7a22d10316665a86d79f84d9f0ba76 upstream. + +On 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a +64-bit value to 32 bits, leading to a possible infinite loop when writing +to an xfs filesystem. + +Link: https://lkml.kernel.org/r/20250102190540.1356838-1-marco.nelissen@gmail.com +Fixes: 54fa39ac2e00 ("iomap: use mapping_seek_hole_data") +Signed-off-by: Marco Nelissen +Cc: Matthew Wilcox (Oracle) +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/filemap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -3004,7 +3004,7 @@ static inline loff_t folio_seek_hole_dat + if (ops->is_partially_uptodate(folio, offset, bsz) == + seek_data) + break; +- start = (start + bsz) & ~(bsz - 1); ++ start = (start + bsz) & ~((u64)bsz - 1); + offset += bsz; + } while (offset < folio_size(folio)); + unlock: diff --git a/queue-6.12/fs-proc-fix-softlockup-in-__read_vmcore-part-2.patch b/queue-6.12/fs-proc-fix-softlockup-in-__read_vmcore-part-2.patch new file mode 100644 index 0000000000..6c85bb4f63 --- /dev/null +++ b/queue-6.12/fs-proc-fix-softlockup-in-__read_vmcore-part-2.patch 
@@ -0,0 +1,49 @@ +From cbc5dde0a461240046e8a41c43d7c3b76d5db952 Mon Sep 17 00:00:00 2001 +From: Rik van Riel +Date: Fri, 10 Jan 2025 10:28:21 -0500 +Subject: fs/proc: fix softlockup in __read_vmcore (part 2) + +From: Rik van Riel + +commit cbc5dde0a461240046e8a41c43d7c3b76d5db952 upstream. + +Since commit 5cbcb62dddf5 ("fs/proc: fix softlockup in __read_vmcore") the +number of softlockups in __read_vmcore at kdump time have gone down, but +they still happen sometimes. + +In a memory constrained environment like the kdump image, a softlockup is +not just a harmless message, but it can interfere with things like RCU +freeing memory, causing the crashdump to get stuck. + +The second loop in __read_vmcore has a lot more opportunities for natural +sleep points, like scheduling out while waiting for a data write to +happen, but apparently that is not always enough. + +Add a cond_resched() to the second loop in __read_vmcore to (hopefully) +get rid of the softlockups. + +Link: https://lkml.kernel.org/r/20250110102821.2a37581b@fangorn +Fixes: 5cbcb62dddf5 ("fs/proc: fix softlockup in __read_vmcore") +Signed-off-by: Rik van Riel +Reported-by: Breno Leitao +Cc: Baoquan He +Cc: Dave Young +Cc: Vivek Goyal +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/vmcore.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/proc/vmcore.c ++++ b/fs/proc/vmcore.c +@@ -404,6 +404,8 @@ static ssize_t __read_vmcore(struct iov_ + if (!iov_iter_count(iter)) + return acc; + } ++ ++ cond_resched(); + } + + return acc; diff --git a/queue-6.12/gpio-xilinx-convert-gpio_lock-to-raw-spinlock.patch b/queue-6.12/gpio-xilinx-convert-gpio_lock-to-raw-spinlock.patch new file mode 100644 index 0000000000..bbf1d93298 --- /dev/null +++ b/queue-6.12/gpio-xilinx-convert-gpio_lock-to-raw-spinlock.patch 
@@ -0,0 +1,200 @@ +From 9860370c2172704b6b4f0075a0c2a29fd84af96a Mon Sep 17 00:00:00 2001 +From: Sean Anderson +Date: Fri, 10 Jan 2025 11:33:54 -0500 +Subject: gpio: xilinx: Convert gpio_lock to raw spinlock + +From: Sean Anderson + +commit 9860370c2172704b6b4f0075a0c2a29fd84af96a upstream. + +irq_chip functions may be called in raw spinlock context. Therefore, we +must also use a raw spinlock for our own internal locking. + +This fixes the following lockdep splat: + +[ 5.349336] ============================= +[ 5.353349] [ BUG: Invalid wait context ] +[ 5.357361] 6.13.0-rc5+ #69 Tainted: G W +[ 5.363031] ----------------------------- +[ 5.367045] kworker/u17:1/44 is trying to lock: +[ 5.371587] ffffff88018b02c0 (&chip->gpio_lock){....}-{3:3}, at: xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8)) +[ 5.380079] other info that might help us debug this: +[ 5.385138] context-{5:5} +[ 5.387762] 5 locks held by kworker/u17:1/44: +[ 5.392123] #0: ffffff8800014958 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3204) +[ 5.402260] #1: ffffffc082fcbdd8 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3205) +[ 5.411528] #2: ffffff880172c900 (&dev->mutex){....}-{4:4}, at: __device_attach (drivers/base/dd.c:1006) +[ 5.419929] #3: ffffff88039c8268 (request_class#2){+.+.}-{4:4}, at: __setup_irq (kernel/irq/internals.h:156 kernel/irq/manage.c:1596) +[ 5.428331] #4: ffffff88039c80c8 (lock_class#2){....}-{2:2}, at: __setup_irq (kernel/irq/manage.c:1614) +[ 5.436472] stack backtrace: +[ 5.439359] CPU: 2 UID: 0 PID: 44 Comm: kworker/u17:1 Tainted: G W 6.13.0-rc5+ #69 +[ 5.448690] Tainted: [W]=WARN +[ 5.451656] Hardware name: xlnx,zynqmp (DT) +[ 5.455845] Workqueue: events_unbound deferred_probe_work_func +[ 5.461699] Call trace: +[ 5.464147] show_stack+0x18/0x24 C +[ 5.467821] dump_stack_lvl (lib/dump_stack.c:123) +[ 5.471501] dump_stack (lib/dump_stack.c:130) +[ 5.474824] __lock_acquire 
(kernel/locking/lockdep.c:4828 kernel/locking/lockdep.c:4898 kernel/locking/lockdep.c:5176) +[ 5.478758] lock_acquire (arch/arm64/include/asm/percpu.h:40 kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851 kernel/locking/lockdep.c:5814) +[ 5.482429] _raw_spin_lock_irqsave (include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) +[ 5.486797] xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8)) +[ 5.490737] irq_enable (kernel/irq/internals.h:236 kernel/irq/chip.c:170 kernel/irq/chip.c:439 kernel/irq/chip.c:432 kernel/irq/chip.c:345) +[ 5.494060] __irq_startup (kernel/irq/internals.h:241 kernel/irq/chip.c:180 kernel/irq/chip.c:250) +[ 5.497645] irq_startup (kernel/irq/chip.c:270) +[ 5.501143] __setup_irq (kernel/irq/manage.c:1807) +[ 5.504728] request_threaded_irq (kernel/irq/manage.c:2208) + +Fixes: a32c7caea292 ("gpio: gpio-xilinx: Add interrupt support") +Signed-off-by: Sean Anderson +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250110163354.2012654-1-sean.anderson@linux.dev +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-xilinx.c | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +--- a/drivers/gpio/gpio-xilinx.c ++++ b/drivers/gpio/gpio-xilinx.c +@@ -65,7 +65,7 @@ struct xgpio_instance { + DECLARE_BITMAP(state, 64); + DECLARE_BITMAP(last_irq_read, 64); + DECLARE_BITMAP(dir, 64); +- spinlock_t gpio_lock; /* For serializing operations */ ++ raw_spinlock_t gpio_lock; /* For serializing operations */ + int irq; + DECLARE_BITMAP(enable, 64); + DECLARE_BITMAP(rising_edge, 64); +@@ -179,14 +179,14 @@ static void xgpio_set(struct gpio_chip * + struct xgpio_instance *chip = gpiochip_get_data(gc); + int bit = xgpio_to_bit(chip, gpio); + +- spin_lock_irqsave(&chip->gpio_lock, flags); ++ raw_spin_lock_irqsave(&chip->gpio_lock, flags); + + /* Write to GPIO signal and set its direction to output */ + __assign_bit(bit, chip->state, val); + 
+ xgpio_write_ch(chip, XGPIO_DATA_OFFSET, bit, chip->state); + +- spin_unlock_irqrestore(&chip->gpio_lock, flags); ++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags); + } + + /** +@@ -210,7 +210,7 @@ static void xgpio_set_multiple(struct gp + bitmap_remap(hw_mask, mask, chip->sw_map, chip->hw_map, 64); + bitmap_remap(hw_bits, bits, chip->sw_map, chip->hw_map, 64); + +- spin_lock_irqsave(&chip->gpio_lock, flags); ++ raw_spin_lock_irqsave(&chip->gpio_lock, flags); + + bitmap_replace(state, chip->state, hw_bits, hw_mask, 64); + +@@ -218,7 +218,7 @@ static void xgpio_set_multiple(struct gp + + bitmap_copy(chip->state, state, 64); + +- spin_unlock_irqrestore(&chip->gpio_lock, flags); ++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags); + } + + /** +@@ -236,13 +236,13 @@ static int xgpio_dir_in(struct gpio_chip + struct xgpio_instance *chip = gpiochip_get_data(gc); + int bit = xgpio_to_bit(chip, gpio); + +- spin_lock_irqsave(&chip->gpio_lock, flags); ++ raw_spin_lock_irqsave(&chip->gpio_lock, flags); + + /* Set the GPIO bit in shadow register and set direction as input */ + __set_bit(bit, chip->dir); + xgpio_write_ch(chip, XGPIO_TRI_OFFSET, bit, chip->dir); + +- spin_unlock_irqrestore(&chip->gpio_lock, flags); ++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags); + + return 0; + } +@@ -265,7 +265,7 @@ static int xgpio_dir_out(struct gpio_chi + struct xgpio_instance *chip = gpiochip_get_data(gc); + int bit = xgpio_to_bit(chip, gpio); + +- spin_lock_irqsave(&chip->gpio_lock, flags); ++ raw_spin_lock_irqsave(&chip->gpio_lock, flags); + + /* Write state of GPIO signal */ + __assign_bit(bit, chip->state, val); +@@ -275,7 +275,7 @@ static int xgpio_dir_out(struct gpio_chi + __clear_bit(bit, chip->dir); + xgpio_write_ch(chip, XGPIO_TRI_OFFSET, bit, chip->dir); + +- spin_unlock_irqrestore(&chip->gpio_lock, flags); ++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags); + + return 0; + } +@@ -398,7 +398,7 @@ static void xgpio_irq_mask(struct irq_da + int bit = 
xgpio_to_bit(chip, irq_offset); + u32 mask = BIT(bit / 32), temp; + +- spin_lock_irqsave(&chip->gpio_lock, flags); ++ raw_spin_lock_irqsave(&chip->gpio_lock, flags); + + __clear_bit(bit, chip->enable); + +@@ -408,7 +408,7 @@ static void xgpio_irq_mask(struct irq_da + temp &= ~mask; + xgpio_writereg(chip->regs + XGPIO_IPIER_OFFSET, temp); + } +- spin_unlock_irqrestore(&chip->gpio_lock, flags); ++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags); + + gpiochip_disable_irq(&chip->gc, irq_offset); + } +@@ -428,7 +428,7 @@ static void xgpio_irq_unmask(struct irq_ + + gpiochip_enable_irq(&chip->gc, irq_offset); + +- spin_lock_irqsave(&chip->gpio_lock, flags); ++ raw_spin_lock_irqsave(&chip->gpio_lock, flags); + + __set_bit(bit, chip->enable); + +@@ -447,7 +447,7 @@ static void xgpio_irq_unmask(struct irq_ + xgpio_writereg(chip->regs + XGPIO_IPIER_OFFSET, val); + } + +- spin_unlock_irqrestore(&chip->gpio_lock, flags); ++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags); + } + + /** +@@ -512,7 +512,7 @@ static void xgpio_irqhandler(struct irq_ + + chained_irq_enter(irqchip, desc); + +- spin_lock(&chip->gpio_lock); ++ raw_spin_lock(&chip->gpio_lock); + + xgpio_read_ch_all(chip, XGPIO_DATA_OFFSET, all); + +@@ -529,7 +529,7 @@ static void xgpio_irqhandler(struct irq_ + bitmap_copy(chip->last_irq_read, all, 64); + bitmap_or(all, rising, falling, 64); + +- spin_unlock(&chip->gpio_lock); ++ raw_spin_unlock(&chip->gpio_lock); + + dev_dbg(gc->parent, "IRQ rising %*pb falling %*pb\n", 64, rising, 64, falling); + +@@ -620,7 +620,7 @@ static int xgpio_probe(struct platform_d + bitmap_set(chip->hw_map, 0, width[0]); + bitmap_set(chip->hw_map, 32, width[1]); + +- spin_lock_init(&chip->gpio_lock); ++ raw_spin_lock_init(&chip->gpio_lock); + + chip->gc.base = -1; + chip->gc.ngpio = bitmap_weight(chip->hw_map, 64); diff --git a/queue-6.12/i2c-atr-fix-client-detach.patch b/queue-6.12/i2c-atr-fix-client-detach.patch new file mode 100644 index 0000000000..8145f922ef --- /dev/null 
+++ b/queue-6.12/i2c-atr-fix-client-detach.patch @@ -0,0 +1,43 @@ +From cefc479cbb50399dec0c8e996f3539c48a1ee9dd Mon Sep 17 00:00:00 2001 +From: Tomi Valkeinen +Date: Fri, 22 Nov 2024 14:26:18 +0200 +Subject: i2c: atr: Fix client detach + +From: Tomi Valkeinen + +commit cefc479cbb50399dec0c8e996f3539c48a1ee9dd upstream. + +i2c-atr catches the BUS_NOTIFY_DEL_DEVICE event on the bus and removes +the translation by calling i2c_atr_detach_client(). + +However, BUS_NOTIFY_DEL_DEVICE happens when the device is about to be +removed from this bus, i.e. before removal, and thus before calling +.remove() on the driver. If the driver happens to do any i2c +transactions in its remove(), they will fail. + +Fix this by catching BUS_NOTIFY_REMOVED_DEVICE instead, thus removing +the translation only after the device is actually removed. + +Fixes: a076a860acae ("media: i2c: add I2C Address Translator (ATR) support") +Cc: stable@vger.kernel.org +Signed-off-by: Tomi Valkeinen +Reviewed-by: Luca Ceresoli +Reviewed-by: Romain Gantois +Tested-by: Romain Gantois +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/i2c-atr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i2c/i2c-atr.c ++++ b/drivers/i2c/i2c-atr.c +@@ -412,7 +412,7 @@ static int i2c_atr_bus_notifier_call(str + dev_name(dev), ret); + break; + +- case BUS_NOTIFY_DEL_DEVICE: ++ case BUS_NOTIFY_REMOVED_DEVICE: + i2c_atr_detach_client(client->adapter, client); + break; + diff --git a/queue-6.12/mptcp-be-sure-to-send-ack-when-mptcp-level-window-re-opens.patch b/queue-6.12/mptcp-be-sure-to-send-ack-when-mptcp-level-window-re-opens.patch new file mode 100644 index 0000000000..e30431434c --- /dev/null +++ b/queue-6.12/mptcp-be-sure-to-send-ack-when-mptcp-level-window-re-opens.patch 
@@ -0,0 +1,72 @@ +From 2ca06a2f65310aeef30bb69b7405437a14766e4d Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Mon, 13 Jan 2025 16:44:56 +0100 +Subject: mptcp: be sure to send ack when mptcp-level window re-opens + +From: Paolo Abeni + +commit 2ca06a2f65310aeef30bb69b7405437a14766e4d upstream. + +mptcp_cleanup_rbuf() is responsible to send acks when the user-space +reads enough data to update the receive windows significantly. + +It tries hard to avoid acquiring the subflow sockets locks by checking +conditions similar to the ones implemented at the TCP level. + +To avoid too much code duplication - the MPTCP protocol can't reuse the +TCP helpers as part of the relevant status is maintained into the msk +socket - and multiple costly window size computation, mptcp_cleanup_rbuf +uses a rough estimate for the most recently advertised window size: +the MPTCP receive free space, as recorded as at last-ack time. + +Unfortunately the above does not allow mptcp_cleanup_rbuf() to detect +a zero to non-zero win change in some corner cases, skipping the +tcp_cleanup_rbuf call and leaving the peer stuck. + +After commit ea66758c1795 ("tcp: allow MPTCP to update the announced +window"), MPTCP has actually cheap access to the announced window value. +Use it in mptcp_cleanup_rbuf() for a more accurate ack generation. 
+ +Fixes: e3859603ba13 ("mptcp: better msk receive window updates") +Cc: stable@vger.kernel.org +Reported-by: Jakub Kicinski +Closes: https://lore.kernel.org/20250107131845.5e5de3c5@kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250113-net-mptcp-connect-st-flakes-v1-1-0d986ee7b1b6@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/options.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -607,7 +607,6 @@ static bool mptcp_established_options_ds + } + opts->ext_copy.use_ack = 1; + opts->suboptions = OPTION_MPTCP_DSS; +- WRITE_ONCE(msk->old_wspace, __mptcp_space((struct sock *)msk)); + + /* Add kind/length/subtype/flag overhead if mapping is not populated */ + if (dss_size == 0) +@@ -1288,7 +1287,7 @@ static void mptcp_set_rwin(struct tcp_so + } + MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_RCVWNDCONFLICT); + } +- return; ++ goto update_wspace; + } + + if (rcv_wnd_new != rcv_wnd_old) { +@@ -1313,6 +1312,9 @@ raise_win: + th->window = htons(new_win); + MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_RCVWNDSHARED); + } ++ ++update_wspace: ++ WRITE_ONCE(msk->old_wspace, tp->rcv_wnd); + } + + __sum16 __mptcp_make_csum(u64 data_seq, u32 subflow_seq, u16 data_len, __wsum sum) diff --git a/queue-6.12/mptcp-fix-spurious-wake-up-on-under-memory-pressure.patch b/queue-6.12/mptcp-fix-spurious-wake-up-on-under-memory-pressure.patch new file mode 100644 index 0000000000..24ecd74b7a --- /dev/null +++ b/queue-6.12/mptcp-fix-spurious-wake-up-on-under-memory-pressure.patch 
@@ -0,0 +1,47 @@ +From e226d9259dc4f5d2c19e6682ad1356fa97cf38f4 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Mon, 13 Jan 2025 16:44:57 +0100 +Subject: mptcp: fix spurious wake-up on under memory pressure + +From: Paolo Abeni + +commit e226d9259dc4f5d2c19e6682ad1356fa97cf38f4 upstream. + +The wake-up condition currently implemented by mptcp_epollin_ready() +is wrong, as it could mark the MPTCP socket as readable even when +no data are present and the system is under memory pressure. + +Explicitly check for some data being available in the receive queue. + +Fixes: 5684ab1a0eff ("mptcp: give rcvlowat some love") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250113-net-mptcp-connect-st-flakes-v1-2-0d986ee7b1b6@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.h | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -760,10 +760,15 @@ static inline u64 mptcp_data_avail(const + + static inline bool mptcp_epollin_ready(const struct sock *sk) + { ++ u64 data_avail = mptcp_data_avail(mptcp_sk(sk)); ++ ++ if (!data_avail) ++ return false; ++ + /* mptcp doesn't have to deal with small skbs in the receive queue, +- * at it can always coalesce them ++ * as it can always coalesce them + */ +- return (mptcp_data_avail(mptcp_sk(sk)) >= sk->sk_rcvlowat) || ++ return (data_avail >= sk->sk_rcvlowat) || + (mem_cgroup_sockets_enabled && sk->sk_memcg && + mem_cgroup_under_socket_pressure(sk->sk_memcg)) || + READ_ONCE(tcp_memory_pressure); diff --git a/queue-6.12/net-ethernet-xgbe-re-add-aneg-to-supported-features-in-phy-quirks.patch b/queue-6.12/net-ethernet-xgbe-re-add-aneg-to-supported-features-in-phy-quirks.patch new file mode 100644 index 0000000000..158fb05306 --- /dev/null 
+++ b/queue-6.12/net-ethernet-xgbe-re-add-aneg-to-supported-features-in-phy-quirks.patch 
@@ -0,0 +1,93 @@ +From 6be7aca91009865d8c2b73589270224a6b6e67ab Mon Sep 17 00:00:00 2001 +From: Heiner Kallweit +Date: Sun, 12 Jan 2025 22:59:59 +0100 +Subject: net: ethernet: xgbe: re-add aneg to supported features in PHY quirks + +From: Heiner Kallweit + +commit 6be7aca91009865d8c2b73589270224a6b6e67ab upstream. + +In 4.19, before the switch to linkmode bitmaps, PHY_GBIT_FEATURES +included feature bits for aneg and TP/MII ports. + + SUPPORTED_TP | \ + SUPPORTED_MII) + + SUPPORTED_10baseT_Full) + + SUPPORTED_100baseT_Full) + + SUPPORTED_1000baseT_Full) + + PHY_100BT_FEATURES | \ + PHY_DEFAULT_FEATURES) + + PHY_1000BT_FEATURES) + +Referenced commit expanded PHY_GBIT_FEATURES, silently removing +PHY_DEFAULT_FEATURES. The removed part can be re-added by using +the new PHY_GBIT_FEATURES definition. +Not clear to me is why nobody seems to have noticed this issue. + +I stumbled across this when checking what it takes to make +phy_10_100_features_array et al private to phylib. + +Fixes: d0939c26c53a ("net: ethernet: xgbe: expand PHY_GBIT_FEAUTRES") +Cc: stable@vger.kernel.org +Signed-off-by: Heiner Kallweit +Link: https://patch.msgid.link/46521973-7738-4157-9f5e-0bb6f694acba@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 ++----------------- + 1 file changed, 2 insertions(+), 17 deletions(-) + +--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +@@ -923,7 +923,6 @@ static void xgbe_phy_free_phy_device(str + + static bool xgbe_phy_finisar_phy_quirks(struct xgbe_prv_data *pdata) + { +- __ETHTOOL_DECLARE_LINK_MODE_MASK(supported) = { 0, }; + struct xgbe_phy_data *phy_data = pdata->phy_data; + unsigned int phy_id = phy_data->phydev->phy_id; + +@@ -945,14 +944,7 @@ static bool xgbe_phy_finisar_phy_quirks( + phy_write(phy_data->phydev, 0x04, 0x0d01); + phy_write(phy_data->phydev, 0x00, 0x9140); + +- 
linkmode_set_bit_array(phy_10_100_features_array, +- ARRAY_SIZE(phy_10_100_features_array), +- supported); +- linkmode_set_bit_array(phy_gbit_features_array, +- ARRAY_SIZE(phy_gbit_features_array), +- supported); +- +- linkmode_copy(phy_data->phydev->supported, supported); ++ linkmode_copy(phy_data->phydev->supported, PHY_GBIT_FEATURES); + + phy_support_asym_pause(phy_data->phydev); + +@@ -964,7 +956,6 @@ static bool xgbe_phy_finisar_phy_quirks( + + static bool xgbe_phy_belfuse_phy_quirks(struct xgbe_prv_data *pdata) + { +- __ETHTOOL_DECLARE_LINK_MODE_MASK(supported) = { 0, }; + struct xgbe_phy_data *phy_data = pdata->phy_data; + struct xgbe_sfp_eeprom *sfp_eeprom = &phy_data->sfp_eeprom; + unsigned int phy_id = phy_data->phydev->phy_id; +@@ -1028,13 +1019,7 @@ static bool xgbe_phy_belfuse_phy_quirks( + reg = phy_read(phy_data->phydev, 0x00); + phy_write(phy_data->phydev, 0x00, reg & ~0x00800); + +- linkmode_set_bit_array(phy_10_100_features_array, +- ARRAY_SIZE(phy_10_100_features_array), +- supported); +- linkmode_set_bit_array(phy_gbit_features_array, +- ARRAY_SIZE(phy_gbit_features_array), +- supported); +- linkmode_copy(phy_data->phydev->supported, supported); ++ linkmode_copy(phy_data->phydev->supported, PHY_GBIT_FEATURES); + phy_support_asym_pause(phy_data->phydev); + + netif_dbg(pdata, drv, pdata->netdev, diff --git a/queue-6.12/net-ncsi-fix-locking-in-get-mac-address-handling.patch b/queue-6.12/net-ncsi-fix-locking-in-get-mac-address-handling.patch new file mode 100644 index 0000000000..bd5a71d3bf --- /dev/null +++ b/queue-6.12/net-ncsi-fix-locking-in-get-mac-address-handling.patch 
@@ -0,0 +1,128 @@ +From 9e2bbab94b88295dcc57c7580393c9ee08d7314d Mon Sep 17 00:00:00 2001 +From: Paul Fertser +Date: Thu, 9 Jan 2025 17:50:54 +0300 +Subject: net/ncsi: fix locking in Get MAC Address handling + +From: Paul Fertser + +commit 9e2bbab94b88295dcc57c7580393c9ee08d7314d upstream. + +Obtaining RTNL lock in a response handler is not allowed since it runs +in an atomic softirq context. Postpone setting the MAC address by adding +a dedicated step to the configuration FSM. + +Fixes: 790071347a0a ("net/ncsi: change from ndo_set_mac_address to dev_set_mac_address") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/20241129-potin-revert-ncsi-set-mac-addr-v1-1-94ea2cb596af@gmail.com +Signed-off-by: Paul Fertser +Tested-by: Potin Lai +Link: https://patch.msgid.link/20250109145054.30925-1-fercerpav@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ncsi/internal.h | 2 ++ + net/ncsi/ncsi-manage.c | 16 ++++++++++++++-- + net/ncsi/ncsi-rsp.c | 19 ++++++------------- + 3 files changed, 22 insertions(+), 15 deletions(-) + +--- a/net/ncsi/internal.h ++++ b/net/ncsi/internal.h +@@ -289,6 +289,7 @@ enum { + ncsi_dev_state_config_sp = 0x0301, + ncsi_dev_state_config_cis, + ncsi_dev_state_config_oem_gma, ++ ncsi_dev_state_config_apply_mac, + ncsi_dev_state_config_clear_vids, + ncsi_dev_state_config_svf, + ncsi_dev_state_config_ev, +@@ -322,6 +323,7 @@ struct ncsi_dev_priv { + #define NCSI_DEV_RESHUFFLE 4 + #define NCSI_DEV_RESET 8 /* Reset state of NC */ + unsigned int gma_flag; /* OEM GMA flag */ ++ struct sockaddr pending_mac; /* MAC address received from GMA */ + spinlock_t lock; /* Protect the NCSI device */ + unsigned int package_probe_id;/* Current ID during probe */ + unsigned int package_num; /* Number of packages */ +--- a/net/ncsi/ncsi-manage.c ++++ b/net/ncsi/ncsi-manage.c +@@ -1038,7 +1038,7 @@ static void ncsi_configure_channel(struc + : ncsi_dev_state_config_clear_vids; + break; + case ncsi_dev_state_config_oem_gma: 
+- nd->state = ncsi_dev_state_config_clear_vids; ++ nd->state = ncsi_dev_state_config_apply_mac; + + nca.package = np->id; + nca.channel = nc->id; +@@ -1050,10 +1050,22 @@ static void ncsi_configure_channel(struc + nca.type = NCSI_PKT_CMD_OEM; + ret = ncsi_gma_handler(&nca, nc->version.mf_id); + } +- if (ret < 0) ++ if (ret < 0) { ++ nd->state = ncsi_dev_state_config_clear_vids; + schedule_work(&ndp->work); ++ } + + break; ++ case ncsi_dev_state_config_apply_mac: ++ rtnl_lock(); ++ ret = dev_set_mac_address(dev, &ndp->pending_mac, NULL); ++ rtnl_unlock(); ++ if (ret < 0) ++ netdev_warn(dev, "NCSI: 'Writing MAC address to device failed\n"); ++ ++ nd->state = ncsi_dev_state_config_clear_vids; ++ ++ fallthrough; + case ncsi_dev_state_config_clear_vids: + case ncsi_dev_state_config_svf: + case ncsi_dev_state_config_ev: +--- a/net/ncsi/ncsi-rsp.c ++++ b/net/ncsi/ncsi-rsp.c +@@ -628,16 +628,14 @@ static int ncsi_rsp_handler_snfc(struct + static int ncsi_rsp_handler_oem_gma(struct ncsi_request *nr, int mfr_id) + { + struct ncsi_dev_priv *ndp = nr->ndp; ++ struct sockaddr *saddr = &ndp->pending_mac; + struct net_device *ndev = ndp->ndev.dev; + struct ncsi_rsp_oem_pkt *rsp; +- struct sockaddr saddr; + u32 mac_addr_off = 0; +- int ret = 0; + + /* Get the response header */ + rsp = (struct ncsi_rsp_oem_pkt *)skb_network_header(nr->rsp); + +- saddr.sa_family = ndev->type; + ndev->priv_flags |= IFF_LIVE_ADDR_CHANGE; + if (mfr_id == NCSI_OEM_MFR_BCM_ID) + mac_addr_off = BCM_MAC_ADDR_OFFSET; +@@ -646,22 +644,17 @@ static int ncsi_rsp_handler_oem_gma(stru + else if (mfr_id == NCSI_OEM_MFR_INTEL_ID) + mac_addr_off = INTEL_MAC_ADDR_OFFSET; + +- memcpy(saddr.sa_data, &rsp->data[mac_addr_off], ETH_ALEN); ++ saddr->sa_family = ndev->type; ++ memcpy(saddr->sa_data, &rsp->data[mac_addr_off], ETH_ALEN); + if (mfr_id == NCSI_OEM_MFR_BCM_ID || mfr_id == NCSI_OEM_MFR_INTEL_ID) +- eth_addr_inc((u8 *)saddr.sa_data); +- if (!is_valid_ether_addr((const u8 *)saddr.sa_data)) ++ eth_addr_inc((u8 
*)saddr->sa_data); ++ if (!is_valid_ether_addr((const u8 *)saddr->sa_data)) + return -ENXIO; + + /* Set the flag for GMA command which should only be called once */ + ndp->gma_flag = 1; + +- rtnl_lock(); +- ret = dev_set_mac_address(ndev, &saddr, NULL); +- rtnl_unlock(); +- if (ret < 0) +- netdev_warn(ndev, "NCSI: 'Writing mac address to device failed\n"); +- +- return ret; ++ return 0; + } + + /* Response handler for Mellanox card */ diff --git a/queue-6.12/nouveau-fence-handle-cross-device-fences-properly.patch b/queue-6.12/nouveau-fence-handle-cross-device-fences-properly.patch new file mode 100644 index 0000000000..5570c7ffa4 --- /dev/null +++ b/queue-6.12/nouveau-fence-handle-cross-device-fences-properly.patch 
@@ -0,0 +1,52 @@ +From 1f9910b41c857a892b83801feebdc7bdf38c5985 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Thu, 9 Jan 2025 10:55:53 +1000 +Subject: nouveau/fence: handle cross device fences properly + +From: Dave Airlie + +commit 1f9910b41c857a892b83801feebdc7bdf38c5985 upstream. + +The fence sync logic doesn't handle a fence sync across devices +as it tries to write to a channel offset from one device into +the fence bo from a different device, which won't work so well. + +This patch fixes that to avoid using the sync path in the case +where the fences come from different nouveau drm devices. + +This works fine on a single device as the fence bo is shared +across the devices, and mapped into each channels vma space, +the channel offsets are therefore okay to pass between sides, +so one channel can sync on the seqnos from the other by using +the offset into it's vma. + +Signed-off-by: Dave Airlie +Cc: stable@vger.kernel.org +Reviewed-by: Ben Skeggs +[ Fix compilation issue; remove version log from commit messsage. + - Danilo ] +Signed-off-by: Danilo Krummrich +Link: https://patchwork.freedesktop.org/patch/msgid/20250109005553.623947-1-airlied@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nouveau_fence.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nouveau_fence.c ++++ b/drivers/gpu/drm/nouveau/nouveau_fence.c +@@ -387,11 +387,13 @@ nouveau_fence_sync(struct nouveau_bo *nv + if (f) { + struct nouveau_channel *prev; + bool must_wait = true; ++ bool local; + + rcu_read_lock(); + prev = rcu_dereference(f->channel); +- if (prev && (prev == chan || +- fctx->sync(f, prev, chan) == 0)) ++ local = prev && prev->cli->drm == chan->cli->drm; ++ if (local && (prev == chan || ++ fctx->sync(f, prev, chan) == 0)) + must_wait = false; + rcu_read_unlock(); + if (!must_wait) 
diff --git a/queue-6.12/selftests-mptcp-avoid-spurious-errors-on-disconnect.patch b/queue-6.12/selftests-mptcp-avoid-spurious-errors-on-disconnect.patch new file mode 100644 index 0000000000..33106e5736 --- /dev/null +++ b/queue-6.12/selftests-mptcp-avoid-spurious-errors-on-disconnect.patch 
@@ -0,0 +1,128 @@ +From 218cc166321fb3cc8786677ffe0d09a78778a910 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Mon, 13 Jan 2025 16:44:58 +0100 +Subject: selftests: mptcp: avoid spurious errors on disconnect +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paolo Abeni + +commit 218cc166321fb3cc8786677ffe0d09a78778a910 upstream. + +The disconnect test-case generates spurious errors: + + INFO: disconnect + INFO: extra options: -I 3 -i /tmp/tmp.r43niviyoI + 01 ns1 MPTCP -> ns1 (10.0.1.1:10000 ) MPTCP (duration 140ms) [FAIL] + file received by server does not match (in, out): + Unexpected revents: POLLERR/POLLNVAL(19) + -rw-r--r-- 1 root root 10028676 Jan 10 10:47 /tmp/tmp.r43niviyoI.disconnect + Trailing bytes are: + ��\����R���!8��u2��5N% + -rw------- 1 root root 9992290 Jan 10 10:47 /tmp/tmp.Os4UbnWbI1 + Trailing bytes are: + ��\����R���!8��u2��5N% + 02 ns1 MPTCP -> ns1 (dead:beef:1::1:10001) MPTCP (duration 206ms) [ OK ] + 03 ns1 MPTCP -> ns1 (dead:beef:1::1:10002) TCP (duration 31ms) [ OK ] + 04 ns1 TCP -> ns1 (dead:beef:1::1:10003) MPTCP (duration 26ms) [ OK ] + [FAIL] Tests of the full disconnection have failed + Time: 2 seconds + +The root cause is actually in the user-space bits: the test program +currently disconnects as soon as all the pending data has been spooled, +generating an FASTCLOSE. If such option reaches the peer before the +latter has reached the closed status, the msk socket will report an +error to the user-space, as per protocol specification, causing the +above failure. + +Address the issue explicitly waiting for all the relevant sockets to +reach a closed status before performing the disconnect. 
+ +Fixes: 05be5e273c84 ("selftests: mptcp: add disconnect tests") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250113-net-mptcp-connect-st-flakes-v1-3-0d986ee7b1b6@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_connect.c | 43 ++++++++++++++++------ + 1 file changed, 32 insertions(+), 11 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c ++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c +@@ -25,6 +25,8 @@ + #include + #include + ++#include ++ + #include + #include + +@@ -1211,23 +1213,42 @@ static void parse_setsock_options(const + exit(1); + } + +-void xdisconnect(int fd, int addrlen) ++void xdisconnect(int fd) + { +- struct sockaddr_storage empty; ++ socklen_t addrlen = sizeof(struct sockaddr_storage); ++ struct sockaddr_storage addr, empty; + int msec_sleep = 10; +- int queued = 1; +- int i; ++ void *raw_addr; ++ int i, cmdlen; ++ char cmd[128]; ++ ++ /* get the local address and convert it to string */ ++ if (getsockname(fd, (struct sockaddr *)&addr, &addrlen) < 0) ++ xerror("getsockname"); ++ ++ if (addr.ss_family == AF_INET) ++ raw_addr = &(((struct sockaddr_in *)&addr)->sin_addr); ++ else if (addr.ss_family == AF_INET6) ++ raw_addr = &(((struct sockaddr_in6 *)&addr)->sin6_addr); ++ else ++ xerror("bad family"); ++ ++ strcpy(cmd, "ss -M | grep -q "); ++ cmdlen = strlen(cmd); ++ if (!inet_ntop(addr.ss_family, raw_addr, &cmd[cmdlen], ++ sizeof(cmd) - cmdlen)) ++ xerror("inet_ntop"); + + shutdown(fd, SHUT_WR); + +- /* while until the pending data is completely flushed, the later ++ /* ++ * wait until the pending data is completely flushed and all ++ * the MPTCP sockets reached the closed status. + * disconnect will bypass/ignore/drop any pending data. 
+ */ + for (i = 0; ; i += msec_sleep) { +- if (ioctl(fd, SIOCOUTQ, &queued) < 0) +- xerror("can't query out socket queue: %d", errno); +- +- if (!queued) ++ /* closed socket are not listed by 'ss' */ ++ if (system(cmd) != 0) + break; + + if (i > poll_timeout) +@@ -1281,9 +1302,9 @@ again: + return ret; + + if (cfg_truncate > 0) { +- xdisconnect(fd, peer->ai_addrlen); ++ xdisconnect(fd); + } else if (--cfg_repeat > 0) { +- xdisconnect(fd, peer->ai_addrlen); ++ xdisconnect(fd); + + /* the socket could be unblocking at this point, we need the + * connect to be blocking diff --git a/queue-6.12/series b/queue-6.12/series index 23324d0156..6d3e566157 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -76,3 +76,20 @@ alsa-hda-realtek-add-support-for-ayaneo-system-using-cs35l41-hda.patch alsa-hda-realtek-fixup-asus-ga605w.patch alsa-hda-realtek-fixup-asus-h7606w.patch zram-fix-potential-uaf-of-zram-table.patch +i2c-atr-fix-client-detach.patch +mptcp-be-sure-to-send-ack-when-mptcp-level-window-re-opens.patch +mptcp-fix-spurious-wake-up-on-under-memory-pressure.patch +selftests-mptcp-avoid-spurious-errors-on-disconnect.patch +net-ethernet-xgbe-re-add-aneg-to-supported-features-in-phy-quirks.patch +vsock-bpf-return-early-if-transport-is-not-assigned.patch +vsock-virtio-discard-packets-if-the-transport-changes.patch +vsock-virtio-cancel-close-work-in-the-destructor.patch +vsock-reset-socket-state-when-de-assigning-the-transport.patch +vsock-prevent-null-ptr-deref-in-vsock_.patch +nouveau-fence-handle-cross-device-fences-properly.patch +drm-nouveau-disp-fix-missing-backlight-control-on-macbook-5-1.patch +net-ncsi-fix-locking-in-get-mac-address-handling.patch +filemap-avoid-truncating-64-bit-offset-to-32-bits.patch +fs-proc-fix-softlockup-in-__read_vmcore-part-2.patch +gpio-xilinx-convert-gpio_lock-to-raw-spinlock.patch +tools-fix-atomic_set-definition-to-set-the-value-correctly.patch 
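Review bot: in xdisconnect() in mptcp_connect.c, the command built from `strcpy(cmd, "ss -M | grep -q ");` plus `inet_ntop()` matches on the local address only, and as an unanchored regular expression. Any other MPTCP socket that `ss -M` lists with the same address, or with an address that contains it (the dots match any character), keeps the loop waiting until the `i > poll_timeout` check trips; consider adding the local port that `getsockname()` already returned and using `grep -qF`. Separately, `system(cmd) != 0` is also true when `ss` is missing or the shell cannot be started, so that case leaves the loop as if every socket had closed; distinguishing it would avoid a silent false pass.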
diff --git a/queue-6.12/tools-fix-atomic_set-definition-to-set-the-value-correctly.patch b/queue-6.12/tools-fix-atomic_set-definition-to-set-the-value-correctly.patch new file mode 100644 index 0000000000..ecc879093e --- /dev/null +++ b/queue-6.12/tools-fix-atomic_set-definition-to-set-the-value-correctly.patch 
@@ -0,0 +1,50 @@ +From 4bbb6df62c54e6a2c1fcce4908df768f0cfa1e91 Mon Sep 17 00:00:00 2001 +From: Suren Baghdasaryan +Date: Fri, 27 Dec 2024 14:22:20 -0800 +Subject: tools: fix atomic_set() definition to set the value correctly + +From: Suren Baghdasaryan + +commit 4bbb6df62c54e6a2c1fcce4908df768f0cfa1e91 upstream. + +Currently vma test is failing because of the new vma_assert_attached() +assertion. The check is failing because previous refcount_set() inside +vma_mark_attached() is a NoOp. Fix the definition of atomic_set() to +correctly set the value of the atomic. + +Link: https://lkml.kernel.org/r/20241227222220.1726384-1-surenb@google.com +Fixes: 9325b8b5a1cb ("tools: add skeleton code for userland testing of VMA logic") +Signed-off-by: Suren Baghdasaryan +Reviewed-by: Lorenzo Stoakes +Cc: Jann Horn +Cc: Liam R. Howlett +Cc: Vlastimil Babka +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/shared/linux/maple_tree.h | 2 +- + tools/testing/vma/linux/atomic.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/testing/shared/linux/maple_tree.h ++++ b/tools/testing/shared/linux/maple_tree.h +@@ -2,6 +2,6 @@ + #define atomic_t int32_t + #define atomic_inc(x) uatomic_inc(x) + #define atomic_read(x) uatomic_read(x) +-#define atomic_set(x, y) do {} while (0) ++#define atomic_set(x, y) uatomic_set(x, y) + #define U8_MAX UCHAR_MAX + #include "../../../../include/linux/maple_tree.h" +--- a/tools/testing/vma/linux/atomic.h ++++ b/tools/testing/vma/linux/atomic.h +@@ -6,7 +6,7 @@ + #define atomic_t int32_t + #define atomic_inc(x) uatomic_inc(x) + #define atomic_read(x) uatomic_read(x) +-#define atomic_set(x, y) do {} while (0) ++#define atomic_set(x, y) uatomic_set(x, y) + #define U8_MAX UCHAR_MAX + + #endif /* _LINUX_ATOMIC_H */ 
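Review bot: the same one-line change has to be made in two copies of the macro block, in tools/testing/shared/linux/maple_tree.h and in tools/testing/vma/linux/atomic.h, so the empty `atomic_set()` needed fixing twice. Consider having one header define `atomic_t`, `atomic_inc()`, `atomic_read()` and `atomic_set()` and the other include it, so the two definitions cannot drift apart again.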
diff --git a/queue-6.12/vsock-bpf-return-early-if-transport-is-not-assigned.patch b/queue-6.12/vsock-bpf-return-early-if-transport-is-not-assigned.patch new file mode 100644 index 0000000000..b6669136aa --- /dev/null +++ b/queue-6.12/vsock-bpf-return-early-if-transport-is-not-assigned.patch 
@@ -0,0 +1,84 @@ +From f6abafcd32f9cfc4b1a2f820ecea70773e26d423 Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Fri, 10 Jan 2025 09:35:08 +0100 +Subject: vsock/bpf: return early if transport is not assigned + +From: Stefano Garzarella + +commit f6abafcd32f9cfc4b1a2f820ecea70773e26d423 upstream. + +Some of the core functions can only be called if the transport +has been assigned. + +As Michal reported, a socket might have the transport at NULL, +for example after a failed connect(), causing the following trace: + + BUG: kernel NULL pointer dereference, address: 00000000000000a0 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 12faf8067 P4D 12faf8067 PUD 113670067 PMD 0 + Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI + CPU: 15 UID: 0 PID: 1198 Comm: a.out Not tainted 6.13.0-rc2+ + RIP: 0010:vsock_connectible_has_data+0x1f/0x40 + Call Trace: + vsock_bpf_recvmsg+0xca/0x5e0 + sock_recvmsg+0xb9/0xc0 + __sys_recvfrom+0xb3/0x130 + __x64_sys_recvfrom+0x20/0x30 + do_syscall_64+0x93/0x180 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +So we need to check the `vsk->transport` in vsock_bpf_recvmsg(), +especially for connected sockets (stream/seqpacket) as we already +do in __vsock_connectible_recvmsg(). + +Fixes: 634f1a7110b4 ("vsock: support sockmap") +Cc: stable@vger.kernel.org +Reported-by: Michal Luczaj +Closes: https://lore.kernel.org/netdev/5ca20d4c-1017-49c2-9516-f6f75fd331e9@rbox.co/ +Tested-by: Michal Luczaj +Reported-by: syzbot+3affdbfc986ecd9200fd@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/677f84a8.050a0220.25a300.01b3.GAE@google.com/ +Tested-by: syzbot+3affdbfc986ecd9200fd@syzkaller.appspotmail.com +Reviewed-by: Hyunwoo Kim +Acked-by: Michael S. 
Tsirkin +Reviewed-by: Luigi Leonardi +Signed-off-by: Stefano Garzarella +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/vsock_bpf.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/net/vmw_vsock/vsock_bpf.c ++++ b/net/vmw_vsock/vsock_bpf.c +@@ -77,6 +77,7 @@ static int vsock_bpf_recvmsg(struct sock + size_t len, int flags, int *addr_len) + { + struct sk_psock *psock; ++ struct vsock_sock *vsk; + int copied; + + psock = sk_psock_get(sk); +@@ -84,6 +85,13 @@ static int vsock_bpf_recvmsg(struct sock + return __vsock_recvmsg(sk, msg, len, flags); + + lock_sock(sk); ++ vsk = vsock_sk(sk); ++ ++ if (!vsk->transport) { ++ copied = -ENODEV; ++ goto out; ++ } ++ + if (vsock_has_data(sk, psock) && sk_psock_queue_empty(psock)) { + release_sock(sk); + sk_psock_put(sk, psock); +@@ -108,6 +116,7 @@ static int vsock_bpf_recvmsg(struct sock + copied = sk_msg_recvmsg(sk, psock, msg, len, flags); + } + ++out: + release_sock(sk); + sk_psock_put(sk, psock); + diff --git a/queue-6.12/vsock-prevent-null-ptr-deref-in-vsock_.patch b/queue-6.12/vsock-prevent-null-ptr-deref-in-vsock_.patch new file mode 100644 index 0000000000..97eaf05616 --- /dev/null +++ b/queue-6.12/vsock-prevent-null-ptr-deref-in-vsock_.patch 
@@ -0,0 +1,70 @@ +From 91751e248256efc111e52e15115840c35d85abaf Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Fri, 10 Jan 2025 09:35:11 +0100 +Subject: vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] + +From: Stefano Garzarella + +commit 91751e248256efc111e52e15115840c35d85abaf upstream. + +Recent reports have shown how we sometimes call vsock_*_has_data() +when a vsock socket has been de-assigned from a transport (see attached +links), but we shouldn't. + +Previous commits should have solved the real problems, but we may have +more in the future, so to avoid null-ptr-deref, we can return 0 +(no space, no data available) but with a warning. + +This way the code should continue to run in a nearly consistent state +and have a warning that allows us to debug future problems. + +Fixes: c0cfa2d8a788 ("vsock: add multi-transports support") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/netdev/Z2K%2FI4nlHdfMRTZC@v4bel-B760M-AORUS-ELITE-AX/ +Link: https://lore.kernel.org/netdev/5ca20d4c-1017-49c2-9516-f6f75fd331e9@rbox.co/ +Link: https://lore.kernel.org/netdev/677f84a8.050a0220.25a300.01b3.GAE@google.com/ +Co-developed-by: Hyunwoo Kim +Signed-off-by: Hyunwoo Kim +Co-developed-by: Wongi Lee +Signed-off-by: Wongi Lee +Signed-off-by: Stefano Garzarella +Reviewed-by: Luigi Leonardi +Reviewed-by: Hyunwoo Kim +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/af_vsock.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -879,6 +879,9 @@ EXPORT_SYMBOL_GPL(vsock_create_connected + + s64 vsock_stream_has_data(struct vsock_sock *vsk) + { ++ if (WARN_ON(!vsk->transport)) ++ return 0; ++ + return vsk->transport->stream_has_data(vsk); + } + EXPORT_SYMBOL_GPL(vsock_stream_has_data); +@@ -887,6 +890,9 @@ s64 vsock_connectible_has_data(struct vs + { + struct sock *sk = sk_vsock(vsk); + ++ if (WARN_ON(!vsk->transport)) ++ return 0; ++ + if (sk->sk_type == 
SOCK_SEQPACKET) + return vsk->transport->seqpacket_has_data(vsk); + else +@@ -896,6 +902,9 @@ EXPORT_SYMBOL_GPL(vsock_connectible_has_ + + s64 vsock_stream_has_space(struct vsock_sock *vsk) + { ++ if (WARN_ON(!vsk->transport)) ++ return 0; ++ + return vsk->transport->stream_has_space(vsk); + } + EXPORT_SYMBOL_GPL(vsock_stream_has_space); diff --git a/queue-6.12/vsock-reset-socket-state-when-de-assigning-the-transport.patch b/queue-6.12/vsock-reset-socket-state-when-de-assigning-the-transport.patch new file mode 100644 index 0000000000..6475a3d5fa --- /dev/null +++ b/queue-6.12/vsock-reset-socket-state-when-de-assigning-the-transport.patch 
@@ -0,0 +1,45 @@ +From a24009bc9be60242651a21702609381b5092459e Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Fri, 10 Jan 2025 09:35:10 +0100 +Subject: vsock: reset socket state when de-assigning the transport + +From: Stefano Garzarella + +commit a24009bc9be60242651a21702609381b5092459e upstream. + +Transport's release() and destruct() are called when de-assigning the +vsock transport. These callbacks can touch some socket state like +sock flags, sk_state, and peer_shutdown. + +Since we are reassigning the socket to a new transport during +vsock_connect(), let's reset these fields to have a clean state with +the new transport. + +Fixes: c0cfa2d8a788 ("vsock: add multi-transports support") +Cc: stable@vger.kernel.org +Signed-off-by: Stefano Garzarella +Reviewed-by: Luigi Leonardi +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/af_vsock.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -491,6 +491,15 @@ int vsock_assign_transport(struct vsock_ + */ + vsk->transport->release(vsk); + vsock_deassign_transport(vsk); ++ ++ /* transport's release() and destruct() can touch some socket ++ * state, since we are reassigning the socket to a new transport ++ * during vsock_connect(), let's reset these fields to have a ++ * clean state. ++ */ ++ sock_reset_flag(sk, SOCK_DONE); ++ sk->sk_state = TCP_CLOSE; ++ vsk->peer_shutdown = 0; + } + + /* We increase the module refcnt to prevent the transport unloading diff --git a/queue-6.12/vsock-virtio-cancel-close-work-in-the-destructor.patch b/queue-6.12/vsock-virtio-cancel-close-work-in-the-destructor.patch new file mode 100644 index 0000000000..471bfc5f7f --- /dev/null +++ b/queue-6.12/vsock-virtio-cancel-close-work-in-the-destructor.patch 
@@ -0,0 +1,101 @@ +From df137da9d6d166e87e40980e36eb8e0bc90483ef Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Fri, 10 Jan 2025 09:35:09 +0100 +Subject: vsock/virtio: cancel close work in the destructor + +From: Stefano Garzarella + +commit df137da9d6d166e87e40980e36eb8e0bc90483ef upstream. + +During virtio_transport_release() we can schedule a delayed work to +perform the closing of the socket before destruction. + +The destructor is called either when the socket is really destroyed +(reference counter to zero), or it can also be called when we are +de-assigning the transport. + +In the former case, we are sure the delayed work has completed, because +it holds a reference until it completes, so the destructor will +definitely be called after the delayed work is finished. +But in the latter case, the destructor is called by AF_VSOCK core, just +after the release(), so there may still be delayed work scheduled. + +Refactor the code, moving the code to delete the close work already in +the do_close() to a new function. Invoke it during destruction to make +sure we don't leave any pending work. 
+ +Fixes: c0cfa2d8a788 ("vsock: add multi-transports support") +Cc: stable@vger.kernel.org +Reported-by: Hyunwoo Kim +Closes: https://lore.kernel.org/netdev/Z37Sh+utS+iV3+eb@v4bel-B760M-AORUS-ELITE-AX/ +Signed-off-by: Stefano Garzarella +Reviewed-by: Luigi Leonardi +Tested-by: Hyunwoo Kim +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/virtio_transport_common.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -26,6 +26,9 @@ + /* Threshold for detecting small packets to copy */ + #define GOOD_COPY_LEN 128 + ++static void virtio_transport_cancel_close_work(struct vsock_sock *vsk, ++ bool cancel_timeout); ++ + static const struct virtio_transport * + virtio_transport_get_ops(struct vsock_sock *vsk) + { +@@ -1109,6 +1112,8 @@ void virtio_transport_destruct(struct vs + { + struct virtio_vsock_sock *vvs = vsk->trans; + ++ virtio_transport_cancel_close_work(vsk, true); ++ + kfree(vvs); + vsk->trans = NULL; + } +@@ -1204,17 +1209,11 @@ static void virtio_transport_wait_close( + } + } + +-static void virtio_transport_do_close(struct vsock_sock *vsk, +- bool cancel_timeout) ++static void virtio_transport_cancel_close_work(struct vsock_sock *vsk, ++ bool cancel_timeout) + { + struct sock *sk = sk_vsock(vsk); + +- sock_set_flag(sk, SOCK_DONE); +- vsk->peer_shutdown = SHUTDOWN_MASK; +- if (vsock_stream_has_data(vsk) <= 0) +- sk->sk_state = TCP_CLOSING; +- sk->sk_state_change(sk); +- + if (vsk->close_work_scheduled && + (!cancel_timeout || cancel_delayed_work(&vsk->close_work))) { + vsk->close_work_scheduled = false; +@@ -1226,6 +1225,20 @@ static void virtio_transport_do_close(st + } + } + ++static void virtio_transport_do_close(struct vsock_sock *vsk, ++ bool cancel_timeout) ++{ ++ struct sock *sk = sk_vsock(vsk); ++ ++ sock_set_flag(sk, SOCK_DONE); ++ vsk->peer_shutdown = SHUTDOWN_MASK; ++ if 
(vsock_stream_has_data(vsk) <= 0) ++ sk->sk_state = TCP_CLOSING; ++ sk->sk_state_change(sk); ++ ++ virtio_transport_cancel_close_work(vsk, cancel_timeout); ++} ++ + static void virtio_transport_close_timeout(struct work_struct *work) + { + struct vsock_sock *vsk = diff --git a/queue-6.12/vsock-virtio-discard-packets-if-the-transport-changes.patch b/queue-6.12/vsock-virtio-discard-packets-if-the-transport-changes.patch new file mode 100644 index 0000000000..0889610ada --- /dev/null +++ b/queue-6.12/vsock-virtio-discard-packets-if-the-transport-changes.patch 
@@ -0,0 +1,47 @@ +From 2cb7c756f605ec02ffe562fb26828e4bcc5fdfc1 Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Fri, 10 Jan 2025 09:35:07 +0100 +Subject: vsock/virtio: discard packets if the transport changes + +From: Stefano Garzarella + +commit 2cb7c756f605ec02ffe562fb26828e4bcc5fdfc1 upstream. + +If the socket has been de-assigned or assigned to another transport, +we must discard any packets received because they are not expected +and would cause issues when we access vsk->transport. + +A possible scenario is described by Hyunwoo Kim in the attached link, +where after a first connect() interrupted by a signal, and a second +connect() failed, we can find `vsk->transport` at NULL, leading to a +NULL pointer dereference. + +Fixes: c0cfa2d8a788 ("vsock: add multi-transports support") +Cc: stable@vger.kernel.org +Reported-by: Hyunwoo Kim +Reported-by: Wongi Lee +Closes: https://lore.kernel.org/netdev/Z2LvdTTQR7dBmPb5@v4bel-B760M-AORUS-ELITE-AX/ +Signed-off-by: Stefano Garzarella +Reviewed-by: Hyunwoo Kim +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/virtio_transport_common.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -1628,8 +1628,11 @@ void virtio_transport_recv_pkt(struct vi + + lock_sock(sk); + +- /* Check if sk has been closed before lock_sock */ +- if (sock_flag(sk, SOCK_DONE)) { ++ /* Check if sk has been closed or assigned to another transport before ++ * lock_sock (note: listener sockets are not assigned to any transport) ++ */ ++ if (sock_flag(sk, SOCK_DONE) || ++ (sk->sk_state != TCP_LISTEN && vsk->transport != &t->transport)) { + (void)virtio_transport_reset_no_sock(t, skb); + release_sock(sk); + sock_put(sk);
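Review bot: in vsock_bpf_recvmsg() (net/vmw_vsock/vsock_bpf.c), the new `if (!vsk->transport)` check has no comment saying when the transport can be NULL; the failed connect() case is only in the commit message. A one-line comment at the check, and a note on why `-ENODEV` is the value returned through `out:`, would make the early exit self-explanatory. The check sits after `lock_sock(sk)` and exits through the label that calls `release_sock(sk)` and `sk_psock_put(sk, psock)`, which is the right place for it.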
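Review bot: in vsock_stream_has_data(), vsock_connectible_has_data() and vsock_stream_has_space() (net/vmw_vsock/af_vsock.c), `if (WARN_ON(!vsk->transport))` warns on every call. If a caller reaches one of these helpers repeatedly with a de-assigned transport, the log fills with identical backtraces, and on systems running with panic_on_warn the handled case becomes a panic. `WARN_ON_ONCE()` keeps the debugging signal the commit message asks for while bounding the cost. A short comment saying that 0 means "no data, no space" here would also help callers reading only the code.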
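Review bot: in virtio_transport_destruct() (net/vmw_vsock/virtio_transport_common.c), the new call `virtio_transport_cancel_close_work(vsk, true);` relies on `cancel_delayed_work()`, which does not wait for a work item that is already executing, and it is followed directly by `kfree(vvs);`. When `cancel_delayed_work()` returns false, the `close_work_scheduled` block is skipped and the destructor continues, so please document at the call site why the close work cannot be running at that point, or what serialises it against the free. If that cannot be guaranteed, a synchronous cancel may be needed here.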