From: Greg Kroah-Hartman Date: Mon, 18 Aug 2025 11:16:05 +0000 (+0200) Subject: 6.16-stable patches X-Git-Tag: v6.12.43~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=96467e81c90d5bf97640febd43e27dd23b3380fd;p=thirdparty%2Fkernel%2Fstable-queue.git 6.16-stable patches added patches: fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch fbdev-nvidiafb-add-depends-on-has_ioport.patch hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch i2c-core-fix-double-free-of-fwnode-in-i2c_unregister_device.patch media-i2c-vd55g1-fix-return-code-in-vd55g1_enable_streams-error-path.patch media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch media-uvcvideo-turn-on-the-camera-if-v4l2_event_sub_fl_send_initial.patch media-v4l2-add-support-for-nv12m-tiled-variants-to-v4l2_format_info.patch media-venus-fix-oob-read-due-to-missing-payload-bound-check.patch mm-huge_memory-don-t-ignore-queried-cachemode-in-vmf_insert_pfn_pud.patch mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch mm-shmem-swap-improve-cached-mthp-handling-and-fix-potential-hang.patch mm-slab-restore-numa-policy-support-for-large-kmalloc.patch net-sched-ets-use-old-nbands-while-purging-unused-classes.patch ocfs2-reset-folio-to-null-when-get-folio-fails.patch parisc-makefile-fix-a-typo-in-palo.conf.patch rdma-siw-fix-the-sendmsg-byte-count-in-siw_tcp_sendpages.patch tools-nolibc-fix-spelling-of-fd_setbitmask-in-fd_-macros.patch tracing-fprobe-fix-infinite-recursion-using-preempt_-_notrace.patch userfaultfd-fix-a-crash-in-uffdio_move-when-pmd-is-a-migration-entry.patch --- diff --git a/queue-6.16/fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch b/queue-6.16/fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch new file mode 100644 index 0000000000..79f0ad095b --- /dev/null +++ b/queue-6.16/fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch @@ -0,0 +1,69 @@ +From af0db3c1f898144846d4c172531a199bb3ca375d Mon Sep 17 00:00:00 2001 +From: Sravan Kumar Gundu +Date: Thu, 31 Jul 2025 15:36:18 -0500 +Subject: fbdev: Fix vmalloc out-of-bounds write in fast_imageblit + +From: Sravan Kumar Gundu + +commit af0db3c1f898144846d4c172531a199bb3ca375d upstream. + +This issue triggers when a userspace program does an ioctl +FBIOPUT_CON2FBMAP by passing console number and frame buffer number. +Ideally this maps console to frame buffer and updates the screen if +console is visible. + +As part of mapping it has to do resize of console according to frame +buffer info. if this resize fails and returns from vc_do_resize() and +continues further. At this point console and new frame buffer are mapped +and sets display vars. Despite failure still it continue to proceed +updating the screen at later stages where vc_data is related to previous +frame buffer and frame buffer info and display vars are mapped to new +frame buffer and eventully leading to out-of-bounds write in +fast_imageblit(). This bheviour is excepted only when fg_console is +equal to requested console which is a visible console and updates screen +with invalid struct references in fbcon_putcs(). + +Reported-and-tested-by: syzbot+c4b7aa0513823e2ea880@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=c4b7aa0513823e2ea880 +Signed-off-by: Sravan Kumar Gundu +Cc: stable@vger.kernel.org +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/fbcon.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -825,7 +825,8 @@ static void con2fb_init_display(struct v + fg_vc->vc_rows); + } + +- update_screen(vc_cons[fg_console].d); ++ if (fg_console != unit) ++ update_screen(vc_cons[fg_console].d); + } + + /** +@@ -1362,6 +1363,7 @@ static void fbcon_set_disp(struct fb_inf + struct vc_data *svc; + struct fbcon_ops *ops = info->fbcon_par; + int rows, cols; ++ unsigned long ret = 0; + + p = &fb_display[unit]; + +@@ -1412,11 +1414,10 @@ static void fbcon_set_disp(struct fb_inf + rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres); + cols /= vc->vc_font.width; + rows /= vc->vc_font.height; +- vc_resize(vc, cols, rows); ++ ret = vc_resize(vc, cols, rows); + +- if (con_is_visible(vc)) { ++ if (con_is_visible(vc) && !ret) + update_screen(vc); +- } + } + + static __inline__ void ywrap_up(struct vc_data *vc, int count) diff --git a/queue-6.16/fbdev-nvidiafb-add-depends-on-has_ioport.patch b/queue-6.16/fbdev-nvidiafb-add-depends-on-has_ioport.patch new file mode 100644 index 0000000000..6334948dbd --- /dev/null +++ b/queue-6.16/fbdev-nvidiafb-add-depends-on-has_ioport.patch @@ -0,0 +1,50 @@ +From ecdd7df997fd992f0ec70b788e3b12258008a2bf Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Sun, 15 Jun 2025 11:36:51 -0700 +Subject: fbdev: nvidiafb: add depends on HAS_IOPORT +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +commit ecdd7df997fd992f0ec70b788e3b12258008a2bf upstream. + +The nvidiafb driver uses inb()/outb() without depending on HAS_IOPORT, +which leads to build errors since kernel v6.13-rc1: +commit 6f043e757445 ("asm-generic/io.h: Remove I/O port accessors +for HAS_IOPORT=n") + +Add the HAS_IOPORT dependency to prevent the build errors. + +(Found in ARCH=um allmodconfig builds) + +drivers/video/fbdev/nvidia/nv_accel.c: In function ‘NVDmaWait’: +include/asm-generic/io.h:596:15: error: call to ‘_outb’ declared with attribute error: outb() requires CONFIG_HAS_IOPORT + 596 | #define _outb _outb + +Signed-off-by: Randy Dunlap +Cc: Arnd Bergmann +Cc: Niklas Schnelle +Cc: Antonino Daplas +Cc: Helge Deller +Cc: linux-fbdev@vger.kernel.org +Cc: dri-devel@lists.freedesktop.org +Cc: stable@vger.kernel.org # v6.13+ +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/video/fbdev/Kconfig ++++ b/drivers/video/fbdev/Kconfig +@@ -660,7 +660,7 @@ config FB_ATMEL + + config FB_NVIDIA + tristate "nVidia Framebuffer Support" +- depends on FB && PCI ++ depends on FB && PCI && HAS_IOPORT + select FB_CFB_FILLRECT + select FB_CFB_COPYAREA + select FB_CFB_IMAGEBLIT diff --git a/queue-6.16/hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch b/queue-6.16/hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch new file mode 100644 index 0000000000..58f1eef589 --- /dev/null +++ b/queue-6.16/hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch @@ -0,0 +1,145 @@ +From 33caa208dba6fa639e8a92fd0c8320b652e5550c Mon Sep 17 00:00:00 2001 +From: Haiyang Zhang +Date: Wed, 6 Aug 2025 13:21:51 -0700 +Subject: hv_netvsc: Fix panic during namespace deletion with VF + +From: Haiyang Zhang + +commit 33caa208dba6fa639e8a92fd0c8320b652e5550c upstream. + +The existing code move the VF NIC to new namespace when NETDEV_REGISTER is +received on netvsc NIC. During deletion of the namespace, +default_device_exit_batch() >> default_device_exit_net() is called. When +netvsc NIC is moved back and registered to the default namespace, it +automatically brings VF NIC back to the default namespace. This will cause +the default_device_exit_net() >> for_each_netdev_safe loop unable to detect +the list end, and hit NULL ptr: + +[ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0 +[ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010 +[ 231.450246] #PF: supervisor read access in kernel mode +[ 231.450579] #PF: error_code(0x0000) - not-present page +[ 231.450916] PGD 17b8a8067 P4D 0 +[ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI +[ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY +[ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024 +[ 231.452692] Workqueue: netns cleanup_net +[ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0 +[ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00 +[ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246 +[ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb +[ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564 +[ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000 +[ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340 +[ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340 +[ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000 +[ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0 +[ 231.458434] Call Trace: +[ 231.458600] +[ 231.458777] ops_undo_list+0x100/0x220 +[ 231.459015] cleanup_net+0x1b8/0x300 +[ 231.459285] process_one_work+0x184/0x340 + +To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid +changing the netdev list when default_device_exit_net() is using it. + +Cc: stable@vger.kernel.org +Fixes: 4c262801ea60 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event") +Signed-off-by: Haiyang Zhang +Link: https://patch.msgid.link/1754511711-11188-1-git-send-email-haiyangz@linux.microsoft.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/hyperv_net.h | 3 +++ + drivers/net/hyperv/netvsc_drv.c | 29 ++++++++++++++++++++++++++++- + 2 files changed, 31 insertions(+), 1 deletion(-) + +--- a/drivers/net/hyperv/hyperv_net.h ++++ b/drivers/net/hyperv/hyperv_net.h +@@ -1061,6 +1061,7 @@ struct net_device_context { + struct net_device __rcu *vf_netdev; + struct netvsc_vf_pcpu_stats __percpu *vf_stats; + struct delayed_work vf_takeover; ++ struct delayed_work vfns_work; + + /* 1: allocated, serial number is valid. 0: not allocated */ + u32 vf_alloc; +@@ -1075,6 +1076,8 @@ struct net_device_context { + struct netvsc_device_info *saved_netvsc_dev_info; + }; + ++void netvsc_vfns_work(struct work_struct *w); ++ + /* Azure hosts don't support non-TCP port numbers in hashing for fragmented + * packets. We can use ethtool to change UDP hash level when necessary. + */ +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -2530,6 +2530,7 @@ static int netvsc_probe(struct hv_device + spin_lock_init(&net_device_ctx->lock); + INIT_LIST_HEAD(&net_device_ctx->reconfig_events); + INIT_DELAYED_WORK(&net_device_ctx->vf_takeover, netvsc_vf_setup); ++ INIT_DELAYED_WORK(&net_device_ctx->vfns_work, netvsc_vfns_work); + + net_device_ctx->vf_stats + = netdev_alloc_pcpu_stats(struct netvsc_vf_pcpu_stats); +@@ -2674,6 +2675,8 @@ static void netvsc_remove(struct hv_devi + cancel_delayed_work_sync(&ndev_ctx->dwork); + + rtnl_lock(); ++ cancel_delayed_work_sync(&ndev_ctx->vfns_work); ++ + nvdev = rtnl_dereference(ndev_ctx->nvdev); + if (nvdev) { + cancel_work_sync(&nvdev->subchan_work); +@@ -2715,6 +2718,7 @@ static int netvsc_suspend(struct hv_devi + cancel_delayed_work_sync(&ndev_ctx->dwork); + + rtnl_lock(); ++ cancel_delayed_work_sync(&ndev_ctx->vfns_work); + + nvdev = rtnl_dereference(ndev_ctx->nvdev); + if (nvdev == NULL) { +@@ -2808,6 +2812,27 @@ static void netvsc_event_set_vf_ns(struc + } + } + ++void netvsc_vfns_work(struct work_struct *w) ++{ ++ struct net_device_context *ndev_ctx = ++ container_of(w, struct net_device_context, vfns_work.work); ++ struct net_device *ndev; ++ ++ if (!rtnl_trylock()) { ++ schedule_delayed_work(&ndev_ctx->vfns_work, 1); ++ return; ++ } ++ ++ ndev = hv_get_drvdata(ndev_ctx->device_ctx); ++ if (!ndev) ++ goto out; ++ ++ netvsc_event_set_vf_ns(ndev); ++ ++out: ++ rtnl_unlock(); ++} ++ + /* + * On Hyper-V, every VF interface is matched with a corresponding + * synthetic interface. The synthetic interface is presented first +@@ -2818,10 +2843,12 @@ static int netvsc_netdev_event(struct no + unsigned long event, void *ptr) + { + struct net_device *event_dev = netdev_notifier_info_to_dev(ptr); ++ struct net_device_context *ndev_ctx; + int ret = 0; + + if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) { +- netvsc_event_set_vf_ns(event_dev); ++ ndev_ctx = netdev_priv(event_dev); ++ schedule_delayed_work(&ndev_ctx->vfns_work, 0); + return NOTIFY_DONE; + } + diff --git a/queue-6.16/i2c-core-fix-double-free-of-fwnode-in-i2c_unregister_device.patch b/queue-6.16/i2c-core-fix-double-free-of-fwnode-in-i2c_unregister_device.patch new file mode 100644 index 0000000000..5725edd643 --- /dev/null +++ b/queue-6.16/i2c-core-fix-double-free-of-fwnode-in-i2c_unregister_device.patch @@ -0,0 +1,67 @@ +From 1c24e5fc0c7096e00c202a6a3e0c342c1afb47c2 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 19 Jul 2025 20:01:04 +0200 +Subject: i2c: core: Fix double-free of fwnode in i2c_unregister_device() + +From: Hans de Goede + +commit 1c24e5fc0c7096e00c202a6a3e0c342c1afb47c2 upstream. + +Before commit df6d7277e552 ("i2c: core: Do not dereference fwnode in struct +device"), i2c_unregister_device() only called fwnode_handle_put() on +of_node-s in the form of calling of_node_put(client->dev.of_node). + +But after this commit the i2c_client's fwnode now unconditionally gets +fwnode_handle_put() on it. + +When the i2c_client has no primary (ACPI / OF) fwnode but it does have +a software fwnode, the software-node will be the primary node and +fwnode_handle_put() will put() it. + +But for the software fwnode device_remove_software_node() will also put() +it leading to a double free: + +[ 82.665598] ------------[ cut here ]------------ +[ 82.665609] refcount_t: underflow; use-after-free. +[ 82.665808] WARNING: CPU: 3 PID: 1502 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x11 +... +[ 82.666830] RIP: 0010:refcount_warn_saturate+0xba/0x110 +... +[ 82.666962] +[ 82.666971] i2c_unregister_device+0x60/0x90 + +Fix this by not calling fwnode_handle_put() when the primary fwnode is +a software-node. + +Fixes: df6d7277e552 ("i2c: core: Do not dereference fwnode in struct device") +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/i2c-core-base.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c +index 2ad2b1838f0f..0849aa44952d 100644 +--- a/drivers/i2c/i2c-core-base.c ++++ b/drivers/i2c/i2c-core-base.c +@@ -1066,7 +1066,13 @@ void i2c_unregister_device(struct i2c_client *client) + of_node_clear_flag(to_of_node(fwnode), OF_POPULATED); + else if (is_acpi_device_node(fwnode)) + acpi_device_clear_enumerated(to_acpi_device_node(fwnode)); +- fwnode_handle_put(fwnode); ++ ++ /* ++ * If the primary fwnode is a software node it is free-ed by ++ * device_remove_software_node() below, avoid double-free. ++ */ ++ if (!is_software_node(fwnode)) ++ fwnode_handle_put(fwnode); + + device_remove_software_node(&client->dev); + device_unregister(&client->dev); +-- +2.50.1 + diff --git a/queue-6.16/media-i2c-vd55g1-fix-return-code-in-vd55g1_enable_streams-error-path.patch b/queue-6.16/media-i2c-vd55g1-fix-return-code-in-vd55g1_enable_streams-error-path.patch new file mode 100644 index 0000000000..fa7c7984fb --- /dev/null +++ b/queue-6.16/media-i2c-vd55g1-fix-return-code-in-vd55g1_enable_streams-error-path.patch @@ -0,0 +1,33 @@ +From 5931eed35cb632ff8b7e0b0cc91abc6014c64045 Mon Sep 17 00:00:00 2001 +From: Benjamin Mugnier +Date: Wed, 11 Jun 2025 10:48:31 +0200 +Subject: media: i2c: vd55g1: Fix return code in vd55g1_enable_streams error path + +From: Benjamin Mugnier + +commit 5931eed35cb632ff8b7e0b0cc91abc6014c64045 upstream. + +Enable stream was returning success even if an error occurred, fix it by +modifying the err_rpm_put return value to -EINVAL. + +Signed-off-by: Benjamin Mugnier +Fixes: e56616d7b23c ("media: i2c: Add driver for ST VD55G1 camera sensor") +Cc: stable@vger.kernel.org +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/vd55g1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/i2c/vd55g1.c ++++ b/drivers/media/i2c/vd55g1.c +@@ -1082,7 +1082,7 @@ static int vd55g1_enable_streams(struct + + err_rpm_put: + pm_runtime_put(sensor->dev); +- return 0; ++ return -EINVAL; + } + + static int vd55g1_disable_streams(struct v4l2_subdev *sd, diff --git a/queue-6.16/media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch b/queue-6.16/media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch new file mode 100644 index 0000000000..dad6e7e051 --- /dev/null +++ b/queue-6.16/media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch @@ -0,0 +1,58 @@ +From bda2859bff0b9596a19648f3740c697ce4c71496 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Mon, 7 Jul 2025 18:34:01 +0000 +Subject: media: uvcvideo: Do not mark valid metadata as invalid + +From: Ricardo Ribalda + +commit bda2859bff0b9596a19648f3740c697ce4c71496 upstream. + +Currently, the driver performs a length check of the metadata buffer +before the actual metadata size is known and before the metadata is +decided to be copied. This results in valid metadata buffers being +incorrectly marked as invalid. + +Move the length check to occur after the metadata size is determined and +is decided to be copied. + +Cc: stable@vger.kernel.org +Fixes: 088ead255245 ("media: uvcvideo: Add a metadata device node") +Reviewed-by: Laurent Pinchart +Reviewed-by: Hans de Goede +Signed-off-by: Ricardo Ribalda +Link: https://lore.kernel.org/r/20250707-uvc-meta-v8-1-ed17f8b1218b@chromium.org +Signed-off-by: Hans de Goede +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_video.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -1442,12 +1442,6 @@ static void uvc_video_decode_meta(struct + if (!meta_buf || length == 2) + return; + +- if (meta_buf->length - meta_buf->bytesused < +- length + sizeof(meta->ns) + sizeof(meta->sof)) { +- meta_buf->error = 1; +- return; +- } +- + has_pts = mem[1] & UVC_STREAM_PTS; + has_scr = mem[1] & UVC_STREAM_SCR; + +@@ -1468,6 +1462,12 @@ static void uvc_video_decode_meta(struct + !memcmp(scr, stream->clock.last_scr, 6))) + return; + ++ if (meta_buf->length - meta_buf->bytesused < ++ length + sizeof(meta->ns) + sizeof(meta->sof)) { ++ meta_buf->error = 1; ++ return; ++ } ++ + meta = (struct uvc_meta_buf *)((u8 *)meta_buf->mem + meta_buf->bytesused); + local_irq_save(flags); + time = uvc_video_get_time(); diff --git a/queue-6.16/media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch b/queue-6.16/media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch new file mode 100644 index 0000000000..7329bb744e --- /dev/null +++ b/queue-6.16/media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch @@ -0,0 +1,43 @@ +From 782b6a718651eda3478b1824b37a8b3185d2740c Mon Sep 17 00:00:00 2001 +From: Youngjun Lee +Date: Tue, 10 Jun 2025 21:41:07 +0900 +Subject: media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() + +From: Youngjun Lee + +commit 782b6a718651eda3478b1824b37a8b3185d2740c upstream. + +The buffer length check before calling uvc_parse_format() only ensured +that the buffer has at least 3 bytes (buflen > 2), buf the function +accesses buffer[3], requiring at least 4 bytes. + +This can lead to an out-of-bounds read if the buffer has exactly 3 bytes. + +Fix it by checking that the buffer has at least 4 bytes in +uvc_parse_format(). + +Signed-off-by: Youngjun Lee +Reviewed-by: Laurent Pinchart +Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") +Cc: stable@vger.kernel.org +Reviewed-by: Ricardo Ribalda +Link: https://lore.kernel.org/r/20250610124107.37360-1-yjjuny.lee@samsung.com +Signed-off-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_driver.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -344,6 +344,9 @@ static int uvc_parse_format(struct uvc_d + u8 ftype; + int ret; + ++ if (buflen < 4) ++ return -EINVAL; ++ + format->type = buffer[2]; + format->index = buffer[3]; + format->frames = frames; diff --git a/queue-6.16/media-uvcvideo-turn-on-the-camera-if-v4l2_event_sub_fl_send_initial.patch b/queue-6.16/media-uvcvideo-turn-on-the-camera-if-v4l2_event_sub_fl_send_initial.patch new file mode 100644 index 0000000000..d3c3922793 --- /dev/null +++ b/queue-6.16/media-uvcvideo-turn-on-the-camera-if-v4l2_event_sub_fl_send_initial.patch @@ -0,0 +1,77 @@ +From a03e32e60141058d46ea8cf4631654c43c740fdb Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Tue, 1 Jul 2025 06:45:17 +0000 +Subject: media: uvcvideo: Turn on the camera if V4L2_EVENT_SUB_FL_SEND_INITIAL + +From: Ricardo Ribalda + +commit a03e32e60141058d46ea8cf4631654c43c740fdb upstream. + +If we subscribe to an event with V4L2_EVENT_SUB_FL_SEND_INITIAL, the +driver needs to report back some values that require the camera to be +powered on. But VIDIOC_SUBSCRIBE_EVENT is not part of the ioctls that +turn on the camera. + +We could unconditionally turn on the camera during +VIDIOC_SUBSCRIBE_EVENT, but it is more efficient to turn it on only +during V4L2_EVENT_SUB_FL_SEND_INITIAL, which we believe is not a common +usecase. + +To avoid a list_del if uvc_pm_get() fails, we move list_add_tail to the +end of the function. + +Reviewed-by: Hans de Goede +Fixes: d1b618e79548 ("media: uvcvideo: Do not turn on the camera for some ioctls") +Cc: stable@vger.kernel.org +Reviewed-by: Laurent Pinchart +Signed-off-by: Ricardo Ribalda +Link: https://lore.kernel.org/r/20250701-uvc-grannular-invert-v4-5-8003b9b89f68@chromium.org +Signed-off-by: Hans de Goede +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_ctrl.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c +index 303b7509ec47..efe609d70877 100644 +--- a/drivers/media/usb/uvc/uvc_ctrl.c ++++ b/drivers/media/usb/uvc/uvc_ctrl.c +@@ -2072,18 +2072,24 @@ static int uvc_ctrl_add_event(struct v4l2_subscribed_event *sev, unsigned elems) + goto done; + } + +- list_add_tail(&sev->node, &mapping->ev_subs); + if (sev->flags & V4L2_EVENT_SUB_FL_SEND_INITIAL) { + struct v4l2_event ev; + u32 changes = V4L2_EVENT_CTRL_CH_FLAGS; + s32 val = 0; + ++ ret = uvc_pm_get(handle->chain->dev); ++ if (ret) ++ goto done; ++ + if (uvc_ctrl_mapping_is_compound(mapping) || + __uvc_ctrl_get(handle->chain, ctrl, mapping, &val) == 0) + changes |= V4L2_EVENT_CTRL_CH_VALUE; + + uvc_ctrl_fill_event(handle->chain, &ev, ctrl, mapping, val, + changes); ++ ++ uvc_pm_put(handle->chain->dev); ++ + /* + * Mark the queue as active, allowing this initial event to be + * accepted. +@@ -2092,6 +2098,8 @@ static int uvc_ctrl_add_event(struct v4l2_subscribed_event *sev, unsigned elems) + v4l2_event_queue_fh(sev->fh, &ev); + } + ++ list_add_tail(&sev->node, &mapping->ev_subs); ++ + done: + mutex_unlock(&handle->chain->ctrl_mutex); + return ret; +-- +2.50.1 + diff --git a/queue-6.16/media-v4l2-add-support-for-nv12m-tiled-variants-to-v4l2_format_info.patch b/queue-6.16/media-v4l2-add-support-for-nv12m-tiled-variants-to-v4l2_format_info.patch new file mode 100644 index 0000000000..e5aa5d7501 --- /dev/null +++ b/queue-6.16/media-v4l2-add-support-for-nv12m-tiled-variants-to-v4l2_format_info.patch @@ -0,0 +1,42 @@ +From f7546da1d6eb8928efb89b7faacbd6c2f8f0de5c Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Fri, 11 Jul 2025 11:41:58 +0200 +Subject: media: v4l2: Add support for NV12M tiled variants to v4l2_format_info() + +From: Marek Szyprowski + +commit f7546da1d6eb8928efb89b7faacbd6c2f8f0de5c upstream. + +Commit 6f1466123d73 ("media: s5p-mfc: Add YV12 and I420 multiplanar +format support") added support for the new formats to s5p-mfc driver, +what in turn required some internal calls to the v4l2_format_info() +function while setting up formats. This in turn broke support for the +"old" tiled NV12MT* formats, which are not recognized by this function. +Fix this by adding those variants of NV12M pixel format to +v4l2_format_info() function database. + +Fixes: 6f1466123d73 ("media: s5p-mfc: Add YV12 and I420 multiplanar format support") +Cc: stable@vger.kernel.org +Signed-off-by: Marek Szyprowski +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/v4l2-common.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/media/v4l2-core/v4l2-common.c ++++ b/drivers/media/v4l2-core/v4l2-common.c +@@ -323,6 +323,12 @@ const struct v4l2_format_info *v4l2_form + { .format = V4L2_PIX_FMT_NV61M, .pixel_enc = V4L2_PIXEL_ENC_YUV, .mem_planes = 2, .comp_planes = 2, .bpp = { 1, 2, 0, 0 }, .bpp_div = { 1, 1, 1, 1 }, .hdiv = 2, .vdiv = 1 }, + { .format = V4L2_PIX_FMT_P012M, .pixel_enc = V4L2_PIXEL_ENC_YUV, .mem_planes = 2, .comp_planes = 2, .bpp = { 2, 4, 0, 0 }, .bpp_div = { 1, 1, 1, 1 }, .hdiv = 2, .vdiv = 2 }, + ++ /* Tiled YUV formats, non contiguous variant */ ++ { .format = V4L2_PIX_FMT_NV12MT, .pixel_enc = V4L2_PIXEL_ENC_YUV, .mem_planes = 2, .comp_planes = 2, .bpp = { 1, 2, 0, 0 }, .bpp_div = { 1, 1, 1, 1 }, .hdiv = 2, .vdiv = 2, ++ .block_w = { 64, 32, 0, 0 }, .block_h = { 32, 16, 0, 0 }}, ++ { .format = V4L2_PIX_FMT_NV12MT_16X16, .pixel_enc = V4L2_PIXEL_ENC_YUV, .mem_planes = 2, .comp_planes = 2, .bpp = { 1, 2, 0, 0 }, .bpp_div = { 1, 1, 1, 1 }, .hdiv = 2, .vdiv = 2, ++ .block_w = { 16, 8, 0, 0 }, .block_h = { 16, 8, 0, 0 }}, ++ + /* Bayer RGB formats */ + { .format = V4L2_PIX_FMT_SBGGR8, .pixel_enc = V4L2_PIXEL_ENC_BAYER, .mem_planes = 1, .comp_planes = 1, .bpp = { 1, 0, 0, 0 }, .bpp_div = { 1, 1, 1, 1 }, .hdiv = 1, .vdiv = 1 }, + { .format = V4L2_PIX_FMT_SGBRG8, .pixel_enc = V4L2_PIXEL_ENC_BAYER, .mem_planes = 1, .comp_planes = 1, .bpp = { 1, 0, 0, 0 }, .bpp_div = { 1, 1, 1, 1 }, .hdiv = 1, .vdiv = 1 }, diff --git a/queue-6.16/media-venus-fix-oob-read-due-to-missing-payload-bound-check.patch b/queue-6.16/media-venus-fix-oob-read-due-to-missing-payload-bound-check.patch new file mode 100644 index 0000000000..c63f60cc50 --- /dev/null +++ b/queue-6.16/media-venus-fix-oob-read-due-to-missing-payload-bound-check.patch @@ -0,0 +1,197 @@ +From 06d6770ff0d8cc8dfd392329a8cc03e2a83e7289 Mon Sep 17 00:00:00 2001 +From: Vedang Nagar +Date: Mon, 19 May 2025 12:42:22 +0530 +Subject: media: venus: Fix OOB read due to missing payload bound check + +From: Vedang Nagar + +commit 06d6770ff0d8cc8dfd392329a8cc03e2a83e7289 upstream. + +Currently, The event_seq_changed() handler processes a variable number +of properties sent by the firmware. The number of properties is indicated +by the firmware and used to iterate over the payload. However, the +payload size is not being validated against the actual message length. + +This can lead to out-of-bounds memory access if the firmware provides a +property count that exceeds the data available in the payload. Such a +condition can result in kernel crashes or potential information leaks if +memory beyond the buffer is accessed. + +Fix this by properly validating the remaining size of the payload before +each property access and updating bounds accordingly as properties are +parsed. + +This ensures that property parsing is safely bounded within the received +message buffer and protects against malformed or malicious firmware +behavior. + +Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)") +Cc: stable@vger.kernel.org +Signed-off-by: Vedang Nagar +Reviewed-by: Vikash Garodia +Reviewed-by: Bryan O'Donoghue +Co-developed-by: Dikshita Agarwal +Signed-off-by: Dikshita Agarwal +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/hfi_msgs.c | 83 ++++++++++++++++++--------- + 1 file changed, 58 insertions(+), 25 deletions(-) + +--- a/drivers/media/platform/qcom/venus/hfi_msgs.c ++++ b/drivers/media/platform/qcom/venus/hfi_msgs.c +@@ -33,8 +33,9 @@ static void event_seq_changed(struct ven + struct hfi_buffer_requirements *bufreq; + struct hfi_extradata_input_crop *crop; + struct hfi_dpb_counts *dpb_count; ++ u32 ptype, rem_bytes; ++ u32 size_read = 0; + u8 *data_ptr; +- u32 ptype; + + inst->error = HFI_ERR_NONE; + +@@ -44,86 +45,118 @@ static void event_seq_changed(struct ven + break; + default: + inst->error = HFI_ERR_SESSION_INVALID_PARAMETER; +- goto done; ++ inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); ++ return; + } + + event.event_type = pkt->event_data1; + + num_properties_changed = pkt->event_data2; +- if (!num_properties_changed) { +- inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES; +- goto done; +- } ++ if (!num_properties_changed) ++ goto error; + + data_ptr = (u8 *)&pkt->ext_event_data[0]; ++ rem_bytes = pkt->shdr.hdr.size - sizeof(*pkt); ++ + do { ++ if (rem_bytes < sizeof(u32)) ++ goto error; + ptype = *((u32 *)data_ptr); ++ ++ data_ptr += sizeof(u32); ++ rem_bytes -= sizeof(u32); ++ + switch (ptype) { + case HFI_PROPERTY_PARAM_FRAME_SIZE: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_framesize)) ++ goto error; ++ + frame_sz = (struct hfi_framesize *)data_ptr; + event.width = frame_sz->width; + event.height = frame_sz->height; +- data_ptr += sizeof(*frame_sz); ++ size_read = sizeof(struct hfi_framesize); + break; + case HFI_PROPERTY_PARAM_PROFILE_LEVEL_CURRENT: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_profile_level)) ++ goto error; ++ + profile_level = (struct hfi_profile_level *)data_ptr; + event.profile = profile_level->profile; + event.level = profile_level->level; +- data_ptr += sizeof(*profile_level); ++ size_read = sizeof(struct hfi_profile_level); + break; + case HFI_PROPERTY_PARAM_VDEC_PIXEL_BITDEPTH: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_bit_depth)) ++ goto error; ++ + pixel_depth = (struct hfi_bit_depth *)data_ptr; + event.bit_depth = pixel_depth->bit_depth; +- data_ptr += sizeof(*pixel_depth); ++ size_read = sizeof(struct hfi_bit_depth); + break; + case HFI_PROPERTY_PARAM_VDEC_PIC_STRUCT: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_pic_struct)) ++ goto error; ++ + pic_struct = (struct hfi_pic_struct *)data_ptr; + event.pic_struct = pic_struct->progressive_only; +- data_ptr += sizeof(*pic_struct); ++ size_read = sizeof(struct hfi_pic_struct); + break; + case HFI_PROPERTY_PARAM_VDEC_COLOUR_SPACE: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_colour_space)) ++ goto error; ++ + colour_info = (struct hfi_colour_space *)data_ptr; + event.colour_space = colour_info->colour_space; +- data_ptr += sizeof(*colour_info); ++ size_read = sizeof(struct hfi_colour_space); + break; + case HFI_PROPERTY_CONFIG_VDEC_ENTROPY: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(u32)) ++ goto error; ++ + event.entropy_mode = *(u32 *)data_ptr; +- data_ptr += sizeof(u32); ++ size_read = sizeof(u32); + break; + case HFI_PROPERTY_CONFIG_BUFFER_REQUIREMENTS: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_buffer_requirements)) ++ goto error; ++ + bufreq = (struct hfi_buffer_requirements *)data_ptr; + event.buf_count = hfi_bufreq_get_count_min(bufreq, ver); +- data_ptr += sizeof(*bufreq); ++ size_read = sizeof(struct hfi_buffer_requirements); + break; + case HFI_INDEX_EXTRADATA_INPUT_CROP: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_extradata_input_crop)) ++ goto error; ++ + crop = (struct hfi_extradata_input_crop *)data_ptr; + event.input_crop.left = crop->left; + event.input_crop.top = crop->top; + event.input_crop.width = crop->width; + event.input_crop.height = crop->height; +- data_ptr += sizeof(*crop); ++ size_read = sizeof(struct hfi_extradata_input_crop); + break; + case HFI_PROPERTY_PARAM_VDEC_DPB_COUNTS: +- data_ptr += sizeof(u32); ++ if (rem_bytes < sizeof(struct hfi_dpb_counts)) ++ goto error; ++ + dpb_count = (struct hfi_dpb_counts *)data_ptr; + event.buf_count = dpb_count->fw_min_cnt; +- data_ptr += sizeof(*dpb_count); ++ size_read = sizeof(struct hfi_dpb_counts); + break; + default: ++ size_read = 0; + break; + } ++ data_ptr += size_read; ++ rem_bytes -= size_read; + num_properties_changed--; + } while (num_properties_changed > 0); + +-done: ++ inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); ++ return; ++ ++error: ++ inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES; + inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event); + } + diff --git a/queue-6.16/mm-huge_memory-don-t-ignore-queried-cachemode-in-vmf_insert_pfn_pud.patch b/queue-6.16/mm-huge_memory-don-t-ignore-queried-cachemode-in-vmf_insert_pfn_pud.patch new file mode 100644 index 0000000000..86e6379a9d --- /dev/null +++ b/queue-6.16/mm-huge_memory-don-t-ignore-queried-cachemode-in-vmf_insert_pfn_pud.patch @@ -0,0 +1,99 @@ +From 09fefdca80aebd1023e827cb0ee174983d829d18 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Fri, 13 Jun 2025 11:27:00 +0200 +Subject: mm/huge_memory: don't ignore queried cachemode in vmf_insert_pfn_pud() + +From: David Hildenbrand + +commit 09fefdca80aebd1023e827cb0ee174983d829d18 upstream. + +Patch series "mm/huge_memory: vmf_insert_folio_*() and +vmf_insert_pfn_pud() fixes", v3. + +While working on improving vm_normal_page() and friends, I stumbled over +this issues: refcounted "normal" folios must not be marked using +pmd_special() / pud_special(). Otherwise, we're effectively telling the +system that these folios are no "normal", violating the rules we +documented for vm_normal_page(). + +Fortunately, there are not many pmd_special()/pud_special() users yet. So +far there doesn't seem to be serious damage. + +Tested using the ndctl tests ("ndctl:dax" suite). + + +This patch (of 3): + +We set up the cache mode but ... don't forward the updated pgprot to +insert_pfn_pud(). + +Only a problem on x86-64 PAT when mapping PFNs using PUDs that require a +special cachemode. + +Fix it by using the proper pgprot where the cachemode was setup. + +It is unclear in which configurations we would get the cachemode wrong: +through vfio seems possible. Getting cachemodes wrong is usually ... +bad. As the fix is easy, let's backport it to stable. + +Identified by code inspection. + +Link: https://lkml.kernel.org/r/20250613092702.1943533-1-david@redhat.com +Link: https://lkml.kernel.org/r/20250613092702.1943533-2-david@redhat.com +Fixes: 7b806d229ef1 ("mm: remove vmf_insert_pfn_xxx_prot() for huge page-table entries") +Signed-off-by: David Hildenbrand +Reviewed-by: Dan Williams +Reviewed-by: Lorenzo Stoakes +Reviewed-by: Jason Gunthorpe +Reviewed-by: Oscar Salvador +Tested-by: Dan Williams +Cc: Alistair Popple +Cc: Baolin Wang +Cc: Dev Jain +Cc: Liam Howlett +Cc: Mariano Pache +Cc: Michal Hocko +Cc: Mike Rapoport +Cc: Ryan Roberts +Cc: Suren Baghdasaryan +Cc: Vlastimil Babka +Cc: Zi Yan +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/huge_memory.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -1516,10 +1516,9 @@ static pud_t maybe_pud_mkwrite(pud_t pud + } + + static void insert_pfn_pud(struct vm_area_struct *vma, unsigned long addr, +- pud_t *pud, pfn_t pfn, bool write) ++ pud_t *pud, pfn_t pfn, pgprot_t prot, bool write) + { + struct mm_struct *mm = vma->vm_mm; +- pgprot_t prot = vma->vm_page_prot; + pud_t entry; + + if (!pud_none(*pud)) { +@@ -1581,7 +1580,7 @@ vm_fault_t vmf_insert_pfn_pud(struct vm_ + pfnmap_setup_cachemode_pfn(pfn_t_to_pfn(pfn), &pgprot); + + ptl = pud_lock(vma->vm_mm, vmf->pud); +- insert_pfn_pud(vma, addr, vmf->pud, pfn, write); ++ insert_pfn_pud(vma, addr, vmf->pud, pfn, pgprot, write); + spin_unlock(ptl); + + return VM_FAULT_NOPAGE; +@@ -1625,7 +1624,7 @@ vm_fault_t vmf_insert_folio_pud(struct v + add_mm_counter(mm, mm_counter_file(folio), HPAGE_PUD_NR); + } + insert_pfn_pud(vma, addr, vmf->pud, pfn_to_pfn_t(folio_pfn(folio)), +- write); ++ vma->vm_page_prot, write); + spin_unlock(ptl); + + return VM_FAULT_NOPAGE; diff --git a/queue-6.16/mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch b/queue-6.16/mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch new file mode 100644 index 0000000000..9eaebbd59d --- /dev/null +++ b/queue-6.16/mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch @@ -0,0 +1,64 @@ +From 47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2 Mon Sep 17 00:00:00 2001 +From: Breno Leitao +Date: Thu, 31 Jul 2025 02:57:18 -0700 +Subject: mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock + +From: Breno Leitao + +commit 47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2 upstream. + +When netpoll is enabled, calling pr_warn_once() while holding +kmemleak_lock in mem_pool_alloc() can cause a deadlock due to lock +inversion with the netconsole subsystem. This occurs because +pr_warn_once() may trigger netpoll, which eventually leads to +__alloc_skb() and back into kmemleak code, attempting to reacquire +kmemleak_lock. + +This is the path for the deadlock. + +mem_pool_alloc() + -> raw_spin_lock_irqsave(&kmemleak_lock, flags); + -> pr_warn_once() + -> netconsole subsystem + -> netpoll + -> __alloc_skb + -> __create_object + -> raw_spin_lock_irqsave(&kmemleak_lock, flags); + +Fix this by setting a flag and issuing the pr_warn_once() after +kmemleak_lock is released. + +Link: https://lkml.kernel.org/r/20250731-kmemleak_lock-v1-1-728fd470198f@debian.org +Fixes: c5665868183f ("mm: kmemleak: use the memory pool for early allocations") +Signed-off-by: Breno Leitao +Reported-by: Jakub Kicinski +Acked-by: Catalin Marinas +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/kmemleak.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/mm/kmemleak.c ++++ b/mm/kmemleak.c +@@ -470,6 +470,7 @@ static struct kmemleak_object *mem_pool_ + { + unsigned long flags; + struct kmemleak_object *object; ++ bool warn = false; + + /* try the slab allocator first */ + if (object_cache) { +@@ -488,8 +489,10 @@ static struct kmemleak_object *mem_pool_ + else if (mem_pool_free_count) + object = &mem_pool[--mem_pool_free_count]; + else +- pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n"); ++ warn = true; + raw_spin_unlock_irqrestore(&kmemleak_lock, flags); ++ if (warn) ++ pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n"); + + return object; + } diff --git a/queue-6.16/mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch b/queue-6.16/mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch new file mode 100644 index 0000000000..cf3b5b5dfe --- /dev/null +++ b/queue-6.16/mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch @@ -0,0 +1,66 @@ +From d1534ae23c2b6be350c8ab060803fbf6e9682adc Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Mon, 28 Jul 2025 15:02:48 -0400 +Subject: mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() + +From: Waiman Long + +commit d1534ae23c2b6be350c8ab060803fbf6e9682adc upstream. + +A soft lockup warning was observed on a relative small system x86-64 +system with 16 GB of memory when running a debug kernel with kmemleak +enabled. + + watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134] + +The test system was running a workload with hot unplug happening in +parallel. Then kemleak decided to disable itself due to its inability to +allocate more kmemleak objects. The debug kernel has its +CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE set to 40,000. + +The soft lockup happened in kmemleak_do_cleanup() when the existing +kmemleak objects were being removed and deleted one-by-one in a loop via a +workqueue. In this particular case, there are at least 40,000 objects +that need to be processed and given the slowness of a debug kernel and the +fact that a raw_spinlock has to be acquired and released in +__delete_object(), it could take a while to properly handle all these +objects. + +As kmemleak has been disabled in this case, the object removal and +deletion process can be further optimized as locking isn't really needed. +However, it is probably not worth the effort to optimize for such an edge +case that should rarely happen. So the simple solution is to call +cond_resched() at periodic interval in the iteration loop to avoid soft +lockup. + +Link: https://lkml.kernel.org/r/20250728190248.605750-1-longman@redhat.com +Signed-off-by: Waiman Long +Acked-by: Catalin Marinas +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/kmemleak.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/mm/kmemleak.c ++++ b/mm/kmemleak.c +@@ -2181,6 +2181,7 @@ static const struct file_operations kmem + static void __kmemleak_do_cleanup(void) + { + struct kmemleak_object *object, *tmp; ++ unsigned int cnt = 0; + + /* + * Kmemleak has already been disabled, no need for RCU list traversal +@@ -2189,6 +2190,10 @@ static void __kmemleak_do_cleanup(void) + list_for_each_entry_safe(object, tmp, &object_list, object_list) { + __remove_object(object); + __delete_object(object); ++ ++ /* Call cond_resched() once per 64 iterations to avoid soft lockup */ ++ if (!(++cnt & 0x3f)) ++ cond_resched(); + } + } + diff --git a/queue-6.16/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch b/queue-6.16/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch new file mode 100644 index 0000000000..9c6a12edd5 --- /dev/null +++ b/queue-6.16/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch @@ -0,0 +1,131 @@ +From 59305202c67fea50378dcad0cc199dbc13a0e99a Mon Sep 17 00:00:00 2001 +From: Anshuman Khandual +Date: Fri, 20 Jun 2025 10:54:27 +0530 +Subject: mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() + +From: Anshuman Khandual + +commit 59305202c67fea50378dcad0cc199dbc13a0e99a upstream. + +Memory hot remove unmaps and tears down various kernel page table regions +as required. The ptdump code can race with concurrent modifications of +the kernel page tables. When leaf entries are modified concurrently, the +dump code may log stale or inconsistent information for a VA range, but +this is otherwise not harmful. + +But when intermediate levels of kernel page table are freed, the dump code +will continue to use memory that has been freed and potentially +reallocated for another purpose. In such cases, the ptdump code may +dereference bogus addresses, leading to a number of potential problems. + +To avoid the above mentioned race condition, platforms such as arm64, +riscv and s390 take memory hotplug lock, while dumping kernel page table +via the sysfs interface /sys/kernel/debug/kernel_page_tables. + +Similar race condition exists while checking for pages that might have +been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages +which in turn calls ptdump_check_wx(). Instead of solving this race +condition again, let's just move the memory hotplug lock inside generic +ptdump_check_wx() which will benefit both the scenarios. + +Drop get_online_mems() and put_online_mems() combination from all existing +platform ptdump code paths. + +Link: https://lkml.kernel.org/r/20250620052427.2092093-1-anshuman.khandual@arm.com +Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove") +Signed-off-by: Anshuman Khandual +Acked-by: David Hildenbrand +Reviewed-by: Dev Jain +Acked-by: Alexander Gordeev [s390] +Cc: Catalin Marinas +Cc: Will Deacon +Cc: Ryan Roberts +Cc: Paul Walmsley +Cc: Palmer Dabbelt +Cc: Alexander Gordeev +Cc: Gerald Schaefer +Cc: Heiko Carstens +Cc: Vasily Gorbik +Cc: Christian Borntraeger +Cc: Sven Schnelle +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/mm/ptdump_debugfs.c | 3 --- + arch/riscv/mm/ptdump.c | 3 --- + arch/s390/mm/dump_pagetables.c | 2 -- + mm/ptdump.c | 2 ++ + 4 files changed, 2 insertions(+), 8 deletions(-) + +--- a/arch/arm64/mm/ptdump_debugfs.c ++++ b/arch/arm64/mm/ptdump_debugfs.c +@@ -1,6 +1,5 @@ + // SPDX-License-Identifier: GPL-2.0 + #include +-#include + #include + + #include +@@ -9,9 +8,7 @@ static int ptdump_show(struct seq_file * + { + struct ptdump_info *info = m->private; + +- get_online_mems(); + ptdump_walk(m, info); +- put_online_mems(); + return 0; + } + DEFINE_SHOW_ATTRIBUTE(ptdump); +--- a/arch/riscv/mm/ptdump.c ++++ b/arch/riscv/mm/ptdump.c +@@ -6,7 +6,6 @@ + #include + #include + #include +-#include + #include + #include + +@@ -413,9 +412,7 @@ bool ptdump_check_wx(void) + + static int ptdump_show(struct seq_file *m, void *v) + { +- get_online_mems(); + ptdump_walk(m, m->private); +- put_online_mems(); + + return 0; + } +--- a/arch/s390/mm/dump_pagetables.c ++++ b/arch/s390/mm/dump_pagetables.c +@@ -247,11 +247,9 @@ static int ptdump_show(struct seq_file * + .marker = markers, + }; + +- get_online_mems(); + mutex_lock(&cpa_mutex); + ptdump_walk_pgd(&st.ptdump, &init_mm, NULL); + mutex_unlock(&cpa_mutex); +- put_online_mems(); + return 0; + } + DEFINE_SHOW_ATTRIBUTE(ptdump); +--- a/mm/ptdump.c ++++ b/mm/ptdump.c +@@ -175,6 +175,7 @@ void ptdump_walk_pgd(struct ptdump_state + { + const struct ptdump_range *range = st->range; + ++ get_online_mems(); + mmap_write_lock(mm); + while (range->start != range->end) { + walk_page_range_novma(mm, range->start, range->end, +@@ -182,6 +183,7 @@ void ptdump_walk_pgd(struct ptdump_state + range++; + } + mmap_write_unlock(mm); ++ put_online_mems(); + + /* Flush out the last page */ + st->note_page_flush(st); diff --git a/queue-6.16/mm-shmem-swap-improve-cached-mthp-handling-and-fix-potential-hang.patch b/queue-6.16/mm-shmem-swap-improve-cached-mthp-handling-and-fix-potential-hang.patch new file mode 100644 index 0000000000..472650a6d9 --- /dev/null +++ b/queue-6.16/mm-shmem-swap-improve-cached-mthp-handling-and-fix-potential-hang.patch @@ -0,0 +1,157 @@ +From 5c241ed8d031693dadf33dd98ed2e7cc363e9b66 Mon Sep 17 00:00:00 2001 +From: Kairui Song +Date: Mon, 28 Jul 2025 15:52:59 +0800 +Subject: mm/shmem, swap: improve cached mTHP handling and fix potential hang + +From: Kairui Song + +commit 5c241ed8d031693dadf33dd98ed2e7cc363e9b66 upstream. + +The current swap-in code assumes that, when a swap entry in shmem mapping +is order 0, its cached folios (if present) must be order 0 too, which +turns out not always correct. + +The problem is shmem_split_large_entry is called before verifying the +folio will eventually be swapped in, one possible race is: + + CPU1 CPU2 +shmem_swapin_folio +/* swap in of order > 0 swap entry S1 */ + folio = swap_cache_get_folio + /* folio = NULL */ + order = xa_get_order + /* order > 0 */ + folio = shmem_swap_alloc_folio + /* mTHP alloc failure, folio = NULL */ + <... Interrupted ...> + shmem_swapin_folio + /* S1 is swapped in */ + shmem_writeout + /* S1 is swapped out, folio cached */ + shmem_split_large_entry(..., S1) + /* S1 is split, but the folio covering it has order > 0 now */ + +Now any following swapin of S1 will hang: `xa_get_order` returns 0, and +folio lookup will return a folio with order > 0. The +`xa_get_order(&mapping->i_pages, index) != folio_order(folio)` will always +return false causing swap-in to return -EEXIST. + +And this looks fragile. So fix this up by allowing seeing a larger folio +in swap cache, and check the whole shmem mapping range covered by the +swapin have the right swap value upon inserting the folio. And drop the +redundant tree walks before the insertion. + +This will actually improve performance, as it avoids two redundant Xarray +tree walks in the hot path, and the only side effect is that in the +failure path, shmem may redundantly reallocate a few folios causing +temporary slight memory pressure. + +And worth noting, it may seems the order and value check before inserting +might help reducing the lock contention, which is not true. The swap +cache layer ensures raced swapin will either see a swap cache folio or +failed to do a swapin (we have SWAP_HAS_CACHE bit even if swap cache is +bypassed), so holding the folio lock and checking the folio flag is +already good enough for avoiding the lock contention. The chance that a +folio passes the swap entry value check but the shmem mapping slot has +changed should be very low. + +Link: https://lkml.kernel.org/r/20250728075306.12704-1-ryncsn@gmail.com +Link: https://lkml.kernel.org/r/20250728075306.12704-2-ryncsn@gmail.com +Fixes: 809bc86517cc ("mm: shmem: support large folio swap out") +Signed-off-by: Kairui Song +Reviewed-by: Kemeng Shi +Reviewed-by: Baolin Wang +Tested-by: Baolin Wang +Cc: Baoquan He +Cc: Barry Song +Cc: Chris Li +Cc: Hugh Dickins +Cc: Matthew Wilcox (Oracle) +Cc: Nhat Pham +Cc: Dev Jain +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/shmem.c | 39 ++++++++++++++++++++++++++++++--------- + 1 file changed, 30 insertions(+), 9 deletions(-) + +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -884,7 +884,9 @@ static int shmem_add_to_page_cache(struc + pgoff_t index, void *expected, gfp_t gfp) + { + XA_STATE_ORDER(xas, &mapping->i_pages, index, folio_order(folio)); +- long nr = folio_nr_pages(folio); ++ unsigned long nr = folio_nr_pages(folio); ++ swp_entry_t iter, swap; ++ void *entry; + + VM_BUG_ON_FOLIO(index != round_down(index, nr), folio); + VM_BUG_ON_FOLIO(!folio_test_locked(folio), folio); +@@ -896,14 +898,25 @@ static int shmem_add_to_page_cache(struc + + gfp &= GFP_RECLAIM_MASK; + folio_throttle_swaprate(folio, gfp); ++ swap = radix_to_swp_entry(expected); + + do { ++ iter = swap; + xas_lock_irq(&xas); +- if (expected != xas_find_conflict(&xas)) { +- xas_set_err(&xas, -EEXIST); +- goto unlock; ++ xas_for_each_conflict(&xas, entry) { ++ /* ++ * The range must either be empty, or filled with ++ * expected swap entries. Shmem swap entries are never ++ * partially freed without split of both entry and ++ * folio, so there shouldn't be any holes. ++ */ ++ if (!expected || entry != swp_to_radix_entry(iter)) { ++ xas_set_err(&xas, -EEXIST); ++ goto unlock; ++ } ++ iter.val += 1 << xas_get_order(&xas); + } +- if (expected && xas_find_conflict(&xas)) { ++ if (expected && iter.val - nr != swap.val) { + xas_set_err(&xas, -EEXIST); + goto unlock; + } +@@ -2327,7 +2340,7 @@ static int shmem_swapin_folio(struct ino + error = -ENOMEM; + goto failed; + } +- } else if (order != folio_order(folio)) { ++ } else if (order > folio_order(folio)) { + /* + * Swap readahead may swap in order 0 folios into swapcache + * asynchronously, while the shmem mapping can still stores +@@ -2352,15 +2365,23 @@ static int shmem_swapin_folio(struct ino + + swap = swp_entry(swp_type(swap), swp_offset(swap) + offset); + } ++ } else if (order < folio_order(folio)) { ++ swap.val = round_down(swap.val, 1 << folio_order(folio)); ++ index = round_down(index, 1 << folio_order(folio)); + } + + alloced: +- /* We have to do this with folio locked to prevent races */ ++ /* ++ * We have to do this with the folio locked to prevent races. ++ * The shmem_confirm_swap below only checks if the first swap ++ * entry matches the folio, that's enough to ensure the folio ++ * is not used outside of shmem, as shmem swap entries ++ * and swap cache folios are never partially freed. ++ */ + folio_lock(folio); + if ((!skip_swapcache && !folio_test_swapcache(folio)) || +- folio->swap.val != swap.val || + !shmem_confirm_swap(mapping, index, swap) || +- xa_get_order(&mapping->i_pages, index) != folio_order(folio)) { ++ folio->swap.val != swap.val) { + error = -EEXIST; + goto unlock; + } diff --git a/queue-6.16/mm-slab-restore-numa-policy-support-for-large-kmalloc.patch b/queue-6.16/mm-slab-restore-numa-policy-support-for-large-kmalloc.patch new file mode 100644 index 0000000000..b51def38d2 --- /dev/null +++ b/queue-6.16/mm-slab-restore-numa-policy-support-for-large-kmalloc.patch @@ -0,0 +1,42 @@ +From e2d18cbf178775ad377ad88ee55e6e183c38d262 Mon Sep 17 00:00:00 2001 +From: Vlastimil Babka +Date: Mon, 2 Jun 2025 13:02:12 +0200 +Subject: mm, slab: restore NUMA policy support for large kmalloc + +From: Vlastimil Babka + +commit e2d18cbf178775ad377ad88ee55e6e183c38d262 upstream. + +The slab allocator observes the task's NUMA policy in various places +such as allocating slab pages. Large kmalloc() allocations used to do +that too, until an unintended change by c4cab557521a ("mm/slab_common: +cleanup kmalloc_large()") resulted in ignoring mempolicy and just +preferring the local node. Restore the NUMA policy support. + +Fixes: c4cab557521a ("mm/slab_common: cleanup kmalloc_large()") +Cc: +Acked-by: Christoph Lameter (Ampere) +Acked-by: Roman Gushchin +Reviewed-by: Harry Yoo +Signed-off-by: Vlastimil Babka +Signed-off-by: Greg Kroah-Hartman +--- + mm/slub.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -4269,7 +4269,12 @@ static void *___kmalloc_large_node(size_ + flags = kmalloc_fix_flags(flags); + + flags |= __GFP_COMP; +- folio = (struct folio *)alloc_pages_node_noprof(node, flags, order); ++ ++ if (node == NUMA_NO_NODE) ++ folio = (struct folio *)alloc_pages_noprof(flags, order); ++ else ++ folio = (struct folio *)__alloc_pages_noprof(flags, order, node, NULL); ++ + if (folio) { + ptr = folio_address(folio); + lruvec_stat_mod_folio(folio, NR_SLAB_UNRECLAIMABLE_B, diff --git a/queue-6.16/net-sched-ets-use-old-nbands-while-purging-unused-classes.patch b/queue-6.16/net-sched-ets-use-old-nbands-while-purging-unused-classes.patch new file mode 100644 index 0000000000..679eaf5bd5 --- /dev/null +++ b/queue-6.16/net-sched-ets-use-old-nbands-while-purging-unused-classes.patch @@ -0,0 +1,115 @@ +From 87c6efc5ce9c126ae4a781bc04504b83780e3650 Mon Sep 17 00:00:00 2001 +From: Davide Caratti +Date: Tue, 12 Aug 2025 18:40:29 +0200 +Subject: net/sched: ets: use old 'nbands' while purging unused classes + +From: Davide Caratti + +commit 87c6efc5ce9c126ae4a781bc04504b83780e3650 upstream. + +Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify() +after recent changes from Lion [2]. The problem is: in ets_qdisc_change() +we purge unused DWRR queues; the value of 'q->nbands' is the new one, and +the cleanup should be done with the old one. The problem is here since my +first attempts to fix ets_qdisc_change(), but it surfaced again after the +recent qdisc len accounting fixes. Fix it purging idle DWRR queues before +assigning a new value of 'q->nbands', so that all purge operations find a +consistent configuration: + + - old 'q->nbands' because it's needed by ets_class_find() + - old 'q->nstrict' because it's needed by ets_class_is_strict() + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: Oops: 0000 [#1] SMP NOPTI + CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary) + Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021 + RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80 + Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab + RSP: 0018:ffffba186009f400 EFLAGS: 00010202 + RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004 + RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000 + RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004 + R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000 + R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000 + FS: 00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + + ets_class_qlen_notify+0x65/0x90 [sch_ets] + qdisc_tree_reduce_backlog+0x74/0x110 + ets_qdisc_change+0x630/0xa40 [sch_ets] + __tc_modify_qdisc.constprop.0+0x216/0x7f0 + tc_modify_qdisc+0x7c/0x120 + rtnetlink_rcv_msg+0x145/0x3f0 + netlink_rcv_skb+0x53/0x100 + netlink_unicast+0x245/0x390 + netlink_sendmsg+0x21b/0x470 + ____sys_sendmsg+0x39d/0x3d0 + ___sys_sendmsg+0x9a/0xe0 + __sys_sendmsg+0x7a/0xd0 + do_syscall_64+0x7d/0x160 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + RIP: 0033:0x7f2155114084 + Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89 + RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084 + RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003 + RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f + R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0 + R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0 + + + [1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/ + [2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/ + +Cc: stable@vger.kernel.org +Fixes: 103406b38c60 ("net/sched: Always pass notifications when child class becomes empty") +Fixes: c062f2a0b04d ("net/sched: sch_ets: don't remove idle classes from the round-robin list") +Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc") +Reported-by: Li Shuang +Closes: https://issues.redhat.com/browse/RHEL-108026 +Reviewed-by: Petr Machata +Co-developed-by: Ivan Vecera +Signed-off-by: Ivan Vecera +Signed-off-by: Davide Caratti +Link: https://patch.msgid.link/7928ff6d17db47a2ae7cc205c44777b1f1950545.1755016081.git.dcaratti@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_ets.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/net/sched/sch_ets.c ++++ b/net/sched/sch_ets.c +@@ -651,6 +651,12 @@ static int ets_qdisc_change(struct Qdisc + + sch_tree_lock(sch); + ++ for (i = nbands; i < oldbands; i++) { ++ if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) ++ list_del_init(&q->classes[i].alist); ++ qdisc_purge_queue(q->classes[i].qdisc); ++ } ++ + WRITE_ONCE(q->nbands, nbands); + for (i = nstrict; i < q->nstrict; i++) { + if (q->classes[i].qdisc->q.qlen) { +@@ -658,11 +664,6 @@ static int ets_qdisc_change(struct Qdisc + q->classes[i].deficit = quanta[i]; + } + } +- for (i = q->nbands; i < oldbands; i++) { +- if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) +- list_del_init(&q->classes[i].alist); +- qdisc_purge_queue(q->classes[i].qdisc); +- } + WRITE_ONCE(q->nstrict, nstrict); + memcpy(q->prio2band, priomap, sizeof(priomap)); + diff --git a/queue-6.16/ocfs2-reset-folio-to-null-when-get-folio-fails.patch b/queue-6.16/ocfs2-reset-folio-to-null-when-get-folio-fails.patch new file mode 100644 index 0000000000..2fff31b95d --- /dev/null +++ b/queue-6.16/ocfs2-reset-folio-to-null-when-get-folio-fails.patch @@ -0,0 +1,43 @@ +From 2ae826799932ff89409f56636ad3c25578fe7cf5 Mon Sep 17 00:00:00 2001 +From: Lizhi Xu +Date: Mon, 16 Jun 2025 09:31:40 +0800 +Subject: ocfs2: reset folio to NULL when get folio fails + +From: Lizhi Xu + +commit 2ae826799932ff89409f56636ad3c25578fe7cf5 upstream. + +The reproducer uses FAULT_INJECTION to make memory allocation fail, which +causes __filemap_get_folio() to fail, when initializing w_folios[i] in +ocfs2_grab_folios_for_write(), it only returns an error code and the value +of w_folios[i] is the error code, which causes +ocfs2_unlock_and_free_folios() to recycle the invalid w_folios[i] when +releasing folios. + +Link: https://lkml.kernel.org/r/20250616013140.3602219-1-lizhi.xu@windriver.com +Reported-by: syzbot+c2ea94ae47cd7e3881ec@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=c2ea94ae47cd7e3881ec +Signed-off-by: Lizhi Xu +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/aops.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ocfs2/aops.c ++++ b/fs/ocfs2/aops.c +@@ -1071,6 +1071,7 @@ static int ocfs2_grab_folios_for_write(s + if (IS_ERR(wc->w_folios[i])) { + ret = PTR_ERR(wc->w_folios[i]); + mlog_errno(ret); ++ wc->w_folios[i] = NULL; + goto out; + } + } diff --git a/queue-6.16/parisc-makefile-fix-a-typo-in-palo.conf.patch b/queue-6.16/parisc-makefile-fix-a-typo-in-palo.conf.patch new file mode 100644 index 0000000000..3e1aad747c --- /dev/null +++ b/queue-6.16/parisc-makefile-fix-a-typo-in-palo.conf.patch @@ -0,0 +1,35 @@ +From 963f1b20a8d2a098954606b9725cd54336a2a86c Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Wed, 25 Jun 2025 00:39:33 -0700 +Subject: parisc: Makefile: fix a typo in palo.conf + +From: Randy Dunlap + +commit 963f1b20a8d2a098954606b9725cd54336a2a86c upstream. + +Correct "objree" to "objtree". "objree" is not defined. + +Fixes: 75dd47472b92 ("kbuild: remove src and obj from the top Makefile") +Signed-off-by: Randy Dunlap +Cc: Masahiro Yamada +Cc: "James E.J. Bottomley" +Cc: Helge Deller +Cc: linux-parisc@vger.kernel.org +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.3+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/parisc/Makefile ++++ b/arch/parisc/Makefile +@@ -139,7 +139,7 @@ palo lifimage: vmlinuz + fi + @if test ! -f "$(PALOCONF)"; then \ + cp $(srctree)/arch/parisc/defpalo.conf $(objtree)/palo.conf; \ +- echo 'A generic palo config file ($(objree)/palo.conf) has been created for you.'; \ ++ echo 'A generic palo config file ($(objtree)/palo.conf) has been created for you.'; \ + echo 'You should check it and re-run "make palo".'; \ + echo 'WARNING: the "lifimage" file is now placed in this directory by default!'; \ + false; \ diff --git a/queue-6.16/rdma-siw-fix-the-sendmsg-byte-count-in-siw_tcp_sendpages.patch b/queue-6.16/rdma-siw-fix-the-sendmsg-byte-count-in-siw_tcp_sendpages.patch new file mode 100644 index 0000000000..6aa00bd550 --- /dev/null +++ b/queue-6.16/rdma-siw-fix-the-sendmsg-byte-count-in-siw_tcp_sendpages.patch @@ -0,0 +1,95 @@ +From c18646248fed07683d4cee8a8af933fc4fe83c0d Mon Sep 17 00:00:00 2001 +From: Pedro Falcato +Date: Tue, 29 Jul 2025 13:03:48 +0100 +Subject: RDMA/siw: Fix the sendmsg byte count in siw_tcp_sendpages + +From: Pedro Falcato + +commit c18646248fed07683d4cee8a8af933fc4fe83c0d upstream. + +Ever since commit c2ff29e99a76 ("siw: Inline do_tcp_sendpages()"), +we have been doing this: + +static int siw_tcp_sendpages(struct socket *s, struct page **page, int offset, + size_t size) +[...] + /* Calculate the number of bytes we need to push, for this page + * specifically */ + size_t bytes = min_t(size_t, PAGE_SIZE - offset, size); + /* If we can't splice it, then copy it in, as normal */ + if (!sendpage_ok(page[i])) + msg.msg_flags &= ~MSG_SPLICE_PAGES; + /* Set the bvec pointing to the page, with len $bytes */ + bvec_set_page(&bvec, page[i], bytes, offset); + /* Set the iter to $size, aka the size of the whole sendpages (!!!) */ + iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, size); +try_page_again: + lock_sock(sk); + /* Sendmsg with $size size (!!!) */ + rv = tcp_sendmsg_locked(sk, &msg, size); + +This means we've been sending oversized iov_iters and tcp_sendmsg calls +for a while. This has a been a benign bug because sendpage_ok() always +returned true. With the recent slab allocator changes being slowly +introduced into next (that disallow sendpage on large kmalloc +allocations), we have recently hit out-of-bounds crashes, due to slight +differences in iov_iter behavior between the MSG_SPLICE_PAGES and +"regular" copy paths: + +(MSG_SPLICE_PAGES) +skb_splice_from_iter + iov_iter_extract_pages + iov_iter_extract_bvec_pages + uses i->nr_segs to correctly stop in its tracks before OoB'ing everywhere + skb_splice_from_iter gets a "short" read + +(!MSG_SPLICE_PAGES) +skb_copy_to_page_nocache copy=iov_iter_count + [...] + copy_from_iter + /* this doesn't help */ + if (unlikely(iter->count < len)) + len = iter->count; + iterate_bvec + ... and we run off the bvecs + +Fix this by properly setting the iov_iter's byte count, plus sending the +correct byte count to tcp_sendmsg_locked. + +Link: https://patch.msgid.link/r/20250729120348.495568-1-pfalcato@suse.de +Cc: stable@vger.kernel.org +Fixes: c2ff29e99a76 ("siw: Inline do_tcp_sendpages()") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202507220801.50a7210-lkp@intel.com +Reviewed-by: David Howells +Signed-off-by: Pedro Falcato +Acked-by: Bernard Metzler +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/sw/siw/siw_qp_tx.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/sw/siw/siw_qp_tx.c ++++ b/drivers/infiniband/sw/siw/siw_qp_tx.c +@@ -332,18 +332,17 @@ static int siw_tcp_sendpages(struct sock + if (!sendpage_ok(page[i])) + msg.msg_flags &= ~MSG_SPLICE_PAGES; + bvec_set_page(&bvec, page[i], bytes, offset); +- iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, size); ++ iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, bytes); + + try_page_again: + lock_sock(sk); +- rv = tcp_sendmsg_locked(sk, &msg, size); ++ rv = tcp_sendmsg_locked(sk, &msg, bytes); + release_sock(sk); + + if (rv > 0) { + size -= rv; + sent += rv; + if (rv != bytes) { +- offset += rv; + bytes -= rv; + goto try_page_again; + } diff --git a/queue-6.16/series b/queue-6.16/series index e68ac176cd..3586bf6df9 100644 --- a/queue-6.16/series +++ b/queue-6.16/series @@ -531,3 +531,26 @@ btrfs-fix-wrong-length-parameter-for-btrfs_cleanup_ordered_extents.patch btrfs-fix-iteration-bug-in-__qgroup_excl_accounting.patch btrfs-do-not-allow-relocation-of-partially-dropped-subvolumes.patch xfs-fix-scrub-trace-with-null-pointer-in-quotacheck.patch +userfaultfd-fix-a-crash-in-uffdio_move-when-pmd-is-a-migration-entry.patch +fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch +fbdev-nvidiafb-add-depends-on-has_ioport.patch +ocfs2-reset-folio-to-null-when-get-folio-fails.patch +net-sched-ets-use-old-nbands-while-purging-unused-classes.patch +hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch +i2c-core-fix-double-free-of-fwnode-in-i2c_unregister_device.patch +parisc-makefile-fix-a-typo-in-palo.conf.patch +mm-slab-restore-numa-policy-support-for-large-kmalloc.patch +mm-huge_memory-don-t-ignore-queried-cachemode-in-vmf_insert_pfn_pud.patch +mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch +mm-shmem-swap-improve-cached-mthp-handling-and-fix-potential-hang.patch +mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch +mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch +media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch +media-venus-fix-oob-read-due-to-missing-payload-bound-check.patch +media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch +media-v4l2-add-support-for-nv12m-tiled-variants-to-v4l2_format_info.patch +media-uvcvideo-turn-on-the-camera-if-v4l2_event_sub_fl_send_initial.patch +media-i2c-vd55g1-fix-return-code-in-vd55g1_enable_streams-error-path.patch +tracing-fprobe-fix-infinite-recursion-using-preempt_-_notrace.patch +tools-nolibc-fix-spelling-of-fd_setbitmask-in-fd_-macros.patch +rdma-siw-fix-the-sendmsg-byte-count-in-siw_tcp_sendpages.patch diff --git a/queue-6.16/tools-nolibc-fix-spelling-of-fd_setbitmask-in-fd_-macros.patch b/queue-6.16/tools-nolibc-fix-spelling-of-fd_setbitmask-in-fd_-macros.patch new file mode 100644 index 0000000000..545f0f6564 --- /dev/null +++ b/queue-6.16/tools-nolibc-fix-spelling-of-fd_setbitmask-in-fd_-macros.patch @@ -0,0 +1,46 @@ +From a477629baa2a0e9991f640af418e8c973a1c08e3 Mon Sep 17 00:00:00 2001 +From: Willy Tarreau +Date: Thu, 19 Jun 2025 11:30:51 +0200 +Subject: tools/nolibc: fix spelling of FD_SETBITMASK in FD_* macros +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Willy Tarreau + +commit a477629baa2a0e9991f640af418e8c973a1c08e3 upstream. + +While nolibc-test does test syscalls, it doesn't test as much the rest +of the macros, and a wrong spelling of FD_SETBITMASK in commit +feaf75658783a broke programs using either FD_SET() or FD_CLR() without +being noticed. Let's fix these macros. + +Fixes: feaf75658783a ("nolibc: fix fd_set type") +Cc: stable@vger.kernel.org # v6.2+ +Acked-by: Thomas Weißschuh +Signed-off-by: Willy Tarreau +Signed-off-by: Greg Kroah-Hartman +--- + tools/include/nolibc/types.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/include/nolibc/types.h ++++ b/tools/include/nolibc/types.h +@@ -128,7 +128,7 @@ typedef struct { + int __fd = (fd); \ + if (__fd >= 0) \ + __set->fds[__fd / FD_SETIDXMASK] &= \ +- ~(1U << (__fd & FX_SETBITMASK)); \ ++ ~(1U << (__fd & FD_SETBITMASK)); \ + } while (0) + + #define FD_SET(fd, set) do { \ +@@ -145,7 +145,7 @@ typedef struct { + int __r = 0; \ + if (__fd >= 0) \ + __r = !!(__set->fds[__fd / FD_SETIDXMASK] & \ +-1U << (__fd & FD_SET_BITMASK)); \ ++1U << (__fd & FD_SETBITMASK)); \ + __r; \ + }) + diff --git a/queue-6.16/tracing-fprobe-fix-infinite-recursion-using-preempt_-_notrace.patch b/queue-6.16/tracing-fprobe-fix-infinite-recursion-using-preempt_-_notrace.patch new file mode 100644 index 0000000000..5007a21240 --- /dev/null +++ b/queue-6.16/tracing-fprobe-fix-infinite-recursion-using-preempt_-_notrace.patch @@ -0,0 +1,47 @@ +From a3e892ab0fc287389176eabdcd74234508f6e52d Mon Sep 17 00:00:00 2001 +From: "Masami Hiramatsu (Google)" +Date: Tue, 29 Jul 2025 08:47:03 +0900 +Subject: tracing: fprobe: Fix infinite recursion using preempt_*_notrace() + +From: Masami Hiramatsu (Google) + +commit a3e892ab0fc287389176eabdcd74234508f6e52d upstream. + +Since preempt_count_add/del() are tracable functions, it is not allowed +to use preempt_disable/enable() in ftrace handlers. Without this fix, +probing on `preempt_count_add%return` will cause an infinite recursion +of fprobes. + +To fix this problem, use preempt_disable/enable_notrace() in +fprobe_return(). + +Link: https://lore.kernel.org/all/175374642359.1471729.1054175011228386560.stgit@mhiramat.tok.corp.google.com/ + +Fixes: 4346ba160409 ("fprobe: Rewrite fprobe on function-graph tracer") +Cc: stable@vger.kernel.org +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/fprobe.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/trace/fprobe.c ++++ b/kernel/trace/fprobe.c +@@ -352,7 +352,7 @@ static void fprobe_return(struct ftrace_ + size_words = SIZE_IN_LONG(size); + ret_ip = ftrace_regs_get_instruction_pointer(fregs); + +- preempt_disable(); ++ preempt_disable_notrace(); + + curr = 0; + while (size_words > curr) { +@@ -368,7 +368,7 @@ static void fprobe_return(struct ftrace_ + } + curr += size; + } +- preempt_enable(); ++ preempt_enable_notrace(); + } + NOKPROBE_SYMBOL(fprobe_return); + diff --git a/queue-6.16/userfaultfd-fix-a-crash-in-uffdio_move-when-pmd-is-a-migration-entry.patch b/queue-6.16/userfaultfd-fix-a-crash-in-uffdio_move-when-pmd-is-a-migration-entry.patch new file mode 100644 index 0000000000..8ad00e0d9e --- /dev/null +++ b/queue-6.16/userfaultfd-fix-a-crash-in-uffdio_move-when-pmd-is-a-migration-entry.patch @@ -0,0 +1,57 @@ +From aba6faec0103ed8f169be8dce2ead41fcb689446 Mon Sep 17 00:00:00 2001 +From: Suren Baghdasaryan +Date: Wed, 6 Aug 2025 15:00:22 -0700 +Subject: userfaultfd: fix a crash in UFFDIO_MOVE when PMD is a migration entry + +From: Suren Baghdasaryan + +commit aba6faec0103ed8f169be8dce2ead41fcb689446 upstream. + +When UFFDIO_MOVE encounters a migration PMD entry, it proceeds with +obtaining a folio and accessing it even though the entry is swp_entry_t. +Add the missing check and let split_huge_pmd() handle migration entries. +While at it also remove unnecessary folio check. + +[surenb@google.com: remove extra folio check, per David] + Link: https://lkml.kernel.org/r/20250807200418.1963585-1-surenb@google.com +Link: https://lkml.kernel.org/r/20250806220022.926763-1-surenb@google.com +Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI") +Signed-off-by: Suren Baghdasaryan +Reported-by: syzbot+b446dbe27035ef6bd6c2@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/68794b5c.a70a0220.693ce.0050.GAE@google.com/ +Reviewed-by: Peter Xu +Acked-by: David Hildenbrand +Cc: Andrea Arcangeli +Cc: Lokesh Gidra +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/userfaultfd.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/mm/userfaultfd.c ++++ b/mm/userfaultfd.c +@@ -1829,13 +1829,16 @@ ssize_t move_pages(struct userfaultfd_ct + /* Check if we can move the pmd without splitting it. */ + if (move_splits_huge_pmd(dst_addr, src_addr, src_start + len) || + !pmd_none(dst_pmdval)) { +- struct folio *folio = pmd_folio(*src_pmd); ++ /* Can be a migration entry */ ++ if (pmd_present(*src_pmd)) { ++ struct folio *folio = pmd_folio(*src_pmd); + +- if (!folio || (!is_huge_zero_folio(folio) && +- !PageAnonExclusive(&folio->page))) { +- spin_unlock(ptl); +- err = -EBUSY; +- break; ++ if (!is_huge_zero_folio(folio) && ++ !PageAnonExclusive(&folio->page)) { ++ spin_unlock(ptl); ++ err = -EBUSY; ++ break; ++ } + } + + spin_unlock(ptl);