From: Greg Kroah-Hartman Date: Mon, 18 Aug 2025 11:22:06 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v6.12.43~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=549a4fb2d82cf39fda9ccca2a619b748cc2ac19b;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch parisc-makefile-fix-a-typo-in-palo.conf.patch tools-nolibc-fix-spelling-of-fd_setbitmask-in-fd_-macros.patch --- diff --git a/queue-6.1/fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch b/queue-6.1/fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch new file mode 100644 index 0000000000..7bf8a9decc --- /dev/null +++ b/queue-6.1/fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch @@ -0,0 +1,69 @@ +From af0db3c1f898144846d4c172531a199bb3ca375d Mon Sep 17 00:00:00 2001 +From: Sravan Kumar Gundu +Date: Thu, 31 Jul 2025 15:36:18 -0500 +Subject: fbdev: Fix vmalloc out-of-bounds write in fast_imageblit + +From: Sravan Kumar Gundu + +commit af0db3c1f898144846d4c172531a199bb3ca375d upstream. + +This issue triggers when a userspace program does an ioctl +FBIOPUT_CON2FBMAP by passing console number and frame buffer number. +Ideally this maps console to frame buffer and updates the screen if +console is visible. + +As part of mapping it has to do resize of console according to frame +buffer info. if this resize fails and returns from vc_do_resize() and +continues further. At this point console and new frame buffer are mapped +and sets display vars. Despite failure still it continue to proceed +updating the screen at later stages where vc_data is related to previous +frame buffer and frame buffer info and display vars are mapped to new +frame buffer and eventully leading to out-of-bounds write in +fast_imageblit(). This bheviour is excepted only when fg_console is +equal to requested console which is a visible console and updates screen +with invalid struct references in fbcon_putcs(). + +Reported-and-tested-by: syzbot+c4b7aa0513823e2ea880@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=c4b7aa0513823e2ea880 +Signed-off-by: Sravan Kumar Gundu +Cc: stable@vger.kernel.org +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/fbcon.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -808,7 +808,8 @@ static void con2fb_init_display(struct v + fg_vc->vc_rows); + } + +- update_screen(vc_cons[fg_console].d); ++ if (fg_console != unit) ++ update_screen(vc_cons[fg_console].d); + } + + /** +@@ -1353,6 +1354,7 @@ static void fbcon_set_disp(struct fb_inf + struct vc_data *svc; + struct fbcon_ops *ops = info->fbcon_par; + int rows, cols; ++ unsigned long ret = 0; + + p = &fb_display[unit]; + +@@ -1403,11 +1405,10 @@ static void fbcon_set_disp(struct fb_inf + rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres); + cols /= vc->vc_font.width; + rows /= vc->vc_font.height; +- vc_resize(vc, cols, rows); ++ ret = vc_resize(vc, cols, rows); + +- if (con_is_visible(vc)) { ++ if (con_is_visible(vc) && !ret) + update_screen(vc); +- } + } + + static __inline__ void ywrap_up(struct vc_data *vc, int count) diff --git a/queue-6.1/hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch b/queue-6.1/hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch new file mode 100644 index 0000000000..bc1c0865dd --- /dev/null +++ b/queue-6.1/hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch @@ -0,0 +1,145 @@ +From 33caa208dba6fa639e8a92fd0c8320b652e5550c Mon Sep 17 00:00:00 2001 +From: Haiyang Zhang +Date: Wed, 6 Aug 2025 13:21:51 -0700 +Subject: hv_netvsc: Fix panic during namespace deletion with VF + +From: Haiyang Zhang + +commit 33caa208dba6fa639e8a92fd0c8320b652e5550c upstream. + +The existing code move the VF NIC to new namespace when NETDEV_REGISTER is +received on netvsc NIC. During deletion of the namespace, +default_device_exit_batch() >> default_device_exit_net() is called. When +netvsc NIC is moved back and registered to the default namespace, it +automatically brings VF NIC back to the default namespace. This will cause +the default_device_exit_net() >> for_each_netdev_safe loop unable to detect +the list end, and hit NULL ptr: + +[ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0 +[ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010 +[ 231.450246] #PF: supervisor read access in kernel mode +[ 231.450579] #PF: error_code(0x0000) - not-present page +[ 231.450916] PGD 17b8a8067 P4D 0 +[ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI +[ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY +[ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 +[ 231.452692] Workqueue: netns cleanup_net +[ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0 +[ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00 +[ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246 +[ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb +[ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564 +[ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000 +[ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340 +[ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340 +[ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000 +[ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0 +[ 231.458434] Call Trace: +[ 231.458600] +[ 231.458777] ops_undo_list+0x100/0x220 +[ 231.459015] cleanup_net+0x1b8/0x300 +[ 231.459285] process_one_work+0x184/0x340 + +To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid +changing the netdev list when default_device_exit_net() is using it. + +Cc: stable@vger.kernel.org +Fixes: 4c262801ea60 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event") +Signed-off-by: Haiyang Zhang +Link: https://patch.msgid.link/1754511711-11188-1-git-send-email-haiyangz@linux.microsoft.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/hyperv_net.h | 3 +++ + drivers/net/hyperv/netvsc_drv.c | 29 ++++++++++++++++++++++++++++- + 2 files changed, 31 insertions(+), 1 deletion(-) + +--- a/drivers/net/hyperv/hyperv_net.h ++++ b/drivers/net/hyperv/hyperv_net.h +@@ -1057,6 +1057,7 @@ struct net_device_context { + struct net_device __rcu *vf_netdev; + struct netvsc_vf_pcpu_stats __percpu *vf_stats; + struct delayed_work vf_takeover; ++ struct delayed_work vfns_work; + + /* 1: allocated, serial number is valid. 0: not allocated */ + u32 vf_alloc; +@@ -1071,6 +1072,8 @@ struct net_device_context { + struct netvsc_device_info *saved_netvsc_dev_info; + }; + ++void netvsc_vfns_work(struct work_struct *w); ++ + /* Azure hosts don't support non-TCP port numbers in hashing for fragmented + * packets. We can use ethtool to change UDP hash level when necessary. + */ +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -2508,6 +2508,7 @@ static int netvsc_probe(struct hv_device + spin_lock_init(&net_device_ctx->lock); + INIT_LIST_HEAD(&net_device_ctx->reconfig_events); + INIT_DELAYED_WORK(&net_device_ctx->vf_takeover, netvsc_vf_setup); ++ INIT_DELAYED_WORK(&net_device_ctx->vfns_work, netvsc_vfns_work); + + net_device_ctx->vf_stats + = netdev_alloc_pcpu_stats(struct netvsc_vf_pcpu_stats); +@@ -2647,6 +2648,8 @@ static int netvsc_remove(struct hv_devic + cancel_delayed_work_sync(&ndev_ctx->dwork); + + rtnl_lock(); ++ cancel_delayed_work_sync(&ndev_ctx->vfns_work); ++ + nvdev = rtnl_dereference(ndev_ctx->nvdev); + if (nvdev) { + cancel_work_sync(&nvdev->subchan_work); +@@ -2689,6 +2692,7 @@ static int netvsc_suspend(struct hv_devi + cancel_delayed_work_sync(&ndev_ctx->dwork); + + rtnl_lock(); ++ cancel_delayed_work_sync(&ndev_ctx->vfns_work); + + nvdev = rtnl_dereference(ndev_ctx->nvdev); + if (nvdev == NULL) { +@@ -2782,6 +2786,27 @@ static void netvsc_event_set_vf_ns(struc + } + } + ++void netvsc_vfns_work(struct work_struct *w) ++{ ++ struct net_device_context *ndev_ctx = ++ container_of(w, struct net_device_context, vfns_work.work); ++ struct net_device *ndev; ++ ++ if (!rtnl_trylock()) { ++ schedule_delayed_work(&ndev_ctx->vfns_work, 1); ++ return; ++ } ++ ++ ndev = hv_get_drvdata(ndev_ctx->device_ctx); ++ if (!ndev) ++ goto out; ++ ++ netvsc_event_set_vf_ns(ndev); ++ ++out: ++ rtnl_unlock(); ++} ++ + /* + * On Hyper-V, every VF interface is matched with a corresponding + * synthetic interface. The synthetic interface is presented first +@@ -2792,10 +2817,12 @@ static int netvsc_netdev_event(struct no + unsigned long event, void *ptr) + { + struct net_device *event_dev = netdev_notifier_info_to_dev(ptr); ++ struct net_device_context *ndev_ctx; + int ret = 0; + + if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) { +- netvsc_event_set_vf_ns(event_dev); ++ ndev_ctx = netdev_priv(event_dev); ++ schedule_delayed_work(&ndev_ctx->vfns_work, 0); + return NOTIFY_DONE; + } + diff --git a/queue-6.1/media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch b/queue-6.1/media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch new file mode 100644 index 0000000000..c4bc038efe --- /dev/null +++ b/queue-6.1/media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch @@ -0,0 +1,58 @@ +From bda2859bff0b9596a19648f3740c697ce4c71496 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Mon, 7 Jul 2025 18:34:01 +0000 +Subject: media: uvcvideo: Do not mark valid metadata as invalid + +From: Ricardo Ribalda + +commit bda2859bff0b9596a19648f3740c697ce4c71496 upstream. + +Currently, the driver performs a length check of the metadata buffer +before the actual metadata size is known and before the metadata is +decided to be copied. This results in valid metadata buffers being +incorrectly marked as invalid. + +Move the length check to occur after the metadata size is determined and +is decided to be copied. + +Cc: stable@vger.kernel.org +Fixes: 088ead255245 ("media: uvcvideo: Add a metadata device node") +Reviewed-by: Laurent Pinchart +Reviewed-by: Hans de Goede +Signed-off-by: Ricardo Ribalda +Link: https://lore.kernel.org/r/20250707-uvc-meta-v8-1-ed17f8b1218b@chromium.org +Signed-off-by: Hans de Goede +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_video.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -1353,12 +1353,6 @@ static void uvc_video_decode_meta(struct + if (!meta_buf || length == 2) + return; + +- if (meta_buf->length - meta_buf->bytesused < +- length + sizeof(meta->ns) + sizeof(meta->sof)) { +- meta_buf->error = 1; +- return; +- } +- + has_pts = mem[1] & UVC_STREAM_PTS; + has_scr = mem[1] & UVC_STREAM_SCR; + +@@ -1379,6 +1373,12 @@ static void uvc_video_decode_meta(struct + !memcmp(scr, stream->clock.last_scr, 6))) + return; + ++ if (meta_buf->length - meta_buf->bytesused < ++ length + sizeof(meta->ns) + sizeof(meta->sof)) { ++ meta_buf->error = 1; ++ return; ++ } ++ + meta = (struct uvc_meta_buf *)((u8 *)meta_buf->mem + meta_buf->bytesused); + local_irq_save(flags); + time = uvc_video_get_time(); diff --git a/queue-6.1/media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch b/queue-6.1/media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch new file mode 100644 index 0000000000..5a56c3273b --- /dev/null +++ b/queue-6.1/media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch @@ -0,0 +1,43 @@ +From 782b6a718651eda3478b1824b37a8b3185d2740c Mon Sep 17 00:00:00 2001 +From: Youngjun Lee +Date: Tue, 10 Jun 2025 21:41:07 +0900 +Subject: media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() + +From: Youngjun Lee + +commit 782b6a718651eda3478b1824b37a8b3185d2740c upstream. + +The buffer length check before calling uvc_parse_format() only ensured +that the buffer has at least 3 bytes (buflen > 2), buf the function +accesses buffer[3], requiring at least 4 bytes. + +This can lead to an out-of-bounds read if the buffer has exactly 3 bytes. + +Fix it by checking that the buffer has at least 4 bytes in +uvc_parse_format(). + +Signed-off-by: Youngjun Lee +Reviewed-by: Laurent Pinchart +Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") +Cc: stable@vger.kernel.org +Reviewed-by: Ricardo Ribalda +Link: https://lore.kernel.org/r/20250610124107.37360-1-yjjuny.lee@samsung.com +Signed-off-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_driver.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -233,6 +233,9 @@ static int uvc_parse_format(struct uvc_d + unsigned int i, n; + u8 ftype; + ++ if (buflen < 4) ++ return -EINVAL; ++ + format->type = buffer[2]; + format->index = buffer[3]; + diff --git a/queue-6.1/mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch b/queue-6.1/mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch new file mode 100644 index 0000000000..58c2c4fe3c --- /dev/null +++ b/queue-6.1/mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch @@ -0,0 +1,64 @@ +From 47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2 Mon Sep 17 00:00:00 2001 +From: Breno Leitao +Date: Thu, 31 Jul 2025 02:57:18 -0700 +Subject: mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock + +From: Breno Leitao + +commit 47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2 upstream. + +When netpoll is enabled, calling pr_warn_once() while holding +kmemleak_lock in mem_pool_alloc() can cause a deadlock due to lock +inversion with the netconsole subsystem. This occurs because +pr_warn_once() may trigger netpoll, which eventually leads to +__alloc_skb() and back into kmemleak code, attempting to reacquire +kmemleak_lock. + +This is the path for the deadlock. + +mem_pool_alloc() + -> raw_spin_lock_irqsave(&kmemleak_lock, flags); + -> pr_warn_once() + -> netconsole subsystem + -> netpoll + -> __alloc_skb + -> __create_object + -> raw_spin_lock_irqsave(&kmemleak_lock, flags); + +Fix this by setting a flag and issuing the pr_warn_once() after +kmemleak_lock is released. + +Link: https://lkml.kernel.org/r/20250731-kmemleak_lock-v1-1-728fd470198f@debian.org +Fixes: c5665868183f ("mm: kmemleak: use the memory pool for early allocations") +Signed-off-by: Breno Leitao +Reported-by: Jakub Kicinski +Acked-by: Catalin Marinas +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/kmemleak.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/mm/kmemleak.c ++++ b/mm/kmemleak.c +@@ -441,6 +441,7 @@ static struct kmemleak_object *mem_pool_ + { + unsigned long flags; + struct kmemleak_object *object; ++ bool warn = false; + + /* try the slab allocator first */ + if (object_cache) { +@@ -458,8 +459,10 @@ static struct kmemleak_object *mem_pool_ + else if (mem_pool_free_count) + object = &mem_pool[--mem_pool_free_count]; + else +- pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n"); ++ warn = true; + raw_spin_unlock_irqrestore(&kmemleak_lock, flags); ++ if (warn) ++ pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n"); + + return object; + } diff --git a/queue-6.1/mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch b/queue-6.1/mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch new file mode 100644 index 0000000000..c881cbc450 --- /dev/null +++ b/queue-6.1/mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch @@ -0,0 +1,66 @@ +From d1534ae23c2b6be350c8ab060803fbf6e9682adc Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Mon, 28 Jul 2025 15:02:48 -0400 +Subject: mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() + +From: Waiman Long + +commit d1534ae23c2b6be350c8ab060803fbf6e9682adc upstream. + +A soft lockup warning was observed on a relative small system x86-64 +system with 16 GB of memory when running a debug kernel with kmemleak +enabled. + + watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134] + +The test system was running a workload with hot unplug happening in +parallel. Then kemleak decided to disable itself due to its inability to +allocate more kmemleak objects. The debug kernel has its +CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE set to 40,000. + +The soft lockup happened in kmemleak_do_cleanup() when the existing +kmemleak objects were being removed and deleted one-by-one in a loop via a +workqueue. In this particular case, there are at least 40,000 objects +that need to be processed and given the slowness of a debug kernel and the +fact that a raw_spinlock has to be acquired and released in +__delete_object(), it could take a while to properly handle all these +objects. + +As kmemleak has been disabled in this case, the object removal and +deletion process can be further optimized as locking isn't really needed. +However, it is probably not worth the effort to optimize for such an edge +case that should rarely happen. So the simple solution is to call +cond_resched() at periodic interval in the iteration loop to avoid soft +lockup. + +Link: https://lkml.kernel.org/r/20250728190248.605750-1-longman@redhat.com +Signed-off-by: Waiman Long +Acked-by: Catalin Marinas +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/kmemleak.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/mm/kmemleak.c ++++ b/mm/kmemleak.c +@@ -1992,6 +1992,7 @@ static const struct file_operations kmem + static void __kmemleak_do_cleanup(void) + { + struct kmemleak_object *object, *tmp; ++ unsigned int cnt = 0; + + /* + * Kmemleak has already been disabled, no need for RCU list traversal +@@ -2000,6 +2001,10 @@ static void __kmemleak_do_cleanup(void) + list_for_each_entry_safe(object, tmp, &object_list, object_list) { + __remove_object(object); + __delete_object(object); ++ ++ /* Call cond_resched() once per 64 iterations to avoid soft lockup */ ++ if (!(++cnt & 0x3f)) ++ cond_resched(); + } + } + diff --git a/queue-6.1/parisc-makefile-fix-a-typo-in-palo.conf.patch b/queue-6.1/parisc-makefile-fix-a-typo-in-palo.conf.patch new file mode 100644 index 0000000000..7793beab6f --- /dev/null +++ b/queue-6.1/parisc-makefile-fix-a-typo-in-palo.conf.patch @@ -0,0 +1,35 @@ +From 963f1b20a8d2a098954606b9725cd54336a2a86c Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Wed, 25 Jun 2025 00:39:33 -0700 +Subject: parisc: Makefile: fix a typo in palo.conf + +From: Randy Dunlap + +commit 963f1b20a8d2a098954606b9725cd54336a2a86c upstream. + +Correct "objree" to "objtree". "objree" is not defined. + +Fixes: 75dd47472b92 ("kbuild: remove src and obj from the top Makefile") +Signed-off-by: Randy Dunlap +Cc: Masahiro Yamada +Cc: "James E.J. Bottomley" +Cc: Helge Deller +Cc: linux-parisc@vger.kernel.org +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.3+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/parisc/Makefile ++++ b/arch/parisc/Makefile +@@ -137,7 +137,7 @@ palo lifimage: vmlinuz + fi + @if test ! -f "$(PALOCONF)"; then \ + cp $(srctree)/arch/parisc/defpalo.conf $(objtree)/palo.conf; \ +- echo 'A generic palo config file ($(objree)/palo.conf) has been created for you.'; \ ++ echo 'A generic palo config file ($(objtree)/palo.conf) has been created for you.'; \ + echo 'You should check it and re-run "make palo".'; \ + echo 'WARNING: the "lifimage" file is now placed in this directory by default!'; \ + false; \ diff --git a/queue-6.1/series b/queue-6.1/series index 9048c2cb63..c2ce803108 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -256,3 +256,11 @@ btrfs-abort-transaction-during-log-replay-if-walk_log_tree-failed.patch btrfs-zoned-do-not-remove-unwritten-non-data-block-group.patch btrfs-fix-log-tree-replay-failure-due-to-file-with-0-links-and-extents.patch btrfs-do-not-allow-relocation-of-partially-dropped-subvolumes.patch +fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch +hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch +parisc-makefile-fix-a-typo-in-palo.conf.patch +mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch +mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch +media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch +media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch +tools-nolibc-fix-spelling-of-fd_setbitmask-in-fd_-macros.patch diff --git a/queue-6.1/tools-nolibc-fix-spelling-of-fd_setbitmask-in-fd_-macros.patch b/queue-6.1/tools-nolibc-fix-spelling-of-fd_setbitmask-in-fd_-macros.patch new file mode 100644 index 0000000000..a26a4e0968 --- /dev/null +++ b/queue-6.1/tools-nolibc-fix-spelling-of-fd_setbitmask-in-fd_-macros.patch @@ -0,0 +1,46 @@ +From a477629baa2a0e9991f640af418e8c973a1c08e3 Mon Sep 17 00:00:00 2001 +From: Willy Tarreau +Date: Thu, 19 Jun 2025 11:30:51 +0200 +Subject: tools/nolibc: fix spelling of FD_SETBITMASK in FD_* macros +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Willy Tarreau + +commit a477629baa2a0e9991f640af418e8c973a1c08e3 upstream. + +While nolibc-test does test syscalls, it doesn't test as much the rest +of the macros, and a wrong spelling of FD_SETBITMASK in commit +feaf75658783a broke programs using either FD_SET() or FD_CLR() without +being noticed. Let's fix these macros. + +Fixes: feaf75658783a ("nolibc: fix fd_set type") +Cc: stable@vger.kernel.org # v6.2+ +Acked-by: Thomas Weißschuh +Signed-off-by: Willy Tarreau +Signed-off-by: Greg Kroah-Hartman +--- + tools/include/nolibc/types.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/include/nolibc/types.h ++++ b/tools/include/nolibc/types.h +@@ -102,7 +102,7 @@ typedef struct { + int __fd = (fd); \ + if (__fd >= 0) \ + __set->fds[__fd / FD_SETIDXMASK] &= \ +- ~(1U << (__fd & FX_SETBITMASK)); \ ++ ~(1U << (__fd & FD_SETBITMASK)); \ + } while (0) + + #define FD_SET(fd, set) do { \ +@@ -119,7 +119,7 @@ typedef struct { + int __r = 0; \ + if (__fd >= 0) \ + __r = !!(__set->fds[__fd / FD_SETIDXMASK] & \ +-1U << (__fd & FD_SET_BITMASK)); \ ++1U << (__fd & FD_SETBITMASK)); \ + __r; \ + }) +