From: Greg Kroah-Hartman Date: Tue, 30 Sep 2025 11:10:53 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v5.4.300~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f319d47e17814495028ae9ff07b96794a7ba78bd;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: drm-ast-use-msleep-instead-of-mdelay-for-edid-read.patch i40e-add-validation-for-ring_len-param.patch i40e-fix-idx-validation-in-config-queues-msg.patch i40e-fix-validation-of-vf-state-in-get-resources.patch i40e-increase-max-descriptors-for-xl710.patch kmsan-fix-out-of-bounds-access-to-shadow-memory.patch
---
diff --git a/queue-6.1/drm-ast-use-msleep-instead-of-mdelay-for-edid-read.patch b/queue-6.1/drm-ast-use-msleep-instead-of-mdelay-for-edid-read.patch
new file mode 100644
index 0000000000..4e39f88900
--- /dev/null
+++ b/queue-6.1/drm-ast-use-msleep-instead-of-mdelay-for-edid-read.patch
@@ -0,0 +1,45 @@
+From stable+bounces-181949-greg=kroah.com@vger.kernel.org Mon Sep 29 17:54:28 2025
+From: Sasha Levin
+Date: Mon, 29 Sep 2025 11:54:09 -0400
+Subject: drm/ast: Use msleep instead of mdelay for edid read
+To: stable@vger.kernel.org
+Cc: Nirmoy Das , Thomas Zimmermann , KuoHsiang Chou , Dave Airlie , Jocelyn Falempe , dri-devel@lists.freedesktop.org, Sasha Levin
+Message-ID: <20250929155412.141429-1-sashal@kernel.org>
+
+From: Nirmoy Das
+
+[ Upstream commit c7c31f8dc54aa3c9b2c994b5f1ff7e740a654e97 ]
+
+The busy-waiting in `mdelay()` can cause CPU stalls and kernel timeouts
+during boot.
+
+Signed-off-by: Nirmoy Das
+Reviewed-by: Thomas Zimmermann
+Tested-by: Carol L Soto csoto@nvidia.com
+Fixes: 594e9c04b586 ("drm/ast: Create the driver for ASPEED proprietory Display-Port")
+Cc: KuoHsiang Chou
+Cc: Thomas Zimmermann
+Cc: Dave Airlie
+Cc: Jocelyn Falempe
+Cc: dri-devel@lists.freedesktop.org
+Cc: # v5.19+
+Signed-off-by: Thomas Zimmermann
+Link: https://lore.kernel.org/r/20250917194346.2905522-1-nirmoyd@nvidia.com
+[ Applied change to ast_astdp_read_edid() instead of ast_astdp_read_edid_block() ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/ast/ast_dp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ast/ast_dp.c
++++ b/drivers/gpu/drm/ast/ast_dp.c
+@@ -51,7 +51,7 @@ int ast_astdp_read_edid(struct drm_devic
+ * of right-click of mouse.
+ * 2. The Delays are often longer a lot when system resume from S3/S4.
+ */
+- mdelay(j+1);
++ msleep(j + 1);
+
+ if (!(ast_get_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xD1,
+ ASTDP_MCU_FW_EXECUTING) &&
diff --git a/queue-6.1/i40e-add-validation-for-ring_len-param.patch b/queue-6.1/i40e-add-validation-for-ring_len-param.patch
new file mode 100644
index 0000000000..a89b205d06
--- /dev/null
+++ b/queue-6.1/i40e-add-validation-for-ring_len-param.patch
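Review bot: The replacement `msleep(j + 1)` is only valid where sleeping is allowed, and for requests of a few milliseconds msleep() may sleep noticeably longer than asked, so the retry loop's worst-case duration changes along with its CPU cost. Neither the calling context of ast_astdp_read_edid() nor the bound on `j` is visible in this hunk, and the backport applies the change to a different function than upstream, so both should be confirmed for 6.1. A comment such as `/* sleeps: must not be called from atomic context */` above the call would record the new constraint.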
@@ -0,0 +1,66 @@
+From stable+bounces-181924-greg=kroah.com@vger.kernel.org Mon Sep 29 16:26:10 2025
+From: Sasha Levin
+Date: Mon, 29 Sep 2025 10:25:17 -0400
+Subject: i40e: add validation for ring_len param
+To: stable@vger.kernel.org
+Cc: Lukasz Czapnik , Aleksandr Loktionov , Przemek Kitszel , Simon Horman , Rafal Romanowski , Tony Nguyen , Sasha Levin
+Message-ID: <20250929142517.86759-2-sashal@kernel.org>
+
+From: Lukasz Czapnik
+
+[ Upstream commit 55d225670def06b01af2e7a5e0446fbe946289e8 ]
+
+The `ring_len` parameter provided by the virtual function (VF)
+is assigned directly to the hardware memory context (HMC) without
+any validation.
+
+To address this, introduce an upper boundary check for both Tx and Rx
+queue lengths. The maximum number of descriptors supported by the
+hardware is 8k-32.
+Additionally, enforce alignment constraints: Tx rings must be a multiple
+of 8, and Rx rings must be a multiple of 32.
+
+Fixes: 5c3c48ac6bf5 ("i40e: implement virtual device interface")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik
+Reviewed-by: Aleksandr Loktionov
+Signed-off-by: Przemek Kitszel
+Reviewed-by: Simon Horman
+Tested-by: Rafal Romanowski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -653,6 +653,13 @@ static int i40e_config_vsi_tx_queue(stru
+
+ /* only set the required fields */
+ tx_ctx.base = info->dma_ring_addr / 128;
++
++ /* ring_len has to be multiple of 8 */
++ if (!IS_ALIGNED(info->ring_len, 8) ||
++ info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) {
++ ret = -EINVAL;
++ goto error_context;
++ }
+ tx_ctx.qlen = info->ring_len;
+ tx_ctx.rdylist = le16_to_cpu(vsi->info.qs_handle[0]);
+ tx_ctx.rdylist_act = 0;
+@@ -718,6 +725,13 @@ static int 
i40e_config_vsi_rx_queue(stru
+
+ /* only set the required fields */
+ rx_ctx.base = info->dma_ring_addr / 128;
++
++ /* ring_len has to be multiple of 32 */
++ if (!IS_ALIGNED(info->ring_len, 32) ||
++ info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) {
++ ret = -EINVAL;
++ goto error_param;
++ }
+ rx_ctx.qlen = info->ring_len;
+
+ if (info->splithdr_enabled) {
diff --git a/queue-6.1/i40e-fix-idx-validation-in-config-queues-msg.patch b/queue-6.1/i40e-fix-idx-validation-in-config-queues-msg.patch
new file mode 100644
index 0000000000..4299c3f57b
--- /dev/null
+++ b/queue-6.1/i40e-fix-idx-validation-in-config-queues-msg.patch
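Review bot: The new bound compares the VF-supplied `info->ring_len` with `I40E_MAX_NUM_DESCRIPTORS_XL710` for every MAC type and sets no lower limit, in both the Tx and the Rx check. A `ring_len` of 0 therefore satisfies `IS_ALIGNED()` and the upper bound, and a VF on a non-XL710 MAC may request more than the 4096 descriptors that the ethtool path in the companion patch allows for those parts. Whether either value is harmful to the hardware is not visible here, but rejecting zero explicitly, e.g. `if (!info->ring_len || !IS_ALIGNED(info->ring_len, 8) ||`, and stating in the comment that the 8160 limit is applied regardless of MAC type would make the intent checkable. Both functions continue outside the hunks, so the `error_context` and `error_param` cleanup paths cannot be verified from this page.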
@@ -0,0 +1,50 @@
+From stable+bounces-181931-greg=kroah.com@vger.kernel.org Mon Sep 29 16:42:50 2025
+From: Sasha Levin
+Date: Mon, 29 Sep 2025 10:42:43 -0400
+Subject: i40e: fix idx validation in config queues msg
+To: stable@vger.kernel.org
+Cc: Lukasz Czapnik , Aleksandr Loktionov , Przemek Kitszel , Simon Horman , Kamakshi Nellore , Tony Nguyen , Sasha Levin
+Message-ID: <20250929144243.104777-1-sashal@kernel.org>
+
+From: Lukasz Czapnik
+
+[ Upstream commit f1ad24c5abe1eaef69158bac1405a74b3c365115 ]
+
+Ensure idx is within range of active/initialized TCs when iterating over
+vf->ch[idx] in i40e_vc_config_queues_msg().
+
+Fixes: c27eac48160d ("i40e: Enable ADq and create queue channel/s on VF")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik
+Reviewed-by: Aleksandr Loktionov
+Signed-off-by: Przemek Kitszel
+Reviewed-by: Simon Horman
+Tested-by: Kamakshi Nellore (A Contingent Worker at Intel)
+Signed-off-by: Tony Nguyen
+[ Adjust context ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -2391,7 +2391,7 @@ static int i40e_vc_config_queues_msg(str
+ }
+
+ if (vf->adq_enabled) {
+- if (idx >= ARRAY_SIZE(vf->ch)) {
++ if (idx >= vf->num_tc) {
+ aq_ret = I40E_ERR_NO_AVAILABLE_VSI;
+ goto error_param;
+ }
+@@ -2412,7 +2412,7 @@ static int i40e_vc_config_queues_msg(str
+ * to its appropriate VSIs based on TC mapping
+ */
+ if (vf->adq_enabled) {
+- if (idx >= ARRAY_SIZE(vf->ch)) {
++ if (idx >= vf->num_tc) {
+ aq_ret = I40E_ERR_NO_AVAILABLE_VSI;
+ goto error_param;
+ }
diff --git a/queue-6.1/i40e-fix-validation-of-vf-state-in-get-resources.patch b/queue-6.1/i40e-fix-validation-of-vf-state-in-get-resources.patch
new file mode 100644
index 0000000000..6f4bfe934d
--- /dev/null
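Review bot: Replacing `ARRAY_SIZE(vf->ch)` with `vf->num_tc` makes the bounds check on the VF-driven index `idx` depend on `vf->num_tc` never exceeding the size of `vf->ch`, and that invariant is established outside these hunks. If it is not guaranteed at the point where `num_tc` is stored, keep both limits in the two places the commit touches, `if (idx >= vf->num_tc || idx >= ARRAY_SIZE(vf->ch)) {`; if it is guaranteed, a one-line comment stating so would let a reader verify the `vf->ch[idx]` access locally. The body of i40e_vc_config_queues_msg() and the place where `idx` advances are not visible here.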
+++ b/queue-6.1/i40e-fix-validation-of-vf-state-in-get-resources.patch 
@@ -0,0 +1,77 @@
+From stable+bounces-181932-greg=kroah.com@vger.kernel.org Mon Sep 29 16:46:27 2025
+From: Sasha Levin
+Date: Mon, 29 Sep 2025 10:45:51 -0400
+Subject: i40e: fix validation of VF state in get resources
+To: stable@vger.kernel.org
+Cc: Lukasz Czapnik , Aleksandr Loktionov , Przemek Kitszel , Simon Horman , Rafal Romanowski , Tony Nguyen , Sasha Levin
+Message-ID: <20250929144551.106680-1-sashal@kernel.org>
+
+From: Lukasz Czapnik
+
+[ Upstream commit 877b7e6ffc23766448236e8732254534c518ba42 ]
+
+VF state I40E_VF_STATE_ACTIVE is not the only state in which
+VF is actually active so it should not be used to determine
+if a VF is allowed to obtain resources.
+
+Use I40E_VF_STATE_RESOURCES_LOADED that is set only in
+i40e_vc_get_vf_resources_msg() and cleared during reset.
+
+Fixes: 61125b8be85d ("i40e: Fix failed opcode appearing if handling messages from VF")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lukasz Czapnik
+Reviewed-by: Aleksandr Loktionov
+Signed-off-by: Przemek Kitszel
+Reviewed-by: Simon Horman
+Tested-by: Rafal Romanowski
+Signed-off-by: Tony Nguyen
+[ Adjust context ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 7 ++++++-
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h | 3 ++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -1455,6 +1455,7 @@ static void i40e_trigger_vf_reset(struct
+ * functions that may still be running at this point.
+ */
+ clear_bit(I40E_VF_STATE_INIT, &vf->vf_states);
++ clear_bit(I40E_VF_STATE_RESOURCES_LOADED, &vf->vf_states);
+
+ /* In the case of a VFLR, the HW has already reset the VF and we
+ * just need to clean up, so don't hit the VFRTRIG register.
+@@ -2121,7 +2122,10 @@ static int i40e_vc_get_vf_resources_msg(
+ size_t len = 0;
+ int ret;
+
+- if (!i40e_sync_vf_state(vf, I40E_VF_STATE_INIT)) {
++ i40e_sync_vf_state(vf, I40E_VF_STATE_INIT);
++
++ if (!test_bit(I40E_VF_STATE_INIT, &vf->vf_states) ||
++ test_bit(I40E_VF_STATE_RESOURCES_LOADED, &vf->vf_states)) {
+ aq_ret = I40E_ERR_PARAM;
+ goto err;
+ }
+@@ -2224,6 +2228,7 @@ static int i40e_vc_get_vf_resources_msg(
+ vf->default_lan_addr.addr);
+ }
+ set_bit(I40E_VF_STATE_ACTIVE, &vf->vf_states);
++ set_bit(I40E_VF_STATE_RESOURCES_LOADED, &vf->vf_states);
+
+ err:
+ /* send the response back to the VF */
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h
+@@ -39,7 +39,8 @@ enum i40e_vf_states {
+ I40E_VF_STATE_MC_PROMISC,
+ I40E_VF_STATE_UC_PROMISC,
+ I40E_VF_STATE_PRE_ENABLE,
+- I40E_VF_STATE_RESETTING
++ I40E_VF_STATE_RESETTING,
++ I40E_VF_STATE_RESOURCES_LOADED,
+ };
+
+ /* VF capabilities */
diff --git a/queue-6.1/i40e-increase-max-descriptors-for-xl710.patch b/queue-6.1/i40e-increase-max-descriptors-for-xl710.patch
new file mode 100644
index 0000000000..048b11faff
--- /dev/null
+++ b/queue-6.1/i40e-increase-max-descriptors-for-xl710.patch
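Review bot: The `test_bit(I40E_VF_STATE_RESOURCES_LOADED, ...)` gate at the top of i40e_vc_get_vf_resources_msg() and the `set_bit()` near its end are separate operations, so the one-request-per-reset guarantee holds only if messages from one VF are handled serially, and that serialisation is not visible in these hunks. The flag is also set only on the path that reaches the line before `err:`, so a request that fails earlier can be repeated, presumably on purpose. Both facts belong next to the new enumerator, for example `I40E_VF_STATE_RESOURCES_LOADED, /* set after GET_VF_RESOURCES succeeds, cleared on VF reset */`. The return value of `i40e_sync_vf_state()` is now discarded, which looks intentional given the explicit `test_bit()` that follows, but a short comment saying so would prevent it being "fixed" later.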
@@ -0,0 +1,105 @@
+From stable+bounces-181925-greg=kroah.com@vger.kernel.org Mon Sep 29 16:26:11 2025
+From: Sasha Levin
+Date: Mon, 29 Sep 2025 10:25:16 -0400
+Subject: i40e: increase max descriptors for XL710
+To: stable@vger.kernel.org
+Cc: Justin Bronder , Jacob Keller , Pucha Himasekhar Reddy , Tony Nguyen , Jakub Kicinski , Sasha Levin
+Message-ID: <20250929142517.86759-1-sashal@kernel.org>
+
+From: Justin Bronder
+
+[ Upstream commit aa6908ca3bd1e713fd6cd8d7193a008f060bf7d9 ]
+
+In Tables 8-12 and 8-22 in the X710/XXV710/XL710 datasheet, the QLEN
+description states that the maximum size of the descriptor queue is 8k
+minus 32, or 8160.
+
+Signed-off-by: Justin Bronder
+Reviewed-by: Jacob Keller
+Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen
+Link: https://lore.kernel.org/r/20231113231047.548659-2-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski
+Stable-dep-of: 55d225670def ("i40e: add validation for ring_len param")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/i40e/i40e.h | 1 +
+ drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 25 +++++++++++++++++++------
+ 2 files changed, 20 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e.h
++++ b/drivers/net/ethernet/intel/i40e/i40e.h
+@@ -50,6 +50,7 @@
+ #define I40E_MAX_VEB 16
+
+ #define I40E_MAX_NUM_DESCRIPTORS 4096
++#define I40E_MAX_NUM_DESCRIPTORS_XL710 8160
+ #define I40E_MAX_CSR_SPACE (4 * 1024 * 1024 - 64 * 1024)
+ #define I40E_DEFAULT_NUM_DESCRIPTORS 512
+ #define I40E_REQ_DESCRIPTOR_MULTIPLE 32
+--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+@@ -2012,6 +2012,18 @@ static void i40e_get_drvinfo(struct net_
+ drvinfo->n_priv_flags += I40E_GL_PRIV_FLAGS_STR_LEN;
+ }
+
++static u32 i40e_get_max_num_descriptors(struct i40e_pf *pf)
++{
++ struct i40e_hw *hw = &pf->hw;
++
++ switch (hw->mac.type) {
++ case I40E_MAC_XL710:
++ return I40E_MAX_NUM_DESCRIPTORS_XL710;
++ default:
++ return I40E_MAX_NUM_DESCRIPTORS;
++ }
++}
++
+ static void i40e_get_ringparam(struct net_device *netdev,
+ struct ethtool_ringparam *ring,
+ struct kernel_ethtool_ringparam *kernel_ring,
+@@ -2021,8 +2033,8 @@ static void i40e_get_ringparam(struct ne
+ struct i40e_pf *pf = np->vsi->back;
+ struct i40e_vsi *vsi = pf->vsi[pf->lan_vsi];
+
+- ring->rx_max_pending = I40E_MAX_NUM_DESCRIPTORS;
+- ring->tx_max_pending = I40E_MAX_NUM_DESCRIPTORS;
++ ring->rx_max_pending = i40e_get_max_num_descriptors(pf);
++ ring->tx_max_pending = i40e_get_max_num_descriptors(pf);
+ ring->rx_mini_max_pending = 0;
+ ring->rx_jumbo_max_pending = 0;
+ ring->rx_pending = vsi->rx_rings[0]->count;
+@@ -2047,12 +2059,12 @@ static int i40e_set_ringparam(struct net
+ struct kernel_ethtool_ringparam *kernel_ring,
+ struct netlink_ext_ack *extack)
+ {
++ u32 new_rx_count, new_tx_count, max_num_descriptors;
+ struct i40e_ring *tx_rings = NULL, *rx_rings = NULL;
+ struct i40e_netdev_priv *np = netdev_priv(netdev);
+ struct i40e_hw *hw = &np->vsi->back->hw;
+ struct i40e_vsi *vsi = np->vsi;
+ struct i40e_pf *pf = vsi->back;
+- u32 new_rx_count, new_tx_count;
+ u16 tx_alloc_queue_pairs;
+ int timeout = 50;
+ int i, err = 0;
+@@ -2060,14 +2072,15 @@ static int i40e_set_ringparam(struct net
+ if ((ring->rx_mini_pending) || (ring->rx_jumbo_pending))
+ return -EINVAL;
+
+- if (ring->tx_pending > I40E_MAX_NUM_DESCRIPTORS ||
++ max_num_descriptors = i40e_get_max_num_descriptors(pf);
++ if (ring->tx_pending > max_num_descriptors ||
+ ring->tx_pending < I40E_MIN_NUM_DESCRIPTORS ||
+- ring->rx_pending > I40E_MAX_NUM_DESCRIPTORS ||
++ ring->rx_pending > max_num_descriptors ||
+ ring->rx_pending < I40E_MIN_NUM_DESCRIPTORS) {
+ netdev_info(netdev,
+ "Descriptors requested (Tx: %d / Rx: %d) out of range [%d-%d]\n",
+ ring->tx_pending, ring->rx_pending,
+- I40E_MIN_NUM_DESCRIPTORS, I40E_MAX_NUM_DESCRIPTORS);
++ I40E_MIN_NUM_DESCRIPTORS, max_num_descriptors);
+
return -EINVAL;
+ }
+
diff --git a/queue-6.1/kmsan-fix-out-of-bounds-access-to-shadow-memory.patch b/queue-6.1/kmsan-fix-out-of-bounds-access-to-shadow-memory.patch
new file mode 100644
index 0000000000..4ff7f6e49a
--- /dev/null
+++ b/queue-6.1/kmsan-fix-out-of-bounds-access-to-shadow-memory.patch
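Review bot: The new helper `i40e_get_max_num_descriptors()` has no comment saying where 8160 comes from or that every MAC type other than `I40E_MAC_XL710` keeps the 4096 limit through the `default` branch. A header such as `/* XL710 QLEN allows 8k - 32 descriptors (datasheet tables 8-12 and 8-22); other MACs keep I40E_MAX_NUM_DESCRIPTORS */` would let a reader check the limit against the source the commit message cites. In `i40e_set_ringparam()` the range message now prints the `u32` `max_num_descriptors` with `%d`; `%u` matches the type.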
@@ -0,0 +1,133 @@
+From stable+bounces-181992-greg=kroah.com@vger.kernel.org Mon Sep 29 21:22:46 2025
+From: Sasha Levin
+Date: Mon, 29 Sep 2025 15:22:34 -0400
+Subject: kmsan: fix out-of-bounds access to shadow memory
+To: stable@vger.kernel.org
+Cc: Eric Biggers , Alexander Potapenko , Dmitriy Vyukov , Marco Elver , Andrew Morton , Sasha Levin
+Message-ID: <20250929192234.298716-1-sashal@kernel.org>
+
+From: Eric Biggers
+
+[ Upstream commit 85e1ff61060a765d91ee62dc5606d4d547d9d105 ]
+
+Running sha224_kunit on a KMSAN-enabled kernel results in a crash in
+kmsan_internal_set_shadow_origin():
+
+ BUG: unable to handle page fault for address: ffffbc3840291000
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 1810067 P4D 1810067 PUD 192d067 PMD 3c17067 PTE 0
+ Oops: 0000 [#1] SMP NOPTI
+ CPU: 0 UID: 0 PID: 81 Comm: kunit_try_catch Tainted: G N 6.17.0-rc3 #10 PREEMPT(voluntary)
+ Tainted: [N]=TEST
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:kmsan_internal_set_shadow_origin+0x91/0x100
+ [...]
+ Call Trace:
+
+ __msan_memset+0xee/0x1a0
+ sha224_final+0x9e/0x350
+ test_hash_buffer_overruns+0x46f/0x5f0
+ ? kmsan_get_shadow_origin_ptr+0x46/0xa0
+ ? __pfx_test_hash_buffer_overruns+0x10/0x10
+ kunit_try_run_case+0x198/0xa00
+
+This occurs when memset() is called on a buffer that is not 4-byte aligned
+and extends to the end of a guard page, i.e. the next page is unmapped.
+
+The bug is that the loop at the end of kmsan_internal_set_shadow_origin()
+accesses the wrong shadow memory bytes when the address is not 4-byte
+aligned. Since each 4 bytes are associated with an origin, it rounds the
+address and size so that it can access all the origins that contain the
+buffer. However, when it checks the corresponding shadow bytes for a
+particular origin, it incorrectly uses the original unrounded shadow
+address.
This results in reads from shadow memory beyond the end of the
+buffer's shadow memory, which crashes when that memory is not mapped.
+
+To fix this, correctly align the shadow address before accessing the 4
+shadow bytes corresponding to each origin.
+
+Link: https://lkml.kernel.org/r/20250911195858.394235-1-ebiggers@kernel.org
+Fixes: 2ef3cec44c60 ("kmsan: do not wipe out origin when doing partial unpoisoning")
+Signed-off-by: Eric Biggers
+Tested-by: Alexander Potapenko
+Reviewed-by: Alexander Potapenko
+Cc: Dmitriy Vyukov
+Cc: Marco Elver
+Cc:
+Signed-off-by: Andrew Morton
+[ Adjust context in tests ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/kmsan/core.c | 10 +++++++---
+ mm/kmsan/kmsan_test.c | 16 ++++++++++++++++
+ 2 files changed, 23 insertions(+), 3 deletions(-)
+
+--- a/mm/kmsan/core.c
++++ b/mm/kmsan/core.c
+@@ -258,7 +258,8 @@ void kmsan_internal_set_shadow_origin(vo
+ u32 origin, bool checked)
+ {
+ u64 address = (u64)addr;
+- u32 *shadow_start, *origin_start;
++ void *shadow_start;
++ u32 *aligned_shadow, *origin_start;
+ size_t pad = 0;
+
+ KMSAN_WARN_ON(!kmsan_metadata_is_contiguous(addr, size));
+@@ -277,9 +278,12 @@ void kmsan_internal_set_shadow_origin(vo
+ }
+ __memset(shadow_start, b, size);
+
+- if (!IS_ALIGNED(address, KMSAN_ORIGIN_SIZE)) {
++ if (IS_ALIGNED(address, KMSAN_ORIGIN_SIZE)) {
++ aligned_shadow = shadow_start;
++ } else {
+ pad = address % KMSAN_ORIGIN_SIZE;
+ address -= pad;
++ aligned_shadow = shadow_start - pad;
+ size += pad;
+ }
+ size = ALIGN(size, KMSAN_ORIGIN_SIZE);
+@@ -293,7 +297,7 @@ void kmsan_internal_set_shadow_origin(vo
+ * corresponding shadow slot is zero.
+ */
+ for (int i = 0; i < size / KMSAN_ORIGIN_SIZE; i++) {
+- if (origin || !shadow_start[i])
++ if (origin || !aligned_shadow[i])
+ origin_start[i] = origin;
+ }
+ }
+--- a/mm/kmsan/kmsan_test.c
++++ b/mm/kmsan/kmsan_test.c
+@@ -470,6 +470,21 @@ static void test_memcpy_aligned_to_unali
+ KUNIT_EXPECT_TRUE(test, report_matches(&expect));
+ }
+
++/* Test case: ensure that KMSAN does not access shadow memory out of bounds. */
++static void test_memset_on_guarded_buffer(struct kunit *test)
++{
++ void *buf = vmalloc(PAGE_SIZE);
++
++ kunit_info(test,
++ "memset() on ends of guarded buffer should not crash\n");
++
++ for (size_t size = 0; size <= 128; size++) {
++ memset(buf, 0xff, size);
++ memset(buf + PAGE_SIZE - size, 0xff, size);
++ }
++ vfree(buf);
++}
++
+ static noinline void fibonacci(int *array, int size, int start) {
+ if (start < 2 || (start == size))
+ return;
+@@ -515,6 +530,7 @@ static struct kunit_case kmsan_test_case
+ KUNIT_CASE(test_memcpy_aligned_to_aligned),
+ KUNIT_CASE(test_memcpy_aligned_to_unaligned),
+ KUNIT_CASE(test_memcpy_aligned_to_unaligned2),
++ KUNIT_CASE(test_memset_on_guarded_buffer),
+ KUNIT_CASE(test_long_origin_chain),
+ {},
+ };
diff --git a/queue-6.1/series b/queue-6.1/series
index 38e1f6f009..467d908bd1 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -64,3 +64,9 @@ minmax-fix-indentation-of-__cmp_once-and-__clamp_once.patch
 minmax-avoid-overly-complicated-constant-expressions-in-vm-code.patch
 minmax-simplify-and-clarify-min_t-max_t-implementation.patch
 minmax-add-a-few-more-min_t-max_t-users.patch
+drm-ast-use-msleep-instead-of-mdelay-for-edid-read.patch
+i40e-fix-validation-of-vf-state-in-get-resources.patch
+i40e-fix-idx-validation-in-config-queues-msg.patch
+i40e-increase-max-descriptors-for-xl710.patch
+i40e-add-validation-for-ring_len-param.patch
+kmsan-fix-out-of-bounds-access-to-shadow-memory.patch
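Review bot: `test_memset_on_guarded_buffer()` passes the result of `vmalloc(PAGE_SIZE)` straight to `memset()` without checking it, so an allocation failure becomes a NULL dereference in the test rather than a reported failure. Adding `KUNIT_ASSERT_NOT_ERR_OR_NULL(test, buf);` right after the allocation fixes that. The test also depends on the page following the vmalloc allocation being unmapped, which is what makes an out-of-bounds shadow read fault; the comment above the function should say so, since without that guard page the test passes even when the bug is present.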