From: Sasha Levin Date: Sun, 19 Jan 2025 23:10:07 +0000 (-0500) Subject: Fixes for 6.1 X-Git-Tag: v6.6.73~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9e3d1b9d511524d59655cccc2b96fe55f5b0a675;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/acpi-resource-acpi_dev_irq_override-check-dmi-match-.patch b/queue-6.1/acpi-resource-acpi_dev_irq_override-check-dmi-match-.patch new file mode 100644 index 0000000000..0d977e794a --- /dev/null +++ b/queue-6.1/acpi-resource-acpi_dev_irq_override-check-dmi-match-.patch @@ -0,0 +1,48 @@ +From 7496c9e42d7d7a7527e6884a803fd8771138169f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Dec 2024 17:52:53 +0100 +Subject: ACPI: resource: acpi_dev_irq_override(): Check DMI match last + +From: Hans de Goede + +[ Upstream commit cd4a7b2e6a2437a5502910c08128ea3bad55a80b ] + +acpi_dev_irq_override() gets called approx. 30 times during boot (15 legacy +IRQs * 2 override_table entries). Of these 30 calls at max 1 will match +the non DMI checks done by acpi_dev_irq_override(). The dmi_check_system() +check is by far the most expensive check done by acpi_dev_irq_override(), +make this call the last check done by acpi_dev_irq_override() so that it +will be called at max 1 time instead of 30 times. + +Signed-off-by: Hans de Goede +Reviewed-by: Mario Limonciello +Link: https://patch.msgid.link/20241228165253.42584-1-hdegoede@redhat.com +[ rjw: Subject edit ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/resource.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c +index 6e041d40cad50..34cb7894e54ee 100644 +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -663,11 +663,11 @@ static bool acpi_dev_irq_override(u32 gsi, u8 triggering, u8 polarity, + for (i = 0; i < ARRAY_SIZE(override_table); i++) { + const struct irq_override_cmp *entry = &override_table[i]; + +- if (dmi_check_system(entry->system) && +- entry->irq == gsi && ++ if (entry->irq == gsi && + entry->triggering == triggering && + entry->polarity == polarity && +- entry->shareable == shareable) ++ entry->shareable == shareable && ++ dmi_check_system(entry->system)) + return entry->override; + } + +-- +2.39.5 + diff --git a/queue-6.1/bpf-fix-bpf_sk_select_reuseport-memory-leak.patch-30571 b/queue-6.1/bpf-fix-bpf_sk_select_reuseport-memory-leak.patch-30571 new file mode 100644 index 0000000000..7abcd30435 --- /dev/null +++ b/queue-6.1/bpf-fix-bpf_sk_select_reuseport-memory-leak.patch-30571 @@ -0,0 +1,112 @@ +From 077ef3d346518aff2e8bfef99ade80f54ce5e02e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jan 2025 14:21:55 +0100 +Subject: bpf: Fix bpf_sk_select_reuseport() memory leak + +From: Michal Luczaj + +[ Upstream commit b3af60928ab9129befa65e6df0310d27300942bf ] + +As pointed out in the original comment, lookup in sockmap can return a TCP +ESTABLISHED socket. Such TCP socket may have had SO_ATTACH_REUSEPORT_EBPF +set before it was ESTABLISHED. In other words, a non-NULL sk_reuseport_cb +does not imply a non-refcounted socket. + +Drop sk's reference in both error paths. + +unreferenced object 0xffff888101911800 (size 2048): + comm "test_progs", pid 44109, jiffies 4297131437 + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 80 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace (crc 9336483b): + __kmalloc_noprof+0x3bf/0x560 + __reuseport_alloc+0x1d/0x40 + reuseport_alloc+0xca/0x150 + reuseport_attach_prog+0x87/0x140 + sk_reuseport_attach_bpf+0xc8/0x100 + sk_setsockopt+0x1181/0x1990 + do_sock_setsockopt+0x12b/0x160 + __sys_setsockopt+0x7b/0xc0 + __x64_sys_setsockopt+0x1b/0x30 + do_syscall_64+0x93/0x180 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Fixes: 64d85290d79c ("bpf: Allow bpf_map_lookup_elem for SOCKMAP and SOCKHASH") +Signed-off-by: Michal Luczaj +Reviewed-by: Martin KaFai Lau +Link: https://patch.msgid.link/20250110-reuseport-memleak-v1-1-fa1ddab0adfe@rbox.co +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 30 ++++++++++++++++++------------ + 1 file changed, 18 insertions(+), 12 deletions(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index 7f9d703b00e7c..b35615c469e27 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -11109,6 +11109,7 @@ BPF_CALL_4(sk_select_reuseport, struct sk_reuseport_kern *, reuse_kern, + bool is_sockarray = map->map_type == BPF_MAP_TYPE_REUSEPORT_SOCKARRAY; + struct sock_reuseport *reuse; + struct sock *selected_sk; ++ int err; + + selected_sk = map->ops->map_lookup_elem(map, key); + if (!selected_sk) +@@ -11116,10 +11117,6 @@ BPF_CALL_4(sk_select_reuseport, struct sk_reuseport_kern *, reuse_kern, + + reuse = rcu_dereference(selected_sk->sk_reuseport_cb); + if (!reuse) { +- /* Lookup in sock_map can return TCP ESTABLISHED sockets. */ +- if (sk_is_refcounted(selected_sk)) +- sock_put(selected_sk); +- + /* reuseport_array has only sk with non NULL sk_reuseport_cb. + * The only (!reuse) case here is - the sk has already been + * unhashed (e.g. by close()), so treat it as -ENOENT. +@@ -11127,24 +11124,33 @@ BPF_CALL_4(sk_select_reuseport, struct sk_reuseport_kern *, reuse_kern, + * Other maps (e.g. sock_map) do not provide this guarantee and + * the sk may never be in the reuseport group to begin with. + */ +- return is_sockarray ? -ENOENT : -EINVAL; ++ err = is_sockarray ? -ENOENT : -EINVAL; ++ goto error; + } + + if (unlikely(reuse->reuseport_id != reuse_kern->reuseport_id)) { + struct sock *sk = reuse_kern->sk; + +- if (sk->sk_protocol != selected_sk->sk_protocol) +- return -EPROTOTYPE; +- else if (sk->sk_family != selected_sk->sk_family) +- return -EAFNOSUPPORT; +- +- /* Catch all. Likely bound to a different sockaddr. */ +- return -EBADFD; ++ if (sk->sk_protocol != selected_sk->sk_protocol) { ++ err = -EPROTOTYPE; ++ } else if (sk->sk_family != selected_sk->sk_family) { ++ err = -EAFNOSUPPORT; ++ } else { ++ /* Catch all. Likely bound to a different sockaddr. */ ++ err = -EBADFD; ++ } ++ goto error; + } + + reuse_kern->selected_sk = selected_sk; + + return 0; ++error: ++ /* Lookup in sock_map can return TCP ESTABLISHED sockets. */ ++ if (sk_is_refcounted(selected_sk)) ++ sock_put(selected_sk); ++ ++ return err; + } + + static const struct bpf_func_proto sk_select_reuseport_proto = { +-- +2.39.5 + diff --git a/queue-6.1/cachefiles-parse-the-secctx-immediately.patch b/queue-6.1/cachefiles-parse-the-secctx-immediately.patch new file mode 100644 index 0000000000..3d55fe016b --- /dev/null +++ b/queue-6.1/cachefiles-parse-the-secctx-immediately.patch @@ -0,0 +1,136 @@ +From 39fe1f643181393e1121fdabc6e8f6791038b5ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Dec 2024 13:50:05 +0000 +Subject: cachefiles: Parse the "secctx" immediately + +From: Max Kellermann + +[ Upstream commit e5a8b6446c0d370716f193771ccacf3260a57534 ] + +Instead of storing an opaque string, call security_secctx_to_secid() +right in the "secctx" command handler and store only the numeric +"secid". This eliminates an unnecessary string allocation and allows +the daemon to receive errors when writing the "secctx" command instead +of postponing the error to the "bind" command handler. For example, +if the kernel was built without `CONFIG_SECURITY`, "bind" will return +`EOPNOTSUPP`, but the daemon doesn't know why. With this patch, the +"secctx" will instead return `EOPNOTSUPP` which is the right context +for this error. + +This patch adds a boolean flag `have_secid` because I'm not sure if we +can safely assume that zero is the special secid value for "not set". +This appears to be true for SELinux, Smack and AppArmor, but since +this attribute is not documented, I'm unable to derive a stable +guarantee for that. + +Signed-off-by: Max Kellermann +Signed-off-by: David Howells +Link: https://lore.kernel.org/r/20241209141554.638708-1-max.kellermann@ionos.com/ +Link: https://lore.kernel.org/r/20241213135013.2964079-6-dhowells@redhat.com +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/cachefiles/daemon.c | 14 +++++++------- + fs/cachefiles/internal.h | 3 ++- + fs/cachefiles/security.c | 6 +++--- + 3 files changed, 12 insertions(+), 11 deletions(-) + +diff --git a/fs/cachefiles/daemon.c b/fs/cachefiles/daemon.c +index 89b11336a8369..1806bff8e59bc 100644 +--- a/fs/cachefiles/daemon.c ++++ b/fs/cachefiles/daemon.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -576,7 +577,7 @@ static int cachefiles_daemon_dir(struct cachefiles_cache *cache, char *args) + */ + static int cachefiles_daemon_secctx(struct cachefiles_cache *cache, char *args) + { +- char *secctx; ++ int err; + + _enter(",%s", args); + +@@ -585,16 +586,16 @@ static int cachefiles_daemon_secctx(struct cachefiles_cache *cache, char *args) + return -EINVAL; + } + +- if (cache->secctx) { ++ if (cache->have_secid) { + pr_err("Second security context specified\n"); + return -EINVAL; + } + +- secctx = kstrdup(args, GFP_KERNEL); +- if (!secctx) +- return -ENOMEM; ++ err = security_secctx_to_secid(args, strlen(args), &cache->secid); ++ if (err) ++ return err; + +- cache->secctx = secctx; ++ cache->have_secid = true; + return 0; + } + +@@ -820,7 +821,6 @@ static void cachefiles_daemon_unbind(struct cachefiles_cache *cache) + put_cred(cache->cache_cred); + + kfree(cache->rootdirname); +- kfree(cache->secctx); + kfree(cache->tag); + + _leave(""); +diff --git a/fs/cachefiles/internal.h b/fs/cachefiles/internal.h +index 111ad6ecd4baf..4421a12960a66 100644 +--- a/fs/cachefiles/internal.h ++++ b/fs/cachefiles/internal.h +@@ -122,7 +122,6 @@ struct cachefiles_cache { + #define CACHEFILES_STATE_CHANGED 3 /* T if state changed (poll trigger) */ + #define CACHEFILES_ONDEMAND_MODE 4 /* T if in on-demand read mode */ + char *rootdirname; /* name of cache root directory */ +- char *secctx; /* LSM security context */ + char *tag; /* cache binding tag */ + refcount_t unbind_pincount;/* refcount to do daemon unbind */ + struct xarray reqs; /* xarray of pending on-demand requests */ +@@ -130,6 +129,8 @@ struct cachefiles_cache { + struct xarray ondemand_ids; /* xarray for ondemand_id allocation */ + u32 ondemand_id_next; + u32 msg_id_next; ++ u32 secid; /* LSM security id */ ++ bool have_secid; /* whether "secid" was set */ + }; + + static inline bool cachefiles_in_ondemand_mode(struct cachefiles_cache *cache) +diff --git a/fs/cachefiles/security.c b/fs/cachefiles/security.c +index fe777164f1d89..fc6611886b3b5 100644 +--- a/fs/cachefiles/security.c ++++ b/fs/cachefiles/security.c +@@ -18,7 +18,7 @@ int cachefiles_get_security_ID(struct cachefiles_cache *cache) + struct cred *new; + int ret; + +- _enter("{%s}", cache->secctx); ++ _enter("{%u}", cache->have_secid ? cache->secid : 0); + + new = prepare_kernel_cred(current); + if (!new) { +@@ -26,8 +26,8 @@ int cachefiles_get_security_ID(struct cachefiles_cache *cache) + goto error; + } + +- if (cache->secctx) { +- ret = set_security_override_from_ctx(new, cache->secctx); ++ if (cache->have_secid) { ++ ret = set_security_override(new, cache->secid); + if (ret < 0) { + put_cred(new); + pr_err("Security denies permission to nominate security context: error %d\n", +-- +2.39.5 + diff --git a/queue-6.1/drm-v3d-ensure-job-pointer-is-set-to-null-after-job-.patch-13413 b/queue-6.1/drm-v3d-ensure-job-pointer-is-set-to-null-after-job-.patch-13413 new file mode 100644 index 0000000000..1fd64dbaa4 --- /dev/null +++ b/queue-6.1/drm-v3d-ensure-job-pointer-is-set-to-null-after-job-.patch-13413 @@ -0,0 +1,66 @@ +From e7a3c20158de9fa5cd38353e9a68e460b61b4b76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jan 2025 12:47:40 -0300 +Subject: drm/v3d: Ensure job pointer is set to NULL after job completion +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +[ Upstream commit e4b5ccd392b92300a2b341705cc4805681094e49 ] + +After a job completes, the corresponding pointer in the device must +be set to NULL. Failing to do so triggers a warning when unloading +the driver, as it appears the job is still active. To prevent this, +assign the job pointer to NULL after completing the job, indicating +the job has finished. + +Fixes: 14d1d1908696 ("drm/v3d: Remove the bad signaled() implementation.") +Signed-off-by: Maíra Canal +Reviewed-by: Jose Maria Casanova Crespo +Link: https://patchwork.freedesktop.org/patch/msgid/20250113154741.67520-1-mcanal@igalia.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/v3d/v3d_irq.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/v3d/v3d_irq.c b/drivers/gpu/drm/v3d/v3d_irq.c +index e714d5318f309..76806039691a2 100644 +--- a/drivers/gpu/drm/v3d/v3d_irq.c ++++ b/drivers/gpu/drm/v3d/v3d_irq.c +@@ -103,6 +103,7 @@ v3d_irq(int irq, void *arg) + + trace_v3d_bcl_irq(&v3d->drm, fence->seqno); + dma_fence_signal(&fence->base); ++ v3d->bin_job = NULL; + status = IRQ_HANDLED; + } + +@@ -112,6 +113,7 @@ v3d_irq(int irq, void *arg) + + trace_v3d_rcl_irq(&v3d->drm, fence->seqno); + dma_fence_signal(&fence->base); ++ v3d->render_job = NULL; + status = IRQ_HANDLED; + } + +@@ -121,6 +123,7 @@ v3d_irq(int irq, void *arg) + + trace_v3d_csd_irq(&v3d->drm, fence->seqno); + dma_fence_signal(&fence->base); ++ v3d->csd_job = NULL; + status = IRQ_HANDLED; + } + +@@ -157,6 +160,7 @@ v3d_hub_irq(int irq, void *arg) + + trace_v3d_tfu_irq(&v3d->drm, fence->seqno); + dma_fence_signal(&fence->base); ++ v3d->tfu_job = NULL; + status = IRQ_HANDLED; + } + +-- +2.39.5 + diff --git a/queue-6.1/fs-fix-missing-declaration-of-init_files.patch b/queue-6.1/fs-fix-missing-declaration-of-init_files.patch new file mode 100644 index 0000000000..bda83836d6 --- /dev/null +++ b/queue-6.1/fs-fix-missing-declaration-of-init_files.patch @@ -0,0 +1,37 @@ +From 87209a18dec6ee8aebb2ce0feee61a85c3040669 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2024 07:18:36 +0000 +Subject: fs: fix missing declaration of init_files + +From: Zhang Kunbo + +[ Upstream commit 2b2fc0be98a828cf33a88a28e9745e8599fb05cf ] + +fs/file.c should include include/linux/init_task.h for + declaration of init_files. This fixes the sparse warning: + +fs/file.c:501:21: warning: symbol 'init_files' was not declared. Should it be static? + +Signed-off-by: Zhang Kunbo +Link: https://lore.kernel.org/r/20241217071836.2634868-1-zhangkunbo@huawei.com +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/file.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/file.c b/fs/file.c +index 48f0b28da5247..bc0c087b31bbd 100644 +--- a/fs/file.c ++++ b/fs/file.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + + #include "internal.h" + +-- +2.39.5 + diff --git a/queue-6.1/gtp-destroy-device-along-with-udp-socket-s-netns-dis.patch-10450 b/queue-6.1/gtp-destroy-device-along-with-udp-socket-s-netns-dis.patch-10450 new file mode 100644 index 0000000000..dae04bfb8f --- /dev/null +++ b/queue-6.1/gtp-destroy-device-along-with-udp-socket-s-netns-dis.patch-10450 @@ -0,0 +1,125 @@ +From 43027fb7452fe2d8c520bee94a83c40b8240d9a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jan 2025 10:47:53 +0900 +Subject: gtp: Destroy device along with udp socket's netns dismantle. + +From: Kuniyuki Iwashima + +[ Upstream commit eb28fd76c0a08a47b470677c6cef9dd1c60e92d1 ] + +gtp_newlink() links the device to a list in dev_net(dev) instead of +src_net, where a udp tunnel socket is created. + +Even when src_net is removed, the device stays alive on dev_net(dev). +Then, removing src_net triggers the splat below. [0] + +In this example, gtp0 is created in ns2, and the udp socket is created +in ns1. + + ip netns add ns1 + ip netns add ns2 + ip -n ns1 link add netns ns2 name gtp0 type gtp role sgsn + ip netns del ns1 + +Let's link the device to the socket's netns instead. + +Now, gtp_net_exit_batch_rtnl() needs another netdev iteration to remove +all gtp devices in the netns. + +[0]: +ref_tracker: net notrefcnt@000000003d6e7d05 has 1/2 users at + sk_alloc (./include/net/net_namespace.h:345 net/core/sock.c:2236) + inet_create (net/ipv4/af_inet.c:326 net/ipv4/af_inet.c:252) + __sock_create (net/socket.c:1558) + udp_sock_create4 (net/ipv4/udp_tunnel_core.c:18) + gtp_create_sock (./include/net/udp_tunnel.h:59 drivers/net/gtp.c:1423) + gtp_create_sockets (drivers/net/gtp.c:1447) + gtp_newlink (drivers/net/gtp.c:1507) + rtnl_newlink (net/core/rtnetlink.c:3786 net/core/rtnetlink.c:3897 net/core/rtnetlink.c:4012) + rtnetlink_rcv_msg (net/core/rtnetlink.c:6922) + netlink_rcv_skb (net/netlink/af_netlink.c:2542) + netlink_unicast (net/netlink/af_netlink.c:1321 net/netlink/af_netlink.c:1347) + netlink_sendmsg (net/netlink/af_netlink.c:1891) + ____sys_sendmsg (net/socket.c:711 net/socket.c:726 net/socket.c:2583) + ___sys_sendmsg (net/socket.c:2639) + __sys_sendmsg (net/socket.c:2669) + do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) + +WARNING: CPU: 1 PID: 60 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179) +Modules linked in: +CPU: 1 UID: 0 PID: 60 Comm: kworker/u16:2 Not tainted 6.13.0-rc5-00147-g4c1224501e9d #5 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +Workqueue: netns cleanup_net +RIP: 0010:ref_tracker_dir_exit (lib/ref_tracker.c:179) +Code: 00 00 00 fc ff df 4d 8b 26 49 bd 00 01 00 00 00 00 ad de 4c 39 f5 0f 85 df 00 00 00 48 8b 74 24 08 48 89 df e8 a5 cc 12 02 90 <0f> 0b 90 48 8d 6b 44 be 04 00 00 00 48 89 ef e8 80 de 67 ff 48 89 +RSP: 0018:ff11000009a07b60 EFLAGS: 00010286 +RAX: 0000000000002bd3 RBX: ff1100000f4e1aa0 RCX: 1ffffffff0e40ac6 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8423ee3c +RBP: ff1100000f4e1af0 R08: 0000000000000001 R09: fffffbfff0e395ae +R10: 0000000000000001 R11: 0000000000036001 R12: ff1100000f4e1af0 +R13: dead000000000100 R14: ff1100000f4e1af0 R15: dffffc0000000000 +FS: 0000000000000000(0000) GS:ff1100006ce80000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f9b2464bd98 CR3: 0000000005286005 CR4: 0000000000771ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + + ? __warn (kernel/panic.c:748) + ? ref_tracker_dir_exit (lib/ref_tracker.c:179) + ? report_bug (lib/bug.c:201 lib/bug.c:219) + ? handle_bug (arch/x86/kernel/traps.c:285) + ? exc_invalid_op (arch/x86/kernel/traps.c:309 (discriminator 1)) + ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621) + ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./arch/x86/include/asm/irqflags.h:155 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194) + ? ref_tracker_dir_exit (lib/ref_tracker.c:179) + ? __pfx_ref_tracker_dir_exit (lib/ref_tracker.c:158) + ? kfree (mm/slub.c:4613 mm/slub.c:4761) + net_free (net/core/net_namespace.c:476 net/core/net_namespace.c:467) + cleanup_net (net/core/net_namespace.c:664 (discriminator 3)) + process_one_work (kernel/workqueue.c:3229) + worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391) + kthread (kernel/kthread.c:389) + ret_from_fork (arch/x86/kernel/process.c:147) + ret_from_fork_asm (arch/x86/entry/entry_64.S:257) + + +Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") +Reported-by: Xiao Liang +Closes: https://lore.kernel.org/netdev/20250104125732.17335-1-shaw.leon@gmail.com/ +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index f360b9a51b645..0de3dcd07cb7e 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -1094,7 +1094,7 @@ static int gtp_newlink(struct net *src_net, struct net_device *dev, + goto out_encap; + } + +- gn = net_generic(dev_net(dev), gtp_net_id); ++ gn = net_generic(src_net, gtp_net_id); + list_add(>p->list, &gn->gtp_dev_list); + dev->priv_destructor = gtp_destructor; + +@@ -1894,6 +1894,11 @@ static void __net_exit gtp_net_exit_batch_rtnl(struct list_head *net_list, + list_for_each_entry(net, net_list, exit_list) { + struct gtp_net *gn = net_generic(net, gtp_net_id); + struct gtp_dev *gtp, *gtp_next; ++ struct net_device *dev; ++ ++ for_each_netdev(net, dev) ++ if (dev->rtnl_link_ops == >p_link_ops) ++ gtp_dellink(dev, dev_to_kill); + + list_for_each_entry_safe(gtp, gtp_next, &gn->gtp_dev_list, list) + gtp_dellink(gtp->dev, dev_to_kill); +-- +2.39.5 + diff --git a/queue-6.1/gtp-use-exit_batch_rtnl-method.patch-2484 b/queue-6.1/gtp-use-exit_batch_rtnl-method.patch-2484 new file mode 100644 index 0000000000..a6a7f79bd2 --- /dev/null +++ b/queue-6.1/gtp-use-exit_batch_rtnl-method.patch-2484 @@ -0,0 +1,66 @@ +From 46a12593dd6c980ff79b360ccf42ea5d0f671b72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 14:43:03 +0000 +Subject: gtp: use exit_batch_rtnl() method + +From: Eric Dumazet + +[ Upstream commit 6eedda01b2bfdcf427b37759e053dc27232f3af1 ] + +exit_batch_rtnl() is called while RTNL is held, +and devices to be unregistered can be queued in the dev_kill_list. + +This saves one rtnl_lock()/rtnl_unlock() pair per netns +and one unregister_netdevice_many() call per netns. + +Signed-off-by: Eric Dumazet +Reviewed-by: Antoine Tenart +Link: https://lore.kernel.org/r/20240206144313.2050392-8-edumazet@google.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 46841c7053e6 ("gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp().") +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index 5e0332c9d0d73..0e1dfc6157224 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -1883,23 +1883,23 @@ static int __net_init gtp_net_init(struct net *net) + return 0; + } + +-static void __net_exit gtp_net_exit(struct net *net) ++static void __net_exit gtp_net_exit_batch_rtnl(struct list_head *net_list, ++ struct list_head *dev_to_kill) + { +- struct gtp_net *gn = net_generic(net, gtp_net_id); +- struct gtp_dev *gtp; +- LIST_HEAD(list); ++ struct net *net; + +- rtnl_lock(); +- list_for_each_entry(gtp, &gn->gtp_dev_list, list) +- gtp_dellink(gtp->dev, &list); ++ list_for_each_entry(net, net_list, exit_list) { ++ struct gtp_net *gn = net_generic(net, gtp_net_id); ++ struct gtp_dev *gtp; + +- unregister_netdevice_many(&list); +- rtnl_unlock(); ++ list_for_each_entry(gtp, &gn->gtp_dev_list, list) ++ gtp_dellink(gtp->dev, dev_to_kill); ++ } + } + + static struct pernet_operations gtp_net_ops = { + .init = gtp_net_init, +- .exit = gtp_net_exit, ++ .exit_batch_rtnl = gtp_net_exit_batch_rtnl, + .id = >p_net_id, + .size = sizeof(struct gtp_net), + }; +-- +2.39.5 + diff --git a/queue-6.1/gtp-use-for_each_netdev_rcu-in-gtp_genl_dump_pdp.patch-26374 b/queue-6.1/gtp-use-for_each_netdev_rcu-in-gtp_genl_dump_pdp.patch-26374 new file mode 100644 index 0000000000..63e0ace843 --- /dev/null +++ b/queue-6.1/gtp-use-for_each_netdev_rcu-in-gtp_genl_dump_pdp.patch-26374 @@ -0,0 +1,91 @@ +From 026c1e5b4d61be32071742b4d0d3e2bbd58b5c18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jan 2025 10:47:52 +0900 +Subject: gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp(). + +From: Kuniyuki Iwashima + +[ Upstream commit 46841c7053e6d25fb33e0534ef023833bf03e382 ] + +gtp_newlink() links the gtp device to a list in dev_net(dev). + +However, even after the gtp device is moved to another netns, +it stays on the list but should be invisible. + +Let's use for_each_netdev_rcu() for netdev traversal in +gtp_genl_dump_pdp(). + +Note that gtp_dev_list is no longer used under RCU, so list +helpers are converted to the non-RCU variant. + +Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") +Reported-by: Xiao Liang +Closes: https://lore.kernel.org/netdev/CABAhCOQdBL6h9M2C+kd+bGivRJ9Q72JUxW+-gur0nub_=PmFPA@mail.gmail.com/ +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index 0e1dfc6157224..f360b9a51b645 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -1095,7 +1095,7 @@ static int gtp_newlink(struct net *src_net, struct net_device *dev, + } + + gn = net_generic(dev_net(dev), gtp_net_id); +- list_add_rcu(>p->list, &gn->gtp_dev_list); ++ list_add(>p->list, &gn->gtp_dev_list); + dev->priv_destructor = gtp_destructor; + + netdev_dbg(dev, "registered new GTP interface\n"); +@@ -1121,7 +1121,7 @@ static void gtp_dellink(struct net_device *dev, struct list_head *head) + hlist_for_each_entry_safe(pctx, next, >p->tid_hash[i], hlist_tid) + pdp_context_delete(pctx); + +- list_del_rcu(>p->list); ++ list_del(>p->list); + unregister_netdevice_queue(dev, head); + } + +@@ -1689,16 +1689,19 @@ static int gtp_genl_dump_pdp(struct sk_buff *skb, + struct gtp_dev *last_gtp = (struct gtp_dev *)cb->args[2], *gtp; + int i, j, bucket = cb->args[0], skip = cb->args[1]; + struct net *net = sock_net(skb->sk); ++ struct net_device *dev; + struct pdp_ctx *pctx; +- struct gtp_net *gn; +- +- gn = net_generic(net, gtp_net_id); + + if (cb->args[4]) + return 0; + + rcu_read_lock(); +- list_for_each_entry_rcu(gtp, &gn->gtp_dev_list, list) { ++ for_each_netdev_rcu(net, dev) { ++ if (dev->rtnl_link_ops != >p_link_ops) ++ continue; ++ ++ gtp = netdev_priv(dev); ++ + if (last_gtp && last_gtp != gtp) + continue; + else +@@ -1890,9 +1893,9 @@ static void __net_exit gtp_net_exit_batch_rtnl(struct list_head *net_list, + + list_for_each_entry(net, net_list, exit_list) { + struct gtp_net *gn = net_generic(net, gtp_net_id); +- struct gtp_dev *gtp; ++ struct gtp_dev *gtp, *gtp_next; + +- list_for_each_entry(gtp, &gn->gtp_dev_list, list) ++ list_for_each_entry_safe(gtp, gtp_next, &gn->gtp_dev_list, list) + gtp_dellink(gtp->dev, dev_to_kill); + } + } +-- +2.39.5 + diff --git a/queue-6.1/hfs-sanity-check-the-root-record.patch b/queue-6.1/hfs-sanity-check-the-root-record.patch new file mode 100644 index 0000000000..0084b9e087 --- /dev/null +++ b/queue-6.1/hfs-sanity-check-the-root-record.patch @@ -0,0 +1,56 @@ +From db31d663f1b41f02661c1a31e36098f161498441 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Nov 2024 21:14:19 -0800 +Subject: hfs: Sanity check the root record + +From: Leo Stone + +[ Upstream commit b905bafdea21a75d75a96855edd9e0b6051eee30 ] + +In the syzbot reproducer, the hfs_cat_rec for the root dir has type +HFS_CDR_FIL after being read with hfs_bnode_read() in hfs_super_fill(). +This indicates it should be used as an hfs_cat_file, which is 102 bytes. +Only the first 70 bytes of that struct are initialized, however, +because the entrylength passed into hfs_bnode_read() is still the length of +a directory record. This causes uninitialized values to be used later on, +when the hfs_cat_rec union is treated as the larger hfs_cat_file struct. + +Add a check to make sure the retrieved record has the correct type +for the root directory (HFS_CDR_DIR), and make sure we load the correct +number of bytes for a directory record. + +Reported-by: syzbot+2db3c7526ba68f4ea776@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=2db3c7526ba68f4ea776 +Tested-by: syzbot+2db3c7526ba68f4ea776@syzkaller.appspotmail.com +Tested-by: Leo Stone +Signed-off-by: Leo Stone +Link: https://lore.kernel.org/r/20241201051420.77858-1-leocstone@gmail.com +Reviewed-by: Jan Kara +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/hfs/super.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/hfs/super.c b/fs/hfs/super.c +index 6764afa98a6ff..431bdc65f7231 100644 +--- a/fs/hfs/super.c ++++ b/fs/hfs/super.c +@@ -418,11 +418,13 @@ static int hfs_fill_super(struct super_block *sb, void *data, int silent) + goto bail_no_root; + res = hfs_cat_find_brec(sb, HFS_ROOT_CNID, &fd); + if (!res) { +- if (fd.entrylength > sizeof(rec) || fd.entrylength < 0) { ++ if (fd.entrylength != sizeof(rec.dir)) { + res = -EIO; + goto bail_hfs_find; + } + hfs_bnode_read(fd.bnode, &rec, fd.entryoffset, fd.entrylength); ++ if (rec.type != HFS_CDR_DIR) ++ res = -EIO; + } + if (res) + goto bail_hfs_find; +-- +2.39.5 + diff --git a/queue-6.1/hwmon-tmp513-fix-division-of-negative-numbers.patch-14292 b/queue-6.1/hwmon-tmp513-fix-division-of-negative-numbers.patch-14292 new file mode 100644 index 0000000000..f0fa838e2b --- /dev/null +++ b/queue-6.1/hwmon-tmp513-fix-division-of-negative-numbers.patch-14292 @@ -0,0 +1,74 @@ +From 5dbe1ffbb3ce1bd41012409fe843904ed471ae37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jan 2025 15:45:52 -0600 +Subject: hwmon: (tmp513) Fix division of negative numbers + +From: David Lechner + +[ Upstream commit e2c68cea431d65292b592c9f8446c918d45fcf78 ] + +Fix several issues with division of negative numbers in the tmp513 +driver. + +The docs on the DIV_ROUND_CLOSEST macro explain that dividing a negative +value by an unsigned type is undefined behavior. The driver was doing +this in several places, i.e. data->shunt_uohms has type of u32. The +actual "undefined" behavior is that it converts both values to unsigned +before doing the division, for example: + + int ret = DIV_ROUND_CLOSEST(-100, 3U); + +results in ret == 1431655732 instead of -33. + +Furthermore the MILLI macro has a type of unsigned long. Multiplying a +signed long by an unsigned long results in an unsigned long. + +So, we need to cast both MILLI and data data->shunt_uohms to long when +using the DIV_ROUND_CLOSEST macro. + +Fixes: f07f9d2467f4 ("hwmon: (tmp513) Use SI constants from units.h") +Fixes: 59dfa75e5d82 ("hwmon: Add driver for Texas Instruments TMP512/513 sensor chips.") +Signed-off-by: David Lechner +Link: https://lore.kernel.org/r/20250114-fix-si-prefix-macro-sign-bugs-v1-1-696fd8d10f00@baylibre.com +[groeck: Drop some continuation lines] +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/tmp513.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/hwmon/tmp513.c b/drivers/hwmon/tmp513.c +index aaba9521ebefe..cbe29c8a9b18d 100644 +--- a/drivers/hwmon/tmp513.c ++++ b/drivers/hwmon/tmp513.c +@@ -203,7 +203,8 @@ static int tmp51x_get_value(struct tmp51x_data *data, u8 reg, u8 pos, + *val = sign_extend32(regval, + reg == TMP51X_SHUNT_CURRENT_RESULT ? + 16 - tmp51x_get_pga_shift(data) : 15); +- *val = DIV_ROUND_CLOSEST(*val * 10 * MILLI, data->shunt_uohms); ++ *val = DIV_ROUND_CLOSEST(*val * 10 * (long)MILLI, (long)data->shunt_uohms); ++ + break; + case TMP51X_BUS_VOLTAGE_RESULT: + case TMP51X_BUS_VOLTAGE_H_LIMIT: +@@ -219,7 +220,7 @@ static int tmp51x_get_value(struct tmp51x_data *data, u8 reg, u8 pos, + case TMP51X_BUS_CURRENT_RESULT: + // Current = (ShuntVoltage * CalibrationRegister) / 4096 + *val = sign_extend32(regval, 15) * (long)data->curr_lsb_ua; +- *val = DIV_ROUND_CLOSEST(*val, MILLI); ++ *val = DIV_ROUND_CLOSEST(*val, (long)MILLI); + break; + case TMP51X_LOCAL_TEMP_RESULT: + case TMP51X_REMOTE_TEMP_RESULT_1: +@@ -259,7 +260,7 @@ static int tmp51x_set_value(struct tmp51x_data *data, u8 reg, long val) + * The user enter current value and we convert it to + * voltage. 1lsb = 10uV + */ +- val = DIV_ROUND_CLOSEST(val * data->shunt_uohms, 10 * MILLI); ++ val = DIV_ROUND_CLOSEST(val * (long)data->shunt_uohms, 10 * (long)MILLI); + max_val = U16_MAX >> tmp51x_get_pga_shift(data); + regval = clamp_val(val, -max_val, max_val); + break; +-- +2.39.5 + diff --git a/queue-6.1/i2c-mux-demux-pinctrl-check-initial-mux-selection-to.patch-2743 b/queue-6.1/i2c-mux-demux-pinctrl-check-initial-mux-selection-to.patch-2743 new file mode 100644 index 0000000000..443fa27046 --- /dev/null +++ b/queue-6.1/i2c-mux-demux-pinctrl-check-initial-mux-selection-to.patch-2743 @@ -0,0 +1,37 @@ +From 0900d664386ddd187525f160228d20cbe91a6603 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2025 08:29:45 +0100 +Subject: i2c: mux: demux-pinctrl: check initial mux selection, too + +From: Wolfram Sang + +[ Upstream commit ca89f73394daf92779ddaa37b42956f4953f3941 ] + +When misconfigured, the initial setup of the current mux channel can +fail, too. It must be checked as well. + +Fixes: 50a5ba876908 ("i2c: mux: demux-pinctrl: add driver") +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/muxes/i2c-demux-pinctrl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/muxes/i2c-demux-pinctrl.c b/drivers/i2c/muxes/i2c-demux-pinctrl.c +index 45a3f7e7b3f68..cea057704c00c 100644 +--- a/drivers/i2c/muxes/i2c-demux-pinctrl.c ++++ b/drivers/i2c/muxes/i2c-demux-pinctrl.c +@@ -261,7 +261,9 @@ static int i2c_demux_pinctrl_probe(struct platform_device *pdev) + pm_runtime_no_callbacks(&pdev->dev); + + /* switch to first parent as active master */ +- i2c_demux_activate_master(priv, 0); ++ err = i2c_demux_activate_master(priv, 0); ++ if (err) ++ goto err_rollback; + + err = device_create_file(&pdev->dev, &dev_attr_available_masters); + if (err) +-- +2.39.5 + diff --git a/queue-6.1/i2c-rcar-fix-nack-handling-when-being-a-target.patch-16485 b/queue-6.1/i2c-rcar-fix-nack-handling-when-being-a-target.patch-16485 new file mode 100644 index 0000000000..aac0ef51e7 --- /dev/null +++ b/queue-6.1/i2c-rcar-fix-nack-handling-when-being-a-target.patch-16485 @@ -0,0 +1,95 @@ +From c056e1aeee8fc69182494be8342a173f89313136 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2025 13:36:23 +0100 +Subject: i2c: rcar: fix NACK handling when being a target + +From: Wolfram Sang + +[ Upstream commit 093f70c134f70e4632b295240f07d2b50b74e247 ] + +When this controller is a target, the NACK handling had two issues. +First, the return value from the backend was not checked on the initial +WRITE_REQUESTED. So, the driver missed to send a NACK in this case. +Also, the NACK always arrives one byte late on the bus, even in the +WRITE_RECEIVED case. This seems to be a HW issue. We should then not +rely on the backend to correctly NACK the superfluous byte as well. Fix +both issues by introducing a flag which gets set whenever the backend +requests a NACK and keep sending it until we get a STOP condition. + +Fixes: de20d1857dd6 ("i2c: rcar: add slave support") +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-rcar.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c +index d0098e342ba22..c7f2a9d8bcd56 100644 +--- a/drivers/i2c/busses/i2c-rcar.c ++++ b/drivers/i2c/busses/i2c-rcar.c +@@ -110,6 +110,8 @@ + #define ID_P_PM_BLOCKED BIT(31) + #define ID_P_MASK GENMASK(31, 28) + ++#define ID_SLAVE_NACK BIT(0) ++ + enum rcar_i2c_type { + I2C_RCAR_GEN1, + I2C_RCAR_GEN2, +@@ -143,6 +145,7 @@ struct rcar_i2c_priv { + int irq; + + struct i2c_client *host_notify_client; ++ u8 slave_flags; + }; + + #define rcar_i2c_priv_to_dev(p) ((p)->adap.dev.parent) +@@ -597,6 +600,7 @@ static bool rcar_i2c_slave_irq(struct rcar_i2c_priv *priv) + { + u32 ssr_raw, ssr_filtered; + u8 value; ++ int ret; + + ssr_raw = rcar_i2c_read(priv, ICSSR) & 0xff; + ssr_filtered = ssr_raw & rcar_i2c_read(priv, ICSIER); +@@ -612,7 +616,10 @@ static bool rcar_i2c_slave_irq(struct rcar_i2c_priv *priv) + rcar_i2c_write(priv, ICRXTX, value); + rcar_i2c_write(priv, ICSIER, SDE | SSR | SAR); + } else { +- i2c_slave_event(priv->slave, I2C_SLAVE_WRITE_REQUESTED, &value); ++ ret = i2c_slave_event(priv->slave, I2C_SLAVE_WRITE_REQUESTED, &value); ++ if (ret) ++ priv->slave_flags |= ID_SLAVE_NACK; ++ + rcar_i2c_read(priv, ICRXTX); /* dummy read */ + rcar_i2c_write(priv, ICSIER, SDR | SSR | SAR); + } +@@ -625,18 +632,21 @@ static bool rcar_i2c_slave_irq(struct rcar_i2c_priv *priv) + if (ssr_filtered & SSR) { + i2c_slave_event(priv->slave, I2C_SLAVE_STOP, &value); + rcar_i2c_write(priv, ICSCR, SIE | SDBS); /* clear our NACK */ ++ priv->slave_flags &= ~ID_SLAVE_NACK; + rcar_i2c_write(priv, ICSIER, SAR); + rcar_i2c_write(priv, ICSSR, ~SSR & 0xff); + } + + /* master wants to write to us */ + if (ssr_filtered & SDR) { +- int ret; +- + value = rcar_i2c_read(priv, ICRXTX); + ret = i2c_slave_event(priv->slave, I2C_SLAVE_WRITE_RECEIVED, &value); +- /* Send NACK in case of error */ +- rcar_i2c_write(priv, ICSCR, SIE | SDBS | (ret < 0 ? FNA : 0)); ++ if (ret) ++ priv->slave_flags |= ID_SLAVE_NACK; ++ ++ /* Send NACK in case of error, but it will come 1 byte late :( */ ++ rcar_i2c_write(priv, ICSCR, SIE | SDBS | ++ (priv->slave_flags & ID_SLAVE_NACK ? FNA : 0)); + rcar_i2c_write(priv, ICSSR, ~SDR & 0xff); + } + +-- +2.39.5 + diff --git a/queue-6.1/iomap-avoid-avoid-truncating-64-bit-offset-to-32-bit.patch b/queue-6.1/iomap-avoid-avoid-truncating-64-bit-offset-to-32-bit.patch new file mode 100644 index 0000000000..ddd4786d5d --- /dev/null +++ b/queue-6.1/iomap-avoid-avoid-truncating-64-bit-offset-to-32-bit.patch @@ -0,0 +1,39 @@ +From dedd3397932cab6b6b5d14c7c324cc2879cd1023 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jan 2025 20:11:50 -0800 +Subject: iomap: avoid avoid truncating 64-bit offset to 32 bits + +From: Marco Nelissen + +[ Upstream commit c13094b894de289514d84b8db56d1f2931a0bade ] + +on 32-bit kernels, iomap_write_delalloc_scan() was inadvertently using a +32-bit position due to folio_next_index() returning an unsigned long. +This could lead to an infinite loop when writing to an xfs filesystem. + +Signed-off-by: Marco Nelissen +Link: https://lore.kernel.org/r/20250109041253.2494374-1-marco.nelissen@gmail.com +Reviewed-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/iomap/buffered-io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c +index 47f44b02c17de..70e246f7e8fe8 100644 +--- a/fs/iomap/buffered-io.c ++++ b/fs/iomap/buffered-io.c +@@ -907,7 +907,7 @@ static int iomap_write_delalloc_scan(struct inode *inode, + } + + /* move offset to start of next folio in range */ +- start_byte = folio_next_index(folio) << PAGE_SHIFT; ++ start_byte = folio_pos(folio) + folio_size(folio); + folio_unlock(folio); + folio_put(folio); + } +-- +2.39.5 + diff --git a/queue-6.1/kheaders-ignore-silly-rename-files.patch b/queue-6.1/kheaders-ignore-silly-rename-files.patch new file mode 100644 index 0000000000..aa9dc29950 --- /dev/null +++ b/queue-6.1/kheaders-ignore-silly-rename-files.patch @@ -0,0 +1,60 @@ +From 4039a1cf85ea3de97f0ceed448dc37bfaa3ca25c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Dec 2024 13:50:01 +0000 +Subject: kheaders: Ignore silly-rename files + +From: David Howells + +[ Upstream commit 973b710b8821c3401ad7a25360c89e94b26884ac ] + +Tell tar to ignore silly-rename files (".__afs*" and ".nfs*") when building +the header archive. These occur when a file that is open is unlinked +locally, but hasn't yet been closed. Such files are visible to the user +via the getdents() syscall and so programs may want to do things with them. + +During the kernel build, such files may be made during the processing of +header files and the cleanup may get deferred by fput() which may result in +tar seeing these files when it reads the directory, but they may have +disappeared by the time it tries to open them, causing tar to fail with an +error. Further, we don't want to include them in the tarball if they still +exist. + +With CONFIG_HEADERS_INSTALL=y, something like the following may be seen: + + find: './kernel/.tmp_cpio_dir/include/dt-bindings/reset/.__afs2080': No such file or directory + tar: ./include/linux/greybus/.__afs3C95: File removed before we read it + +The find warning doesn't seem to cause a problem. + +Fix this by telling tar when called from in gen_kheaders.sh to exclude such +files. This only affects afs and nfs; cifs uses the Windows Hidden +attribute to prevent the file from being seen. + +Signed-off-by: David Howells +Link: https://lore.kernel.org/r/20241213135013.2964079-2-dhowells@redhat.com +cc: Masahiro Yamada +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +cc: linux-nfs@vger.kernel.org +cc: linux-kernel@vger.kernel.org +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + kernel/gen_kheaders.sh | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/gen_kheaders.sh b/kernel/gen_kheaders.sh +index 12bcd08fe79d4..5d506c6e8c0e7 100755 +--- a/kernel/gen_kheaders.sh ++++ b/kernel/gen_kheaders.sh +@@ -82,6 +82,7 @@ find $cpio_dir -type f -print0 | + + # Create archive and try to normalize metadata for reproducibility. + tar "${KBUILD_BUILD_TIMESTAMP:+--mtime=$KBUILD_BUILD_TIMESTAMP}" \ ++ --exclude=".__afs*" --exclude=".nfs*" \ + --owner=0 --group=0 --sort=name --numeric-owner --mode=u=rw,go=r,a+X \ + -I $XZ -cf $tarfile -C $cpio_dir/ . > /dev/null + +-- +2.39.5 + diff --git a/queue-6.1/mac802154-check-local-interfaces-before-deleting-sda.patch b/queue-6.1/mac802154-check-local-interfaces-before-deleting-sda.patch new file mode 100644 index 0000000000..bff03c2cf1 --- /dev/null +++ b/queue-6.1/mac802154-check-local-interfaces-before-deleting-sda.patch @@ -0,0 +1,100 @@ +From bce16819acd8b8f22d30854487774ef65a3915aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Nov 2024 17:51:29 +0800 +Subject: mac802154: check local interfaces before deleting sdata list + +From: Lizhi Xu + +[ Upstream commit eb09fbeb48709fe66c0d708aed81e910a577a30a ] + +syzkaller reported a corrupted list in ieee802154_if_remove. [1] + +Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4 +hardware device from the system. + +CPU0 CPU1 +==== ==== +genl_family_rcv_msg_doit ieee802154_unregister_hw +ieee802154_del_iface ieee802154_remove_interfaces +rdev_del_virtual_intf_deprecated list_del(&sdata->list) +ieee802154_if_remove +list_del_rcu + +The net device has been unregistered, since the rcu grace period, +unregistration must be run before ieee802154_if_remove. + +To avoid this issue, add a check for local->interfaces before deleting +sdata list. + +[1] +kernel BUG at lib/list_debug.c:58! +Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56 +Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 <0f> 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7 +RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246 +RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00 +RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 +RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d +R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000 +R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0 +FS: 0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + __list_del_entry_valid include/linux/list.h:124 [inline] + __list_del_entry include/linux/list.h:215 [inline] + list_del_rcu include/linux/rculist.h:157 [inline] + ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687 + rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline] + ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323 + genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] + genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] + genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210 + netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 + netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline] + netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357 + netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901 + sock_sendmsg_nosec net/socket.c:729 [inline] + __sock_sendmsg+0x221/0x270 net/socket.c:744 + ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607 + ___sys_sendmsg net/socket.c:2661 [inline] + __sys_sendmsg+0x292/0x380 net/socket.c:2690 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Reported-and-tested-by: syzbot+985f827280dc3a6e7e92@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=985f827280dc3a6e7e92 +Signed-off-by: Lizhi Xu +Reviewed-by: Miquel Raynal +Link: https://lore.kernel.org/20241113095129.1457225-1-lizhi.xu@windriver.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + net/mac802154/iface.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c +index 7e2065e729156..0233929502ec2 100644 +--- a/net/mac802154/iface.c ++++ b/net/mac802154/iface.c +@@ -689,6 +689,10 @@ void ieee802154_if_remove(struct ieee802154_sub_if_data *sdata) + ASSERT_RTNL(); + + mutex_lock(&sdata->local->iflist_mtx); ++ if (list_empty(&sdata->local->interfaces)) { ++ mutex_unlock(&sdata->local->iflist_mtx); ++ return; ++ } + list_del_rcu(&sdata->list); + mutex_unlock(&sdata->local->iflist_mtx); + +-- +2.39.5 + diff --git a/queue-6.1/net-add-exit_batch_rtnl-method.patch-29551 b/queue-6.1/net-add-exit_batch_rtnl-method.patch-29551 new file mode 100644 index 0000000000..195f41bc7f --- /dev/null +++ b/queue-6.1/net-add-exit_batch_rtnl-method.patch-29551 @@ -0,0 +1,128 @@ +From 74d4f17c78c08839da139199ffa030e25b414784 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Feb 2024 14:42:57 +0000 +Subject: net: add exit_batch_rtnl() method + +From: Eric Dumazet + +[ Upstream commit fd4f101edbd9f99567ab2adb1f2169579ede7c13 ] + +Many (struct pernet_operations)->exit_batch() methods have +to acquire rtnl. + +In presence of rtnl mutex pressure, this makes cleanup_net() +very slow. + +This patch adds a new exit_batch_rtnl() method to reduce +number of rtnl acquisitions from cleanup_net(). + +exit_batch_rtnl() handlers are called while rtnl is locked, +and devices to be killed can be queued in a list provided +as their second argument. + +A single unregister_netdevice_many() is called right +before rtnl is released. + +exit_batch_rtnl() handlers are called before ->exit() and +->exit_batch() handlers. + +Signed-off-by: Eric Dumazet +Reviewed-by: Antoine Tenart +Link: https://lore.kernel.org/r/20240206144313.2050392-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 46841c7053e6 ("gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp().") +Signed-off-by: Sasha Levin +--- + include/net/net_namespace.h | 3 +++ + net/core/net_namespace.c | 31 ++++++++++++++++++++++++++++++- + 2 files changed, 33 insertions(+), 1 deletion(-) + +diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h +index 7ca4b7af57ca6..17c7a88418345 100644 +--- a/include/net/net_namespace.h ++++ b/include/net/net_namespace.h +@@ -426,6 +426,9 @@ struct pernet_operations { + void (*pre_exit)(struct net *net); + void (*exit)(struct net *net); + void (*exit_batch)(struct list_head *net_exit_list); ++ /* Following method is called with RTNL held. */ ++ void (*exit_batch_rtnl)(struct list_head *net_exit_list, ++ struct list_head *dev_kill_list); + unsigned int *id; + size_t size; + }; +diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c +index 6c6d2a785c004..abf1e1751d6c8 100644 +--- a/net/core/net_namespace.c ++++ b/net/core/net_namespace.c +@@ -314,8 +314,9 @@ static __net_init int setup_net(struct net *net, struct user_namespace *user_ns) + { + /* Must be called with pernet_ops_rwsem held */ + const struct pernet_operations *ops, *saved_ops; +- int error = 0; + LIST_HEAD(net_exit_list); ++ LIST_HEAD(dev_kill_list); ++ int error = 0; + + refcount_set(&net->ns.count, 1); + ref_tracker_dir_init(&net->refcnt_tracker, 128); +@@ -353,6 +354,15 @@ static __net_init int setup_net(struct net *net, struct user_namespace *user_ns) + + synchronize_rcu(); + ++ ops = saved_ops; ++ rtnl_lock(); ++ list_for_each_entry_continue_reverse(ops, &pernet_list, list) { ++ if (ops->exit_batch_rtnl) ++ ops->exit_batch_rtnl(&net_exit_list, &dev_kill_list); ++ } ++ unregister_netdevice_many(&dev_kill_list); ++ rtnl_unlock(); ++ + ops = saved_ops; + list_for_each_entry_continue_reverse(ops, &pernet_list, list) + ops_exit_list(ops, &net_exit_list); +@@ -576,6 +586,7 @@ static void cleanup_net(struct work_struct *work) + struct net *net, *tmp, *last; + struct llist_node *net_kill_list; + LIST_HEAD(net_exit_list); ++ LIST_HEAD(dev_kill_list); + + /* Atomically snapshot the list of namespaces to cleanup */ + net_kill_list = llist_del_all(&cleanup_list); +@@ -616,6 +627,14 @@ static void cleanup_net(struct work_struct *work) + */ + synchronize_rcu(); + ++ rtnl_lock(); ++ list_for_each_entry_reverse(ops, &pernet_list, list) { ++ if (ops->exit_batch_rtnl) ++ ops->exit_batch_rtnl(&net_exit_list, &dev_kill_list); ++ } ++ unregister_netdevice_many(&dev_kill_list); ++ rtnl_unlock(); ++ + /* Run all of the network namespace exit methods */ + list_for_each_entry_reverse(ops, &pernet_list, list) + ops_exit_list(ops, &net_exit_list); +@@ -1159,7 +1178,17 @@ static void free_exit_list(struct pernet_operations *ops, struct list_head *net_ + { + ops_pre_exit_list(ops, net_exit_list); + synchronize_rcu(); ++ ++ if (ops->exit_batch_rtnl) { ++ LIST_HEAD(dev_kill_list); ++ ++ rtnl_lock(); ++ ops->exit_batch_rtnl(net_exit_list, &dev_kill_list); ++ unregister_netdevice_many(&dev_kill_list); ++ rtnl_unlock(); ++ } + ops_exit_list(ops, net_exit_list); ++ + ops_free_list(ops, net_exit_list); + } + +-- +2.39.5 + diff --git a/queue-6.1/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field.patch-27995 b/queue-6.1/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field.patch-27995 new file mode 100644 index 0000000000..5bdc10108a --- /dev/null +++ b/queue-6.1/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field.patch-27995 @@ -0,0 +1,86 @@ +From 17e4b48b195be6aa1cf2972ff9dcfb35bc9569cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jan 2025 22:54:33 +0530 +Subject: net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() + +From: Sudheer Kumar Doredla + +[ Upstream commit 03d120f27d050336f7e7d21879891542c4741f81 ] + +CPSW ALE has 75-bit ALE entries stored across three 32-bit words. +The cpsw_ale_get_field() and cpsw_ale_set_field() functions support +ALE field entries spanning up to two words at the most. + +The cpsw_ale_get_field() and cpsw_ale_set_field() functions work as +expected when ALE field spanned across word1 and word2, but fails when +ALE field spanned across word2 and word3. + +For example, while reading the ALE field spanned across word2 and word3 +(i.e. bits 62 to 64), the word3 data shifted to an incorrect position +due to the index becoming zero while flipping. +The same issue occurred when setting an ALE entry. + +This issue has not been seen in practice but will be an issue in the future +if the driver supports accessing ALE fields spanning word2 and word3 + +Fix the methods to handle getting/setting fields spanning up to two words. + +Fixes: b685f1a58956 ("net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()/cpsw_ale_set_field()") +Signed-off-by: Sudheer Kumar Doredla +Reviewed-by: Simon Horman +Reviewed-by: Roger Quadros +Reviewed-by: Siddharth Vadapalli +Link: https://patch.msgid.link/20250108172433.311694-1-s-doredla@ti.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/cpsw_ale.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/ti/cpsw_ale.c b/drivers/net/ethernet/ti/cpsw_ale.c +index 2647c18d40d95..3d42ca15e8779 100644 +--- a/drivers/net/ethernet/ti/cpsw_ale.c ++++ b/drivers/net/ethernet/ti/cpsw_ale.c +@@ -106,15 +106,15 @@ struct cpsw_ale_dev_id { + + static inline int cpsw_ale_get_field(u32 *ale_entry, u32 start, u32 bits) + { +- int idx, idx2; ++ int idx, idx2, index; + u32 hi_val = 0; + + idx = start / 32; + idx2 = (start + bits - 1) / 32; + /* Check if bits to be fetched exceed a word */ + if (idx != idx2) { +- idx2 = 2 - idx2; /* flip */ +- hi_val = ale_entry[idx2] << ((idx2 * 32) - start); ++ index = 2 - idx2; /* flip */ ++ hi_val = ale_entry[index] << ((idx2 * 32) - start); + } + start -= idx * 32; + idx = 2 - idx; /* flip */ +@@ -124,16 +124,16 @@ static inline int cpsw_ale_get_field(u32 *ale_entry, u32 start, u32 bits) + static inline void cpsw_ale_set_field(u32 *ale_entry, u32 start, u32 bits, + u32 value) + { +- int idx, idx2; ++ int idx, idx2, index; + + value &= BITMASK(bits); + idx = start / 32; + idx2 = (start + bits - 1) / 32; + /* Check if bits to be set exceed a word */ + if (idx != idx2) { +- idx2 = 2 - idx2; /* flip */ +- ale_entry[idx2] &= ~(BITMASK(bits + start - (idx2 * 32))); +- ale_entry[idx2] |= (value >> ((idx2 * 32) - start)); ++ index = 2 - idx2; /* flip */ ++ ale_entry[index] &= ~(BITMASK(bits + start - (idx2 * 32))); ++ ale_entry[index] |= (value >> ((idx2 * 32) - start)); + } + start -= idx * 32; + idx = 2 - idx; /* flip */ +-- +2.39.5 + diff --git a/queue-6.1/net-mlx5-clear-port-select-structure-when-fail-to-cr.patch-12234 b/queue-6.1/net-mlx5-clear-port-select-structure-when-fail-to-cr.patch-12234 new file mode 100644 index 0000000000..e9ef8627b0 --- /dev/null +++ b/queue-6.1/net-mlx5-clear-port-select-structure-when-fail-to-cr.patch-12234 @@ -0,0 +1,107 @@ +From 0f5acf359573397f0ebd456dea905e85e032b1be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2025 13:39:07 +0200 +Subject: net/mlx5: Clear port select structure when fail to create + +From: Mark Zhang + +[ Upstream commit 5641e82cb55b4ecbc6366a499300917d2f3e6790 ] + +Clear the port select structure on error so no stale values left after +definers are destroyed. That's because the mlx5_lag_destroy_definers() +always try to destroy all lag definers in the tt_map, so in the flow +below lag definers get double-destroyed and cause kernel crash: + + mlx5_lag_port_sel_create() + mlx5_lag_create_definers() + mlx5_lag_create_definer() <- Failed on tt 1 + mlx5_lag_destroy_definers() <- definers[tt=0] gets destroyed + mlx5_lag_port_sel_create() + mlx5_lag_create_definers() + mlx5_lag_create_definer() <- Failed on tt 0 + mlx5_lag_destroy_definers() <- definers[tt=0] gets double-destroyed + + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 + Mem abort info: + ESR = 0x0000000096000005 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x05: level 1 translation fault + Data abort info: + ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 + CM = 0, WnR = 0, TnD = 0, TagAccess = 0 + GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 + user pgtable: 64k pages, 48-bit VAs, pgdp=0000000112ce2e00 + [0000000000000008] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 + Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP + Modules linked in: iptable_raw bonding ip_gre ip6_gre gre ip6_tunnel tunnel6 geneve ip6_udp_tunnel udp_tunnel ipip tunnel4 ip_tunnel rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) mlx5_fwctl(OE) fwctl(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlxfw(OE) memtrack(OE) mlx_compat(OE) openvswitch nsh nf_conncount psample xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc netconsole overlay efi_pstore sch_fq_codel zram ip_tables crct10dif_ce qemu_fw_cfg fuse ipv6 crc_ccitt [last unloaded: mlx_compat(OE)] + CPU: 3 UID: 0 PID: 217 Comm: kworker/u53:2 Tainted: G OE 6.11.0+ #2 + Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE + Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 + Workqueue: mlx5_lag mlx5_do_bond_work [mlx5_core] + pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core] + lr : mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core] + sp : ffff800085fafb00 + x29: ffff800085fafb00 x28: ffff0000da0c8000 x27: 0000000000000000 + x26: ffff0000da0c8000 x25: ffff0000da0c8000 x24: ffff0000da0c8000 + x23: ffff0000c31f81a0 x22: 0400000000000000 x21: ffff0000da0c8000 + x20: 0000000000000000 x19: 0000000000000001 x18: 0000000000000000 + x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8b0c9350 + x14: 0000000000000000 x13: ffff800081390d18 x12: ffff800081dc3cc0 + x11: 0000000000000001 x10: 0000000000000b10 x9 : ffff80007ab7304c + x8 : ffff0000d00711f0 x7 : 0000000000000004 x6 : 0000000000000190 + x5 : ffff00027edb3010 x4 : 0000000000000000 x3 : 0000000000000000 + x2 : ffff0000d39b8000 x1 : ffff0000d39b8000 x0 : 0400000000000000 + Call trace: + mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core] + mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core] + mlx5_lag_destroy_definers+0xa0/0x108 [mlx5_core] + mlx5_lag_port_sel_create+0x2d4/0x6f8 [mlx5_core] + mlx5_activate_lag+0x60c/0x6f8 [mlx5_core] + mlx5_do_bond_work+0x284/0x5c8 [mlx5_core] + process_one_work+0x170/0x3e0 + worker_thread+0x2d8/0x3e0 + kthread+0x11c/0x128 + ret_from_fork+0x10/0x20 + Code: a9025bf5 aa0003f6 a90363f7 f90023f9 (f9400400) + ---[ end trace 0000000000000000 ]--- + +Fixes: dc48516ec7d3 ("net/mlx5: Lag, add support to create definers for LAG") +Signed-off-by: Mark Zhang +Reviewed-by: Leon Romanovsky +Reviewed-by: Mark Bloch +Reviewed-by: Jacob Keller +Signed-off-by: Tariq Toukan +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c +index 005661248c7e9..9faa9ef863a1b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c +@@ -540,7 +540,7 @@ int mlx5_lag_port_sel_create(struct mlx5_lag *ldev, + set_tt_map(port_sel, hash_type); + err = mlx5_lag_create_definers(ldev, hash_type, ports); + if (err) +- return err; ++ goto clear_port_sel; + + if (port_sel->tunnel) { + err = mlx5_lag_create_inner_ttc_table(ldev); +@@ -559,6 +559,8 @@ int mlx5_lag_port_sel_create(struct mlx5_lag *ldev, + mlx5_destroy_ttc_table(port_sel->inner.ttc); + destroy_definers: + mlx5_lag_destroy_definers(ldev); ++clear_port_sel: ++ memset(port_sel, 0, sizeof(*port_sel)); + return err; + } + +-- +2.39.5 + diff --git a/queue-6.1/net-mlx5-fix-rdma-tx-steering-prio.patch-30502 b/queue-6.1/net-mlx5-fix-rdma-tx-steering-prio.patch-30502 new file mode 100644 index 0000000000..ffddb9c030 --- /dev/null +++ b/queue-6.1/net-mlx5-fix-rdma-tx-steering-prio.patch-30502 @@ -0,0 +1,39 @@ +From f6b748f17a7f5beca94c0171f96991638092f7f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2025 13:39:04 +0200 +Subject: net/mlx5: Fix RDMA TX steering prio + +From: Patrisious Haddad + +[ Upstream commit c08d3e62b2e73e14da318a1d20b52d0486a28ee0 ] + +User added steering rules at RDMA_TX were being added to the first prio, +which is the counters prio. +Fix that so that they are correctly added to the BYPASS_PRIO instead. + +Fixes: 24670b1a3166 ("net/mlx5: Add support for RDMA TX steering") +Signed-off-by: Patrisious Haddad +Reviewed-by: Mark Bloch +Reviewed-by: Jacob Keller +Signed-off-by: Tariq Toukan +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index 50fdc3cbb778e..2717450e96661 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -2421,6 +2421,7 @@ struct mlx5_flow_namespace *mlx5_get_flow_namespace(struct mlx5_core_dev *dev, + break; + case MLX5_FLOW_NAMESPACE_RDMA_TX: + root_ns = steering->rdma_tx_root_ns; ++ prio = RDMA_TX_BYPASS_PRIO; + break; + case MLX5_FLOW_NAMESPACE_RDMA_RX_COUNTERS: + root_ns = steering->rdma_rx_root_ns; +-- +2.39.5 + diff --git a/queue-6.1/net-xilinx-axienet-fix-irq-coalescing-packet-count-o.patch-11613 b/queue-6.1/net-xilinx-axienet-fix-irq-coalescing-packet-count-o.patch-11613 new file mode 100644 index 0000000000..2960b98ae7 --- /dev/null +++ b/queue-6.1/net-xilinx-axienet-fix-irq-coalescing-packet-count-o.patch-11613 @@ -0,0 +1,48 @@ +From c15d3ff2f04259d281bcb680ea38a7168116486c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jan 2025 11:30:00 -0500 +Subject: net: xilinx: axienet: Fix IRQ coalescing packet count overflow + +From: Sean Anderson + +[ Upstream commit c17ff476f53afb30f90bb3c2af77de069c81a622 ] + +If coalesce_count is greater than 255 it will not fit in the register and +will overflow. This can be reproduced by running + + # ethtool -C ethX rx-frames 256 + +which will result in a timeout of 0us instead. Fix this by checking for +invalid values and reporting an error. + +Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver") +Signed-off-by: Sean Anderson +Reviewed-by: Shannon Nelson +Reviewed-by: Radhey Shyam Pandey +Link: https://patch.msgid.link/20250113163001.2335235-1-sean.anderson@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index ce0dd78826af0..a957721581761 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -1570,6 +1570,12 @@ axienet_ethtools_set_coalesce(struct net_device *ndev, + return -EFAULT; + } + ++ if (ecoalesce->rx_max_coalesced_frames > 255 || ++ ecoalesce->tx_max_coalesced_frames > 255) { ++ NL_SET_ERR_MSG(extack, "frames must be less than 256"); ++ return -EINVAL; ++ } ++ + if (ecoalesce->rx_max_coalesced_frames) + lp->coalesce_count_rx = ecoalesce->rx_max_coalesced_frames; + if (ecoalesce->rx_coalesce_usecs) +-- +2.39.5 + diff --git a/queue-6.1/nfp-bpf-prevent-integer-overflow-in-nfp_bpf_event_ou.patch-24124 b/queue-6.1/nfp-bpf-prevent-integer-overflow-in-nfp_bpf_event_ou.patch-24124 new file mode 100644 index 0000000000..4f71d2f9f9 --- /dev/null +++ b/queue-6.1/nfp-bpf-prevent-integer-overflow-in-nfp_bpf_event_ou.patch-24124 @@ -0,0 +1,39 @@ +From 14008754911fdfd89e6056210b5328967e672854 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jan 2025 09:18:39 +0300 +Subject: nfp: bpf: prevent integer overflow in nfp_bpf_event_output() + +From: Dan Carpenter + +[ Upstream commit 16ebb6f5b6295c9688749862a39a4889c56227f8 ] + +The "sizeof(struct cmsg_bpf_event) + pkt_size + data_size" math could +potentially have an integer wrapping bug on 32bit systems. Check for +this and return an error. + +Fixes: 9816dd35ecec ("nfp: bpf: perf event output helpers support") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/6074805b-e78d-4b8a-bf05-e929b5377c28@stanley.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/netronome/nfp/bpf/offload.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/netronome/nfp/bpf/offload.c b/drivers/net/ethernet/netronome/nfp/bpf/offload.c +index 9d97cd281f18e..c03558adda91e 100644 +--- a/drivers/net/ethernet/netronome/nfp/bpf/offload.c ++++ b/drivers/net/ethernet/netronome/nfp/bpf/offload.c +@@ -458,7 +458,8 @@ int nfp_bpf_event_output(struct nfp_app_bpf *bpf, const void *data, + map_id_full = be64_to_cpu(cbe->map_ptr); + map_id = map_id_full; + +- if (len < sizeof(struct cmsg_bpf_event) + pkt_size + data_size) ++ if (size_add(pkt_size, data_size) > INT_MAX || ++ len < sizeof(struct cmsg_bpf_event) + pkt_size + data_size) + return -EINVAL; + if (cbe->hdr.ver != NFP_CCM_ABI_VERSION) + return -EINVAL; +-- +2.39.5 + diff --git a/queue-6.1/nvmet-propagate-npwg-topology.patch b/queue-6.1/nvmet-propagate-npwg-topology.patch new file mode 100644 index 0000000000..267d203be4 --- /dev/null +++ b/queue-6.1/nvmet-propagate-npwg-topology.patch @@ -0,0 +1,39 @@ +From 2b2bb7025f86314446386123f011368fc8a3e73b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2024 18:33:25 -0800 +Subject: nvmet: propagate npwg topology + +From: Luis Chamberlain + +[ Upstream commit b579d6fdc3a9149bb4d2b3133cc0767130ed13e6 ] + +Ensure we propagate npwg to the target as well instead +of assuming its the same logical blocks per physical block. + +This ensures devices with large IUs information properly +propagated on the target. + +Signed-off-by: Luis Chamberlain +Reviewed-by: Sagi Grimberg +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/io-cmd-bdev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/io-cmd-bdev.c b/drivers/nvme/target/io-cmd-bdev.c +index c2d6cea0236b0..ada58a4d0d0cf 100644 +--- a/drivers/nvme/target/io-cmd-bdev.c ++++ b/drivers/nvme/target/io-cmd-bdev.c +@@ -36,7 +36,7 @@ void nvmet_bdev_set_limits(struct block_device *bdev, struct nvme_id_ns *id) + */ + id->nsfeat |= 1 << 4; + /* NPWG = Namespace Preferred Write Granularity. 0's based */ +- id->npwg = lpp0b; ++ id->npwg = to0based(bdev_io_min(bdev) / bdev_logical_block_size(bdev)); + /* NPWA = Namespace Preferred Write Alignment. 0's based */ + id->npwa = id->npwg; + /* NPDG = Namespace Preferred Deallocate Granularity. 0's based */ +-- +2.39.5 + diff --git a/queue-6.1/openvswitch-fix-lockup-on-tx-to-unregistering-netdev.patch-7431 b/queue-6.1/openvswitch-fix-lockup-on-tx-to-unregistering-netdev.patch-7431 new file mode 100644 index 0000000000..0b4fa369b2 --- /dev/null +++ b/queue-6.1/openvswitch-fix-lockup-on-tx-to-unregistering-netdev.patch-7431 @@ -0,0 +1,79 @@ +From bcb4dd5cedeca98eb63033c8d561e9a6fc42b41d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jan 2025 13:21:24 +0100 +Subject: openvswitch: fix lockup on tx to unregistering netdev with carrier + +From: Ilya Maximets + +[ Upstream commit 47e55e4b410f7d552e43011baa5be1aab4093990 ] + +Commit in a fixes tag attempted to fix the issue in the following +sequence of calls: + + do_output + -> ovs_vport_send + -> dev_queue_xmit + -> __dev_queue_xmit + -> netdev_core_pick_tx + -> skb_tx_hash + +When device is unregistering, the 'dev->real_num_tx_queues' goes to +zero and the 'while (unlikely(hash >= qcount))' loop inside the +'skb_tx_hash' becomes infinite, locking up the core forever. + +But unfortunately, checking just the carrier status is not enough to +fix the issue, because some devices may still be in unregistering +state while reporting carrier status OK. + +One example of such device is a net/dummy. It sets carrier ON +on start, but it doesn't implement .ndo_stop to set the carrier off. +And it makes sense, because dummy doesn't really have a carrier. +Therefore, while this device is unregistering, it's still easy to hit +the infinite loop in the skb_tx_hash() from the OVS datapath. There +might be other drivers that do the same, but dummy by itself is +important for the OVS ecosystem, because it is frequently used as a +packet sink for tcpdump while debugging OVS deployments. And when the +issue is hit, the only way to recover is to reboot. + +Fix that by also checking if the device is running. The running +state is handled by the net core during unregistering, so it covers +unregistering case better, and we don't really need to send packets +to devices that are not running anyway. + +While only checking the running state might be enough, the carrier +check is preserved. The running and the carrier states seem disjoined +throughout the code and different drivers. And other core functions +like __dev_direct_xmit() check both before attempting to transmit +a packet. So, it seems safer to check both flags in OVS as well. + +Fixes: 066b86787fa3 ("net: openvswitch: fix race on port output") +Reported-by: Friedrich Weber +Closes: https://mail.openvswitch.org/pipermail/ovs-discuss/2025-January/053423.html +Signed-off-by: Ilya Maximets +Tested-by: Friedrich Weber +Reviewed-by: Aaron Conole +Link: https://patch.msgid.link/20250109122225.4034688-1-i.maximets@ovn.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/actions.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c +index 21102ffe44709..18d360aaf09bc 100644 +--- a/net/openvswitch/actions.c ++++ b/net/openvswitch/actions.c +@@ -913,7 +913,9 @@ static void do_output(struct datapath *dp, struct sk_buff *skb, int out_port, + { + struct vport *vport = ovs_vport_rcu(dp, out_port); + +- if (likely(vport && netif_carrier_ok(vport->dev))) { ++ if (likely(vport && ++ netif_running(vport->dev) && ++ netif_carrier_ok(vport->dev))) { + u16 mru = OVS_CB(skb)->mru; + u32 cutlen = OVS_CB(skb)->cutlen; + +-- +2.39.5 + diff --git a/queue-6.1/pktgen-avoid-out-of-bounds-access-in-get_imix_entrie.patch-15798 b/queue-6.1/pktgen-avoid-out-of-bounds-access-in-get_imix_entrie.patch-15798 new file mode 100644 index 0000000000..1716975343 --- /dev/null +++ b/queue-6.1/pktgen-avoid-out-of-bounds-access-in-get_imix_entrie.patch-15798 @@ -0,0 +1,68 @@ +From baa586776625a3f4cde8421b2bf12633011310e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jan 2025 11:30:39 +0300 +Subject: pktgen: Avoid out-of-bounds access in get_imix_entries + +From: Artem Chernyshev + +[ Upstream commit 76201b5979768500bca362871db66d77cb4c225e ] + +Passing a sufficient amount of imix entries leads to invalid access to the +pkt_dev->imix_entries array because of the incorrect boundary check. + +UBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24 +index 20 is out of range for type 'imix_pkt [20]' +CPU: 2 PID: 1210 Comm: bash Not tainted 6.10.0-rc1 #121 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) +Call Trace: + +dump_stack_lvl lib/dump_stack.c:117 +__ubsan_handle_out_of_bounds lib/ubsan.c:429 +get_imix_entries net/core/pktgen.c:874 +pktgen_if_write net/core/pktgen.c:1063 +pde_write fs/proc/inode.c:334 +proc_reg_write fs/proc/inode.c:346 +vfs_write fs/read_write.c:593 +ksys_write fs/read_write.c:644 +do_syscall_64 arch/x86/entry/common.c:83 +entry_SYSCALL_64_after_hwframe arch/x86/entry/entry_64.S:130 + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 52a62f8603f9 ("pktgen: Parse internet mix (imix) input") +Signed-off-by: Artem Chernyshev +[ fp: allow to fill the array completely; minor changelog cleanup ] +Signed-off-by: Fedor Pchelkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/pktgen.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/core/pktgen.c b/net/core/pktgen.c +index 471d4effa8b49..a2fb951996b85 100644 +--- a/net/core/pktgen.c ++++ b/net/core/pktgen.c +@@ -850,6 +850,9 @@ static ssize_t get_imix_entries(const char __user *buffer, + unsigned long weight; + unsigned long size; + ++ if (pkt_dev->n_imix_entries >= MAX_IMIX_ENTRIES) ++ return -E2BIG; ++ + len = num_arg(&buffer[i], max_digits, &size); + if (len < 0) + return len; +@@ -879,9 +882,6 @@ static ssize_t get_imix_entries(const char __user *buffer, + + i++; + pkt_dev->n_imix_entries++; +- +- if (pkt_dev->n_imix_entries > MAX_IMIX_ENTRIES) +- return -E2BIG; + } while (c == ' '); + + return i; +-- +2.39.5 + diff --git a/queue-6.1/poll_wait-add-mb-to-fix-theoretical-race-between-wai.patch b/queue-6.1/poll_wait-add-mb-to-fix-theoretical-race-between-wai.patch new file mode 100644 index 0000000000..5a01ae9000 --- /dev/null +++ b/queue-6.1/poll_wait-add-mb-to-fix-theoretical-race-between-wai.patch @@ -0,0 +1,67 @@ +From d01a5f352b1c3aa185b157554055e4c1a5f85d6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jan 2025 17:27:17 +0100 +Subject: poll_wait: add mb() to fix theoretical race between + waitqueue_active() and .poll() + +From: Oleg Nesterov + +[ Upstream commit cacd9ae4bf801ff4125d8961bb9a3ba955e51680 ] + +As the comment above waitqueue_active() explains, it can only be used +if both waker and waiter have mb()'s that pair with each other. However +__pollwait() is broken in this respect. + +This is not pipe-specific, but let's look at pipe_poll() for example: + + poll_wait(...); // -> __pollwait() -> add_wait_queue() + + LOAD(pipe->head); + LOAD(pipe->head); + +In theory these LOAD()'s can leak into the critical section inside +add_wait_queue() and can happen before list_add(entry, wq_head), in this +case pipe_poll() can race with wakeup_pipe_readers/writers which do + + smp_mb(); + if (waitqueue_active(wq_head)) + wake_up_interruptible(wq_head); + +There are more __pollwait()-like functions (grep init_poll_funcptr), and +it seems that at least ep_ptable_queue_proc() has the same problem, so the +patch adds smp_mb() into poll_wait(). + +Link: https://lore.kernel.org/all/20250102163320.GA17691@redhat.com/ +Signed-off-by: Oleg Nesterov +Link: https://lore.kernel.org/r/20250107162717.GA18922@redhat.com +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + include/linux/poll.h | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/include/linux/poll.h b/include/linux/poll.h +index d1ea4f3714a84..fc641b50f1298 100644 +--- a/include/linux/poll.h ++++ b/include/linux/poll.h +@@ -41,8 +41,16 @@ typedef struct poll_table_struct { + + static inline void poll_wait(struct file * filp, wait_queue_head_t * wait_address, poll_table *p) + { +- if (p && p->_qproc && wait_address) ++ if (p && p->_qproc && wait_address) { + p->_qproc(filp, wait_address, p); ++ /* ++ * This memory barrier is paired in the wq_has_sleeper(). ++ * See the comment above prepare_to_wait(), we need to ++ * ensure that subsequent tests in this thread can't be ++ * reordered with __add_wait_queue() in _qproc() paths. ++ */ ++ smp_mb(); ++ } + } + + /* +-- +2.39.5 + diff --git a/queue-6.1/revert-mtd-spi-nor-core-replace-dummy-buswidth-from-.patch-29714 b/queue-6.1/revert-mtd-spi-nor-core-replace-dummy-buswidth-from-.patch-29714 new file mode 100644 index 0000000000..f83f9d57e4 --- /dev/null +++ b/queue-6.1/revert-mtd-spi-nor-core-replace-dummy-buswidth-from-.patch-29714 @@ -0,0 +1,78 @@ +From 8af9f239b757837b0150e2ffe1447f2745f4b7a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2025 13:41:56 +0000 +Subject: Revert "mtd: spi-nor: core: replace dummy buswidth from addr to data" + +From: Pratyush Yadav + +[ Upstream commit d15638bf76ad47874ecb5dc386f0945fc0b2a875 ] + +This reverts commit 98d1fb94ce75f39febd456d6d3cbbe58b6678795. + +The commit uses data nbits instead of addr nbits for dummy phase. This +causes a regression for all boards where spi-tx-bus-width is smaller +than spi-rx-bus-width. It is a common pattern for boards to have +spi-tx-bus-width == 1 and spi-rx-bus-width > 1. The regression causes +all reads with a dummy phase to become unavailable for such boards, +leading to a usually slower 0-dummy-cycle read being selected. + +Most controllers' supports_op hooks call spi_mem_default_supports_op(). +In spi_mem_default_supports_op(), spi_mem_check_buswidth() is called to +check if the buswidths for the op can actually be supported by the +board's wiring. This wiring information comes from (among other things) +the spi-{tx,rx}-bus-width DT properties. Based on these properties, +SPI_TX_* or SPI_RX_* flags are set by of_spi_parse_dt(). +spi_mem_check_buswidth() then uses these flags to make the decision +whether an op can be supported by the board's wiring (in a way, +indirectly checking against spi-{rx,tx}-bus-width). + +Now the tricky bit here is that spi_mem_check_buswidth() does: + + if (op->dummy.nbytes && + spi_check_buswidth_req(mem, op->dummy.buswidth, true)) + return false; + +The true argument to spi_check_buswidth_req() means the op is treated as +a TX op. For a board that has say 1-bit TX and 4-bit RX, a 4-bit dummy +TX is considered as unsupported, and the op gets rejected. + +The commit being reverted uses the data buswidth for dummy buswidth. So +for reads, the RX buswidth gets used for the dummy phase, uncovering +this issue. In reality, a dummy phase is neither RX nor TX. As the name +suggests, these are just dummy cycles that send or receive no data, and +thus don't really need to have any buswidth at all. + +Ideally, dummy phases should not be checked against the board's wiring +capabilities at all, and should only be sanity-checked for having a sane +buswidth value. Since we are now at rc7 and such a change might +introduce many unexpected bugs, revert the commit for now. It can be +sent out later along with the spi_mem_check_buswidth() fix. + +Fixes: 98d1fb94ce75 ("mtd: spi-nor: core: replace dummy buswidth from addr to data") +Reported-by: Alexander Stein +Closes: https://lore.kernel.org/linux-mtd/3342163.44csPzL39Z@steina-w/ +Tested-by: Alexander Stein +Reviewed-by: Tudor Ambarus +Signed-off-by: Pratyush Yadav +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/spi-nor/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/spi-nor/core.c b/drivers/mtd/spi-nor/core.c +index e82ed9d5c6564..a9000b0ebe690 100644 +--- a/drivers/mtd/spi-nor/core.c ++++ b/drivers/mtd/spi-nor/core.c +@@ -90,7 +90,7 @@ void spi_nor_spimem_setup_op(const struct spi_nor *nor, + op->addr.buswidth = spi_nor_get_protocol_addr_nbits(proto); + + if (op->dummy.nbytes) +- op->dummy.buswidth = spi_nor_get_protocol_data_nbits(proto); ++ op->dummy.buswidth = spi_nor_get_protocol_addr_nbits(proto); + + if (op->data.nbytes) + op->data.buswidth = spi_nor_get_protocol_data_nbits(proto); +-- +2.39.5 + diff --git a/queue-6.1/scsi-ufs-core-honor-runtime-system-pm-levels-if-set-.patch b/queue-6.1/scsi-ufs-core-honor-runtime-system-pm-levels-if-set-.patch new file mode 100644 index 0000000000..2b2750ad09 --- /dev/null +++ b/queue-6.1/scsi-ufs-core-honor-runtime-system-pm-levels-if-set-.patch @@ -0,0 +1,50 @@ +From 631561656c21f6e2cffda7b5172f45162d2c864b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Dec 2024 22:20:42 +0530 +Subject: scsi: ufs: core: Honor runtime/system PM levels if set by host + controller drivers + +From: Manivannan Sadhasivam + +[ Upstream commit bb9850704c043e48c86cc9df90ee102e8a338229 ] + +Otherwise, the default levels will override the levels set by the host +controller drivers. + +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20241219-ufs-qcom-suspend-fix-v3-2-63c4b95a70b9@linaro.org +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/ufs/core/ufshcd.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c +index 1ea7ae78fca2c..c5115f6adbdc2 100644 +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -9879,14 +9879,17 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq) + } + + /* +- * Set the default power management level for runtime and system PM. ++ * Set the default power management level for runtime and system PM if ++ * not set by the host controller drivers. + * Default power saving mode is to keep UFS link in Hibern8 state + * and UFS device in sleep state. + */ +- hba->rpm_lvl = ufs_get_desired_pm_lvl_for_dev_link_state( ++ if (!hba->rpm_lvl) ++ hba->rpm_lvl = ufs_get_desired_pm_lvl_for_dev_link_state( + UFS_SLEEP_PWR_MODE, + UIC_LINK_HIBERN8_STATE); +- hba->spm_lvl = ufs_get_desired_pm_lvl_for_dev_link_state( ++ if (!hba->spm_lvl) ++ hba->spm_lvl = ufs_get_desired_pm_lvl_for_dev_link_state( + UFS_SLEEP_PWR_MODE, + UIC_LINK_HIBERN8_STATE); + +-- +2.39.5 + diff --git a/queue-6.1/selftests-tc-testing-reduce-rshift-value.patch b/queue-6.1/selftests-tc-testing-reduce-rshift-value.patch new file mode 100644 index 0000000000..e447ab15ff --- /dev/null +++ b/queue-6.1/selftests-tc-testing-reduce-rshift-value.patch @@ -0,0 +1,41 @@ +From a923417f6505bfcdb2472a8e066c34d074d8e9b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jan 2025 10:24:58 -0800 +Subject: selftests: tc-testing: reduce rshift value + +From: Jakub Kicinski + +[ Upstream commit e95274dfe86490ec2a5633035c24b2de6722841f ] + +After previous change rshift >= 32 is no longer allowed. +Modify the test to use 31, the test doesn't seem to send +any traffic so the exact value shouldn't matter. + +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20250103182458.1213486-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/tc-testing/tc-tests/filters/flow.json | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/tc-testing/tc-tests/filters/flow.json b/tools/testing/selftests/tc-testing/tc-tests/filters/flow.json +index 58189327f6444..383fbda07245c 100644 +--- a/tools/testing/selftests/tc-testing/tc-tests/filters/flow.json ++++ b/tools/testing/selftests/tc-testing/tc-tests/filters/flow.json +@@ -78,10 +78,10 @@ + "setup": [ + "$TC qdisc add dev $DEV1 ingress" + ], +- "cmdUnderTest": "$TC filter add dev $DEV1 parent ffff: handle 1 prio 1 protocol ip flow map key dst rshift 0xff", ++ "cmdUnderTest": "$TC filter add dev $DEV1 parent ffff: handle 1 prio 1 protocol ip flow map key dst rshift 0x1f", + "expExitCode": "0", + "verifyCmd": "$TC filter get dev $DEV1 parent ffff: handle 1 protocol ip prio 1 flow", +- "matchPattern": "filter parent ffff: protocol ip pref 1 flow chain [0-9]+ handle 0x1 map keys dst rshift 255 baseclass", ++ "matchPattern": "filter parent ffff: protocol ip pref 1 flow chain [0-9]+ handle 0x1 map keys dst rshift 31 baseclass", + "matchCount": "1", + "teardown": [ + "$TC qdisc del dev $DEV1 ingress" +-- +2.39.5 + diff --git a/queue-6.1/series b/queue-6.1/series index a7f70c1345..b01a508ffc 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -15,3 +15,31 @@ hwmon-tmp513-fix-division-of-negative-numbers.patch revert-mtd-spi-nor-core-replace-dummy-buswidth-from-.patch i2c-mux-demux-pinctrl-check-initial-mux-selection-to.patch i2c-rcar-fix-nack-handling-when-being-a-target.patch +net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field.patch-27995 +bpf-fix-bpf_sk_select_reuseport-memory-leak.patch-30571 +openvswitch-fix-lockup-on-tx-to-unregistering-netdev.patch-7431 +pktgen-avoid-out-of-bounds-access-in-get_imix_entrie.patch-15798 +net-add-exit_batch_rtnl-method.patch-29551 +gtp-use-exit_batch_rtnl-method.patch-2484 +gtp-use-for_each_netdev_rcu-in-gtp_genl_dump_pdp.patch-26374 +gtp-destroy-device-along-with-udp-socket-s-netns-dis.patch-10450 +nfp-bpf-prevent-integer-overflow-in-nfp_bpf_event_ou.patch-24124 +net-xilinx-axienet-fix-irq-coalescing-packet-count-o.patch-11613 +net-mlx5-fix-rdma-tx-steering-prio.patch-30502 +net-mlx5-clear-port-select-structure-when-fail-to-cr.patch-12234 +drm-v3d-ensure-job-pointer-is-set-to-null-after-job-.patch-13413 +hwmon-tmp513-fix-division-of-negative-numbers.patch-14292 +revert-mtd-spi-nor-core-replace-dummy-buswidth-from-.patch-29714 +i2c-mux-demux-pinctrl-check-initial-mux-selection-to.patch-2743 +i2c-rcar-fix-nack-handling-when-being-a-target.patch-16485 +nvmet-propagate-npwg-topology.patch +mac802154-check-local-interfaces-before-deleting-sda.patch +hfs-sanity-check-the-root-record.patch +fs-fix-missing-declaration-of-init_files.patch +kheaders-ignore-silly-rename-files.patch +cachefiles-parse-the-secctx-immediately.patch +scsi-ufs-core-honor-runtime-system-pm-levels-if-set-.patch +selftests-tc-testing-reduce-rshift-value.patch +acpi-resource-acpi_dev_irq_override-check-dmi-match-.patch +iomap-avoid-avoid-truncating-64-bit-offset-to-32-bit.patch +poll_wait-add-mb-to-fix-theoretical-race-between-wai.patch