From: Greg Kroah-Hartman Date: Sun, 24 Aug 2025 07:57:52 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.4.297~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ae7568ca4fc7f9ece4e521a991a117bc2c30cd12;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: arm-9448-1-use-an-absolute-path-to-unified.h-in-kbuild_aflags.patch block-don-t-call-rq_qos_ops-done_bio-if-the-bio-isn-t-tracked.patch btrfs-fix-deadlock-when-cloning-inline-extents-and-using-qgroups.patch dma-buf-insert-memory-barrier-before-updating-num_fences.patch dpaa2-eth-fix-device-reference-count-leak-in-mac-endpoint-handling.patch dpaa2-eth-retry-the-probe-when-the-mac-is-not-yet-discovered-on-the-bus.patch dpaa2-mac-export-mac-counters-even-when-in-type_fixed.patch dpaa2-mac-split-up-initializing-the-mac-object-from-connecting-to-it.patch mm-drop-the-assumption-that-vm_shared-always-implies-writable.patch mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only.patch mm-update-memfd-seal-write-check-to-include-f_seal_write.patch ptp-fix-possible-memory-leak-in-ptp_clock_register.patch selftests-memfd-add-test-for-mapping-write-sealed-memfd-read-only.patch --- diff --git a/queue-5.10/arm-9448-1-use-an-absolute-path-to-unified.h-in-kbuild_aflags.patch b/queue-5.10/arm-9448-1-use-an-absolute-path-to-unified.h-in-kbuild_aflags.patch new file mode 100644 index 0000000000..0f38d5f1da --- /dev/null +++ b/queue-5.10/arm-9448-1-use-an-absolute-path-to-unified.h-in-kbuild_aflags.patch @@ -0,0 +1,60 @@ +From stable+bounces-164981-greg=kroah.com@vger.kernel.org Mon Jul 28 17:00:53 2025 +From: Sasha Levin +Date: Mon, 28 Jul 2025 11:00:44 -0400 +Subject: ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS +To: stable@vger.kernel.org +Cc: Nathan Chancellor , KernelCI bot , Masahiro Yamada , Russell King , Sasha Levin +Message-ID: <20250728150044.2341245-1-sashal@kernel.org> + +From: Nathan Chancellor + +[ Upstream commit 87c4e1459e80bf65066f864c762ef4dc932fad4b ] + +After commit d5c8d6e0fa61 ("kbuild: Update assembler calls to use proper +flags and language target"), which updated as-instr to use the +'assembler-with-cpp' language option, the Kbuild version of as-instr +always fails internally for arch/arm with + + : fatal error: asm/unified.h: No such file or directory + compilation terminated. + +because '-include' flags are now taken into account by the compiler +driver and as-instr does not have '$(LINUXINCLUDE)', so unified.h is not +found. + +This went unnoticed at the time of the Kbuild change because the last +use of as-instr in Kbuild that arch/arm could reach was removed in 5.7 +by commit 541ad0150ca4 ("arm: Remove 32bit KVM host support") but a +stable backport of the Kbuild change to before that point exposed this +potential issue if one were to be reintroduced. + +Follow the general pattern of '-include' paths throughout the tree and +make unified.h absolute using '$(srctree)' to ensure KBUILD_AFLAGS can +be used independently. + +Closes: https://lore.kernel.org/CACo-S-1qbCX4WAVFA63dWfHtrRHZBTyyr2js8Lx=Az03XHTTHg@mail.gmail.com/ + +Cc: stable@vger.kernel.org +Fixes: d5c8d6e0fa61 ("kbuild: Update assembler calls to use proper flags and language target") +Reported-by: KernelCI bot +Reviewed-by: Masahiro Yamada +Signed-off-by: Nathan Chancellor +Signed-off-by: Russell King (Oracle) +[ adapted to missing -Wa ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/Makefile ++++ b/arch/arm/Makefile +@@ -126,7 +126,7 @@ endif + + # Need -Uarm for gcc < 3.x + KBUILD_CFLAGS +=$(CFLAGS_ABI) $(CFLAGS_ISA) $(arch-y) $(tune-y) $(call cc-option,-mshort-load-bytes,$(call cc-option,-malignment-traps,)) -msoft-float -Uarm +-KBUILD_AFLAGS +=$(CFLAGS_ABI) $(AFLAGS_ISA) $(arch-y) $(tune-y) -include asm/unified.h -msoft-float ++KBUILD_AFLAGS +=$(CFLAGS_ABI) $(AFLAGS_ISA) $(arch-y) $(tune-y) -include $(srctree)/arch/arm/include/asm/unified.h -msoft-float + + CHECKFLAGS += -D__arm__ + diff --git a/queue-5.10/block-don-t-call-rq_qos_ops-done_bio-if-the-bio-isn-t-tracked.patch b/queue-5.10/block-don-t-call-rq_qos_ops-done_bio-if-the-bio-isn-t-tracked.patch new file mode 100644 index 0000000000..c463445a13 --- /dev/null +++ b/queue-5.10/block-don-t-call-rq_qos_ops-done_bio-if-the-bio-isn-t-tracked.patch @@ -0,0 +1,54 @@ +From a647a524a46736786c95cdb553a070322ca096e3 Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Fri, 24 Sep 2021 19:07:04 +0800 +Subject: block: don't call rq_qos_ops->done_bio if the bio isn't tracked + +From: Ming Lei + +commit a647a524a46736786c95cdb553a070322ca096e3 upstream. + +rq_qos framework is only applied on request based driver, so: + +1) rq_qos_done_bio() needn't to be called for bio based driver + +2) rq_qos_done_bio() needn't to be called for bio which isn't tracked, +such as bios ended from error handling code. + +Especially in bio_endio(): + +1) request queue is referred via bio->bi_bdev->bd_disk->queue, which +may be gone since request queue refcount may not be held in above two +cases + +2) q->rq_qos may be freed in blk_cleanup_queue() when calling into +__rq_qos_done_bio() + +Fix the potential kernel panic by not calling rq_qos_ops->done_bio if +the bio isn't tracked. This way is safe because both ioc_rqos_done_bio() +and blkcg_iolatency_done_bio() are nop if the bio isn't tracked. + +Reported-by: Yu Kuai +Cc: tj@kernel.org +Signed-off-by: Ming Lei +Reviewed-by: Christoph Hellwig +Acked-by: Tejun Heo +Link: https://lore.kernel.org/r/20210924110704.1541818-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +[ Shivani: Modified to apply on 5.10.y ] +Signed-off-by: Shivani Agarwal +Signed-off-by: Greg Kroah-Hartman +--- + block/bio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/block/bio.c ++++ b/block/bio.c +@@ -1430,7 +1430,7 @@ again: + if (!bio_integrity_endio(bio)) + return; + +- if (bio->bi_disk) ++ if (bio->bi_disk && bio_flagged(bio, BIO_TRACKED)) + rq_qos_done_bio(bio->bi_disk->queue, bio); + + /* diff --git a/queue-5.10/btrfs-fix-deadlock-when-cloning-inline-extents-and-using-qgroups.patch b/queue-5.10/btrfs-fix-deadlock-when-cloning-inline-extents-and-using-qgroups.patch new file mode 100644 index 0000000000..1de126b2d7 --- /dev/null +++ b/queue-5.10/btrfs-fix-deadlock-when-cloning-inline-extents-and-using-qgroups.patch @@ -0,0 +1,245 @@ +From f9baa501b4fd6962257853d46ddffbc21f27e344 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Thu, 22 Apr 2021 12:08:05 +0100 +Subject: btrfs: fix deadlock when cloning inline extents and using qgroups + +From: Filipe Manana + +commit f9baa501b4fd6962257853d46ddffbc21f27e344 upstream. + +There are a few exceptional cases where cloning an inline extent needs to +copy the inline extent data into a page of the destination inode. + +When this happens, we end up starting a transaction while having a dirty +page for the destination inode and while having the range locked in the +destination's inode iotree too. Because when reserving metadata space +for a transaction we may need to flush existing delalloc in case there is +not enough free space, we have a mechanism in place to prevent a deadlock, +which was introduced in commit 3d45f221ce627d ("btrfs: fix deadlock when +cloning inline extent and low on free metadata space"). + +However when using qgroups, a transaction also reserves metadata qgroup +space, which can also result in flushing delalloc in case there is not +enough available space at the moment. When this happens we deadlock, since +flushing delalloc requires locking the file range in the inode's iotree +and the range was already locked at the very beginning of the clone +operation, before attempting to start the transaction. + +When this issue happens, stack traces like the following are reported: + + [72747.556262] task:kworker/u81:9 state:D stack: 0 pid: 225 ppid: 2 flags:0x00004000 + [72747.556268] Workqueue: writeback wb_workfn (flush-btrfs-1142) + [72747.556271] Call Trace: + [72747.556273] __schedule+0x296/0x760 + [72747.556277] schedule+0x3c/0xa0 + [72747.556279] io_schedule+0x12/0x40 + [72747.556284] __lock_page+0x13c/0x280 + [72747.556287] ? generic_file_readonly_mmap+0x70/0x70 + [72747.556325] extent_write_cache_pages+0x22a/0x440 [btrfs] + [72747.556331] ? __set_page_dirty_nobuffers+0xe7/0x160 + [72747.556358] ? set_extent_buffer_dirty+0x5e/0x80 [btrfs] + [72747.556362] ? update_group_capacity+0x25/0x210 + [72747.556366] ? cpumask_next_and+0x1a/0x20 + [72747.556391] extent_writepages+0x44/0xa0 [btrfs] + [72747.556394] do_writepages+0x41/0xd0 + [72747.556398] __writeback_single_inode+0x39/0x2a0 + [72747.556403] writeback_sb_inodes+0x1ea/0x440 + [72747.556407] __writeback_inodes_wb+0x5f/0xc0 + [72747.556410] wb_writeback+0x235/0x2b0 + [72747.556414] ? get_nr_inodes+0x35/0x50 + [72747.556417] wb_workfn+0x354/0x490 + [72747.556420] ? newidle_balance+0x2c5/0x3e0 + [72747.556424] process_one_work+0x1aa/0x340 + [72747.556426] worker_thread+0x30/0x390 + [72747.556429] ? create_worker+0x1a0/0x1a0 + [72747.556432] kthread+0x116/0x130 + [72747.556435] ? kthread_park+0x80/0x80 + [72747.556438] ret_from_fork+0x1f/0x30 + + [72747.566958] Workqueue: btrfs-flush_delalloc btrfs_work_helper [btrfs] + [72747.566961] Call Trace: + [72747.566964] __schedule+0x296/0x760 + [72747.566968] ? finish_wait+0x80/0x80 + [72747.566970] schedule+0x3c/0xa0 + [72747.566995] wait_extent_bit.constprop.68+0x13b/0x1c0 [btrfs] + [72747.566999] ? finish_wait+0x80/0x80 + [72747.567024] lock_extent_bits+0x37/0x90 [btrfs] + [72747.567047] btrfs_invalidatepage+0x299/0x2c0 [btrfs] + [72747.567051] ? find_get_pages_range_tag+0x2cd/0x380 + [72747.567076] __extent_writepage+0x203/0x320 [btrfs] + [72747.567102] extent_write_cache_pages+0x2bb/0x440 [btrfs] + [72747.567106] ? update_load_avg+0x7e/0x5f0 + [72747.567109] ? enqueue_entity+0xf4/0x6f0 + [72747.567134] extent_writepages+0x44/0xa0 [btrfs] + [72747.567137] ? enqueue_task_fair+0x93/0x6f0 + [72747.567140] do_writepages+0x41/0xd0 + [72747.567144] __filemap_fdatawrite_range+0xc7/0x100 + [72747.567167] btrfs_run_delalloc_work+0x17/0x40 [btrfs] + [72747.567195] btrfs_work_helper+0xc2/0x300 [btrfs] + [72747.567200] process_one_work+0x1aa/0x340 + [72747.567202] worker_thread+0x30/0x390 + [72747.567205] ? create_worker+0x1a0/0x1a0 + [72747.567208] kthread+0x116/0x130 + [72747.567211] ? kthread_park+0x80/0x80 + [72747.567214] ret_from_fork+0x1f/0x30 + + [72747.569686] task:fsstress state:D stack: 0 pid:841421 ppid:841417 flags:0x00000000 + [72747.569689] Call Trace: + [72747.569691] __schedule+0x296/0x760 + [72747.569694] schedule+0x3c/0xa0 + [72747.569721] try_flush_qgroup+0x95/0x140 [btrfs] + [72747.569725] ? finish_wait+0x80/0x80 + [72747.569753] btrfs_qgroup_reserve_data+0x34/0x50 [btrfs] + [72747.569781] btrfs_check_data_free_space+0x5f/0xa0 [btrfs] + [72747.569804] btrfs_buffered_write+0x1f7/0x7f0 [btrfs] + [72747.569810] ? path_lookupat.isra.48+0x97/0x140 + [72747.569833] btrfs_file_write_iter+0x81/0x410 [btrfs] + [72747.569836] ? __kmalloc+0x16a/0x2c0 + [72747.569839] do_iter_readv_writev+0x160/0x1c0 + [72747.569843] do_iter_write+0x80/0x1b0 + [72747.569847] vfs_writev+0x84/0x140 + [72747.569869] ? btrfs_file_llseek+0x38/0x270 [btrfs] + [72747.569873] do_writev+0x65/0x100 + [72747.569876] do_syscall_64+0x33/0x40 + [72747.569879] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + + [72747.569899] task:fsstress state:D stack: 0 pid:841424 ppid:841417 flags:0x00004000 + [72747.569903] Call Trace: + [72747.569906] __schedule+0x296/0x760 + [72747.569909] schedule+0x3c/0xa0 + [72747.569936] try_flush_qgroup+0x95/0x140 [btrfs] + [72747.569940] ? finish_wait+0x80/0x80 + [72747.569967] __btrfs_qgroup_reserve_meta+0x36/0x50 [btrfs] + [72747.569989] start_transaction+0x279/0x580 [btrfs] + [72747.570014] clone_copy_inline_extent+0x332/0x490 [btrfs] + [72747.570041] btrfs_clone+0x5b7/0x7a0 [btrfs] + [72747.570068] ? lock_extent_bits+0x64/0x90 [btrfs] + [72747.570095] btrfs_clone_files+0xfc/0x150 [btrfs] + [72747.570122] btrfs_remap_file_range+0x3d8/0x4a0 [btrfs] + [72747.570126] do_clone_file_range+0xed/0x200 + [72747.570131] vfs_clone_file_range+0x37/0x110 + [72747.570134] ioctl_file_clone+0x7d/0xb0 + [72747.570137] do_vfs_ioctl+0x138/0x630 + [72747.570140] __x64_sys_ioctl+0x62/0xc0 + [72747.570143] do_syscall_64+0x33/0x40 + [72747.570146] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +So fix this by skipping the flush of delalloc for an inode that is +flagged with BTRFS_INODE_NO_DELALLOC_FLUSH, meaning it is currently under +such a special case of cloning an inline extent, when flushing delalloc +during qgroup metadata reservation. + +The special cases for cloning inline extents were added in kernel 5.7 by +by commit 05a5a7621ce66c ("Btrfs: implement full reflink support for +inline extents"), while having qgroup metadata space reservation flushing +delalloc when low on space was added in kernel 5.9 by commit +c53e9653605dbf ("btrfs: qgroup: try to flush qgroup space when we get +-EDQUOT"). So use a "Fixes:" tag for the later commit to ease stable +kernel backports. + +Reported-by: Wang Yugui +Link: https://lore.kernel.org/linux-btrfs/20210421083137.31E3.409509F4@e16-tech.com/ +Fixes: c53e9653605dbf ("btrfs: qgroup: try to flush qgroup space when we get -EDQUOT") +CC: stable@vger.kernel.org # 5.9+ +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +[ Shivani: Modified to apply on 5.10.y, Passed false to + btrfs_start_delalloc_flush() in fs/btrfs/transaction.c file to + maintain the default behaviour ] +Signed-off-by: Shivani Agarwal +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ctree.h | 2 +- + fs/btrfs/inode.c | 4 ++-- + fs/btrfs/ioctl.c | 2 +- + fs/btrfs/qgroup.c | 2 +- + fs/btrfs/send.c | 4 ++-- + fs/btrfs/transaction.c | 2 +- + 6 files changed, 8 insertions(+), 8 deletions(-) + +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -3013,7 +3013,7 @@ int btrfs_truncate_inode_items(struct bt + struct inode *inode, u64 new_size, + u32 min_type); + +-int btrfs_start_delalloc_snapshot(struct btrfs_root *root); ++int btrfs_start_delalloc_snapshot(struct btrfs_root *root, bool in_reclaim_context); + int btrfs_start_delalloc_roots(struct btrfs_fs_info *fs_info, u64 nr, + bool in_reclaim_context); + int btrfs_set_extent_delalloc(struct btrfs_inode *inode, u64 start, u64 end, +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -9566,7 +9566,7 @@ out: + return ret; + } + +-int btrfs_start_delalloc_snapshot(struct btrfs_root *root) ++int btrfs_start_delalloc_snapshot(struct btrfs_root *root, bool in_reclaim_context) + { + struct writeback_control wbc = { + .nr_to_write = LONG_MAX, +@@ -9579,7 +9579,7 @@ int btrfs_start_delalloc_snapshot(struct + if (test_bit(BTRFS_FS_STATE_ERROR, &fs_info->fs_state)) + return -EROFS; + +- return start_delalloc_inodes(root, &wbc, true, false); ++ return start_delalloc_inodes(root, &wbc, true, in_reclaim_context); + } + + int btrfs_start_delalloc_roots(struct btrfs_fs_info *fs_info, u64 nr, +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -1030,7 +1030,7 @@ static noinline int btrfs_mksnapshot(con + */ + btrfs_drew_read_lock(&root->snapshot_lock); + +- ret = btrfs_start_delalloc_snapshot(root); ++ ret = btrfs_start_delalloc_snapshot(root, false); + if (ret) + goto out; + +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -3704,7 +3704,7 @@ static int try_flush_qgroup(struct btrfs + return 0; + } + +- ret = btrfs_start_delalloc_snapshot(root); ++ ret = btrfs_start_delalloc_snapshot(root, true); + if (ret < 0) + goto out; + btrfs_wait_ordered_extents(root, U64_MAX, 0, (u64)-1); +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -7207,7 +7207,7 @@ static int flush_delalloc_roots(struct s + int i; + + if (root) { +- ret = btrfs_start_delalloc_snapshot(root); ++ ret = btrfs_start_delalloc_snapshot(root, false); + if (ret) + return ret; + btrfs_wait_ordered_extents(root, U64_MAX, 0, U64_MAX); +@@ -7215,7 +7215,7 @@ static int flush_delalloc_roots(struct s + + for (i = 0; i < sctx->clone_roots_cnt; i++) { + root = sctx->clone_roots[i].root; +- ret = btrfs_start_delalloc_snapshot(root); ++ ret = btrfs_start_delalloc_snapshot(root, false); + if (ret) + return ret; + btrfs_wait_ordered_extents(root, U64_MAX, 0, U64_MAX); +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -2045,7 +2045,7 @@ static inline int btrfs_start_delalloc_f + list_for_each_entry(pending, head, list) { + int ret; + +- ret = btrfs_start_delalloc_snapshot(pending->root); ++ ret = btrfs_start_delalloc_snapshot(pending->root, false); + if (ret) + return ret; + } diff --git a/queue-5.10/dma-buf-insert-memory-barrier-before-updating-num_fences.patch b/queue-5.10/dma-buf-insert-memory-barrier-before-updating-num_fences.patch new file mode 100644 index 0000000000..00821f0533 --- /dev/null +++ b/queue-5.10/dma-buf-insert-memory-barrier-before-updating-num_fences.patch @@ -0,0 +1,44 @@ +From prvs=308dc1d81=wanjay@amazon.com Fri Aug 8 20:05:43 2025 +From: Jay Wang +Date: Fri, 8 Aug 2025 18:05:37 +0000 +Subject: dma-buf: insert memory barrier before updating num_fences +To: +Cc: , , +Message-ID: <20250808180537.26649-1-wanjay@amazon.com> + +From: Hyejeong Choi + +commit 72c7d62583ebce7baeb61acce6057c361f73be4a upstream. + +smp_store_mb() inserts memory barrier after storing operation. +It is different with what the comment is originally aiming so Null +pointer dereference can be happened if memory update is reordered. + +Signed-off-by: Hyejeong Choi +Fixes: a590d0fdbaa5 ("dma-buf: Update reservation shared_count after adding the new fence") +CC: stable@vger.kernel.org +Reviewed-by: Christian König +Link: https://lore.kernel.org/r/20250513020638.GA2329653@au1-maretx-p37.eng.sarc.samsung.com +Signed-off-by: Christian König +Signed-off-by: Greg Kroah-Hartman +[Conflict resolved by applying changes from dma_resv_add_fence() in the original fix to dma_resv_add_shared_fence() in current code base] +Signed-off-by: Jay Wang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma-buf/dma-resv.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/dma-buf/dma-resv.c ++++ b/drivers/dma-buf/dma-resv.c +@@ -290,8 +290,9 @@ void dma_resv_add_shared_fence(struct dm + + replace: + RCU_INIT_POINTER(fobj->shared[i], fence); +- /* pointer update must be visible before we extend the shared_count */ +- smp_store_mb(fobj->shared_count, count); ++ /* fence update must be visible before we extend the shared_count */ ++ smp_wmb(); ++ fobj->shared_count = count; + + write_seqcount_end(&obj->seq); + dma_fence_put(old); diff --git a/queue-5.10/dpaa2-eth-fix-device-reference-count-leak-in-mac-endpoint-handling.patch b/queue-5.10/dpaa2-eth-fix-device-reference-count-leak-in-mac-endpoint-handling.patch new file mode 100644 index 0000000000..fc95a8145e --- /dev/null +++ b/queue-5.10/dpaa2-eth-fix-device-reference-count-leak-in-mac-endpoint-handling.patch @@ -0,0 +1,72 @@ +From stable+bounces-165029-greg=kroah.com@vger.kernel.org Tue Jul 29 06:29:10 2025 +From: Sasha Levin +Date: Tue, 29 Jul 2025 00:28:53 -0400 +Subject: dpaa2-eth: Fix device reference count leak in MAC endpoint handling +To: stable@vger.kernel.org +Cc: Ma Ke , Ioana Ciornei , Simon Horman , Jakub Kicinski , Sasha Levin +Message-ID: <20250729042853.2357022-4-sashal@kernel.org> + +From: Ma Ke + +[ Upstream commit ee9f3a81ab08dfe0538dbd1746f81fd4d5147fdc ] + +The fsl_mc_get_endpoint() function uses device_find_child() for +localization, which implicitly calls get_device() to increment the +device's reference count before returning the pointer. However, the +caller dpaa2_eth_connect_mac() fails to properly release this +reference in multiple scenarios. We should call put_device() to +decrement reference count properly. + +As comment of device_find_child() says, 'NOTE: you will need to drop +the reference with put_device() after use'. + +Found by code review. + +Cc: stable@vger.kernel.org +Fixes: 719479230893 ("dpaa2-eth: add MAC/PHY support through phylink") +Signed-off-by: Ma Ke +Tested-by: Ioana Ciornei +Reviewed-by: Ioana Ciornei +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250717022309.3339976-2-make24@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c +@@ -4138,12 +4138,19 @@ static int dpaa2_eth_connect_mac(struct + if (PTR_ERR(dpmac_dev) == -EPROBE_DEFER) + return PTR_ERR(dpmac_dev); + +- if (IS_ERR(dpmac_dev) || dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type) ++ if (IS_ERR(dpmac_dev)) + return 0; + ++ if (dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type) { ++ err = 0; ++ goto out_put_device; ++ } ++ + mac = kzalloc(sizeof(struct dpaa2_mac), GFP_KERNEL); +- if (!mac) +- return -ENOMEM; ++ if (!mac) { ++ err = -ENOMEM; ++ goto out_put_device; ++ } + + mac->mc_dev = dpmac_dev; + mac->mc_io = priv->mc_io; +@@ -4169,6 +4176,8 @@ err_close_mac: + priv->mac = NULL; + err_free_mac: + kfree(mac); ++out_put_device: ++ put_device(&dpmac_dev->dev); + return err; + } + diff --git a/queue-5.10/dpaa2-eth-retry-the-probe-when-the-mac-is-not-yet-discovered-on-the-bus.patch b/queue-5.10/dpaa2-eth-retry-the-probe-when-the-mac-is-not-yet-discovered-on-the-bus.patch new file mode 100644 index 0000000000..d3baa4b527 --- /dev/null +++ b/queue-5.10/dpaa2-eth-retry-the-probe-when-the-mac-is-not-yet-discovered-on-the-bus.patch @@ -0,0 +1,42 @@ +From stable+bounces-165028-greg=kroah.com@vger.kernel.org Tue Jul 29 06:29:09 2025 +From: Sasha Levin +Date: Tue, 29 Jul 2025 00:28:52 -0400 +Subject: dpaa2-eth: retry the probe when the MAC is not yet discovered on the bus +To: stable@vger.kernel.org +Cc: Ioana Ciornei , Andrew Lunn , Jakub Kicinski , Sasha Levin +Message-ID: <20250729042853.2357022-3-sashal@kernel.org> + +From: Ioana Ciornei + +[ Upstream commit 47325da28ef137fa04a0e5d6d244e9635184bf5e ] + +The fsl_mc_get_endpoint() function now returns -EPROBE_DEFER when the +dpmac device was not yet discovered by the fsl-mc bus. When this +happens, pass the error code up so that we can retry the probe at a +later time. + +Signed-off-by: Ioana Ciornei +Reviewed-by: Andrew Lunn +Signed-off-by: Jakub Kicinski +Stable-dep-of: ee9f3a81ab08 ("dpaa2-eth: Fix device reference count leak in MAC endpoint handling") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c +@@ -4134,7 +4134,11 @@ static int dpaa2_eth_connect_mac(struct + + dpni_dev = to_fsl_mc_device(priv->net_dev->dev.parent); + dpmac_dev = fsl_mc_get_endpoint(dpni_dev); +- if (IS_ERR_OR_NULL(dpmac_dev) || dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type) ++ ++ if (PTR_ERR(dpmac_dev) == -EPROBE_DEFER) ++ return PTR_ERR(dpmac_dev); ++ ++ if (IS_ERR(dpmac_dev) || dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type) + return 0; + + mac = kzalloc(sizeof(struct dpaa2_mac), GFP_KERNEL); diff --git a/queue-5.10/dpaa2-mac-export-mac-counters-even-when-in-type_fixed.patch b/queue-5.10/dpaa2-mac-export-mac-counters-even-when-in-type_fixed.patch new file mode 100644 index 0000000000..0d9ca0436c --- /dev/null +++ b/queue-5.10/dpaa2-mac-export-mac-counters-even-when-in-type_fixed.patch @@ -0,0 +1,277 @@ +From stable+bounces-165027-greg=kroah.com@vger.kernel.org Tue Jul 29 06:29:05 2025 +From: Sasha Levin +Date: Tue, 29 Jul 2025 00:28:51 -0400 +Subject: dpaa2-mac: export MAC counters even when in TYPE_FIXED +To: stable@vger.kernel.org +Cc: Ioana Ciornei , Jakub Kicinski , Sasha Levin +Message-ID: <20250729042853.2357022-2-sashal@kernel.org> + +From: Ioana Ciornei + +[ Upstream commit d87e606373f641c58d5e8e4c48b3216fd9d1c78a ] + +If the network interface object is connected to a MAC of TYPE_FIXED, the +link status management is handled exclusively by the firmware. This does +not mean that the driver cannot access the MAC counters and export them +in ethtool. + +For this to happen, we open the attached dpmac device and keep a pointer +to it in priv->mac. Because of this, all the checks in the driver of the +following form 'if (priv->mac)' have to be updated to actually check +the dpmac attribute and not rely on the presence of a non-NULL value. + +Signed-off-by: Ioana Ciornei +Signed-off-by: Jakub Kicinski +Stable-dep-of: ee9f3a81ab08 ("dpaa2-eth: Fix device reference count leak in MAC endpoint handling") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 37 +++++++++---------- + drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h | 13 ++++++ + drivers/net/ethernet/freescale/dpaa2/dpaa2-ethtool.c | 16 ++++---- + drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c | 26 ------------- + 4 files changed, 39 insertions(+), 53 deletions(-) + +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c +@@ -1765,7 +1765,7 @@ static int dpaa2_eth_link_state_update(s + /* When we manage the MAC/PHY using phylink there is no need + * to manually update the netif_carrier. + */ +- if (priv->mac) ++ if (dpaa2_eth_is_type_phy(priv)) + goto out; + + /* Chech link state; speed / duplex changes are not treated yet */ +@@ -1804,7 +1804,7 @@ static int dpaa2_eth_open(struct net_dev + priv->dpbp_dev->obj_desc.id, priv->bpid); + } + +- if (!priv->mac) { ++ if (!dpaa2_eth_is_type_phy(priv)) { + /* We'll only start the txqs when the link is actually ready; + * make sure we don't race against the link up notification, + * which may come immediately after dpni_enable(); +@@ -1826,7 +1826,7 @@ static int dpaa2_eth_open(struct net_dev + goto enable_err; + } + +- if (priv->mac) ++ if (dpaa2_eth_is_type_phy(priv)) + phylink_start(priv->mac->phylink); + + return 0; +@@ -1900,11 +1900,11 @@ static int dpaa2_eth_stop(struct net_dev + int dpni_enabled = 0; + int retries = 10; + +- if (!priv->mac) { ++ if (dpaa2_eth_is_type_phy(priv)) { ++ phylink_stop(priv->mac->phylink); ++ } else { + netif_tx_stop_all_queues(net_dev); + netif_carrier_off(net_dev); +- } else { +- phylink_stop(priv->mac->phylink); + } + + /* On dpni_disable(), the MC firmware will: +@@ -2192,7 +2192,7 @@ static int dpaa2_eth_ioctl(struct net_de + if (cmd == SIOCSHWTSTAMP) + return dpaa2_eth_ts_ioctl(dev, rq, cmd); + +- if (priv->mac) ++ if (dpaa2_eth_is_type_phy(priv)) + return phylink_mii_ioctl(priv->mac->phylink, rq, cmd); + + return -EOPNOTSUPP; +@@ -4137,9 +4137,6 @@ static int dpaa2_eth_connect_mac(struct + if (IS_ERR_OR_NULL(dpmac_dev) || dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type) + return 0; + +- if (dpaa2_mac_is_type_fixed(dpmac_dev, priv->mc_io)) +- return 0; +- + mac = kzalloc(sizeof(struct dpaa2_mac), GFP_KERNEL); + if (!mac) + return -ENOMEM; +@@ -4151,18 +4148,21 @@ static int dpaa2_eth_connect_mac(struct + err = dpaa2_mac_open(mac); + if (err) + goto err_free_mac; ++ priv->mac = mac; + +- err = dpaa2_mac_connect(mac); +- if (err) { +- netdev_err(priv->net_dev, "Error connecting to the MAC endpoint\n"); +- goto err_close_mac; ++ if (dpaa2_eth_is_type_phy(priv)) { ++ err = dpaa2_mac_connect(mac); ++ if (err) { ++ netdev_err(priv->net_dev, "Error connecting to the MAC endpoint\n"); ++ goto err_close_mac; ++ } + } +- priv->mac = mac; + + return 0; + + err_close_mac: + dpaa2_mac_close(mac); ++ priv->mac = NULL; + err_free_mac: + kfree(mac); + return err; +@@ -4170,10 +4170,9 @@ err_free_mac: + + static void dpaa2_eth_disconnect_mac(struct dpaa2_eth_priv *priv) + { +- if (!priv->mac) +- return; ++ if (dpaa2_eth_is_type_phy(priv)) ++ dpaa2_mac_disconnect(priv->mac); + +- dpaa2_mac_disconnect(priv->mac); + dpaa2_mac_close(priv->mac); + kfree(priv->mac); + priv->mac = NULL; +@@ -4203,7 +4202,7 @@ static irqreturn_t dpni_irq0_handler_thr + dpaa2_eth_update_tx_fqids(priv); + + rtnl_lock(); +- if (priv->mac) ++ if (dpaa2_eth_has_mac(priv)) + dpaa2_eth_disconnect_mac(priv); + else + dpaa2_eth_connect_mac(priv); +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h +@@ -705,6 +705,19 @@ static inline unsigned int dpaa2_eth_rx_ + return priv->tx_data_offset - DPAA2_ETH_RX_HWA_SIZE; + } + ++static inline bool dpaa2_eth_is_type_phy(struct dpaa2_eth_priv *priv) ++{ ++ if (priv->mac && priv->mac->attr.link_type == DPMAC_LINK_TYPE_PHY) ++ return true; ++ ++ return false; ++} ++ ++static inline bool dpaa2_eth_has_mac(struct dpaa2_eth_priv *priv) ++{ ++ return priv->mac ? true : false; ++} ++ + int dpaa2_eth_set_hash(struct net_device *net_dev, u64 flags); + int dpaa2_eth_set_cls(struct net_device *net_dev, u64 key); + int dpaa2_eth_cls_key_size(u64 key); +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-ethtool.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-ethtool.c +@@ -85,7 +85,7 @@ static int dpaa2_eth_nway_reset(struct n + { + struct dpaa2_eth_priv *priv = netdev_priv(net_dev); + +- if (priv->mac) ++ if (dpaa2_eth_is_type_phy(priv)) + return phylink_ethtool_nway_reset(priv->mac->phylink); + + return -EOPNOTSUPP; +@@ -97,7 +97,7 @@ dpaa2_eth_get_link_ksettings(struct net_ + { + struct dpaa2_eth_priv *priv = netdev_priv(net_dev); + +- if (priv->mac) ++ if (dpaa2_eth_is_type_phy(priv)) + return phylink_ethtool_ksettings_get(priv->mac->phylink, + link_settings); + +@@ -115,7 +115,7 @@ dpaa2_eth_set_link_ksettings(struct net_ + { + struct dpaa2_eth_priv *priv = netdev_priv(net_dev); + +- if (!priv->mac) ++ if (!dpaa2_eth_is_type_phy(priv)) + return -ENOTSUPP; + + return phylink_ethtool_ksettings_set(priv->mac->phylink, link_settings); +@@ -127,7 +127,7 @@ static void dpaa2_eth_get_pauseparam(str + struct dpaa2_eth_priv *priv = netdev_priv(net_dev); + u64 link_options = priv->link_state.options; + +- if (priv->mac) { ++ if (dpaa2_eth_is_type_phy(priv)) { + phylink_ethtool_get_pauseparam(priv->mac->phylink, pause); + return; + } +@@ -150,7 +150,7 @@ static int dpaa2_eth_set_pauseparam(stru + return -EOPNOTSUPP; + } + +- if (priv->mac) ++ if (dpaa2_eth_is_type_phy(priv)) + return phylink_ethtool_set_pauseparam(priv->mac->phylink, + pause); + if (pause->autoneg) +@@ -198,7 +198,7 @@ static void dpaa2_eth_get_strings(struct + strlcpy(p, dpaa2_ethtool_extras[i], ETH_GSTRING_LEN); + p += ETH_GSTRING_LEN; + } +- if (priv->mac) ++ if (dpaa2_eth_has_mac(priv)) + dpaa2_mac_get_strings(p); + break; + } +@@ -211,7 +211,7 @@ static int dpaa2_eth_get_sset_count(stru + + switch (sset) { + case ETH_SS_STATS: /* ethtool_get_stats(), ethtool_get_drvinfo() */ +- if (priv->mac) ++ if (dpaa2_eth_has_mac(priv)) + num_ss_stats += dpaa2_mac_get_sset_count(); + return num_ss_stats; + default: +@@ -311,7 +311,7 @@ static void dpaa2_eth_get_ethtool_stats( + } + *(data + i++) = buf_cnt; + +- if (priv->mac) ++ if (dpaa2_eth_has_mac(priv)) + dpaa2_mac_get_ethtool_stats(priv->mac, data + i); + } + +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c +@@ -228,32 +228,6 @@ static const struct phylink_mac_ops dpaa + .mac_link_down = dpaa2_mac_link_down, + }; + +-bool dpaa2_mac_is_type_fixed(struct fsl_mc_device *dpmac_dev, +- struct fsl_mc_io *mc_io) +-{ +- struct dpmac_attr attr; +- bool fixed = false; +- u16 mc_handle = 0; +- int err; +- +- err = dpmac_open(mc_io, 0, dpmac_dev->obj_desc.id, +- &mc_handle); +- if (err || !mc_handle) +- return false; +- +- err = dpmac_get_attributes(mc_io, 0, mc_handle, &attr); +- if (err) +- goto out; +- +- if (attr.link_type == DPMAC_LINK_TYPE_FIXED) +- fixed = true; +- +-out: +- dpmac_close(mc_io, 0, mc_handle); +- +- return fixed; +-} +- + static int dpaa2_pcs_create(struct dpaa2_mac *mac, + struct device_node *dpmac_node, int id) + { diff --git a/queue-5.10/dpaa2-mac-split-up-initializing-the-mac-object-from-connecting-to-it.patch b/queue-5.10/dpaa2-mac-split-up-initializing-the-mac-object-from-connecting-to-it.patch new file mode 100644 index 0000000000..f2903f6dde --- /dev/null +++ b/queue-5.10/dpaa2-mac-split-up-initializing-the-mac-object-from-connecting-to-it.patch @@ -0,0 +1,196 @@ +From stable+bounces-165026-greg=kroah.com@vger.kernel.org Tue Jul 29 06:29:04 2025 +From: Sasha Levin +Date: Tue, 29 Jul 2025 00:28:50 -0400 +Subject: dpaa2-mac: split up initializing the MAC object from connecting to it +To: stable@vger.kernel.org +Cc: Ioana Ciornei , Jakub Kicinski , Sasha Levin +Message-ID: <20250729042853.2357022-1-sashal@kernel.org> + +From: Ioana Ciornei + +[ Upstream commit 095dca16d92f32150314ef47ea150ed83c5aacd9 ] + +Split up the initialization phase of the dpmac object from actually +configuring the phylink instance, connecting to it and configuring the +MAC. This is done so that even though the dpni object is connected to a +dpmac which has link management handled by the firmware we are still +able to export the MAC counters. + +Signed-off-by: Ioana Ciornei +Signed-off-by: Jakub Kicinski +Stable-dep-of: ee9f3a81ab08 ("dpaa2-eth: Fix device reference count leak in MAC endpoint handling") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 14 ++++ + drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c | 69 ++++++++++++++--------- + drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.h | 5 + + 3 files changed, 59 insertions(+), 29 deletions(-) + +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c +@@ -4148,15 +4148,24 @@ static int dpaa2_eth_connect_mac(struct + mac->mc_io = priv->mc_io; + mac->net_dev = priv->net_dev; + ++ err = dpaa2_mac_open(mac); ++ if (err) ++ goto err_free_mac; ++ + err = dpaa2_mac_connect(mac); + if (err) { + netdev_err(priv->net_dev, "Error connecting to the MAC endpoint\n"); +- kfree(mac); +- return err; ++ goto err_close_mac; + } + priv->mac = mac; + + return 0; ++ ++err_close_mac: ++ dpaa2_mac_close(mac); ++err_free_mac: ++ kfree(mac); ++ return err; + } + + static void dpaa2_eth_disconnect_mac(struct dpaa2_eth_priv *priv) +@@ -4165,6 +4174,7 @@ static void dpaa2_eth_disconnect_mac(str + return; + + dpaa2_mac_disconnect(priv->mac); ++ dpaa2_mac_close(priv->mac); + kfree(priv->mac); + priv->mac = NULL; + } +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c +@@ -302,36 +302,20 @@ static void dpaa2_pcs_destroy(struct dpa + + int dpaa2_mac_connect(struct dpaa2_mac *mac) + { +- struct fsl_mc_device *dpmac_dev = mac->mc_dev; + struct net_device *net_dev = mac->net_dev; + struct device_node *dpmac_node; + struct phylink *phylink; +- struct dpmac_attr attr; + int err; + +- err = dpmac_open(mac->mc_io, 0, dpmac_dev->obj_desc.id, +- &dpmac_dev->mc_handle); +- if (err || !dpmac_dev->mc_handle) { +- netdev_err(net_dev, "dpmac_open() = %d\n", err); +- return -ENODEV; +- } +- +- err = dpmac_get_attributes(mac->mc_io, 0, dpmac_dev->mc_handle, &attr); +- if (err) { +- netdev_err(net_dev, "dpmac_get_attributes() = %d\n", err); +- goto err_close_dpmac; +- } +- +- mac->if_link_type = attr.link_type; ++ mac->if_link_type = mac->attr.link_type; + +- dpmac_node = dpaa2_mac_get_node(attr.id); ++ dpmac_node = dpaa2_mac_get_node(mac->attr.id); + if (!dpmac_node) { +- netdev_err(net_dev, "No dpmac@%d node found.\n", attr.id); +- err = -ENODEV; +- goto err_close_dpmac; ++ netdev_err(net_dev, "No dpmac@%d node found.\n", mac->attr.id); ++ return -ENODEV; + } + +- err = dpaa2_mac_get_if_mode(dpmac_node, attr); ++ err = dpaa2_mac_get_if_mode(dpmac_node, mac->attr); + if (err < 0) { + err = -EINVAL; + goto err_put_node; +@@ -351,9 +335,9 @@ int dpaa2_mac_connect(struct dpaa2_mac * + goto err_put_node; + } + +- if (attr.link_type == DPMAC_LINK_TYPE_PHY && +- attr.eth_if != DPMAC_ETH_IF_RGMII) { +- err = dpaa2_pcs_create(mac, dpmac_node, attr.id); ++ if (mac->attr.link_type == DPMAC_LINK_TYPE_PHY && ++ mac->attr.eth_if != DPMAC_ETH_IF_RGMII) { ++ err = dpaa2_pcs_create(mac, dpmac_node, mac->attr.id); + if (err) + goto err_put_node; + } +@@ -389,8 +373,7 @@ err_pcs_destroy: + dpaa2_pcs_destroy(mac); + err_put_node: + of_node_put(dpmac_node); +-err_close_dpmac: +- dpmac_close(mac->mc_io, 0, dpmac_dev->mc_handle); ++ + return err; + } + +@@ -402,8 +385,40 @@ void dpaa2_mac_disconnect(struct dpaa2_m + phylink_disconnect_phy(mac->phylink); + phylink_destroy(mac->phylink); + dpaa2_pcs_destroy(mac); ++} ++ ++int dpaa2_mac_open(struct dpaa2_mac *mac) ++{ ++ struct fsl_mc_device *dpmac_dev = mac->mc_dev; ++ struct net_device *net_dev = mac->net_dev; ++ int err; + +- dpmac_close(mac->mc_io, 0, mac->mc_dev->mc_handle); ++ err = dpmac_open(mac->mc_io, 0, dpmac_dev->obj_desc.id, ++ &dpmac_dev->mc_handle); ++ if (err || !dpmac_dev->mc_handle) { ++ netdev_err(net_dev, "dpmac_open() = %d\n", err); ++ return -ENODEV; ++ } ++ ++ err = dpmac_get_attributes(mac->mc_io, 0, dpmac_dev->mc_handle, ++ &mac->attr); ++ if (err) { ++ netdev_err(net_dev, "dpmac_get_attributes() = %d\n", err); ++ goto err_close_dpmac; ++ } ++ ++ return 0; ++ ++err_close_dpmac: ++ dpmac_close(mac->mc_io, 0, dpmac_dev->mc_handle); ++ return err; ++} ++ ++void dpaa2_mac_close(struct dpaa2_mac *mac) ++{ ++ struct fsl_mc_device *dpmac_dev = mac->mc_dev; ++ ++ dpmac_close(mac->mc_io, 0, dpmac_dev->mc_handle); + } + + static char dpaa2_mac_ethtool_stats[][ETH_GSTRING_LEN] = { +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.h ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.h +@@ -17,6 +17,7 @@ struct dpaa2_mac { + struct dpmac_link_state state; + struct net_device *net_dev; + struct fsl_mc_io *mc_io; ++ struct dpmac_attr attr; + + struct phylink_config phylink_config; + struct phylink *phylink; +@@ -28,6 +29,10 @@ struct dpaa2_mac { + bool dpaa2_mac_is_type_fixed(struct fsl_mc_device *dpmac_dev, + struct fsl_mc_io *mc_io); + ++int dpaa2_mac_open(struct dpaa2_mac *mac); ++ ++void dpaa2_mac_close(struct dpaa2_mac *mac); ++ + int dpaa2_mac_connect(struct dpaa2_mac *mac); + + void dpaa2_mac_disconnect(struct dpaa2_mac *mac); diff --git a/queue-5.10/mm-drop-the-assumption-that-vm_shared-always-implies-writable.patch b/queue-5.10/mm-drop-the-assumption-that-vm_shared-always-implies-writable.patch new file mode 100644 index 0000000000..d4ec70f434 --- /dev/null +++ b/queue-5.10/mm-drop-the-assumption-that-vm_shared-always-implies-writable.patch @@ -0,0 +1,195 @@ +From 3RnuJaA4KBq0VfNNPZNaWNeeRfTbbTYR.PbZTeRTXUYVahkSbhaQNgVba.beT@flex--isaacmanjarres.bounces.google.com Wed Jul 30 03:54:15 2025 +From: "Isaac J. Manjarres" +Date: Tue, 29 Jul 2025 18:53:59 -0700 +Subject: mm: drop the assumption that VM_SHARED always implies writable +To: lorenzo.stoakes@oracle.com, gregkh@linuxfoundation.org, Alexander Viro , Christian Brauner , Jan Kara , Andrew Morton , David Hildenbrand , "Liam R. Howlett" , Vlastimil Babka , Mike Rapoport , Suren Baghdasaryan , Michal Hocko , Kees Cook , Ingo Molnar , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Valentin Schneider , "Matthew Wilcox (Oracle)" , Jann Horn , Pedro Falcato +Cc: aliceryhl@google.com, stable@vger.kernel.org, "Isaac J. Manjarres" , kernel-team@android.com, Lorenzo Stoakes , Andy Lutomirski , Hugh Dickins , Mike Kravetz , Muchun Song , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org +Message-ID: <20250730015406.32569-2-isaacmanjarres@google.com> + +From: Lorenzo Stoakes + +[ Upstream commit e8e17ee90eaf650c855adb0a3e5e965fd6692ff1 ] + +Patch series "permit write-sealed memfd read-only shared mappings", v4. + +The man page for fcntl() describing memfd file seals states the following +about F_SEAL_WRITE:- + + Furthermore, trying to create new shared, writable memory-mappings via + mmap(2) will also fail with EPERM. + +With emphasis on 'writable'. In turns out in fact that currently the +kernel simply disallows all new shared memory mappings for a memfd with +F_SEAL_WRITE applied, rendering this documentation inaccurate. + +This matters because users are therefore unable to obtain a shared mapping +to a memfd after write sealing altogether, which limits their usefulness. +This was reported in the discussion thread [1] originating from a bug +report [2]. + +This is a product of both using the struct address_space->i_mmap_writable +atomic counter to determine whether writing may be permitted, and the +kernel adjusting this counter when any VM_SHARED mapping is performed and +more generally implicitly assuming VM_SHARED implies writable. + +It seems sensible that we should only update this mapping if VM_MAYWRITE +is specified, i.e. whether it is possible that this mapping could at any +point be written to. + +If we do so then all we need to do to permit write seals to function as +documented is to clear VM_MAYWRITE when mapping read-only. It turns out +this functionality already exists for F_SEAL_FUTURE_WRITE - we can +therefore simply adapt this logic to do the same for F_SEAL_WRITE. + +We then hit a chicken and egg situation in mmap_region() where the check +for VM_MAYWRITE occurs before we are able to clear this flag. To work +around this, perform this check after we invoke call_mmap(), with careful +consideration of error paths. + +Thanks to Andy Lutomirski for the suggestion! + +[1]:https://lore.kernel.org/all/20230324133646.16101dfa666f253c4715d965@linux-foundation.org/ +[2]:https://bugzilla.kernel.org/show_bug.cgi?id=217238 + +This patch (of 3): + +There is a general assumption that VMAs with the VM_SHARED flag set are +writable. If the VM_MAYWRITE flag is not set, then this is simply not the +case. + +Update those checks which affect the struct address_space->i_mmap_writable +field to explicitly test for this by introducing +[vma_]is_shared_maywrite() helper functions. + +This remains entirely conservative, as the lack of VM_MAYWRITE guarantees +that the VMA cannot be written to. + +Link: https://lkml.kernel.org/r/cover.1697116581.git.lstoakes@gmail.com +Link: https://lkml.kernel.org/r/d978aefefa83ec42d18dfa964ad180dbcde34795.1697116581.git.lstoakes@gmail.com +Signed-off-by: Lorenzo Stoakes +Suggested-by: Andy Lutomirski +Reviewed-by: Jan Kara +Cc: Alexander Viro +Cc: Christian Brauner +Cc: Hugh Dickins +Cc: Matthew Wilcox (Oracle) +Cc: Mike Kravetz +Cc: Muchun Song +Signed-off-by: Andrew Morton +Cc: stable@vger.kernel.org +[isaacmanjarres: resolved merge conflicts due to +due to refactoring that happened in upstream commit +5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour")] +Signed-off-by: Isaac J. Manjarres +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/fs.h | 4 ++-- + include/linux/mm.h | 11 +++++++++++ + kernel/fork.c | 2 +- + mm/filemap.c | 2 +- + mm/madvise.c | 2 +- + mm/mmap.c | 6 +++--- + 6 files changed, 19 insertions(+), 8 deletions(-) + +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -436,7 +436,7 @@ int pagecache_write_end(struct file *, s + * @host: Owner, either the inode or the block_device. + * @i_pages: Cached pages. + * @gfp_mask: Memory allocation flags to use for allocating pages. +- * @i_mmap_writable: Number of VM_SHARED mappings. ++ * @i_mmap_writable: Number of VM_SHARED, VM_MAYWRITE mappings. + * @nr_thps: Number of THPs in the pagecache (non-shmem only). + * @i_mmap: Tree of private and shared mappings. + * @i_mmap_rwsem: Protects @i_mmap and @i_mmap_writable. +@@ -535,7 +535,7 @@ static inline int mapping_mapped(struct + + /* + * Might pages of this file have been modified in userspace? +- * Note that i_mmap_writable counts all VM_SHARED vmas: do_mmap ++ * Note that i_mmap_writable counts all VM_SHARED, VM_MAYWRITE vmas: do_mmap + * marks vma as VM_SHARED if it is shared, and the file was opened for + * writing i.e. vma may be mprotected writable even if now readonly. + * +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -666,6 +666,17 @@ static inline bool vma_is_accessible(str + return vma->vm_flags & VM_ACCESS_FLAGS; + } + ++static inline bool is_shared_maywrite(vm_flags_t vm_flags) ++{ ++ return (vm_flags & (VM_SHARED | VM_MAYWRITE)) == ++ (VM_SHARED | VM_MAYWRITE); ++} ++ ++static inline bool vma_is_shared_maywrite(struct vm_area_struct *vma) ++{ ++ return is_shared_maywrite(vma->vm_flags); ++} ++ + #ifdef CONFIG_SHMEM + /* + * The vma_is_shmem is not inline because it is used only by slow +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -561,7 +561,7 @@ static __latent_entropy int dup_mmap(str + if (tmp->vm_flags & VM_DENYWRITE) + put_write_access(inode); + i_mmap_lock_write(mapping); +- if (tmp->vm_flags & VM_SHARED) ++ if (vma_is_shared_maywrite(tmp)) + mapping_allow_writable(mapping); + flush_dcache_mmap_lock(mapping); + /* insert tmp into the share list, just after mpnt */ +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -2959,7 +2959,7 @@ int generic_file_mmap(struct file * file + */ + int generic_file_readonly_mmap(struct file *file, struct vm_area_struct *vma) + { +- if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_MAYWRITE)) ++ if (vma_is_shared_maywrite(vma)) + return -EINVAL; + return generic_file_mmap(file, vma); + } +--- a/mm/madvise.c ++++ b/mm/madvise.c +@@ -848,7 +848,7 @@ static long madvise_remove(struct vm_are + return -EINVAL; + } + +- if ((vma->vm_flags & (VM_SHARED|VM_WRITE)) != (VM_SHARED|VM_WRITE)) ++ if (!vma_is_shared_maywrite(vma)) + return -EACCES; + + offset = (loff_t)(start - vma->vm_start) +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -144,7 +144,7 @@ static void __remove_shared_vm_struct(st + { + if (vma->vm_flags & VM_DENYWRITE) + allow_write_access(file); +- if (vma->vm_flags & VM_SHARED) ++ if (vma_is_shared_maywrite(vma)) + mapping_unmap_writable(mapping); + + flush_dcache_mmap_lock(mapping); +@@ -663,7 +663,7 @@ static void __vma_link_file(struct vm_ar + + if (vma->vm_flags & VM_DENYWRITE) + put_write_access(file_inode(file)); +- if (vma->vm_flags & VM_SHARED) ++ if (vma_is_shared_maywrite(vma)) + mapping_allow_writable(mapping); + + flush_dcache_mmap_lock(mapping); +@@ -2942,7 +2942,7 @@ unsigned long mmap_region(struct file *f + return -EINVAL; + + /* Map writable and ensure this isn't a sealed memfd. */ +- if (file && (vm_flags & VM_SHARED)) { ++ if (file && is_shared_maywrite(vm_flags)) { + int error = mapping_map_writable(file->f_mapping); + + if (error) diff --git a/queue-5.10/mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only.patch b/queue-5.10/mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only.patch new file mode 100644 index 0000000000..da645a36dc --- /dev/null +++ b/queue-5.10/mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only.patch @@ -0,0 +1,234 @@ +From 3TXuJaA4KBrQcmUUWgUhdUllYmaiiafY.WigalYaebfchorZiohXUncih.ila@flex--isaacmanjarres.bounces.google.com Wed Jul 30 03:54:21 2025 +From: "Isaac J. Manjarres" +Date: Tue, 29 Jul 2025 18:54:01 -0700 +Subject: mm: reinstate ability to map write-sealed memfd mappings read-only +To: lorenzo.stoakes@oracle.com, gregkh@linuxfoundation.org, Hugh Dickins , Baolin Wang , Andrew Morton , David Hildenbrand , "Liam R. Howlett" , Vlastimil Babka , Mike Rapoport , Suren Baghdasaryan , Michal Hocko , Jann Horn , Pedro Falcato +Cc: aliceryhl@google.com, stable@vger.kernel.org, "Isaac J. Manjarres" , kernel-team@android.com, Julian Orth , "Liam R. Howlett" , Linus Torvalds , Shuah Khan , linux-mm@kvack.org, linux-kernel@vger.kernel.org +Message-ID: <20250730015406.32569-4-isaacmanjarres@google.com> + +From: Lorenzo Stoakes + +[ Upstream commit 8ec396d05d1b737c87311fb7311f753b02c2a6b1 ] + +Patch series "mm: reinstate ability to map write-sealed memfd mappings +read-only". + +In commit 158978945f31 ("mm: perform the mapping_map_writable() check +after call_mmap()") (and preceding changes in the same series) it became +possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only. + +Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path +behaviour") unintentionally undid this logic by moving the +mapping_map_writable() check before the shmem_mmap() hook is invoked, +thereby regressing this change. + +This series reworks how we both permit write-sealed mappings being mapped +read-only and disallow mprotect() from undoing the write-seal, fixing this +regression. + +We also add a regression test to ensure that we do not accidentally +regress this in future. + +Thanks to Julian Orth for reporting this regression. + +This patch (of 2): + +In commit 158978945f31 ("mm: perform the mapping_map_writable() check +after call_mmap()") (and preceding changes in the same series) it became +possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only. + +This was previously unnecessarily disallowed, despite the man page +documentation indicating that it would be, thereby limiting the usefulness +of F_SEAL_WRITE logic. + +We fixed this by adapting logic that existed for the F_SEAL_FUTURE_WRITE +seal (one which disallows future writes to the memfd) to also be used for +F_SEAL_WRITE. + +For background - the F_SEAL_FUTURE_WRITE seal clears VM_MAYWRITE for a +read-only mapping to disallow mprotect() from overriding the seal - an +operation performed by seal_check_write(), invoked from shmem_mmap(), the +f_op->mmap() hook used by shmem mappings. + +By extending this to F_SEAL_WRITE and critically - checking +mapping_map_writable() to determine if we may map the memfd AFTER we +invoke shmem_mmap() - the desired logic becomes possible. This is because +mapping_map_writable() explicitly checks for VM_MAYWRITE, which we will +have cleared. + +Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path +behaviour") unintentionally undid this logic by moving the +mapping_map_writable() check before the shmem_mmap() hook is invoked, +thereby regressing this change. + +We reinstate this functionality by moving the check out of shmem_mmap() +and instead performing it in do_mmap() at the point at which VMA flags are +being determined, which seems in any case to be a more appropriate place +in which to make this determination. + +In order to achieve this we rework memfd seal logic to allow us access to +this information using existing logic and eliminate the clearing of +VM_MAYWRITE from seal_check_write() which we are performing in do_mmap() +instead. + +Link: https://lkml.kernel.org/r/99fc35d2c62bd2e05571cf60d9f8b843c56069e0.1732804776.git.lorenzo.stoakes@oracle.com +Fixes: 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour") +Signed-off-by: Lorenzo Stoakes +Reported-by: Julian Orth +Closes: https://lore.kernel.org/all/CAHijbEUMhvJTN9Xw1GmbM266FXXv=U7s4L_Jem5x3AaPZxrYpQ@mail.gmail.com/ +Cc: Jann Horn +Cc: Liam R. Howlett +Cc: Linus Torvalds +Cc: Shuah Khan +Cc: Vlastimil Babka +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Isaac J. Manjarres +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/memfd.h | 14 ++++++++++++ + include/linux/mm.h | 58 ++++++++++++++++++++++++++++++++++---------------- + mm/memfd.c | 2 - + mm/mmap.c | 4 +++ + 4 files changed, 59 insertions(+), 19 deletions(-) + +--- a/include/linux/memfd.h ++++ b/include/linux/memfd.h +@@ -6,11 +6,25 @@ + + #ifdef CONFIG_MEMFD_CREATE + extern long memfd_fcntl(struct file *file, unsigned int cmd, unsigned long arg); ++unsigned int *memfd_file_seals_ptr(struct file *file); + #else + static inline long memfd_fcntl(struct file *f, unsigned int c, unsigned long a) + { + return -EINVAL; + } ++ ++static inline unsigned int *memfd_file_seals_ptr(struct file *file) ++{ ++ return NULL; ++} + #endif + ++/* Retrieve memfd seals associated with the file, if any. */ ++static inline unsigned int memfd_file_seals(struct file *file) ++{ ++ unsigned int *sealsp = memfd_file_seals_ptr(file); ++ ++ return sealsp ? *sealsp : 0; ++} ++ + #endif /* __LINUX_MEMFD_H */ +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -3200,6 +3200,37 @@ unsigned long wp_shared_mapping_range(st + + extern int sysctl_nr_trim_pages; + ++static inline bool is_write_sealed(int seals) ++{ ++ return seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE); ++} ++ ++/** ++ * is_readonly_sealed - Checks whether write-sealed but mapped read-only, ++ * in which case writes should be disallowing moving ++ * forwards. ++ * @seals: the seals to check ++ * @vm_flags: the VMA flags to check ++ * ++ * Returns whether readonly sealed, in which case writess should be disallowed ++ * going forward. ++ */ ++static inline bool is_readonly_sealed(int seals, vm_flags_t vm_flags) ++{ ++ /* ++ * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as ++ * MAP_SHARED and read-only, take care to not allow mprotect to ++ * revert protections on such mappings. Do this only for shared ++ * mappings. For private mappings, don't need to mask ++ * VM_MAYWRITE as we still want them to be COW-writable. ++ */ ++ if (is_write_sealed(seals) && ++ ((vm_flags & (VM_SHARED | VM_WRITE)) == VM_SHARED)) ++ return true; ++ ++ return false; ++} ++ + /** + * seal_check_write - Check for F_SEAL_WRITE or F_SEAL_FUTURE_WRITE flags and + * handle them. +@@ -3211,24 +3242,15 @@ extern int sysctl_nr_trim_pages; + */ + static inline int seal_check_write(int seals, struct vm_area_struct *vma) + { +- if (seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) { +- /* +- * New PROT_WRITE and MAP_SHARED mmaps are not allowed when +- * write seals are active. +- */ +- if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE)) +- return -EPERM; +- +- /* +- * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as +- * MAP_SHARED and read-only, take care to not allow mprotect to +- * revert protections on such mappings. Do this only for shared +- * mappings. For private mappings, don't need to mask +- * VM_MAYWRITE as we still want them to be COW-writable. +- */ +- if (vma->vm_flags & VM_SHARED) +- vma->vm_flags &= ~(VM_MAYWRITE); +- } ++ if (!is_write_sealed(seals)) ++ return 0; ++ ++ /* ++ * New PROT_WRITE and MAP_SHARED mmaps are not allowed when ++ * write seals are active. ++ */ ++ if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE)) ++ return -EPERM; + + return 0; + } +--- a/mm/memfd.c ++++ b/mm/memfd.c +@@ -133,7 +133,7 @@ static int memfd_wait_for_pins(struct ad + return error; + } + +-static unsigned int *memfd_file_seals_ptr(struct file *file) ++unsigned int *memfd_file_seals_ptr(struct file *file) + { + if (shmem_file(file)) + return &SHMEM_I(file_inode(file))->seals; +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -47,6 +47,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -1488,6 +1489,7 @@ unsigned long do_mmap(struct file *file, + + if (file) { + struct inode *inode = file_inode(file); ++ unsigned int seals = memfd_file_seals(file); + unsigned long flags_mask; + + if (!file_mmap_ok(file, inode, pgoff, len)) +@@ -1532,6 +1534,8 @@ unsigned long do_mmap(struct file *file, + vm_flags |= VM_SHARED | VM_MAYSHARE; + if (!(file->f_mode & FMODE_WRITE)) + vm_flags &= ~(VM_MAYWRITE | VM_SHARED); ++ else if (is_readonly_sealed(seals, vm_flags)) ++ vm_flags &= ~VM_MAYWRITE; + fallthrough; + case MAP_PRIVATE: + if (!(file->f_mode & FMODE_READ)) diff --git a/queue-5.10/mm-update-memfd-seal-write-check-to-include-f_seal_write.patch b/queue-5.10/mm-update-memfd-seal-write-check-to-include-f_seal_write.patch new file mode 100644 index 0000000000..a1bf441b64 --- /dev/null +++ b/queue-5.10/mm-update-memfd-seal-write-check-to-include-f_seal_write.patch @@ -0,0 +1,104 @@ +From 3SXuJaA4KBrAYiQQScQdZQhhUiWeeWbU.SecWhUWaXbYdknVekdTQjYed.ehW@flex--isaacmanjarres.bounces.google.com Wed Jul 30 03:54:18 2025 +From: "Isaac J. Manjarres" +Date: Tue, 29 Jul 2025 18:54:00 -0700 +Subject: mm: update memfd seal write check to include F_SEAL_WRITE +To: lorenzo.stoakes@oracle.com, gregkh@linuxfoundation.org, Muchun Song , Oscar Salvador , David Hildenbrand , Andrew Morton , "Liam R. Howlett" , Vlastimil Babka , Mike Rapoport , Suren Baghdasaryan , Michal Hocko , Hugh Dickins , Baolin Wang +Cc: aliceryhl@google.com, stable@vger.kernel.org, "Isaac J. Manjarres" , kernel-team@android.com, Lorenzo Stoakes , Jan Kara , Alexander Viro , Andy Lutomirski , Christian Brauner , "Matthew Wilcox (Oracle)" , Mike Kravetz , linux-mm@kvack.org, linux-kernel@vger.kernel.org +Message-ID: <20250730015406.32569-3-isaacmanjarres@google.com> + +From: Lorenzo Stoakes + +[ Upstream commit 28464bbb2ddc199433383994bcb9600c8034afa1 ] + +The seal_check_future_write() function is called by shmem_mmap() or +hugetlbfs_file_mmap() to disallow any future writable mappings of an memfd +sealed this way. + +The F_SEAL_WRITE flag is not checked here, as that is handled via the +mapping->i_mmap_writable mechanism and so any attempt at a mapping would +fail before this could be run. + +However we intend to change this, meaning this check can be performed for +F_SEAL_WRITE mappings also. + +The logic here is equally applicable to both flags, so update this +function to accommodate both and rename it accordingly. + +Link: https://lkml.kernel.org/r/913628168ce6cce77df7d13a63970bae06a526e0.1697116581.git.lstoakes@gmail.com +Signed-off-by: Lorenzo Stoakes +Reviewed-by: Jan Kara +Cc: Alexander Viro +Cc: Andy Lutomirski +Cc: Christian Brauner +Cc: Hugh Dickins +Cc: Matthew Wilcox (Oracle) +Cc: Mike Kravetz +Cc: Muchun Song +Signed-off-by: Andrew Morton +Cc: stable@vger.kernel.org +Signed-off-by: Isaac J. Manjarres +Signed-off-by: Greg Kroah-Hartman +--- + fs/hugetlbfs/inode.c | 2 +- + include/linux/mm.h | 15 ++++++++------- + mm/shmem.c | 2 +- + 3 files changed, 10 insertions(+), 9 deletions(-) + +--- a/fs/hugetlbfs/inode.c ++++ b/fs/hugetlbfs/inode.c +@@ -148,7 +148,7 @@ static int hugetlbfs_file_mmap(struct fi + vma->vm_flags |= VM_HUGETLB | VM_DONTEXPAND; + vma->vm_ops = &hugetlb_vm_ops; + +- ret = seal_check_future_write(info->seals, vma); ++ ret = seal_check_write(info->seals, vma); + if (ret) + return ret; + +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -3201,25 +3201,26 @@ unsigned long wp_shared_mapping_range(st + extern int sysctl_nr_trim_pages; + + /** +- * seal_check_future_write - Check for F_SEAL_FUTURE_WRITE flag and handle it ++ * seal_check_write - Check for F_SEAL_WRITE or F_SEAL_FUTURE_WRITE flags and ++ * handle them. + * @seals: the seals to check + * @vma: the vma to operate on + * +- * Check whether F_SEAL_FUTURE_WRITE is set; if so, do proper check/handling on +- * the vma flags. Return 0 if check pass, or <0 for errors. ++ * Check whether F_SEAL_WRITE or F_SEAL_FUTURE_WRITE are set; if so, do proper ++ * check/handling on the vma flags. Return 0 if check pass, or <0 for errors. + */ +-static inline int seal_check_future_write(int seals, struct vm_area_struct *vma) ++static inline int seal_check_write(int seals, struct vm_area_struct *vma) + { +- if (seals & F_SEAL_FUTURE_WRITE) { ++ if (seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) { + /* + * New PROT_WRITE and MAP_SHARED mmaps are not allowed when +- * "future write" seal active. ++ * write seals are active. + */ + if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE)) + return -EPERM; + + /* +- * Since an F_SEAL_FUTURE_WRITE sealed memfd can be mapped as ++ * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as + * MAP_SHARED and read-only, take care to not allow mprotect to + * revert protections on such mappings. Do this only for shared + * mappings. For private mappings, don't need to mask +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -2263,7 +2263,7 @@ static int shmem_mmap(struct file *file, + struct shmem_inode_info *info = SHMEM_I(file_inode(file)); + int ret; + +- ret = seal_check_future_write(info->seals, vma); ++ ret = seal_check_write(info->seals, vma); + if (ret) + return ret; + diff --git a/queue-5.10/ptp-fix-possible-memory-leak-in-ptp_clock_register.patch b/queue-5.10/ptp-fix-possible-memory-leak-in-ptp_clock_register.patch new file mode 100644 index 0000000000..248aa65030 --- /dev/null +++ b/queue-5.10/ptp-fix-possible-memory-leak-in-ptp_clock_register.patch @@ -0,0 +1,68 @@ +From 4225fea1cb28370086e17e82c0f69bec2779dca0 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Wed, 20 Oct 2021 16:18:34 +0800 +Subject: ptp: Fix possible memory leak in ptp_clock_register() + +From: Yang Yingliang + +commit 4225fea1cb28370086e17e82c0f69bec2779dca0 upstream. + +I got memory leak as follows when doing fault injection test: + +unreferenced object 0xffff88800906c618 (size 8): + comm "i2c-idt82p33931", pid 4421, jiffies 4294948083 (age 13.188s) + hex dump (first 8 bytes): + 70 74 70 30 00 00 00 00 ptp0.... + backtrace: + [<00000000312ed458>] __kmalloc_track_caller+0x19f/0x3a0 + [<0000000079f6e2ff>] kvasprintf+0xb5/0x150 + [<0000000026aae54f>] kvasprintf_const+0x60/0x190 + [<00000000f323a5f7>] kobject_set_name_vargs+0x56/0x150 + [<000000004e35abdd>] dev_set_name+0xc0/0x100 + [<00000000f20cfe25>] ptp_clock_register+0x9f4/0xd30 [ptp] + [<000000008bb9f0de>] idt82p33_probe.cold+0x8b6/0x1561 [ptp_idt82p33] + +When posix_clock_register() returns an error, the name allocated +in dev_set_name() will be leaked, the put_device() should be used +to give up the device reference, then the name will be freed in +kobject_cleanup() and other memory will be freed in ptp_clock_release(). + +Reported-by: Hulk Robot +Fixes: a33121e5487b ("ptp: fix the race between the release of ptp_clock and cdev") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +[ Shivani: Modified to apply on 5.10.y, Removed kfree(ptp->vclock_index) in + the ptach, since vclock_index is introduced in later versions ] +Signed-off-by: Shivani Agarwal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ptp/ptp_clock.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/ptp/ptp_clock.c ++++ b/drivers/ptp/ptp_clock.c +@@ -283,15 +283,20 @@ struct ptp_clock *ptp_clock_register(str + /* Create a posix clock and link it to the device. */ + err = posix_clock_register(&ptp->clock, &ptp->dev); + if (err) { ++ if (ptp->pps_source) ++ pps_unregister_source(ptp->pps_source); ++ ++ if (ptp->kworker) ++ kthread_destroy_worker(ptp->kworker); ++ ++ put_device(&ptp->dev); ++ + pr_err("failed to create posix clock\n"); +- goto no_clock; ++ return ERR_PTR(err); + } + + return ptp; + +-no_clock: +- if (ptp->pps_source) +- pps_unregister_source(ptp->pps_source); + no_pps: + ptp_cleanup_pin_groups(ptp); + no_pin_groups: diff --git a/queue-5.10/selftests-memfd-add-test-for-mapping-write-sealed-memfd-read-only.patch b/queue-5.10/selftests-memfd-add-test-for-mapping-write-sealed-memfd-read-only.patch new file mode 100644 index 0000000000..7efd158395 --- /dev/null +++ b/queue-5.10/selftests-memfd-add-test-for-mapping-write-sealed-memfd-read-only.patch @@ -0,0 +1,98 @@ +From 3T3uJaA4KBrYeoWWYiWjfWnnaockkcha.YkicnacgdhejqtbkqjZWpekj.knc@flex--isaacmanjarres.bounces.google.com Wed Jul 30 03:54:24 2025 +From: "Isaac J. Manjarres" +Date: Tue, 29 Jul 2025 18:54:02 -0700 +Subject: selftests/memfd: add test for mapping write-sealed memfd read-only +To: lorenzo.stoakes@oracle.com, gregkh@linuxfoundation.org, Shuah Khan +Cc: aliceryhl@google.com, surenb@google.com, stable@vger.kernel.org, "Isaac J. Manjarres" , kernel-team@android.com, Jann Horn , Julian Orth , "Liam R. Howlett" , Linus Torvalds , Vlastimil Babka , Andrew Morton , linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org +Message-ID: <20250730015406.32569-5-isaacmanjarres@google.com> + +From: Lorenzo Stoakes + +[ Upstream commit ea0916e01d0b0f2cce1369ac1494239a79827270 ] + +Now we have reinstated the ability to map F_SEAL_WRITE mappings read-only, +assert that we are able to do this in a test to ensure that we do not +regress this again. + +Link: https://lkml.kernel.org/r/a6377ec470b14c0539b4600cf8fa24bf2e4858ae.1732804776.git.lorenzo.stoakes@oracle.com +Signed-off-by: Lorenzo Stoakes +Cc: Jann Horn +Cc: Julian Orth +Cc: Liam R. Howlett +Cc: Linus Torvalds +Cc: Shuah Khan +Cc: Vlastimil Babka +Signed-off-by: Andrew Morton +Cc: stable@vger.kernel.org +Signed-off-by: Isaac J. Manjarres +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/memfd/memfd_test.c | 43 +++++++++++++++++++++++++++++ + 1 file changed, 43 insertions(+) + +--- a/tools/testing/selftests/memfd/memfd_test.c ++++ b/tools/testing/selftests/memfd/memfd_test.c +@@ -186,6 +186,24 @@ static void *mfd_assert_mmap_shared(int + return p; + } + ++static void *mfd_assert_mmap_read_shared(int fd) ++{ ++ void *p; ++ ++ p = mmap(NULL, ++ mfd_def_size, ++ PROT_READ, ++ MAP_SHARED, ++ fd, ++ 0); ++ if (p == MAP_FAILED) { ++ printf("mmap() failed: %m\n"); ++ abort(); ++ } ++ ++ return p; ++} ++ + static void *mfd_assert_mmap_private(int fd) + { + void *p; +@@ -802,6 +820,30 @@ static void test_seal_future_write(void) + close(fd); + } + ++static void test_seal_write_map_read_shared(void) ++{ ++ int fd; ++ void *p; ++ ++ printf("%s SEAL-WRITE-MAP-READ\n", memfd_str); ++ ++ fd = mfd_assert_new("kern_memfd_seal_write_map_read", ++ mfd_def_size, ++ MFD_CLOEXEC | MFD_ALLOW_SEALING); ++ ++ mfd_assert_add_seals(fd, F_SEAL_WRITE); ++ mfd_assert_has_seals(fd, F_SEAL_WRITE); ++ ++ p = mfd_assert_mmap_read_shared(fd); ++ ++ mfd_assert_read(fd); ++ mfd_assert_read_shared(fd); ++ mfd_fail_write(fd); ++ ++ munmap(p, mfd_def_size); ++ close(fd); ++} ++ + /* + * Test SEAL_SHRINK + * Test whether SEAL_SHRINK actually prevents shrinking +@@ -1056,6 +1098,7 @@ int main(int argc, char **argv) + + test_seal_write(); + test_seal_future_write(); ++ test_seal_write_map_read_shared(); + test_seal_shrink(); + test_seal_grow(); + test_seal_resize(); diff --git a/queue-5.10/series b/queue-5.10/series index f7fa39d321..781c9a3889 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -435,3 +435,16 @@ hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch usb-cdc-acm-do-not-log-successful-probe-on-later-errors.patch cdc-acm-fix-race-between-initial-clearing-halt-and-open.patch comedi-fail-comedi_insnlist-ioctl-if-n_insns-is-too-large.patch +ptp-fix-possible-memory-leak-in-ptp_clock_register.patch +block-don-t-call-rq_qos_ops-done_bio-if-the-bio-isn-t-tracked.patch +btrfs-fix-deadlock-when-cloning-inline-extents-and-using-qgroups.patch +arm-9448-1-use-an-absolute-path-to-unified.h-in-kbuild_aflags.patch +dpaa2-mac-split-up-initializing-the-mac-object-from-connecting-to-it.patch +dpaa2-mac-export-mac-counters-even-when-in-type_fixed.patch +dpaa2-eth-retry-the-probe-when-the-mac-is-not-yet-discovered-on-the-bus.patch +dpaa2-eth-fix-device-reference-count-leak-in-mac-endpoint-handling.patch +mm-drop-the-assumption-that-vm_shared-always-implies-writable.patch +mm-update-memfd-seal-write-check-to-include-f_seal_write.patch +mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only.patch +selftests-memfd-add-test-for-mapping-write-sealed-memfd-read-only.patch +dma-buf-insert-memory-barrier-before-updating-num_fences.patch