From: Greg Kroah-Hartman Date: Fri, 15 Aug 2025 17:02:49 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v6.12.43~79 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=db9d442c119a10fbbb2fcc3f05a1779ed79ffec6;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: fs-prevent-file-descriptor-table-allocations-exceeding-int_max.patch loongarch-bpf-fix-jump-offset-calculation-in-tailcall.patch nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch nfsd-detect-mismatch-of-file-handle-and-delegation-stateid-in-open-op.patch nfsd-handle-get_client_locked-failure-in-nfsd4_setclientid_confirm.patch pci-extend-isolated-function-probing-to-loongarch.patch sunvdc-balance-device-refcount-in-vdc_port_mpgroup_check.patch --- diff --git a/queue-6.6/fs-prevent-file-descriptor-table-allocations-exceeding-int_max.patch b/queue-6.6/fs-prevent-file-descriptor-table-allocations-exceeding-int_max.patch new file mode 100644 index 0000000000..4f414977db --- /dev/null +++ b/queue-6.6/fs-prevent-file-descriptor-table-allocations-exceeding-int_max.patch @@ -0,0 +1,104 @@ +From 04a2c4b4511d186b0fce685da21085a5d4acd370 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Jun 2025 03:40:21 -0400 +Subject: fs: Prevent file descriptor table allocations exceeding INT_MAX + +From: Sasha Levin + +commit 04a2c4b4511d186b0fce685da21085a5d4acd370 upstream. + +When sysctl_nr_open is set to a very high value (for example, 1073741816 +as set by systemd), processes attempting to use file descriptors near +the limit can trigger massive memory allocation attempts that exceed +INT_MAX, resulting in a WARNING in mm/slub.c: + + WARNING: CPU: 0 PID: 44 at mm/slub.c:5027 __kvmalloc_node_noprof+0x21a/0x288 + +This happens because kvmalloc_array() and kvmalloc() check if the +requested size exceeds INT_MAX and emit a warning when the allocation is +not flagged with __GFP_NOWARN. + +Specifically, when nr_open is set to 1073741816 (0x3ffffff8) and a +process calls dup2(oldfd, 1073741880), the kernel attempts to allocate: +- File descriptor array: 1073741880 * 8 bytes = 8,589,935,040 bytes +- Multiple bitmaps: ~400MB +- Total allocation size: > 8GB (exceeding INT_MAX = 2,147,483,647) + +Reproducer: +1. Set /proc/sys/fs/nr_open to 1073741816: + # echo 1073741816 > /proc/sys/fs/nr_open + +2. Run a program that uses a high file descriptor: + #include + #include + + int main() { + struct rlimit rlim = {1073741824, 1073741824}; + setrlimit(RLIMIT_NOFILE, &rlim); + dup2(2, 1073741880); // Triggers the warning + return 0; + } + +3. Observe WARNING in dmesg at mm/slub.c:5027 + +systemd commit a8b627a introduced automatic bumping of fs.nr_open to the +maximum possible value. The rationale was that systems with memory +control groups (memcg) no longer need separate file descriptor limits +since memory is properly accounted. However, this change overlooked +that: + +1. The kernel's allocation functions still enforce INT_MAX as a maximum + size regardless of memcg accounting +2. Programs and tests that legitimately test file descriptor limits can + inadvertently trigger massive allocations +3. The resulting allocations (>8GB) are impractical and will always fail + +systemd's algorithm starts with INT_MAX and keeps halving the value +until the kernel accepts it. On most systems, this results in nr_open +being set to 1073741816 (0x3ffffff8), which is just under 1GB of file +descriptors. + +While processes rarely use file descriptors near this limit in normal +operation, certain selftests (like +tools/testing/selftests/core/unshare_test.c) and programs that test file +descriptor limits can trigger this issue. + +Fix this by adding a check in alloc_fdtable() to ensure the requested +allocation size does not exceed INT_MAX. This causes the operation to +fail with -EMFILE instead of triggering a kernel warning and avoids the +impractical >8GB memory allocation request. + +Fixes: 9cfe015aa424 ("get rid of NR_OPEN and introduce a sysctl_nr_open") +Cc: stable@vger.kernel.org +Signed-off-by: Sasha Levin +Link: https://lore.kernel.org/20250629074021.1038845-1-sashal@kernel.org +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/file.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/fs/file.c ++++ b/fs/file.c +@@ -126,6 +126,21 @@ static struct fdtable * alloc_fdtable(un + if (unlikely(nr > sysctl_nr_open)) + nr = ((sysctl_nr_open - 1) | (BITS_PER_LONG - 1)) + 1; + ++ /* ++ * Check if the allocation size would exceed INT_MAX. kvmalloc_array() ++ * and kvmalloc() will warn if the allocation size is greater than ++ * INT_MAX, as filp_cachep objects are not __GFP_NOWARN. ++ * ++ * This can happen when sysctl_nr_open is set to a very high value and ++ * a process tries to use a file descriptor near that limit. For example, ++ * if sysctl_nr_open is set to 1073741816 (0x3ffffff8) - which is what ++ * systemd typically sets it to - then trying to use a file descriptor ++ * close to that value will require allocating a file descriptor table ++ * that exceeds 8GB in size. ++ */ ++ if (unlikely(nr > INT_MAX / sizeof(struct file *))) ++ return ERR_PTR(-EMFILE); ++ + fdt = kmalloc(sizeof(struct fdtable), GFP_KERNEL_ACCOUNT); + if (!fdt) + goto out; diff --git a/queue-6.6/loongarch-bpf-fix-jump-offset-calculation-in-tailcall.patch b/queue-6.6/loongarch-bpf-fix-jump-offset-calculation-in-tailcall.patch new file mode 100644 index 0000000000..7d1a4da77c --- /dev/null +++ b/queue-6.6/loongarch-bpf-fix-jump-offset-calculation-in-tailcall.patch @@ -0,0 +1,109 @@ +From cd39d9e6b7e4c58fa77783e7aedf7ada51d02ea3 Mon Sep 17 00:00:00 2001 +From: Haoran Jiang +Date: Tue, 5 Aug 2025 19:00:22 +0800 +Subject: LoongArch: BPF: Fix jump offset calculation in tailcall + +From: Haoran Jiang + +commit cd39d9e6b7e4c58fa77783e7aedf7ada51d02ea3 upstream. + +The extra pass of bpf_int_jit_compile() skips JIT context initialization +which essentially skips offset calculation leaving out_offset = -1, so +the jmp_offset in emit_bpf_tail_call is calculated by + +"#define jmp_offset (out_offset - (cur_offset))" + +is a negative number, which is wrong. The final generated assembly are +as follow. + +54: bgeu $a2, $t1, -8 # 0x0000004c +58: addi.d $a6, $s5, -1 +5c: bltz $a6, -16 # 0x0000004c +60: alsl.d $t2, $a2, $a1, 0x3 +64: ld.d $t2, $t2, 264 +68: beq $t2, $zero, -28 # 0x0000004c + +Before apply this patch, the follow test case will reveal soft lock issues. + +cd tools/testing/selftests/bpf/ +./test_progs --allow=tailcalls/tailcall_bpf2bpf_1 + +dmesg: +watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_progs:25056] + +Cc: stable@vger.kernel.org +Fixes: 5dc615520c4d ("LoongArch: Add BPF JIT support") +Reviewed-by: Hengqi Chen +Signed-off-by: Haoran Jiang +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/net/bpf_jit.c | 21 +++++---------------- + 1 file changed, 5 insertions(+), 16 deletions(-) + +--- a/arch/loongarch/net/bpf_jit.c ++++ b/arch/loongarch/net/bpf_jit.c +@@ -203,11 +203,9 @@ bool bpf_jit_supports_kfunc_call(void) + return true; + } + +-/* initialized on the first pass of build_body() */ +-static int out_offset = -1; +-static int emit_bpf_tail_call(struct jit_ctx *ctx) ++static int emit_bpf_tail_call(struct jit_ctx *ctx, int insn) + { +- int off; ++ int off, tc_ninsn = 0; + u8 tcc = tail_call_reg(ctx); + u8 a1 = LOONGARCH_GPR_A1; + u8 a2 = LOONGARCH_GPR_A2; +@@ -217,7 +215,7 @@ static int emit_bpf_tail_call(struct jit + const int idx0 = ctx->idx; + + #define cur_offset (ctx->idx - idx0) +-#define jmp_offset (out_offset - (cur_offset)) ++#define jmp_offset (tc_ninsn - (cur_offset)) + + /* + * a0: &ctx +@@ -227,6 +225,7 @@ static int emit_bpf_tail_call(struct jit + * if (index >= array->map.max_entries) + * goto out; + */ ++ tc_ninsn = insn ? ctx->offset[insn+1] - ctx->offset[insn] : ctx->offset[0]; + off = offsetof(struct bpf_array, map.max_entries); + emit_insn(ctx, ldwu, t1, a1, off); + /* bgeu $a2, $t1, jmp_offset */ +@@ -258,15 +257,6 @@ static int emit_bpf_tail_call(struct jit + emit_insn(ctx, ldd, t3, t2, off); + __build_epilogue(ctx, true); + +- /* out: */ +- if (out_offset == -1) +- out_offset = cur_offset; +- if (cur_offset != out_offset) { +- pr_err_once("tail_call out_offset = %d, expected %d!\n", +- cur_offset, out_offset); +- return -1; +- } +- + return 0; + + toofar: +@@ -853,7 +843,7 @@ static int build_insn(const struct bpf_i + /* tail call */ + case BPF_JMP | BPF_TAIL_CALL: + mark_tail_call(ctx); +- if (emit_bpf_tail_call(ctx) < 0) ++ if (emit_bpf_tail_call(ctx, i) < 0) + return -EINVAL; + break; + +@@ -1251,7 +1241,6 @@ out: + if (tmp_blinded) + bpf_jit_prog_release_other(prog, prog == orig_prog ? tmp : orig_prog); + +- out_offset = -1; + + return prog; + } diff --git a/queue-6.6/nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch b/queue-6.6/nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch new file mode 100644 index 0000000000..8953d1e5db --- /dev/null +++ b/queue-6.6/nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch @@ -0,0 +1,164 @@ +From b01f21cacde9f2878492cf318fee61bf4ccad323 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sun, 3 Aug 2025 14:31:59 -0700 +Subject: NFS: Fix the setting of capabilities when automounting a new filesystem + +From: Trond Myklebust + +commit b01f21cacde9f2878492cf318fee61bf4ccad323 upstream. + +Capabilities cannot be inherited when we cross into a new filesystem. +They need to be reset to the minimal defaults, and then probed for +again. + +Fixes: 54ceac451598 ("NFS: Share NFS superblocks per-protocol per-server per-FSID") +Cc: stable@vger.kernel.org +Reviewed-by: Benjamin Coddington +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/client.c | 44 ++++++++++++++++++++++++++++++++++++++++++-- + fs/nfs/internal.h | 2 +- + fs/nfs/nfs4client.c | 20 +------------------- + fs/nfs/nfs4proc.c | 2 +- + 4 files changed, 45 insertions(+), 23 deletions(-) + +--- a/fs/nfs/client.c ++++ b/fs/nfs/client.c +@@ -668,6 +668,44 @@ struct nfs_client *nfs_init_client(struc + } + EXPORT_SYMBOL_GPL(nfs_init_client); + ++static void nfs4_server_set_init_caps(struct nfs_server *server) ++{ ++#if IS_ENABLED(CONFIG_NFS_V4) ++ /* Set the basic capabilities */ ++ server->caps = server->nfs_client->cl_mvops->init_caps; ++ if (server->flags & NFS_MOUNT_NORDIRPLUS) ++ server->caps &= ~NFS_CAP_READDIRPLUS; ++ if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA) ++ server->caps &= ~NFS_CAP_READ_PLUS; ++ ++ /* ++ * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower ++ * authentication. ++ */ ++ if (nfs4_disable_idmapping && ++ server->client->cl_auth->au_flavor == RPC_AUTH_UNIX) ++ server->caps |= NFS_CAP_UIDGID_NOMAP; ++#endif ++} ++ ++void nfs_server_set_init_caps(struct nfs_server *server) ++{ ++ switch (server->nfs_client->rpc_ops->version) { ++ case 2: ++ server->caps = NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS; ++ break; ++ case 3: ++ server->caps = NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS; ++ if (!(server->flags & NFS_MOUNT_NORDIRPLUS)) ++ server->caps |= NFS_CAP_READDIRPLUS; ++ break; ++ default: ++ nfs4_server_set_init_caps(server); ++ break; ++ } ++} ++EXPORT_SYMBOL_GPL(nfs_server_set_init_caps); ++ + /* + * Create a version 2 or 3 client + */ +@@ -709,7 +747,6 @@ static int nfs_init_server(struct nfs_se + /* Initialise the client representation from the mount data */ + server->flags = ctx->flags; + server->options = ctx->options; +- server->caps |= NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS; + + switch (clp->rpc_ops->version) { + case 2: +@@ -745,6 +782,8 @@ static int nfs_init_server(struct nfs_se + if (error < 0) + goto error; + ++ nfs_server_set_init_caps(server); ++ + /* Preserve the values of mount_server-related mount options */ + if (ctx->mount_server.addrlen) { + memcpy(&server->mountd_address, &ctx->mount_server.address, +@@ -919,7 +958,6 @@ void nfs_server_copy_userdata(struct nfs + target->acregmax = source->acregmax; + target->acdirmin = source->acdirmin; + target->acdirmax = source->acdirmax; +- target->caps = source->caps; + target->options = source->options; + target->auth_info = source->auth_info; + target->port = source->port; +@@ -1145,6 +1183,8 @@ struct nfs_server *nfs_clone_server(stru + if (error < 0) + goto out_free_server; + ++ nfs_server_set_init_caps(server); ++ + /* probe the filesystem info for this server filesystem */ + error = nfs_probe_server(server, fh); + if (error < 0) +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -223,7 +223,7 @@ extern struct nfs_client * + nfs4_find_client_sessionid(struct net *, const struct sockaddr *, + struct nfs4_sessionid *, u32); + extern struct nfs_server *nfs_create_server(struct fs_context *); +-extern void nfs4_server_set_init_caps(struct nfs_server *); ++extern void nfs_server_set_init_caps(struct nfs_server *); + extern struct nfs_server *nfs4_create_server(struct fs_context *); + extern struct nfs_server *nfs4_create_referral_server(struct fs_context *); + extern int nfs4_update_server(struct nfs_server *server, const char *hostname, +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -1079,24 +1079,6 @@ static void nfs4_session_limit_xasize(st + #endif + } + +-void nfs4_server_set_init_caps(struct nfs_server *server) +-{ +- /* Set the basic capabilities */ +- server->caps |= server->nfs_client->cl_mvops->init_caps; +- if (server->flags & NFS_MOUNT_NORDIRPLUS) +- server->caps &= ~NFS_CAP_READDIRPLUS; +- if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA) +- server->caps &= ~NFS_CAP_READ_PLUS; +- +- /* +- * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower +- * authentication. +- */ +- if (nfs4_disable_idmapping && +- server->client->cl_auth->au_flavor == RPC_AUTH_UNIX) +- server->caps |= NFS_CAP_UIDGID_NOMAP; +-} +- + static int nfs4_server_common_setup(struct nfs_server *server, + struct nfs_fh *mntfh, bool auth_probe) + { +@@ -1111,7 +1093,7 @@ static int nfs4_server_common_setup(stru + if (error < 0) + goto out; + +- nfs4_server_set_init_caps(server); ++ nfs_server_set_init_caps(server); + + /* Probe the root fh to retrieve its FSID and filehandle */ + error = nfs4_get_rootfh(server, mntfh, auth_probe); +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -3951,7 +3951,7 @@ int nfs4_server_capabilities(struct nfs_ + }; + int err; + +- nfs4_server_set_init_caps(server); ++ nfs_server_set_init_caps(server); + do { + err = nfs4_handle_exception(server, + _nfs4_server_capabilities(server, fhandle), diff --git a/queue-6.6/nfsd-detect-mismatch-of-file-handle-and-delegation-stateid-in-open-op.patch b/queue-6.6/nfsd-detect-mismatch-of-file-handle-and-delegation-stateid-in-open-op.patch new file mode 100644 index 0000000000..799fc79e36 --- /dev/null +++ b/queue-6.6/nfsd-detect-mismatch-of-file-handle-and-delegation-stateid-in-open-op.patch @@ -0,0 +1,54 @@ +From 9c65001c57164033ad08b654c8b5ae35512ddf4a Mon Sep 17 00:00:00 2001 +From: Dai Ngo +Date: Tue, 10 Jun 2025 08:35:28 -0700 +Subject: NFSD: detect mismatch of file handle and delegation stateid in OPEN op + +From: Dai Ngo + +commit 9c65001c57164033ad08b654c8b5ae35512ddf4a upstream. + +When the client sends an OPEN with claim type CLAIM_DELEG_CUR_FH or +CLAIM_DELEGATION_CUR, the delegation stateid and the file handle +must belong to the same file, otherwise return NFS4ERR_INVAL. + +Note that RFC8881, section 8.2.4, mandates the server to return +NFS4ERR_BAD_STATEID if the selected table entry does not match the +current filehandle. However returning NFS4ERR_BAD_STATEID in the +OPEN causes the client to retry the operation and therefor get the +client into a loop. To avoid this situation we return NFS4ERR_INVAL +instead. + +Reported-by: Petro Pavlov +Fixes: c44c5eeb2c02 ("[PATCH] nfsd4: add open state code for CLAIM_DELEGATE_CUR") +Cc: stable@vger.kernel.org +Signed-off-by: Dai Ngo +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4state.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -5775,6 +5775,20 @@ nfsd4_process_open2(struct svc_rqst *rqs + status = nfs4_check_deleg(cl, open, &dp); + if (status) + goto out; ++ if (dp && nfsd4_is_deleg_cur(open) && ++ (dp->dl_stid.sc_file != fp)) { ++ /* ++ * RFC8881 section 8.2.4 mandates the server to return ++ * NFS4ERR_BAD_STATEID if the selected table entry does ++ * not match the current filehandle. However returning ++ * NFS4ERR_BAD_STATEID in the OPEN can cause the client ++ * to repeatedly retry the operation with the same ++ * stateid, since the stateid itself is valid. To avoid ++ * this situation NFSD returns NFS4ERR_INVAL instead. ++ */ ++ status = nfserr_inval; ++ goto out; ++ } + stp = nfsd4_find_and_lock_existing_open(fp, open); + } else { + open->op_file = NULL; diff --git a/queue-6.6/nfsd-handle-get_client_locked-failure-in-nfsd4_setclientid_confirm.patch b/queue-6.6/nfsd-handle-get_client_locked-failure-in-nfsd4_setclientid_confirm.patch new file mode 100644 index 0000000000..43ee715e1a --- /dev/null +++ b/queue-6.6/nfsd-handle-get_client_locked-failure-in-nfsd4_setclientid_confirm.patch @@ -0,0 +1,71 @@ +From 908e4ead7f757504d8b345452730636e298cbf68 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Wed, 4 Jun 2025 12:01:10 -0400 +Subject: nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() + +From: Jeff Layton + +commit 908e4ead7f757504d8b345452730636e298cbf68 upstream. + +Lei Lu recently reported that nfsd4_setclientid_confirm() did not check +the return value from get_client_locked(). a SETCLIENTID_CONFIRM could +race with a confirmed client expiring and fail to get a reference. That +could later lead to a UAF. + +Fix this by getting a reference early in the case where there is an +extant confirmed client. If that fails then treat it as if there were no +confirmed client found at all. + +In the case where the unconfirmed client is expiring, just fail and +return the result from get_client_locked(). + +Reported-by: lei lu +Closes: https://lore.kernel.org/linux-nfs/CAEBF3_b=UvqzNKdnfD_52L05Mqrqui9vZ2eFamgAbV0WG+FNWQ@mail.gmail.com/ +Fixes: d20c11d86d8f ("nfsd: Protect session creation and client confirm using client_lock") +Cc: stable@vger.kernel.org +Signed-off-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4state.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -4282,10 +4282,16 @@ nfsd4_setclientid_confirm(struct svc_rqs + } + status = nfs_ok; + if (conf) { +- old = unconf; +- unhash_client_locked(old); +- nfsd4_change_callback(conf, &unconf->cl_cb_conn); +- } else { ++ if (get_client_locked(conf) == nfs_ok) { ++ old = unconf; ++ unhash_client_locked(old); ++ nfsd4_change_callback(conf, &unconf->cl_cb_conn); ++ } else { ++ conf = NULL; ++ } ++ } ++ ++ if (!conf) { + old = find_confirmed_client_by_name(&unconf->cl_name, nn); + if (old) { + status = nfserr_clid_inuse; +@@ -4302,10 +4308,14 @@ nfsd4_setclientid_confirm(struct svc_rqs + } + trace_nfsd_clid_replaced(&old->cl_clientid); + } ++ status = get_client_locked(unconf); ++ if (status != nfs_ok) { ++ old = NULL; ++ goto out; ++ } + move_to_confirmed(unconf); + conf = unconf; + } +- get_client_locked(conf); + spin_unlock(&nn->client_lock); + if (conf == unconf) + fsnotify_dentry(conf->cl_nfsd_info_dentry, FS_MODIFY); diff --git a/queue-6.6/pci-extend-isolated-function-probing-to-loongarch.patch b/queue-6.6/pci-extend-isolated-function-probing-to-loongarch.patch new file mode 100644 index 0000000000..c175f4f2d2 --- /dev/null +++ b/queue-6.6/pci-extend-isolated-function-probing-to-loongarch.patch @@ -0,0 +1,41 @@ +From a02fd05661d73a8507dd70dd820e9b984490c545 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Tue, 24 Jun 2025 14:29:27 +0800 +Subject: PCI: Extend isolated function probing to LoongArch + +From: Huacai Chen + +commit a02fd05661d73a8507dd70dd820e9b984490c545 upstream. + +Like s390 and the jailhouse hypervisor, LoongArch's PCI architecture allows +passing isolated PCI functions to a guest OS instance. So it is possible +that there is a multi-function device without function 0 for the host or +guest. + +Allow probing such functions by adding a IS_ENABLED(CONFIG_LOONGARCH) case +in the hypervisor_isolated_pci_functions() helper. + +This is similar to commit 189c6c33ff42 ("PCI: Extend isolated function +probing to s390"). + +Signed-off-by: Huacai Chen +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250624062927.4037734-1-chenhuacai@loongson.cn +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/hypervisor.h | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/include/linux/hypervisor.h ++++ b/include/linux/hypervisor.h +@@ -37,6 +37,9 @@ static inline bool hypervisor_isolated_p + if (IS_ENABLED(CONFIG_S390)) + return true; + ++ if (IS_ENABLED(CONFIG_LOONGARCH)) ++ return true; ++ + return jailhouse_paravirt(); + } + diff --git a/queue-6.6/series b/queue-6.6/series index 46d329ae3e..0b01ae0817 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -19,3 +19,10 @@ net-ti-icss-iep-fix-device-and-of-node-leaks-at-probe.patch net-dpaa-fix-device-leak-when-querying-time-stamp-info.patch net-usb-asix_devices-add-phy_mask-for-ax88772-mdio-bus.patch io_uring-net-commit-partial-buffers-on-retry.patch +nfsd-handle-get_client_locked-failure-in-nfsd4_setclientid_confirm.patch +nfsd-detect-mismatch-of-file-handle-and-delegation-stateid-in-open-op.patch +nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch +pci-extend-isolated-function-probing-to-loongarch.patch +loongarch-bpf-fix-jump-offset-calculation-in-tailcall.patch +sunvdc-balance-device-refcount-in-vdc_port_mpgroup_check.patch +fs-prevent-file-descriptor-table-allocations-exceeding-int_max.patch diff --git a/queue-6.6/sunvdc-balance-device-refcount-in-vdc_port_mpgroup_check.patch b/queue-6.6/sunvdc-balance-device-refcount-in-vdc_port_mpgroup_check.patch new file mode 100644 index 0000000000..b4d4386d95 --- /dev/null +++ b/queue-6.6/sunvdc-balance-device-refcount-in-vdc_port_mpgroup_check.patch @@ -0,0 +1,48 @@ +From 63ce53724637e2e7ba51fe3a4f78351715049905 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Sat, 19 Jul 2025 15:58:56 +0800 +Subject: sunvdc: Balance device refcount in vdc_port_mpgroup_check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ma Ke + +commit 63ce53724637e2e7ba51fe3a4f78351715049905 upstream. + +Using device_find_child() to locate a probed virtual-device-port node +causes a device refcount imbalance, as device_find_child() internally +calls get_device() to increment the device’s reference count before +returning its pointer. vdc_port_mpgroup_check() directly returns true +upon finding a matching device without releasing the reference via +put_device(). We should call put_device() to decrement refcount. + +As comment of device_find_child() says, 'NOTE: you will need to drop +the reference with put_device() after use'. + +Found by code review. + +Cc: stable@vger.kernel.org +Fixes: 3ee70591d6c4 ("sunvdc: prevent sunvdc panic when mpgroup disk added to guest domain") +Signed-off-by: Ma Ke +Link: https://lore.kernel.org/r/20250719075856.3447953-1-make24@iscas.ac.cn +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/sunvdc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/block/sunvdc.c ++++ b/drivers/block/sunvdc.c +@@ -956,8 +956,10 @@ static bool vdc_port_mpgroup_check(struc + dev = device_find_child(vdev->dev.parent, &port_data, + vdc_device_probed); + +- if (dev) ++ if (dev) { ++ put_device(dev); + return true; ++ } + + return false; + }