From: Greg Kroah-Hartman Date: Fri, 20 Jun 2025 10:44:52 +0000 (+0200) Subject: 6.15-stable patches X-Git-Tag: v5.4.295~135 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b2906d4d3d5416562ebbbf8f11f4144176340f09;p=thirdparty%2Fkernel%2Fstable-queue.git 6.15-stable patches added patches: dummycon-trigger-redraw-when-switching-consoles-with-deferred-takeover.patch iio-adc-ad7173-fix-compiling-without-gpiolib.patch iio-adc-ad7606-fix-raw-read-for-18-bit-chips.patch iio-adc-ad7606_spi-fix-reg-write-value-mask.patch iio-adc-ad7944-mask-high-bits-on-direct-read.patch iio-adc-ti-ads1298-kconfig-add-kfifo-dependency-to-fix-module-build.patch iio-imu-inv_icm42600-fix-temperature-calculation.patch io_uring-net-only-consider-msg_inq-if-larger-than-1.patch mm-fix-uprobe-pte-be-overwritten-when-expanding-vma.patch mm-hugetlb-fix-huge_pmd_unshare-vs-gup-fast-race.patch mm-hugetlb-unshare-page-tables-during-vma-split-not-before.patch --- diff --git a/queue-6.15/dummycon-trigger-redraw-when-switching-consoles-with-deferred-takeover.patch b/queue-6.15/dummycon-trigger-redraw-when-switching-consoles-with-deferred-takeover.patch new file mode 100644 index 0000000000..966fa4ae0d --- /dev/null +++ b/queue-6.15/dummycon-trigger-redraw-when-switching-consoles-with-deferred-takeover.patch @@ -0,0 +1,90 @@ +From 03bcbbb3995ba5df43af9aba45334e35f2dfe27b Mon Sep 17 00:00:00 2001 +From: Thomas Zimmermann +Date: Tue, 20 May 2025 09:14:00 +0200 +Subject: dummycon: Trigger redraw when switching consoles with deferred takeover + +From: Thomas Zimmermann + +commit 03bcbbb3995ba5df43af9aba45334e35f2dfe27b upstream. + +Signal vt subsystem to redraw console when switching to dummycon +with deferred takeover enabled. Makes the console switch to fbcon +and displays the available output. + +With deferred takeover enabled, dummycon acts as the placeholder +until the first output to the console happens. At that point, fbcon +takes over. If the output happens while dummycon is not active, it +cannot inform fbcon. This is the case if the vt subsystem runs in +graphics mode. + +A typical graphical boot starts plymouth, a display manager and a +compositor; all while leaving out dummycon. Switching to a text-mode +console leaves the console with dummycon even if a getty terminal +has been started. + +Returning true from dummycon's con_switch helper signals the vt +subsystem to redraw the screen. If there's output available dummycon's +con_putc{s} helpers trigger deferred takeover of fbcon, which sets a +display mode and displays the output. If no output is available, +dummycon remains active. + +v2: +- make the comment slightly more verbose (Javier) + +Signed-off-by: Thomas Zimmermann +Reported-by: Andrei Borzenkov +Closes: https://bugzilla.suse.com/show_bug.cgi?id=1242191 +Tested-by: Andrei Borzenkov +Acked-by: Javier Martinez Canillas +Fixes: 83d83bebf401 ("console/fbcon: Add support for deferred console takeover") +Cc: Hans de Goede +Cc: linux-fbdev@vger.kernel.org +Cc: dri-devel@lists.freedesktop.org +Cc: # v4.19+ +Link: https://lore.kernel.org/r/20250520071418.8462-1-tzimmermann@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/console/dummycon.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +--- a/drivers/video/console/dummycon.c ++++ b/drivers/video/console/dummycon.c +@@ -85,6 +85,15 @@ static bool dummycon_blank(struct vc_dat + /* Redraw, so that we get putc(s) for output done while blanked */ + return true; + } ++ ++static bool dummycon_switch(struct vc_data *vc) ++{ ++ /* ++ * Redraw, so that we get putc(s) for output done while switched ++ * away. Informs deferred consoles to take over the display. ++ */ ++ return true; ++} + #else + static void dummycon_putc(struct vc_data *vc, u16 c, unsigned int y, + unsigned int x) { } +@@ -95,6 +104,10 @@ static bool dummycon_blank(struct vc_dat + { + return false; + } ++static bool dummycon_switch(struct vc_data *vc) ++{ ++ return false; ++} + #endif + + static const char *dummycon_startup(void) +@@ -123,11 +136,6 @@ static bool dummycon_scroll(struct vc_da + { + return false; + } +- +-static bool dummycon_switch(struct vc_data *vc) +-{ +- return false; +-} + + /* + * The console `switch' structure for the dummy console diff --git a/queue-6.15/iio-adc-ad7173-fix-compiling-without-gpiolib.patch b/queue-6.15/iio-adc-ad7173-fix-compiling-without-gpiolib.patch new file mode 100644 index 0000000000..bbb0f28d15 --- /dev/null +++ b/queue-6.15/iio-adc-ad7173-fix-compiling-without-gpiolib.patch @@ -0,0 +1,102 @@ +From c553aa1b03719400a30d9387477190d4743fc1de Mon Sep 17 00:00:00 2001 +From: David Lechner +Date: Tue, 22 Apr 2025 15:12:27 -0500 +Subject: iio: adc: ad7173: fix compiling without gpiolib + +From: David Lechner + +commit c553aa1b03719400a30d9387477190d4743fc1de upstream. + +Fix compiling the ad7173 driver when CONFIG_GPIOLIB is not set by +selecting GPIOLIB to be always enabled and remove the #if. + +Commit 031bdc8aee01 ("iio: adc: ad7173: add calibration support") placed +unrelated code in the middle of the #if IS_ENABLED(CONFIG_GPIOLIB) block +which caused the reported compile error. + +However, later commit 7530ed2aaa3f ("iio: adc: ad7173: add openwire +detection support for single conversions") makes use of the gpio regmap +even when we aren't providing gpio controller support. So it makes more +sense to always enable GPIOLIB rather than trying to make it optional. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202504220824.HVrTVov1-lkp@intel.com/ +Fixes: 031bdc8aee01 ("iio: adc: ad7173: add calibration support") +Signed-off-by: David Lechner +Link: https://patch.msgid.link/20250422-iio-adc-ad7173-fix-compile-without-gpiolib-v1-1-295f2c990754@baylibre.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/Kconfig | 5 +++-- + drivers/iio/adc/ad7173.c | 15 +-------------- + 2 files changed, 4 insertions(+), 16 deletions(-) + +diff --git a/drivers/iio/adc/Kconfig b/drivers/iio/adc/Kconfig +index 6529df1a498c..ba746754a816 100644 +--- a/drivers/iio/adc/Kconfig ++++ b/drivers/iio/adc/Kconfig +@@ -129,8 +129,9 @@ config AD7173 + tristate "Analog Devices AD7173 driver" + depends on SPI_MASTER + select AD_SIGMA_DELTA +- select GPIO_REGMAP if GPIOLIB +- select REGMAP_SPI if GPIOLIB ++ select GPIOLIB ++ select GPIO_REGMAP ++ select REGMAP_SPI + help + Say yes here to build support for Analog Devices AD7173 and similar ADC + Currently supported models: +diff --git a/drivers/iio/adc/ad7173.c b/drivers/iio/adc/ad7173.c +index 69de5886474c..b3e6bd2a55d7 100644 +--- a/drivers/iio/adc/ad7173.c ++++ b/drivers/iio/adc/ad7173.c +@@ -230,10 +230,8 @@ struct ad7173_state { + unsigned long long *config_cnts; + struct clk *ext_clk; + struct clk_hw int_clk_hw; +-#if IS_ENABLED(CONFIG_GPIOLIB) + struct regmap *reg_gpiocon_regmap; + struct gpio_regmap *gpio_regmap; +-#endif + }; + + static unsigned int ad4115_sinc5_data_rates[] = { +@@ -288,8 +286,6 @@ static const char *const ad7173_clk_sel[] = { + "ext-clk", "xtal" + }; + +-#if IS_ENABLED(CONFIG_GPIOLIB) +- + static const struct regmap_range ad7173_range_gpio[] = { + regmap_reg_range(AD7173_REG_GPIO, AD7173_REG_GPIO), + }; +@@ -543,12 +539,6 @@ static int ad7173_gpio_init(struct ad7173_state *st) + + return 0; + } +-#else +-static int ad7173_gpio_init(struct ad7173_state *st) +-{ +- return 0; +-} +-#endif /* CONFIG_GPIOLIB */ + + static struct ad7173_state *ad_sigma_delta_to_ad7173(struct ad_sigma_delta *sd) + { +@@ -1797,10 +1787,7 @@ static int ad7173_probe(struct spi_device *spi) + if (ret) + return ret; + +- if (IS_ENABLED(CONFIG_GPIOLIB)) +- return ad7173_gpio_init(st); +- +- return 0; ++ return ad7173_gpio_init(st); + } + + static const struct of_device_id ad7173_of_match[] = { +-- +2.50.0 + diff --git a/queue-6.15/iio-adc-ad7606-fix-raw-read-for-18-bit-chips.patch b/queue-6.15/iio-adc-ad7606-fix-raw-read-for-18-bit-chips.patch new file mode 100644 index 0000000000..f2a4a2bbcf --- /dev/null +++ b/queue-6.15/iio-adc-ad7606-fix-raw-read-for-18-bit-chips.patch @@ -0,0 +1,68 @@ +From 3f5fd1717ae9497215f22aa748fc2c09df88b0e3 Mon Sep 17 00:00:00 2001 +From: David Lechner +Date: Fri, 2 May 2025 10:04:30 -0500 +Subject: iio: adc: ad7606: fix raw read for 18-bit chips + +From: David Lechner + +commit 3f5fd1717ae9497215f22aa748fc2c09df88b0e3 upstream. + +Fix 18-bit raw read for 18-bit chips by applying a mask to the value +we receive from the SPI controller. + +SPI controllers either return 1, 2 or 4 bytes per word depending on the +bits_per_word. For 16-bit chips, there was no problem since they raw +data fit exactly in the 2 bytes received from the SPI controller. But +now that we have 18-bit chips and we are using bits_per_word = 18, we +cannot assume that the extra bits in the 32-bit word are always zero. +In fact, with the AXI SPI Engine controller, these bits are not always +zero which caused the raw values to read 10s of 1000s of volts instead +of the correct value. Therefore, we need to mask the value we receive +from the SPI controller to ensure that only the 18 bits of real data +are used. + +Fixes: f3838e934dff ("iio: adc: ad7606: add support for AD7606C-{16,18} parts") +Signed-off-by: David Lechner +Link: https://patch.msgid.link/20250502-iio-adc-ad7606-fix-raw-read-for-18-bit-chips-v1-1-06caa92d8f11@baylibre.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad7606.c | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +diff --git a/drivers/iio/adc/ad7606.c b/drivers/iio/adc/ad7606.c +index 703556eb7257..8ed65a35b486 100644 +--- a/drivers/iio/adc/ad7606.c ++++ b/drivers/iio/adc/ad7606.c +@@ -727,17 +727,16 @@ static int ad7606_scan_direct(struct iio_dev *indio_dev, unsigned int ch, + goto error_ret; + + chan = &indio_dev->channels[ch + 1]; +- if (chan->scan_type.sign == 'u') { +- if (realbits > 16) +- *val = st->data.buf32[ch]; +- else +- *val = st->data.buf16[ch]; +- } else { +- if (realbits > 16) +- *val = sign_extend32(st->data.buf32[ch], realbits - 1); +- else +- *val = sign_extend32(st->data.buf16[ch], realbits - 1); +- } ++ ++ if (realbits > 16) ++ *val = st->data.buf32[ch]; ++ else ++ *val = st->data.buf16[ch]; ++ ++ *val &= GENMASK(realbits - 1, 0); ++ ++ if (chan->scan_type.sign == 's') ++ *val = sign_extend32(*val, realbits - 1); + + error_ret: + if (!st->gpio_convst) { +-- +2.50.0 + diff --git a/queue-6.15/iio-adc-ad7606_spi-fix-reg-write-value-mask.patch b/queue-6.15/iio-adc-ad7606_spi-fix-reg-write-value-mask.patch new file mode 100644 index 0000000000..5b69b69568 --- /dev/null +++ b/queue-6.15/iio-adc-ad7606_spi-fix-reg-write-value-mask.patch @@ -0,0 +1,35 @@ +From 89944d88f8795c6c89b9514cb365998145511cd4 Mon Sep 17 00:00:00 2001 +From: David Lechner +Date: Mon, 28 Apr 2025 20:55:34 -0500 +Subject: iio: adc: ad7606_spi: fix reg write value mask + +From: David Lechner + +commit 89944d88f8795c6c89b9514cb365998145511cd4 upstream. + +Fix incorrect value mask for register write. Register values are 8-bit, +not 9. If this function was called with a value > 0xFF and an even addr, +it would cause writing to the next register. + +Fixes: f2a22e1e172f ("iio: adc: ad7606: Add support for software mode for ad7616") +Signed-off-by: David Lechner +Reviewed-by: Angelo Dureghello +Link: https://patch.msgid.link/20250428-iio-adc-ad7606_spi-fix-write-value-mask-v1-1-a2d5e85a809f@baylibre.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad7606_spi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/adc/ad7606_spi.c ++++ b/drivers/iio/adc/ad7606_spi.c +@@ -155,7 +155,7 @@ static int ad7606_spi_reg_write(struct a + struct spi_device *spi = to_spi_device(st->dev); + + st->d16[0] = cpu_to_be16((st->bops->rd_wr_cmd(addr, 1) << 8) | +- (val & 0x1FF)); ++ (val & 0xFF)); + + return spi_write(spi, &st->d16[0], sizeof(st->d16[0])); + } diff --git a/queue-6.15/iio-adc-ad7944-mask-high-bits-on-direct-read.patch b/queue-6.15/iio-adc-ad7944-mask-high-bits-on-direct-read.patch new file mode 100644 index 0000000000..7a8554cfe1 --- /dev/null +++ b/queue-6.15/iio-adc-ad7944-mask-high-bits-on-direct-read.patch @@ -0,0 +1,40 @@ +From 7cdfbc0113d087348b8e65dd79276d0f57b89a10 Mon Sep 17 00:00:00 2001 +From: David Lechner +Date: Mon, 5 May 2025 13:28:40 -0500 +Subject: iio: adc: ad7944: mask high bits on direct read +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David Lechner + +commit 7cdfbc0113d087348b8e65dd79276d0f57b89a10 upstream. + +Apply a mask to the raw value received over the SPI bus for unsigned +direct reads. As we found recently, SPI controllers may not set unused +bits to 0 when reading with bits_per_word != {8,16,32}. The ad7944 uses +bits_per_word of 14 and 18, so we need to mask the value to be sure we +returning the correct value to userspace during a direct read. + +Fixes: d1efcf8871db ("iio: adc: ad7944: add driver for AD7944/AD7985/AD7986") +Signed-off-by: David Lechner +Reviewed-by: Nuno Sá +Link: https://patch.msgid.link/20250505-iio-adc-ad7944-max-high-bits-on-direct-read-v1-1-b173facceefe@baylibre.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad7944.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/iio/adc/ad7944.c ++++ b/drivers/iio/adc/ad7944.c +@@ -377,6 +377,8 @@ static int ad7944_single_conversion(stru + + if (chan->scan_type.sign == 's') + *val = sign_extend32(*val, chan->scan_type.realbits - 1); ++ else ++ *val &= GENMASK(chan->scan_type.realbits - 1, 0); + + return IIO_VAL_INT; + } diff --git a/queue-6.15/iio-adc-ti-ads1298-kconfig-add-kfifo-dependency-to-fix-module-build.patch b/queue-6.15/iio-adc-ti-ads1298-kconfig-add-kfifo-dependency-to-fix-module-build.patch new file mode 100644 index 0000000000..94d817b790 --- /dev/null +++ b/queue-6.15/iio-adc-ti-ads1298-kconfig-add-kfifo-dependency-to-fix-module-build.patch @@ -0,0 +1,37 @@ +From 3c5dfea39a245b2dad869db24e2830aa299b1cf2 Mon Sep 17 00:00:00 2001 +From: Arthur-Prince +Date: Wed, 30 Apr 2025 16:07:37 -0300 +Subject: iio: adc: ti-ads1298: Kconfig: add kfifo dependency to fix module build +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arthur-Prince + +commit 3c5dfea39a245b2dad869db24e2830aa299b1cf2 upstream. + +Add dependency to Kconfig’s ti-ads1298 because compiling it as a module +failed with an undefined kfifo symbol. + +Fixes: 00ef7708fa60 ("iio: adc: ti-ads1298: Add driver") +Signed-off-by: Arthur-Prince +Co-developed-by: Mariana Valério +Signed-off-by: Mariana Valério +Link: https://patch.msgid.link/20250430191131.120831-1-r2.arthur.prince@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/adc/Kconfig ++++ b/drivers/iio/adc/Kconfig +@@ -1546,6 +1546,7 @@ config TI_ADS1298 + tristate "Texas Instruments ADS1298" + depends on SPI + select IIO_BUFFER ++ select IIO_KFIFO_BUF + help + If you say yes here you get support for Texas Instruments ADS1298 + medical ADC chips diff --git a/queue-6.15/iio-imu-inv_icm42600-fix-temperature-calculation.patch b/queue-6.15/iio-imu-inv_icm42600-fix-temperature-calculation.patch new file mode 100644 index 0000000000..f7475695dc --- /dev/null +++ b/queue-6.15/iio-imu-inv_icm42600-fix-temperature-calculation.patch @@ -0,0 +1,49 @@ +From e2f820014239df9360064079ae93f838ff3b7f8c Mon Sep 17 00:00:00 2001 +From: Sean Nyekjaer +Date: Fri, 2 May 2025 11:37:26 +0200 +Subject: iio: imu: inv_icm42600: Fix temperature calculation + +From: Sean Nyekjaer + +commit e2f820014239df9360064079ae93f838ff3b7f8c upstream. + +>From the documentation: +"offset to be added to [Y]_raw prior toscaling by [Y]_scale" +Offset should be applied before multiplying scale, so divide offset by +scale to make this correct. + +Fixes: bc3eb0207fb5 ("iio: imu: inv_icm42600: add temperature sensor support") +Signed-off-by: Sean Nyekjaer +Acked-by: Jean-Baptiste Maneyrol +Link: https://patch.msgid.link/20250502-imu-v1-1-129b8391a4e3@geanix.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c ++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c +@@ -67,16 +67,18 @@ int inv_icm42600_temp_read_raw(struct ii + return IIO_VAL_INT; + /* + * T°C = (temp / 132.48) + 25 +- * Tm°C = 1000 * ((temp * 100 / 13248) + 25) ++ * Tm°C = 1000 * ((temp / 132.48) + 25) ++ * Tm°C = 7.548309 * temp + 25000 ++ * Tm°C = (temp + 3312) * 7.548309 + * scale: 100000 / 13248 ~= 7.548309 +- * offset: 25000 ++ * offset: 3312 + */ + case IIO_CHAN_INFO_SCALE: + *val = 7; + *val2 = 548309; + return IIO_VAL_INT_PLUS_MICRO; + case IIO_CHAN_INFO_OFFSET: +- *val = 25000; ++ *val = 3312; + return IIO_VAL_INT; + default: + return -EINVAL; diff --git a/queue-6.15/io_uring-net-only-consider-msg_inq-if-larger-than-1.patch b/queue-6.15/io_uring-net-only-consider-msg_inq-if-larger-than-1.patch new file mode 100644 index 0000000000..d305e267ca --- /dev/null +++ b/queue-6.15/io_uring-net-only-consider-msg_inq-if-larger-than-1.patch @@ -0,0 +1,49 @@ +From 2c7f023219966777be0687e15b57689894304cd3 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Wed, 28 May 2025 13:45:44 -0600 +Subject: io_uring/net: only consider msg_inq if larger than 1 + +From: Jens Axboe + +commit 2c7f023219966777be0687e15b57689894304cd3 upstream. + +Currently retry and general validity of msg_inq is gated on it being +larger than zero, but it's entirely possible for this to be slightly +inaccurate. In particular, if FIN is received, it'll return 1. + +Just use larger than 1 as the check. This covers both the FIN case, and +at the same time, it doesn't make much sense to retry a recv immediately +if there's even just a single 1 byte of valid data in the socket. + +Leave the SOCK_NONEMPTY flagging when larger than 0 still, as an app may +use that for the final receive. + +Cc: stable@vger.kernel.org +Reported-by: Christian Mazakas +Fixes: 7c71a0af81ba ("io_uring/net: improve recv bundles") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/net.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/io_uring/net.c ++++ b/io_uring/net.c +@@ -840,7 +840,7 @@ static inline bool io_recv_finish(struct + * If more is available AND it was a full transfer, retry and + * append to this one + */ +- if (!sr->retry && kmsg->msg.msg_inq > 0 && this_ret > 0 && ++ if (!sr->retry && kmsg->msg.msg_inq > 1 && this_ret > 0 && + !iov_iter_count(&kmsg->msg.msg_iter)) { + req->cqe.flags = cflags & ~CQE_F_MASK; + sr->len = kmsg->msg.msg_inq; +@@ -1077,7 +1077,7 @@ static int io_recv_buf_select(struct io_ + arg.mode |= KBUF_MODE_FREE; + } + +- if (kmsg->msg.msg_inq > 0) ++ if (kmsg->msg.msg_inq > 1) + arg.max_len = min_not_zero(sr->len, kmsg->msg.msg_inq); + + ret = io_buffers_peek(req, &arg); diff --git a/queue-6.15/mm-fix-uprobe-pte-be-overwritten-when-expanding-vma.patch b/queue-6.15/mm-fix-uprobe-pte-be-overwritten-when-expanding-vma.patch new file mode 100644 index 0000000000..00daad2b02 --- /dev/null +++ b/queue-6.15/mm-fix-uprobe-pte-be-overwritten-when-expanding-vma.patch @@ -0,0 +1,134 @@ +From 2b12d06c37fd3a394376f42f026a7478d826ed63 Mon Sep 17 00:00:00 2001 +From: Pu Lehui +Date: Thu, 29 May 2025 15:56:47 +0000 +Subject: mm: fix uprobe pte be overwritten when expanding vma + +From: Pu Lehui + +commit 2b12d06c37fd3a394376f42f026a7478d826ed63 upstream. + +Patch series "Fix uprobe pte be overwritten when expanding vma". + + +This patch (of 4): + +We encountered a BUG alert triggered by Syzkaller as follows: + BUG: Bad rss-counter state mm:00000000b4a60fca type:MM_ANONPAGES val:1 + +And we can reproduce it with the following steps: +1. register uprobe on file at zero offset +2. mmap the file at zero offset: + addr1 = mmap(NULL, 2 * 4096, PROT_NONE, MAP_PRIVATE, fd, 0); +3. mremap part of vma1 to new vma2: + addr2 = mremap(addr1, 4096, 2 * 4096, MREMAP_MAYMOVE); +4. mremap back to orig addr1: + mremap(addr2, 4096, 4096, MREMAP_MAYMOVE | MREMAP_FIXED, addr1); + +In step 3, the vma1 range [addr1, addr1 + 4096] will be remap to new vma2 +with range [addr2, addr2 + 8192], and remap uprobe anon page from the vma1 +to vma2, then unmap the vma1 range [addr1, addr1 + 4096]. + +In step 4, the vma2 range [addr2, addr2 + 4096] will be remap back to the +addr range [addr1, addr1 + 4096]. Since the addr range [addr1 + 4096, +addr1 + 8192] still maps the file, it will take vma_merge_new_range to +expand the range, and then do uprobe_mmap in vma_complete. Since the +merged vma pgoff is also zero offset, it will install uprobe anon page to +the merged vma. However, the upcomming move_page_tables step, which use +set_pte_at to remap the vma2 uprobe pte to the merged vma, will overwrite +the newly uprobe pte in the merged vma, and lead that pte to be orphan. + +Since the uprobe pte will be remapped to the merged vma, we can remove the +unnecessary uprobe_mmap upon merged vma. + +This problem was first found in linux-6.6.y and also exists in the +community syzkaller: +https://lore.kernel.org/all/000000000000ada39605a5e71711@google.com/T/ + +Link: https://lkml.kernel.org/r/20250529155650.4017699-1-pulehui@huaweicloud.com +Link: https://lkml.kernel.org/r/20250529155650.4017699-2-pulehui@huaweicloud.com +Fixes: 2b1444983508 ("uprobes, mm, x86: Add the ability to install and remove uprobes breakpoints") +Signed-off-by: Pu Lehui +Suggested-by: Lorenzo Stoakes +Reviewed-by: Lorenzo Stoakes +Acked-by: David Hildenbrand +Cc: Jann Horn +Cc: Liam Howlett +Cc: "Masami Hiramatsu (Google)" +Cc: Oleg Nesterov +Cc: Peter Zijlstra +Cc: Vlastimil Babka +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/vma.c | 20 +++++++++++++++++--- + mm/vma.h | 7 +++++++ + 2 files changed, 24 insertions(+), 3 deletions(-) + +--- a/mm/vma.c ++++ b/mm/vma.c +@@ -144,6 +144,9 @@ static void init_multi_vma_prep(struct v + vp->file = vma->vm_file; + if (vp->file) + vp->mapping = vma->vm_file->f_mapping; ++ ++ if (vmg && vmg->skip_vma_uprobe) ++ vp->skip_vma_uprobe = true; + } + + /* +@@ -333,10 +336,13 @@ static void vma_complete(struct vma_prep + + if (vp->file) { + i_mmap_unlock_write(vp->mapping); +- uprobe_mmap(vp->vma); + +- if (vp->adj_next) +- uprobe_mmap(vp->adj_next); ++ if (!vp->skip_vma_uprobe) { ++ uprobe_mmap(vp->vma); ++ ++ if (vp->adj_next) ++ uprobe_mmap(vp->adj_next); ++ } + } + + if (vp->remove) { +@@ -1783,6 +1789,14 @@ struct vm_area_struct *copy_vma(struct v + faulted_in_anon_vma = false; + } + ++ /* ++ * If the VMA we are copying might contain a uprobe PTE, ensure ++ * that we do not establish one upon merge. Otherwise, when mremap() ++ * moves page tables, it will orphan the newly created PTE. ++ */ ++ if (vma->vm_file) ++ vmg.skip_vma_uprobe = true; ++ + new_vma = find_vma_prev(mm, addr, &vmg.prev); + if (new_vma && new_vma->vm_start < addr + len) + return NULL; /* should never get here */ +--- a/mm/vma.h ++++ b/mm/vma.h +@@ -19,6 +19,8 @@ struct vma_prepare { + struct vm_area_struct *insert; + struct vm_area_struct *remove; + struct vm_area_struct *remove2; ++ ++ bool skip_vma_uprobe :1; + }; + + struct unlink_vma_file_batch { +@@ -120,6 +122,11 @@ struct vma_merge_struct { + */ + bool give_up_on_oom :1; + ++ /* ++ * If set, skip uprobe_mmap upon merged vma. ++ */ ++ bool skip_vma_uprobe :1; ++ + /* Internal flags set during merge process: */ + + /* diff --git a/queue-6.15/mm-hugetlb-fix-huge_pmd_unshare-vs-gup-fast-race.patch b/queue-6.15/mm-hugetlb-fix-huge_pmd_unshare-vs-gup-fast-race.patch new file mode 100644 index 0000000000..9f152f1f62 --- /dev/null +++ b/queue-6.15/mm-hugetlb-fix-huge_pmd_unshare-vs-gup-fast-race.patch @@ -0,0 +1,55 @@ +From 1013af4f585fccc4d3e5c5824d174de2257f7d6d Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Tue, 27 May 2025 23:23:54 +0200 +Subject: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race + +From: Jann Horn + +commit 1013af4f585fccc4d3e5c5824d174de2257f7d6d upstream. + +huge_pmd_unshare() drops a reference on a page table that may have +previously been shared across processes, potentially turning it into a +normal page table used in another process in which unrelated VMAs can +afterwards be installed. + +If this happens in the middle of a concurrent gup_fast(), gup_fast() could +end up walking the page tables of another process. While I don't see any +way in which that immediately leads to kernel memory corruption, it is +really weird and unexpected. + +Fix it with an explicit broadcast IPI through tlb_remove_table_sync_one(), +just like we do in khugepaged when removing page tables for a THP +collapse. + +Link: https://lkml.kernel.org/r/20250528-hugetlb-fixes-splitrace-v2-2-1329349bad1a@google.com +Link: https://lkml.kernel.org/r/20250527-hugetlb-fixes-splitrace-v1-2-f4136f5ec58a@google.com +Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page") +Signed-off-by: Jann Horn +Reviewed-by: Lorenzo Stoakes +Cc: Liam Howlett +Cc: Muchun Song +Cc: Oscar Salvador +Cc: Vlastimil Babka +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/hugetlb.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -7628,6 +7628,13 @@ int huge_pmd_unshare(struct mm_struct *m + return 0; + + pud_clear(pud); ++ /* ++ * Once our caller drops the rmap lock, some other process might be ++ * using this page table as a normal, non-hugetlb page table. ++ * Wait for pending gup_fast() in other threads to finish before letting ++ * that happen. ++ */ ++ tlb_remove_table_sync_one(); + ptdesc_pmd_pts_dec(virt_to_ptdesc(ptep)); + mm_dec_nr_pmds(mm); + return 1; diff --git a/queue-6.15/mm-hugetlb-unshare-page-tables-during-vma-split-not-before.patch b/queue-6.15/mm-hugetlb-unshare-page-tables-during-vma-split-not-before.patch new file mode 100644 index 0000000000..ef559c1201 --- /dev/null +++ b/queue-6.15/mm-hugetlb-unshare-page-tables-during-vma-split-not-before.patch @@ -0,0 +1,222 @@ +From 081056dc00a27bccb55ccc3c6f230a3d5fd3f7e0 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Tue, 27 May 2025 23:23:53 +0200 +Subject: mm/hugetlb: unshare page tables during VMA split, not before + +From: Jann Horn + +commit 081056dc00a27bccb55ccc3c6f230a3d5fd3f7e0 upstream. + +Currently, __split_vma() triggers hugetlb page table unsharing through +vm_ops->may_split(). This happens before the VMA lock and rmap locks are +taken - which is too early, it allows racing VMA-locked page faults in our +process and racing rmap walks from other processes to cause page tables to +be shared again before we actually perform the split. + +Fix it by explicitly calling into the hugetlb unshare logic from +__split_vma() in the same place where THP splitting also happens. At that +point, both the VMA and the rmap(s) are write-locked. + +An annoying detail is that we can now call into the helper +hugetlb_unshare_pmds() from two different locking contexts: + +1. from hugetlb_split(), holding: + - mmap lock (exclusively) + - VMA lock + - file rmap lock (exclusively) +2. hugetlb_unshare_all_pmds(), which I think is designed to be able to + call us with only the mmap lock held (in shared mode), but currently + only runs while holding mmap lock (exclusively) and VMA lock + +Backporting note: +This commit fixes a racy protection that was introduced in commit +b30c14cd6102 ("hugetlb: unshare some PMDs when splitting VMAs"); that +commit claimed to fix an issue introduced in 5.13, but it should actually +also go all the way back. + +[jannh@google.com: v2] + Link: https://lkml.kernel.org/r/20250528-hugetlb-fixes-splitrace-v2-1-1329349bad1a@google.com +Link: https://lkml.kernel.org/r/20250528-hugetlb-fixes-splitrace-v2-0-1329349bad1a@google.com +Link: https://lkml.kernel.org/r/20250527-hugetlb-fixes-splitrace-v1-1-f4136f5ec58a@google.com +Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page") +Signed-off-by: Jann Horn +Cc: Liam Howlett +Reviewed-by: Lorenzo Stoakes +Reviewed-by: Oscar Salvador +Cc: Lorenzo Stoakes +Cc: Vlastimil Babka +Cc: [b30c14cd6102: hugetlb: unshare some PMDs when splitting VMAs] +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/hugetlb.h | 3 + + mm/hugetlb.c | 60 ++++++++++++++++++++++++++++----------- + mm/vma.c | 7 ++++ + tools/testing/vma/vma_internal.h | 2 + + 4 files changed, 56 insertions(+), 16 deletions(-) + +--- a/include/linux/hugetlb.h ++++ b/include/linux/hugetlb.h +@@ -276,6 +276,7 @@ bool is_hugetlb_entry_migration(pte_t pt + bool is_hugetlb_entry_hwpoisoned(pte_t pte); + void hugetlb_unshare_all_pmds(struct vm_area_struct *vma); + void fixup_hugetlb_reservations(struct vm_area_struct *vma); ++void hugetlb_split(struct vm_area_struct *vma, unsigned long addr); + + #else /* !CONFIG_HUGETLB_PAGE */ + +@@ -473,6 +474,8 @@ static inline void fixup_hugetlb_reserva + { + } + ++static inline void hugetlb_split(struct vm_area_struct *vma, unsigned long addr) {} ++ + #endif /* !CONFIG_HUGETLB_PAGE */ + + #ifndef pgd_write +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -120,7 +120,7 @@ static void hugetlb_vma_lock_free(struct + static void hugetlb_vma_lock_alloc(struct vm_area_struct *vma); + static void __hugetlb_vma_unlock_write_free(struct vm_area_struct *vma); + static void hugetlb_unshare_pmds(struct vm_area_struct *vma, +- unsigned long start, unsigned long end); ++ unsigned long start, unsigned long end, bool take_locks); + static struct resv_map *vma_resv_map(struct vm_area_struct *vma); + + static void hugetlb_free_folio(struct folio *folio) +@@ -5426,26 +5426,40 @@ static int hugetlb_vm_op_split(struct vm + { + if (addr & ~(huge_page_mask(hstate_vma(vma)))) + return -EINVAL; ++ return 0; ++} + ++void hugetlb_split(struct vm_area_struct *vma, unsigned long addr) ++{ + /* + * PMD sharing is only possible for PUD_SIZE-aligned address ranges + * in HugeTLB VMAs. If we will lose PUD_SIZE alignment due to this + * split, unshare PMDs in the PUD_SIZE interval surrounding addr now. ++ * This function is called in the middle of a VMA split operation, with ++ * MM, VMA and rmap all write-locked to prevent concurrent page table ++ * walks (except hardware and gup_fast()). + */ ++ vma_assert_write_locked(vma); ++ i_mmap_assert_write_locked(vma->vm_file->f_mapping); ++ + if (addr & ~PUD_MASK) { +- /* +- * hugetlb_vm_op_split is called right before we attempt to +- * split the VMA. We will need to unshare PMDs in the old and +- * new VMAs, so let's unshare before we split. +- */ + unsigned long floor = addr & PUD_MASK; + unsigned long ceil = floor + PUD_SIZE; + +- if (floor >= vma->vm_start && ceil <= vma->vm_end) +- hugetlb_unshare_pmds(vma, floor, ceil); ++ if (floor >= vma->vm_start && ceil <= vma->vm_end) { ++ /* ++ * Locking: ++ * Use take_locks=false here. ++ * The file rmap lock is already held. ++ * The hugetlb VMA lock can't be taken when we already ++ * hold the file rmap lock, and we don't need it because ++ * its purpose is to synchronize against concurrent page ++ * table walks, which are not possible thanks to the ++ * locks held by our caller. ++ */ ++ hugetlb_unshare_pmds(vma, floor, ceil, /* take_locks = */ false); ++ } + } +- +- return 0; + } + + static unsigned long hugetlb_vm_op_pagesize(struct vm_area_struct *vma) +@@ -7884,9 +7898,16 @@ void move_hugetlb_state(struct folio *ol + spin_unlock_irq(&hugetlb_lock); + } + ++/* ++ * If @take_locks is false, the caller must ensure that no concurrent page table ++ * access can happen (except for gup_fast() and hardware page walks). ++ * If @take_locks is true, we take the hugetlb VMA lock (to lock out things like ++ * concurrent page fault handling) and the file rmap lock. ++ */ + static void hugetlb_unshare_pmds(struct vm_area_struct *vma, + unsigned long start, +- unsigned long end) ++ unsigned long end, ++ bool take_locks) + { + struct hstate *h = hstate_vma(vma); + unsigned long sz = huge_page_size(h); +@@ -7910,8 +7931,12 @@ static void hugetlb_unshare_pmds(struct + mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, mm, + start, end); + mmu_notifier_invalidate_range_start(&range); +- hugetlb_vma_lock_write(vma); +- i_mmap_lock_write(vma->vm_file->f_mapping); ++ if (take_locks) { ++ hugetlb_vma_lock_write(vma); ++ i_mmap_lock_write(vma->vm_file->f_mapping); ++ } else { ++ i_mmap_assert_write_locked(vma->vm_file->f_mapping); ++ } + for (address = start; address < end; address += PUD_SIZE) { + ptep = hugetlb_walk(vma, address, sz); + if (!ptep) +@@ -7921,8 +7946,10 @@ static void hugetlb_unshare_pmds(struct + spin_unlock(ptl); + } + flush_hugetlb_tlb_range(vma, start, end); +- i_mmap_unlock_write(vma->vm_file->f_mapping); +- hugetlb_vma_unlock_write(vma); ++ if (take_locks) { ++ i_mmap_unlock_write(vma->vm_file->f_mapping); ++ hugetlb_vma_unlock_write(vma); ++ } + /* + * No need to call mmu_notifier_arch_invalidate_secondary_tlbs(), see + * Documentation/mm/mmu_notifier.rst. +@@ -7937,7 +7964,8 @@ static void hugetlb_unshare_pmds(struct + void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) + { + hugetlb_unshare_pmds(vma, ALIGN(vma->vm_start, PUD_SIZE), +- ALIGN_DOWN(vma->vm_end, PUD_SIZE)); ++ ALIGN_DOWN(vma->vm_end, PUD_SIZE), ++ /* take_locks = */ true); + } + + /* +--- a/mm/vma.c ++++ b/mm/vma.c +@@ -516,7 +516,14 @@ __split_vma(struct vma_iterator *vmi, st + init_vma_prep(&vp, vma); + vp.insert = new; + vma_prepare(&vp); ++ ++ /* ++ * Get rid of huge pages and shared page tables straddling the split ++ * boundary. ++ */ + vma_adjust_trans_huge(vma, vma->vm_start, addr, NULL); ++ if (is_vm_hugetlb_page(vma)) ++ hugetlb_split(vma, addr); + + if (new_below) { + vma->vm_start = addr; +--- a/tools/testing/vma/vma_internal.h ++++ b/tools/testing/vma/vma_internal.h +@@ -793,6 +793,8 @@ static inline void vma_adjust_trans_huge + (void)next; + } + ++static inline void hugetlb_split(struct vm_area_struct *, unsigned long) {} ++ + static inline void vma_iter_free(struct vma_iterator *vmi) + { + mas_destroy(&vmi->mas); diff --git a/queue-6.15/series b/queue-6.15/series index 9f78fbed3f..ef63ee30f4 100644 --- a/queue-6.15/series +++ b/queue-6.15/series @@ -192,3 +192,14 @@ accel-ivpu-use-firmware-names-from-upstream-repo.patch accel-ivpu-trigger-device-recovery-on-engine-reset-resume-failure.patch accel-ivpu-use-dma_resv_lock-instead-of-a-custom-mutex.patch accel-ivpu-fix-warning-in-ivpu_gem_bo_free.patch +io_uring-net-only-consider-msg_inq-if-larger-than-1.patch +dummycon-trigger-redraw-when-switching-consoles-with-deferred-takeover.patch +mm-fix-uprobe-pte-be-overwritten-when-expanding-vma.patch +mm-hugetlb-unshare-page-tables-during-vma-split-not-before.patch +mm-hugetlb-fix-huge_pmd_unshare-vs-gup-fast-race.patch +iio-imu-inv_icm42600-fix-temperature-calculation.patch +iio-adc-ad7944-mask-high-bits-on-direct-read.patch +iio-adc-ti-ads1298-kconfig-add-kfifo-dependency-to-fix-module-build.patch +iio-adc-ad7606_spi-fix-reg-write-value-mask.patch +iio-adc-ad7173-fix-compiling-without-gpiolib.patch +iio-adc-ad7606-fix-raw-read-for-18-bit-chips.patch