From: Greg Kroah-Hartman Date: Thu, 11 Sep 2025 12:49:32 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.10.244~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=95fe9a1c922aa75917471a53db38b971bc16130f;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: kunit-kasan_test-disable-fortify-string-checker-on-kasan_strings-test.patch media-i2c-imx214-fix-link-frequency-validation.patch media-mtk-vcodec-venc-avoid-wenum-compare-conditional-warning.patch mm-introduce-and-use-pgd-p4d-_populate_kernel.patch mm-rmap-reject-hugetlb-folios-in-folio_make_device_exclusive.patch net-fix-null-ptr-deref-by-sock_lock_init_class_and_name-and-rmmod.patch tracing-do-not-add-length-to-print-format-in-synthetic-events.patch --- diff --git a/queue-5.15/kunit-kasan_test-disable-fortify-string-checker-on-kasan_strings-test.patch b/queue-5.15/kunit-kasan_test-disable-fortify-string-checker-on-kasan_strings-test.patch new file mode 100644 index 0000000000..8fde135279 --- /dev/null +++ b/queue-5.15/kunit-kasan_test-disable-fortify-string-checker-on-kasan_strings-test.patch 
@@ -0,0 +1,57 @@ +From 7a19afee6fb39df63ddea7ce78976d8c521178c6 Mon Sep 17 00:00:00 2001 +From: Yeoreum Yun +Date: Fri, 1 Aug 2025 13:02:36 +0100 +Subject: kunit: kasan_test: disable fortify string checker on kasan_strings() test + +From: Yeoreum Yun + +commit 7a19afee6fb39df63ddea7ce78976d8c521178c6 upstream. + +Similar to commit 09c6304e38e4 ("kasan: test: fix compatibility with +FORTIFY_SOURCE") the kernel is panicing in kasan_string(). + +This is due to the `src` and `ptr` not being hidden from the optimizer +which would disable the runtime fortify string checker. + +Call trace: + __fortify_panic+0x10/0x20 (P) + kasan_strings+0x980/0x9b0 + kunit_try_run_case+0x68/0x190 + kunit_generic_run_threadfn_adapter+0x34/0x68 + kthread+0x1c4/0x228 + ret_from_fork+0x10/0x20 + Code: d503233f a9bf7bfd 910003fd 9424b243 (d4210000) + ---[ end trace 0000000000000000 ]--- + note: kunit_try_catch[128] exited with irqs disabled + note: kunit_try_catch[128] exited with preempt_count 1 + # kasan_strings: try faulted: last +** replaying previous printk message ** + # kasan_strings: try faulted: last line seen mm/kasan/kasan_test_c.c:1600 + # kasan_strings: internal error occurred preventing test case from running: -4 + +Link: https://lkml.kernel.org/r/20250801120236.2962642-1-yeoreum.yun@arm.com +Fixes: 73228c7ecc5e ("KASAN: port KASAN Tests to KUnit") +Signed-off-by: Yeoreum Yun +Cc: Alexander Potapenko +Cc: Andrey Konovalov +Cc: Andrey Ryabinin +Cc: Dmitriy Vyukov +Cc: Vincenzo Frascino +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Yeoreum Yun +Signed-off-by: Greg Kroah-Hartman +--- + lib/test_kasan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/lib/test_kasan.c ++++ b/lib/test_kasan.c +@@ -917,6 +917,7 @@ static void kasan_strings(struct kunit * + + ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); ++ OPTIMIZER_HIDE_VAR(ptr); + + kfree(ptr); + 
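Review bot: the commit message talks about hiding both `src` and `ptr` and cites mm/kasan/kasan_test_c.c:1600, but this 5.15 hunk touches lib/test_kasan.c and adds only `OPTIMIZER_HIDE_VAR(ptr);` (diffstat: 1 insertion), because the 5.15 kasan_strings() has no `src` buffer at this point. Since the other patches in this batch carry a bracketed backport remark (e.g. "[ Adapted file path ]"), add one here too, such as "[ 5.15 has no src buffer in kasan_strings(), only ptr is hidden ]", so a reader does not go looking for a missing second hunk.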
diff --git a/queue-5.15/media-i2c-imx214-fix-link-frequency-validation.patch b/queue-5.15/media-i2c-imx214-fix-link-frequency-validation.patch new file mode 100644 index 0000000000..1ea9f65458 --- /dev/null +++ b/queue-5.15/media-i2c-imx214-fix-link-frequency-validation.patch 
@@ -0,0 +1,90 @@ +From stable+bounces-178965-greg=kroah.com@vger.kernel.org Mon Sep 8 22:47:00 2025 +From: Sasha Levin +Date: Mon, 8 Sep 2025 16:46:50 -0400 +Subject: media: i2c: imx214: Fix link frequency validation +To: stable@vger.kernel.org +Cc: "André Apitzsch" , "Ricardo Ribalda" , "Sakari Ailus" , "Hans Verkuil" , "Sasha Levin" +Message-ID: <20250908204650.2336993-1-sashal@kernel.org> + +From: André Apitzsch + +[ Upstream commit acc294519f1749041e1b8c74d46bbf6c57d8b061 ] + +The driver defines IMX214_DEFAULT_LINK_FREQ 480000000, and then +IMX214_DEFAULT_PIXEL_RATE ((IMX214_DEFAULT_LINK_FREQ * 8LL) / 10), +which works out as 384MPix/s. (The 8 is 4 lanes and DDR.) + +Parsing the PLL registers with the defined 24MHz input. We're in single +PLL mode, so MIPI frequency is directly linked to pixel rate. VTCK ends +up being 1200MHz, and VTPXCK and OPPXCK both are 120MHz. Section 5.3 +"Frame rate calculation formula" says "Pixel rate +[pixels/s] = VTPXCK [MHz] * 4", so 120 * 4 = 480MPix/s, which basically +agrees with my number above. + +3.1.4. MIPI global timing setting says "Output bitrate = OPPXCK * reg +0x113[7:0]", so 120MHz * 10, or 1200Mbit/s. That would be a link +frequency of 600MHz due to DDR. +That also matches to 480MPix/s * 10bpp / 4 lanes / 2 for DDR. + +Keep the previous link frequency for backward compatibility. 
+ +Acked-by: Ricardo Ribalda +Signed-off-by: André Apitzsch +Fixes: 436190596241 ("media: imx214: Add imx214 camera sensor driver") +Cc: stable@vger.kernel.org +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +[ changed dev_err() to dev_err_probe() for the final error case ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/imx214.c | 27 +++++++++++++++++++-------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +--- a/drivers/media/i2c/imx214.c ++++ b/drivers/media/i2c/imx214.c +@@ -20,7 +20,9 @@ + #include + + #define IMX214_DEFAULT_CLK_FREQ 24000000 +-#define IMX214_DEFAULT_LINK_FREQ 480000000 ++#define IMX214_DEFAULT_LINK_FREQ 600000000 ++/* Keep wrong link frequency for backward compatibility */ ++#define IMX214_DEFAULT_LINK_FREQ_LEGACY 480000000 + #define IMX214_DEFAULT_PIXEL_RATE ((IMX214_DEFAULT_LINK_FREQ * 8LL) / 10) + #define IMX214_FPS 30 + #define IMX214_MBUS_CODE MEDIA_BUS_FMT_SRGGB10_1X10 +@@ -892,17 +894,26 @@ static int imx214_parse_fwnode(struct de + goto done; + } + +- for (i = 0; i < bus_cfg.nr_of_link_frequencies; i++) ++ if (bus_cfg.nr_of_link_frequencies != 1) ++ dev_warn(dev, "Only one link-frequency supported, please review your DT. Continuing anyway\n"); ++ ++ for (i = 0; i < bus_cfg.nr_of_link_frequencies; i++) { + if (bus_cfg.link_frequencies[i] == IMX214_DEFAULT_LINK_FREQ) + break; +- +- if (i == bus_cfg.nr_of_link_frequencies) { +- dev_err(dev, "link-frequencies %d not supported, Please review your DT\n", +- IMX214_DEFAULT_LINK_FREQ); +- ret = -EINVAL; +- goto done; ++ if (bus_cfg.link_frequencies[i] == ++ IMX214_DEFAULT_LINK_FREQ_LEGACY) { ++ dev_warn(dev, ++ "link-frequencies %d not supported, please review your DT. 
Continuing anyway\n", ++ IMX214_DEFAULT_LINK_FREQ); ++ break; ++ } + } + ++ if (i == bus_cfg.nr_of_link_frequencies) ++ ret = dev_err_probe(dev, -EINVAL, ++ "link-frequencies %d not supported, please review your DT\n", ++ IMX214_DEFAULT_LINK_FREQ); ++ + done: + v4l2_fwnode_endpoint_free(&bus_cfg); + fwnode_handle_put(endpoint); diff --git a/queue-5.15/media-mtk-vcodec-venc-avoid-wenum-compare-conditional-warning.patch b/queue-5.15/media-mtk-vcodec-venc-avoid-wenum-compare-conditional-warning.patch new file mode 100644 index 0000000000..1d1d2b7d68 --- /dev/null +++ b/queue-5.15/media-mtk-vcodec-venc-avoid-wenum-compare-conditional-warning.patch 
@@ -0,0 +1,49 @@ +From stable+bounces-178972-greg=kroah.com@vger.kernel.org Mon Sep 8 23:11:01 2025 +From: Sasha Levin +Date: Mon, 8 Sep 2025 17:10:54 -0400 +Subject: media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning +To: stable@vger.kernel.org +Cc: Arnd Bergmann , Nathan Chancellor , Alexandre Courbot , Hans Verkuil , Sasha Levin +Message-ID: <20250908211054.2351463-1-sashal@kernel.org> + +From: Arnd Bergmann + +[ Upstream commit 07df4f23ef3ffe6fee697cd2e03623ad27108843 ] + +This is one of three clang warnings about incompatible enum types +in a conditional expression: + +drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c:597:29: error: conditional expression between different enumeration types ('enum scp_ipi_id' and 'enum ipi_id') [-Werror,-Wenum-compare-conditional] + 597 | inst->vpu_inst.id = is_ext ? SCP_IPI_VENC_H264 : IPI_VENC_H264; + | ^ ~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ + +The code is correct, so just rework it to avoid the warning. + +Fixes: 0dc4b3286125 ("media: mtk-vcodec: venc: support SCP firmware") +Cc: stable@vger.kernel.org +Signed-off-by: Arnd Bergmann +Reviewed-by: Nathan Chancellor +Reviewed-by: Alexandre Courbot +Signed-off-by: Hans Verkuil +[ Adapted file path ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/mtk-vcodec/venc/venc_h264_if.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/mtk-vcodec/venc/venc_h264_if.c ++++ b/drivers/media/platform/mtk-vcodec/venc/venc_h264_if.c +@@ -513,7 +513,11 @@ static int h264_enc_init(struct mtk_vcod + + inst->ctx = ctx; + inst->vpu_inst.ctx = ctx; +- inst->vpu_inst.id = is_ext ? SCP_IPI_VENC_H264 : IPI_VENC_H264; ++ if (is_ext) ++ inst->vpu_inst.id = SCP_IPI_VENC_H264; ++ else ++ inst->vpu_inst.id = IPI_VENC_H264; ++ + inst->hw_base = mtk_vcodec_get_reg_addr(inst->ctx, VENC_SYS); + + mtk_vcodec_debug_enter(inst); 
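Review bot: the if/else that replaces the ternary in h264_enc_init() carries no comment explaining why it is written that way, and the commit message itself states the original code was correct and the rewrite only silences clang's -Wenum-compare-conditional (the two constants are from `enum scp_ipi_id` and `enum ipi_id`). A one-line comment above `if (is_ext)` saying the split is deliberate would keep a later cleanup from folding it back into `is_ext ? SCP_IPI_VENC_H264 : IPI_VENC_H264` and reintroducing the warning.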
diff --git a/queue-5.15/mm-introduce-and-use-pgd-p4d-_populate_kernel.patch b/queue-5.15/mm-introduce-and-use-pgd-p4d-_populate_kernel.patch new file mode 100644 index 0000000000..50b1384bce --- /dev/null +++ b/queue-5.15/mm-introduce-and-use-pgd-p4d-_populate_kernel.patch 
@@ -0,0 +1,258 @@ +From f2d2f9598ebb0158a3fe17cda0106d7752e654a2 Mon Sep 17 00:00:00 2001 +From: Harry Yoo +Date: Mon, 18 Aug 2025 11:02:05 +0900 +Subject: mm: introduce and use {pgd,p4d}_populate_kernel() + +From: Harry Yoo + +commit f2d2f9598ebb0158a3fe17cda0106d7752e654a2 upstream. + +Introduce and use {pgd,p4d}_populate_kernel() in core MM code when +populating PGD and P4D entries for the kernel address space. These +helpers ensure proper synchronization of page tables when updating the +kernel portion of top-level page tables. + +Until now, the kernel has relied on each architecture to handle +synchronization of top-level page tables in an ad-hoc manner. For +example, see commit 9b861528a801 ("x86-64, mem: Update all PGDs for direct +mapping and vmemmap mapping changes"). + +However, this approach has proven fragile for following reasons: + + 1) It is easy to forget to perform the necessary page table + synchronization when introducing new changes. + For instance, commit 4917f55b4ef9 ("mm/sparse-vmemmap: improve memory + savings for compound devmaps") overlooked the need to synchronize + page tables for the vmemmap area. + + 2) It is also easy to overlook that the vmemmap and direct mapping areas + must not be accessed before explicit page table synchronization. + For example, commit 8d400913c231 ("x86/vmemmap: handle unpopulated + sub-pmd ranges")) caused crashes by accessing the vmemmap area + before calling sync_global_pgds(). + +To address this, as suggested by Dave Hansen, introduce _kernel() variants +of the page table population helpers, which invoke architecture-specific +hooks to properly synchronize page tables. These are introduced in a new +header file, include/linux/pgalloc.h, so they can be called from common +code. + +They reuse existing infrastructure for vmalloc and ioremap. +Synchronization requirements are determined by ARCH_PAGE_TABLE_SYNC_MASK, +and the actual synchronization is performed by +arch_sync_kernel_mappings(). 
+ +This change currently targets only x86_64, so only PGD and P4D level +helpers are introduced. Currently, these helpers are no-ops since no +architecture sets PGTBL_{PGD,P4D}_MODIFIED in ARCH_PAGE_TABLE_SYNC_MASK. + +In theory, PUD and PMD level helpers can be added later if needed by other +architectures. For now, 32-bit architectures (x86-32 and arm) only handle +PGTBL_PMD_MODIFIED, so p*d_populate_kernel() will never affect them unless +we introduce a PMD level helper. + +[harry.yoo@oracle.com: fix KASAN build error due to p*d_populate_kernel()] + Link: https://lkml.kernel.org/r/20250822020727.202749-1-harry.yoo@oracle.com +Link: https://lkml.kernel.org/r/20250818020206.4517-3-harry.yoo@oracle.com +Fixes: 8d400913c231 ("x86/vmemmap: handle unpopulated sub-pmd ranges") +Signed-off-by: Harry Yoo +Suggested-by: Dave Hansen +Acked-by: Kiryl Shutsemau +Reviewed-by: Mike Rapoport (Microsoft) +Reviewed-by: Lorenzo Stoakes +Acked-by: David Hildenbrand +Cc: Alexander Potapenko +Cc: Alistair Popple +Cc: Andrey Konovalov +Cc: Andrey Ryabinin +Cc: Andy Lutomirski +Cc: "Aneesh Kumar K.V" +Cc: Anshuman Khandual +Cc: Ard Biesheuvel +Cc: Arnd Bergmann +Cc: bibo mao +Cc: Borislav Betkov +Cc: Christoph Lameter (Ampere) +Cc: Dennis Zhou +Cc: Dev Jain +Cc: Dmitriy Vyukov +Cc: Gwan-gyeong Mun +Cc: Ingo Molnar +Cc: Jane Chu +Cc: Joao Martins +Cc: Joerg Roedel +Cc: John Hubbard +Cc: Kevin Brodsky +Cc: Liam Howlett +Cc: Michal Hocko +Cc: Oscar Salvador +Cc: Peter Xu +Cc: Peter Zijlstra +Cc: Qi Zheng +Cc: Ryan Roberts +Cc: Suren Baghdasaryan +Cc: Tejun Heo +Cc: Thomas Gleinxer +Cc: Thomas Huth +Cc: "Uladzislau Rezki (Sony)" +Cc: Vincenzo Frascino +Cc: Vlastimil Babka +Cc: +Signed-off-by: Andrew Morton +[ Adjust context. 
mm/percpu.c is untouched because there is no generic + pcpu_populate_pte() implementation in 5.15.y ] +Signed-off-by: Harry Yoo +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/pgalloc.h | 29 +++++++++++++++++++++++++++++ + include/linux/pgtable.h | 13 +++++++------ + mm/kasan/init.c | 12 ++++++------ + mm/sparse-vmemmap.c | 6 +++--- + 4 files changed, 45 insertions(+), 15 deletions(-) + create mode 100644 include/linux/pgalloc.h + +--- /dev/null ++++ b/include/linux/pgalloc.h +@@ -0,0 +1,29 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef _LINUX_PGALLOC_H ++#define _LINUX_PGALLOC_H ++ ++#include ++#include ++ ++/* ++ * {pgd,p4d}_populate_kernel() are defined as macros to allow ++ * compile-time optimization based on the configured page table levels. ++ * Without this, linking may fail because callers (e.g., KASAN) may rely ++ * on calls to these functions being optimized away when passing symbols ++ * that exist only for certain page table levels. ++ */ ++#define pgd_populate_kernel(addr, pgd, p4d) \ ++ do { \ ++ pgd_populate(&init_mm, pgd, p4d); \ ++ if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_PGD_MODIFIED) \ ++ arch_sync_kernel_mappings(addr, addr); \ ++ } while (0) ++ ++#define p4d_populate_kernel(addr, p4d, pud) \ ++ do { \ ++ p4d_populate(&init_mm, p4d, pud); \ ++ if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_P4D_MODIFIED) \ ++ arch_sync_kernel_mappings(addr, addr); \ ++ } while (0) ++ ++#endif /* _LINUX_PGALLOC_H */ +--- a/include/linux/pgtable.h ++++ b/include/linux/pgtable.h +@@ -1382,8 +1382,8 @@ static inline int pmd_protnone(pmd_t pmd + + /* + * Architectures can set this mask to a combination of PGTBL_P?D_MODIFIED values +- * and let generic vmalloc and ioremap code know when arch_sync_kernel_mappings() +- * needs to be called. ++ * and let generic vmalloc, ioremap and page table update code know when ++ * arch_sync_kernel_mappings() needs to be called. 
+ */ + #ifndef ARCH_PAGE_TABLE_SYNC_MASK + #define ARCH_PAGE_TABLE_SYNC_MASK 0 +@@ -1522,10 +1522,11 @@ static inline bool arch_has_pfn_modify_c + /* + * Page Table Modification bits for pgtbl_mod_mask. + * +- * These are used by the p?d_alloc_track*() set of functions an in the generic +- * vmalloc/ioremap code to track at which page-table levels entries have been +- * modified. Based on that the code can better decide when vmalloc and ioremap +- * mapping changes need to be synchronized to other page-tables in the system. ++ * These are used by the p?d_alloc_track*() and p*d_populate_kernel() ++ * functions in the generic vmalloc, ioremap and page table update code ++ * to track at which page-table levels entries have been modified. ++ * Based on that the code can better decide when page table changes need ++ * to be synchronized to other page-tables in the system. + */ + #define __PGTBL_PGD_MODIFIED 0 + #define __PGTBL_P4D_MODIFIED 1 +--- a/mm/kasan/init.c ++++ b/mm/kasan/init.c +@@ -13,9 +13,9 @@ + #include + #include + #include ++#include + + #include +-#include + + #include "kasan.h" + +@@ -188,7 +188,7 @@ static int __ref zero_p4d_populate(pgd_t + pud_t *pud; + pmd_t *pmd; + +- p4d_populate(&init_mm, p4d, ++ p4d_populate_kernel(addr, p4d, + lm_alias(kasan_early_shadow_pud)); + pud = pud_offset(p4d, addr); + pud_populate(&init_mm, pud, +@@ -207,7 +207,7 @@ static int __ref zero_p4d_populate(pgd_t + if (!p) + return -ENOMEM; + } else { +- p4d_populate(&init_mm, p4d, ++ p4d_populate_kernel(addr, p4d, + early_alloc(PAGE_SIZE, NUMA_NO_NODE)); + } + } +@@ -247,10 +247,10 @@ int __ref kasan_populate_early_shadow(co + * puds,pmds, so pgd_populate(), pud_populate() + * is noops. 
+ */ +- pgd_populate(&init_mm, pgd, ++ pgd_populate_kernel(addr, pgd, + lm_alias(kasan_early_shadow_p4d)); + p4d = p4d_offset(pgd, addr); +- p4d_populate(&init_mm, p4d, ++ p4d_populate_kernel(addr, p4d, + lm_alias(kasan_early_shadow_pud)); + pud = pud_offset(p4d, addr); + pud_populate(&init_mm, pud, +@@ -269,7 +269,7 @@ int __ref kasan_populate_early_shadow(co + if (!p) + return -ENOMEM; + } else { +- pgd_populate(&init_mm, pgd, ++ pgd_populate_kernel(addr, pgd, + early_alloc(PAGE_SIZE, NUMA_NO_NODE)); + } + } +--- a/mm/sparse-vmemmap.c ++++ b/mm/sparse-vmemmap.c +@@ -29,9 +29,9 @@ + #include + #include + #include ++#include + + #include +-#include + #include + + /** +@@ -553,7 +553,7 @@ p4d_t * __meminit vmemmap_p4d_populate(p + void *p = vmemmap_alloc_block_zero(PAGE_SIZE, node); + if (!p) + return NULL; +- p4d_populate(&init_mm, p4d, p); ++ p4d_populate_kernel(addr, p4d, p); + } + return p4d; + } +@@ -565,7 +565,7 @@ pgd_t * __meminit vmemmap_pgd_populate(u + void *p = vmemmap_alloc_block_zero(PAGE_SIZE, node); + if (!p) + return NULL; +- pgd_populate(&init_mm, pgd, p); ++ pgd_populate_kernel(addr, pgd, p); + } + return pgd; + } diff --git a/queue-5.15/mm-rmap-reject-hugetlb-folios-in-folio_make_device_exclusive.patch b/queue-5.15/mm-rmap-reject-hugetlb-folios-in-folio_make_device_exclusive.patch new file mode 100644 index 0000000000..f13fc6e0ec --- /dev/null +++ b/queue-5.15/mm-rmap-reject-hugetlb-folios-in-folio_make_device_exclusive.patch 
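Review bot: the new `pgd_populate_kernel()` and `p4d_populate_kernel()` macros in include/linux/pgalloc.h use their parameters unparenthesized (`pgd_populate(&init_mm, pgd, p4d)`, `arch_sync_kernel_mappings(addr, addr)`) and evaluate `addr` twice; every caller in this patch (mm/kasan/init.c, mm/sparse-vmemmap.c) passes plain identifiers, so this is safe as written, but wrapping them as `(addr)`, `(pgd)`, `(p4d)` is the usual kernel macro hygiene and costs nothing. Separately, `arch_sync_kernel_mappings(addr, addr)` hands the arch hook a zero-length range and so depends on the implementation treating the single address as "the top-level entry containing addr"; a short comment in pgalloc.h stating that expectation would help anyone wiring up PGTBL_{PGD,P4D}_MODIFIED for another architecture, which the commit message says none currently sets.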
@@ -0,0 +1,71 @@ +From stable+bounces-178815-greg=kroah.com@vger.kernel.org Mon Sep 8 00:26:33 2025 +From: Sasha Levin +Date: Sun, 7 Sep 2025 18:26:20 -0400 +Subject: mm/rmap: reject hugetlb folios in folio_make_device_exclusive() +To: stable@vger.kernel.org +Cc: David Hildenbrand , Alistair Popple , Alex Shi , Danilo Krummrich , Dave Airlie , Jann Horn , Jason Gunthorpe , Jerome Glisse , John Hubbard , Jonathan Corbet , Karol Herbst , Liam Howlett , Lorenzo Stoakes , Lyude , "Masami Hiramatsu (Google)" , Oleg Nesterov , Pasha Tatashin , Peter Xu , "Peter Zijlstra (Intel)" , SeongJae Park , Simona Vetter , Vlastimil Babka , Yanteng Si , Barry Song , Andrew Morton , Sasha Levin +Message-ID: <20250907222620.932696-1-sashal@kernel.org> + +From: David Hildenbrand + +[ Upstream commit bc3fe6805cf09a25a086573a17d40e525208c5d8 ] + +Even though FOLL_SPLIT_PMD on hugetlb now always fails with -EOPNOTSUPP, +let's add a safety net in case FOLL_SPLIT_PMD usage would ever be +reworked. + +In particular, before commit 9cb28da54643 ("mm/gup: handle hugetlb in the +generic follow_page_mask code"), GUP(FOLL_SPLIT_PMD) would just have +returned a page. In particular, hugetlb folios that are not PMD-sized +would never have been prone to FOLL_SPLIT_PMD. + +hugetlb folios can be anonymous, and page_make_device_exclusive_one() is +not really prepared for handling them at all. So let's spell that out. 
+ +Link: https://lkml.kernel.org/r/20250210193801.781278-3-david@redhat.com +Fixes: b756a3b5e7ea ("mm: device exclusive memory access") +Signed-off-by: David Hildenbrand +Reviewed-by: Alistair Popple +Tested-by: Alistair Popple +Cc: Alex Shi +Cc: Danilo Krummrich +Cc: Dave Airlie +Cc: Jann Horn +Cc: Jason Gunthorpe +Cc: Jerome Glisse +Cc: John Hubbard +Cc: Jonathan Corbet +Cc: Karol Herbst +Cc: Liam Howlett +Cc: Lorenzo Stoakes +Cc: Lyude +Cc: "Masami Hiramatsu (Google)" +Cc: Oleg Nesterov +Cc: Pasha Tatashin +Cc: Peter Xu +Cc: Peter Zijlstra (Intel) +Cc: SeongJae Park +Cc: Simona Vetter +Cc: Vlastimil Babka +Cc: Yanteng Si +Cc: Barry Song +Cc: +Signed-off-by: Andrew Morton +[ folio_test_hugetlb() => PageHuge() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/rmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/rmap.c ++++ b/mm/rmap.c +@@ -2184,7 +2184,7 @@ static bool page_make_device_exclusive(s + * issues. Also tail pages shouldn't be passed to rmap_walk so skip + * those. + */ +- if (!PageAnon(page) || PageTail(page)) ++ if (!PageAnon(page) || PageTail(page) || PageHuge(page)) + return false; + + rmap_walk(page, &rwc); diff --git a/queue-5.15/net-fix-null-ptr-deref-by-sock_lock_init_class_and_name-and-rmmod.patch b/queue-5.15/net-fix-null-ptr-deref-by-sock_lock_init_class_and_name-and-rmmod.patch new file mode 100644 index 0000000000..003f78ece5 --- /dev/null +++ b/queue-5.15/net-fix-null-ptr-deref-by-sock_lock_init_class_and_name-and-rmmod.patch 
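Review bot: the comment block directly above the changed condition in page_make_device_exclusive() still only explains the PageAnon and PageTail checks ("Also tail pages shouldn't be passed to rmap_walk so skip those."), while the hunk now also rejects `PageHuge(page)`. Since the rationale (page_make_device_exclusive_one() is not prepared for hugetlb folios, and FOLL_SPLIT_PMD on hugetlb now fails anyway) lives only in the commit message, extend that comment with one sentence saying hugetlb pages are rejected for the same reason, so the check is not "cleaned up" later.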
@@ -0,0 +1,275 @@ +From stable+bounces-178959-greg=kroah.com@vger.kernel.org Mon Sep 8 21:48:19 2025 +From: Sasha Levin +Date: Mon, 8 Sep 2025 15:48:11 -0400 +Subject: net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. +To: stable@vger.kernel.org +Cc: Kuniyuki Iwashima , Jakub Kicinski , Sasha Levin +Message-ID: <20250908194811.2306166-1-sashal@kernel.org> + +From: Kuniyuki Iwashima + +[ Upstream commit 0bb2f7a1ad1f11d861f58e5ee5051c8974ff9569 ] + +When I ran the repro [0] and waited a few seconds, I observed two +LOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1] + +Reproduction Steps: + + 1) Mount CIFS + 2) Add an iptables rule to drop incoming FIN packets for CIFS + 3) Unmount CIFS + 4) Unload the CIFS module + 5) Remove the iptables rule + +At step 3), the CIFS module calls sock_release() for the underlying +TCP socket, and it returns quickly. However, the socket remains in +FIN_WAIT_1 because incoming FIN packets are dropped. + +At this point, the module's refcnt is 0 while the socket is still +alive, so the following rmmod command succeeds. + + # ss -tan + State Recv-Q Send-Q Local Address:Port Peer Address:Port + FIN-WAIT-1 0 477 10.0.2.15:51062 10.0.0.137:445 + + # lsmod | grep cifs + cifs 1159168 0 + +This highlights a discrepancy between the lifetime of the CIFS module +and the underlying TCP socket. Even after CIFS calls sock_release() +and it returns, the TCP socket does not die immediately in order to +close the connection gracefully. + +While this is generally fine, it causes an issue with LOCKDEP because +CIFS assigns a different lock class to the TCP socket's sk->sk_lock +using sock_lock_init_class_and_name(). + +Once an incoming packet is processed for the socket or a timer fires, +sk->sk_lock is acquired. + +Then, LOCKDEP checks the lock context in check_wait_context(), where +hlock_class() is called to retrieve the lock class. 
However, since +the module has already been unloaded, hlock_class() logs a warning +and returns NULL, triggering the null-ptr-deref. + +If LOCKDEP is enabled, we must ensure that a module calling +sock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded +while such a socket is still alive to prevent this issue. + +Let's hold the module reference in sock_lock_init_class_and_name() +and release it when the socket is freed in sk_prot_free(). + +Note that sock_lock_init() clears sk->sk_owner for svc_create_socket() +that calls sock_lock_init_class_and_name() for a listening socket, +which clones a socket by sk_clone_lock() without GFP_ZERO. + +[0]: +CIFS_SERVER="10.0.0.137" +CIFS_PATH="//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST" +DEV="enp0s3" +CRED="/root/WindowsCredential.txt" + +MNT=$(mktemp -d /tmp/XXXXXX) +mount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1 + +iptables -A INPUT -s ${CIFS_SERVER} -j DROP + +for i in $(seq 10); +do + umount ${MNT} + rmmod cifs + sleep 1 +done + +rm -r ${MNT} + +iptables -D INPUT -s ${CIFS_SERVER} -j DROP + +[1]: +DEBUG_LOCKS_WARN_ON(1) +WARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) +Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] +CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +RIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) +... +Call Trace: + + __lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178) + lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816) + _raw_spin_lock_nested (kernel/locking/spinlock.c:379) + tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350) +... 
+ +BUG: kernel NULL pointer dereference, address: 00000000000000c4 + PF: supervisor read access in kernel mode + PF: error_code(0x0000) - not-present page +PGD 0 +Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI +CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G W 6.14.0 #36 +Tainted: [W]=WARN +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +RIP: 0010:__lock_acquire (kernel/locking/lockdep.c:4852 kernel/locking/lockdep.c:5178) +Code: 15 41 09 c7 41 8b 44 24 20 25 ff 1f 00 00 41 09 c7 8b 84 24 a0 00 00 00 45 89 7c 24 20 41 89 44 24 24 e8 e1 bc ff ff 4c 89 e7 <44> 0f b6 b8 c4 00 00 00 e8 d1 bc ff ff 0f b6 80 c5 00 00 00 88 44 +RSP: 0018:ffa0000000468a10 EFLAGS: 00010046 +RAX: 0000000000000000 RBX: ff1100010091cc38 RCX: 0000000000000027 +RDX: ff1100081f09ca48 RSI: 0000000000000001 RDI: ff1100010091cc88 +RBP: ff1100010091c200 R08: ff1100083fe6e228 R09: 00000000ffffbfff +R10: ff1100081eca0000 R11: ff1100083fe10dc0 R12: ff1100010091cc88 +R13: 0000000000000001 R14: 0000000000000000 R15: 00000000000424b1 +FS: 0000000000000000(0000) GS:ff1100081f080000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000000000c4 CR3: 0000000002c4a003 CR4: 0000000000771ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + + lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816) + _raw_spin_lock_nested (kernel/locking/spinlock.c:379) + tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350) + ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1)) + ip_local_deliver_finish (./include/linux/rcupdate.h:878 net/ipv4/ip_input.c:234) + ip_sublist_rcv_finish (net/ipv4/ip_input.c:576) + ip_list_rcv_finish (net/ipv4/ip_input.c:628) + ip_list_rcv (net/ipv4/ip_input.c:670) + 
__netif_receive_skb_list_core (net/core/dev.c:5939 net/core/dev.c:5986) + netif_receive_skb_list_internal (net/core/dev.c:6040 net/core/dev.c:6129) + napi_complete_done (./include/linux/list.h:37 ./include/net/gro.h:519 ./include/net/gro.h:514 net/core/dev.c:6496) + e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3815) + __napi_poll.constprop.0 (net/core/dev.c:7191) + net_rx_action (net/core/dev.c:7262 net/core/dev.c:7382) + handle_softirqs (kernel/softirq.c:561) + __irq_exit_rcu (kernel/softirq.c:596 kernel/softirq.c:435 kernel/softirq.c:662) + irq_exit_rcu (kernel/softirq.c:680) + common_interrupt (arch/x86/kernel/irq.c:280 (discriminator 14)) + + + asm_common_interrupt (./arch/x86/include/asm/idtentry.h:693) +RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:744) +Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d c3 2b 15 00 fb f4 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 +RSP: 0018:ffa00000000ffee8 EFLAGS: 00000202 +RAX: 000000000000640b RBX: ff1100010091c200 RCX: 0000000000061aa4 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff812f30c5 +RBP: 000000000000000a R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000002 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + ? 
do_idle (kernel/sched/idle.c:186 kernel/sched/idle.c:325) + default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) + do_idle (kernel/sched/idle.c:186 kernel/sched/idle.c:325) + cpu_startup_entry (kernel/sched/idle.c:422 (discriminator 1)) + start_secondary (arch/x86/kernel/smpboot.c:315) + common_startup_64 (arch/x86/kernel/head_64.S:421) + +Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] +CR2: 00000000000000c4 + +Fixes: ed07536ed673 ("[PATCH] lockdep: annotate nfs/nfsd in-kernel sockets") +Signed-off-by: Kuniyuki Iwashima +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250407163313.22682-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +[ no ns_tracker and sk_user_frags fields ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sock.h | 40 ++++++++++++++++++++++++++++++++++++++-- + net/core/sock.c | 5 +++++ + 2 files changed, 43 insertions(+), 2 deletions(-) + +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -349,6 +349,8 @@ struct bpf_local_storage; + * @sk_txtime_deadline_mode: set deadline mode for SO_TXTIME + * @sk_txtime_report_errors: set report errors mode for SO_TXTIME + * @sk_txtime_unused: unused txtime flags ++ * @sk_owner: reference to the real owner of the socket that calls ++ * sock_lock_init_class_and_name(). 
+ */ + struct sock { + /* +@@ -537,6 +539,10 @@ struct sock { + struct bpf_local_storage __rcu *sk_bpf_storage; + #endif + struct rcu_head sk_rcu; ++ ++#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES) ++ struct module *sk_owner; ++#endif + }; + + enum sk_pacing { +@@ -1662,6 +1668,35 @@ static inline void sock_release_ownershi + } + } + ++#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES) ++static inline void sk_owner_set(struct sock *sk, struct module *owner) ++{ ++ __module_get(owner); ++ sk->sk_owner = owner; ++} ++ ++static inline void sk_owner_clear(struct sock *sk) ++{ ++ sk->sk_owner = NULL; ++} ++ ++static inline void sk_owner_put(struct sock *sk) ++{ ++ module_put(sk->sk_owner); ++} ++#else ++static inline void sk_owner_set(struct sock *sk, struct module *owner) ++{ ++} ++ ++static inline void sk_owner_clear(struct sock *sk) ++{ ++} ++ ++static inline void sk_owner_put(struct sock *sk) ++{ ++} ++#endif + /* + * Macro so as to not evaluate some arguments when + * lockdep is not enabled. 
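Review bot: `sk_owner_set()` calls `__module_get(owner)` unconditionally and `sk_owner_put()` calls `module_put(sk->sk_owner)` unconditionally, so both rely on the module API accepting a NULL pointer: `THIS_MODULE` is NULL for built-in callers of sock_lock_init_class_and_name() (the sunrpc/nfs case when not built as a module), and `sk_owner` is NULL for every socket that never went through that macro. `__module_get()` and `module_put()` do tolerate NULL, so the code is correct, but a comment on `sk_owner_set()` saying that built-in owners intentionally store NULL would save the next reader from checking. Note also that the field is only present under `CONFIG_PROVE_LOCKING && CONFIG_MODULES`, matching the commit message's point that the bug is a LOCKDEP-only issue.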
+@@ -1671,13 +1706,14 @@ static inline void sock_release_ownershi + */ + #define sock_lock_init_class_and_name(sk, sname, skey, name, key) \ + do { \ ++ sk_owner_set(sk, THIS_MODULE); \ + sk->sk_lock.owned = 0; \ + init_waitqueue_head(&sk->sk_lock.wq); \ + spin_lock_init(&(sk)->sk_lock.slock); \ + debug_check_no_locks_freed((void *)&(sk)->sk_lock, \ +- sizeof((sk)->sk_lock)); \ ++ sizeof((sk)->sk_lock)); \ + lockdep_set_class_and_name(&(sk)->sk_lock.slock, \ +- (skey), (sname)); \ ++ (skey), (sname)); \ + lockdep_init_map(&(sk)->sk_lock.dep_map, (name), (key), 0); \ + } while (0) + +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1799,6 +1799,8 @@ int sock_getsockopt(struct socket *sock, + */ + static inline void sock_lock_init(struct sock *sk) + { ++ sk_owner_clear(sk); ++ + if (sk->sk_kern_sock) + sock_lock_init_class_and_name( + sk, +@@ -1894,6 +1896,9 @@ static void sk_prot_free(struct proto *p + cgroup_sk_free(&sk->sk_cgrp_data); + mem_cgroup_sk_free(sk); + security_sk_free(sk); ++ ++ sk_owner_put(sk); ++ + if (slab != NULL) + kmem_cache_free(slab, sk); + else diff --git a/queue-5.15/series b/queue-5.15/series index 1bb7e413dd..60cb2cf7c6 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -1,2 +1,9 @@ revert-fbdev-disable-sysfb-device-registration-when-.patch xfs-short-circuit-xfs_growfs_data_private-if-delta-i.patch +kunit-kasan_test-disable-fortify-string-checker-on-kasan_strings-test.patch +mm-introduce-and-use-pgd-p4d-_populate_kernel.patch +media-mtk-vcodec-venc-avoid-wenum-compare-conditional-warning.patch +media-i2c-imx214-fix-link-frequency-validation.patch +net-fix-null-ptr-deref-by-sock_lock_init_class_and_name-and-rmmod.patch +tracing-do-not-add-length-to-print-format-in-synthetic-events.patch +mm-rmap-reject-hugetlb-folios-in-folio_make_device_exclusive.patch 
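Review bot: the `sk_owner_clear(sk)` added at the top of sock_lock_init() is the only thing that keeps `sk_owner_put()` in sk_prot_free() from dropping a reference the socket never took, because sk_clone_lock() copies the parent socket (the commit message notes it does so without GFP_ZERO) and would otherwise carry the parent's `sk_owner` into the child; a comment next to `sk_owner_clear(sk);` stating that it must run before the conditional `sock_lock_init_class_and_name()` call below it would make that ordering requirement visible in the code rather than only in the changelog. The `sk_owner_put(sk)` placement after security_sk_free() and before kmem_cache_free() looks right, since no further lock acquisition on `sk->sk_lock` can happen once the socket is being freed.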
diff --git a/queue-5.15/tracing-do-not-add-length-to-print-format-in-synthetic-events.patch b/queue-5.15/tracing-do-not-add-length-to-print-format-in-synthetic-events.patch new file mode 100644 index 0000000000..5dd48fbfc4 --- /dev/null +++ b/queue-5.15/tracing-do-not-add-length-to-print-format-in-synthetic-events.patch 
@@ -0,0 +1,67 @@ +From stable+bounces-178819-greg=kroah.com@vger.kernel.org Mon Sep 8 02:23:31 2025 +From: Sasha Levin +Date: Sun, 7 Sep 2025 20:23:21 -0400 +Subject: tracing: Do not add length to print format in synthetic events +To: stable@vger.kernel.org +Cc: Steven Rostedt , Mathieu Desnoyers , Tom Zanussi , Douglas Raillard , "Masami Hiramatsu (Google)" , Sasha Levin +Message-ID: <20250908002321.961475-1-sashal@kernel.org> + +From: Steven Rostedt + +[ Upstream commit e1a453a57bc76be678bd746f84e3d73f378a9511 ] + +The following causes a vsnprintf fault: + + # echo 's:wake_lat char[] wakee; u64 delta;' >> /sys/kernel/tracing/dynamic_events + # echo 'hist:keys=pid:ts=common_timestamp.usecs if !(common_flags & 0x18)' > /sys/kernel/tracing/events/sched/sched_waking/trigger + # echo 'hist:keys=next_pid:delta=common_timestamp.usecs-$ts:onmatch(sched.sched_waking).trace(wake_lat,next_comm,$delta)' > /sys/kernel/tracing/events/sched/sched_switch/trigger + +Because the synthetic event's "wakee" field is created as a dynamic string +(even though the string copied is not). The print format to print the +dynamic string changed from "%*s" to "%s" because another location +(__set_synth_event_print_fmt()) exported this to user space, and user +space did not need that. But it is still used in print_synth_event(), and +the output looks like: + + -0 [001] d..5. 193.428167: wake_lat: wakee=(efault)sshd-sessiondelta=155 + sshd-session-879 [001] d..5. 193.811080: wake_lat: wakee=(efault)kworker/u34:5delta=58 + -0 [002] d..5. 193.811198: wake_lat: wakee=(efault)bashdelta=91 + bash-880 [002] d..5. 193.811371: wake_lat: wakee=(efault)kworker/u35:2delta=21 + -0 [001] d..5. 193.811516: wake_lat: wakee=(efault)sshd-sessiondelta=129 + sshd-session-879 [001] d..5. 193.967576: wake_lat: wakee=(efault)kworker/u34:5delta=50 + +The length isn't needed as the string is always nul terminated. Just print +the string and not add the length (which was hard coded to the max string +length anyway). 
+ +Cc: stable@vger.kernel.org +Cc: Mathieu Desnoyers +Cc: Tom Zanussi +Cc: Douglas Raillard +Acked-by: Masami Hiramatsu (Google) +Link: https://lore.kernel.org/20250407154139.69955768@gandalf.local.home +Fixes: 4d38328eb442d ("tracing: Fix synth event printk format for str fields"); +Signed-off-by: Steven Rostedt (Google) +[ offset calculations instead of union-based data structures ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events_synth.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/kernel/trace/trace_events_synth.c ++++ b/kernel/trace/trace_events_synth.c +@@ -364,13 +364,11 @@ static enum print_line_t print_synth_eve + str_field = (char *)entry + data_offset; + + trace_seq_printf(s, print_fmt, se->fields[i]->name, +- STR_VAR_LEN_MAX, + str_field, + i == se->n_fields - 1 ? "" : " "); + n_u64++; + } else { + trace_seq_printf(s, print_fmt, se->fields[i]->name, +- STR_VAR_LEN_MAX, + (char *)&entry->fields[n_u64], + i == se->n_fields - 1 ? "" : " "); + n_u64 += STR_VAR_LEN_MAX / sizeof(u64);
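Review bot: both trace_seq_printf() calls in print_synth_event() drop the `STR_VAR_LEN_MAX` argument, which is only correct if the `print_fmt` string used there is already "%s" rather than "%*s"; the commit message says that format change came from the commit named in the Fixes: tag (4d38328eb442d), so this backport depends on that commit being in 5.15.y, and the bracketed backport remark "[ offset calculations instead of union-based data structures ]" should also say that this was checked. Minor: the Fixes: trailer ends with a stray semicolon after the closing parenthesis, which trips tools that parse trailers; drop it.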