From: Greg Kroah-Hartman Date: Sat, 11 Jan 2025 16:33:23 +0000 (+0100) Subject: 6.6-stable patches X-Git-Tag: v6.1.125~56 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dd2bae62f4e18ca27d0b8a12d37ce2d9d8203ba3;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: dm-ebs-don-t-set-the-flag-dm_target_passes_integrity.patch dm-thin-make-get_first_thin-use-rcu-safe-list-first-function.patch drm-amd-display-add-check-for-granularity-in-dml-ceil-floor-helpers.patch ksmbd-implement-new-smb3-posix-type.patch mptcp-sysctl-sched-avoid-using-current-nsproxy.patch scsi-ufs-qcom-power-off-the-phy-if-it-was-already-powered-on-in-ufs_qcom_power_up_sequence.patch sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch sctp-sysctl-plpmtud_probe_interval-avoid-using-current-nsproxy.patch sctp-sysctl-rto_min-max-avoid-using-current-nsproxy.patch sctp-sysctl-udp_port-avoid-using-current-nsproxy.patch --- diff --git a/queue-6.6/dm-ebs-don-t-set-the-flag-dm_target_passes_integrity.patch b/queue-6.6/dm-ebs-don-t-set-the-flag-dm_target_passes_integrity.patch new file mode 100644 index 00000000000..fccd894f101 --- /dev/null +++ b/queue-6.6/dm-ebs-don-t-set-the-flag-dm_target_passes_integrity.patch @@ -0,0 +1,33 @@ +From 47f33c27fc9565fb0bc7dfb76be08d445cd3d236 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 7 Jan 2025 17:47:01 +0100 +Subject: dm-ebs: don't set the flag DM_TARGET_PASSES_INTEGRITY + +From: Mikulas Patocka + +commit 47f33c27fc9565fb0bc7dfb76be08d445cd3d236 upstream. + +dm-ebs uses dm-bufio to process requests that are not aligned on logical +sector size. dm-bufio doesn't support passing integrity data (and it is +unclear how should it do it), so we shouldn't set the +DM_TARGET_PASSES_INTEGRITY flag. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Fixes: d3c7b35c20d6 ("dm: add emulated block size target") +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-ebs-target.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-ebs-target.c ++++ b/drivers/md/dm-ebs-target.c +@@ -442,7 +442,7 @@ static int ebs_iterate_devices(struct dm + static struct target_type ebs_target = { + .name = "ebs", + .version = {1, 0, 1}, +- .features = DM_TARGET_PASSES_INTEGRITY, ++ .features = 0, + .module = THIS_MODULE, + .ctr = ebs_ctr, + .dtr = ebs_dtr, diff --git a/queue-6.6/dm-thin-make-get_first_thin-use-rcu-safe-list-first-function.patch b/queue-6.6/dm-thin-make-get_first_thin-use-rcu-safe-list-first-function.patch new file mode 100644 index 00000000000..3d6e33a06da --- /dev/null +++ b/queue-6.6/dm-thin-make-get_first_thin-use-rcu-safe-list-first-function.patch @@ -0,0 +1,64 @@ +From 80f130bfad1dab93b95683fc39b87235682b8f72 Mon Sep 17 00:00:00 2001 +From: Krister Johansen +Date: Tue, 7 Jan 2025 15:24:58 -0800 +Subject: dm thin: make get_first_thin use rcu-safe list first function + +From: Krister Johansen + +commit 80f130bfad1dab93b95683fc39b87235682b8f72 upstream. + +The documentation in rculist.h explains the absence of list_empty_rcu() +and cautions programmers against relying on a list_empty() -> +list_first() sequence in RCU safe code. This is because each of these +functions performs its own READ_ONCE() of the list head. This can lead +to a situation where the list_empty() sees a valid list entry, but the +subsequent list_first() sees a different view of list head state after a +modification. + +In the case of dm-thin, this author had a production box crash from a GP +fault in the process_deferred_bios path. This function saw a valid list +head in get_first_thin() but when it subsequently dereferenced that and +turned it into a thin_c, it got the inside of the struct pool, since the +list was now empty and referring to itself. The kernel on which this +occurred printed both a warning about a refcount_t being saturated, and +a UBSAN error for an out-of-bounds cpuid access in the queued spinlock, +prior to the fault itself. When the resulting kdump was examined, it +was possible to see another thread patiently waiting in thin_dtr's +synchronize_rcu. + +The thin_dtr call managed to pull the thin_c out of the active thins +list (and have it be the last entry in the active_thins list) at just +the wrong moment which lead to this crash. + +Fortunately, the fix here is straight forward. Switch get_first_thin() +function to use list_first_or_null_rcu() which performs just a single +READ_ONCE() and returns NULL if the list is already empty. + +This was run against the devicemapper test suite's thin-provisioning +suites for delete and suspend and no regressions were observed. + +Signed-off-by: Krister Johansen +Fixes: b10ebd34ccca ("dm thin: fix rcu_read_lock being held in code that can sleep") +Cc: stable@vger.kernel.org +Acked-by: Ming-Hung Tsai +Signed-off-by: Mikulas Patocka +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-thin.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -2334,10 +2334,9 @@ static struct thin_c *get_first_thin(str + struct thin_c *tc = NULL; + + rcu_read_lock(); +- if (!list_empty(&pool->active_thins)) { +- tc = list_entry_rcu(pool->active_thins.next, struct thin_c, list); ++ tc = list_first_or_null_rcu(&pool->active_thins, struct thin_c, list); ++ if (tc) + thin_get(tc); +- } + rcu_read_unlock(); + + return tc; diff --git a/queue-6.6/drm-amd-display-add-check-for-granularity-in-dml-ceil-floor-helpers.patch b/queue-6.6/drm-amd-display-add-check-for-granularity-in-dml-ceil-floor-helpers.patch new file mode 100644 index 00000000000..3c4690f0901 --- /dev/null +++ b/queue-6.6/drm-amd-display-add-check-for-granularity-in-dml-ceil-floor-helpers.patch @@ -0,0 +1,63 @@ +From 0881fbc4fd62e00a2b8e102725f76d10351b2ea8 Mon Sep 17 00:00:00 2001 +From: Roman Li +Date: Fri, 13 Dec 2024 13:51:07 -0500 +Subject: drm/amd/display: Add check for granularity in dml ceil/floor helpers + +From: Roman Li + +commit 0881fbc4fd62e00a2b8e102725f76d10351b2ea8 upstream. + +[Why] +Wrapper functions for dcn_bw_ceil2() and dcn_bw_floor2() +should check for granularity is non zero to avoid assert and +divide-by-zero error in dcn_bw_ functions. + +[How] +Add check for granularity 0. + +Cc: Mario Limonciello +Reviewed-by: Alvin Lee +Signed-off-by: Roman Li +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +(cherry picked from commit f6e09701c3eb2ccb8cb0518e0b67f1c69742a4ec) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dml/dml_inline_defs.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/gpu/drm/amd/display/dc/dml/dml_inline_defs.h ++++ b/drivers/gpu/drm/amd/display/dc/dml/dml_inline_defs.h +@@ -66,11 +66,15 @@ static inline double dml_max5(double a, + + static inline double dml_ceil(double a, double granularity) + { ++ if (granularity == 0) ++ return 0; + return (double) dcn_bw_ceil2(a, granularity); + } + + static inline double dml_floor(double a, double granularity) + { ++ if (granularity == 0) ++ return 0; + return (double) dcn_bw_floor2(a, granularity); + } + +@@ -114,11 +118,15 @@ static inline double dml_ceil_2(double f + + static inline double dml_ceil_ex(double x, double granularity) + { ++ if (granularity == 0) ++ return 0; + return (double) dcn_bw_ceil2(x, granularity); + } + + static inline double dml_floor_ex(double x, double granularity) + { ++ if (granularity == 0) ++ return 0; + return (double) dcn_bw_floor2(x, granularity); + } + diff --git a/queue-6.6/ksmbd-implement-new-smb3-posix-type.patch b/queue-6.6/ksmbd-implement-new-smb3-posix-type.patch new file mode 100644 index 00000000000..1e30c760cf9 --- /dev/null +++ b/queue-6.6/ksmbd-implement-new-smb3-posix-type.patch @@ -0,0 +1,96 @@ +From e8580b4c600e085b3c8e6404392de2f822d4c132 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Tue, 7 Jan 2025 17:41:21 +0900 +Subject: ksmbd: Implement new SMB3 POSIX type + +From: Namjae Jeon + +commit e8580b4c600e085b3c8e6404392de2f822d4c132 upstream. + +As SMB3 posix extension specification, Give posix file type to posix +mode. + +https://www.samba.org/~slow/SMB3_POSIX/fscc_posix_extensions.html#posix-file-type-definition + +Cc: stable@vger.kernel.org +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 40 ++++++++++++++++++++++++++++++++++++++++ + fs/smb/server/smb2pdu.h | 10 ++++++++++ + 2 files changed, 50 insertions(+) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -3989,6 +3989,26 @@ static int smb2_populate_readdir_entry(s + posix_info->DeviceId = cpu_to_le32(ksmbd_kstat->kstat->rdev); + posix_info->HardLinks = cpu_to_le32(ksmbd_kstat->kstat->nlink); + posix_info->Mode = cpu_to_le32(ksmbd_kstat->kstat->mode & 0777); ++ switch (ksmbd_kstat->kstat->mode & S_IFMT) { ++ case S_IFDIR: ++ posix_info->Mode |= cpu_to_le32(POSIX_TYPE_DIR << POSIX_FILETYPE_SHIFT); ++ break; ++ case S_IFLNK: ++ posix_info->Mode |= cpu_to_le32(POSIX_TYPE_SYMLINK << POSIX_FILETYPE_SHIFT); ++ break; ++ case S_IFCHR: ++ posix_info->Mode |= cpu_to_le32(POSIX_TYPE_CHARDEV << POSIX_FILETYPE_SHIFT); ++ break; ++ case S_IFBLK: ++ posix_info->Mode |= cpu_to_le32(POSIX_TYPE_BLKDEV << POSIX_FILETYPE_SHIFT); ++ break; ++ case S_IFIFO: ++ posix_info->Mode |= cpu_to_le32(POSIX_TYPE_FIFO << POSIX_FILETYPE_SHIFT); ++ break; ++ case S_IFSOCK: ++ posix_info->Mode |= cpu_to_le32(POSIX_TYPE_SOCKET << POSIX_FILETYPE_SHIFT); ++ } ++ + posix_info->Inode = cpu_to_le64(ksmbd_kstat->kstat->ino); + posix_info->DosAttributes = + S_ISDIR(ksmbd_kstat->kstat->mode) ? +@@ -5177,6 +5197,26 @@ static int find_file_posix_info(struct s + file_info->AllocationSize = cpu_to_le64(stat.blocks << 9); + file_info->HardLinks = cpu_to_le32(stat.nlink); + file_info->Mode = cpu_to_le32(stat.mode & 0777); ++ switch (stat.mode & S_IFMT) { ++ case S_IFDIR: ++ file_info->Mode |= cpu_to_le32(POSIX_TYPE_DIR << POSIX_FILETYPE_SHIFT); ++ break; ++ case S_IFLNK: ++ file_info->Mode |= cpu_to_le32(POSIX_TYPE_SYMLINK << POSIX_FILETYPE_SHIFT); ++ break; ++ case S_IFCHR: ++ file_info->Mode |= cpu_to_le32(POSIX_TYPE_CHARDEV << POSIX_FILETYPE_SHIFT); ++ break; ++ case S_IFBLK: ++ file_info->Mode |= cpu_to_le32(POSIX_TYPE_BLKDEV << POSIX_FILETYPE_SHIFT); ++ break; ++ case S_IFIFO: ++ file_info->Mode |= cpu_to_le32(POSIX_TYPE_FIFO << POSIX_FILETYPE_SHIFT); ++ break; ++ case S_IFSOCK: ++ file_info->Mode |= cpu_to_le32(POSIX_TYPE_SOCKET << POSIX_FILETYPE_SHIFT); ++ } ++ + file_info->DeviceId = cpu_to_le32(stat.rdev); + + /* +--- a/fs/smb/server/smb2pdu.h ++++ b/fs/smb/server/smb2pdu.h +@@ -500,4 +500,14 @@ static inline void *smb2_get_msg(void *b + return buf + 4; + } + ++#define POSIX_TYPE_FILE 0 ++#define POSIX_TYPE_DIR 1 ++#define POSIX_TYPE_SYMLINK 2 ++#define POSIX_TYPE_CHARDEV 3 ++#define POSIX_TYPE_BLKDEV 4 ++#define POSIX_TYPE_FIFO 5 ++#define POSIX_TYPE_SOCKET 6 ++ ++#define POSIX_FILETYPE_SHIFT 12 ++ + #endif /* _SMB2PDU_H */ diff --git a/queue-6.6/mptcp-sysctl-sched-avoid-using-current-nsproxy.patch b/queue-6.6/mptcp-sysctl-sched-avoid-using-current-nsproxy.patch new file mode 100644 index 00000000000..6ea7fbf7ab7 --- /dev/null +++ b/queue-6.6/mptcp-sysctl-sched-avoid-using-current-nsproxy.patch @@ -0,0 +1,169 @@ +From d38e26e36206ae3d544d496513212ae931d1da0a Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 8 Jan 2025 16:34:30 +0100 +Subject: mptcp: sysctl: sched: avoid using current->nsproxy + +From: Matthieu Baerts (NGI0) + +commit d38e26e36206ae3d544d496513212ae931d1da0a upstream. + +Using the 'net' structure via 'current' is not recommended for different +reasons. + +First, if the goal is to use it to read or write per-netns data, this is +inconsistent with how the "generic" sysctl entries are doing: directly +by only using pointers set to the table entry, e.g. table->data. Linked +to that, the per-netns data should always be obtained from the table +linked to the netns it had been created for, which may not coincide with +the reader's or writer's netns. + +Another reason is that access to current->nsproxy->netns can oops if +attempted when current->nsproxy had been dropped when the current task +is exiting. This is what syzbot found, when using acct(2): + + Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI + KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] + CPU: 1 UID: 0 PID: 5924 Comm: syz-executor Not tainted 6.13.0-rc5-syzkaller-00004-gccb98ccef0e5 #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 + RIP: 0010:proc_scheduler+0xc6/0x3c0 net/mptcp/ctrl.c:125 + Code: 03 42 80 3c 38 00 0f 85 fe 02 00 00 4d 8b a4 24 08 09 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 cc 02 00 00 4d 8b 7c 24 28 48 8d 84 24 c8 00 00 + RSP: 0018:ffffc900034774e8 EFLAGS: 00010206 + + RAX: dffffc0000000000 RBX: 1ffff9200068ee9e RCX: ffffc90003477620 + RDX: 0000000000000005 RSI: ffffffff8b08f91e RDI: 0000000000000028 + RBP: 0000000000000001 R08: ffffc90003477710 R09: 0000000000000040 + R10: 0000000000000040 R11: 00000000726f7475 R12: 0000000000000000 + R13: ffffc90003477620 R14: ffffc90003477710 R15: dffffc0000000000 + FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fee3cd452d8 CR3: 000000007d116000 CR4: 00000000003526f0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + + proc_sys_call_handler+0x403/0x5d0 fs/proc/proc_sysctl.c:601 + __kernel_write_iter+0x318/0xa80 fs/read_write.c:612 + __kernel_write+0xf6/0x140 fs/read_write.c:632 + do_acct_process+0xcb0/0x14a0 kernel/acct.c:539 + acct_pin_kill+0x2d/0x100 kernel/acct.c:192 + pin_kill+0x194/0x7c0 fs/fs_pin.c:44 + mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81 + cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366 + task_work_run+0x14e/0x250 kernel/task_work.c:239 + exit_task_work include/linux/task_work.h:43 [inline] + do_exit+0xad8/0x2d70 kernel/exit.c:938 + do_group_exit+0xd3/0x2a0 kernel/exit.c:1087 + get_signal+0x2576/0x2610 kernel/signal.c:3017 + arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337 + exit_to_user_mode_loop kernel/entry/common.c:111 [inline] + exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] + __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] + syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218 + do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + RIP: 0033:0x7fee3cb87a6a + Code: Unable to access opcode bytes at 0x7fee3cb87a40. + RSP: 002b:00007fffcccac688 EFLAGS: 00000202 ORIG_RAX: 0000000000000037 + RAX: 0000000000000000 RBX: 00007fffcccac710 RCX: 00007fee3cb87a6a + RDX: 0000000000000041 RSI: 0000000000000000 RDI: 0000000000000003 + RBP: 0000000000000003 R08: 00007fffcccac6ac R09: 00007fffcccacac7 + R10: 00007fffcccac710 R11: 0000000000000202 R12: 00007fee3cd49500 + R13: 00007fffcccac6ac R14: 0000000000000000 R15: 00007fee3cd4b000 + + Modules linked in: + ---[ end trace 0000000000000000 ]--- + RIP: 0010:proc_scheduler+0xc6/0x3c0 net/mptcp/ctrl.c:125 + Code: 03 42 80 3c 38 00 0f 85 fe 02 00 00 4d 8b a4 24 08 09 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 cc 02 00 00 4d 8b 7c 24 28 48 8d 84 24 c8 00 00 + RSP: 0018:ffffc900034774e8 EFLAGS: 00010206 + RAX: dffffc0000000000 RBX: 1ffff9200068ee9e RCX: ffffc90003477620 + RDX: 0000000000000005 RSI: ffffffff8b08f91e RDI: 0000000000000028 + RBP: 0000000000000001 R08: ffffc90003477710 R09: 0000000000000040 + R10: 0000000000000040 R11: 00000000726f7475 R12: 0000000000000000 + R13: ffffc90003477620 R14: ffffc90003477710 R15: dffffc0000000000 + FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fee3cd452d8 CR3: 000000007d116000 CR4: 00000000003526f0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + ---------------- + Code disassembly (best guess), 1 bytes skipped: + 0: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) + 5: 0f 85 fe 02 00 00 jne 0x309 + b: 4d 8b a4 24 08 09 00 mov 0x908(%r12),%r12 + 12: 00 + 13: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax + 1a: fc ff df + 1d: 49 8d 7c 24 28 lea 0x28(%r12),%rdi + 22: 48 89 fa mov %rdi,%rdx + 25: 48 c1 ea 03 shr $0x3,%rdx + * 29: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction + 2d: 0f 85 cc 02 00 00 jne 0x2ff + 33: 4d 8b 7c 24 28 mov 0x28(%r12),%r15 + 38: 48 rex.W + 39: 8d .byte 0x8d + 3a: 84 24 c8 test %ah,(%rax,%rcx,8) + +Here with 'net.mptcp.scheduler', the 'net' structure is not really +needed, because the table->data already has a pointer to the current +scheduler, the only thing needed from the per-netns data. +Simply use 'data', instead of getting (most of the time) the same thing, +but from a longer and indirect way. + +Fixes: 6963c508fd7a ("mptcp: only allow set existing scheduler for net.mptcp.scheduler") +Cc: stable@vger.kernel.org +Reported-by: syzbot+e364f774c6f57f2c86d1@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com +Suggested-by: Al Viro +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-2-5df34b2083e8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/ctrl.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/net/mptcp/ctrl.c ++++ b/net/mptcp/ctrl.c +@@ -87,16 +87,15 @@ static void mptcp_pernet_set_defaults(st + } + + #ifdef CONFIG_SYSCTL +-static int mptcp_set_scheduler(const struct net *net, const char *name) ++static int mptcp_set_scheduler(char *scheduler, const char *name) + { +- struct mptcp_pernet *pernet = mptcp_get_pernet(net); + struct mptcp_sched_ops *sched; + int ret = 0; + + rcu_read_lock(); + sched = mptcp_sched_find(name); + if (sched) +- strscpy(pernet->scheduler, name, MPTCP_SCHED_NAME_MAX); ++ strscpy(scheduler, name, MPTCP_SCHED_NAME_MAX); + else + ret = -ENOENT; + rcu_read_unlock(); +@@ -107,7 +106,7 @@ static int mptcp_set_scheduler(const str + static int proc_scheduler(struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +- const struct net *net = current->nsproxy->net_ns; ++ char (*scheduler)[MPTCP_SCHED_NAME_MAX] = ctl->data; + char val[MPTCP_SCHED_NAME_MAX]; + struct ctl_table tbl = { + .data = val, +@@ -115,11 +114,11 @@ static int proc_scheduler(struct ctl_tab + }; + int ret; + +- strscpy(val, mptcp_get_scheduler(net), MPTCP_SCHED_NAME_MAX); ++ strscpy(val, *scheduler, MPTCP_SCHED_NAME_MAX); + + ret = proc_dostring(&tbl, write, buffer, lenp, ppos); + if (write && ret == 0) +- ret = mptcp_set_scheduler(net, val); ++ ret = mptcp_set_scheduler(*scheduler, val); + + return ret; + } diff --git a/queue-6.6/scsi-ufs-qcom-power-off-the-phy-if-it-was-already-powered-on-in-ufs_qcom_power_up_sequence.patch b/queue-6.6/scsi-ufs-qcom-power-off-the-phy-if-it-was-already-powered-on-in-ufs_qcom_power_up_sequence.patch new file mode 100644 index 00000000000..83078f0f1aa --- /dev/null +++ b/queue-6.6/scsi-ufs-qcom-power-off-the-phy-if-it-was-already-powered-on-in-ufs_qcom_power_up_sequence.patch @@ -0,0 +1,147 @@ +From 7bac65687510038390a0a54cbe14fba08d037e46 Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Thu, 19 Dec 2024 22:20:41 +0530 +Subject: scsi: ufs: qcom: Power off the PHY if it was already powered on in ufs_qcom_power_up_sequence() + +From: Manivannan Sadhasivam + +commit 7bac65687510038390a0a54cbe14fba08d037e46 upstream. + +PHY might already be powered on during ufs_qcom_power_up_sequence() in a +couple of cases: + + 1. During UFSHCD_QUIRK_REINIT_AFTER_MAX_GEAR_SWITCH quirk + + 2. Resuming from spm_lvl = 5 suspend + +In those cases, it is necessary to call phy_power_off() and phy_exit() in +ufs_qcom_power_up_sequence() function to power off the PHY before calling +phy_init() and phy_power_on(). + +Case (1) is doing it via ufs_qcom_reinit_notify() callback, but case (2) is +not handled. So to satisfy both cases, call phy_power_off() and phy_exit() +if the phy_count is non-zero. And with this change, the reinit_notify() +callback is no longer needed. + +This fixes the below UFS resume failure with spm_lvl = 5: + +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: ufshcd_host_reset_and_restore: Host init failed -5 +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: ufshcd_host_reset_and_restore: Host init failed -5 +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: ufshcd_host_reset_and_restore: Host init failed -5 +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: ufshcd_host_reset_and_restore: Host init failed -5 +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: ufshcd_host_reset_and_restore: Host init failed -5 +ufs_device_wlun 0:0:0:49488: ufshcd_wl_resume failed: -5 +ufs_device_wlun 0:0:0:49488: PM: dpm_run_callback(): scsi_bus_resume returns -5 +ufs_device_wlun 0:0:0:49488: PM: failed to resume async: error -5 + +Cc: stable@vger.kernel.org # 6.3 +Fixes: baf5ddac90dc ("scsi: ufs: ufs-qcom: Add support for reinitializing the UFS device") +Reported-by: Ram Kumar Dwivedi +Tested-by: Amit Pundir # on SM8550-HDK +Reviewed-by: Bart Van Assche +Tested-by: Neil Armstrong # on SM8550-QRD +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20241219-ufs-qcom-suspend-fix-v3-1-63c4b95a70b9@linaro.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/core/ufshcd-priv.h | 6 ------ + drivers/ufs/core/ufshcd.c | 1 - + drivers/ufs/host/ufs-qcom.c | 13 +++++-------- + include/ufs/ufshcd.h | 2 -- + 4 files changed, 5 insertions(+), 17 deletions(-) + +--- a/drivers/ufs/core/ufshcd-priv.h ++++ b/drivers/ufs/core/ufshcd-priv.h +@@ -242,12 +242,6 @@ static inline void ufshcd_vops_config_sc + hba->vops->config_scaling_param(hba, p, data); + } + +-static inline void ufshcd_vops_reinit_notify(struct ufs_hba *hba) +-{ +- if (hba->vops && hba->vops->reinit_notify) +- hba->vops->reinit_notify(hba); +-} +- + static inline int ufshcd_vops_mcq_config_resource(struct ufs_hba *hba) + { + if (hba->vops && hba->vops->mcq_config_resource) +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -8795,7 +8795,6 @@ static int ufshcd_probe_hba(struct ufs_h + ufshcd_device_reset(hba); + ufs_put_device_desc(hba); + ufshcd_hba_stop(hba); +- ufshcd_vops_reinit_notify(hba); + ret = ufshcd_hba_enable(hba); + if (ret) { + dev_err(hba->dev, "Host controller enable failed\n"); +--- a/drivers/ufs/host/ufs-qcom.c ++++ b/drivers/ufs/host/ufs-qcom.c +@@ -455,6 +455,11 @@ static int ufs_qcom_power_up_sequence(st + dev_warn(hba->dev, "%s: host reset returned %d\n", + __func__, ret); + ++ if (phy->power_count) { ++ phy_power_off(phy); ++ phy_exit(phy); ++ } ++ + /* phy initialization - calibrate the phy */ + ret = phy_init(phy); + if (ret) { +@@ -1638,13 +1643,6 @@ static void ufs_qcom_config_scaling_para + } + #endif + +-static void ufs_qcom_reinit_notify(struct ufs_hba *hba) +-{ +- struct ufs_qcom_host *host = ufshcd_get_variant(hba); +- +- phy_power_off(host->generic_phy); +-} +- + /* Resources */ + static const struct ufshcd_res_info ufs_res_info[RES_MAX] = { + {.name = "ufs_mem",}, +@@ -1887,7 +1885,6 @@ static const struct ufs_hba_variant_ops + .device_reset = ufs_qcom_device_reset, + .config_scaling_param = ufs_qcom_config_scaling_param, + .program_key = ufs_qcom_ice_program_key, +- .reinit_notify = ufs_qcom_reinit_notify, + .mcq_config_resource = ufs_qcom_mcq_config_resource, + .get_hba_mac = ufs_qcom_get_hba_mac, + .op_runtime_config = ufs_qcom_op_runtime_config, +--- a/include/ufs/ufshcd.h ++++ b/include/ufs/ufshcd.h +@@ -324,7 +324,6 @@ struct ufs_pwr_mode_info { + * @config_scaling_param: called to configure clock scaling parameters + * @program_key: program or evict an inline encryption key + * @event_notify: called to notify important events +- * @reinit_notify: called to notify reinit of UFSHCD during max gear switch + * @mcq_config_resource: called to configure MCQ platform resources + * @get_hba_mac: called to get vendor specific mac value, mandatory for mcq mode + * @op_runtime_config: called to config Operation and runtime regs Pointers +@@ -369,7 +368,6 @@ struct ufs_hba_variant_ops { + const union ufs_crypto_cfg_entry *cfg, int slot); + void (*event_notify)(struct ufs_hba *hba, + enum ufs_event_type evt, void *data); +- void (*reinit_notify)(struct ufs_hba *); + int (*mcq_config_resource)(struct ufs_hba *hba); + int (*get_hba_mac)(struct ufs_hba *hba); + int (*op_runtime_config)(struct ufs_hba *hba); diff --git a/queue-6.6/sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch b/queue-6.6/sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch new file mode 100644 index 00000000000..f6ae0f437e2 --- /dev/null +++ b/queue-6.6/sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch @@ -0,0 +1,49 @@ +From 15649fd5415eda664ef35780c2013adeb5d9c695 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 8 Jan 2025 16:34:34 +0100 +Subject: sctp: sysctl: auth_enable: avoid using current->nsproxy + +From: Matthieu Baerts (NGI0) + +commit 15649fd5415eda664ef35780c2013adeb5d9c695 upstream. + +As mentioned in a previous commit of this series, using the 'net' +structure via 'current' is not recommended for different reasons: + +- Inconsistency: getting info from the reader's/writer's netns vs only + from the opener's netns. + +- current->nsproxy can be NULL in some cases, resulting in an 'Oops' + (null-ptr-deref), e.g. when the current task is exiting, as spotted by + syzbot [1] using acct(2). + +The 'net' structure can be obtained from the table->data using +container_of(). + +Note that table->data could also be used directly, but that would +increase the size of this fix, while 'sctp.ctl_sock' still needs to be +retrieved from 'net' structure. + +Fixes: b14878ccb7fa ("net: sctp: cache auth_enable per endpoint") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] +Suggested-by: Al Viro +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-6-5df34b2083e8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sysctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -503,7 +503,7 @@ static int proc_sctp_do_alpha_beta(struc + static int proc_sctp_do_auth(struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +- struct net *net = current->nsproxy->net_ns; ++ struct net *net = container_of(ctl->data, struct net, sctp.auth_enable); + struct ctl_table tbl; + int new_value, ret; + diff --git a/queue-6.6/sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch b/queue-6.6/sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch new file mode 100644 index 00000000000..ec2fd356487 --- /dev/null +++ b/queue-6.6/sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch @@ -0,0 +1,51 @@ +From ea62dd1383913b5999f3d16ae99d411f41b528d4 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 8 Jan 2025 16:34:32 +0100 +Subject: sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy + +From: Matthieu Baerts (NGI0) + +commit ea62dd1383913b5999f3d16ae99d411f41b528d4 upstream. + +As mentioned in a previous commit of this series, using the 'net' +structure via 'current' is not recommended for different reasons: + +- Inconsistency: getting info from the reader's/writer's netns vs only + from the opener's netns. + +- current->nsproxy can be NULL in some cases, resulting in an 'Oops' + (null-ptr-deref), e.g. when the current task is exiting, as spotted by + syzbot [1] using acct(2). + +The 'net' structure can be obtained from the table->data using +container_of(). + +Note that table->data could also be used directly, as this is the only +member needed from the 'net' structure, but that would increase the size +of this fix, to use '*data' everywhere 'net->sctp.sctp_hmac_alg' is +used. + +Fixes: 3c68198e7511 ("sctp: Make hmac algorithm selection for cookie generation dynamic") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] +Suggested-by: Al Viro +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-4-5df34b2083e8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sysctl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -391,7 +391,8 @@ static struct ctl_table sctp_net_table[] + static int proc_sctp_do_hmac_alg(struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +- struct net *net = current->nsproxy->net_ns; ++ struct net *net = container_of(ctl->data, struct net, ++ sctp.sctp_hmac_alg); + struct ctl_table tbl; + bool changed = false; + char *none = "none"; diff --git a/queue-6.6/sctp-sysctl-plpmtud_probe_interval-avoid-using-current-nsproxy.patch b/queue-6.6/sctp-sysctl-plpmtud_probe_interval-avoid-using-current-nsproxy.patch new file mode 100644 index 00000000000..e36943a2f64 --- /dev/null +++ b/queue-6.6/sctp-sysctl-plpmtud_probe_interval-avoid-using-current-nsproxy.patch @@ -0,0 +1,51 @@ +From 6259d2484d0ceff42245d1f09cc8cb6ee72d847a Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 8 Jan 2025 16:34:36 +0100 +Subject: sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy + +From: Matthieu Baerts (NGI0) + +commit 6259d2484d0ceff42245d1f09cc8cb6ee72d847a upstream. + +As mentioned in a previous commit of this series, using the 'net' +structure via 'current' is not recommended for different reasons: + +- Inconsistency: getting info from the reader's/writer's netns vs only + from the opener's netns. + +- current->nsproxy can be NULL in some cases, resulting in an 'Oops' + (null-ptr-deref), e.g. when the current task is exiting, as spotted by + syzbot [1] using acct(2). + +The 'net' structure can be obtained from the table->data using +container_of(). + +Note that table->data could also be used directly, as this is the only +member needed from the 'net' structure, but that would increase the size +of this fix, to use '*data' everywhere 'net->sctp.probe_interval' is +used. + +Fixes: d1e462a7a5f3 ("sctp: add probe_interval in sysctl and sock/asoc/transport") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] +Suggested-by: Al Viro +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-8-5df34b2083e8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sysctl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -573,7 +573,8 @@ static int proc_sctp_do_udp_port(struct + static int proc_sctp_do_probe_interval(struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +- struct net *net = current->nsproxy->net_ns; ++ struct net *net = container_of(ctl->data, struct net, ++ sctp.probe_interval); + struct ctl_table tbl; + int ret, new_value; + diff --git a/queue-6.6/sctp-sysctl-rto_min-max-avoid-using-current-nsproxy.patch b/queue-6.6/sctp-sysctl-rto_min-max-avoid-using-current-nsproxy.patch new file mode 100644 index 00000000000..701748f2283 --- /dev/null +++ b/queue-6.6/sctp-sysctl-rto_min-max-avoid-using-current-nsproxy.patch @@ -0,0 +1,58 @@ +From 9fc17b76fc70763780aa78b38fcf4742384044a5 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 8 Jan 2025 16:34:33 +0100 +Subject: sctp: sysctl: rto_min/max: avoid using current->nsproxy + +From: Matthieu Baerts (NGI0) + +commit 9fc17b76fc70763780aa78b38fcf4742384044a5 upstream. + +As mentioned in a previous commit of this series, using the 'net' +structure via 'current' is not recommended for different reasons: + +- Inconsistency: getting info from the reader's/writer's netns vs only + from the opener's netns. + +- current->nsproxy can be NULL in some cases, resulting in an 'Oops' + (null-ptr-deref), e.g. when the current task is exiting, as spotted by + syzbot [1] using acct(2). + +The 'net' structure can be obtained from the table->data using +container_of(). + +Note that table->data could also be used directly, as this is the only +member needed from the 'net' structure, but that would increase the size +of this fix, to use '*data' everywhere 'net->sctp.rto_min/max' is used. + +Fixes: 4f3fdf3bc59c ("sctp: add check rto_min and rto_max in sysctl") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] +Suggested-by: Al Viro +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-5-5df34b2083e8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sysctl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -437,7 +437,7 @@ static int proc_sctp_do_hmac_alg(struct + static int proc_sctp_do_rto_min(struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +- struct net *net = current->nsproxy->net_ns; ++ struct net *net = container_of(ctl->data, struct net, sctp.rto_min); + unsigned int min = *(unsigned int *) ctl->extra1; + unsigned int max = *(unsigned int *) ctl->extra2; + struct ctl_table tbl; +@@ -465,7 +465,7 @@ static int proc_sctp_do_rto_min(struct c + static int proc_sctp_do_rto_max(struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +- struct net *net = current->nsproxy->net_ns; ++ struct net *net = container_of(ctl->data, struct net, sctp.rto_max); + unsigned int min = *(unsigned int *) ctl->extra1; + unsigned int max = *(unsigned int *) ctl->extra2; + struct ctl_table tbl; diff --git a/queue-6.6/sctp-sysctl-udp_port-avoid-using-current-nsproxy.patch b/queue-6.6/sctp-sysctl-udp_port-avoid-using-current-nsproxy.patch new file mode 100644 index 00000000000..85ce1dd6785 --- /dev/null +++ b/queue-6.6/sctp-sysctl-udp_port-avoid-using-current-nsproxy.patch @@ -0,0 +1,49 @@ +From c10377bbc1972d858eaf0ab366a311b39f8ef1b6 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 8 Jan 2025 16:34:35 +0100 +Subject: sctp: sysctl: udp_port: avoid using current->nsproxy + +From: Matthieu Baerts (NGI0) + +commit c10377bbc1972d858eaf0ab366a311b39f8ef1b6 upstream. + +As mentioned in a previous commit of this series, using the 'net' +structure via 'current' is not recommended for different reasons: + +- Inconsistency: getting info from the reader's/writer's netns vs only + from the opener's netns. + +- current->nsproxy can be NULL in some cases, resulting in an 'Oops' + (null-ptr-deref), e.g. when the current task is exiting, as spotted by + syzbot [1] using acct(2). + +The 'net' structure can be obtained from the table->data using +container_of(). + +Note that table->data could also be used directly, but that would +increase the size of this fix, while 'sctp.ctl_sock' still needs to be +retrieved from 'net' structure. + +Fixes: 046c052b475e ("sctp: enable udp tunneling socks") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] +Suggested-by: Al Viro +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-7-5df34b2083e8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sysctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -532,7 +532,7 @@ static int proc_sctp_do_auth(struct ctl_ + static int proc_sctp_do_udp_port(struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +- struct net *net = current->nsproxy->net_ns; ++ struct net *net = container_of(ctl->data, struct net, sctp.udp_port); + unsigned int min = *(unsigned int *)ctl->extra1; + unsigned int max = *(unsigned int *)ctl->extra2; + struct ctl_table tbl; diff --git a/queue-6.6/series b/queue-6.6/series index 739eb45c34d..d2c5900d39d 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -57,3 +57,14 @@ platform-x86-amd-pmc-only-disable-irq1-wakeup-where-.patch ksmbd-fix-unexpectedly-changed-path-in-ksmbd_vfs_ker.patch cpuidle-riscv-sbi-fix-device-node-release-in-early-e.patch riscv-mm-fix-the-out-of-bound-issue-of-vmemmap-addre.patch +dm-thin-make-get_first_thin-use-rcu-safe-list-first-function.patch +scsi-ufs-qcom-power-off-the-phy-if-it-was-already-powered-on-in-ufs_qcom_power_up_sequence.patch +dm-ebs-don-t-set-the-flag-dm_target_passes_integrity.patch +mptcp-sysctl-sched-avoid-using-current-nsproxy.patch +sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch +sctp-sysctl-rto_min-max-avoid-using-current-nsproxy.patch +sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch +sctp-sysctl-udp_port-avoid-using-current-nsproxy.patch +sctp-sysctl-plpmtud_probe_interval-avoid-using-current-nsproxy.patch +ksmbd-implement-new-smb3-posix-type.patch +drm-amd-display-add-check-for-granularity-in-dml-ceil-floor-helpers.patch