From: Greg Kroah-Hartman Date: Thu, 21 Aug 2025 13:03:58 +0000 (+0200) Subject: 6.16-stable patches X-Git-Tag: v6.16.3~100 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b3582734ef9cb7b06224a4601db4627209740b52;p=thirdparty%2Fkernel%2Fstable-queue.git 6.16-stable patches added patches: btrfs-fix-incorrect-log-message-for-nobarrier-mount-option.patch btrfs-fix-printing-of-mount-info-messages-for-nodatacow-nodatasum.patch btrfs-restore-mount-option-info-messages-during-mount.patch btrfs-zoned-fix-write-time-activation-failure-for-metadata-block-group.patch crypto-caam-prevent-crash-on-suspend-with-imx8qm-imx8ulp.patch crypto-ccp-fix-snp-panic-notifier-unregistration.patch crypto-hash-increase-hash_max_descsize-for-hmac-sha3-224-s390.patch crypto-octeontx2-fix-address-alignment-issue-on-ucode-loading.patch crypto-octeontx2-fix-address-alignment-on-cn10k-a0-a1-and-octeontx2.patch crypto-octeontx2-fix-address-alignment-on-cn10kb-and-cn10ka-b0.patch crypto-qat-flush-misc-workqueue-during-device-shutdown.patch crypto-qat-lower-priority-for-skcipher-and-aead-algorithms.patch crypto-x86-aegis-add-missing-error-checks.patch crypto-x86-aegis-fix-sleeping-when-disallowed-on-preempt_rt.patch ext4-check-fast-symlink-for-ea_inode-correctly.patch ext4-don-t-try-to-clear-the-orphan_present-feature-block-device-is-r-o.patch ext4-fix-fsmap-end-of-range-reporting-with-bigalloc.patch ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch ext4-fix-reserved-gdt-blocks-handling-in-fsmap.patch ext4-preserve-sb_i_version-on-remount.patch ext4-use-kmalloc_array-for-array-space-allocation.patch ksmbd-extend-the-connection-limiting-mechanism-to-support-ipv6.patch ksmbd-fix-refcount-leak-causing-resource-not-released.patch lib-crypto-arm-poly1305-fix-register-corruption-in-no-simd-contexts.patch lib-crypto-arm64-poly1305-fix-register-corruption-in-no-simd-contexts.patch lib-crypto-mips-chacha-fix-clang-build-and-remove-unneeded-byteswap.patch revert-vgacon-add-check-for-vc_origin-address-range-in-vgacon_scroll.patch tracing-fprobe-event-sanitize-wildcard-for-fprobe-event-name.patch --- diff --git a/queue-6.16/btrfs-fix-incorrect-log-message-for-nobarrier-mount-option.patch b/queue-6.16/btrfs-fix-incorrect-log-message-for-nobarrier-mount-option.patch new file mode 100644 index 0000000000..0d1cc2910f --- /dev/null +++ b/queue-6.16/btrfs-fix-incorrect-log-message-for-nobarrier-mount-option.patch @@ -0,0 +1,35 @@ +From edf842abe4368ce3c423343cf4b23b210fcf1622 Mon Sep 17 00:00:00 2001 +From: Kyoji Ogasawara +Date: Wed, 23 Jul 2025 00:38:37 +0900 +Subject: btrfs: fix incorrect log message for nobarrier mount option + +From: Kyoji Ogasawara + +commit edf842abe4368ce3c423343cf4b23b210fcf1622 upstream. + +Fix a wrong log message that appears when the "nobarrier" mount option +is unset. When "nobarrier" is unset, barrier is actually enabled. +However, the log incorrectly stated "turning off barriers". + +Fixes: eddb1a433f26 ("btrfs: add reconfigure callback for fs_context") +CC: stable@vger.kernel.org # 6.12+ +Reviewed-by: Qu Wenruo +Signed-off-by: Kyoji Ogasawara +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -1453,7 +1453,7 @@ static void btrfs_emit_options(struct bt + btrfs_info_if_unset(info, old, NODATACOW, "setting datacow"); + btrfs_info_if_unset(info, old, SSD, "not using ssd optimizations"); + btrfs_info_if_unset(info, old, SSD_SPREAD, "not using spread ssd allocation scheme"); +- btrfs_info_if_unset(info, old, NOBARRIER, "turning off barriers"); ++ btrfs_info_if_unset(info, old, NOBARRIER, "turning on barriers"); + btrfs_info_if_unset(info, old, NOTREELOG, "enabling tree log"); + btrfs_info_if_unset(info, old, SPACE_CACHE, "disabling disk space caching"); + btrfs_info_if_unset(info, old, FREE_SPACE_TREE, "disabling free space tree"); diff --git a/queue-6.16/btrfs-fix-printing-of-mount-info-messages-for-nodatacow-nodatasum.patch b/queue-6.16/btrfs-fix-printing-of-mount-info-messages-for-nodatacow-nodatasum.patch new file mode 100644 index 0000000000..1226a10c43 --- /dev/null +++ b/queue-6.16/btrfs-fix-printing-of-mount-info-messages-for-nodatacow-nodatasum.patch @@ -0,0 +1,43 @@ +From 74857fdc5dd2cdcdeb6e99bdf26976fd9299d2bb Mon Sep 17 00:00:00 2001 +From: Kyoji Ogasawara +Date: Wed, 13 Aug 2025 03:00:07 +0900 +Subject: btrfs: fix printing of mount info messages for NODATACOW/NODATASUM + +From: Kyoji Ogasawara + +commit 74857fdc5dd2cdcdeb6e99bdf26976fd9299d2bb upstream. + +The NODATASUM message was printed twice by mistake and the NODATACOW was +missing from the 'unset' part. Fix the duplication and make the output +look the same. + +Fixes: eddb1a433f26 ("btrfs: add reconfigure callback for fs_context") +CC: stable@vger.kernel.org # 6.8+ +Reviewed-by: Qu Wenruo +Signed-off-by: Kyoji Ogasawara +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/super.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -1430,7 +1430,7 @@ static void btrfs_emit_options(struct bt + { + btrfs_info_if_set(info, old, NODATASUM, "setting nodatasum"); + btrfs_info_if_set(info, old, DEGRADED, "allowing degraded mounts"); +- btrfs_info_if_set(info, old, NODATASUM, "setting nodatasum"); ++ btrfs_info_if_set(info, old, NODATACOW, "setting nodatacow"); + btrfs_info_if_set(info, old, SSD, "enabling ssd optimizations"); + btrfs_info_if_set(info, old, SSD_SPREAD, "using spread ssd allocation scheme"); + btrfs_info_if_set(info, old, NOBARRIER, "turning off barriers"); +@@ -1452,6 +1452,7 @@ static void btrfs_emit_options(struct bt + btrfs_info_if_set(info, old, IGNOREMETACSUMS, "ignoring meta csums"); + btrfs_info_if_set(info, old, IGNORESUPERFLAGS, "ignoring unknown super block flags"); + ++ btrfs_info_if_unset(info, old, NODATASUM, "setting datasum"); + btrfs_info_if_unset(info, old, NODATACOW, "setting datacow"); + btrfs_info_if_unset(info, old, SSD, "not using ssd optimizations"); + btrfs_info_if_unset(info, old, SSD_SPREAD, "not using spread ssd allocation scheme"); diff --git a/queue-6.16/btrfs-restore-mount-option-info-messages-during-mount.patch b/queue-6.16/btrfs-restore-mount-option-info-messages-during-mount.patch new file mode 100644 index 0000000000..0583c6fe85 --- /dev/null +++ b/queue-6.16/btrfs-restore-mount-option-info-messages-during-mount.patch @@ -0,0 +1,63 @@ +From b435ab556bea875c088485f271ef2709ca1d75f5 Mon Sep 17 00:00:00 2001 +From: Kyoji Ogasawara +Date: Wed, 13 Aug 2025 03:00:06 +0900 +Subject: btrfs: restore mount option info messages during mount + +From: Kyoji Ogasawara + +commit b435ab556bea875c088485f271ef2709ca1d75f5 upstream. + +After the fsconfig migration in 6.8, mount option info messages are no +longer displayed during mount operations because btrfs_emit_options() is +only called during remount, not during initial mount. + +Fix this by calling btrfs_emit_options() in btrfs_fill_super() after +open_ctree() succeeds. Additionally, prevent log duplication by ensuring +btrfs_check_options() handles validation with warn-level and err-level +messages, while btrfs_emit_options() provides info-level messages. + +Fixes: eddb1a433f26 ("btrfs: add reconfigure callback for fs_context") +CC: stable@vger.kernel.org # 6.8+ +Reviewed-by: Qu Wenruo +Signed-off-by: Kyoji Ogasawara +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/super.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -88,6 +88,9 @@ struct btrfs_fs_context { + refcount_t refs; + }; + ++static void btrfs_emit_options(struct btrfs_fs_info *info, ++ struct btrfs_fs_context *old); ++ + enum { + Opt_acl, + Opt_clear_cache, +@@ -689,12 +692,9 @@ bool btrfs_check_options(const struct bt + + if (!test_bit(BTRFS_FS_STATE_REMOUNTING, &info->fs_state)) { + if (btrfs_raw_test_opt(*mount_opt, SPACE_CACHE)) { +- btrfs_info(info, "disk space caching is enabled"); + btrfs_warn(info, + "space cache v1 is being deprecated and will be removed in a future release, please use -o space_cache=v2"); + } +- if (btrfs_raw_test_opt(*mount_opt, FREE_SPACE_TREE)) +- btrfs_info(info, "using free-space-tree"); + } + + return ret; +@@ -971,6 +971,8 @@ static int btrfs_fill_super(struct super + return err; + } + ++ btrfs_emit_options(fs_info, NULL); ++ + inode = btrfs_iget(BTRFS_FIRST_FREE_OBJECTID, fs_info->fs_root); + if (IS_ERR(inode)) { + err = PTR_ERR(inode); diff --git a/queue-6.16/btrfs-zoned-fix-write-time-activation-failure-for-metadata-block-group.patch b/queue-6.16/btrfs-zoned-fix-write-time-activation-failure-for-metadata-block-group.patch new file mode 100644 index 0000000000..f77e5a9082 --- /dev/null +++ b/queue-6.16/btrfs-zoned-fix-write-time-activation-failure-for-metadata-block-group.patch @@ -0,0 +1,55 @@ +From 5c4b93f4c8e5c53574c1a48d66a27a2c68b414af Mon Sep 17 00:00:00 2001 +From: Naohiro Aota +Date: Wed, 16 Jul 2025 16:59:54 +0900 +Subject: btrfs: zoned: fix write time activation failure for metadata block group + +From: Naohiro Aota + +commit 5c4b93f4c8e5c53574c1a48d66a27a2c68b414af upstream. + +Since commit 13bb483d32ab ("btrfs: zoned: activate metadata block group on +write time"), we activate a metadata block group at the write time. If the +zone capacity is small enough, we can allocate the entire region before the +first write. Then, we hit the btrfs_zoned_bg_is_full() in +btrfs_zone_activate() and the activation fails. + +For a data block group, we activate it at the allocation time and we should +check the fullness condition in the caller side. Add, a WARN to check the +fullness condition. + +For a metadata block group, we don't need the fullness check because we +activate it at the write time. Instead, activating it once it is written +should be invalid. Catch that with a WARN too. + +Fixes: 13bb483d32ab ("btrfs: zoned: activate metadata block group on write time") +CC: stable@vger.kernel.org # 6.6+ +Reviewed-by: Johannes Thumshirn +Signed-off-by: Naohiro Aota +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/zoned.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/fs/btrfs/zoned.c ++++ b/fs/btrfs/zoned.c +@@ -2169,10 +2169,15 @@ bool btrfs_zone_activate(struct btrfs_bl + goto out_unlock; + } + +- /* No space left */ +- if (btrfs_zoned_bg_is_full(block_group)) { +- ret = false; +- goto out_unlock; ++ if (block_group->flags & BTRFS_BLOCK_GROUP_DATA) { ++ /* The caller should check if the block group is full. */ ++ if (WARN_ON_ONCE(btrfs_zoned_bg_is_full(block_group))) { ++ ret = false; ++ goto out_unlock; ++ } ++ } else { ++ /* Since it is already written, it should have been active. */ ++ WARN_ON_ONCE(block_group->meta_write_pointer != block_group->start); + } + + for (i = 0; i < map->num_stripes; i++) { diff --git a/queue-6.16/crypto-caam-prevent-crash-on-suspend-with-imx8qm-imx8ulp.patch b/queue-6.16/crypto-caam-prevent-crash-on-suspend-with-imx8qm-imx8ulp.patch new file mode 100644 index 0000000000..379d868c3f --- /dev/null +++ b/queue-6.16/crypto-caam-prevent-crash-on-suspend-with-imx8qm-imx8ulp.patch @@ -0,0 +1,116 @@ +From 5ffc47feddcf8eb4d8ac7b42111a02c8e8146512 Mon Sep 17 00:00:00 2001 +From: John Ernberg +Date: Wed, 11 Jun 2025 11:38:08 +0000 +Subject: crypto: caam - Prevent crash on suspend with iMX8QM / iMX8ULP + +From: John Ernberg + +commit 5ffc47feddcf8eb4d8ac7b42111a02c8e8146512 upstream. + +Since the CAAM on these SoCs is managed by another ARM core, called the +SECO (Security Controller) on iMX8QM and Secure Enclave on iMX8ULP, which +also reserves access to register page 0 suspend operations cannot touch +this page. + +This is similar to when running OPTEE, where OPTEE will reserve page 0. + +Track this situation using a new state variable no_page0, reflecting if +page 0 is reserved elsewhere, either by other management cores in SoC or +by OPTEE. + +Replace the optee_en check in suspend/resume with the new check. + +optee_en cannot go away as it's needed elsewhere to gate OPTEE specific +situations. + +Fixes the following splat at suspend: + + Internal error: synchronous external abort: 0000000096000010 [#1] SMP + Hardware name: Freescale i.MX8QXP ACU6C (DT) + pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : readl+0x0/0x18 + lr : rd_reg32+0x18/0x3c + sp : ffffffc08192ba20 + x29: ffffffc08192ba20 x28: ffffff8025190000 x27: 0000000000000000 + x26: ffffffc0808ae808 x25: ffffffc080922338 x24: ffffff8020e89090 + x23: 0000000000000000 x22: ffffffc080922000 x21: ffffff8020e89010 + x20: ffffffc080387ef8 x19: ffffff8020e89010 x18: 000000005d8000d5 + x17: 0000000030f35963 x16: 000000008f785f3f x15: 000000003b8ef57c + x14: 00000000c418aef8 x13: 00000000f5fea526 x12: 0000000000000001 + x11: 0000000000000002 x10: 0000000000000001 x9 : 0000000000000000 + x8 : ffffff8025190870 x7 : ffffff8021726880 x6 : 0000000000000002 + x5 : ffffff80217268f0 x4 : ffffff8021726880 x3 : ffffffc081200000 + x2 : 0000000000000001 x1 : ffffff8020e89010 x0 : ffffffc081200004 + Call trace: + readl+0x0/0x18 + caam_ctrl_suspend+0x30/0xdc + dpm_run_callback.constprop.0+0x24/0x5c + device_suspend+0x170/0x2e8 + dpm_suspend+0xa0/0x104 + dpm_suspend_start+0x48/0x50 + suspend_devices_and_enter+0x7c/0x45c + pm_suspend+0x148/0x160 + state_store+0xb4/0xf8 + kobj_attr_store+0x14/0x24 + sysfs_kf_write+0x38/0x48 + kernfs_fop_write_iter+0xb4/0x178 + vfs_write+0x118/0x178 + ksys_write+0x6c/0xd0 + __arm64_sys_write+0x14/0x1c + invoke_syscall.constprop.0+0x64/0xb0 + do_el0_svc+0x90/0xb0 + el0_svc+0x18/0x44 + el0t_64_sync_handler+0x88/0x124 + el0t_64_sync+0x150/0x154 + Code: 88dffc21 88dffc21 5ac00800 d65f03c0 (b9400000) + +Fixes: d2835701d93c ("crypto: caam - i.MX8ULP donot have CAAM page0 access") +Cc: stable@kernel.org # v6.10+ +Signed-off-by: John Ernberg +Reviewed-by: Peng Fan +Reviewed-by: Frank Li +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/caam/ctrl.c | 5 +++-- + drivers/crypto/caam/intern.h | 1 + + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/crypto/caam/ctrl.c ++++ b/drivers/crypto/caam/ctrl.c +@@ -831,7 +831,7 @@ static int caam_ctrl_suspend(struct devi + { + const struct caam_drv_private *ctrlpriv = dev_get_drvdata(dev); + +- if (ctrlpriv->caam_off_during_pm && !ctrlpriv->optee_en) ++ if (ctrlpriv->caam_off_during_pm && !ctrlpriv->no_page0) + caam_state_save(dev); + + return 0; +@@ -842,7 +842,7 @@ static int caam_ctrl_resume(struct devic + struct caam_drv_private *ctrlpriv = dev_get_drvdata(dev); + int ret = 0; + +- if (ctrlpriv->caam_off_during_pm && !ctrlpriv->optee_en) { ++ if (ctrlpriv->caam_off_during_pm && !ctrlpriv->no_page0) { + caam_state_restore(dev); + + /* HW and rng will be reset so deinstantiation can be removed */ +@@ -908,6 +908,7 @@ static int caam_probe(struct platform_de + + imx_soc_data = imx_soc_match->data; + reg_access = reg_access && imx_soc_data->page0_access; ++ ctrlpriv->no_page0 = !reg_access; + /* + * CAAM clocks cannot be controlled from kernel. + */ +--- a/drivers/crypto/caam/intern.h ++++ b/drivers/crypto/caam/intern.h +@@ -115,6 +115,7 @@ struct caam_drv_private { + u8 blob_present; /* Nonzero if BLOB support present in device */ + u8 mc_en; /* Nonzero if MC f/w is active */ + u8 optee_en; /* Nonzero if OP-TEE f/w is active */ ++ u8 no_page0; /* Nonzero if register page 0 is not controlled by Linux */ + bool pr_support; /* RNG prediction resistance available */ + int secvio_irq; /* Security violation interrupt number */ + int virt_en; /* Virtualization enabled in CAAM */ diff --git a/queue-6.16/crypto-ccp-fix-snp-panic-notifier-unregistration.patch b/queue-6.16/crypto-ccp-fix-snp-panic-notifier-unregistration.patch new file mode 100644 index 0000000000..0ada630b0f --- /dev/null +++ b/queue-6.16/crypto-ccp-fix-snp-panic-notifier-unregistration.patch @@ -0,0 +1,57 @@ +From ab8b9fd39c45b7760093528cbef93e7353359d82 Mon Sep 17 00:00:00 2001 +From: Ashish Kalra +Date: Mon, 16 Jun 2025 21:50:27 +0000 +Subject: crypto: ccp - Fix SNP panic notifier unregistration + +From: Ashish Kalra + +commit ab8b9fd39c45b7760093528cbef93e7353359d82 upstream. + +Panic notifiers are invoked with RCU read lock held and when the +SNP panic notifier tries to unregister itself from the panic +notifier callback itself it causes a deadlock as notifier +unregistration does RCU synchronization. + +Code flow for SNP panic notifier: +snp_shutdown_on_panic() -> +__sev_firmware_shutdown() -> +__sev_snp_shutdown_locked() -> +atomic_notifier_chain_unregister(.., &snp_panic_notifier) + +Fix SNP panic notifier to unregister itself during SNP shutdown +only if panic is not in progress. + +Reviewed-by: Tom Lendacky +Cc: stable@vger.kernel.org +Fixes: 19860c3274fb ("crypto: ccp - Register SNP panic notifier only if SNP is enabled") +Signed-off-by: Ashish Kalra +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/ccp/sev-dev.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c +index 8fb94c5f006a..17edc6bf5622 100644 +--- a/drivers/crypto/ccp/sev-dev.c ++++ b/drivers/crypto/ccp/sev-dev.c +@@ -1787,8 +1787,14 @@ static int __sev_snp_shutdown_locked(int *error, bool panic) + sev->snp_initialized = false; + dev_dbg(sev->dev, "SEV-SNP firmware shutdown\n"); + +- atomic_notifier_chain_unregister(&panic_notifier_list, +- &snp_panic_notifier); ++ /* ++ * __sev_snp_shutdown_locked() deadlocks when it tries to unregister ++ * itself during panic as the panic notifier is called with RCU read ++ * lock held and notifier unregistration does RCU synchronization. ++ */ ++ if (!panic) ++ atomic_notifier_chain_unregister(&panic_notifier_list, ++ &snp_panic_notifier); + + /* Reset TMR size back to default */ + sev_es_tmr_size = SEV_TMR_SIZE; +-- +2.50.1 + diff --git a/queue-6.16/crypto-hash-increase-hash_max_descsize-for-hmac-sha3-224-s390.patch b/queue-6.16/crypto-hash-increase-hash_max_descsize-for-hmac-sha3-224-s390.patch new file mode 100644 index 0000000000..0ba7b0ce47 --- /dev/null +++ b/queue-6.16/crypto-hash-increase-hash_max_descsize-for-hmac-sha3-224-s390.patch @@ -0,0 +1,38 @@ +From 9d9b193ed73a65ec47cf1fd39925b09da8216461 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Thu, 31 Jul 2025 09:41:47 +0800 +Subject: crypto: hash - Increase HASH_MAX_DESCSIZE for hmac(sha3-224-s390) + +From: Herbert Xu + +commit 9d9b193ed73a65ec47cf1fd39925b09da8216461 upstream. + +The value of HASH_MAX_DESCSIZE is off by one for hmac(sha3-224-s390). +Fix this so that hmac(sha3-224-s390) can be registered. + +Reported-by: Ingo Franzki +Reported-by: Eric Biggers +Fixes: 6f90ba706551 ("crypto: s390/sha3 - Use API partial block handling") +Cc: +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + include/crypto/hash.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/crypto/hash.h b/include/crypto/hash.h +index 6f6b9de12cd3..ed63b904837d 100644 +--- a/include/crypto/hash.h ++++ b/include/crypto/hash.h +@@ -184,7 +184,7 @@ struct shash_desc { + * Worst case is hmac(sha3-224-s390). Its context is a nested 'shash_desc' + * containing a 'struct s390_sha_ctx'. + */ +-#define HASH_MAX_DESCSIZE (sizeof(struct shash_desc) + 360) ++#define HASH_MAX_DESCSIZE (sizeof(struct shash_desc) + 361) + #define MAX_SYNC_HASH_REQSIZE (sizeof(struct ahash_request) + \ + HASH_MAX_DESCSIZE) + +-- +2.50.1 + diff --git a/queue-6.16/crypto-octeontx2-fix-address-alignment-issue-on-ucode-loading.patch b/queue-6.16/crypto-octeontx2-fix-address-alignment-issue-on-ucode-loading.patch new file mode 100644 index 0000000000..551d30c6db --- /dev/null +++ b/queue-6.16/crypto-octeontx2-fix-address-alignment-issue-on-ucode-loading.patch @@ -0,0 +1,110 @@ +From b7b88b4939e71ef2aed8238976a2bbabcb63a790 Mon Sep 17 00:00:00 2001 +From: Bharat Bhushan +Date: Thu, 22 May 2025 15:36:25 +0530 +Subject: crypto: octeontx2 - Fix address alignment issue on ucode loading + +From: Bharat Bhushan + +commit b7b88b4939e71ef2aed8238976a2bbabcb63a790 upstream. + +octeontx2 crypto driver allocates memory using kmalloc/kzalloc, +and uses this memory for dma (does dma_map_single()). It assumes +that kmalloc/kzalloc will return 128-byte aligned address. But +kmalloc/kzalloc returns 8-byte aligned address after below changes: + "9382bc44b5f5 arm64: allow kmalloc() caches aligned to the + smaller cache_line_size()" + +Completion address should be 32-Byte alignment when loading +microcode. + +Signed-off-by: Bharat Bhushan +Cc: # v6.5+ +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c | 35 ++++++++++++-------- + 1 file changed, 21 insertions(+), 14 deletions(-) + +--- a/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c ++++ b/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c +@@ -1491,12 +1491,13 @@ int otx2_cpt_discover_eng_capabilities(s + union otx2_cpt_opcode opcode; + union otx2_cpt_res_s *result; + union otx2_cpt_inst_s inst; ++ dma_addr_t result_baddr; + dma_addr_t rptr_baddr; + struct pci_dev *pdev; +- u32 len, compl_rlen; + int timeout = 10000; ++ void *base, *rptr; + int ret, etype; +- void *rptr; ++ u32 len; + + /* + * We don't get capabilities if it was already done +@@ -1519,22 +1520,28 @@ int otx2_cpt_discover_eng_capabilities(s + if (ret) + goto delete_grps; + +- compl_rlen = ALIGN(sizeof(union otx2_cpt_res_s), OTX2_CPT_DMA_MINALIGN); +- len = compl_rlen + LOADFVC_RLEN; ++ /* Allocate extra memory for "rptr" and "result" pointer alignment */ ++ len = LOADFVC_RLEN + ARCH_DMA_MINALIGN + ++ sizeof(union otx2_cpt_res_s) + OTX2_CPT_RES_ADDR_ALIGN; + +- result = kzalloc(len, GFP_KERNEL); +- if (!result) { ++ base = kzalloc(len, GFP_KERNEL); ++ if (!base) { + ret = -ENOMEM; + goto lf_cleanup; + } +- rptr_baddr = dma_map_single(&pdev->dev, (void *)result, len, +- DMA_BIDIRECTIONAL); ++ ++ rptr = PTR_ALIGN(base, ARCH_DMA_MINALIGN); ++ rptr_baddr = dma_map_single(&pdev->dev, rptr, len, DMA_BIDIRECTIONAL); + if (dma_mapping_error(&pdev->dev, rptr_baddr)) { + dev_err(&pdev->dev, "DMA mapping failed\n"); + ret = -EFAULT; +- goto free_result; ++ goto free_rptr; + } +- rptr = (u8 *)result + compl_rlen; ++ ++ result = (union otx2_cpt_res_s *)PTR_ALIGN(rptr + LOADFVC_RLEN, ++ OTX2_CPT_RES_ADDR_ALIGN); ++ result_baddr = ALIGN(rptr_baddr + LOADFVC_RLEN, ++ OTX2_CPT_RES_ADDR_ALIGN); + + /* Fill in the command */ + opcode.s.major = LOADFVC_MAJOR_OP; +@@ -1546,14 +1553,14 @@ int otx2_cpt_discover_eng_capabilities(s + /* 64-bit swap for microcode data reads, not needed for addresses */ + cpu_to_be64s(&iq_cmd.cmd.u); + iq_cmd.dptr = 0; +- iq_cmd.rptr = rptr_baddr + compl_rlen; ++ iq_cmd.rptr = rptr_baddr; + iq_cmd.cptr.u = 0; + + for (etype = 1; etype < OTX2_CPT_MAX_ENG_TYPES; etype++) { + result->s.compcode = OTX2_CPT_COMPLETION_CODE_INIT; + iq_cmd.cptr.s.grp = otx2_cpt_get_eng_grp(&cptpf->eng_grps, + etype); +- otx2_cpt_fill_inst(&inst, &iq_cmd, rptr_baddr); ++ otx2_cpt_fill_inst(&inst, &iq_cmd, result_baddr); + lfs->ops->send_cmd(&inst, 1, &cptpf->lfs.lf[0]); + timeout = 10000; + +@@ -1576,8 +1583,8 @@ int otx2_cpt_discover_eng_capabilities(s + + error_no_response: + dma_unmap_single(&pdev->dev, rptr_baddr, len, DMA_BIDIRECTIONAL); +-free_result: +- kfree(result); ++free_rptr: ++ kfree(base); + lf_cleanup: + otx2_cptlf_shutdown(lfs); + delete_grps: diff --git a/queue-6.16/crypto-octeontx2-fix-address-alignment-on-cn10k-a0-a1-and-octeontx2.patch b/queue-6.16/crypto-octeontx2-fix-address-alignment-on-cn10k-a0-a1-and-octeontx2.patch new file mode 100644 index 0000000000..c1d431d4bf --- /dev/null +++ b/queue-6.16/crypto-octeontx2-fix-address-alignment-on-cn10k-a0-a1-and-octeontx2.patch @@ -0,0 +1,142 @@ +From 2e13163b43e6bb861182ea999a80dd1d893c0cbf Mon Sep 17 00:00:00 2001 +From: Bharat Bhushan +Date: Thu, 22 May 2025 15:36:26 +0530 +Subject: crypto: octeontx2 - Fix address alignment on CN10K A0/A1 and OcteonTX2 + +From: Bharat Bhushan + +commit 2e13163b43e6bb861182ea999a80dd1d893c0cbf upstream. + +octeontx2 crypto driver allocates memory using kmalloc/kzalloc, +and uses this memory for dma (does dma_map_single()). It assumes +that kmalloc/kzalloc will return 128-byte aligned address. But +kmalloc/kzalloc returns 8-byte aligned address after below changes: + "9382bc44b5f5 arm64: allow kmalloc() caches aligned to the + smaller cache_line_size() + +Memory allocated are used for following purpose: + - Input data or scatter list address - 8-Byte alignment + - Output data or gather list address - 8-Byte alignment + - Completion address - 32-Byte alignment. + +This patch ensures all addresses are aligned as mentioned above. + +Signed-off-by: Bharat Bhushan +Cc: # v6.5+ +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/marvell/octeontx2/otx2_cpt_reqmgr.h | 66 ++++++++++++++++----- + 1 file changed, 51 insertions(+), 15 deletions(-) + +--- a/drivers/crypto/marvell/octeontx2/otx2_cpt_reqmgr.h ++++ b/drivers/crypto/marvell/octeontx2/otx2_cpt_reqmgr.h +@@ -34,6 +34,9 @@ + #define SG_COMP_2 2 + #define SG_COMP_1 1 + ++#define OTX2_CPT_DPTR_RPTR_ALIGN 8 ++#define OTX2_CPT_RES_ADDR_ALIGN 32 ++ + union otx2_cpt_opcode { + u16 flags; + struct { +@@ -417,10 +420,9 @@ static inline struct otx2_cpt_inst_info + otx2_sg_info_create(struct pci_dev *pdev, struct otx2_cpt_req_info *req, + gfp_t gfp) + { +- int align = OTX2_CPT_DMA_MINALIGN; + struct otx2_cpt_inst_info *info; +- u32 dlen, align_dlen, info_len; +- u16 g_sz_bytes, s_sz_bytes; ++ u32 dlen, info_len; ++ u16 g_len, s_len; + u32 total_mem_len; + + if (unlikely(req->in_cnt > OTX2_CPT_MAX_SG_IN_CNT || +@@ -429,22 +431,54 @@ otx2_sg_info_create(struct pci_dev *pdev + return NULL; + } + +- g_sz_bytes = ((req->in_cnt + 3) / 4) * +- sizeof(struct otx2_cpt_sglist_component); +- s_sz_bytes = ((req->out_cnt + 3) / 4) * +- sizeof(struct otx2_cpt_sglist_component); ++ /* Allocate memory to meet below alignment requirement: ++ * ------------------------------------ ++ * | struct otx2_cpt_inst_info | ++ * | (No alignment required) | ++ * | --------------------------------| ++ * | | padding for ARCH_DMA_MINALIGN | ++ * | | alignment | ++ * |------------------------------------| ++ * | SG List Header of 8 Byte | ++ * |------------------------------------| ++ * | SG List Gather/Input memory | ++ * | Length = multiple of 32Bytes | ++ * | Alignment = 8Byte | ++ * |---------------------------------- | ++ * | SG List Scatter/Output memory | ++ * | Length = multiple of 32Bytes | ++ * | Alignment = 8Byte | ++ * | -------------------------------| ++ * | | padding for 32B alignment | ++ * |------------------------------------| ++ * | Result response memory | ++ * | Alignment = 32Byte | ++ * ------------------------------------ ++ */ + +- dlen = g_sz_bytes + s_sz_bytes + SG_LIST_HDR_SIZE; +- align_dlen = ALIGN(dlen, align); +- info_len = ALIGN(sizeof(*info), align); +- total_mem_len = align_dlen + info_len + sizeof(union otx2_cpt_res_s); ++ info_len = sizeof(*info); ++ ++ g_len = ((req->in_cnt + 3) / 4) * ++ sizeof(struct otx2_cpt_sglist_component); ++ s_len = ((req->out_cnt + 3) / 4) * ++ sizeof(struct otx2_cpt_sglist_component); ++ ++ dlen = g_len + s_len + SG_LIST_HDR_SIZE; ++ ++ /* Allocate extra memory for SG and response address alignment */ ++ total_mem_len = ALIGN(info_len, OTX2_CPT_DPTR_RPTR_ALIGN); ++ total_mem_len += (ARCH_DMA_MINALIGN - 1) & ++ ~(OTX2_CPT_DPTR_RPTR_ALIGN - 1); ++ total_mem_len += ALIGN(dlen, OTX2_CPT_RES_ADDR_ALIGN); ++ total_mem_len += sizeof(union otx2_cpt_res_s); + + info = kzalloc(total_mem_len, gfp); + if (unlikely(!info)) + return NULL; + + info->dlen = dlen; +- info->in_buffer = (u8 *)info + info_len; ++ info->in_buffer = PTR_ALIGN((u8 *)info + info_len, ARCH_DMA_MINALIGN); ++ info->out_buffer = info->in_buffer + SG_LIST_HDR_SIZE + g_len; + + ((u16 *)info->in_buffer)[0] = req->out_cnt; + ((u16 *)info->in_buffer)[1] = req->in_cnt; +@@ -460,7 +494,7 @@ otx2_sg_info_create(struct pci_dev *pdev + } + + if (setup_sgio_components(pdev, req->out, req->out_cnt, +- &info->in_buffer[8 + g_sz_bytes])) { ++ info->out_buffer)) { + dev_err(&pdev->dev, "Failed to setup scatter list\n"); + goto destroy_info; + } +@@ -476,8 +510,10 @@ otx2_sg_info_create(struct pci_dev *pdev + * Get buffer for union otx2_cpt_res_s response + * structure and its physical address + */ +- info->completion_addr = info->in_buffer + align_dlen; +- info->comp_baddr = info->dptr_baddr + align_dlen; ++ info->completion_addr = PTR_ALIGN((info->in_buffer + dlen), ++ OTX2_CPT_RES_ADDR_ALIGN); ++ info->comp_baddr = ALIGN((info->dptr_baddr + dlen), ++ OTX2_CPT_RES_ADDR_ALIGN); + + return info; + diff --git a/queue-6.16/crypto-octeontx2-fix-address-alignment-on-cn10kb-and-cn10ka-b0.patch b/queue-6.16/crypto-octeontx2-fix-address-alignment-on-cn10kb-and-cn10ka-b0.patch new file mode 100644 index 0000000000..ebe41de38e --- /dev/null +++ b/queue-6.16/crypto-octeontx2-fix-address-alignment-on-cn10kb-and-cn10ka-b0.patch @@ -0,0 +1,126 @@ +From a091a58b8a1eba2f243b0c05bcc82bdc2a4a338d Mon Sep 17 00:00:00 2001 +From: Bharat Bhushan +Date: Thu, 22 May 2025 15:36:27 +0530 +Subject: crypto: octeontx2 - Fix address alignment on CN10KB and CN10KA-B0 + +From: Bharat Bhushan + +commit a091a58b8a1eba2f243b0c05bcc82bdc2a4a338d upstream. + +octeontx2 crypto driver allocates memory using kmalloc/kzalloc, +and uses this memory for dma (does dma_map_single()). It assumes +that kmalloc/kzalloc will return 128-byte aligned address. But +kmalloc/kzalloc returns 8-byte aligned address after below changes: + "9382bc44b5f5 arm64: allow kmalloc() caches aligned to the + smaller cache_line_size() + +Memory allocated are used for following purpose: + - Input data or scatter list address - 8-Byte alignment + - Output data or gather list address - 8-Byte alignment + - Completion address - 32-Byte alignment. + +This patch ensures all addresses are aligned as mentioned above. + +Signed-off-by: Bharat Bhushan +Cc: # v6.8+ +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/marvell/octeontx2/otx2_cpt_reqmgr.h | 61 +++++++++++++++------ + 1 file changed, 45 insertions(+), 16 deletions(-) + +--- a/drivers/crypto/marvell/octeontx2/otx2_cpt_reqmgr.h ++++ b/drivers/crypto/marvell/octeontx2/otx2_cpt_reqmgr.h +@@ -350,22 +350,48 @@ static inline struct otx2_cpt_inst_info + cn10k_sgv2_info_create(struct pci_dev *pdev, struct otx2_cpt_req_info *req, + gfp_t gfp) + { +- u32 dlen = 0, g_len, sg_len, info_len; +- int align = OTX2_CPT_DMA_MINALIGN; ++ u32 dlen = 0, g_len, s_len, sg_len, info_len; + struct otx2_cpt_inst_info *info; +- u16 g_sz_bytes, s_sz_bytes; + u32 total_mem_len; + int i; + +- g_sz_bytes = ((req->in_cnt + 2) / 3) * +- sizeof(struct cn10kb_cpt_sglist_component); +- s_sz_bytes = ((req->out_cnt + 2) / 3) * +- sizeof(struct cn10kb_cpt_sglist_component); +- +- g_len = ALIGN(g_sz_bytes, align); +- sg_len = ALIGN(g_len + s_sz_bytes, align); +- info_len = ALIGN(sizeof(*info), align); +- total_mem_len = sg_len + info_len + sizeof(union otx2_cpt_res_s); ++ /* Allocate memory to meet below alignment requirement: ++ * ------------------------------------ ++ * | struct otx2_cpt_inst_info | ++ * | (No alignment required) | ++ * | --------------------------------| ++ * | | padding for ARCH_DMA_MINALIGN | ++ * | | alignment | ++ * |------------------------------------| ++ * | SG List Gather/Input memory | ++ * | Length = multiple of 32Bytes | ++ * | Alignment = 8Byte | ++ * |---------------------------------- | ++ * | SG List Scatter/Output memory | ++ * | Length = multiple of 32Bytes | ++ * | Alignment = 8Byte | ++ * | -------------------------------| ++ * | | padding for 32B alignment | ++ * |------------------------------------| ++ * | Result response memory | ++ * | Alignment = 32Byte | ++ * ------------------------------------ ++ */ ++ ++ info_len = sizeof(*info); ++ ++ g_len = ((req->in_cnt + 2) / 3) * ++ sizeof(struct cn10kb_cpt_sglist_component); ++ s_len = ((req->out_cnt + 2) / 3) * ++ sizeof(struct cn10kb_cpt_sglist_component); ++ sg_len = g_len + s_len; ++ ++ /* Allocate extra memory for SG and response address alignment */ ++ total_mem_len = ALIGN(info_len, OTX2_CPT_DPTR_RPTR_ALIGN); ++ total_mem_len += (ARCH_DMA_MINALIGN - 1) & ++ ~(OTX2_CPT_DPTR_RPTR_ALIGN - 1); ++ total_mem_len += ALIGN(sg_len, OTX2_CPT_RES_ADDR_ALIGN); ++ total_mem_len += sizeof(union otx2_cpt_res_s); + + info = kzalloc(total_mem_len, gfp); + if (unlikely(!info)) +@@ -375,7 +401,8 @@ cn10k_sgv2_info_create(struct pci_dev *p + dlen += req->in[i].size; + + info->dlen = dlen; +- info->in_buffer = (u8 *)info + info_len; ++ info->in_buffer = PTR_ALIGN((u8 *)info + info_len, ARCH_DMA_MINALIGN); ++ info->out_buffer = info->in_buffer + g_len; + info->gthr_sz = req->in_cnt; + info->sctr_sz = req->out_cnt; + +@@ -387,7 +414,7 @@ cn10k_sgv2_info_create(struct pci_dev *p + } + + if (sgv2io_components_setup(pdev, req->out, req->out_cnt, +- &info->in_buffer[g_len])) { ++ info->out_buffer)) { + dev_err(&pdev->dev, "Failed to setup scatter list\n"); + goto destroy_info; + } +@@ -404,8 +431,10 @@ cn10k_sgv2_info_create(struct pci_dev *p + * Get buffer for union otx2_cpt_res_s response + * structure and its physical address + */ +- info->completion_addr = info->in_buffer + sg_len; +- info->comp_baddr = info->dptr_baddr + sg_len; ++ info->completion_addr = PTR_ALIGN((info->in_buffer + sg_len), ++ OTX2_CPT_RES_ADDR_ALIGN); ++ info->comp_baddr = ALIGN((info->dptr_baddr + sg_len), ++ OTX2_CPT_RES_ADDR_ALIGN); + + return info; + diff --git a/queue-6.16/crypto-qat-flush-misc-workqueue-during-device-shutdown.patch b/queue-6.16/crypto-qat-flush-misc-workqueue-during-device-shutdown.patch new file mode 100644 index 0000000000..f9cbfd7418 --- /dev/null +++ b/queue-6.16/crypto-qat-flush-misc-workqueue-during-device-shutdown.patch @@ -0,0 +1,83 @@ +From 3d4df408ba9bad2b205c7fb8afc1836a6a4ca88a Mon Sep 17 00:00:00 2001 +From: Giovanni Cabiddu +Date: Fri, 11 Jul 2025 13:27:43 +0100 +Subject: crypto: qat - flush misc workqueue during device shutdown + +From: Giovanni Cabiddu + +commit 3d4df408ba9bad2b205c7fb8afc1836a6a4ca88a upstream. + +Repeated loading and unloading of a device specific QAT driver, for +example qat_4xxx, in a tight loop can lead to a crash due to a +use-after-free scenario. This occurs when a power management (PM) +interrupt triggers just before the device-specific driver (e.g., +qat_4xxx.ko) is unloaded, while the core driver (intel_qat.ko) remains +loaded. + +Since the driver uses a shared workqueue (`qat_misc_wq`) across all +devices and owned by intel_qat.ko, a deferred routine from the +device-specific driver may still be pending in the queue. If this +routine executes after the driver is unloaded, it can dereference freed +memory, resulting in a page fault and kernel crash like the following: + + BUG: unable to handle page fault for address: ffa000002e50a01c + #PF: supervisor read access in kernel mode + RIP: 0010:pm_bh_handler+0x1d2/0x250 [intel_qat] + Call Trace: + pm_bh_handler+0x1d2/0x250 [intel_qat] + process_one_work+0x171/0x340 + worker_thread+0x277/0x3a0 + kthread+0xf0/0x120 + ret_from_fork+0x2d/0x50 + +To prevent this, flush the misc workqueue during device shutdown to +ensure that all pending work items are completed before the driver is +unloaded. + +Note: This approach may slightly increase shutdown latency if the +workqueue contains jobs from other devices, but it ensures correctness +and stability. + +Fixes: e5745f34113b ("crypto: qat - enable power management for QAT GEN4") +Signed-off-by: Giovanni Cabiddu +Cc: stable@vger.kernel.org +Reviewed-by: Ahsan Atta +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/intel/qat/qat_common/adf_common_drv.h | 1 + + drivers/crypto/intel/qat/qat_common/adf_init.c | 1 + + drivers/crypto/intel/qat/qat_common/adf_isr.c | 5 +++++ + 3 files changed, 7 insertions(+) + +--- a/drivers/crypto/intel/qat/qat_common/adf_common_drv.h ++++ b/drivers/crypto/intel/qat/qat_common/adf_common_drv.h +@@ -189,6 +189,7 @@ void adf_exit_misc_wq(void); + bool adf_misc_wq_queue_work(struct work_struct *work); + bool adf_misc_wq_queue_delayed_work(struct delayed_work *work, + unsigned long delay); ++void adf_misc_wq_flush(void); + #if defined(CONFIG_PCI_IOV) + int adf_sriov_configure(struct pci_dev *pdev, int numvfs); + void adf_disable_sriov(struct adf_accel_dev *accel_dev); +--- a/drivers/crypto/intel/qat/qat_common/adf_init.c ++++ b/drivers/crypto/intel/qat/qat_common/adf_init.c +@@ -404,6 +404,7 @@ static void adf_dev_shutdown(struct adf_ + hw_data->exit_admin_comms(accel_dev); + + adf_cleanup_etr_data(accel_dev); ++ adf_misc_wq_flush(); + adf_dev_restore(accel_dev); + } + +--- a/drivers/crypto/intel/qat/qat_common/adf_isr.c ++++ b/drivers/crypto/intel/qat/qat_common/adf_isr.c +@@ -407,3 +407,8 @@ bool adf_misc_wq_queue_delayed_work(stru + { + return queue_delayed_work(adf_misc_wq, work, delay); + } ++ ++void adf_misc_wq_flush(void) ++{ ++ flush_workqueue(adf_misc_wq); ++} diff --git a/queue-6.16/crypto-qat-lower-priority-for-skcipher-and-aead-algorithms.patch b/queue-6.16/crypto-qat-lower-priority-for-skcipher-and-aead-algorithms.patch new file mode 100644 index 0000000000..c3a35c6229 --- /dev/null +++ b/queue-6.16/crypto-qat-lower-priority-for-skcipher-and-aead-algorithms.patch @@ -0,0 +1,81 @@ +From 8024774190a5ef2af2c5846f60a50b23e0980a32 Mon Sep 17 00:00:00 2001 +From: Giovanni Cabiddu +Date: Fri, 13 Jun 2025 11:32:27 +0100 +Subject: crypto: qat - lower priority for skcipher and aead algorithms + +From: Giovanni Cabiddu + +commit 8024774190a5ef2af2c5846f60a50b23e0980a32 upstream. + +Most kernel applications utilizing the crypto API operate synchronously +and on small buffer sizes, therefore do not benefit from QAT acceleration. + +Reduce the priority of QAT implementations for both skcipher and aead +algorithms, allowing more suitable alternatives to be selected by default. + +Signed-off-by: Giovanni Cabiddu +Link: https://lore.kernel.org/all/20250613012357.GA3603104@google.com/ +Cc: stable@vger.kernel.org +Acked-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/intel/qat/qat_common/qat_algs.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/crypto/intel/qat/qat_common/qat_algs.c ++++ b/drivers/crypto/intel/qat/qat_common/qat_algs.c +@@ -1277,7 +1277,7 @@ static struct aead_alg qat_aeads[] = { { + .base = { + .cra_name = "authenc(hmac(sha1),cbc(aes))", + .cra_driver_name = "qat_aes_cbc_hmac_sha1", +- .cra_priority = 4001, ++ .cra_priority = 100, + .cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY, + .cra_blocksize = AES_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct qat_alg_aead_ctx), +@@ -1294,7 +1294,7 @@ static struct aead_alg qat_aeads[] = { { + .base = { + .cra_name = "authenc(hmac(sha256),cbc(aes))", + .cra_driver_name = "qat_aes_cbc_hmac_sha256", +- .cra_priority = 4001, ++ .cra_priority = 100, + .cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY, + .cra_blocksize = AES_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct qat_alg_aead_ctx), +@@ -1311,7 +1311,7 @@ static struct aead_alg qat_aeads[] = { { + .base = { + .cra_name = "authenc(hmac(sha512),cbc(aes))", + .cra_driver_name = "qat_aes_cbc_hmac_sha512", +- .cra_priority = 4001, ++ .cra_priority = 100, + .cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY, + .cra_blocksize = AES_BLOCK_SIZE, + .cra_ctxsize = sizeof(struct qat_alg_aead_ctx), +@@ -1329,7 +1329,7 @@ static struct aead_alg qat_aeads[] = { { + static struct skcipher_alg qat_skciphers[] = { { + .base.cra_name = "cbc(aes)", + .base.cra_driver_name = "qat_aes_cbc", +- .base.cra_priority = 4001, ++ .base.cra_priority = 100, + .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY, + .base.cra_blocksize = AES_BLOCK_SIZE, + .base.cra_ctxsize = sizeof(struct qat_alg_skcipher_ctx), +@@ -1347,7 +1347,7 @@ static struct skcipher_alg qat_skciphers + }, { + .base.cra_name = "ctr(aes)", + .base.cra_driver_name = "qat_aes_ctr", +- .base.cra_priority = 4001, ++ .base.cra_priority = 100, + .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY, + .base.cra_blocksize = 1, + .base.cra_ctxsize = sizeof(struct qat_alg_skcipher_ctx), +@@ -1365,7 +1365,7 @@ static struct skcipher_alg qat_skciphers + }, { + .base.cra_name = "xts(aes)", + .base.cra_driver_name = "qat_aes_xts", +- .base.cra_priority = 4001, ++ .base.cra_priority = 100, + .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK | + CRYPTO_ALG_ALLOCATES_MEMORY, + .base.cra_blocksize = AES_BLOCK_SIZE, diff --git a/queue-6.16/crypto-x86-aegis-add-missing-error-checks.patch b/queue-6.16/crypto-x86-aegis-add-missing-error-checks.patch new file mode 100644 index 0000000000..13f83ba456 --- /dev/null +++ b/queue-6.16/crypto-x86-aegis-add-missing-error-checks.patch @@ -0,0 +1,127 @@ +From 3d9eb180fbe8828cce43bce4c370124685b205c3 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Tue, 8 Jul 2025 12:38:29 -0700 +Subject: crypto: x86/aegis - Add missing error checks + +From: Eric Biggers + +commit 3d9eb180fbe8828cce43bce4c370124685b205c3 upstream. + +The skcipher_walk functions can allocate memory and can fail, so +checking for errors is necessary. + +Fixes: 1d373d4e8e15 ("crypto: x86 - Add optimized AEGIS implementations") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/crypto/aegis128-aesni-glue.c | 36 +++++++++++++++++++++++----------- + 1 file changed, 25 insertions(+), 11 deletions(-) + +--- a/arch/x86/crypto/aegis128-aesni-glue.c ++++ b/arch/x86/crypto/aegis128-aesni-glue.c +@@ -104,10 +104,12 @@ static void crypto_aegis128_aesni_proces + } + } + +-static __always_inline void ++static __always_inline int + crypto_aegis128_aesni_process_crypt(struct aegis_state *state, + struct skcipher_walk *walk, bool enc) + { ++ int err = 0; ++ + while (walk->nbytes >= AEGIS128_BLOCK_SIZE) { + if (enc) + aegis128_aesni_enc(state, walk->src.virt.addr, +@@ -120,7 +122,8 @@ crypto_aegis128_aesni_process_crypt(stru + round_down(walk->nbytes, + AEGIS128_BLOCK_SIZE)); + kernel_fpu_end(); +- skcipher_walk_done(walk, walk->nbytes % AEGIS128_BLOCK_SIZE); ++ err = skcipher_walk_done(walk, ++ walk->nbytes % AEGIS128_BLOCK_SIZE); + kernel_fpu_begin(); + } + +@@ -134,9 +137,10 @@ crypto_aegis128_aesni_process_crypt(stru + walk->dst.virt.addr, + walk->nbytes); + kernel_fpu_end(); +- skcipher_walk_done(walk, 0); ++ err = skcipher_walk_done(walk, 0); + kernel_fpu_begin(); + } ++ return err; + } + + static struct aegis_ctx *crypto_aegis128_aesni_ctx(struct crypto_aead *aead) +@@ -169,7 +173,7 @@ static int crypto_aegis128_aesni_setauth + return 0; + } + +-static __always_inline void ++static __always_inline int + crypto_aegis128_aesni_crypt(struct aead_request *req, + struct aegis_block *tag_xor, + unsigned int cryptlen, bool enc) +@@ -178,20 +182,24 @@ crypto_aegis128_aesni_crypt(struct aead_ + struct aegis_ctx *ctx = crypto_aegis128_aesni_ctx(tfm); + struct skcipher_walk walk; + struct aegis_state state; ++ int err; + + if (enc) +- skcipher_walk_aead_encrypt(&walk, req, false); ++ err = skcipher_walk_aead_encrypt(&walk, req, false); + else +- skcipher_walk_aead_decrypt(&walk, req, false); ++ err = skcipher_walk_aead_decrypt(&walk, req, false); ++ if (err) ++ return err; + + kernel_fpu_begin(); + + aegis128_aesni_init(&state, &ctx->key, req->iv); + crypto_aegis128_aesni_process_ad(&state, req->src, req->assoclen); +- crypto_aegis128_aesni_process_crypt(&state, &walk, enc); +- aegis128_aesni_final(&state, tag_xor, req->assoclen, cryptlen); +- ++ err = crypto_aegis128_aesni_process_crypt(&state, &walk, enc); ++ if (err == 0) ++ aegis128_aesni_final(&state, tag_xor, req->assoclen, cryptlen); + kernel_fpu_end(); ++ return err; + } + + static int crypto_aegis128_aesni_encrypt(struct aead_request *req) +@@ -200,8 +208,11 @@ static int crypto_aegis128_aesni_encrypt + struct aegis_block tag = {}; + unsigned int authsize = crypto_aead_authsize(tfm); + unsigned int cryptlen = req->cryptlen; ++ int err; + +- crypto_aegis128_aesni_crypt(req, &tag, cryptlen, true); ++ err = crypto_aegis128_aesni_crypt(req, &tag, cryptlen, true); ++ if (err) ++ return err; + + scatterwalk_map_and_copy(tag.bytes, req->dst, + req->assoclen + cryptlen, authsize, 1); +@@ -216,11 +227,14 @@ static int crypto_aegis128_aesni_decrypt + struct aegis_block tag; + unsigned int authsize = crypto_aead_authsize(tfm); + unsigned int cryptlen = req->cryptlen - authsize; ++ int err; + + scatterwalk_map_and_copy(tag.bytes, req->src, + req->assoclen + cryptlen, authsize, 0); + +- crypto_aegis128_aesni_crypt(req, &tag, cryptlen, false); ++ err = crypto_aegis128_aesni_crypt(req, &tag, cryptlen, false); ++ if (err) ++ return err; + + return crypto_memneq(tag.bytes, zeros.bytes, authsize) ? -EBADMSG : 0; + } diff --git a/queue-6.16/crypto-x86-aegis-fix-sleeping-when-disallowed-on-preempt_rt.patch b/queue-6.16/crypto-x86-aegis-fix-sleeping-when-disallowed-on-preempt_rt.patch new file mode 100644 index 0000000000..9c99f78ac4 --- /dev/null +++ b/queue-6.16/crypto-x86-aegis-fix-sleeping-when-disallowed-on-preempt_rt.patch @@ -0,0 +1,62 @@ +From c7f49dadfcdf27e1f747442e874e9baa52ab7674 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Tue, 8 Jul 2025 12:38:28 -0700 +Subject: crypto: x86/aegis - Fix sleeping when disallowed on PREEMPT_RT + +From: Eric Biggers + +commit c7f49dadfcdf27e1f747442e874e9baa52ab7674 upstream. + +skcipher_walk_done() can call kfree(), which takes a spinlock, which +makes it incorrect to call while preemption is disabled on PREEMPT_RT. +Therefore, end the kernel-mode FPU section before calling +skcipher_walk_done(), and restart it afterwards. + +Moreover, pass atomic=false to skcipher_walk_aead_encrypt() instead of +atomic=true. The point of atomic=true was to make skcipher_walk_done() +safe to call while in a kernel-mode FPU section, but that does not +actually work. So just use the usual atomic=false. + +Fixes: 1d373d4e8e15 ("crypto: x86 - Add optimized AEGIS implementations") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/crypto/aegis128-aesni-glue.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/x86/crypto/aegis128-aesni-glue.c ++++ b/arch/x86/crypto/aegis128-aesni-glue.c +@@ -119,7 +119,9 @@ crypto_aegis128_aesni_process_crypt(stru + walk->dst.virt.addr, + round_down(walk->nbytes, + AEGIS128_BLOCK_SIZE)); ++ kernel_fpu_end(); + skcipher_walk_done(walk, walk->nbytes % AEGIS128_BLOCK_SIZE); ++ kernel_fpu_begin(); + } + + if (walk->nbytes) { +@@ -131,7 +133,9 @@ crypto_aegis128_aesni_process_crypt(stru + aegis128_aesni_dec_tail(state, walk->src.virt.addr, + walk->dst.virt.addr, + walk->nbytes); ++ kernel_fpu_end(); + skcipher_walk_done(walk, 0); ++ kernel_fpu_begin(); + } + } + +@@ -176,9 +180,9 @@ crypto_aegis128_aesni_crypt(struct aead_ + struct aegis_state state; + + if (enc) +- skcipher_walk_aead_encrypt(&walk, req, true); ++ skcipher_walk_aead_encrypt(&walk, req, false); + else +- skcipher_walk_aead_decrypt(&walk, req, true); ++ skcipher_walk_aead_decrypt(&walk, req, false); + + kernel_fpu_begin(); + diff --git a/queue-6.16/ext4-check-fast-symlink-for-ea_inode-correctly.patch b/queue-6.16/ext4-check-fast-symlink-for-ea_inode-correctly.patch new file mode 100644 index 0000000000..d63144362f --- /dev/null +++ b/queue-6.16/ext4-check-fast-symlink-for-ea_inode-correctly.patch @@ -0,0 +1,63 @@ +From b4cc4a4077268522e3d0d34de4b2dc144e2330fa Mon Sep 17 00:00:00 2001 +From: Andreas Dilger +Date: Wed, 16 Jul 2025 19:36:42 -0600 +Subject: ext4: check fast symlink for ea_inode correctly + +From: Andreas Dilger + +commit b4cc4a4077268522e3d0d34de4b2dc144e2330fa upstream. + +The check for a fast symlink in the presence of only an +external xattr inode is incorrect. If a fast symlink does +not have an xattr block (i_file_acl == 0), but does have +an external xattr inode that increases inode i_blocks, then +the check for a fast symlink will incorrectly fail and +__ext4_iget()->ext4_ind_check_inode() will report the inode +is corrupt when it "validates" i_data[] on the next read: + + # ln -s foo /mnt/tmp/bar + # setfattr -h -n trusted.test \ + -v "$(yes | head -n 4000)" /mnt/tmp/bar + # umount /mnt/tmp + # mount /mnt/tmp + # ls -l /mnt/tmp + ls: cannot access '/mnt/tmp/bar': Structure needs cleaning + total 4 + ? l?????????? ? ? ? ? ? bar + # dmesg | tail -1 + EXT4-fs error (device dm-8): __ext4_iget:5098: + inode #24578: block 7303014: comm ls: invalid block + +(note that "block 7303014" = 0x6f6f66 = "foo" in LE order). + +ext4_inode_is_fast_symlink() should check the superblock +EXT4_FEATURE_INCOMPAT_EA_INODE feature flag, not the inode +EXT4_EA_INODE_FL, since the latter is only set on the xattr +inode itself, and not on the inode that uses this xattr. + +Cc: stable@vger.kernel.org +Fixes: fc82228a5e38 ("ext4: support fast symlinks from ext3 file systems") +Signed-off-by: Andreas Dilger +Reviewed-by: Li Dongyang +Reviewed-by: Alex Zhuravlev +Reviewed-by: Oleg Drokin +Reviewed-on: https://review.whamcloud.com/59879 +Lustre-bug-id: https://jira.whamcloud.com/browse/LU-19121 +Link: https://patch.msgid.link/20250717063709.757077-1-adilger@dilger.ca +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -146,7 +146,7 @@ static inline int ext4_begin_ordered_tru + */ + int ext4_inode_is_fast_symlink(struct inode *inode) + { +- if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) { ++ if (!ext4_has_feature_ea_inode(inode->i_sb)) { + int ea_blocks = EXT4_I(inode)->i_file_acl ? + EXT4_CLUSTER_SIZE(inode->i_sb) >> 9 : 0; + diff --git a/queue-6.16/ext4-don-t-try-to-clear-the-orphan_present-feature-block-device-is-r-o.patch b/queue-6.16/ext4-don-t-try-to-clear-the-orphan_present-feature-block-device-is-r-o.patch new file mode 100644 index 0000000000..632b4afcae --- /dev/null +++ b/queue-6.16/ext4-don-t-try-to-clear-the-orphan_present-feature-block-device-is-r-o.patch @@ -0,0 +1,48 @@ +From c5e104a91e7b6fa12c1dc2d8bf84abb7ef9b89ad Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 7 Aug 2025 09:35:20 -0400 +Subject: ext4: don't try to clear the orphan_present feature block device is r/o + +From: Theodore Ts'o + +commit c5e104a91e7b6fa12c1dc2d8bf84abb7ef9b89ad upstream. + +When the file system is frozen in preparation for taking an LVM +snapshot, the journal is checkpointed and if the orphan_file feature +is enabled, and the orphan file is empty, we clear the orphan_present +feature flag. But if there are pending inodes that need to be removed +the orphan_present feature flag can't be cleared. + +The problem comes if the block device is read-only. In that case, we +can't process the orphan inode list, so it is skipped in +ext4_orphan_cleanup(). But then in ext4_mark_recovery_complete(), +this results in the ext4 error "Orphan file not empty on read-only fs" +firing and the file system mount is aborted. + +Fix this by clearing the needs_recovery flag in the block device is +read-only. We do this after the call to ext4_load_and_init-journal() +since there are some error checks need to be done in case the journal +needs to be replayed and the block device is read-only, or if the +block device containing the externa journal is read-only, etc. + +Cc: stable@kernel.org +Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108271 +Cc: stable@vger.kernel.org +Fixes: 02f310fcf47f ("ext4: Speedup ext4 orphan inode handling") +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5414,6 +5414,8 @@ static int __ext4_fill_super(struct fs_c + err = ext4_load_and_init_journal(sb, es, ctx); + if (err) + goto failed_mount3a; ++ if (bdev_read_only(sb->s_bdev)) ++ needs_recovery = 0; + } else if (test_opt(sb, NOLOAD) && !sb_rdonly(sb) && + ext4_has_feature_journal_needs_recovery(sb)) { + ext4_msg(sb, KERN_ERR, "required journal recovery " diff --git a/queue-6.16/ext4-fix-fsmap-end-of-range-reporting-with-bigalloc.patch b/queue-6.16/ext4-fix-fsmap-end-of-range-reporting-with-bigalloc.patch new file mode 100644 index 0000000000..ad1a346b01 --- /dev/null +++ b/queue-6.16/ext4-fix-fsmap-end-of-range-reporting-with-bigalloc.patch @@ -0,0 +1,120 @@ +From bae76c035bf0852844151e68098c9b7cd63ef238 Mon Sep 17 00:00:00 2001 +From: Ojaswin Mujoo +Date: Tue, 5 Aug 2025 14:00:30 +0530 +Subject: ext4: fix fsmap end of range reporting with bigalloc + +From: Ojaswin Mujoo + +commit bae76c035bf0852844151e68098c9b7cd63ef238 upstream. + +With bigalloc enabled, the logic to report last extent has a bug since +we try to use cluster units instead of block units. This can cause an +issue where extra incorrect entries might be returned back to the +user. This was flagged by generic/365 with 64k bs and -O bigalloc. + +** Details of issue ** + +The issue was noticed on 5G 64k blocksize FS with -O bigalloc which has +only 1 bg. + +$ xfs_io -c "fsmap -d" /mnt/scratch + + 0: 253:48 [0..127]: static fs metadata 128 /* sb */ + 1: 253:48 [128..255]: special 102:1 128 /* gdt */ + 3: 253:48 [256..383]: special 102:3 128 /* block bitmap */ + 4: 253:48 [384..2303]: unknown 1920 /* flex bg empty space */ + 5: 253:48 [2304..2431]: special 102:4 128 /* inode bitmap */ + 6: 253:48 [2432..4351]: unknown 1920 /* flex bg empty space */ + 7: 253:48 [4352..6911]: inodes 2560 + 8: 253:48 [6912..538623]: unknown 531712 + 9: 253:48 [538624..10485759]: free space 9947136 + +The issue can be seen with: + +$ xfs_io -c "fsmap -d 0 3" /mnt/scratch + + 0: 253:48 [0..127]: static fs metadata 128 + 1: 253:48 [384..2047]: unknown 1664 + +Only the first entry was expected to be returned but we get 2. This is +because: + +ext4_getfsmap_datadev() + first_cluster, last_cluster = 0 + ... + info->gfi_last = true; + ext4_getfsmap_datadev_helper(sb, end_ag, last_cluster + 1, 0, info); + fsb = C2B(1) = 16 + fslen = 0 + ... + /* Merge in any relevant extents from the meta_list */ + list_for_each_entry_safe(p, tmp, &info->gfi_meta_list, fmr_list) { + ... + // since fsb = 16, considers all metadata which starts before 16 blockno + iter 1: error = ext4_getfsmap_helper(sb, info, p); // p = sb (0,1), nop + info->gfi_next_fsblk = 1 + iter 2: error = ext4_getfsmap_helper(sb, info, p); // p = gdt (1,2), nop + info->gfi_next_fsblk = 2 + iter 3: error = ext4_getfsmap_helper(sb, info, p); // p = blk bitmap (2,3), nop + info->gfi_next_fsblk = 3 + iter 4: error = ext4_getfsmap_helper(sb, info, p); // p = ino bitmap (18,19) + if (rec_blk > info->gfi_next_fsblk) { // (18 > 3) + // emits an extra entry ** BUG ** + } + } + +Fix this by directly calling ext4_getfsmap_datadev() with a dummy +record that has fmr_physical set to (end_fsb + 1) instead of +last_cluster + 1. By using the block instead of cluster we get the +correct behavior. + +Replacing ext4_getfsmap_datadev_helper() with ext4_getfsmap_helper() +is okay since the gfi_lastfree and metadata checks in +ext4_getfsmap_datadev_helper() are anyways redundant when we only want +to emit the last allocated block of the range, as we have already +taken care of emitting metadata and any last free blocks. + +Cc: stable@kernel.org +Reported-by: Disha Goel +Fixes: 4a622e4d477b ("ext4: fix FS_IOC_GETFSMAP handling") +Signed-off-by: Ojaswin Mujoo +Reviewed-by: Darrick J. Wong +Link: https://patch.msgid.link/e7472c8535c9c5ec10f425f495366864ea12c9da.1754377641.git.ojaswin@linux.ibm.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/fsmap.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/fs/ext4/fsmap.c ++++ b/fs/ext4/fsmap.c +@@ -526,6 +526,7 @@ static int ext4_getfsmap_datadev(struct + ext4_group_t end_ag; + ext4_grpblk_t first_cluster; + ext4_grpblk_t last_cluster; ++ struct ext4_fsmap irec; + int error = 0; + + bofs = le32_to_cpu(sbi->s_es->s_first_data_block); +@@ -609,10 +610,18 @@ static int ext4_getfsmap_datadev(struct + goto err; + } + +- /* Report any gaps at the end of the bg */ ++ /* ++ * The dummy record below will cause ext4_getfsmap_helper() to report ++ * any allocated blocks at the end of the range. ++ */ ++ irec.fmr_device = 0; ++ irec.fmr_physical = end_fsb + 1; ++ irec.fmr_length = 0; ++ irec.fmr_owner = EXT4_FMR_OWN_FREE; ++ irec.fmr_flags = 0; ++ + info->gfi_last = true; +- error = ext4_getfsmap_datadev_helper(sb, end_ag, last_cluster + 1, +- 0, info); ++ error = ext4_getfsmap_helper(sb, info, &irec); + if (error) + goto err; + diff --git a/queue-6.16/ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch b/queue-6.16/ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch new file mode 100644 index 0000000000..8009203e7d --- /dev/null +++ b/queue-6.16/ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch @@ -0,0 +1,80 @@ +From 02c7f7219ac0e2277b3379a3a0e9841ef464b6d4 Mon Sep 17 00:00:00 2001 +From: Zhang Yi +Date: Mon, 11 Aug 2025 14:45:32 +0800 +Subject: ext4: fix hole length calculation overflow in non-extent inodes + +From: Zhang Yi + +commit 02c7f7219ac0e2277b3379a3a0e9841ef464b6d4 upstream. + +In a filesystem with a block size larger than 4KB, the hole length +calculation for a non-extent inode in ext4_ind_map_blocks() can easily +exceed INT_MAX. Then it could return a zero length hole and trigger the +following waring and infinite in the iomap infrastructure. + + ------------[ cut here ]------------ + WARNING: CPU: 3 PID: 434101 at fs/iomap/iter.c:34 iomap_iter_done+0x148/0x190 + CPU: 3 UID: 0 PID: 434101 Comm: fsstress Not tainted 6.16.0-rc7+ #128 PREEMPT(voluntary) + Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 + pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : iomap_iter_done+0x148/0x190 + lr : iomap_iter+0x174/0x230 + sp : ffff8000880af740 + x29: ffff8000880af740 x28: ffff0000db8e6840 x27: 0000000000000000 + x26: 0000000000000000 x25: ffff8000880af830 x24: 0000004000000000 + x23: 0000000000000002 x22: 000001bfdbfa8000 x21: ffffa6a41c002e48 + x20: 0000000000000001 x19: ffff8000880af808 x18: 0000000000000000 + x17: 0000000000000000 x16: ffffa6a495ee6cd0 x15: 0000000000000000 + x14: 00000000000003d4 x13: 00000000fa83b2da x12: 0000b236fc95f18c + x11: ffffa6a4978b9c08 x10: 0000000000001da0 x9 : ffffa6a41c1a2a44 + x8 : ffff8000880af5c8 x7 : 0000000001000000 x6 : 0000000000000000 + x5 : 0000000000000004 x4 : 000001bfdbfa8000 x3 : 0000000000000000 + x2 : 0000000000000000 x1 : 0000004004030000 x0 : 0000000000000000 + Call trace: + iomap_iter_done+0x148/0x190 (P) + iomap_iter+0x174/0x230 + iomap_fiemap+0x154/0x1d8 + ext4_fiemap+0x110/0x140 [ext4] + do_vfs_ioctl+0x4b8/0xbc0 + __arm64_sys_ioctl+0x8c/0x120 + invoke_syscall+0x6c/0x100 + el0_svc_common.constprop.0+0x48/0xf0 + do_el0_svc+0x24/0x38 + el0_svc+0x38/0x120 + el0t_64_sync_handler+0x10c/0x138 + el0t_64_sync+0x198/0x1a0 + ---[ end trace 0000000000000000 ]--- + +Cc: stable@kernel.org +Fixes: facab4d9711e ("ext4: return hole from ext4_map_blocks()") +Reported-by: Qu Wenruo +Closes: https://lore.kernel.org/linux-ext4/9b650a52-9672-4604-a765-bb6be55d1e4a@gmx.com/ +Tested-by: Qu Wenruo +Signed-off-by: Zhang Yi +Link: https://patch.msgid.link/20250811064532.1788289-1-yi.zhang@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/indirect.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/ext4/indirect.c ++++ b/fs/ext4/indirect.c +@@ -539,7 +539,7 @@ int ext4_ind_map_blocks(handle_t *handle + int indirect_blks; + int blocks_to_boundary = 0; + int depth; +- int count = 0; ++ u64 count = 0; + ext4_fsblk_t first_block = 0; + + trace_ext4_ind_map_blocks_enter(inode, map->m_lblk, map->m_len, flags); +@@ -588,7 +588,7 @@ int ext4_ind_map_blocks(handle_t *handle + count++; + /* Fill in size of a hole we found */ + map->m_pblk = 0; +- map->m_len = min_t(unsigned int, map->m_len, count); ++ map->m_len = umin(map->m_len, count); + goto cleanup; + } + diff --git a/queue-6.16/ext4-fix-reserved-gdt-blocks-handling-in-fsmap.patch b/queue-6.16/ext4-fix-reserved-gdt-blocks-handling-in-fsmap.patch new file mode 100644 index 0000000000..14a3792072 --- /dev/null +++ b/queue-6.16/ext4-fix-reserved-gdt-blocks-handling-in-fsmap.patch @@ -0,0 +1,53 @@ +From 3ffbdd1f1165f1b2d6a94d1b1aabef57120deaf7 Mon Sep 17 00:00:00 2001 +From: Ojaswin Mujoo +Date: Tue, 5 Aug 2025 14:00:31 +0530 +Subject: ext4: fix reserved gdt blocks handling in fsmap + +From: Ojaswin Mujoo + +commit 3ffbdd1f1165f1b2d6a94d1b1aabef57120deaf7 upstream. + +In some cases like small FSes with no meta_bg and where the resize +doesn't need extra gdt blocks as it can fit in the current one, +s_reserved_gdt_blocks is set as 0, which causes fsmap to emit a 0 +length entry, which is incorrect. + + $ mkfs.ext4 -b 65536 -O bigalloc /dev/sda 5G + $ mount /dev/sda /mnt/scratch + $ xfs_io -c "fsmap -d" /mnt/scartch + + 0: 253:48 [0..127]: static fs metadata 128 + 1: 253:48 [128..255]: special 102:1 128 + 2: 253:48 [256..255]: special 102:2 0 <---- 0 len entry + 3: 253:48 [256..383]: special 102:3 128 + +Fix this by adding a check for this case. + +Cc: stable@kernel.org +Fixes: 0c9ec4beecac ("ext4: support GETFSMAP ioctls") +Signed-off-by: Ojaswin Mujoo +Reviewed-by: Darrick J. Wong +Link: https://patch.msgid.link/08781b796453a5770112aa96ad14c864fbf31935.1754377641.git.ojaswin@linux.ibm.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/fsmap.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/ext4/fsmap.c ++++ b/fs/ext4/fsmap.c +@@ -393,6 +393,14 @@ static unsigned int ext4_getfsmap_find_s + /* Reserved GDT blocks */ + if (!ext4_has_feature_meta_bg(sb) || metagroup < first_meta_bg) { + len = le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks); ++ ++ /* ++ * mkfs.ext4 can set s_reserved_gdt_blocks as 0 in some cases, ++ * check for that. ++ */ ++ if (!len) ++ return 0; ++ + error = ext4_getfsmap_fill(meta_list, fsb, len, + EXT4_FMR_OWN_RESV_GDT); + if (error) diff --git a/queue-6.16/ext4-preserve-sb_i_version-on-remount.patch b/queue-6.16/ext4-preserve-sb_i_version-on-remount.patch new file mode 100644 index 0000000000..961fb8d815 --- /dev/null +++ b/queue-6.16/ext4-preserve-sb_i_version-on-remount.patch @@ -0,0 +1,55 @@ +From f2326fd14a224e4cccbab89e14c52279ff79b7ec Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Thu, 3 Jul 2025 15:39:03 +0800 +Subject: ext4: preserve SB_I_VERSION on remount + +From: Baokun Li + +commit f2326fd14a224e4cccbab89e14c52279ff79b7ec upstream. + +IMA testing revealed that after an ext4 remount, file accesses triggered +full measurements even without modifications, instead of skipping as +expected when i_version is unchanged. + +Debugging showed `SB_I_VERSION` was cleared in reconfigure_super() during +remount due to commit 1ff20307393e ("ext4: unconditionally enable the +i_version counter") removing the fix from commit 960e0ab63b2e ("ext4: fix +i_version handling on remount"). + +To rectify this, `SB_I_VERSION` is always set for `fc->sb_flags` in +ext4_init_fs_context(), instead of `sb->s_flags` in __ext4_fill_super(), +ensuring it persists across all mounts. + +Cc: stable@kernel.org +Fixes: 1ff20307393e ("ext4: unconditionally enable the i_version counter") +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://patch.msgid.link/20250703073903.6952-2-libaokun@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1998,6 +1998,9 @@ int ext4_init_fs_context(struct fs_conte + fc->fs_private = ctx; + fc->ops = &ext4_context_ops; + ++ /* i_version is always enabled now */ ++ fc->sb_flags |= SB_I_VERSION; ++ + return 0; + } + +@@ -5314,9 +5317,6 @@ static int __ext4_fill_super(struct fs_c + sb->s_flags = (sb->s_flags & ~SB_POSIXACL) | + (test_opt(sb, POSIX_ACL) ? SB_POSIXACL : 0); + +- /* i_version is always enabled now */ +- sb->s_flags |= SB_I_VERSION; +- + /* HSM events are allowed by default. */ + sb->s_iflags |= SB_I_ALLOW_HSM; + diff --git a/queue-6.16/ext4-use-kmalloc_array-for-array-space-allocation.patch b/queue-6.16/ext4-use-kmalloc_array-for-array-space-allocation.patch new file mode 100644 index 0000000000..b2f602c938 --- /dev/null +++ b/queue-6.16/ext4-use-kmalloc_array-for-array-space-allocation.patch @@ -0,0 +1,35 @@ +From 76dba1fe277f6befd6ef650e1946f626c547387a Mon Sep 17 00:00:00 2001 +From: Liao Yuanhong +Date: Mon, 11 Aug 2025 20:58:16 +0800 +Subject: ext4: use kmalloc_array() for array space allocation + +From: Liao Yuanhong + +commit 76dba1fe277f6befd6ef650e1946f626c547387a upstream. + +Replace kmalloc(size * sizeof) with kmalloc_array() for safer memory +allocation and overflow prevention. + +Cc: stable@kernel.org +Signed-off-by: Liao Yuanhong +Link: https://patch.msgid.link/20250811125816.570142-1-liaoyuanhong@vivo.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/orphan.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/ext4/orphan.c ++++ b/fs/ext4/orphan.c +@@ -589,8 +589,9 @@ int ext4_init_orphan_info(struct super_b + } + oi->of_blocks = inode->i_size >> sb->s_blocksize_bits; + oi->of_csum_seed = EXT4_I(inode)->i_csum_seed; +- oi->of_binfo = kmalloc(oi->of_blocks*sizeof(struct ext4_orphan_block), +- GFP_KERNEL); ++ oi->of_binfo = kmalloc_array(oi->of_blocks, ++ sizeof(struct ext4_orphan_block), ++ GFP_KERNEL); + if (!oi->of_binfo) { + ret = -ENOMEM; + goto out_put; diff --git a/queue-6.16/ksmbd-extend-the-connection-limiting-mechanism-to-support-ipv6.patch b/queue-6.16/ksmbd-extend-the-connection-limiting-mechanism-to-support-ipv6.patch new file mode 100644 index 0000000000..973d2191d1 --- /dev/null +++ b/queue-6.16/ksmbd-extend-the-connection-limiting-mechanism-to-support-ipv6.patch @@ -0,0 +1,93 @@ +From c0d41112f1a5828c194b59cca953114bc3776ef2 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Sun, 17 Aug 2025 09:48:40 +0900 +Subject: ksmbd: extend the connection limiting mechanism to support IPv6 + +From: Namjae Jeon + +commit c0d41112f1a5828c194b59cca953114bc3776ef2 upstream. + +Update the connection tracking logic to handle both IPv4 and IPv6 +address families. + +Cc: stable@vger.kernel.org +Fixes: e6bb91939740 ("ksmbd: limit repeated connections from clients with the same IP") +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/connection.h | 7 ++++++- + fs/smb/server/transport_tcp.c | 26 +++++++++++++++++++++++--- + 2 files changed, 29 insertions(+), 4 deletions(-) + +--- a/fs/smb/server/connection.h ++++ b/fs/smb/server/connection.h +@@ -46,7 +46,12 @@ struct ksmbd_conn { + struct mutex srv_mutex; + int status; + unsigned int cli_cap; +- __be32 inet_addr; ++ union { ++ __be32 inet_addr; ++#if IS_ENABLED(CONFIG_IPV6) ++ u8 inet6_addr[16]; ++#endif ++ }; + char *request_buf; + struct ksmbd_transport *transport; + struct nls_table *local_nls; +--- a/fs/smb/server/transport_tcp.c ++++ b/fs/smb/server/transport_tcp.c +@@ -87,7 +87,14 @@ static struct tcp_transport *alloc_trans + return NULL; + } + ++#if IS_ENABLED(CONFIG_IPV6) ++ if (client_sk->sk->sk_family == AF_INET6) ++ memcpy(&conn->inet6_addr, &client_sk->sk->sk_v6_daddr, 16); ++ else ++ conn->inet_addr = inet_sk(client_sk->sk)->inet_daddr; ++#else + conn->inet_addr = inet_sk(client_sk->sk)->inet_daddr; ++#endif + conn->transport = KSMBD_TRANS(t); + KSMBD_TRANS(t)->conn = conn; + KSMBD_TRANS(t)->ops = &ksmbd_tcp_transport_ops; +@@ -231,7 +238,6 @@ static int ksmbd_kthread_fn(void *p) + { + struct socket *client_sk = NULL; + struct interface *iface = (struct interface *)p; +- struct inet_sock *csk_inet; + struct ksmbd_conn *conn; + int ret; + +@@ -254,13 +260,27 @@ static int ksmbd_kthread_fn(void *p) + /* + * Limits repeated connections from clients with the same IP. + */ +- csk_inet = inet_sk(client_sk->sk); + down_read(&conn_list_lock); + list_for_each_entry(conn, &conn_list, conns_list) +- if (csk_inet->inet_daddr == conn->inet_addr) { ++#if IS_ENABLED(CONFIG_IPV6) ++ if (client_sk->sk->sk_family == AF_INET6) { ++ if (memcmp(&client_sk->sk->sk_v6_daddr, ++ &conn->inet6_addr, 16) == 0) { ++ ret = -EAGAIN; ++ break; ++ } ++ } else if (inet_sk(client_sk->sk)->inet_daddr == ++ conn->inet_addr) { + ret = -EAGAIN; + break; + } ++#else ++ if (inet_sk(client_sk->sk)->inet_daddr == ++ conn->inet_addr) { ++ ret = -EAGAIN; ++ break; ++ } ++#endif + up_read(&conn_list_lock); + if (ret == -EAGAIN) + continue; diff --git a/queue-6.16/ksmbd-fix-refcount-leak-causing-resource-not-released.patch b/queue-6.16/ksmbd-fix-refcount-leak-causing-resource-not-released.patch new file mode 100644 index 0000000000..a591a62431 --- /dev/null +++ b/queue-6.16/ksmbd-fix-refcount-leak-causing-resource-not-released.patch @@ -0,0 +1,61 @@ +From 89bb430f621124af39bb31763c4a8b504c9651e2 Mon Sep 17 00:00:00 2001 +From: Ziyan Xu +Date: Sat, 16 Aug 2025 10:20:05 +0900 +Subject: ksmbd: fix refcount leak causing resource not released + +From: Ziyan Xu + +commit 89bb430f621124af39bb31763c4a8b504c9651e2 upstream. + +When ksmbd_conn_releasing(opinfo->conn) returns true,the refcount was not +decremented properly, causing a refcount leak that prevents the count from +reaching zero and the memory from being released. + +Cc: stable@vger.kernel.org +Signed-off-by: Ziyan Xu +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/oplock.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/fs/smb/server/oplock.c ++++ b/fs/smb/server/oplock.c +@@ -1102,8 +1102,10 @@ void smb_send_parent_lease_break_noti(st + if (!atomic_inc_not_zero(&opinfo->refcount)) + continue; + +- if (ksmbd_conn_releasing(opinfo->conn)) ++ if (ksmbd_conn_releasing(opinfo->conn)) { ++ opinfo_put(opinfo); + continue; ++ } + + oplock_break(opinfo, SMB2_OPLOCK_LEVEL_NONE, NULL); + opinfo_put(opinfo); +@@ -1139,8 +1141,11 @@ void smb_lazy_parent_lease_break_close(s + if (!atomic_inc_not_zero(&opinfo->refcount)) + continue; + +- if (ksmbd_conn_releasing(opinfo->conn)) ++ if (ksmbd_conn_releasing(opinfo->conn)) { ++ opinfo_put(opinfo); + continue; ++ } ++ + oplock_break(opinfo, SMB2_OPLOCK_LEVEL_NONE, NULL); + opinfo_put(opinfo); + } +@@ -1343,8 +1348,10 @@ void smb_break_all_levII_oplock(struct k + if (!atomic_inc_not_zero(&brk_op->refcount)) + continue; + +- if (ksmbd_conn_releasing(brk_op->conn)) ++ if (ksmbd_conn_releasing(brk_op->conn)) { ++ opinfo_put(brk_op); + continue; ++ } + + if (brk_op->is_lease && (brk_op->o_lease->state & + (~(SMB2_LEASE_READ_CACHING_LE | diff --git a/queue-6.16/lib-crypto-arm-poly1305-fix-register-corruption-in-no-simd-contexts.patch b/queue-6.16/lib-crypto-arm-poly1305-fix-register-corruption-in-no-simd-contexts.patch new file mode 100644 index 0000000000..95fda1d97e --- /dev/null +++ b/queue-6.16/lib-crypto-arm-poly1305-fix-register-corruption-in-no-simd-contexts.patch @@ -0,0 +1,50 @@ +From 52c3e242f4d0043186b70d65460ba1767f27494a Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sun, 6 Jul 2025 16:10:57 -0700 +Subject: lib/crypto: arm/poly1305: Fix register corruption in no-SIMD contexts + +From: Eric Biggers + +commit 52c3e242f4d0043186b70d65460ba1767f27494a upstream. + +Restore the SIMD usability check that was removed by commit 773426f4771b +("crypto: arm/poly1305 - Add block-only interface"). + +This safety check is cheap and is well worth eliminating a footgun. +While the Poly1305 functions should not be called when SIMD registers +are unusable, if they are anyway, they should just do the right thing +instead of corrupting random tasks' registers and/or computing incorrect +MACs. Fixing this is also needed for poly1305_kunit to pass. + +Just use may_use_simd() instead of the original crypto_simd_usable(), +since poly1305_kunit won't rely on crypto_simd_disabled_for_test. + +Fixes: 773426f4771b ("crypto: arm/poly1305 - Add block-only interface") +Cc: stable@vger.kernel.org +Reviewed-by: Ard Biesheuvel +Link: https://lore.kernel.org/r/20250706231100.176113-3-ebiggers@kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/lib/crypto/poly1305-glue.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm/lib/crypto/poly1305-glue.c ++++ b/arch/arm/lib/crypto/poly1305-glue.c +@@ -7,6 +7,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -39,7 +40,7 @@ void poly1305_blocks_arch(struct poly130 + { + len = round_down(len, POLY1305_BLOCK_SIZE); + if (IS_ENABLED(CONFIG_KERNEL_MODE_NEON) && +- static_branch_likely(&have_neon)) { ++ static_branch_likely(&have_neon) && likely(may_use_simd())) { + do { + unsigned int todo = min_t(unsigned int, len, SZ_4K); + diff --git a/queue-6.16/lib-crypto-arm64-poly1305-fix-register-corruption-in-no-simd-contexts.patch b/queue-6.16/lib-crypto-arm64-poly1305-fix-register-corruption-in-no-simd-contexts.patch new file mode 100644 index 0000000000..2a36ac3ba5 --- /dev/null +++ b/queue-6.16/lib-crypto-arm64-poly1305-fix-register-corruption-in-no-simd-contexts.patch @@ -0,0 +1,50 @@ +From eec76ea5a7213c48529a46eed1b343e5cee3aaab Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sun, 6 Jul 2025 16:10:58 -0700 +Subject: lib/crypto: arm64/poly1305: Fix register corruption in no-SIMD contexts + +From: Eric Biggers + +commit eec76ea5a7213c48529a46eed1b343e5cee3aaab upstream. + +Restore the SIMD usability check that was removed by commit a59e5468a921 +("crypto: arm64/poly1305 - Add block-only interface"). + +This safety check is cheap and is well worth eliminating a footgun. +While the Poly1305 functions should not be called when SIMD registers +are unusable, if they are anyway, they should just do the right thing +instead of corrupting random tasks' registers and/or computing incorrect +MACs. Fixing this is also needed for poly1305_kunit to pass. + +Just use may_use_simd() instead of the original crypto_simd_usable(), +since poly1305_kunit won't rely on crypto_simd_disabled_for_test. + +Fixes: a59e5468a921 ("crypto: arm64/poly1305 - Add block-only interface") +Cc: stable@vger.kernel.org +Reviewed-by: Ard Biesheuvel +Link: https://lore.kernel.org/r/20250706231100.176113-4-ebiggers@kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/lib/crypto/poly1305-glue.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm64/lib/crypto/poly1305-glue.c ++++ b/arch/arm64/lib/crypto/poly1305-glue.c +@@ -7,6 +7,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -33,7 +34,7 @@ void poly1305_blocks_arch(struct poly130 + unsigned int len, u32 padbit) + { + len = round_down(len, POLY1305_BLOCK_SIZE); +- if (static_branch_likely(&have_neon)) { ++ if (static_branch_likely(&have_neon) && likely(may_use_simd())) { + do { + unsigned int todo = min_t(unsigned int, len, SZ_4K); + diff --git a/queue-6.16/lib-crypto-mips-chacha-fix-clang-build-and-remove-unneeded-byteswap.patch b/queue-6.16/lib-crypto-mips-chacha-fix-clang-build-and-remove-unneeded-byteswap.patch new file mode 100644 index 0000000000..1086847b6e --- /dev/null +++ b/queue-6.16/lib-crypto-mips-chacha-fix-clang-build-and-remove-unneeded-byteswap.patch @@ -0,0 +1,104 @@ +From 22375adaa0d9fbba9646c8e2b099c6e87c97bfae Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Thu, 19 Jun 2025 15:55:35 -0700 +Subject: lib/crypto: mips/chacha: Fix clang build and remove unneeded byteswap + +From: Eric Biggers + +commit 22375adaa0d9fbba9646c8e2b099c6e87c97bfae upstream. + +The MIPS32r2 ChaCha code has never been buildable with the clang +assembler. First, clang doesn't support the 'rotl' pseudo-instruction: + + error: unknown instruction, did you mean: rol, rotr? + +Second, clang requires that both operands of the 'wsbh' instruction be +explicitly given: + + error: too few operands for instruction + +To fix this, align the code with the real instruction set by (1) using +the real instruction 'rotr' instead of the nonstandard pseudo- +instruction 'rotl', and (2) explicitly giving both operands to 'wsbh'. + +To make removing the use of 'rotl' a bit easier, also remove the +unnecessary special-casing for big endian CPUs at +.Lchacha_mips_xor_bytes. The tail handling is actually +endian-independent since it processes one byte at a time. On big endian +CPUs the old code byte-swapped SAVED_X, then iterated through it in +reverse order. But the byteswap and reverse iteration canceled out. + +Tested with chacha20poly1305-selftest in QEMU using "-M malta" with both +little endian and big endian mips32r2 kernels. + +Fixes: 49aa7c00eddf ("crypto: mips/chacha - import 32r2 ChaCha code from Zinc") +Cc: stable@vger.kernel.org +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202505080409.EujEBwA0-lkp@intel.com/ +Link: https://lore.kernel.org/r/20250619225535.679301-1-ebiggers@kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/lib/crypto/chacha-core.S | 20 +++++++------------- + 1 file changed, 7 insertions(+), 13 deletions(-) + +--- a/arch/mips/lib/crypto/chacha-core.S ++++ b/arch/mips/lib/crypto/chacha-core.S +@@ -55,17 +55,13 @@ + #if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + #define MSB 0 + #define LSB 3 +-#define ROTx rotl +-#define ROTR(n) rotr n, 24 + #define CPU_TO_LE32(n) \ +- wsbh n; \ ++ wsbh n, n; \ + rotr n, 16; + #else + #define MSB 3 + #define LSB 0 +-#define ROTx rotr + #define CPU_TO_LE32(n) +-#define ROTR(n) + #endif + + #define FOR_EACH_WORD(x) \ +@@ -192,10 +188,10 @@ CONCAT3(.Lchacha_mips_xor_aligned_, PLUS + xor X(W), X(B); \ + xor X(Y), X(C); \ + xor X(Z), X(D); \ +- rotl X(V), S; \ +- rotl X(W), S; \ +- rotl X(Y), S; \ +- rotl X(Z), S; ++ rotr X(V), 32 - S; \ ++ rotr X(W), 32 - S; \ ++ rotr X(Y), 32 - S; \ ++ rotr X(Z), 32 - S; + + .text + .set reorder +@@ -372,21 +368,19 @@ chacha_crypt_arch: + /* First byte */ + lbu T1, 0(IN) + addiu $at, BYTES, 1 +- CPU_TO_LE32(SAVED_X) +- ROTR(SAVED_X) + xor T1, SAVED_X + sb T1, 0(OUT) + beqz $at, .Lchacha_mips_xor_done + /* Second byte */ + lbu T1, 1(IN) + addiu $at, BYTES, 2 +- ROTx SAVED_X, 8 ++ rotr SAVED_X, 8 + xor T1, SAVED_X + sb T1, 1(OUT) + beqz $at, .Lchacha_mips_xor_done + /* Third byte */ + lbu T1, 2(IN) +- ROTx SAVED_X, 8 ++ rotr SAVED_X, 8 + xor T1, SAVED_X + sb T1, 2(OUT) + b .Lchacha_mips_xor_done diff --git a/queue-6.16/revert-vgacon-add-check-for-vc_origin-address-range-in-vgacon_scroll.patch b/queue-6.16/revert-vgacon-add-check-for-vc_origin-address-range-in-vgacon_scroll.patch new file mode 100644 index 0000000000..3961871221 --- /dev/null +++ b/queue-6.16/revert-vgacon-add-check-for-vc_origin-address-range-in-vgacon_scroll.patch @@ -0,0 +1,40 @@ +From e4fc307d8e24f122402907ebf585248cad52841d Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sat, 2 Aug 2025 21:34:37 +0200 +Subject: Revert "vgacon: Add check for vc_origin address range in vgacon_scroll()" + +From: Helge Deller + +commit e4fc307d8e24f122402907ebf585248cad52841d upstream. + +This reverts commit 864f9963ec6b4b76d104d595ba28110b87158003. + +The patch is wrong as it checks vc_origin against vc_screenbuf, +while in text mode it should compare against vga_vram_base. + +As such it broke VGA text scrolling, which can be reproduced like this: +(1) boot a kernel that is configured to use text mode VGA-console +(2) type commands: ls -l /usr/bin | less -S +(3) scroll up/down with cursor-down/up keys + +Reported-by: Jari Ruusu +Cc: stable@vger.kernel.org +Cc: Yi Yang +Cc: GONG Ruiqi +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/console/vgacon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/video/console/vgacon.c ++++ b/drivers/video/console/vgacon.c +@@ -1168,7 +1168,7 @@ static bool vgacon_scroll(struct vc_data + c->vc_screenbuf_size - delta); + c->vc_origin = vga_vram_end - c->vc_screenbuf_size; + vga_rolled_over = 0; +- } else if (oldo - delta >= (unsigned long)c->vc_screenbuf) ++ } else + c->vc_origin -= delta; + c->vc_scr_end = c->vc_origin + c->vc_screenbuf_size; + scr_memsetw((u16 *) (c->vc_origin), c->vc_video_erase_char, diff --git a/queue-6.16/series b/queue-6.16/series index 60235c31ee..248becdd3f 100644 --- a/queue-6.16/series +++ b/queue-6.16/series @@ -17,3 +17,31 @@ bus-mhi-host-detect-events-pointing-to-unexpected-tres.patch vt-keyboard-don-t-process-unicode-characters-in-k_off-mode.patch vt-defkeymap-map-keycodes-above-127-to-k_hole.patch netfs-fix-unbuffered-write-error-handling.patch +lib-crypto-mips-chacha-fix-clang-build-and-remove-unneeded-byteswap.patch +lib-crypto-arm-poly1305-fix-register-corruption-in-no-simd-contexts.patch +lib-crypto-arm64-poly1305-fix-register-corruption-in-no-simd-contexts.patch +crypto-qat-lower-priority-for-skcipher-and-aead-algorithms.patch +crypto-ccp-fix-snp-panic-notifier-unregistration.patch +crypto-caam-prevent-crash-on-suspend-with-imx8qm-imx8ulp.patch +crypto-qat-flush-misc-workqueue-during-device-shutdown.patch +crypto-x86-aegis-fix-sleeping-when-disallowed-on-preempt_rt.patch +crypto-x86-aegis-add-missing-error-checks.patch +crypto-octeontx2-fix-address-alignment-issue-on-ucode-loading.patch +crypto-octeontx2-fix-address-alignment-on-cn10k-a0-a1-and-octeontx2.patch +crypto-octeontx2-fix-address-alignment-on-cn10kb-and-cn10ka-b0.patch +crypto-hash-increase-hash_max_descsize-for-hmac-sha3-224-s390.patch +revert-vgacon-add-check-for-vc_origin-address-range-in-vgacon_scroll.patch +ksmbd-fix-refcount-leak-causing-resource-not-released.patch +ksmbd-extend-the-connection-limiting-mechanism-to-support-ipv6.patch +tracing-fprobe-event-sanitize-wildcard-for-fprobe-event-name.patch +ext4-preserve-sb_i_version-on-remount.patch +ext4-check-fast-symlink-for-ea_inode-correctly.patch +ext4-fix-fsmap-end-of-range-reporting-with-bigalloc.patch +ext4-fix-reserved-gdt-blocks-handling-in-fsmap.patch +ext4-don-t-try-to-clear-the-orphan_present-feature-block-device-is-r-o.patch +ext4-use-kmalloc_array-for-array-space-allocation.patch +ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch +btrfs-zoned-fix-write-time-activation-failure-for-metadata-block-group.patch +btrfs-fix-incorrect-log-message-for-nobarrier-mount-option.patch +btrfs-restore-mount-option-info-messages-during-mount.patch +btrfs-fix-printing-of-mount-info-messages-for-nodatacow-nodatasum.patch diff --git a/queue-6.16/tracing-fprobe-event-sanitize-wildcard-for-fprobe-event-name.patch b/queue-6.16/tracing-fprobe-event-sanitize-wildcard-for-fprobe-event-name.patch new file mode 100644 index 0000000000..64ab0d10d7 --- /dev/null +++ b/queue-6.16/tracing-fprobe-event-sanitize-wildcard-for-fprobe-event-name.patch @@ -0,0 +1,41 @@ +From ec879e1a0be8007aa232ffedcf6a6445dfc1a3d7 Mon Sep 17 00:00:00 2001 +From: "Masami Hiramatsu (Google)" +Date: Sat, 16 Aug 2025 23:10:51 +0900 +Subject: tracing: fprobe-event: Sanitize wildcard for fprobe event name + +From: Masami Hiramatsu (Google) + +commit ec879e1a0be8007aa232ffedcf6a6445dfc1a3d7 upstream. + +Fprobe event accepts wildcards for the target functions, but unless user +specifies its event name, it makes an event with the wildcards. + + /sys/kernel/tracing # echo 'f mutex*' >> dynamic_events + /sys/kernel/tracing # cat dynamic_events + f:fprobes/mutex*__entry mutex* + /sys/kernel/tracing # ls events/fprobes/ + enable filter mutex*__entry + +To fix this, replace the wildcard ('*') with an underscore. + +Link: https://lore.kernel.org/all/175535345114.282990.12294108192847938710.stgit@devnote2/ + +Fixes: 334e5519c375 ("tracing/probes: Add fprobe events for tracing function entry and exit.") +Signed-off-by: Masami Hiramatsu (Google) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/trace.h ++++ b/kernel/trace/trace.h +@@ -2204,7 +2204,7 @@ static inline bool is_good_system_name(c + static inline void sanitize_event_name(char *name) + { + while (*name++ != '\0') +- if (*name == ':' || *name == '.') ++ if (*name == ':' || *name == '.' || *name == '*') + *name = '_'; + } +