From: Sasha Levin
Date: Tue, 18 Nov 2025 02:44:39 +0000 (-0500)
Subject: Fixes for all trees
X-Git-Tag: v6.6.117~43
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a04090fd3110cc8f846bfd7cd6965a81ce4420ef;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for all trees
Signed-off-by: Sasha Levin
---
diff --git a/queue-5.10/mtd-onenand-pass-correct-pointer-to-irq-handler.patch b/queue-5.10/mtd-onenand-pass-correct-pointer-to-irq-handler.patch
new file mode 100644
index 0000000000..c30865c191
--- /dev/null
+++ b/queue-5.10/mtd-onenand-pass-correct-pointer-to-irq-handler.patch
@@ -0,0 +1,38 @@
+From 9a4cd471fb1c6f8fdc8f5dcdaa0e5d8247586ca1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 1 Nov 2025 16:25:48 +0300
+Subject: mtd: onenand: Pass correct pointer to IRQ handler
+
+From: Dan Carpenter
+
+[ Upstream commit 97315e7c901a1de60e8ca9b11e0e96d0f9253e18 ]
+
+This was supposed to pass "onenand" instead of "&onenand" with the
+ampersand. Passing a random stack address which will be gone when the
+function ends makes no sense. However the good thing is that the pointer
+is never used, so this doesn't cause a problem at run time.
+
+Fixes: e23abf4b7743 ("mtd: OneNAND: S5PC110: Implement DMA interrupt method")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Miquel Raynal
+Signed-off-by: Sasha Levin
+---
+ drivers/mtd/nand/onenand/onenand_samsung.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/onenand/onenand_samsung.c b/drivers/mtd/nand/onenand/onenand_samsung.c
+index 87b28e397d671..d51d3ff6f0a3c 100644
+--- a/drivers/mtd/nand/onenand/onenand_samsung.c
++++ b/drivers/mtd/nand/onenand/onenand_samsung.c
+@@ -908,7 +908,7 @@ static int s3c_onenand_probe(struct platform_device *pdev)
+ err = devm_request_irq(&pdev->dev, r->start,
+ s5pc110_onenand_irq,
+ IRQF_SHARED, "onenand",
+- &onenand);
++ onenand);
+ if (err) {
+ dev_err(&pdev->dev, "failed to get irq\n");
+ return err;
+--
+2.51.0
+
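Review bot: With `IRQF_SHARED`, the last argument of `devm_request_irq()` in `s3c_onenand_probe()` is the cookie the IRQ core uses to tell shared handlers apart, and a NULL cookie is rejected for shared lines, so the new `onenand` argument is only valid if `onenand` has already been assigned when this call runs. The old `&onenand` could never be NULL; the part of the probe body before this call is outside the hunk, so the assignment should be confirmed in each target tree before queuing. Once that is confirmed, a one-line comment above the call would record the requirement, for example `/* dev_id must be non-NULL for IRQF_SHARED */`. The same applies to the queue-5.15, queue-6.1 and queue-6.12 copies of this patch.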
diff --git a/queue-5.10/netfilter-nf_tables-reject-duplicate-device-on-updat.patch b/queue-5.10/netfilter-nf_tables-reject-duplicate-device-on-updat.patch
new file mode 100644
index 0000000000..e951163160
--- /dev/null
+++ b/queue-5.10/netfilter-nf_tables-reject-duplicate-device-on-updat.patch
@@ -0,0 +1,69 @@ +From c6327c0a9590d2663d840cb6df3070cb6057c72d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 21:40:46 +0000 +Subject: netfilter: nf_tables: reject duplicate device on updates + +From: Pablo Neira Ayuso + +commit cf5fb87fcdaaaafec55dcc0dc5a9e15ead343973 upstream. + +A chain/flowtable update with duplicated devices in the same batch is +possible. Unfortunately, netdev event path only removes the first +device that is found, leaving unregistered the hook of the duplicated +device. + +Check if a duplicated device exists in the transaction batch, bail out +with EEXIST in such case. + +WARNING is hit when unregistering the hook: + + [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150 + [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full) + [...] + [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150 + +Fixes: 78d9f48f7f44 ("netfilter: nf_tables: add devices to existing flowtable") +Fixes: b9703ed44ffb ("netfilter: nf_tables: support for adding new devices to an existing netdev chain") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 8e799848cbcc1..dcb35be8b2af2 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -7105,6 +7105,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, + { + const struct nlattr * const *nla = ctx->nla; + struct nft_flowtable_hook flowtable_hook; ++ struct nftables_pernet *nft_net; + struct nft_hook *hook, *next; + struct nft_trans *trans; + bool unregister = false; +@@ -7120,6 +7121,20 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, + if (nft_hook_list_find(&flowtable->hook_list, hook)) { + 
list_del(&hook->list); + kfree(hook); ++ continue; ++ } ++ ++ nft_net = net_generic(ctx->net, nf_tables_net_id); ++ list_for_each_entry(trans, &nft_net->commit_list, list) { ++ if (trans->msg_type != NFT_MSG_NEWFLOWTABLE || ++ trans->ctx.table != ctx->table || ++ !nft_trans_flowtable_update(trans)) ++ continue; ++ ++ if (nft_hook_list_find(&nft_trans_flowtable_hooks(trans), hook)) { ++ err = -EEXIST; ++ goto err_flowtable_update_hook; ++ } + } + } + +-- +2.51.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 5862e0e41a..674be8875d 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -200,3 +200,5 @@ alsa-usb-audio-fix-null-pointer-dereference-in-snd_u.patch fsdax-mark-the-iomap-argument-to-dax_iomap_sector-as.patch mm-ksm-fix-flag-dropping-behavior-in-ksm_madvise.patch lib-crypto-arm-curve25519-disable-on-cpu_big_endian.patch +mtd-onenand-pass-correct-pointer-to-irq-handler.patch +netfilter-nf_tables-reject-duplicate-device-on-updat.patch diff --git a/queue-5.15/mtd-onenand-pass-correct-pointer-to-irq-handler.patch b/queue-5.15/mtd-onenand-pass-correct-pointer-to-irq-handler.patch new file mode 100644 index 0000000000..154db1888e --- /dev/null +++ b/queue-5.15/mtd-onenand-pass-correct-pointer-to-irq-handler.patch 
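Review bot: The description and the second `Fixes:` trailer cover the netdev-chain update path as well, but this backport adds the duplicate-device check to `nft_flowtable_update()` only (15 insertions, one function). If this tree carries the chain-update path from b9703ed44ffb, a duplicated device can still be queued there within one batch; if it does not, a short backport note in the description saying so would save the next reader that check. Separately, `nft_net = net_generic(ctx->net, nf_tables_net_id);` is loop-invariant but is re-evaluated for every hook, and can be assigned once before the hook loop. The function starts and ends outside both hunks, and the queue-5.15 and queue-6.1 copies have the same shape with `nft_pernet(ctx->net)` as the lookup.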
@@ -0,0 +1,38 @@
+From 9ed44f1d9140990ec7bfde5ffdea4c0237a56c0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 1 Nov 2025 16:25:48 +0300
+Subject: mtd: onenand: Pass correct pointer to IRQ handler
+
+From: Dan Carpenter
+
+[ Upstream commit 97315e7c901a1de60e8ca9b11e0e96d0f9253e18 ]
+
+This was supposed to pass "onenand" instead of "&onenand" with the
+ampersand. Passing a random stack address which will be gone when the
+function ends makes no sense. However the good thing is that the pointer
+is never used, so this doesn't cause a problem at run time.
+
+Fixes: e23abf4b7743 ("mtd: OneNAND: S5PC110: Implement DMA interrupt method")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Miquel Raynal
+Signed-off-by: Sasha Levin
+---
+ drivers/mtd/nand/onenand/onenand_samsung.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/onenand/onenand_samsung.c b/drivers/mtd/nand/onenand/onenand_samsung.c
+index b64895573515e..48608632280c5 100644
+--- a/drivers/mtd/nand/onenand/onenand_samsung.c
++++ b/drivers/mtd/nand/onenand/onenand_samsung.c
+@@ -909,7 +909,7 @@ static int s3c_onenand_probe(struct platform_device *pdev)
+ err = devm_request_irq(&pdev->dev, r->start,
+ s5pc110_onenand_irq,
+ IRQF_SHARED, "onenand",
+- &onenand);
++ onenand);
+ if (err) {
+ dev_err(&pdev->dev, "failed to get irq\n");
+ return err;
+--
+2.51.0
+
diff --git a/queue-5.15/netfilter-nf_tables-reject-duplicate-device-on-updat.patch b/queue-5.15/netfilter-nf_tables-reject-duplicate-device-on-updat.patch
new file mode 100644
index 0000000000..587599547a
--- /dev/null
+++ b/queue-5.15/netfilter-nf_tables-reject-duplicate-device-on-updat.patch
@@ -0,0 +1,69 @@ +From ddf4cdd0f09a86eba506b4cec6dfaaf4e98ef3c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 21:40:23 +0000 +Subject: netfilter: nf_tables: reject duplicate device on updates + +From: Pablo Neira Ayuso + +commit cf5fb87fcdaaaafec55dcc0dc5a9e15ead343973 upstream. + +A chain/flowtable update with duplicated devices in the same batch is +possible. Unfortunately, netdev event path only removes the first +device that is found, leaving unregistered the hook of the duplicated +device. + +Check if a duplicated device exists in the transaction batch, bail out +with EEXIST in such case. + +WARNING is hit when unregistering the hook: + + [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150 + [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full) + [...] + [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150 + +Fixes: 78d9f48f7f44 ("netfilter: nf_tables: add devices to existing flowtable") +Fixes: b9703ed44ffb ("netfilter: nf_tables: support for adding new devices to an existing netdev chain") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 33d03340d9fc8..91b012e476be6 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -7893,6 +7893,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, + { + const struct nlattr * const *nla = ctx->nla; + struct nft_flowtable_hook flowtable_hook; ++ struct nftables_pernet *nft_net; + struct nft_hook *hook, *next; + struct nft_trans *trans; + bool unregister = false; +@@ -7908,6 +7909,20 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, + if (nft_hook_list_find(&flowtable->hook_list, hook)) { + 
list_del(&hook->list); + kfree(hook); ++ continue; ++ } ++ ++ nft_net = nft_pernet(ctx->net); ++ list_for_each_entry(trans, &nft_net->commit_list, list) { ++ if (trans->msg_type != NFT_MSG_NEWFLOWTABLE || ++ trans->ctx.table != ctx->table || ++ !nft_trans_flowtable_update(trans)) ++ continue; ++ ++ if (nft_hook_list_find(&nft_trans_flowtable_hooks(trans), hook)) { ++ err = -EEXIST; ++ goto err_flowtable_update_hook; ++ } + } + } + +-- +2.51.0 + diff --git a/queue-5.15/series b/queue-5.15/series index e2b7baeb83..917edc2521 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -266,3 +266,5 @@ bpf-add-bpf_prog_run_data_pointers.patch mptcp-pm-in-kernel-c-flag-handle-late-add_addr.patch mm-ksm-fix-flag-dropping-behavior-in-ksm_madvise.patch lib-crypto-arm-curve25519-disable-on-cpu_big_endian.patch +mtd-onenand-pass-correct-pointer-to-irq-handler.patch +netfilter-nf_tables-reject-duplicate-device-on-updat.patch diff --git a/queue-6.1/asm-generic-unify-uapi-bitsperlong.h-for-arm64-riscv.patch b/queue-6.1/asm-generic-unify-uapi-bitsperlong.h-for-arm64-riscv.patch new file mode 100644 index 0000000000..758230aa20 --- /dev/null +++ b/queue-6.1/asm-generic-unify-uapi-bitsperlong.h-for-arm64-riscv.patch 
@@ -0,0 +1,250 @@ +From 02e56679c15797e3402525af5687e35ea19cc5b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jun 2023 22:13:38 +0800 +Subject: asm-generic: Unify uapi bitsperlong.h for arm64, riscv and loongarch + +From: Tiezhu Yang + +[ Upstream commit 8386f58f8deda81110283798a387fb53ec21957c ] + +Now we specify the minimal version of GCC as 5.1 and Clang/LLVM as 11.0.0 +in Documentation/process/changes.rst, __CHAR_BIT__ and __SIZEOF_LONG__ are +usable, it is probably fine to unify the definition of __BITS_PER_LONG as +(__CHAR_BIT__ * __SIZEOF_LONG__) in asm-generic uapi bitsperlong.h. + +In order to keep safe and avoid regression, only unify uapi bitsperlong.h +for some archs such as arm64, riscv and loongarch which are using newer +toolchains that have the definitions of __CHAR_BIT__ and __SIZEOF_LONG__. + +Suggested-by: Xi Ruoyao +Link: https://lore.kernel.org/all/d3e255e4746de44c9903c4433616d44ffcf18d1b.camel@xry111.site/ +Suggested-by: Arnd Bergmann +Link: https://lore.kernel.org/linux-arch/a3a4f48a-07d4-4ed9-bc53-5d383428bdd2@app.fastmail.com/ +Signed-off-by: Tiezhu Yang +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm64/include/uapi/asm/bitsperlong.h | 24 ------------------- + arch/loongarch/include/uapi/asm/bitsperlong.h | 9 ------- + arch/riscv/include/uapi/asm/bitsperlong.h | 14 ----------- + include/uapi/asm-generic/bitsperlong.h | 13 +++++++++- + .../arch/arm64/include/uapi/asm/bitsperlong.h | 24 ------------------- + .../arch/riscv/include/uapi/asm/bitsperlong.h | 14 ----------- + tools/include/uapi/asm-generic/bitsperlong.h | 14 ++++++++++- + tools/include/uapi/asm/bitsperlong.h | 6 ----- + 8 files changed, 25 insertions(+), 93 deletions(-) + delete mode 100644 arch/arm64/include/uapi/asm/bitsperlong.h + delete mode 100644 arch/loongarch/include/uapi/asm/bitsperlong.h + delete mode 100644 arch/riscv/include/uapi/asm/bitsperlong.h + delete mode 100644 tools/arch/arm64/include/uapi/asm/bitsperlong.h + delete mode 
100644 tools/arch/riscv/include/uapi/asm/bitsperlong.h + +diff --git a/arch/arm64/include/uapi/asm/bitsperlong.h b/arch/arm64/include/uapi/asm/bitsperlong.h +deleted file mode 100644 +index 485d60bee26ca..0000000000000 +--- a/arch/arm64/include/uapi/asm/bitsperlong.h ++++ /dev/null +@@ -1,24 +0,0 @@ +-/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ +-/* +- * Copyright (C) 2012 ARM Ltd. +- * +- * This program is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License version 2 as +- * published by the Free Software Foundation. +- * +- * This program is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- * GNU General Public License for more details. +- * +- * You should have received a copy of the GNU General Public License +- * along with this program. If not, see . +- */ +-#ifndef __ASM_BITSPERLONG_H +-#define __ASM_BITSPERLONG_H +- +-#define __BITS_PER_LONG 64 +- +-#include +- +-#endif /* __ASM_BITSPERLONG_H */ +diff --git a/arch/loongarch/include/uapi/asm/bitsperlong.h b/arch/loongarch/include/uapi/asm/bitsperlong.h +deleted file mode 100644 +index 00b4ba1e5cdf0..0000000000000 +--- a/arch/loongarch/include/uapi/asm/bitsperlong.h ++++ /dev/null +@@ -1,9 +0,0 @@ +-/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ +-#ifndef __ASM_LOONGARCH_BITSPERLONG_H +-#define __ASM_LOONGARCH_BITSPERLONG_H +- +-#define __BITS_PER_LONG (__SIZEOF_LONG__ * 8) +- +-#include +- +-#endif /* __ASM_LOONGARCH_BITSPERLONG_H */ +diff --git a/arch/riscv/include/uapi/asm/bitsperlong.h b/arch/riscv/include/uapi/asm/bitsperlong.h +deleted file mode 100644 +index 7d0b32e3b7017..0000000000000 +--- a/arch/riscv/include/uapi/asm/bitsperlong.h ++++ /dev/null +@@ -1,14 +0,0 @@ +-/* SPDX-License-Identifier: GPL-2.0-only WITH Linux-syscall-note */ +-/* +- * Copyright (C) 2012 ARM Ltd. 
+- * Copyright (C) 2015 Regents of the University of California +- */ +- +-#ifndef _UAPI_ASM_RISCV_BITSPERLONG_H +-#define _UAPI_ASM_RISCV_BITSPERLONG_H +- +-#define __BITS_PER_LONG (__SIZEOF_POINTER__ * 8) +- +-#include +- +-#endif /* _UAPI_ASM_RISCV_BITSPERLONG_H */ +diff --git a/include/uapi/asm-generic/bitsperlong.h b/include/uapi/asm-generic/bitsperlong.h +index 693d9a40eb7b0..352cb81947b87 100644 +--- a/include/uapi/asm-generic/bitsperlong.h ++++ b/include/uapi/asm-generic/bitsperlong.h +@@ -2,6 +2,17 @@ + #ifndef _UAPI__ASM_GENERIC_BITS_PER_LONG + #define _UAPI__ASM_GENERIC_BITS_PER_LONG + ++#ifndef __BITS_PER_LONG ++/* ++ * In order to keep safe and avoid regression, only unify uapi ++ * bitsperlong.h for some archs which are using newer toolchains ++ * that have the definitions of __CHAR_BIT__ and __SIZEOF_LONG__. ++ * See the following link for more info: ++ * https://lore.kernel.org/linux-arch/b9624545-2c80-49a1-ac3c-39264a591f7b@app.fastmail.com/ ++ */ ++#if defined(__CHAR_BIT__) && defined(__SIZEOF_LONG__) ++#define __BITS_PER_LONG (__CHAR_BIT__ * __SIZEOF_LONG__) ++#else + /* + * There seems to be no way of detecting this automatically from user + * space, so 64 bit architectures should override this in their +@@ -9,8 +20,8 @@ + * both 32 and 64 bit user space must not rely on CONFIG_64BIT + * to decide it, but rather check a compiler provided macro. + */ +-#ifndef __BITS_PER_LONG + #define __BITS_PER_LONG 32 + #endif ++#endif + + #endif /* _UAPI__ASM_GENERIC_BITS_PER_LONG */ +diff --git a/tools/arch/arm64/include/uapi/asm/bitsperlong.h b/tools/arch/arm64/include/uapi/asm/bitsperlong.h +deleted file mode 100644 +index 485d60bee26ca..0000000000000 +--- a/tools/arch/arm64/include/uapi/asm/bitsperlong.h ++++ /dev/null +@@ -1,24 +0,0 @@ +-/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ +-/* +- * Copyright (C) 2012 ARM Ltd. 
+- * +- * This program is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License version 2 as +- * published by the Free Software Foundation. +- * +- * This program is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- * GNU General Public License for more details. +- * +- * You should have received a copy of the GNU General Public License +- * along with this program. If not, see . +- */ +-#ifndef __ASM_BITSPERLONG_H +-#define __ASM_BITSPERLONG_H +- +-#define __BITS_PER_LONG 64 +- +-#include +- +-#endif /* __ASM_BITSPERLONG_H */ +diff --git a/tools/arch/riscv/include/uapi/asm/bitsperlong.h b/tools/arch/riscv/include/uapi/asm/bitsperlong.h +deleted file mode 100644 +index 0b9b58b57ff6e..0000000000000 +--- a/tools/arch/riscv/include/uapi/asm/bitsperlong.h ++++ /dev/null +@@ -1,14 +0,0 @@ +-/* SPDX-License-Identifier: GPL-2.0-only */ +-/* +- * Copyright (C) 2012 ARM Ltd. +- * Copyright (C) 2015 Regents of the University of California +- */ +- +-#ifndef _UAPI_ASM_RISCV_BITSPERLONG_H +-#define _UAPI_ASM_RISCV_BITSPERLONG_H +- +-#define __BITS_PER_LONG (__SIZEOF_POINTER__ * 8) +- +-#include +- +-#endif /* _UAPI_ASM_RISCV_BITSPERLONG_H */ +diff --git a/tools/include/uapi/asm-generic/bitsperlong.h b/tools/include/uapi/asm-generic/bitsperlong.h +index 23e6c416b85fc..352cb81947b87 100644 +--- a/tools/include/uapi/asm-generic/bitsperlong.h ++++ b/tools/include/uapi/asm-generic/bitsperlong.h +@@ -1,6 +1,18 @@ ++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ + #ifndef _UAPI__ASM_GENERIC_BITS_PER_LONG + #define _UAPI__ASM_GENERIC_BITS_PER_LONG + ++#ifndef __BITS_PER_LONG ++/* ++ * In order to keep safe and avoid regression, only unify uapi ++ * bitsperlong.h for some archs which are using newer toolchains ++ * that have the definitions of __CHAR_BIT__ and __SIZEOF_LONG__. 
++ * See the following link for more info: ++ * https://lore.kernel.org/linux-arch/b9624545-2c80-49a1-ac3c-39264a591f7b@app.fastmail.com/ ++ */ ++#if defined(__CHAR_BIT__) && defined(__SIZEOF_LONG__) ++#define __BITS_PER_LONG (__CHAR_BIT__ * __SIZEOF_LONG__) ++#else + /* + * There seems to be no way of detecting this automatically from user + * space, so 64 bit architectures should override this in their +@@ -8,8 +20,8 @@ + * both 32 and 64 bit user space must not rely on CONFIG_64BIT + * to decide it, but rather check a compiler provided macro. + */ +-#ifndef __BITS_PER_LONG + #define __BITS_PER_LONG 32 + #endif ++#endif + + #endif /* _UAPI__ASM_GENERIC_BITS_PER_LONG */ +diff --git a/tools/include/uapi/asm/bitsperlong.h b/tools/include/uapi/asm/bitsperlong.h +index da52065171581..c65267afc3415 100644 +--- a/tools/include/uapi/asm/bitsperlong.h ++++ b/tools/include/uapi/asm/bitsperlong.h +@@ -1,8 +1,6 @@ + /* SPDX-License-Identifier: GPL-2.0 */ + #if defined(__i386__) || defined(__x86_64__) + #include "../../../arch/x86/include/uapi/asm/bitsperlong.h" +-#elif defined(__aarch64__) +-#include "../../../arch/arm64/include/uapi/asm/bitsperlong.h" + #elif defined(__powerpc__) + #include "../../../arch/powerpc/include/uapi/asm/bitsperlong.h" + #elif defined(__s390__) +@@ -13,12 +11,8 @@ + #include "../../../arch/mips/include/uapi/asm/bitsperlong.h" + #elif defined(__ia64__) + #include "../../../arch/ia64/include/uapi/asm/bitsperlong.h" +-#elif defined(__riscv) +-#include "../../../arch/riscv/include/uapi/asm/bitsperlong.h" + #elif defined(__alpha__) + #include "../../../arch/alpha/include/uapi/asm/bitsperlong.h" +-#elif defined(__loongarch__) +-#include "../../../arch/loongarch/include/uapi/asm/bitsperlong.h" + #else + #include + #endif +-- +2.51.0 + diff --git a/queue-6.1/mtd-onenand-pass-correct-pointer-to-irq-handler.patch b/queue-6.1/mtd-onenand-pass-correct-pointer-to-irq-handler.patch new file mode 100644 index 0000000000..b8d18fcec3 --- /dev/null 
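Review bot: With the arm64, riscv and loongarch headers deleted, those architectures now fall through to the `#else` branch, `#define __BITS_PER_LONG 32`, whenever a userspace compiler does not predefine `__CHAR_BIT__` and `__SIZEOF_LONG__`, and that value is silently wrong on a 64-bit ABI. The retained comment above the fallback still says 64-bit architectures should override the value in their own header, which no longer describes these three; I would extend it with something like `/* arm64, riscv and loongarch rely on the compiler macros above; this fallback is only correct for 32-bit ABIs */`. riscv also moves from `__SIZEOF_POINTER__ * 8` to `__CHAR_BIT__ * __SIZEOF_LONG__`, which should agree on the usual ABIs but deserves a sentence in the description, since this is a uapi header change going into a stable tree.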
+++ b/queue-6.1/mtd-onenand-pass-correct-pointer-to-irq-handler.patch
@@ -0,0 +1,38 @@
+From c15007d3c1d1d69d89725629db8a04e4d81fbc31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 1 Nov 2025 16:25:48 +0300
+Subject: mtd: onenand: Pass correct pointer to IRQ handler
+
+From: Dan Carpenter
+
+[ Upstream commit 97315e7c901a1de60e8ca9b11e0e96d0f9253e18 ]
+
+This was supposed to pass "onenand" instead of "&onenand" with the
+ampersand. Passing a random stack address which will be gone when the
+function ends makes no sense. However the good thing is that the pointer
+is never used, so this doesn't cause a problem at run time.
+
+Fixes: e23abf4b7743 ("mtd: OneNAND: S5PC110: Implement DMA interrupt method")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Miquel Raynal
+Signed-off-by: Sasha Levin
+---
+ drivers/mtd/nand/onenand/onenand_samsung.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/onenand/onenand_samsung.c b/drivers/mtd/nand/onenand/onenand_samsung.c
+index b64895573515e..48608632280c5 100644
+--- a/drivers/mtd/nand/onenand/onenand_samsung.c
++++ b/drivers/mtd/nand/onenand/onenand_samsung.c
+@@ -909,7 +909,7 @@ static int s3c_onenand_probe(struct platform_device *pdev)
+ err = devm_request_irq(&pdev->dev, r->start,
+ s5pc110_onenand_irq,
+ IRQF_SHARED, "onenand",
+- &onenand);
++ onenand);
+ if (err) {
+ dev_err(&pdev->dev, "failed to get irq\n");
+ return err;
+--
+2.51.0
+
diff --git a/queue-6.1/netfilter-nf_tables-reject-duplicate-device-on-updat.patch b/queue-6.1/netfilter-nf_tables-reject-duplicate-device-on-updat.patch
new file mode 100644
index 0000000000..8aa4bbb889
--- /dev/null
+++ b/queue-6.1/netfilter-nf_tables-reject-duplicate-device-on-updat.patch
@@ -0,0 +1,69 @@ +From fb06be447e41a01dba8f1582bade15f985bf20b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 21:39:58 +0000 +Subject: netfilter: nf_tables: reject duplicate device on updates + +From: Pablo Neira Ayuso + +commit cf5fb87fcdaaaafec55dcc0dc5a9e15ead343973 upstream. + +A chain/flowtable update with duplicated devices in the same batch is +possible. Unfortunately, netdev event path only removes the first +device that is found, leaving unregistered the hook of the duplicated +device. + +Check if a duplicated device exists in the transaction batch, bail out +with EEXIST in such case. + +WARNING is hit when unregistering the hook: + + [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150 + [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full) + [...] + [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150 + +Fixes: 78d9f48f7f44 ("netfilter: nf_tables: add devices to existing flowtable") +Fixes: b9703ed44ffb ("netfilter: nf_tables: support for adding new devices to an existing netdev chain") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index df83224bef06c..b278f493cc93c 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -8078,6 +8078,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, + { + const struct nlattr * const *nla = ctx->nla; + struct nft_flowtable_hook flowtable_hook; ++ struct nftables_pernet *nft_net; + struct nft_hook *hook, *next; + struct nft_trans *trans; + bool unregister = false; +@@ -8093,6 +8094,20 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, + if (nft_hook_list_find(&flowtable->hook_list, hook)) { + 
list_del(&hook->list); + kfree(hook); ++ continue; ++ } ++ ++ nft_net = nft_pernet(ctx->net); ++ list_for_each_entry(trans, &nft_net->commit_list, list) { ++ if (trans->msg_type != NFT_MSG_NEWFLOWTABLE || ++ trans->ctx.table != ctx->table || ++ !nft_trans_flowtable_update(trans)) ++ continue; ++ ++ if (nft_hook_list_find(&nft_trans_flowtable_hooks(trans), hook)) { ++ err = -EEXIST; ++ goto err_flowtable_update_hook; ++ } + } + } + +-- +2.51.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 0409adb99f..0e7a763ad7 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -392,3 +392,6 @@ mm-mprotect-use-long-for-page-accountings-and-retval.patch espintcp-fix-skb-leaks.patch mm-mprotect-delete-pmd_none_or_clear_bad_unless_tran.patch lib-crypto-arm-curve25519-disable-on-cpu_big_endian.patch +asm-generic-unify-uapi-bitsperlong.h-for-arm64-riscv.patch +mtd-onenand-pass-correct-pointer-to-irq-handler.patch +netfilter-nf_tables-reject-duplicate-device-on-updat.patch diff --git a/queue-6.12/fs-namespace-correctly-handle-errors-returned-by-gra.patch b/queue-6.12/fs-namespace-correctly-handle-errors-returned-by-gra.patch new file mode 100644 index 0000000000..a296c10787 --- /dev/null +++ b/queue-6.12/fs-namespace-correctly-handle-errors-returned-by-gra.patch 
@@ -0,0 +1,141 @@ +From 3f164e56d35a1cfd25a5cba89bd5149b29cdf72d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 06:28:15 +0000 +Subject: fs/namespace: correctly handle errors returned by + grab_requested_mnt_ns + +From: Andrei Vagin + +[ Upstream commit 78f0e33cd6c939a555aa80dbed2fec6b333a7660 ] + +grab_requested_mnt_ns was changed to return error codes on failure, but +its callers were not updated to check for error pointers, still checking +only for a NULL return value. + +This commit updates the callers to use IS_ERR() or IS_ERR_OR_NULL() and +PTR_ERR() to correctly check for and propagate errors. + +This also makes sure that the logic actually works and mount namespace +file descriptors can be used to refere to mounts. + +Christian Brauner says: + +Rework the patch to be more ergonomic and in line with our overall error +handling patterns. + +Fixes: 7b9d14af8777 ("fs: allow mount namespace fd") +Cc: Christian Brauner +Signed-off-by: Andrei Vagin +Link: https://patch.msgid.link/20251111062815.2546189-1-avagin@google.com +Reviewed-by: Jan Kara +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/namespace.c | 32 ++++++++++++++++---------------- + include/uapi/linux/mount.h | 2 +- + 2 files changed, 17 insertions(+), 17 deletions(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index cc4926d53e7de..035d6f1f0b6ef 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -158,7 +158,8 @@ static void mnt_ns_release(struct mnt_namespace *ns) + kfree(ns); + } + } +-DEFINE_FREE(mnt_ns_release, struct mnt_namespace *, if (_T) mnt_ns_release(_T)) ++DEFINE_FREE(mnt_ns_release, struct mnt_namespace *, ++ if (!IS_ERR(_T)) mnt_ns_release(_T)) + + static void mnt_ns_tree_remove(struct mnt_namespace *ns) + { +@@ -5325,7 +5326,7 @@ static int copy_mnt_id_req(const struct mnt_id_req __user *req, + ret = copy_struct_from_user(kreq, sizeof(*kreq), req, usize); + if (ret) + return ret; +- if (kreq->spare != 0) ++ if (kreq->mnt_ns_fd != 0 && 
kreq->mnt_ns_id) + return -EINVAL; + /* The first valid unique mount id is MNT_UNIQUE_ID_OFFSET + 1. */ + if (kreq->mnt_id <= MNT_UNIQUE_ID_OFFSET) +@@ -5342,16 +5343,12 @@ static struct mnt_namespace *grab_requested_mnt_ns(const struct mnt_id_req *kreq + { + struct mnt_namespace *mnt_ns; + +- if (kreq->mnt_ns_id && kreq->spare) +- return ERR_PTR(-EINVAL); +- +- if (kreq->mnt_ns_id) +- return lookup_mnt_ns(kreq->mnt_ns_id); +- +- if (kreq->spare) { ++ if (kreq->mnt_ns_id) { ++ mnt_ns = lookup_mnt_ns(kreq->mnt_ns_id); ++ } else if (kreq->mnt_ns_fd) { + struct ns_common *ns; + +- CLASS(fd, f)(kreq->spare); ++ CLASS(fd, f)(kreq->mnt_ns_fd); + if (fd_empty(f)) + return ERR_PTR(-EBADF); + +@@ -5366,6 +5363,8 @@ static struct mnt_namespace *grab_requested_mnt_ns(const struct mnt_id_req *kreq + } else { + mnt_ns = current->nsproxy->mnt_ns; + } ++ if (!mnt_ns) ++ return ERR_PTR(-ENOENT); + + refcount_inc(&mnt_ns->passive); + return mnt_ns; +@@ -5390,8 +5389,8 @@ SYSCALL_DEFINE4(statmount, const struct mnt_id_req __user *, req, + return ret; + + ns = grab_requested_mnt_ns(&kreq); +- if (!ns) +- return -ENOENT; ++ if (IS_ERR(ns)) ++ return PTR_ERR(ns); + + if (kreq.mnt_ns_id && (ns != current->nsproxy->mnt_ns) && + !ns_capable_noaudit(ns->user_ns, CAP_SYS_ADMIN)) +@@ -5500,8 +5499,8 @@ static void __free_klistmount_free(const struct klistmount *kls) + static inline int prepare_klistmount(struct klistmount *kls, struct mnt_id_req *kreq, + size_t nr_mnt_ids) + { +- + u64 last_mnt_id = kreq->param; ++ struct mnt_namespace *ns; + + /* The first valid unique mount id is MNT_UNIQUE_ID_OFFSET + 1. 
*/ + if (last_mnt_id != 0 && last_mnt_id <= MNT_UNIQUE_ID_OFFSET) +@@ -5515,9 +5514,10 @@ static inline int prepare_klistmount(struct klistmount *kls, struct mnt_id_req * + if (!kls->kmnt_ids) + return -ENOMEM; + +- kls->ns = grab_requested_mnt_ns(kreq); +- if (!kls->ns) +- return -ENOENT; ++ ns = grab_requested_mnt_ns(kreq); ++ if (IS_ERR(ns)) ++ return PTR_ERR(ns); ++ kls->ns = ns; + + kls->mnt_parent_id = kreq->mnt_id; + return 0; +diff --git a/include/uapi/linux/mount.h b/include/uapi/linux/mount.h +index 225bc366ffcbf..dbf65f2ffcf33 100644 +--- a/include/uapi/linux/mount.h ++++ b/include/uapi/linux/mount.h +@@ -186,7 +186,7 @@ struct statmount { + */ + struct mnt_id_req { + __u32 size; +- __u32 spare; ++ __u32 mnt_ns_fd; + __u64 mnt_id; + __u64 param; + __u64 mnt_ns_id; +-- +2.51.0 + diff --git a/queue-6.12/hostfs-fix-only-passing-host-root-in-boot-stage-with.patch b/queue-6.12/hostfs-fix-only-passing-host-root-in-boot-stage-with.patch new file mode 100644 index 0000000000..7fe8ed25d6 --- /dev/null +++ b/queue-6.12/hostfs-fix-only-passing-host-root-in-boot-stage-with.patch 
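Review bot: The cleanup guard in `DEFINE_FREE(mnt_ns_release, ...)` changes from `if (_T)` to `if (!IS_ERR(_T))`, so a NULL pointer is now passed on to `mnt_ns_release()`; only the tail of that function is in the hunk, and nothing visible shows it accepting NULL. Any `__free(mnt_ns_release)` variable that is still NULL at scope exit would then be dereferenced, and `statmount` has a `return ret;` ahead of the `grab_requested_mnt_ns()` call, which looks like such a path if `ns` is declared that way. Unless this tree's `mnt_ns_release()` checks for NULL itself, the guard should read `if (!IS_ERR_OR_NULL(_T)) mnt_ns_release(_T)`. Also worth confirming: the `ns_capable_noaudit()` check in `statmount` is still conditioned on `kreq.mnt_ns_id`, so a namespace selected through the now-working `mnt_ns_fd` path does not pass through it.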
@@ -0,0 +1,98 @@ +From cfb591ac1fa82f391cb5306e595d1610607ed44b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Oct 2025 09:22:35 +0000 +Subject: hostfs: Fix only passing host root in boot stage with new mount + +From: Hongbo Li + +[ Upstream commit 2c2b67af5f5f77fc68261a137ad65dcfb8e52506 ] + +In the old mount proceedure, hostfs could only pass root directory during +boot. This is because it constructed the root directory using the @root_ino +event without any mount options. However, when using it with the new mount +API, this step is no longer triggered. As a result, if users mounts without +specifying any mount options, the @host_root_path remains uninitialized. To +prevent this issue, the @host_root_path should be initialized at the time +of allocation. + +Reported-by: Geoffrey Thorpe +Closes: https://lore.kernel.org/all/643333a0-f434-42fb-82ac-d25a0b56f3b7@geoffthorpe.net/ +Fixes: cd140ce9f611 ("hostfs: convert hostfs to use the new mount API") +Signed-off-by: Hongbo Li +Link: https://patch.msgid.link/20251011092235.29880-1-lihongbo22@huawei.com +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/hostfs/hostfs_kern.c | 29 ++++++++++++++++++----------- + 1 file changed, 18 insertions(+), 11 deletions(-) + +diff --git a/fs/hostfs/hostfs_kern.c b/fs/hostfs/hostfs_kern.c +index a16a7df0766cd..3e143b679156d 100644 +--- a/fs/hostfs/hostfs_kern.c ++++ b/fs/hostfs/hostfs_kern.c +@@ -972,7 +972,7 @@ static int hostfs_parse_param(struct fs_context *fc, struct fs_parameter *param) + { + struct hostfs_fs_info *fsi = fc->s_fs_info; + struct fs_parse_result result; +- char *host_root; ++ char *host_root, *tmp_root; + int opt; + + opt = fs_parse(fc, hostfs_param_specs, param, &result); +@@ -983,11 +983,13 @@ static int hostfs_parse_param(struct fs_context *fc, struct fs_parameter *param) + case Opt_hostfs: + host_root = param->string; + if (!*host_root) +- host_root = ""; +- fsi->host_root_path = +- kasprintf(GFP_KERNEL, "%s/%s", root_ino, 
host_root); +- if (fsi->host_root_path == NULL) ++ break; ++ tmp_root = kasprintf(GFP_KERNEL, "%s%s", ++ fsi->host_root_path, host_root); ++ if (!tmp_root) + return -ENOMEM; ++ kfree(fsi->host_root_path); ++ fsi->host_root_path = tmp_root; + break; + } + +@@ -997,17 +999,17 @@ static int hostfs_parse_param(struct fs_context *fc, struct fs_parameter *param) + static int hostfs_parse_monolithic(struct fs_context *fc, void *data) + { + struct hostfs_fs_info *fsi = fc->s_fs_info; +- char *host_root = (char *)data; ++ char *tmp_root, *host_root = (char *)data; + + /* NULL is printed as '(null)' by printf(): avoid that. */ + if (host_root == NULL) +- host_root = ""; ++ return 0; + +- fsi->host_root_path = +- kasprintf(GFP_KERNEL, "%s/%s", root_ino, host_root); +- if (fsi->host_root_path == NULL) ++ tmp_root = kasprintf(GFP_KERNEL, "%s%s", fsi->host_root_path, host_root); ++ if (!tmp_root) + return -ENOMEM; +- ++ kfree(fsi->host_root_path); ++ fsi->host_root_path = tmp_root; + return 0; + } + +@@ -1042,6 +1044,11 @@ static int hostfs_init_fs_context(struct fs_context *fc) + if (!fsi) + return -ENOMEM; + ++ fsi->host_root_path = kasprintf(GFP_KERNEL, "%s/", root_ino); ++ if (!fsi->host_root_path) { ++ kfree(fsi); ++ return -ENOMEM; ++ } + fc->s_fs_info = fsi; + fc->ops = &hostfs_context_ops; + return 0; +-- +2.51.0 + diff --git a/queue-6.12/mtd-onenand-pass-correct-pointer-to-irq-handler.patch b/queue-6.12/mtd-onenand-pass-correct-pointer-to-irq-handler.patch new file mode 100644 index 0000000000..2b9fda2bf4 --- /dev/null +++ b/queue-6.12/mtd-onenand-pass-correct-pointer-to-irq-handler.patch 
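Review bot: Both `hostfs_parse_param()` and `hostfs_parse_monolithic()` now append to `fsi->host_root_path` (format `"%s%s"` with the current path as the first argument), so if the `hostfs=` option is given more than once the second value is concatenated onto the first instead of replacing it. Building from the base each time keeps last-option-wins behaviour: `tmp_root = kasprintf(GFP_KERNEL, "%s/%s", root_ino, host_root);`. The new allocation in `hostfs_init_fs_context()` also means the path now exists for contexts that never reach a mount, so the context free routine, which is outside these hunks, should be checked to release it.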
@@ -0,0 +1,38 @@ +From 6691f827ebc35eb0e77f2da75c119eaa2dabe32a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Nov 2025 16:25:48 +0300 +Subject: mtd: onenand: Pass correct pointer to IRQ handler + +From: Dan Carpenter + +[ Upstream commit 97315e7c901a1de60e8ca9b11e0e96d0f9253e18 ] + +This was supposed to pass "onenand" instead of "&onenand" with the +ampersand. Passing a random stack address which will be gone when the +function ends makes no sense. However the good thing is that the pointer +is never used, so this doesn't cause a problem at run time. + +Fixes: e23abf4b7743 ("mtd: OneNAND: S5PC110: Implement DMA interrupt method") +Signed-off-by: Dan Carpenter +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/onenand/onenand_samsung.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/nand/onenand/onenand_samsung.c b/drivers/mtd/nand/onenand/onenand_samsung.c +index fd6890a03d557..0e21d443078e4 100644 +--- a/drivers/mtd/nand/onenand/onenand_samsung.c ++++ b/drivers/mtd/nand/onenand/onenand_samsung.c +@@ -906,7 +906,7 @@ static int s3c_onenand_probe(struct platform_device *pdev) + err = devm_request_irq(&pdev->dev, r->start, + s5pc110_onenand_irq, + IRQF_SHARED, "onenand", +- &onenand); ++ onenand); + if (err) { + dev_err(&pdev->dev, "failed to get irq\n"); + return err; +-- +2.51.0 + diff --git a/queue-6.12/netfilter-nf_tables-reject-duplicate-device-on-updat.patch b/queue-6.12/netfilter-nf_tables-reject-duplicate-device-on-updat.patch new file mode 100644 index 0000000000..8ea322a37c --- /dev/null +++ b/queue-6.12/netfilter-nf_tables-reject-duplicate-device-on-updat.patch 
@@ -0,0 +1,98 @@ +From 340c9425f5363ea73eb30b586cf48d807d617a6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 21:28:59 +0000 +Subject: netfilter: nf_tables: reject duplicate device on updates + +From: Pablo Neira Ayuso + +commit cf5fb87fcdaaaafec55dcc0dc5a9e15ead343973 upstream. + +A chain/flowtable update with duplicated devices in the same batch is +possible. Unfortunately, netdev event path only removes the first +device that is found, leaving unregistered the hook of the duplicated +device. + +Check if a duplicated device exists in the transaction batch, bail out +with EEXIST in such case. + +WARNING is hit when unregistering the hook: + + [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150 + [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full) + [...] + [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150 + +Fixes: 78d9f48f7f44 ("netfilter: nf_tables: add devices to existing flowtable") +Fixes: b9703ed44ffb ("netfilter: nf_tables: support for adding new devices to an existing netdev chain") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 2f3684dcbef8c..e1c617b488889 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2642,6 +2642,7 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, + struct nft_chain *chain = ctx->chain; + struct nft_chain_hook hook = {}; + struct nft_stats *stats = NULL; ++ struct nftables_pernet *nft_net; + struct nft_hook *h, *next; + struct nf_hook_ops *ops; + struct nft_trans *trans; +@@ -2682,6 +2683,20 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, + if (nft_hook_list_find(&basechain->hook_list, h)) { + 
list_del(&h->list); + kfree(h); ++ continue; ++ } ++ ++ nft_net = nft_pernet(ctx->net); ++ list_for_each_entry(trans, &nft_net->commit_list, list) { ++ if (trans->msg_type != NFT_MSG_NEWCHAIN || ++ trans->table != ctx->table || ++ !nft_trans_chain_update(trans)) ++ continue; ++ ++ if (nft_hook_list_find(&nft_trans_chain_hooks(trans), h)) { ++ nft_chain_release_hook(&hook); ++ return -EEXIST; ++ } + } + } + } else { +@@ -8686,6 +8701,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, + { + const struct nlattr * const *nla = ctx->nla; + struct nft_flowtable_hook flowtable_hook; ++ struct nftables_pernet *nft_net; + struct nft_hook *hook, *next; + struct nft_trans *trans; + bool unregister = false; +@@ -8701,6 +8717,20 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh, + if (nft_hook_list_find(&flowtable->hook_list, hook)) { + list_del(&hook->list); + kfree(hook); ++ continue; ++ } ++ ++ nft_net = nft_pernet(ctx->net); ++ list_for_each_entry(trans, &nft_net->commit_list, list) { ++ if (trans->msg_type != NFT_MSG_NEWFLOWTABLE || ++ trans->table != ctx->table || ++ !nft_trans_flowtable_update(trans)) ++ continue; ++ ++ if (nft_hook_list_find(&nft_trans_flowtable_hooks(trans), hook)) { ++ err = -EEXIST; ++ goto err_flowtable_update_hook; ++ } + } + } + +-- +2.51.0 + diff --git a/queue-6.12/revert-netfilter-nf_tables-reintroduce-shortened-del.patch b/queue-6.12/revert-netfilter-nf_tables-reintroduce-shortened-del.patch new file mode 100644 index 0000000000..85dd0ab8dd --- /dev/null +++ b/queue-6.12/revert-netfilter-nf_tables-reintroduce-shortened-del.patch 
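Review bot: The commit-list scan added to `nf_tables_updchain()` filters transactions by message type, table and update flag only, so it also matches pending updates of other chains in the same table. If two netdev chains in one table are allowed to hook the same device, a batch that adds it to both would now fail with -EEXIST; if that is not intended, the filter could also require that the transaction's chain is `ctx->chain`. The hunk in `nft_flowtable_update()` uses the same table-wide filter. Separately, `nft_net = nft_pernet(ctx->net);` is loop-invariant in both hunks and can be assigned once before the hook loop. Both functions continue outside the hunks, so the later use of `trans` after it served as the list cursor could not be checked here.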
@@ -0,0 +1,102 @@ +From fb3881b0eaa0d10a3720496b7035d95b7cd6ea40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 21:28:58 +0000 +Subject: Revert "netfilter: nf_tables: Reintroduce shortened deletion + notifications" + +From: Pablo Neira Ayuso + +This is a partial revert of commit dbe85d3115c7e6b5124c8b028f4f602856ea51dd. + +This update breaks old nftables userspace because monitor parser cannot +handle this shortened deletion, this patch was added as a Stable-dep:, +let's revert it. + +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 36 ++--------------------------------- + 1 file changed, 2 insertions(+), 34 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 3028d388b2933..2f3684dcbef8c 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -1032,12 +1032,6 @@ static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net, + NFTA_TABLE_PAD)) + goto nla_put_failure; + +- if (event == NFT_MSG_DELTABLE || +- event == NFT_MSG_DESTROYTABLE) { +- nlmsg_end(skb, nlh); +- return 0; +- } +- + if (nla_put_be32(skb, NFTA_TABLE_FLAGS, + htonl(table->flags & NFT_TABLE_F_MASK))) + goto nla_put_failure; +@@ -1893,13 +1887,6 @@ static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net, + NFTA_CHAIN_PAD)) + goto nla_put_failure; + +- if (!hook_list && +- (event == NFT_MSG_DELCHAIN || +- event == NFT_MSG_DESTROYCHAIN)) { +- nlmsg_end(skb, nlh); +- return 0; +- } +- + if (nft_is_base_chain(chain)) { + const struct nft_base_chain *basechain = nft_base_chain(chain); + struct nft_stats __percpu *stats; +@@ -4685,12 +4672,6 @@ static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, + NFTA_SET_PAD)) + goto nla_put_failure; + +- if (event == NFT_MSG_DELSET || +- event == NFT_MSG_DESTROYSET) { +- nlmsg_end(skb, nlh); +- return 0; +- } +- + if (set->flags != 0) + if (nla_put_be32(skb, 
NFTA_SET_FLAGS, htonl(set->flags))) + goto nla_put_failure; +@@ -8021,18 +8002,12 @@ static int nf_tables_fill_obj_info(struct sk_buff *skb, struct net *net, + + if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) || + nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) || +- nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) || + nla_put_be64(skb, NFTA_OBJ_HANDLE, cpu_to_be64(obj->handle), + NFTA_OBJ_PAD)) + goto nla_put_failure; + +- if (event == NFT_MSG_DELOBJ || +- event == NFT_MSG_DESTROYOBJ) { +- nlmsg_end(skb, nlh); +- return 0; +- } +- +- if (nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) || ++ if (nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) || ++ nla_put_be32(skb, NFTA_OBJ_USE, htonl(obj->use)) || + nft_object_dump(skb, NFTA_OBJ_DATA, obj, reset)) + goto nla_put_failure; + +@@ -9048,13 +9023,6 @@ static int nf_tables_fill_flowtable_info(struct sk_buff *skb, struct net *net, + NFTA_FLOWTABLE_PAD)) + goto nla_put_failure; + +- if (!hook_list && +- (event == NFT_MSG_DELFLOWTABLE || +- event == NFT_MSG_DESTROYFLOWTABLE)) { +- nlmsg_end(skb, nlh); +- return 0; +- } +- + if (nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) || + nla_put_be32(skb, NFTA_FLOWTABLE_FLAGS, htonl(flowtable->data.flags))) + goto nla_put_failure; +-- +2.51.0 + diff --git a/queue-6.12/sched_ext-fix-unsafe-locking-in-the-scx_dump_state.patch b/queue-6.12/sched_ext-fix-unsafe-locking-in-the-scx_dump_state.patch new file mode 100644 index 0000000000..02e6ff1172 --- /dev/null +++ b/queue-6.12/sched_ext-fix-unsafe-locking-in-the-scx_dump_state.patch 
@@ -0,0 +1,133 @@ +From 96c22b9425cdb711e8a61f9b5ae290ba5ac6d8b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 15:33:28 +0800 +Subject: sched_ext: Fix unsafe locking in the scx_dump_state() + +From: Zqiang + +[ Upstream commit 5f02151c411dda46efcc5dc57b0845efcdcfc26d ] + +For built with CONFIG_PREEMPT_RT=y kernels, the dump_lock will be converted +sleepable spinlock and not disable-irq, so the following scenarios occur: + +inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. +irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes: +(&rq->__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40 +{IN-HARDIRQ-W} state was registered at: + lock_acquire+0x1e1/0x510 + _raw_spin_lock_nested+0x42/0x80 + raw_spin_rq_lock_nested+0x2b/0x40 + sched_tick+0xae/0x7b0 + update_process_times+0x14c/0x1b0 + tick_periodic+0x62/0x1f0 + tick_handle_periodic+0x48/0xf0 + timer_interrupt+0x55/0x80 + __handle_irq_event_percpu+0x20a/0x5c0 + handle_irq_event_percpu+0x18/0xc0 + handle_irq_event+0xb5/0x150 + handle_level_irq+0x220/0x460 + __common_interrupt+0xa2/0x1e0 + common_interrupt+0xb0/0xd0 + asm_common_interrupt+0x2b/0x40 + _raw_spin_unlock_irqrestore+0x45/0x80 + __setup_irq+0xc34/0x1a30 + request_threaded_irq+0x214/0x2f0 + hpet_time_init+0x3e/0x60 + x86_late_time_init+0x5b/0xb0 + start_kernel+0x308/0x410 + x86_64_start_reservations+0x1c/0x30 + x86_64_start_kernel+0x96/0xa0 + common_startup_64+0x13e/0x148 + + other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&rq->__lock); + + lock(&rq->__lock); + + *** DEADLOCK *** + + stack backtrace: + CPU: 0 UID: 0 PID: 27 Comm: irq_work/0 + Call Trace: + + dump_stack_lvl+0x8c/0xd0 + dump_stack+0x14/0x20 + print_usage_bug+0x42e/0x690 + mark_lock.part.44+0x867/0xa70 + ? __pfx_mark_lock.part.44+0x10/0x10 + ? string_nocheck+0x19c/0x310 + ? number+0x739/0x9f0 + ? __pfx_string_nocheck+0x10/0x10 + ? __pfx_check_pointer+0x10/0x10 + ? kvm_sched_clock_read+0x15/0x30 + ? 
sched_clock_noinstr+0xd/0x20 + ? local_clock_noinstr+0x1c/0xe0 + __lock_acquire+0xc4b/0x62b0 + ? __pfx_format_decode+0x10/0x10 + ? __pfx_string+0x10/0x10 + ? __pfx___lock_acquire+0x10/0x10 + ? __pfx_vsnprintf+0x10/0x10 + lock_acquire+0x1e1/0x510 + ? raw_spin_rq_lock_nested+0x2b/0x40 + ? __pfx_lock_acquire+0x10/0x10 + ? dump_line+0x12e/0x270 + ? raw_spin_rq_lock_nested+0x20/0x40 + _raw_spin_lock_nested+0x42/0x80 + ? raw_spin_rq_lock_nested+0x2b/0x40 + raw_spin_rq_lock_nested+0x2b/0x40 + scx_dump_state+0x3b3/0x1270 + ? finish_task_switch+0x27e/0x840 + scx_ops_error_irq_workfn+0x67/0x80 + irq_work_single+0x113/0x260 + irq_work_run_list.part.3+0x44/0x70 + run_irq_workd+0x6b/0x90 + ? __pfx_run_irq_workd+0x10/0x10 + smpboot_thread_fn+0x529/0x870 + ? __pfx_smpboot_thread_fn+0x10/0x10 + kthread+0x305/0x3f0 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x40/0x70 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1a/0x30 + + +This commit therefore use rq_lock_irqsave/irqrestore() to replace +rq_lock/unlock() in the scx_dump_state(). 
+ +Fixes: 07814a9439a3 ("sched_ext: Print debug dump after an error exit") +Signed-off-by: Zqiang +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/sched/ext.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c +index be2e836e10e93..ad1d438b3085c 100644 +--- a/kernel/sched/ext.c ++++ b/kernel/sched/ext.c +@@ -4966,7 +4966,7 @@ static void scx_dump_state(struct scx_exit_info *ei, size_t dump_len) + size_t avail, used; + bool idle; + +- rq_lock(rq, &rf); ++ rq_lock_irqsave(rq, &rf); + + idle = list_empty(&rq->scx.runnable_list) && + rq->curr->sched_class == &idle_sched_class; +@@ -5034,7 +5034,7 @@ static void scx_dump_state(struct scx_exit_info *ei, size_t dump_len) + list_for_each_entry(p, &rq->scx.runnable_list, scx.runnable_node) + scx_dump_task(&s, &dctx, p, ' '); + next: +- rq_unlock(rq, &rf); ++ rq_unlock_irqrestore(rq, &rf); + } + + if (seq_buf_has_overflowed(&s) && dump_len >= sizeof(trunc_marker)) +-- +2.51.0 + diff --git a/queue-6.12/series b/queue-6.12/series index bba044cde7..2dc803def6 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -89,3 +89,10 @@ lib-crypto-arm-curve25519-disable-on-cpu_big_endian.patch ext4-fix-out-of-bound-read-in-ext4_xattr_inode_dec_r.patch bluetooth-mgmt-fix-possible-uafs.patch f2fs-fix-to-avoid-overflow-while-left-shift-operatio.patch +hostfs-fix-only-passing-host-root-in-boot-stage-with.patch +mtd-onenand-pass-correct-pointer-to-irq-handler.patch +virtio-fs-fix-incorrect-check-for-fsvq-kobj.patch +fs-namespace-correctly-handle-errors-returned-by-gra.patch +sched_ext-fix-unsafe-locking-in-the-scx_dump_state.patch +revert-netfilter-nf_tables-reintroduce-shortened-del.patch +netfilter-nf_tables-reject-duplicate-device-on-updat.patch diff --git a/queue-6.12/virtio-fs-fix-incorrect-check-for-fsvq-kobj.patch b/queue-6.12/virtio-fs-fix-incorrect-check-for-fsvq-kobj.patch new file mode 100644 index 0000000000..9cb611d93a --- /dev/null 
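Review bot: The switch to `rq_lock_irqsave()` in `scx_dump_state()` carries no comment, and the reason exists only in the commit message: on PREEMPT_RT the outer dump lock does not disable interrupts, so the rq lock has to do that itself. A short comment above the call would keep a later cleanup from going back to `rq_lock()`, for example `/* dump_lock may leave IRQs enabled (PREEMPT_RT); rq->__lock is also taken in hardirq */`. The function body starts and ends outside the two hunks.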
+++ b/queue-6.12/virtio-fs-fix-incorrect-check-for-fsvq-kobj.patch @@ -0,0 +1,40 @@ +From 39bd0dd2b6eaca2f526e13338ea6d2aafa2e78a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 03:46:47 -0700 +Subject: virtio-fs: fix incorrect check for fsvq->kobj + +From: Alok Tiwari + +[ Upstream commit c014021253d77cd89b2d8788ce522283d83fbd40 ] + +In virtio_fs_add_queues_sysfs(), the code incorrectly checks fs->mqs_kobj +after calling kobject_create_and_add(). Change the check to fsvq->kobj +(fs->mqs_kobj -> fsvq->kobj) to ensure the per-queue kobject is +successfully created. + +Fixes: 87cbdc396a31 ("virtio_fs: add sysfs entries for queue information") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20251027104658.1668537-1-alok.a.tiwari@oracle.com +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/fuse/virtio_fs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c +index 749c9f66d74c6..c81f7b888c385 100644 +--- a/fs/fuse/virtio_fs.c ++++ b/fs/fuse/virtio_fs.c +@@ -372,7 +372,7 @@ static int virtio_fs_add_queues_sysfs(struct virtio_fs *fs) + + sprintf(buff, "%d", i); + fsvq->kobj = kobject_create_and_add(buff, fs->mqs_kobj); +- if (!fs->mqs_kobj) { ++ if (!fsvq->kobj) { + ret = -ENOMEM; + goto out_del; + } +-- +2.51.0 + diff --git a/queue-6.17/afs-fix-dynamic-lookup-to-fail-on-cell-lookup-failur.patch b/queue-6.17/afs-fix-dynamic-lookup-to-fail-on-cell-lookup-failur.patch new file mode 100644 index 0000000000..622a3f6d07 --- /dev/null +++ b/queue-6.17/afs-fix-dynamic-lookup-to-fail-on-cell-lookup-failur.patch 
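Review bot: The `sprintf(buff, "%d", i)` directly above the corrected check in `virtio_fs_add_queues_sysfs()` writes without a bound, and `buff` is declared outside the hunk, so its size cannot be confirmed here. If it is a local array, `snprintf(buff, sizeof(buff), "%d", i);` keeps the write bounded at no cost. The loop and the `out_del` cleanup path are also outside the hunk.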
@@ -0,0 +1,360 @@ +From d7be7b9ba9d0a21b6de4c7c5f78eedf444cc9149 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Oct 2025 19:48:32 +0100 +Subject: afs: Fix dynamic lookup to fail on cell lookup failure + +From: David Howells + +[ Upstream commit 330e2c514823008b22e6afd2055715bc46dd8d55 ] + +When a process tries to access an entry in /afs, normally what happens is +that an automount dentry is created by ->lookup() and then triggered, which +jumps through the ->d_automount() op. Currently, afs_dynroot_lookup() does +not do cell DNS lookup, leaving that to afs_d_automount() to perform - +however, it is possible to use access() or stat() on the automount point, +which will always return successfully, have briefly created an afs_cell +record if one did not already exist. + +This means that something like: + + test -d "/afs/.west" && echo Directory exists + +will print "Directory exists" even though no such cell is configured. This +breaks the "west" python module available on PIP as it expects this access +to fail. + +Now, it could be possible to make afs_dynroot_lookup() perform the DNS[*] +lookup, but that would make "ls --color /afs" do this for each cell in /afs +that is listed but not yet probed. kafs-client, probably wrongly, preloads +the entire cell database and all the known cells are then listed in /afs - +and doing ls /afs would be very, very slow, especially if any cell supplied +addresses but was wholly inaccessible. + + [*] When I say "DNS", actually read getaddrinfo(), which could use any one + of a host of mechanisms. Could also use static configuration. + +To fix this, make the following changes: + + (1) Create an enum to specify the origination point of a call to + afs_lookup_cell() and pass this value into that function in place of + the "excl" parameter (which can be derived from it). 
There are six + points of origination: + + - Cell preload through /proc/net/afs/cells + - Root cell config through /proc/net/afs/rootcell + - Lookup in dynamic root + - Automount trigger + - Direct mount with mount() syscall + - Alias check where YFS tells us the cell name is different + + (2) Add an extra state into the afs_cell state machine to indicate a cell + that's been initialised, but not yet looked up. This is separate from + one that can be considered active and has been looked up at least + once. + + (3) Make afs_lookup_cell() vary its behaviour more, depending on where it + was called from: + + If called from preload or root cell config, DNS lookup will not happen + until we definitely want to use the cell (dynroot mount, automount, + direct mount or alias check). The cell will appear in /afs but stat() + won't trigger DNS lookup. + + If the cell already exists, dynroot will not wait for the DNS lookup + to complete. If the cell did not already exist, dynroot will wait. + + If called from automount, direct mount or alias check, it will wait + for the DNS lookup to complete. + + (4) Make afs_lookup_cell() return an error if lookup failed in one way or + another. We try to return -ENOENT if the DNS says the cell does not + exist and -EDESTADDRREQ if we couldn't access the DNS. 
+ +Reported-by: Markus Suvanto +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220685 +Signed-off-by: David Howells +Link: https://patch.msgid.link/1784747.1761158912@warthog.procyon.org.uk +Fixes: 1d0b929fc070 ("afs: Change dynroot to create contents on demand") +Tested-by: Markus Suvanto +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/afs/cell.c | 78 +++++++++++++++++++++++++++++++++++++++-------- + fs/afs/dynroot.c | 3 +- + fs/afs/internal.h | 12 +++++++- + fs/afs/mntpt.c | 3 +- + fs/afs/proc.c | 3 +- + fs/afs/super.c | 2 +- + fs/afs/vl_alias.c | 3 +- + 7 files changed, 86 insertions(+), 18 deletions(-) + +diff --git a/fs/afs/cell.c b/fs/afs/cell.c +index f31359922e98d..d9b6fa1088b7b 100644 +--- a/fs/afs/cell.c ++++ b/fs/afs/cell.c +@@ -229,7 +229,7 @@ static struct afs_cell *afs_alloc_cell(struct afs_net *net, + * @name: The name of the cell. + * @namesz: The strlen of the cell name. + * @vllist: A colon/comma separated list of numeric IP addresses or NULL. +- * @excl: T if an error should be given if the cell name already exists. ++ * @reason: The reason we're doing the lookup + * @trace: The reason to be logged if the lookup is successful. 
+ * + * Look up a cell record by name and query the DNS for VL server addresses if +@@ -239,7 +239,8 @@ static struct afs_cell *afs_alloc_cell(struct afs_net *net, + */ + struct afs_cell *afs_lookup_cell(struct afs_net *net, + const char *name, unsigned int namesz, +- const char *vllist, bool excl, ++ const char *vllist, ++ enum afs_lookup_cell_for reason, + enum afs_cell_trace trace) + { + struct afs_cell *cell, *candidate, *cursor; +@@ -247,12 +248,18 @@ struct afs_cell *afs_lookup_cell(struct afs_net *net, + enum afs_cell_state state; + int ret, n; + +- _enter("%s,%s", name, vllist); ++ _enter("%s,%s,%u", name, vllist, reason); + +- if (!excl) { ++ if (reason != AFS_LOOKUP_CELL_PRELOAD) { + cell = afs_find_cell(net, name, namesz, trace); +- if (!IS_ERR(cell)) ++ if (!IS_ERR(cell)) { ++ if (reason == AFS_LOOKUP_CELL_DYNROOT) ++ goto no_wait; ++ if (cell->state == AFS_CELL_SETTING_UP || ++ cell->state == AFS_CELL_UNLOOKED) ++ goto lookup_cell; + goto wait_for_cell; ++ } + } + + /* Assume we're probably going to create a cell and preallocate and +@@ -298,26 +305,69 @@ struct afs_cell *afs_lookup_cell(struct afs_net *net, + rb_insert_color(&cell->net_node, &net->cells); + up_write(&net->cells_lock); + +- afs_queue_cell(cell, afs_cell_trace_queue_new); ++lookup_cell: ++ if (reason != AFS_LOOKUP_CELL_PRELOAD && ++ reason != AFS_LOOKUP_CELL_ROOTCELL) { ++ set_bit(AFS_CELL_FL_DO_LOOKUP, &cell->flags); ++ afs_queue_cell(cell, afs_cell_trace_queue_new); ++ } + + wait_for_cell: +- _debug("wait_for_cell"); + state = smp_load_acquire(&cell->state); /* vs error */ +- if (state != AFS_CELL_ACTIVE && +- state != AFS_CELL_DEAD) { ++ switch (state) { ++ case AFS_CELL_ACTIVE: ++ case AFS_CELL_DEAD: ++ break; ++ case AFS_CELL_UNLOOKED: ++ default: ++ if (reason == AFS_LOOKUP_CELL_PRELOAD || ++ reason == AFS_LOOKUP_CELL_ROOTCELL) ++ break; ++ _debug("wait_for_cell"); + afs_see_cell(cell, afs_cell_trace_wait); + wait_var_event(&cell->state, + ({ + state = 
smp_load_acquire(&cell->state); /* vs error */ + state == AFS_CELL_ACTIVE || state == AFS_CELL_DEAD; + })); ++ _debug("waited_for_cell %d %d", cell->state, cell->error); + } + ++no_wait: + /* Check the state obtained from the wait check. */ ++ state = smp_load_acquire(&cell->state); /* vs error */ + if (state == AFS_CELL_DEAD) { + ret = cell->error; + goto error; + } ++ if (state == AFS_CELL_ACTIVE) { ++ switch (cell->dns_status) { ++ case DNS_LOOKUP_NOT_DONE: ++ if (cell->dns_source == DNS_RECORD_FROM_CONFIG) { ++ ret = 0; ++ break; ++ } ++ fallthrough; ++ default: ++ ret = -EIO; ++ goto error; ++ case DNS_LOOKUP_GOOD: ++ case DNS_LOOKUP_GOOD_WITH_BAD: ++ ret = 0; ++ break; ++ case DNS_LOOKUP_GOT_NOT_FOUND: ++ ret = -ENOENT; ++ goto error; ++ case DNS_LOOKUP_BAD: ++ ret = -EREMOTEIO; ++ goto error; ++ case DNS_LOOKUP_GOT_LOCAL_FAILURE: ++ case DNS_LOOKUP_GOT_TEMP_FAILURE: ++ case DNS_LOOKUP_GOT_NS_FAILURE: ++ ret = -EDESTADDRREQ; ++ goto error; ++ } ++ } + + _leave(" = %p [cell]", cell); + return cell; +@@ -325,7 +375,7 @@ struct afs_cell *afs_lookup_cell(struct afs_net *net, + cell_already_exists: + _debug("cell exists"); + cell = cursor; +- if (excl) { ++ if (reason == AFS_LOOKUP_CELL_PRELOAD) { + ret = -EEXIST; + } else { + afs_use_cell(cursor, trace); +@@ -384,7 +434,8 @@ int afs_cell_init(struct afs_net *net, const char *rootcell) + return -EINVAL; + + /* allocate a cell record for the root/workstation cell */ +- new_root = afs_lookup_cell(net, rootcell, len, vllist, false, ++ new_root = afs_lookup_cell(net, rootcell, len, vllist, ++ AFS_LOOKUP_CELL_ROOTCELL, + afs_cell_trace_use_lookup_ws); + if (IS_ERR(new_root)) { + _leave(" = %ld", PTR_ERR(new_root)); +@@ -777,6 +828,7 @@ static bool afs_manage_cell(struct afs_cell *cell) + switch (cell->state) { + case AFS_CELL_SETTING_UP: + goto set_up_cell; ++ case AFS_CELL_UNLOOKED: + case AFS_CELL_ACTIVE: + goto cell_is_active; + case AFS_CELL_REMOVING: +@@ -797,7 +849,7 @@ static bool afs_manage_cell(struct afs_cell 
*cell) + goto remove_cell; + } + +- afs_set_cell_state(cell, AFS_CELL_ACTIVE); ++ afs_set_cell_state(cell, AFS_CELL_UNLOOKED); + + cell_is_active: + if (afs_has_cell_expired(cell, &next_manage)) +@@ -807,6 +859,8 @@ static bool afs_manage_cell(struct afs_cell *cell) + ret = afs_update_cell(cell); + if (ret < 0) + cell->error = ret; ++ if (cell->state == AFS_CELL_UNLOOKED) ++ afs_set_cell_state(cell, AFS_CELL_ACTIVE); + } + + if (next_manage < TIME64_MAX && cell->net->live) { +diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c +index 8c6130789fde3..dc9d29e3739e7 100644 +--- a/fs/afs/dynroot.c ++++ b/fs/afs/dynroot.c +@@ -108,7 +108,8 @@ static struct dentry *afs_dynroot_lookup_cell(struct inode *dir, struct dentry * + dotted = true; + } + +- cell = afs_lookup_cell(net, name, len, NULL, false, ++ cell = afs_lookup_cell(net, name, len, NULL, ++ AFS_LOOKUP_CELL_DYNROOT, + afs_cell_trace_use_lookup_dynroot); + if (IS_ERR(cell)) { + ret = PTR_ERR(cell); +diff --git a/fs/afs/internal.h b/fs/afs/internal.h +index 1124ea4000cb1..87828d685293f 100644 +--- a/fs/afs/internal.h ++++ b/fs/afs/internal.h +@@ -343,6 +343,7 @@ extern const char afs_init_sysname[]; + + enum afs_cell_state { + AFS_CELL_SETTING_UP, ++ AFS_CELL_UNLOOKED, + AFS_CELL_ACTIVE, + AFS_CELL_REMOVING, + AFS_CELL_DEAD, +@@ -1047,9 +1048,18 @@ static inline bool afs_cb_is_broken(unsigned int cb_break, + extern int afs_cell_init(struct afs_net *, const char *); + extern struct afs_cell *afs_find_cell(struct afs_net *, const char *, unsigned, + enum afs_cell_trace); ++enum afs_lookup_cell_for { ++ AFS_LOOKUP_CELL_DYNROOT, ++ AFS_LOOKUP_CELL_MOUNTPOINT, ++ AFS_LOOKUP_CELL_DIRECT_MOUNT, ++ AFS_LOOKUP_CELL_PRELOAD, ++ AFS_LOOKUP_CELL_ROOTCELL, ++ AFS_LOOKUP_CELL_ALIAS_CHECK, ++}; + struct afs_cell *afs_lookup_cell(struct afs_net *net, + const char *name, unsigned int namesz, +- const char *vllist, bool excl, ++ const char *vllist, ++ enum afs_lookup_cell_for reason, + enum afs_cell_trace trace); + extern struct 
afs_cell *afs_use_cell(struct afs_cell *, enum afs_cell_trace); + void afs_unuse_cell(struct afs_cell *cell, enum afs_cell_trace reason); +diff --git a/fs/afs/mntpt.c b/fs/afs/mntpt.c +index 9434a5399f2b0..828347fa26450 100644 +--- a/fs/afs/mntpt.c ++++ b/fs/afs/mntpt.c +@@ -107,7 +107,8 @@ static int afs_mntpt_set_params(struct fs_context *fc, struct dentry *mntpt) + if (size > AFS_MAXCELLNAME) + return -ENAMETOOLONG; + +- cell = afs_lookup_cell(ctx->net, p, size, NULL, false, ++ cell = afs_lookup_cell(ctx->net, p, size, NULL, ++ AFS_LOOKUP_CELL_MOUNTPOINT, + afs_cell_trace_use_lookup_mntpt); + if (IS_ERR(cell)) { + pr_err("kAFS: unable to lookup cell '%pd'\n", mntpt); +diff --git a/fs/afs/proc.c b/fs/afs/proc.c +index 40e879c8ca773..44520549b509a 100644 +--- a/fs/afs/proc.c ++++ b/fs/afs/proc.c +@@ -122,7 +122,8 @@ static int afs_proc_cells_write(struct file *file, char *buf, size_t size) + if (strcmp(buf, "add") == 0) { + struct afs_cell *cell; + +- cell = afs_lookup_cell(net, name, strlen(name), args, true, ++ cell = afs_lookup_cell(net, name, strlen(name), args, ++ AFS_LOOKUP_CELL_PRELOAD, + afs_cell_trace_use_lookup_add); + if (IS_ERR(cell)) { + ret = PTR_ERR(cell); +diff --git a/fs/afs/super.c b/fs/afs/super.c +index da407f2d6f0d1..d672b7ab57ae2 100644 +--- a/fs/afs/super.c ++++ b/fs/afs/super.c +@@ -290,7 +290,7 @@ static int afs_parse_source(struct fs_context *fc, struct fs_parameter *param) + /* lookup the cell record */ + if (cellname) { + cell = afs_lookup_cell(ctx->net, cellname, cellnamesz, +- NULL, false, ++ NULL, AFS_LOOKUP_CELL_DIRECT_MOUNT, + afs_cell_trace_use_lookup_mount); + if (IS_ERR(cell)) { + pr_err("kAFS: unable to lookup cell '%*.*s'\n", +diff --git a/fs/afs/vl_alias.c b/fs/afs/vl_alias.c +index 709b4cdb723ee..fc9676abd2527 100644 +--- a/fs/afs/vl_alias.c ++++ b/fs/afs/vl_alias.c +@@ -269,7 +269,8 @@ static int yfs_check_canonical_cell_name(struct afs_cell *cell, struct key *key) + if (!name_len || name_len > AFS_MAXCELLNAME) + master = 
ERR_PTR(-EOPNOTSUPP); + else +- master = afs_lookup_cell(cell->net, cell_name, name_len, NULL, false, ++ master = afs_lookup_cell(cell->net, cell_name, name_len, NULL, ++ AFS_LOOKUP_CELL_ALIAS_CHECK, + afs_cell_trace_use_lookup_canonical); + kfree(cell_name); + if (IS_ERR(master)) +-- +2.51.0 + diff --git a/queue-6.17/binfmt_misc-restore-write-access-before-closing-file.patch b/queue-6.17/binfmt_misc-restore-write-access-before-closing-file.patch new file mode 100644 index 0000000000..b150f13a04 --- /dev/null +++ b/queue-6.17/binfmt_misc-restore-write-access-before-closing-file.patch 
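Review bot: The kernel-doc for `afs_lookup_cell()` only swaps `@excl` for `@reason`, while the function now maps DNS state to distinct errors (-ENOENT, -EREMOTEIO, -EDESTADDRREQ, -EIO) and behaves differently per origin; none of that is documented at the definition or on `enum afs_lookup_cell_for` in internal.h. I would add a comment per enumerator saying whether that origin queues a lookup and whether it waits, e.g. `AFS_LOOKUP_CELL_PRELOAD, /* create only; no DNS lookup queued, -EEXIST if the cell exists */`, and list the error returns in the kernel-doc. In the `cell->dns_status` switch, `default:` sits between cases and is entered by `fallthrough` from `DNS_LOOKUP_NOT_DONE`; placing those two labels at the end of the switch would read more easily. The kernel-doc comment and the function body both extend beyond the hunks.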
@@ -0,0 +1,49 @@ +From d3dbf3ef58344f88eb87cc0b63979abb73cab82a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Nov 2025 02:29:23 +0000 +Subject: binfmt_misc: restore write access before closing files opened by + open_exec() + +From: Zilin Guan + +[ Upstream commit 90f601b497d76f40fa66795c3ecf625b6aced9fd ] + +bm_register_write() opens an executable file using open_exec(), which +internally calls do_open_execat() and denies write access on the file to +avoid modification while it is being executed. + +However, when an error occurs, bm_register_write() closes the file using +filp_close() directly. This does not restore the write permission, which +may cause subsequent write operations on the same file to fail. + +Fix this by calling exe_file_allow_write_access() before filp_close() to +restore the write permission properly. + +Fixes: e7850f4d844e ("binfmt_misc: fix possible deadlock in bm_register_write") +Signed-off-by: Zilin Guan +Link: https://patch.msgid.link/20251105022923.1813587-1-zilin@seu.edu.cn +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/binfmt_misc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c +index a839f960cd4a0..a8b1d79e4af07 100644 +--- a/fs/binfmt_misc.c ++++ b/fs/binfmt_misc.c +@@ -837,8 +837,10 @@ static ssize_t bm_register_write(struct file *file, const char __user *buffer, + inode_unlock(d_inode(root)); + + if (err) { +- if (f) ++ if (f) { ++ exe_file_allow_write_access(f); + filp_close(f, NULL); ++ } + kfree(e); + return err; + } +-- +2.51.0 + diff --git a/queue-6.17/fs-namespace-correctly-handle-errors-returned-by-gra.patch b/queue-6.17/fs-namespace-correctly-handle-errors-returned-by-gra.patch new file mode 100644 index 0000000000..438029a0fb --- /dev/null +++ b/queue-6.17/fs-namespace-correctly-handle-errors-returned-by-gra.patch 
@@ -0,0 +1,141 @@ +From 27f8010a5a18c9bd7f552d7e0315b15ed909fe15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 06:28:15 +0000 +Subject: fs/namespace: correctly handle errors returned by + grab_requested_mnt_ns + +From: Andrei Vagin + +[ Upstream commit 78f0e33cd6c939a555aa80dbed2fec6b333a7660 ] + +grab_requested_mnt_ns was changed to return error codes on failure, but +its callers were not updated to check for error pointers, still checking +only for a NULL return value. + +This commit updates the callers to use IS_ERR() or IS_ERR_OR_NULL() and +PTR_ERR() to correctly check for and propagate errors. + +This also makes sure that the logic actually works and mount namespace +file descriptors can be used to refere to mounts. + +Christian Brauner says: + +Rework the patch to be more ergonomic and in line with our overall error +handling patterns. + +Fixes: 7b9d14af8777 ("fs: allow mount namespace fd") +Cc: Christian Brauner +Signed-off-by: Andrei Vagin +Link: https://patch.msgid.link/20251111062815.2546189-1-avagin@google.com +Reviewed-by: Jan Kara +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/namespace.c | 32 ++++++++++++++++---------------- + include/uapi/linux/mount.h | 2 +- + 2 files changed, 17 insertions(+), 17 deletions(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index fa7c034ac4a69..0026a6e7730e9 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -186,7 +186,8 @@ static void mnt_ns_release(struct mnt_namespace *ns) + kfree(ns); + } + } +-DEFINE_FREE(mnt_ns_release, struct mnt_namespace *, if (_T) mnt_ns_release(_T)) ++DEFINE_FREE(mnt_ns_release, struct mnt_namespace *, ++ if (!IS_ERR(_T)) mnt_ns_release(_T)) + + static void mnt_ns_release_rcu(struct rcu_head *rcu) + { +@@ -5881,7 +5882,7 @@ static int copy_mnt_id_req(const struct mnt_id_req __user *req, + ret = copy_struct_from_user(kreq, sizeof(*kreq), req, usize); + if (ret) + return ret; +- if (kreq->spare != 0) ++ if (kreq->mnt_ns_fd != 0 && 
kreq->mnt_ns_id) + return -EINVAL; + /* The first valid unique mount id is MNT_UNIQUE_ID_OFFSET + 1. */ + if (kreq->mnt_id <= MNT_UNIQUE_ID_OFFSET) +@@ -5898,16 +5899,12 @@ static struct mnt_namespace *grab_requested_mnt_ns(const struct mnt_id_req *kreq + { + struct mnt_namespace *mnt_ns; + +- if (kreq->mnt_ns_id && kreq->spare) +- return ERR_PTR(-EINVAL); +- +- if (kreq->mnt_ns_id) +- return lookup_mnt_ns(kreq->mnt_ns_id); +- +- if (kreq->spare) { ++ if (kreq->mnt_ns_id) { ++ mnt_ns = lookup_mnt_ns(kreq->mnt_ns_id); ++ } else if (kreq->mnt_ns_fd) { + struct ns_common *ns; + +- CLASS(fd, f)(kreq->spare); ++ CLASS(fd, f)(kreq->mnt_ns_fd); + if (fd_empty(f)) + return ERR_PTR(-EBADF); + +@@ -5922,6 +5919,8 @@ static struct mnt_namespace *grab_requested_mnt_ns(const struct mnt_id_req *kreq + } else { + mnt_ns = current->nsproxy->mnt_ns; + } ++ if (!mnt_ns) ++ return ERR_PTR(-ENOENT); + + refcount_inc(&mnt_ns->passive); + return mnt_ns; +@@ -5946,8 +5945,8 @@ SYSCALL_DEFINE4(statmount, const struct mnt_id_req __user *, req, + return ret; + + ns = grab_requested_mnt_ns(&kreq); +- if (!ns) +- return -ENOENT; ++ if (IS_ERR(ns)) ++ return PTR_ERR(ns); + + if (kreq.mnt_ns_id && (ns != current->nsproxy->mnt_ns) && + !ns_capable_noaudit(ns->user_ns, CAP_SYS_ADMIN)) +@@ -6056,8 +6055,8 @@ static void __free_klistmount_free(const struct klistmount *kls) + static inline int prepare_klistmount(struct klistmount *kls, struct mnt_id_req *kreq, + size_t nr_mnt_ids) + { +- + u64 last_mnt_id = kreq->param; ++ struct mnt_namespace *ns; + + /* The first valid unique mount id is MNT_UNIQUE_ID_OFFSET + 1. 
*/ + if (last_mnt_id != 0 && last_mnt_id <= MNT_UNIQUE_ID_OFFSET) +@@ -6071,9 +6070,10 @@ static inline int prepare_klistmount(struct klistmount *kls, struct mnt_id_req * + if (!kls->kmnt_ids) + return -ENOMEM; + +- kls->ns = grab_requested_mnt_ns(kreq); +- if (!kls->ns) +- return -ENOENT; ++ ns = grab_requested_mnt_ns(kreq); ++ if (IS_ERR(ns)) ++ return PTR_ERR(ns); ++ kls->ns = ns; + + kls->mnt_parent_id = kreq->mnt_id; + return 0; +diff --git a/include/uapi/linux/mount.h b/include/uapi/linux/mount.h +index 7fa67c2031a5d..5d3f8c9e3a625 100644 +--- a/include/uapi/linux/mount.h ++++ b/include/uapi/linux/mount.h +@@ -197,7 +197,7 @@ struct statmount { + */ + struct mnt_id_req { + __u32 size; +- __u32 spare; ++ __u32 mnt_ns_fd; + __u64 mnt_id; + __u64 param; + __u64 mnt_ns_id; +-- +2.51.0 + diff --git a/queue-6.17/hostfs-fix-only-passing-host-root-in-boot-stage-with.patch b/queue-6.17/hostfs-fix-only-passing-host-root-in-boot-stage-with.patch new file mode 100644 index 0000000000..893d9bbb1f --- /dev/null +++ b/queue-6.17/hostfs-fix-only-passing-host-root-in-boot-stage-with.patch 
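Review bot: The cleanup guard in `DEFINE_FREE(mnt_ns_release, ...)` changes from `if (_T)` to `if (!IS_ERR(_T))`, which now lets a NULL pointer reach mnt_ns_release(). That function starts outside the hunk, so whether it tolerates NULL cannot be confirmed here; if it dereferences `ns->passive` unconditionally, any `__free(mnt_ns_release)` variable that is still NULL at an early return (presumably the `ns` in statmount when copy_mnt_id_req() fails) would oops on a request that userspace controls. Unless the release helper is known to check for NULL in this tree, the guard should be `if (!IS_ERR_OR_NULL(_T)) mnt_ns_release(_T)`.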
@@ -0,0 +1,98 @@ +From ca7f0f457151a50d6045c71811b63868c590a720 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Oct 2025 09:22:35 +0000 +Subject: hostfs: Fix only passing host root in boot stage with new mount + +From: Hongbo Li + +[ Upstream commit 2c2b67af5f5f77fc68261a137ad65dcfb8e52506 ] + +In the old mount proceedure, hostfs could only pass root directory during +boot. This is because it constructed the root directory using the @root_ino +event without any mount options. However, when using it with the new mount +API, this step is no longer triggered. As a result, if users mounts without +specifying any mount options, the @host_root_path remains uninitialized. To +prevent this issue, the @host_root_path should be initialized at the time +of allocation. + +Reported-by: Geoffrey Thorpe +Closes: https://lore.kernel.org/all/643333a0-f434-42fb-82ac-d25a0b56f3b7@geoffthorpe.net/ +Fixes: cd140ce9f611 ("hostfs: convert hostfs to use the new mount API") +Signed-off-by: Hongbo Li +Link: https://patch.msgid.link/20251011092235.29880-1-lihongbo22@huawei.com +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/hostfs/hostfs_kern.c | 29 ++++++++++++++++++----------- + 1 file changed, 18 insertions(+), 11 deletions(-) + +diff --git a/fs/hostfs/hostfs_kern.c b/fs/hostfs/hostfs_kern.c +index 01e516175bcd7..30fcce80a2c35 100644 +--- a/fs/hostfs/hostfs_kern.c ++++ b/fs/hostfs/hostfs_kern.c +@@ -979,7 +979,7 @@ static int hostfs_parse_param(struct fs_context *fc, struct fs_parameter *param) + { + struct hostfs_fs_info *fsi = fc->s_fs_info; + struct fs_parse_result result; +- char *host_root; ++ char *host_root, *tmp_root; + int opt; + + opt = fs_parse(fc, hostfs_param_specs, param, &result); +@@ -990,11 +990,13 @@ static int hostfs_parse_param(struct fs_context *fc, struct fs_parameter *param) + case Opt_hostfs: + host_root = param->string; + if (!*host_root) +- host_root = ""; +- fsi->host_root_path = +- kasprintf(GFP_KERNEL, "%s/%s", root_ino, 
host_root); +- if (fsi->host_root_path == NULL) ++ break; ++ tmp_root = kasprintf(GFP_KERNEL, "%s%s", ++ fsi->host_root_path, host_root); ++ if (!tmp_root) + return -ENOMEM; ++ kfree(fsi->host_root_path); ++ fsi->host_root_path = tmp_root; + break; + } + +@@ -1004,17 +1006,17 @@ static int hostfs_parse_param(struct fs_context *fc, struct fs_parameter *param) + static int hostfs_parse_monolithic(struct fs_context *fc, void *data) + { + struct hostfs_fs_info *fsi = fc->s_fs_info; +- char *host_root = (char *)data; ++ char *tmp_root, *host_root = (char *)data; + + /* NULL is printed as '(null)' by printf(): avoid that. */ + if (host_root == NULL) +- host_root = ""; ++ return 0; + +- fsi->host_root_path = +- kasprintf(GFP_KERNEL, "%s/%s", root_ino, host_root); +- if (fsi->host_root_path == NULL) ++ tmp_root = kasprintf(GFP_KERNEL, "%s%s", fsi->host_root_path, host_root); ++ if (!tmp_root) + return -ENOMEM; +- ++ kfree(fsi->host_root_path); ++ fsi->host_root_path = tmp_root; + return 0; + } + +@@ -1049,6 +1051,11 @@ static int hostfs_init_fs_context(struct fs_context *fc) + if (!fsi) + return -ENOMEM; + ++ fsi->host_root_path = kasprintf(GFP_KERNEL, "%s/", root_ino); ++ if (!fsi->host_root_path) { ++ kfree(fsi); ++ return -ENOMEM; ++ } + fc->s_fs_info = fsi; + fc->ops = &hostfs_context_ops; + return 0; +-- +2.51.0 + diff --git a/queue-6.17/mtd-onenand-pass-correct-pointer-to-irq-handler.patch b/queue-6.17/mtd-onenand-pass-correct-pointer-to-irq-handler.patch new file mode 100644 index 0000000000..dc66b9865d --- /dev/null +++ b/queue-6.17/mtd-onenand-pass-correct-pointer-to-irq-handler.patch 
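Review bot: In hostfs_parse_param() the new path is built as `kasprintf(GFP_KERNEL, "%s%s", fsi->host_root_path, host_root)` from the current value of `host_root_path`, so a second `hostfs` parameter on the same context appends to the result of the first instead of replacing it. hostfs_parse_monolithic() has the same shape. If repeated parameters can arrive through the new mount API, build from the base each time, `tmp_root = kasprintf(GFP_KERNEL, "%s/%s", root_ino, host_root);`, or reject the option once a non-default path has been set. Both functions extend beyond the hunk, and the free of `host_root_path` on context teardown is not visible here.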
@@ -0,0 +1,38 @@
+From 62501640348ac845b2bba07a105a44ae60db30ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 1 Nov 2025 16:25:48 +0300
+Subject: mtd: onenand: Pass correct pointer to IRQ handler
+
+From: Dan Carpenter
+
+[ Upstream commit 97315e7c901a1de60e8ca9b11e0e96d0f9253e18 ]
+
+This was supposed to pass "onenand" instead of "&onenand" with the
+ampersand. Passing a random stack address which will be gone when the
+function ends makes no sense. However the good thing is that the pointer
+is never used, so this doesn't cause a problem at run time.
+
+Fixes: e23abf4b7743 ("mtd: OneNAND: S5PC110: Implement DMA interrupt method")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Miquel Raynal
+Signed-off-by: Sasha Levin
+---
+ drivers/mtd/nand/onenand/onenand_samsung.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/onenand/onenand_samsung.c b/drivers/mtd/nand/onenand/onenand_samsung.c
+index f37a6138e461f..6d6aa709a21f8 100644
+--- a/drivers/mtd/nand/onenand/onenand_samsung.c
++++ b/drivers/mtd/nand/onenand/onenand_samsung.c
+@@ -906,7 +906,7 @@ static int s3c_onenand_probe(struct platform_device *pdev)
+ err = devm_request_irq(&pdev->dev, r->start,
+ s5pc110_onenand_irq,
+ IRQF_SHARED, "onenand",
+- &onenand);
++ onenand);
+ if (err) {
+ dev_err(&pdev->dev, "failed to get irq\n");
+ return err;
+--
+2.51.0
+
diff --git a/queue-6.17/perf-build-don-t-fail-fast-path-feature-detection-wh.patch b/queue-6.17/perf-build-don-t-fail-fast-path-feature-detection-wh.patch
new file mode 100644
index 0000000000..3451760058
--- /dev/null
+++ b/queue-6.17/perf-build-don-t-fail-fast-path-feature-detection-wh.patch
@@ -0,0 +1,89 @@ +From b688e926810031a0ccfa2550c29b2a8a5240f83f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 21:57:08 -0300 +Subject: perf build: Don't fail fast path feature detection when + binutils-devel is not available + +From: Arnaldo Carvalho de Melo + +[ Upstream commit a09e5967ad6819379fd31894634d7aed29c18409 ] + +This is one more remnant of the BUILD_NONDISTRO series to make building +with binutils-devel opt-in due to license incompatibility. + +In this case just the references at link time were still in place, which +make building the test-all.bin file fail, which wasn't detected before +probably because the last test was done with binutils-devel available, +doh. + +Now: + + $ rpm -q binutils-devel + package binutils-devel is not installed + $ file /tmp/build/perf-tools/feature/test-all.bin + /tmp/build/perf-tools/feature/test-all.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), + dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, + BuildID[sha1]=4b5388a346b51f1b993f0b0dbd49f4570769b03c, for GNU/Linux 3.2.0, not stripped + $ + +Fixes: 970ae86307718c34 ("perf build: The bfd features are opt-in, stop testing for them by default") +Reviewed-by: Ian Rogers +Cc: Adrian Hunter +Cc: James Clark +Cc: Jiri Olsa +Cc: Namhyung Kim +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/build/feature/Makefile | 4 ++-- + tools/perf/Makefile.config | 5 ++--- + 2 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/tools/build/feature/Makefile b/tools/build/feature/Makefile +index bd615a708a0aa..049d5d2b36468 100644 +--- a/tools/build/feature/Makefile ++++ b/tools/build/feature/Makefile +@@ -110,7 +110,7 @@ all: $(FILES) + __BUILD = $(CC) $(CFLAGS) -MD -Wall -Werror -o $@ $(patsubst %.bin,%.c,$(@F)) $(LDFLAGS) + BUILD = $(__BUILD) > $(@:.bin=.make.output) 2>&1 + BUILD_BFD = $(BUILD) -DPACKAGE='"perf"' -lbfd -ldl +- BUILD_ALL = $(BUILD) -fstack-protector-all -O2 -D_FORTIFY_SOURCE=2 -ldw -lelf 
-lnuma -lelf -lslang $(FLAGS_PERL_EMBED) $(FLAGS_PYTHON_EMBED) -DPACKAGE='"perf"' -lbfd -ldl -lz -llzma -lzstd ++ BUILD_ALL = $(BUILD) -fstack-protector-all -O2 -D_FORTIFY_SOURCE=2 -ldw -lelf -lnuma -lelf -lslang $(FLAGS_PERL_EMBED) $(FLAGS_PYTHON_EMBED) -ldl -lz -llzma -lzstd + + __BUILDXX = $(CXX) $(CXXFLAGS) -MD -Wall -Werror -o $@ $(patsubst %.bin,%.cpp,$(@F)) $(LDFLAGS) + BUILDXX = $(__BUILDXX) > $(@:.bin=.make.output) 2>&1 +@@ -118,7 +118,7 @@ __BUILDXX = $(CXX) $(CXXFLAGS) -MD -Wall -Werror -o $@ $(patsubst %.bin,%.cpp,$( + ############################### + + $(OUTPUT)test-all.bin: +- $(BUILD_ALL) || $(BUILD_ALL) -lopcodes -liberty ++ $(BUILD_ALL) + + $(OUTPUT)test-hello.bin: + $(BUILD) +diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config +index 5a5832ee7b53c..5a3026bba31c6 100644 +--- a/tools/perf/Makefile.config ++++ b/tools/perf/Makefile.config +@@ -323,9 +323,6 @@ FEATURE_CHECK_LDFLAGS-libpython := $(PYTHON_EMBED_LDOPTS) + + FEATURE_CHECK_LDFLAGS-libaio = -lrt + +-FEATURE_CHECK_LDFLAGS-disassembler-four-args = -lbfd -lopcodes -ldl +-FEATURE_CHECK_LDFLAGS-disassembler-init-styled = -lbfd -lopcodes -ldl +- + CORE_CFLAGS += -fno-omit-frame-pointer + CORE_CFLAGS += -Wall + CORE_CFLAGS += -Wextra +@@ -921,6 +918,8 @@ ifdef BUILD_NONDISTRO + + ifeq ($(feature-libbfd), 1) + EXTLIBS += -lbfd -lopcodes ++ FEATURE_CHECK_LDFLAGS-disassembler-four-args = -lbfd -lopcodes -ldl ++ FEATURE_CHECK_LDFLAGS-disassembler-init-styled = -lbfd -lopcodes -ldl + else + # we are on a system that requires -liberty and (maybe) -lz + # to link against -lbfd; test each case individually here +-- +2.51.0 + diff --git a/queue-6.17/perf-header-write-bpf_prog-infos-btfs-_cnt-to-data-f.patch b/queue-6.17/perf-header-write-bpf_prog-infos-btfs-_cnt-to-data-f.patch new file mode 100644 index 0000000000..56e9a5b8cb --- /dev/null +++ b/queue-6.17/perf-header-write-bpf_prog-infos-btfs-_cnt-to-data-f.patch 
@@ -0,0 +1,73 @@ +From afb029f8d9bdc5d5b39d7c0a4136cd6c64ae1efa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Nov 2025 11:31:50 -0600 +Subject: perf header: Write bpf_prog (infos|btfs)_cnt to data file + +From: Thomas Falcon + +[ Upstream commit 85c894a80ac46aa177df04e0a33bcad409b7d64f ] + +With commit f0d0f978f3f5830a ("perf header: Don't write empty BPF/BTF +info"), the write_bpf_( prog_info() | btf() ) functions exit without +writing anything if env->bpf_prog.(infos| btfs)_cnt is zero. + +process_bpf_( prog_info() | btf() ), however, still expect a "count" +value to exist in the data file. If btf information is empty, for +example, process_bpf_btf will read garbage or some other data as the +number of btf nodes in the data file. As a result, the data file will +not be processed correctly. + +Instead, write the count to the data file and exit if it is zero. + +Fixes: f0d0f978f3f5830a ("perf header: Don't write empty BPF/BTF info") +Reviewed-by: Ian Rogers +Signed-off-by: Thomas Falcon +Acked-by: Namhyung Kim +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Peter Zijlstra +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/header.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c +index 4f2a6e10ed5cc..4e12be579140a 100644 +--- a/tools/perf/util/header.c ++++ b/tools/perf/util/header.c +@@ -1022,12 +1022,9 @@ static int write_bpf_prog_info(struct feat_fd *ff, + + down_read(&env->bpf_progs.lock); + +- if (env->bpf_progs.infos_cnt == 0) +- goto out; +- + ret = do_write(ff, &env->bpf_progs.infos_cnt, + sizeof(env->bpf_progs.infos_cnt)); +- if (ret < 0) ++ if (ret < 0 || env->bpf_progs.infos_cnt == 0) + goto out; + + root = &env->bpf_progs.infos; +@@ -1067,13 +1064,10 @@ static int write_bpf_btf(struct feat_fd *ff, + + down_read(&env->bpf_progs.lock); + +- if (env->bpf_progs.btfs_cnt == 
0) +- goto out; +- + ret = do_write(ff, &env->bpf_progs.btfs_cnt, + sizeof(env->bpf_progs.btfs_cnt)); + +- if (ret < 0) ++ if (ret < 0 || env->bpf_progs.btfs_cnt == 0) + goto out; + + root = &env->bpf_progs.btfs; +-- +2.51.0 + diff --git a/queue-6.17/perf-lock-fix-segfault-due-to-missing-kernel-map.patch b/queue-6.17/perf-lock-fix-segfault-due-to-missing-kernel-map.patch new file mode 100644 index 0000000000..96c019caca --- /dev/null +++ b/queue-6.17/perf-lock-fix-segfault-due-to-missing-kernel-map.patch 
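Review bot: The combined test `if (ret < 0 || env->bpf_progs.infos_cnt == 0)` in write_bpf_prog_info(), and the matching one on `btfs_cnt` in write_bpf_btf(), folds a write failure and the empty case into one branch without saying why a zero count is still written. A comment above each do_write() call would keep writer and reader in step: `/* Always emit the count, even when zero: the reader parses it unconditionally. */`. Both function bodies continue outside the hunk.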
@@ -0,0 +1,61 @@
+From 54ff2f6c13ba529acdbfe1601691c85b30ea9d1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Nov 2025 16:01:23 +0000
+Subject: perf lock: Fix segfault due to missing kernel map
+
+From: Ravi Bangoria
+
+[ Upstream commit d0206db94b36c998c11458cfdae2f45ba20bc4fb ]
+
+Kernel maps are encoded in PERF_RECORD_MMAP2 samples but "perf lock
+report" and "perf lock contention" do not process MMAP2 samples.
+
+Because of that, machine->vmlinux_map stays NULL and any later access
+triggers a segmentation fault.
+
+Fix it by adding ->mmap2() callbacks.
+
+Fixes: 53b00ff358dc75b1 ("perf record: Make --buildid-mmap the default")
+Reported-by: Tycho Andersen (AMD)
+Reviewed-by: Ian Rogers
+Signed-off-by: Ravi Bangoria
+Tested-by: Tycho Andersen (AMD)
+Cc: Adrian Hunter
+Cc: Alexander Shishkin
+Cc: Ananth Narayan
+Cc: Ingo Molnar
+Cc: James Clark
+Cc: Jiri Olsa
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: Sandipan Das
+Cc: Santosh Shukla
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/builtin-lock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/perf/builtin-lock.c b/tools/perf/builtin-lock.c
+index 078634461df27..e8962c985d34a 100644
+--- a/tools/perf/builtin-lock.c
++++ b/tools/perf/builtin-lock.c
+@@ -1867,6 +1867,7 @@ static int __cmd_report(bool display_info)
+ eops.sample = process_sample_event;
+ eops.comm = perf_event__process_comm;
+ eops.mmap = perf_event__process_mmap;
++ eops.mmap2 = perf_event__process_mmap2;
+ eops.namespaces = perf_event__process_namespaces;
+ eops.tracing_data = perf_event__process_tracing_data;
+ session = perf_session__new(&data, &eops);
+@@ -2023,6 +2024,7 @@ static int __cmd_contention(int argc, const char **argv)
+ eops.sample = process_sample_event;
+ eops.comm = perf_event__process_comm;
+ eops.mmap = perf_event__process_mmap;
++ eops.mmap2 = perf_event__process_mmap2;
+ eops.tracing_data = perf_event__process_tracing_data;
+
+ perf_env__init(&host_env);
+--
+2.51.0
+
diff --git a/queue-6.17/perf-test-fix-lock-contention-test.patch b/queue-6.17/perf-test-fix-lock-contention-test.patch
new file mode 100644
index 0000000000..945ea1679b
--- /dev/null
+++ b/queue-6.17/perf-test-fix-lock-contention-test.patch
@@ -0,0 +1,141 @@ +From 916d72d18b8ce4dbcad60efc983c4a8a859a3288 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Nov 2025 16:01:24 +0000 +Subject: perf test: Fix lock contention test + +From: Ravi Bangoria + +[ Upstream commit 3c723f449723db2dc2b75b7efe03c2a76e4c09f0 ] + +Couple of independent fixes: + +1. Wire in SIGSEGV handler that terminates the test with a failure code. + +2. Use "--lock-cgroup" instead of "-g"; "-g" was proposed but never + merged. See commit 4d1792d0a2564caf ("perf lock contention: Add + --lock-cgroup option") + +3. Call cleanup() on every normal exit so trap_cleanup() doesn't mistake + it for an unexpected signal and emit a false-negative "Unexpected + signal in main" message. + +Before patch: + + # ./perf test -vv "lock contention" + 85: kernel lock contention analysis test: + --- start --- + test child forked, pid 610711 + Testing perf lock record and perf lock contention + Testing perf lock contention --use-bpf + Testing perf lock record and perf lock contention at the same time + Testing perf lock contention --threads + Testing perf lock contention --lock-addr + Testing perf lock contention --lock-cgroup + Unexpected signal in test_aggr_cgroup + ---- end(0) ---- + 85: kernel lock contention analysis test : Ok + +After patch: + + # ./perf test -vv "lock contention" + 85: kernel lock contention analysis test: + --- start --- + test child forked, pid 602637 + Testing perf lock record and perf lock contention + Testing perf lock contention --use-bpf + Testing perf lock record and perf lock contention at the same time + Testing perf lock contention --threads + Testing perf lock contention --lock-addr + Testing perf lock contention --lock-cgroup + Testing perf lock contention --type-filter (w/ spinlock) + Testing perf lock contention --lock-filter (w/ tasklist_lock) + Testing perf lock contention --callstack-filter (w/ unix_stream) + [Skip] Could not find 'unix_stream' + Testing perf lock contention --callstack-filter with task 
aggregation + [Skip] Could not find 'unix_stream' + Testing perf lock contention --cgroup-filter + Testing perf lock contention CSV output + ---- end(0) ---- + 85: kernel lock contention analysis test : Ok + +Reviewed-by: Ian Rogers +Signed-off-by: Ravi Bangoria +Tested-by: Arnaldo Carvalho de Melo +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ananth Narayan +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Sandipan Das +Cc: Santosh Shukla +Cc: Tycho Andersen +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/shell/lock_contention.sh | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/tools/perf/tests/shell/lock_contention.sh b/tools/perf/tests/shell/lock_contention.sh +index 7248a74ca2a32..6dd90519f45ce 100755 +--- a/tools/perf/tests/shell/lock_contention.sh ++++ b/tools/perf/tests/shell/lock_contention.sh +@@ -13,15 +13,18 @@ cleanup() { + rm -f ${perfdata} + rm -f ${result} + rm -f ${errout} +- trap - EXIT TERM INT ++ trap - EXIT TERM INT ERR + } + + trap_cleanup() { ++ if (( $? 
== 139 )); then #SIGSEGV ++ err=1 ++ fi + echo "Unexpected signal in ${FUNCNAME[1]}" + cleanup + exit ${err} + } +-trap trap_cleanup EXIT TERM INT ++trap trap_cleanup EXIT TERM INT ERR + + check() { + if [ "$(id -u)" != 0 ]; then +@@ -145,7 +148,7 @@ test_aggr_cgroup() + fi + + # the perf lock contention output goes to the stderr +- perf lock con -a -b -g -E 1 -q -- perf bench sched messaging -p > /dev/null 2> ${result} ++ perf lock con -a -b --lock-cgroup -E 1 -q -- perf bench sched messaging -p > /dev/null 2> ${result} + if [ "$(cat "${result}" | wc -l)" != "1" ]; then + echo "[Fail] BPF result count is not 1:" "$(cat "${result}" | wc -l)" + err=1 +@@ -271,7 +274,7 @@ test_cgroup_filter() + return + fi + +- perf lock con -a -b -g -E 1 -F wait_total -q -- perf bench sched messaging -p > /dev/null 2> ${result} ++ perf lock con -a -b --lock-cgroup -E 1 -F wait_total -q -- perf bench sched messaging -p > /dev/null 2> ${result} + if [ "$(cat "${result}" | wc -l)" != "1" ]; then + echo "[Fail] BPF result should have a cgroup result:" "$(cat "${result}")" + err=1 +@@ -279,7 +282,7 @@ test_cgroup_filter() + fi + + cgroup=$(cat "${result}" | awk '{ print $3 }') +- perf lock con -a -b -g -E 1 -G "${cgroup}" -q -- perf bench sched messaging -p > /dev/null 2> ${result} ++ perf lock con -a -b --lock-cgroup -E 1 -G "${cgroup}" -q -- perf bench sched messaging -p > /dev/null 2> ${result} + if [ "$(cat "${result}" | wc -l)" != "1" ]; then + echo "[Fail] BPF result should have a result with cgroup filter:" "$(cat "${cgroup}")" + err=1 +@@ -338,4 +341,5 @@ test_aggr_task_stack_filter + test_cgroup_filter + test_csv_output + ++cleanup + exit ${err} +-- +2.51.0 + diff --git a/queue-6.17/perf-test-shell-lock_contention-extra-debug-diagnost.patch b/queue-6.17/perf-test-shell-lock_contention-extra-debug-diagnost.patch new file mode 100644 index 0000000000..5df34325ca --- /dev/null +++ b/queue-6.17/perf-test-shell-lock_contention-extra-debug-diagnost.patch 
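Review bot: trap_cleanup() only forces `err=1` when `$?` is exactly 139, so a perf process killed by any other signal (SIGABRT, for example, gives status 134) leaves `err` unchanged and the test can still end as Ok. Testing `if (( $? > 128 )); then` would treat every signal death as a failure. Separately, the failure message in test_cgroup_filter() prints `"$(cat "${cgroup}")"`, but `cgroup` holds a field taken from the result file rather than a path, so `"$(cat "${result}")"` looks like what was meant.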
@@ -0,0 +1,83 @@ +From 7fdc71dbaacfc73e4a94edf17c9be0307405ecc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Aug 2025 09:38:18 -0700 +Subject: perf test shell lock_contention: Extra debug diagnostics + +From: Ian Rogers + +[ Upstream commit 8b93f8933d37591d17c59fd71b18fc61966d9515 ] + +In test_record_concurrent, as stderr is sent to /dev/null, error +messages are hidden. Change this to gather the error messages and dump +them on failure. + +Some minor sh->bash changes to add some more diagnostics in +trap_cleanup. + +Reviewed-by: James Clark +Signed-off-by: Ian Rogers +Acked-by: Namhyung Kim +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Athira Rajeev +Cc: Blake Jones +Cc: Chun-Tse Shao +Cc: Collin Funk +Cc: Howard Chu +Cc: Ingo Molnar +Cc: Jan Polensky +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Li Huafei +Cc: Mark Rutland +Cc: Nam Cao +Cc: Peter Zijlstra +Cc: Steinar H. Gunderson +Cc: Thomas Gleixner +Link: https://lore.kernel.org/r/20250821163820.1132977-5-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Stable-dep-of: 3c723f449723 ("perf test: Fix lock contention test") +Signed-off-by: Sasha Levin +--- + tools/perf/tests/shell/lock_contention.sh | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/tests/shell/lock_contention.sh b/tools/perf/tests/shell/lock_contention.sh +index d33d9e4392b06..7248a74ca2a32 100755 +--- a/tools/perf/tests/shell/lock_contention.sh ++++ b/tools/perf/tests/shell/lock_contention.sh +@@ -7,14 +7,17 @@ set -e + err=0 + perfdata=$(mktemp /tmp/__perf_test.perf.data.XXXXX) + result=$(mktemp /tmp/__perf_test.result.XXXXX) ++errout=$(mktemp /tmp/__perf_test.errout.XXXXX) + + cleanup() { + rm -f ${perfdata} + rm -f ${result} ++ rm -f ${errout} + trap - EXIT TERM INT + } + + trap_cleanup() { ++ echo "Unexpected signal in ${FUNCNAME[1]}" + cleanup + exit ${err} + } +@@ -75,10 +78,12 @@ test_bpf() + test_record_concurrent() + { + echo "Testing perf lock record and perf lock contention at the 
same time" +- perf lock record -o- -- perf bench sched messaging -p 2> /dev/null | \ ++ perf lock record -o- -- perf bench sched messaging -p 2> ${errout} | \ + perf lock contention -i- -E 1 -q 2> ${result} + if [ "$(cat "${result}" | wc -l)" != "1" ]; then + echo "[Fail] Recorded result count is not 1:" "$(cat "${result}" | wc -l)" ++ cat ${errout} ++ cat ${result} + err=1 + exit + fi +-- +2.51.0 + diff --git a/queue-6.17/sched_ext-fix-unsafe-locking-in-the-scx_dump_state.patch b/queue-6.17/sched_ext-fix-unsafe-locking-in-the-scx_dump_state.patch new file mode 100644 index 0000000000..4f731f714d --- /dev/null +++ b/queue-6.17/sched_ext-fix-unsafe-locking-in-the-scx_dump_state.patch 
@@ -0,0 +1,133 @@ +From d1a369c60434f10e22e7ec5d8c5d1cdb06780c9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 15:33:28 +0800 +Subject: sched_ext: Fix unsafe locking in the scx_dump_state() + +From: Zqiang + +[ Upstream commit 5f02151c411dda46efcc5dc57b0845efcdcfc26d ] + +For built with CONFIG_PREEMPT_RT=y kernels, the dump_lock will be converted +sleepable spinlock and not disable-irq, so the following scenarios occur: + +inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. +irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes: +(&rq->__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40 +{IN-HARDIRQ-W} state was registered at: + lock_acquire+0x1e1/0x510 + _raw_spin_lock_nested+0x42/0x80 + raw_spin_rq_lock_nested+0x2b/0x40 + sched_tick+0xae/0x7b0 + update_process_times+0x14c/0x1b0 + tick_periodic+0x62/0x1f0 + tick_handle_periodic+0x48/0xf0 + timer_interrupt+0x55/0x80 + __handle_irq_event_percpu+0x20a/0x5c0 + handle_irq_event_percpu+0x18/0xc0 + handle_irq_event+0xb5/0x150 + handle_level_irq+0x220/0x460 + __common_interrupt+0xa2/0x1e0 + common_interrupt+0xb0/0xd0 + asm_common_interrupt+0x2b/0x40 + _raw_spin_unlock_irqrestore+0x45/0x80 + __setup_irq+0xc34/0x1a30 + request_threaded_irq+0x214/0x2f0 + hpet_time_init+0x3e/0x60 + x86_late_time_init+0x5b/0xb0 + start_kernel+0x308/0x410 + x86_64_start_reservations+0x1c/0x30 + x86_64_start_kernel+0x96/0xa0 + common_startup_64+0x13e/0x148 + + other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&rq->__lock); + + lock(&rq->__lock); + + *** DEADLOCK *** + + stack backtrace: + CPU: 0 UID: 0 PID: 27 Comm: irq_work/0 + Call Trace: + + dump_stack_lvl+0x8c/0xd0 + dump_stack+0x14/0x20 + print_usage_bug+0x42e/0x690 + mark_lock.part.44+0x867/0xa70 + ? __pfx_mark_lock.part.44+0x10/0x10 + ? string_nocheck+0x19c/0x310 + ? number+0x739/0x9f0 + ? __pfx_string_nocheck+0x10/0x10 + ? __pfx_check_pointer+0x10/0x10 + ? kvm_sched_clock_read+0x15/0x30 + ? 
sched_clock_noinstr+0xd/0x20 + ? local_clock_noinstr+0x1c/0xe0 + __lock_acquire+0xc4b/0x62b0 + ? __pfx_format_decode+0x10/0x10 + ? __pfx_string+0x10/0x10 + ? __pfx___lock_acquire+0x10/0x10 + ? __pfx_vsnprintf+0x10/0x10 + lock_acquire+0x1e1/0x510 + ? raw_spin_rq_lock_nested+0x2b/0x40 + ? __pfx_lock_acquire+0x10/0x10 + ? dump_line+0x12e/0x270 + ? raw_spin_rq_lock_nested+0x20/0x40 + _raw_spin_lock_nested+0x42/0x80 + ? raw_spin_rq_lock_nested+0x2b/0x40 + raw_spin_rq_lock_nested+0x2b/0x40 + scx_dump_state+0x3b3/0x1270 + ? finish_task_switch+0x27e/0x840 + scx_ops_error_irq_workfn+0x67/0x80 + irq_work_single+0x113/0x260 + irq_work_run_list.part.3+0x44/0x70 + run_irq_workd+0x6b/0x90 + ? __pfx_run_irq_workd+0x10/0x10 + smpboot_thread_fn+0x529/0x870 + ? __pfx_smpboot_thread_fn+0x10/0x10 + kthread+0x305/0x3f0 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x40/0x70 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1a/0x30 + + +This commit therefore use rq_lock_irqsave/irqrestore() to replace +rq_lock/unlock() in the scx_dump_state(). 
+ +Fixes: 07814a9439a3 ("sched_ext: Print debug dump after an error exit") +Signed-off-by: Zqiang +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/sched/ext.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c +index e1b502ef1243c..313206067ea3d 100644 +--- a/kernel/sched/ext.c ++++ b/kernel/sched/ext.c +@@ -4270,7 +4270,7 @@ static void scx_dump_state(struct scx_exit_info *ei, size_t dump_len) + size_t avail, used; + bool idle; + +- rq_lock(rq, &rf); ++ rq_lock_irqsave(rq, &rf); + + idle = list_empty(&rq->scx.runnable_list) && + rq->curr->sched_class == &idle_sched_class; +@@ -4339,7 +4339,7 @@ static void scx_dump_state(struct scx_exit_info *ei, size_t dump_len) + list_for_each_entry(p, &rq->scx.runnable_list, scx.runnable_node) + scx_dump_task(&s, &dctx, p, ' '); + next: +- rq_unlock(rq, &rf); ++ rq_unlock_irqrestore(rq, &rf); + } + + dump_newline(&s); +-- +2.51.0 + diff --git a/queue-6.17/series b/queue-6.17/series index f302f61f93..bd1abc9ff7 100644 --- a/queue-6.17/series +++ b/queue-6.17/series 
@@ -120,3 +120,15 @@ bpf-account-for-current-allocated-stack-depth-in-wid.patch irqchip-riscv-intc-add-missing-free-callback-in-risc.patch posix-timers-plug-potential-memory-leak-in-do_timer_.patch lib-crypto-arm-curve25519-disable-on-cpu_big_endian.patch +hostfs-fix-only-passing-host-root-in-boot-stage-with.patch +afs-fix-dynamic-lookup-to-fail-on-cell-lookup-failur.patch +mtd-onenand-pass-correct-pointer-to-irq-handler.patch +virtio-fs-fix-incorrect-check-for-fsvq-kobj.patch +binfmt_misc-restore-write-access-before-closing-file.patch +fs-namespace-correctly-handle-errors-returned-by-gra.patch +sched_ext-fix-unsafe-locking-in-the-scx_dump_state.patch +perf-header-write-bpf_prog-infos-btfs-_cnt-to-data-f.patch +perf-build-don-t-fail-fast-path-feature-detection-wh.patch +perf-lock-fix-segfault-due-to-missing-kernel-map.patch +perf-test-shell-lock_contention-extra-debug-diagnost.patch +perf-test-fix-lock-contention-test.patch diff --git a/queue-6.17/virtio-fs-fix-incorrect-check-for-fsvq-kobj.patch b/queue-6.17/virtio-fs-fix-incorrect-check-for-fsvq-kobj.patch new file mode 100644 index 0000000000..3e6b48d330 --- /dev/null +++ b/queue-6.17/virtio-fs-fix-incorrect-check-for-fsvq-kobj.patch 
@@ -0,0 +1,40 @@
+From 45d1c50b03f08e797f45c0c1c52cd51f86f90f78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 27 Oct 2025 03:46:47 -0700
+Subject: virtio-fs: fix incorrect check for fsvq->kobj
+
+From: Alok Tiwari
+
+[ Upstream commit c014021253d77cd89b2d8788ce522283d83fbd40 ]
+
+In virtio_fs_add_queues_sysfs(), the code incorrectly checks fs->mqs_kobj
+after calling kobject_create_and_add(). Change the check to fsvq->kobj
+(fs->mqs_kobj -> fsvq->kobj) to ensure the per-queue kobject is
+successfully created.
+
+Fixes: 87cbdc396a31 ("virtio_fs: add sysfs entries for queue information")
+Signed-off-by: Alok Tiwari
+Link: https://patch.msgid.link/20251027104658.1668537-1-alok.a.tiwari@oracle.com
+Reviewed-by: Stefan Hajnoczi
+Signed-off-by: Christian Brauner
+Signed-off-by: Sasha Levin
+---
+ fs/fuse/virtio_fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c
+index 1751cd6e3d42b..38051e5fba19b 100644
+--- a/fs/fuse/virtio_fs.c
++++ b/fs/fuse/virtio_fs.c
+@@ -373,7 +373,7 @@ static int virtio_fs_add_queues_sysfs(struct virtio_fs *fs)
+
+ sprintf(buff, "%d", i);
+ fsvq->kobj = kobject_create_and_add(buff, fs->mqs_kobj);
+- if (!fs->mqs_kobj) {
++ if (!fsvq->kobj) {
+ ret = -ENOMEM;
+ goto out_del;
+ }
+--
+2.51.0
+
diff --git a/queue-6.6/bluetooth-hci_sync-fix-double-free-in-hci_discovery_.patch b/queue-6.6/bluetooth-hci_sync-fix-double-free-in-hci_discovery_.patch
new file mode 100644
index 0000000000..f8439a9a90
--- /dev/null
+++ b/queue-6.6/bluetooth-hci_sync-fix-double-free-in-hci_discovery_.patch
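Review bot: The context line `sprintf(buff, "%d", i);` directly above the corrected check writes into `buff` with no bound, and the declaration of `buff` is outside the hunk, so its size cannot be checked from here. If `buff` is a local array, `snprintf(buff, sizeof(buff), "%d", i);` keeps the kobject-name write bounded however the buffer is sized later. The body of virtio_fs_add_queues_sysfs() starts and ends outside the hunk.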
@@ -0,0 +1,118 @@
+From a07fa1268fa9991696b3847041853c7857448670 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Nov 2025 20:18:47 +0800
+Subject: Bluetooth: hci_sync: fix double free in
+ 'hci_discovery_filter_clear()'
+
+From: Arseniy Krasnov
+
+[ Upstream commit 2935e556850e9c94d7a00adf14d3cd7fe406ac03 ]
+
+Function 'hci_discovery_filter_clear()' frees 'uuids' array and then
+sets it to NULL. There is a tiny chance of the following race:
+
+'hci_cmd_sync_work()'
+
+ 'update_passive_scan_sync()'
+
+ 'hci_update_passive_scan_sync()'
+
+ 'hci_discovery_filter_clear()'
+ kfree(uuids);
+
+ <-------------------------preempted-------------------------------->
+ 'start_service_discovery()'
+
+ 'hci_discovery_filter_clear()'
+ kfree(uuids); // DOUBLE FREE
+
+ <-------------------------preempted-------------------------------->
+
+ uuids = NULL;
+
+To fix it let's add locking around 'kfree()' call and NULL pointer
+assignment. Otherwise the following backtrace fires:
+
+[ ] ------------[ cut here ]------------
+[ ] kernel BUG at mm/slub.c:547!
+[ ] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
+[ ] CPU: 3 UID: 0 PID: 246 Comm: bluetoothd Tainted: G O 6.12.19-kernel #1
+[ ] Tainted: [O]=OOT_MODULE
+[ ] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ ] pc : __slab_free+0xf8/0x348
+[ ] lr : __slab_free+0x48/0x348
+...
+[ ] Call trace:
+[ ] __slab_free+0xf8/0x348
+[ ] kfree+0x164/0x27c
+[ ] start_service_discovery+0x1d0/0x2c0
+[ ] hci_sock_sendmsg+0x518/0x924
+[ ] __sock_sendmsg+0x54/0x60
+[ ] sock_write_iter+0x98/0xf8
+[ ] do_iter_readv_writev+0xe4/0x1c8
+[ ] vfs_writev+0x128/0x2b0
+[ ] do_writev+0xfc/0x118
+[ ] __arm64_sys_writev+0x20/0x2c
+[ ] invoke_syscall+0x68/0xf0
+[ ] el0_svc_common.constprop.0+0x40/0xe0
+[ ] do_el0_svc+0x1c/0x28
+[ ] el0_svc+0x30/0xd0
+[ ] el0t_64_sync_handler+0x100/0x12c
+[ ] el0t_64_sync+0x194/0x198
+[ ] Code: 8b0002e6 eb17031f 54fffbe1 d503201f (d4210000)
+[ ] ---[ end trace 0000000000000000 ]---
+
+Fixes: ad383c2c65a5 ("Bluetooth: hci_sync: Enable advertising when LL privacy is enabled")
+Signed-off-by: Arseniy Krasnov
+Signed-off-by: Luiz Augusto von Dentz
+[ Minor context change fixed. ]
+Signed-off-by: Alva Lan
+Signed-off-by: Sasha Levin
+---
+ include/net/bluetooth/hci_core.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index 7672d8d6005d1..a2a6fb20f4964 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -29,6 +29,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ 
+ #include
+@@ -95,6 +96,7 @@ struct discovery_state {
+ unsigned long scan_start;
+ unsigned long scan_duration;
+ unsigned long name_resolve_timeout;
++ spinlock_t lock;
+ };
+ 
+ #define SUSPEND_NOTIFIER_TIMEOUT msecs_to_jiffies(2000) /* 2 seconds */
+@@ -870,6 +872,7 @@ static inline void iso_recv(struct hci_conn *hcon, struct sk_buff *skb,
+ 
+ static inline void discovery_init(struct hci_dev *hdev)
+ {
++ spin_lock_init(&hdev->discovery.lock);
+ hdev->discovery.state = DISCOVERY_STOPPED;
+ INIT_LIST_HEAD(&hdev->discovery.all);
+ INIT_LIST_HEAD(&hdev->discovery.unknown);
+@@ -884,8 +887,12 @@ static inline void hci_discovery_filter_clear(struct hci_dev *hdev)
+ hdev->discovery.report_invalid_rssi = true;
+ hdev->discovery.rssi = HCI_RSSI_INVALID;
+ hdev->discovery.uuid_count = 0;
++
++ spin_lock(&hdev->discovery.lock);
+ kfree(hdev->discovery.uuids);
+ hdev->discovery.uuids = NULL;
++ spin_unlock(&hdev->discovery.lock);
++
+ hdev->discovery.scan_start = 0;
+ hdev->discovery.scan_duration = 0;
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.6/mtd-onenand-pass-correct-pointer-to-irq-handler.patch b/queue-6.6/mtd-onenand-pass-correct-pointer-to-irq-handler.patch
new file mode 100644
index 0000000000..61e1d69e09
--- /dev/null
+++ b/queue-6.6/mtd-onenand-pass-correct-pointer-to-irq-handler.patch
@@ -0,0 +1,38 @@
+From 43cc7f02c2badb800bf9617fa53b0ac2f6133cac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 1 Nov 2025 16:25:48 +0300
+Subject: mtd: onenand: Pass correct pointer to IRQ handler
+
+From: Dan Carpenter
+
+[ Upstream commit 97315e7c901a1de60e8ca9b11e0e96d0f9253e18 ]
+
+This was supposed to pass "onenand" instead of "&onenand" with the
+ampersand. Passing a random stack address which will be gone when the
+function ends makes no sense. However the good thing is that the pointer
+is never used, so this doesn't cause a problem at run time.
+
+Fixes: e23abf4b7743 ("mtd: OneNAND: S5PC110: Implement DMA interrupt method")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Miquel Raynal
+Signed-off-by: Sasha Levin
+---
+ drivers/mtd/nand/onenand/onenand_samsung.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/onenand/onenand_samsung.c b/drivers/mtd/nand/onenand/onenand_samsung.c
+index fd6890a03d557..0e21d443078e4 100644
+--- a/drivers/mtd/nand/onenand/onenand_samsung.c
++++ b/drivers/mtd/nand/onenand/onenand_samsung.c
+@@ -906,7 +906,7 @@ static int s3c_onenand_probe(struct platform_device *pdev)
+ err = devm_request_irq(&pdev->dev, r->start,
+ s5pc110_onenand_irq,
+ IRQF_SHARED, "onenand",
+- &onenand);
++ onenand);
+ if (err) {
+ dev_err(&pdev->dev, "failed to get irq\n");
+ return err;
+-- 
+2.51.0
+
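Review bot: In the Bluetooth patch (include/net/bluetooth/hci_core.h) the new `lock` field carries no comment saying what it protects, and the critical section in hci_discovery_filter_clear() covers only `kfree(hdev->discovery.uuids)` and the NULL store. `uuid_count` is zeroed on the context line just above, outside the lock, and code that assigns or walks `discovery.uuids` is not part of this patch, so those paths presumably still run unserialized against the clear and should be checked. I would document the scope on the field, e.g. `spinlock_t lock; /* serializes freeing and resetting of uuids */`, and confirm that every taker runs in process context, since plain `spin_lock()` is used rather than a _bh or irqsave variant. The body of hci_discovery_filter_clear() starts outside the hunk.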
diff --git a/queue-6.6/netfilter-nf_tables-reject-duplicate-device-on-updat.patch b/queue-6.6/netfilter-nf_tables-reject-duplicate-device-on-updat.patch
new file mode 100644
index 0000000000..6a1c9a3db0
--- /dev/null
+++ b/queue-6.6/netfilter-nf_tables-reject-duplicate-device-on-updat.patch
@@ -0,0 +1,98 @@
+From 55d448467fc72dd4cf709e2518d481950d874b22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Nov 2025 21:39:21 +0000
+Subject: netfilter: nf_tables: reject duplicate device on updates
+
+From: Pablo Neira Ayuso
+
+commit cf5fb87fcdaaaafec55dcc0dc5a9e15ead343973 upstream.
+
+A chain/flowtable update with duplicated devices in the same batch is
+possible. Unfortunately, netdev event path only removes the first
+device that is found, leaving unregistered the hook of the duplicated
+device.
+
+Check if a duplicated device exists in the transaction batch, bail out
+with EEXIST in such case.
+
+WARNING is hit when unregistering the hook:
+
+ [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150
+ [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)
+ [...]
+ [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150
+
+Fixes: 78d9f48f7f44 ("netfilter: nf_tables: add devices to existing flowtable")
+Fixes: b9703ed44ffb ("netfilter: nf_tables: support for adding new devices to an existing netdev chain")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 5ca1d775e976d..80443b4eaeff0 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2576,6 +2576,7 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
+ struct nft_chain *chain = ctx->chain;
+ struct nft_chain_hook hook = {};
+ struct nft_stats *stats = NULL;
++ struct nftables_pernet *nft_net;
+ struct nft_hook *h, *next;
+ struct nf_hook_ops *ops;
+ struct nft_trans *trans;
+@@ -2616,6 +2617,20 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
+ if (nft_hook_list_find(&basechain->hook_list, h)) {
+ list_del(&h->list);
+ kfree(h);
++ continue;
++ }
++
++ nft_net = nft_pernet(ctx->net);
++ list_for_each_entry(trans, &nft_net->commit_list, list) {
++ if (trans->msg_type != NFT_MSG_NEWCHAIN ||
++ trans->ctx.table != ctx->table ||
++ !nft_trans_chain_update(trans))
++ continue;
++
++ if (nft_hook_list_find(&nft_trans_chain_hooks(trans), h)) {
++ nft_chain_release_hook(&hook);
++ return -EEXIST;
++ }
+ }
+ }
+ } else {
+@@ -8493,6 +8508,7 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
+ {
+ const struct nlattr * const *nla = ctx->nla;
+ struct nft_flowtable_hook flowtable_hook;
++ struct nftables_pernet *nft_net;
+ struct nft_hook *hook, *next;
+ struct nft_trans *trans;
+ bool unregister = false;
+@@ -8508,6 +8524,20 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
+ if (nft_hook_list_find(&flowtable->hook_list, hook)) {
+ list_del(&hook->list);
+ kfree(hook);
++ continue;
++ }
++
++ nft_net = nft_pernet(ctx->net);
++ list_for_each_entry(trans, &nft_net->commit_list, list) {
++ if (trans->msg_type != NFT_MSG_NEWFLOWTABLE ||
++ trans->ctx.table != ctx->table ||
++ !nft_trans_flowtable_update(trans))
++ continue;
++
++ if (nft_hook_list_find(&nft_trans_flowtable_hooks(trans), hook)) {
++ err = -EEXIST;
++ goto err_flowtable_update_hook;
++ }
+ }
+ }
+ 
+-- 
+2.51.0
+
diff --git a/queue-6.6/series b/queue-6.6/series
index 50197de393..3687ae605a 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -451,3 +451,6 @@ net-allow-small-head-cache-usage-with-large-max_skb_.patch
 net-dsa-improve-shutdown-sequence.patch
 espintcp-fix-skb-leaks.patch
 lib-crypto-arm-curve25519-disable-on-cpu_big_endian.patch
+bluetooth-hci_sync-fix-double-free-in-hci_discovery_.patch
+mtd-onenand-pass-correct-pointer-to-irq-handler.patch
+netfilter-nf_tables-reject-duplicate-device-on-updat.patch
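Review bot: In the netfilter patch (net/netfilter/nf_tables_api.c) the duplicate scan reuses the function's own `trans` variable as the `list_for_each_entry()` cursor, in both nf_tables_updchain() and nft_flowtable_update(). After a full pass without a match the cursor no longer points at a real transaction, so it is worth confirming that `trans` is always reassigned before its next use; the rest of both functions lies outside the hunks, and a dedicated cursor variable would remove the question. `nft_net = nft_pernet(ctx->net);` also does not depend on the hook being examined and can be assigned once before the hook loop. A one-line comment such as `/* reject a device already queued by an earlier update in this batch */` above the walk would explain why the commit list is consulted here.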