From: Greg Kroah-Hartman Date: Mon, 18 Aug 2025 11:22:24 +0000 (+0200) Subject: 6.12-stable patches X-Git-Tag: v6.12.43~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6c665512e051e7e6175138e7c6749d1334ba53b4;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch media-v4l2-add-support-for-nv12m-tiled-variants-to-v4l2_format_info.patch media-venus-fix-oob-read-due-to-missing-payload-bound-check.patch mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch mm-slab-restore-numa-policy-support-for-large-kmalloc.patch net-sched-ets-use-old-nbands-while-purging-unused-classes.patch parisc-makefile-fix-a-typo-in-palo.conf.patch rdma-siw-fix-the-sendmsg-byte-count-in-siw_tcp_sendpages.patch tools-nolibc-fix-spelling-of-fd_setbitmask-in-fd_-macros.patch userfaultfd-fix-a-crash-in-uffdio_move-when-pmd-is-a-migration-entry.patch --- diff --git a/queue-6.12/fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch b/queue-6.12/fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch new file mode 100644 index 0000000000..0abaaa7bd6 --- /dev/null +++ b/queue-6.12/fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch @@ -0,0 +1,69 @@ +From af0db3c1f898144846d4c172531a199bb3ca375d Mon Sep 17 00:00:00 2001 +From: Sravan Kumar Gundu +Date: Thu, 31 Jul 2025 15:36:18 -0500 +Subject: fbdev: Fix vmalloc out-of-bounds write in fast_imageblit + +From: Sravan Kumar Gundu + +commit af0db3c1f898144846d4c172531a199bb3ca375d upstream. + +This issue triggers when a userspace program does an ioctl +FBIOPUT_CON2FBMAP by passing console number and frame buffer number. +Ideally this maps console to frame buffer and updates the screen if +console is visible. + +As part of mapping it has to do resize of console according to frame +buffer info. if this resize fails and returns from vc_do_resize() and +continues further. At this point console and new frame buffer are mapped +and sets display vars. Despite failure still it continue to proceed +updating the screen at later stages where vc_data is related to previous +frame buffer and frame buffer info and display vars are mapped to new +frame buffer and eventully leading to out-of-bounds write in +fast_imageblit(). This bheviour is excepted only when fg_console is +equal to requested console which is a visible console and updates screen +with invalid struct references in fbcon_putcs(). + +Reported-and-tested-by: syzbot+c4b7aa0513823e2ea880@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=c4b7aa0513823e2ea880 +Signed-off-by: Sravan Kumar Gundu +Cc: stable@vger.kernel.org +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/fbcon.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -826,7 +826,8 @@ static void con2fb_init_display(struct v + fg_vc->vc_rows); + } + +- update_screen(vc_cons[fg_console].d); ++ if (fg_console != unit) ++ update_screen(vc_cons[fg_console].d); + } + + /** +@@ -1363,6 +1364,7 @@ static void fbcon_set_disp(struct fb_inf + struct vc_data *svc; + struct fbcon_ops *ops = info->fbcon_par; + int rows, cols; ++ unsigned long ret = 0; + + p = &fb_display[unit]; + +@@ -1413,11 +1415,10 @@ static void fbcon_set_disp(struct fb_inf + rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres); + cols /= vc->vc_font.width; + rows /= vc->vc_font.height; +- vc_resize(vc, cols, rows); ++ ret = vc_resize(vc, cols, rows); + +- if (con_is_visible(vc)) { ++ if (con_is_visible(vc) && !ret) + update_screen(vc); +- } + } + + static __inline__ void ywrap_up(struct vc_data *vc, int count) diff --git a/queue-6.12/hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch b/queue-6.12/hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch new file mode 100644 index 0000000000..919663eaef --- /dev/null +++ b/queue-6.12/hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch @@ -0,0 +1,145 @@ +From 33caa208dba6fa639e8a92fd0c8320b652e5550c Mon Sep 17 00:00:00 2001 +From: Haiyang Zhang +Date: Wed, 6 Aug 2025 13:21:51 -0700 +Subject: hv_netvsc: Fix panic during namespace deletion with VF + +From: Haiyang Zhang + +commit 33caa208dba6fa639e8a92fd0c8320b652e5550c upstream. + +The existing code move the VF NIC to new namespace when NETDEV_REGISTER is +received on netvsc NIC. During deletion of the namespace, +default_device_exit_batch() >> default_device_exit_net() is called. When +netvsc NIC is moved back and registered to the default namespace, it +automatically brings VF NIC back to the default namespace. This will cause +the default_device_exit_net() >> for_each_netdev_safe loop unable to detect +the list end, and hit NULL ptr: + +[ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0 +[ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010 +[ 231.450246] #PF: supervisor read access in kernel mode +[ 231.450579] #PF: error_code(0x0000) - not-present page +[ 231.450916] PGD 17b8a8067 P4D 0 +[ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI +[ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY +[ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 +[ 231.452692] Workqueue: netns cleanup_net +[ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0 +[ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00 +[ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246 +[ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb +[ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564 +[ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000 +[ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340 +[ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340 +[ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000 +[ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0 +[ 231.458434] Call Trace: +[ 231.458600] +[ 231.458777] ops_undo_list+0x100/0x220 +[ 231.459015] cleanup_net+0x1b8/0x300 +[ 231.459285] process_one_work+0x184/0x340 + +To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid +changing the netdev list when default_device_exit_net() is using it. + +Cc: stable@vger.kernel.org +Fixes: 4c262801ea60 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event") +Signed-off-by: Haiyang Zhang +Link: https://patch.msgid.link/1754511711-11188-1-git-send-email-haiyangz@linux.microsoft.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/hyperv_net.h | 3 +++ + drivers/net/hyperv/netvsc_drv.c | 29 ++++++++++++++++++++++++++++- + 2 files changed, 31 insertions(+), 1 deletion(-) + +--- a/drivers/net/hyperv/hyperv_net.h ++++ b/drivers/net/hyperv/hyperv_net.h +@@ -1061,6 +1061,7 @@ struct net_device_context { + struct net_device __rcu *vf_netdev; + struct netvsc_vf_pcpu_stats __percpu *vf_stats; + struct delayed_work vf_takeover; ++ struct delayed_work vfns_work; + + /* 1: allocated, serial number is valid. 0: not allocated */ + u32 vf_alloc; +@@ -1075,6 +1076,8 @@ struct net_device_context { + struct netvsc_device_info *saved_netvsc_dev_info; + }; + ++void netvsc_vfns_work(struct work_struct *w); ++ + /* Azure hosts don't support non-TCP port numbers in hashing for fragmented + * packets. We can use ethtool to change UDP hash level when necessary. + */ +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -2516,6 +2516,7 @@ static int netvsc_probe(struct hv_device + spin_lock_init(&net_device_ctx->lock); + INIT_LIST_HEAD(&net_device_ctx->reconfig_events); + INIT_DELAYED_WORK(&net_device_ctx->vf_takeover, netvsc_vf_setup); ++ INIT_DELAYED_WORK(&net_device_ctx->vfns_work, netvsc_vfns_work); + + net_device_ctx->vf_stats + = netdev_alloc_pcpu_stats(struct netvsc_vf_pcpu_stats); +@@ -2658,6 +2659,8 @@ static void netvsc_remove(struct hv_devi + cancel_delayed_work_sync(&ndev_ctx->dwork); + + rtnl_lock(); ++ cancel_delayed_work_sync(&ndev_ctx->vfns_work); ++ + nvdev = rtnl_dereference(ndev_ctx->nvdev); + if (nvdev) { + cancel_work_sync(&nvdev->subchan_work); +@@ -2699,6 +2702,7 @@ static int netvsc_suspend(struct hv_devi + cancel_delayed_work_sync(&ndev_ctx->dwork); + + rtnl_lock(); ++ cancel_delayed_work_sync(&ndev_ctx->vfns_work); + + nvdev = rtnl_dereference(ndev_ctx->nvdev); + if (nvdev == NULL) { +@@ -2792,6 +2796,27 @@ static void netvsc_event_set_vf_ns(struc + } + } + ++void netvsc_vfns_work(struct work_struct *w) ++{ ++ struct net_device_context *ndev_ctx = ++ container_of(w, struct net_device_context, vfns_work.work); ++ struct net_device *ndev; ++ ++ if (!rtnl_trylock()) { ++ schedule_delayed_work(&ndev_ctx->vfns_work, 1); ++ return; ++ } ++ ++ ndev = hv_get_drvdata(ndev_ctx->device_ctx); ++ if (!ndev) ++ goto out; ++ ++ netvsc_event_set_vf_ns(ndev); ++ ++out: ++ rtnl_unlock(); ++} ++ + /* + * On Hyper-V, every VF interface is matched with a corresponding + * synthetic interface. The synthetic interface is presented first +@@ -2802,10 +2827,12 @@ static int netvsc_netdev_event(struct no + unsigned long event, void *ptr) + { + struct net_device *event_dev = netdev_notifier_info_to_dev(ptr); ++ struct net_device_context *ndev_ctx; + int ret = 0; + + if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) { +- netvsc_event_set_vf_ns(event_dev); ++ ndev_ctx = netdev_priv(event_dev); ++ schedule_delayed_work(&ndev_ctx->vfns_work, 0); + return NOTIFY_DONE; + } + diff --git a/queue-6.12/media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch b/queue-6.12/media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch new file mode 100644 index 0000000000..c7b71ff0e0 --- /dev/null +++ b/queue-6.12/media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch @@ -0,0 +1,58 @@ +From bda2859bff0b9596a19648f3740c697ce4c71496 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Mon, 7 Jul 2025 18:34:01 +0000 +Subject: media: uvcvideo: Do not mark valid metadata as invalid + +From: Ricardo Ribalda + +commit bda2859bff0b9596a19648f3740c697ce4c71496 upstream. + +Currently, the driver performs a length check of the metadata buffer +before the actual metadata size is known and before the metadata is +decided to be copied. This results in valid metadata buffers being +incorrectly marked as invalid. + +Move the length check to occur after the metadata size is determined and +is decided to be copied. + +Cc: stable@vger.kernel.org +Fixes: 088ead255245 ("media: uvcvideo: Add a metadata device node") +Reviewed-by: Laurent Pinchart +Reviewed-by: Hans de Goede +Signed-off-by: Ricardo Ribalda +Link: https://lore.kernel.org/r/20250707-uvc-meta-v8-1-ed17f8b1218b@chromium.org +Signed-off-by: Hans de Goede +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_video.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -1437,12 +1437,6 @@ static void uvc_video_decode_meta(struct + if (!meta_buf || length == 2) + return; + +- if (meta_buf->length - meta_buf->bytesused < +- length + sizeof(meta->ns) + sizeof(meta->sof)) { +- meta_buf->error = 1; +- return; +- } +- + has_pts = mem[1] & UVC_STREAM_PTS; + has_scr = mem[1] & UVC_STREAM_SCR; + +@@ -1463,6 +1457,12 @@ static void uvc_video_decode_meta(struct + !memcmp(scr, stream->clock.last_scr, 6))) + return; + ++ if (meta_buf->length - meta_buf->bytesused < ++ length + sizeof(meta->ns) + sizeof(meta->sof)) { ++ meta_buf->error = 1; ++ return; ++ } ++ + meta = (struct uvc_meta_buf *)((u8 *)meta_buf->mem + meta_buf->bytesused); + local_irq_save(flags); + time = uvc_video_get_time(); diff --git a/queue-6.12/media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch b/queue-6.12/media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch new file mode 100644 index 0000000000..853f2b53d2 --- /dev/null +++ b/queue-6.12/media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch @@ -0,0 +1,43 @@ +From 782b6a718651eda3478b1824b37a8b3185d2740c Mon Sep 17 00:00:00 2001 +From: Youngjun Lee +Date: Tue, 10 Jun 2025 21:41:07 +0900 +Subject: media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() + +From: Youngjun Lee + +commit 782b6a718651eda3478b1824b37a8b3185d2740c upstream. + +The buffer length check before calling uvc_parse_format() only ensured +that the buffer has at least 3 bytes (buflen > 2), buf the function +accesses buffer[3], requiring at least 4 bytes. + +This can lead to an out-of-bounds read if the buffer has exactly 3 bytes. + +Fix it by checking that the buffer has at least 4 bytes in +uvc_parse_format(). + +Signed-off-by: Youngjun Lee +Reviewed-by: Laurent Pinchart +Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") +Cc: stable@vger.kernel.org +Reviewed-by: Ricardo Ribalda +Link: https://lore.kernel.org/r/20250610124107.37360-1-yjjuny.lee@samsung.com +Signed-off-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_driver.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -235,6 +235,9 @@ static int uvc_parse_format(struct uvc_d + unsigned int i, n; + u8 ftype; + ++ if (buflen < 4) ++ return -EINVAL; ++ + format->type = buffer[2]; + format->index = buffer[3]; + format->frames = frames; diff --git a/queue-6.12/media-v4l2-add-support-for-nv12m-tiled-variants-to-v4l2_format_info.patch b/queue-6.12/media-v4l2-add-support-for-nv12m-tiled-variants-to-v4l2_format_info.patch new file mode 100644 index 0000000000..15c610b576 --- /dev/null +++ b/queue-6.12/media-v4l2-add-support-for-nv12m-tiled-variants-to-v4l2_format_info.patch @@ -0,0 +1,42 @@ +From f7546da1d6eb8928efb89b7faacbd6c2f8f0de5c Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Fri, 11 Jul 2025 11:41:58 +0200 +Subject: media: v4l2: Add support for NV12M tiled variants to v4l2_format_info() + +From: Marek Szyprowski + +commit f7546da1d6eb8928efb89b7faacbd6c2f8f0de5c upstream. + +Commit 6f1466123d73 ("media: s5p-mfc: Add YV12 and I420 multiplanar +format support") added support for the new formats to s5p-mfc driver, +what in turn required some internal calls to the v4l2_format_info() +function while setting up formats. This in turn broke support for the +"old" tiled NV12MT* formats, which are not recognized by this function. +Fix this by adding those variants of NV12M pixel format to +v4l2_format_info() function database. + +Fixes: 6f1466123d73 ("media: s5p-mfc: Add YV12 and I420 multiplanar format support") +Cc: stable@vger.kernel.org +Signed-off-by: Marek Szyprowski +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/v4l2-common.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/media/v4l2-core/v4l2-common.c ++++ b/drivers/media/v4l2-core/v4l2-common.c +@@ -312,6 +312,12 @@ const struct v4l2_format_info *v4l2_form + { .format = V4L2_PIX_FMT_NV61M, .pixel_enc = V4L2_PIXEL_ENC_YUV, .mem_planes = 2, .comp_planes = 2, .bpp = { 1, 2, 0, 0 }, .bpp_div = { 1, 1, 1, 1 }, .hdiv = 2, .vdiv = 1 }, + { .format = V4L2_PIX_FMT_P012M, .pixel_enc = V4L2_PIXEL_ENC_YUV, .mem_planes = 2, .comp_planes = 2, .bpp = { 2, 4, 0, 0 }, .bpp_div = { 1, 1, 1, 1 }, .hdiv = 2, .vdiv = 2 }, + ++ /* Tiled YUV formats, non contiguous variant */ ++ { .format = V4L2_PIX_FMT_NV12MT, .pixel_enc = V4L2_PIXEL_ENC_YUV, .mem_planes = 2, .comp_planes = 2, .bpp = { 1, 2, 0, 0 }, .bpp_div = { 1, 1, 1, 1 }, .hdiv = 2, .vdiv = 2, ++ .block_w = { 64, 32, 0, 0 }, .block_h = { 32, 16, 0, 0 }}, ++ { .format = V4L2_PIX_FMT_NV12MT_16X16, .pixel_enc = V4L2_PIXEL_ENC_YUV, .mem_planes = 2, .comp_planes = 2, .bpp = { 1, 2, 0, 0 }, .bpp_div = { 1, 1, 1, 1 }, .hdiv = 2, .vdiv = 2, ++ .block_w = { 16, 8, 0, 0 }, .block_h = { 16, 8, 0, 0 }}, ++ + /* Bayer RGB formats */ + { .format = V4L2_PIX_FMT_SBGGR8, .pixel_enc = V4L2_PIXEL_ENC_BAYER, .mem_planes = 1, .comp_planes = 1, .bpp = { 1, 0, 0, 0 }, .bpp_div = { 1, 1, 1, 1 }, .hdiv = 1, .vdiv = 1 }, + { .format = V4L2_PIX_FMT_SGBRG8, .pixel_enc = V4L2_PIXEL_ENC_BAYER, .mem_planes = 1, .comp_planes = 1, .bpp = { 1, 0, 0, 0 }, .bpp_div = { 1, 1, 1, 1 }, .hdiv = 1, .vdiv = 1 }, diff --git a/queue-6.12/media-venus-fix-oob-read-due-to-missing-payload-bound-check.patch b/queue-6.12/media-venus-fix-oob-read-due-to-missing-payload-bound-check.patch new file mode 100644 index 0000000000..c63f60cc50 --- /dev/null +++ b/queue-6.12/media-venus-fix-oob-read-due-to-missing-payload-bound-check.patch @@ -0,0 +1,197 @@ +From 06d6770ff0d8cc8dfd392329a8cc03e2a83e7289 Mon Sep 17 00:00:00 2001 +From: Vedang Nagar +Date: Mon, 19 May 2025 12:42:22 +0530 +Subject: media: venus: Fix OOB read due to missing payload bound check + +From: Vedang Nagar + +commit 06d6770ff0d8cc8dfd392329a8cc03e2a83e7289 upstream. + +Currently, The event_seq_changed() handler processes a variable number +of properties sent by the firmware. The number of properties is indicated +by the firmware and used to iterate over the payload. However, the +payload size is not being validated against the actual message length. + +This can lead to out-of-bounds memory access if the firmware provides a +property count that exceeds the data available in the payload. Such a +condition can result in kernel crashes or potential information leaks if +memory beyond the buffer is accessed. + +Fix this by properly validating the remaining size of the payload before +each property access and updating bounds accordingly as properties are +parsed. + +This ensures that property parsing is safely bounded within the received +message buffer and protects against malformed or malicious firmware +behavior. + +Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)") +Cc: stable@vger.kernel.org +Signed-off-by: Vedang Nagar +Reviewed-by: Vikash Garodia +Reviewed-by: Bryan O'Donoghue +Co-developed-by: Dikshita Agarwal +Signed-off-by: Dikshita Agarwal +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/hfi_msgs.c | 83 ++++++++++++++++++--------- + 1 file changed, 58 insertions(+), 25 deletions(-) + +--- a/drivers/media/platform/qcom/venus/hfi_msgs.c ++++ b/drivers/media/platform/qcom/venus/hfi_msgs.c +@@ -33,8 +33,9 @@ static void event_seq_changed(struct ven + struct hfi_buffer_requirements *bufreq; + struct hfi_extradata_input_crop *crop; + struct hfi_dpb_counts *dpb_count; ++ u32 ptype, rem_bytes; ++ u32 size_read = 0; + u8 *data_ptr; +- u32 ptype; + + inst->error = HFI_ERR_NONE; + +@@ -44,86 +45,118 @@ static void event_seq_changed(struct ven + break; + default: + inst->error = HFI_ERR_SESSION_INVALID_PARAMETER; +- goto done; ++ inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); ++ return; + } + + event.event_type = pkt->event_data1; + + num_properties_changed = pkt->event_data2; +- if (!num_properties_changed) { +- inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES; +- goto done; +- } ++ if (!num_properties_changed) ++ goto error; + + data_ptr = (u8 *)&pkt->ext_event_data[0]; ++ rem_bytes = pkt->shdr.hdr.size - sizeof(*pkt); ++ + do { ++ if (rem_bytes < sizeof(u32)) ++ goto error; + ptype = *((u32 *)data_ptr); ++ ++ data_ptr += sizeof(u32); ++ rem_bytes -= sizeof(u32); ++ + switch (ptype) { + case HFI_PROPERTY_PARAM_FRAME_SIZE: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_framesize)) ++ goto error; ++ + frame_sz = (struct hfi_framesize *)data_ptr; + event.width = frame_sz->width; + event.height = frame_sz->height; +- data_ptr += sizeof(*frame_sz); ++ size_read = sizeof(struct hfi_framesize); + break; + case HFI_PROPERTY_PARAM_PROFILE_LEVEL_CURRENT: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_profile_level)) ++ goto error; ++ + profile_level = (struct hfi_profile_level *)data_ptr; + event.profile = profile_level->profile; + event.level = profile_level->level; +- data_ptr += sizeof(*profile_level); ++ size_read = sizeof(struct hfi_profile_level); + break; + case HFI_PROPERTY_PARAM_VDEC_PIXEL_BITDEPTH: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_bit_depth)) ++ goto error; ++ + pixel_depth = (struct hfi_bit_depth *)data_ptr; + event.bit_depth = pixel_depth->bit_depth; +- data_ptr += sizeof(*pixel_depth); ++ size_read = sizeof(struct hfi_bit_depth); + break; + case HFI_PROPERTY_PARAM_VDEC_PIC_STRUCT: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_pic_struct)) ++ goto error; ++ + pic_struct = (struct hfi_pic_struct *)data_ptr; + event.pic_struct = pic_struct->progressive_only; +- data_ptr += sizeof(*pic_struct); ++ size_read = sizeof(struct hfi_pic_struct); + break; + case HFI_PROPERTY_PARAM_VDEC_COLOUR_SPACE: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_colour_space)) ++ goto error; ++ + colour_info = (struct hfi_colour_space *)data_ptr; + event.colour_space = colour_info->colour_space; +- data_ptr += sizeof(*colour_info); ++ size_read = sizeof(struct hfi_colour_space); + break; + case HFI_PROPERTY_CONFIG_VDEC_ENTROPY: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(u32)) ++ goto error; ++ + event.entropy_mode = *(u32 *)data_ptr; +- data_ptr += sizeof(u32); ++ size_read = sizeof(u32); + break; + case HFI_PROPERTY_CONFIG_BUFFER_REQUIREMENTS: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_buffer_requirements)) ++ goto error; ++ + bufreq = (struct hfi_buffer_requirements *)data_ptr; + event.buf_count = hfi_bufreq_get_count_min(bufreq, ver); +- data_ptr += sizeof(*bufreq); ++ size_read = sizeof(struct hfi_buffer_requirements); + break; + case HFI_INDEX_EXTRADATA_INPUT_CROP: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_extradata_input_crop)) ++ goto error; ++ + crop = (struct hfi_extradata_input_crop *)data_ptr; + event.input_crop.left = crop->left; + event.input_crop.top = crop->top; + event.input_crop.width = crop->width; + event.input_crop.height = crop->height; +- data_ptr += sizeof(*crop); ++ size_read = sizeof(struct hfi_extradata_input_crop); + break; + case HFI_PROPERTY_PARAM_VDEC_DPB_COUNTS: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_dpb_counts)) ++ goto error; ++ + dpb_count = (struct hfi_dpb_counts *)data_ptr; + event.buf_count = dpb_count->fw_min_cnt; +- data_ptr += sizeof(*dpb_count); ++ size_read = sizeof(struct hfi_dpb_counts); + break; + default: ++ size_read = 0; + break; + } ++ data_ptr += size_read; ++ rem_bytes -= size_read; + num_properties_changed--; + } while (num_properties_changed > 0); + +-done: ++ inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); ++ return; ++ ++error: ++ inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES; + inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); + } + diff --git a/queue-6.12/mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch b/queue-6.12/mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch new file mode 100644 index 0000000000..86281f3713 --- /dev/null +++ b/queue-6.12/mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch @@ -0,0 +1,64 @@ +From 47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2 Mon Sep 17 00:00:00 2001 +From: Breno Leitao +Date: Thu, 31 Jul 2025 02:57:18 -0700 +Subject: mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock + +From: Breno Leitao + +commit 47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2 upstream. + +When netpoll is enabled, calling pr_warn_once() while holding +kmemleak_lock in mem_pool_alloc() can cause a deadlock due to lock +inversion with the netconsole subsystem. This occurs because +pr_warn_once() may trigger netpoll, which eventually leads to +__alloc_skb() and back into kmemleak code, attempting to reacquire +kmemleak_lock. + +This is the path for the deadlock. + +mem_pool_alloc() + -> raw_spin_lock_irqsave(&kmemleak_lock, flags); + -> pr_warn_once() + -> netconsole subsystem + -> netpoll + -> __alloc_skb + -> __create_object + -> raw_spin_lock_irqsave(&kmemleak_lock, flags); + +Fix this by setting a flag and issuing the pr_warn_once() after +kmemleak_lock is released. + +Link: https://lkml.kernel.org/r/20250731-kmemleak_lock-v1-1-728fd470198f@debian.org +Fixes: c5665868183f ("mm: kmemleak: use the memory pool for early allocations") +Signed-off-by: Breno Leitao +Reported-by: Jakub Kicinski +Acked-by: Catalin Marinas +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/kmemleak.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/mm/kmemleak.c ++++ b/mm/kmemleak.c +@@ -465,6 +465,7 @@ static struct kmemleak_object *mem_pool_ + { + unsigned long flags; + struct kmemleak_object *object; ++ bool warn = false; + + /* try the slab allocator first */ + if (object_cache) { +@@ -483,8 +484,10 @@ static struct kmemleak_object *mem_pool_ + else if (mem_pool_free_count) + object = &mem_pool[--mem_pool_free_count]; + else +- pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n"); ++ warn = true; + raw_spin_unlock_irqrestore(&kmemleak_lock, flags); ++ if (warn) ++ pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n"); + + return object; + } diff --git a/queue-6.12/mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch b/queue-6.12/mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch new file mode 100644 index 0000000000..bf7a542458 --- /dev/null +++ b/queue-6.12/mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch @@ -0,0 +1,66 @@ +From d1534ae23c2b6be350c8ab060803fbf6e9682adc Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Mon, 28 Jul 2025 15:02:48 -0400 +Subject: mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() + +From: Waiman Long + +commit d1534ae23c2b6be350c8ab060803fbf6e9682adc upstream. + +A soft lockup warning was observed on a relative small system x86-64 +system with 16 GB of memory when running a debug kernel with kmemleak +enabled. + + watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134] + +The test system was running a workload with hot unplug happening in +parallel. Then kemleak decided to disable itself due to its inability to +allocate more kmemleak objects. The debug kernel has its +CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE set to 40,000. + +The soft lockup happened in kmemleak_do_cleanup() when the existing +kmemleak objects were being removed and deleted one-by-one in a loop via a +workqueue. In this particular case, there are at least 40,000 objects +that need to be processed and given the slowness of a debug kernel and the +fact that a raw_spinlock has to be acquired and released in +__delete_object(), it could take a while to properly handle all these +objects. + +As kmemleak has been disabled in this case, the object removal and +deletion process can be further optimized as locking isn't really needed. +However, it is probably not worth the effort to optimize for such an edge +case that should rarely happen. So the simple solution is to call +cond_resched() at periodic interval in the iteration loop to avoid soft +lockup. + +Link: https://lkml.kernel.org/r/20250728190248.605750-1-longman@redhat.com +Signed-off-by: Waiman Long +Acked-by: Catalin Marinas +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/kmemleak.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/mm/kmemleak.c ++++ b/mm/kmemleak.c +@@ -2107,6 +2107,7 @@ static const struct file_operations kmem + static void __kmemleak_do_cleanup(void) + { + struct kmemleak_object *object, *tmp; ++ unsigned int cnt = 0; + + /* + * Kmemleak has already been disabled, no need for RCU list traversal +@@ -2115,6 +2116,10 @@ static void __kmemleak_do_cleanup(void) + list_for_each_entry_safe(object, tmp, &object_list, object_list) { + __remove_object(object); + __delete_object(object); ++ ++ /* Call cond_resched() once per 64 iterations to avoid soft lockup */ ++ if (!(++cnt & 0x3f)) ++ cond_resched(); + } + } + diff --git a/queue-6.12/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch b/queue-6.12/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch new file mode 100644 index 0000000000..b43db9dcd1 --- /dev/null +++ b/queue-6.12/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch @@ -0,0 +1,131 @@ +From 59305202c67fea50378dcad0cc199dbc13a0e99a Mon Sep 17 00:00:00 2001 +From: Anshuman Khandual +Date: Fri, 20 Jun 2025 10:54:27 +0530 +Subject: mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() + +From: Anshuman Khandual + +commit 59305202c67fea50378dcad0cc199dbc13a0e99a upstream. + +Memory hot remove unmaps and tears down various kernel page table regions +as required. The ptdump code can race with concurrent modifications of +the kernel page tables. When leaf entries are modified concurrently, the +dump code may log stale or inconsistent information for a VA range, but +this is otherwise not harmful. + +But when intermediate levels of kernel page table are freed, the dump code +will continue to use memory that has been freed and potentially +reallocated for another purpose. In such cases, the ptdump code may +dereference bogus addresses, leading to a number of potential problems. + +To avoid the above mentioned race condition, platforms such as arm64, +riscv and s390 take memory hotplug lock, while dumping kernel page table +via the sysfs interface /sys/kernel/debug/kernel_page_tables. + +Similar race condition exists while checking for pages that might have +been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages +which in turn calls ptdump_check_wx(). Instead of solving this race +condition again, let's just move the memory hotplug lock inside generic +ptdump_check_wx() which will benefit both the scenarios. + +Drop get_online_mems() and put_online_mems() combination from all existing +platform ptdump code paths. + +Link: https://lkml.kernel.org/r/20250620052427.2092093-1-anshuman.khandual@arm.com +Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove") +Signed-off-by: Anshuman Khandual +Acked-by: David Hildenbrand +Reviewed-by: Dev Jain +Acked-by: Alexander Gordeev [s390] +Cc: Catalin Marinas +Cc: Will Deacon +Cc: Ryan Roberts +Cc: Paul Walmsley +Cc: Palmer Dabbelt +Cc: Alexander Gordeev +Cc: Gerald Schaefer +Cc: Heiko Carstens +Cc: Vasily Gorbik +Cc: Christian Borntraeger +Cc: Sven Schnelle +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/mm/ptdump_debugfs.c | 3 --- + arch/riscv/mm/ptdump.c | 3 --- + arch/s390/mm/dump_pagetables.c | 2 -- + mm/ptdump.c | 2 ++ + 4 files changed, 2 insertions(+), 8 deletions(-) + +--- a/arch/arm64/mm/ptdump_debugfs.c ++++ b/arch/arm64/mm/ptdump_debugfs.c +@@ -1,6 +1,5 @@ + // SPDX-License-Identifier: GPL-2.0 + #include +-#include + #include + + #include +@@ -9,9 +8,7 @@ static int ptdump_show(struct seq_file * + { + struct ptdump_info *info = m->private; + +- get_online_mems(); + ptdump_walk(m, info); +- put_online_mems(); + return 0; + } + DEFINE_SHOW_ATTRIBUTE(ptdump); +--- a/arch/riscv/mm/ptdump.c ++++ b/arch/riscv/mm/ptdump.c +@@ -6,7 +6,6 @@ + #include + #include + #include +-#include + #include + #include + +@@ -371,9 +370,7 @@ bool ptdump_check_wx(void) + + static int ptdump_show(struct seq_file *m, void *v) + { +- get_online_mems(); + ptdump_walk(m, m->private); +- put_online_mems(); + + return 0; + } +--- a/arch/s390/mm/dump_pagetables.c ++++ b/arch/s390/mm/dump_pagetables.c +@@ -203,11 +203,9 @@ static int ptdump_show(struct seq_file * + .marker = markers, + }; + +- get_online_mems(); + mutex_lock(&cpa_mutex); + ptdump_walk_pgd(&st.ptdump, &init_mm, NULL); + mutex_unlock(&cpa_mutex); +- put_online_mems(); + return 0; + } + DEFINE_SHOW_ATTRIBUTE(ptdump); +--- a/mm/ptdump.c ++++ b/mm/ptdump.c +@@ -153,6 +153,7 @@ void ptdump_walk_pgd(struct ptdump_state + { + const struct ptdump_range *range = st->range; + ++ get_online_mems(); + mmap_write_lock(mm); + while (range->start != range->end) { + walk_page_range_novma(mm, range->start, range->end, +@@ -160,6 +161,7 @@ void ptdump_walk_pgd(struct ptdump_state + range++; + } + mmap_write_unlock(mm); ++ put_online_mems(); + + /* Flush out the last page */ + st->note_page(st, 0, -1, 0); diff --git a/queue-6.12/mm-slab-restore-numa-policy-support-for-large-kmalloc.patch b/queue-6.12/mm-slab-restore-numa-policy-support-for-large-kmalloc.patch new file mode 100644 index 0000000000..d348ca8e54 --- /dev/null +++ b/queue-6.12/mm-slab-restore-numa-policy-support-for-large-kmalloc.patch @@ -0,0 +1,42 @@ +From e2d18cbf178775ad377ad88ee55e6e183c38d262 Mon Sep 17 00:00:00 2001 +From: Vlastimil Babka +Date: Mon, 2 Jun 2025 13:02:12 +0200 +Subject: mm, slab: restore NUMA policy support for large kmalloc + +From: Vlastimil Babka + +commit e2d18cbf178775ad377ad88ee55e6e183c38d262 upstream. + +The slab allocator observes the task's NUMA policy in various places +such as allocating slab pages. Large kmalloc() allocations used to do +that too, until an unintended change by c4cab557521a ("mm/slab_common: +cleanup kmalloc_large()") resulted in ignoring mempolicy and just +preferring the local node. Restore the NUMA policy support. + +Fixes: c4cab557521a ("mm/slab_common: cleanup kmalloc_large()") +Cc: +Acked-by: Christoph Lameter (Ampere) +Acked-by: Roman Gushchin +Reviewed-by: Harry Yoo +Signed-off-by: Vlastimil Babka +Signed-off-by: Greg Kroah-Hartman +--- + mm/slub.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -4225,7 +4225,12 @@ static void *___kmalloc_large_node(size_ + flags = kmalloc_fix_flags(flags); + + flags |= __GFP_COMP; +- folio = (struct folio *)alloc_pages_node_noprof(node, flags, order); ++ ++ if (node == NUMA_NO_NODE) ++ folio = (struct folio *)alloc_pages_noprof(flags, order); ++ else ++ folio = (struct folio *)__alloc_pages_noprof(flags, order, node, NULL); ++ + if (folio) { + ptr = folio_address(folio); + lruvec_stat_mod_folio(folio, NR_SLAB_UNRECLAIMABLE_B, diff --git a/queue-6.12/net-sched-ets-use-old-nbands-while-purging-unused-classes.patch b/queue-6.12/net-sched-ets-use-old-nbands-while-purging-unused-classes.patch new file mode 100644 index 0000000000..679eaf5bd5 --- /dev/null +++ b/queue-6.12/net-sched-ets-use-old-nbands-while-purging-unused-classes.patch @@ -0,0 +1,115 @@ +From 87c6efc5ce9c126ae4a781bc04504b83780e3650 Mon Sep 17 00:00:00 2001 +From: Davide Caratti +Date: Tue, 12 Aug 2025 18:40:29 +0200 +Subject: net/sched: ets: use old 'nbands' while purging unused classes + +From: Davide Caratti + +commit 87c6efc5ce9c126ae4a781bc04504b83780e3650 upstream. + +Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify() +after recent changes from Lion [2]. The problem is: in ets_qdisc_change() +we purge unused DWRR queues; the value of 'q->nbands' is the new one, and +the cleanup should be done with the old one. The problem is here since my +first attempts to fix ets_qdisc_change(), but it surfaced again after the +recent qdisc len accounting fixes. Fix it purging idle DWRR queues before +assigning a new value of 'q->nbands', so that all purge operations find a +consistent configuration: + + - old 'q->nbands' because it's needed by ets_class_find() + - old 'q->nstrict' because it's needed by ets_class_is_strict() + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: Oops: 0000 [#1] SMP NOPTI + CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary) + Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021 + RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80 + Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab + RSP: 0018:ffffba186009f400 EFLAGS: 00010202 + RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004 + RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000 + RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004 + R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000 + R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000 + FS: 00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + + ets_class_qlen_notify+0x65/0x90 [sch_ets] + qdisc_tree_reduce_backlog+0x74/0x110 + ets_qdisc_change+0x630/0xa40 [sch_ets] + __tc_modify_qdisc.constprop.0+0x216/0x7f0 + tc_modify_qdisc+0x7c/0x120 + rtnetlink_rcv_msg+0x145/0x3f0 + netlink_rcv_skb+0x53/0x100 + netlink_unicast+0x245/0x390 + netlink_sendmsg+0x21b/0x470 + ____sys_sendmsg+0x39d/0x3d0 + ___sys_sendmsg+0x9a/0xe0 + __sys_sendmsg+0x7a/0xd0 + do_syscall_64+0x7d/0x160 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + RIP: 0033:0x7f2155114084 + Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89 + RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084 + RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003 + RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f + R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0 + R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0 + + + [1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/ + [2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/ + +Cc: stable@vger.kernel.org +Fixes: 103406b38c60 ("net/sched: Always pass notifications when child class becomes empty") +Fixes: c062f2a0b04d ("net/sched: sch_ets: don't remove idle classes from the round-robin list") +Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc") +Reported-by: Li Shuang +Closes: https://issues.redhat.com/browse/RHEL-108026 +Reviewed-by: Petr Machata +Co-developed-by: Ivan Vecera +Signed-off-by: Ivan Vecera +Signed-off-by: Davide Caratti +Link: https://patch.msgid.link/7928ff6d17db47a2ae7cc205c44777b1f1950545.1755016081.git.dcaratti@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_ets.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/net/sched/sch_ets.c ++++ b/net/sched/sch_ets.c +@@ -651,6 +651,12 @@ static int ets_qdisc_change(struct Qdisc + + sch_tree_lock(sch); + ++ for (i = nbands; i < oldbands; i++) { ++ if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) ++ list_del_init(&q->classes[i].alist); ++ qdisc_purge_queue(q->classes[i].qdisc); ++ } ++ + WRITE_ONCE(q->nbands, nbands); + for (i = nstrict; i < q->nstrict; i++) { + if (q->classes[i].qdisc->q.qlen) { +@@ -658,11 +664,6 @@ static int ets_qdisc_change(struct Qdisc + q->classes[i].deficit = quanta[i]; + } + } +- for (i = q->nbands; i < oldbands; i++) { +- if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) +- list_del_init(&q->classes[i].alist); +- qdisc_purge_queue(q->classes[i].qdisc); +- } + WRITE_ONCE(q->nstrict, nstrict); + memcpy(q->prio2band, priomap, sizeof(priomap)); + diff --git a/queue-6.12/parisc-makefile-fix-a-typo-in-palo.conf.patch b/queue-6.12/parisc-makefile-fix-a-typo-in-palo.conf.patch new file mode 100644 index 0000000000..3e1aad747c --- /dev/null +++ b/queue-6.12/parisc-makefile-fix-a-typo-in-palo.conf.patch @@ -0,0 +1,35 @@ +From 963f1b20a8d2a098954606b9725cd54336a2a86c Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Wed, 25 Jun 2025 00:39:33 -0700 +Subject: parisc: Makefile: fix a typo in palo.conf + +From: Randy Dunlap + +commit 963f1b20a8d2a098954606b9725cd54336a2a86c upstream. + +Correct "objree" to "objtree". "objree" is not defined. + +Fixes: 75dd47472b92 ("kbuild: remove src and obj from the top Makefile") +Signed-off-by: Randy Dunlap +Cc: Masahiro Yamada +Cc: "James E.J. Bottomley" +Cc: Helge Deller +Cc: linux-parisc@vger.kernel.org +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.3+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/parisc/Makefile ++++ b/arch/parisc/Makefile +@@ -139,7 +139,7 @@ palo lifimage: vmlinuz + fi + @if test ! -f "$(PALOCONF)"; then \ + cp $(srctree)/arch/parisc/defpalo.conf $(objtree)/palo.conf; \ +- echo 'A generic palo config file ($(objree)/palo.conf) has been created for you.'; \ ++ echo 'A generic palo config file ($(objtree)/palo.conf) has been created for you.'; \ + echo 'You should check it and re-run "make palo".'; \ + echo 'WARNING: the "lifimage" file is now placed in this directory by default!'; \ + false; \ diff --git a/queue-6.12/rdma-siw-fix-the-sendmsg-byte-count-in-siw_tcp_sendpages.patch b/queue-6.12/rdma-siw-fix-the-sendmsg-byte-count-in-siw_tcp_sendpages.patch new file mode 100644 index 0000000000..ab7b73f0bc --- /dev/null +++ b/queue-6.12/rdma-siw-fix-the-sendmsg-byte-count-in-siw_tcp_sendpages.patch @@ -0,0 +1,95 @@ +From c18646248fed07683d4cee8a8af933fc4fe83c0d Mon Sep 17 00:00:00 2001 +From: Pedro Falcato +Date: Tue, 29 Jul 2025 13:03:48 +0100 +Subject: RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages + +From: Pedro Falcato + +commit c18646248fed07683d4cee8a8af933fc4fe83c0d upstream. + +Ever since commit c2ff29e99a76 ("siw: Inline do_tcp_sendpages()"), +we have been doing this: + +static int siw_tcp_sendpages(struct socket *s, struct page **page, int offset, + size_t size) +[...] + /* Calculate the number of bytes we need to push, for this page + * specifically */ + size_t bytes = min_t(size_t, PAGE_SIZE - offset, size); + /* If we can't splice it, then copy it in, as normal */ + if (!sendpage_ok(page[i])) + msg.msg_flags &= ~MSG_SPLICE_PAGES; + /* Set the bvec pointing to the page, with len $bytes */ + bvec_set_page(&bvec, page[i], bytes, offset); + /* Set the iter to $size, aka the size of the whole sendpages (!!!) */ + iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, size); +try_page_again: + lock_sock(sk); + /* Sendmsg with $size size (!!!) */ + rv = tcp_sendmsg_locked(sk, &msg, size); + +This means we've been sending oversized iov_iters and tcp_sendmsg calls +for a while. This has a been a benign bug because sendpage_ok() always +returned true. With the recent slab allocator changes being slowly +introduced into next (that disallow sendpage on large kmalloc +allocations), we have recently hit out-of-bounds crashes, due to slight +differences in iov_iter behavior between the MSG_SPLICE_PAGES and +"regular" copy paths: + +(MSG_SPLICE_PAGES) +skb_splice_from_iter + iov_iter_extract_pages + iov_iter_extract_bvec_pages + uses i->nr_segs to correctly stop in its tracks before OoB'ing everywhere + skb_splice_from_iter gets a "short" read + +(!MSG_SPLICE_PAGES) +skb_copy_to_page_nocache copy=iov_iter_count + [...] + copy_from_iter + /* this doesn't help */ + if (unlikely(iter->count < len)) + len = iter->count; + iterate_bvec + ... and we run off the bvecs + +Fix this by properly setting the iov_iter's byte count, plus sending the +correct byte count to tcp_sendmsg_locked. + +Link: https://patch.msgid.link/r/20250729120348.495568-1-pfalcato@suse.de +Cc: stable@vger.kernel.org +Fixes: c2ff29e99a76 ("siw: Inline do_tcp_sendpages()") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202507220801.50a7210-lkp@intel.com +Reviewed-by: David Howells +Signed-off-by: Pedro Falcato +Acked-by: Bernard Metzler +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/sw/siw/siw_qp_tx.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/sw/siw/siw_qp_tx.c ++++ b/drivers/infiniband/sw/siw/siw_qp_tx.c +@@ -334,18 +334,17 @@ static int siw_tcp_sendpages(struct sock + if (!sendpage_ok(page[i])) + msg.msg_flags &= ~MSG_SPLICE_PAGES; + bvec_set_page(&bvec, page[i], bytes, offset); +- iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, size); ++ iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, bytes); + + try_page_again: + lock_sock(sk); +- rv = tcp_sendmsg_locked(sk, &msg, size); ++ rv = tcp_sendmsg_locked(sk, &msg, bytes); + release_sock(sk); + + if (rv > 0) { + size -= rv; + sent += rv; + if (rv != bytes) { +- offset += rv; + bytes -= rv; + goto try_page_again; + } diff --git a/queue-6.12/series b/queue-6.12/series index b3aa5c0eac..76637ede13 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -404,3 +404,18 @@ btrfs-zoned-do-not-select-metadata-bg-as-finish-target.patch btrfs-fix-iteration-bug-in-__qgroup_excl_accounting.patch btrfs-do-not-allow-relocation-of-partially-dropped-subvolumes.patch xfs-fix-scrub-trace-with-null-pointer-in-quotacheck.patch +userfaultfd-fix-a-crash-in-uffdio_move-when-pmd-is-a-migration-entry.patch +fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch +net-sched-ets-use-old-nbands-while-purging-unused-classes.patch +hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch +parisc-makefile-fix-a-typo-in-palo.conf.patch +mm-slab-restore-numa-policy-support-for-large-kmalloc.patch +mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch +mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch +mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch +media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch +media-venus-fix-oob-read-due-to-missing-payload-bound-check.patch +media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch +media-v4l2-add-support-for-nv12m-tiled-variants-to-v4l2_format_info.patch +tools-nolibc-fix-spelling-of-fd_setbitmask-in-fd_-macros.patch +rdma-siw-fix-the-sendmsg-byte-count-in-siw_tcp_sendpages.patch diff --git a/queue-6.12/tools-nolibc-fix-spelling-of-fd_setbitmask-in-fd_-macros.patch b/queue-6.12/tools-nolibc-fix-spelling-of-fd_setbitmask-in-fd_-macros.patch new file mode 100644 index 0000000000..30cda99e42 --- /dev/null +++ b/queue-6.12/tools-nolibc-fix-spelling-of-fd_setbitmask-in-fd_-macros.patch @@ -0,0 +1,46 @@ +From a477629baa2a0e9991f640af418e8c973a1c08e3 Mon Sep 17 00:00:00 2001 +From: Willy Tarreau +Date: Thu, 19 Jun 2025 11:30:51 +0200 +Subject: tools/nolibc: fix spelling of FD_SETBITMASK in FD_* macros +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Willy Tarreau + +commit a477629baa2a0e9991f640af418e8c973a1c08e3 upstream. + +While nolibc-test does test syscalls, it doesn't test as much the rest +of the macros, and a wrong spelling of FD_SETBITMASK in commit +feaf75658783a broke programs using either FD_SET() or FD_CLR() without +being noticed. Let's fix these macros. + +Fixes: feaf75658783a ("nolibc: fix fd_set type") +Cc: stable@vger.kernel.org # v6.2+ +Acked-by: Thomas Weißschuh +Signed-off-by: Willy Tarreau +Signed-off-by: Greg Kroah-Hartman +--- + tools/include/nolibc/types.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/include/nolibc/types.h ++++ b/tools/include/nolibc/types.h +@@ -127,7 +127,7 @@ typedef struct { + int __fd = (fd); \ + if (__fd >= 0) \ + __set->fds[__fd / FD_SETIDXMASK] &= \ +- ~(1U << (__fd & FX_SETBITMASK)); \ ++ ~(1U << (__fd & FD_SETBITMASK)); \ + } while (0) + + #define FD_SET(fd, set) do { \ +@@ -144,7 +144,7 @@ typedef struct { + int __r = 0; \ + if (__fd >= 0) \ + __r = !!(__set->fds[__fd / FD_SETIDXMASK] & \ +-1U << (__fd & FD_SET_BITMASK)); \ ++1U << (__fd & FD_SETBITMASK)); \ + __r; \ + }) + diff --git a/queue-6.12/userfaultfd-fix-a-crash-in-uffdio_move-when-pmd-is-a-migration-entry.patch b/queue-6.12/userfaultfd-fix-a-crash-in-uffdio_move-when-pmd-is-a-migration-entry.patch new file mode 100644 index 0000000000..e23d8d2d92 --- /dev/null +++ b/queue-6.12/userfaultfd-fix-a-crash-in-uffdio_move-when-pmd-is-a-migration-entry.patch @@ -0,0 +1,57 @@ +From aba6faec0103ed8f169be8dce2ead41fcb689446 Mon Sep 17 00:00:00 2001 +From: Suren Baghdasaryan +Date: Wed, 6 Aug 2025 15:00:22 -0700 +Subject: userfaultfd: fix a crash in UFFDIO_MOVE when PMD is a migration entry + +From: Suren Baghdasaryan + +commit aba6faec0103ed8f169be8dce2ead41fcb689446 upstream. + +When UFFDIO_MOVE encounters a migration PMD entry, it proceeds with +obtaining a folio and accessing it even though the entry is swp_entry_t. +Add the missing check and let split_huge_pmd() handle migration entries. +While at it also remove unnecessary folio check. + +[surenb@google.com: remove extra folio check, per David] + Link: https://lkml.kernel.org/r/20250807200418.1963585-1-surenb@google.com +Link: https://lkml.kernel.org/r/20250806220022.926763-1-surenb@google.com +Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI") +Signed-off-by: Suren Baghdasaryan +Reported-by: syzbot+b446dbe27035ef6bd6c2@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/68794b5c.a70a0220.693ce.0050.GAE@google.com/ +Reviewed-by: Peter Xu +Acked-by: David Hildenbrand +Cc: Andrea Arcangeli +Cc: Lokesh Gidra +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/userfaultfd.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/mm/userfaultfd.c ++++ b/mm/userfaultfd.c +@@ -1800,13 +1800,16 @@ ssize_t move_pages(struct userfaultfd_ct + /* Check if we can move the pmd without splitting it. */ + if (move_splits_huge_pmd(dst_addr, src_addr, src_start + len) || + !pmd_none(dst_pmdval)) { +- struct folio *folio = pmd_folio(*src_pmd); ++ /* Can be a migration entry */ ++ if (pmd_present(*src_pmd)) { ++ struct folio *folio = pmd_folio(*src_pmd); + +- if (!folio || (!is_huge_zero_folio(folio) && +- !PageAnonExclusive(&folio->page))) { +- spin_unlock(ptl); +- err = -EBUSY; +- break; ++ if (!is_huge_zero_folio(folio) && ++ !PageAnonExclusive(&folio->page)) { ++ spin_unlock(ptl); ++ err = -EBUSY; ++ break; ++ } + } + + spin_unlock(ptl);