From 37f826bd190429a0a624cbac4e3af01fda365286 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 27 Nov 2025 14:49:00 +0100 Subject: [PATCH] 5.15-stable patches added patches: ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch btrfs-add-helper-to-truncate-inode-items-when-logging-inode.patch btrfs-fix-crash-on-racing-fsync-and-size-extending-write-into-prealloc.patch dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch input-pegasus-notetaker-fix-potential-out-of-bounds-access.patch input-remove-third-argument-of-usb_maxpacket.patch makefile.compiler-replace-cc-ifversion-with-compiler-specific-macros.patch mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch mm-mempool-replace-kmap_atomic-with-kmap_local_page.patch mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch mptcp-disallow-mptcp-subflows-from-sockmap.patch mptcp-do-not-fallback-when-ooo-is-present.patch mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch mptcp-fix-ack-generation-for-fallback-msk.patch mptcp-fix-premature-close-in-case-of-fallback.patch mptcp-fix-proto-fallback-detection-with-bpf.patch net-netpoll-fix-incorrect-refcount-handling-causing-incorrect-cleanup.patch net-qede-initialize-qede_ll_ops-with-designated-initializer.patch pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch pmdomain-samsung-plug-potential-memleak-during-probe.patch revert-block-don-t-add-or-resize-partition-on-the-disk-with-genhd_fl_no_part.patch revert-block-move-checking-genhd_fl_no_part-to-bdev_add_partition.patch selftests-mptcp-connect-fix-fallback-note-due-to-ooo.patch uio_hv_generic-set-event-for-all-channels-on-the-device.patch usb-deprecate-the-third-argument-of-usb_maxpacket.patch --- ...-suspend-for-a-security-locked-drive.patch | 82 ++++++ ...ncate-inode-items-when-logging-inode.patch | 92 +++++++ ...d-size-extending-write-into-prealloc.patch | 219 ++++++++++++++++ ...sconti-fix-number-of-items-in-groups.patch | 67 +++++ ...r-fix-potential-out-of-bounds-access.patch | 58 +++++ ...move-third-argument-of-usb_maxpacket.patch | 106 ++++++++ ...ersion-with-compiler-specific-macros.patch | 240 ++++++++++++++++++ ...poisoning-order-0-pages-with-highmem.patch | 110 ++++++++ ...ace-kmap_atomic-with-kmap_local_page.patch | 71 ++++++ ...nge-dll_strbin_tapnum_default-to-0x4.patch | 38 +++ ...disallow-mptcp-subflows-from-sockmap.patch | 85 +++++++ ...-do-not-fallback-when-ooo-is-present.patch | 50 ++++ ...fix-a-race-in-mptcp_pm_del_add_timer.patch | 199 +++++++++++++++ ...-fix-ack-generation-for-fallback-msk.patch | 92 +++++++ ...-premature-close-in-case-of-fallback.patch | 65 +++++ ...ix-proto-fallback-detection-with-bpf.patch | 101 ++++++++ ...t-handling-causing-incorrect-cleanup.patch | 85 +++++++ ...e_ll_ops-with-designated-initializer.patch | 43 ++++ ...eak-on-provider-registration-failure.patch | 82 ++++++ ...ference-count-leak-in-imx_gpc_remove.patch | 38 +++ ...-plug-potential-memleak-during-probe.patch | 69 +++++ ...on-on-the-disk-with-genhd_fl_no_part.patch | 69 +++++ ...nhd_fl_no_part-to-bdev_add_partition.patch | 84 ++++++ ...connect-fix-fallback-note-due-to-ooo.patch | 45 ++++ queue-5.15/series | 26 ++ ...event-for-all-channels-on-the-device.patch | 74 ++++++ ...-the-third-argument-of-usb_maxpacket.patch | 85 +++++++ 27 files changed, 2375 insertions(+) create mode 100644 queue-5.15/ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch create mode 100644 queue-5.15/btrfs-add-helper-to-truncate-inode-items-when-logging-inode.patch create mode 100644 queue-5.15/btrfs-fix-crash-on-racing-fsync-and-size-extending-write-into-prealloc.patch create mode 100644 queue-5.15/dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch create mode 100644 queue-5.15/input-pegasus-notetaker-fix-potential-out-of-bounds-access.patch create mode 100644 queue-5.15/input-remove-third-argument-of-usb_maxpacket.patch create mode 100644 queue-5.15/makefile.compiler-replace-cc-ifversion-with-compiler-specific-macros.patch create mode 100644 queue-5.15/mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch create mode 100644 queue-5.15/mm-mempool-replace-kmap_atomic-with-kmap_local_page.patch create mode 100644 queue-5.15/mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch create mode 100644 queue-5.15/mptcp-disallow-mptcp-subflows-from-sockmap.patch create mode 100644 queue-5.15/mptcp-do-not-fallback-when-ooo-is-present.patch create mode 100644 queue-5.15/mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch create mode 100644 queue-5.15/mptcp-fix-ack-generation-for-fallback-msk.patch create mode 100644 queue-5.15/mptcp-fix-premature-close-in-case-of-fallback.patch create mode 100644 queue-5.15/mptcp-fix-proto-fallback-detection-with-bpf.patch create mode 100644 queue-5.15/net-netpoll-fix-incorrect-refcount-handling-causing-incorrect-cleanup.patch create mode 100644 queue-5.15/net-qede-initialize-qede_ll_ops-with-designated-initializer.patch create mode 100644 queue-5.15/pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch create mode 100644 queue-5.15/pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch create mode 100644 queue-5.15/pmdomain-samsung-plug-potential-memleak-during-probe.patch create mode 100644 queue-5.15/revert-block-don-t-add-or-resize-partition-on-the-disk-with-genhd_fl_no_part.patch create mode 100644 queue-5.15/revert-block-move-checking-genhd_fl_no_part-to-bdev_add_partition.patch create mode 100644 queue-5.15/selftests-mptcp-connect-fix-fallback-note-due-to-ooo.patch create mode 100644 queue-5.15/uio_hv_generic-set-event-for-all-channels-on-the-device.patch create mode 100644 queue-5.15/usb-deprecate-the-third-argument-of-usb_maxpacket.patch diff --git a/queue-5.15/ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch b/queue-5.15/ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch new file mode 100644 index 0000000000..847f9da91b --- /dev/null +++ b/queue-5.15/ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch @@ -0,0 +1,82 @@ +From stable+bounces-196783-greg=kroah.com@vger.kernel.org Mon Nov 24 19:49:16 2025 +From: Sasha Levin +Date: Mon, 24 Nov 2025 13:48:38 -0500 +Subject: ata: libata-scsi: Fix system suspend for a security locked drive +To: stable@vger.kernel.org +Cc: Niklas Cassel , Ilia Baryshnikov , Hannes Reinecke , "Martin K. Petersen" , Damien Le Moal , Sasha Levin +Message-ID: <20251124184838.4189739-1-sashal@kernel.org> + +From: Niklas Cassel + +[ Upstream commit b11890683380a36b8488229f818d5e76e8204587 ] + +Commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status +handling") fixed ata_to_sense_error() to properly generate sense key +ABORTED COMMAND (without any additional sense code), instead of the +previous bogus sense key ILLEGAL REQUEST with the additional sense code +UNALIGNED WRITE COMMAND, for a failed command. + +However, this broke suspend for Security locked drives (drives that have +Security enabled, and have not been Security unlocked by boot firmware). + +The reason for this is that the SCSI disk driver, for the Synchronize +Cache command only, treats any sense data with sense key ILLEGAL REQUEST +as a successful command (regardless of ASC / ASCQ). + +After commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() +status handling") the code that treats any sense data with sense key +ILLEGAL REQUEST as a successful command is no longer applicable, so the +command fails, which causes the system suspend to be aborted: + + sd 1:0:0:0: PM: dpm_run_callback(): scsi_bus_suspend returns -5 + sd 1:0:0:0: PM: failed to suspend async: error -5 + PM: Some devices failed to suspend, or early wake event detected + +To make suspend work once again, for a Security locked device only, +return sense data LOGICAL UNIT ACCESS NOT AUTHORIZED, the actual sense +data which a real SCSI device would have returned if locked. +The SCSI disk driver treats this sense data as a successful command. + +Cc: stable@vger.kernel.org +Reported-by: Ilia Baryshnikov +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220704 +Fixes: cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status handling") +Reviewed-by: Hannes Reinecke +Reviewed-by: Martin K. Petersen +Reviewed-by: Damien Le Moal +Signed-off-by: Niklas Cassel +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-scsi.c | 8 ++++++++ + include/linux/ata.h | 1 + + 2 files changed, 9 insertions(+) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -968,6 +968,14 @@ static void ata_gen_ata_sense(struct ata + ata_scsi_set_sense(dev, cmd, NOT_READY, 0x04, 0x21); + return; + } ++ ++ if (ata_id_is_locked(dev->id)) { ++ /* Security locked */ ++ /* LOGICAL UNIT ACCESS NOT AUTHORIZED */ ++ ata_scsi_set_sense(dev, cmd, DATA_PROTECT, 0x74, 0x71); ++ return; ++ } ++ + /* Use ata_to_sense_error() to map status register bits + * onto sense key, asc & ascq. + */ +--- a/include/linux/ata.h ++++ b/include/linux/ata.h +@@ -557,6 +557,7 @@ struct ata_bmdma_prd { + #define ata_id_has_ncq(id) ((id)[ATA_ID_SATA_CAPABILITY] & (1 << 8)) + #define ata_id_queue_depth(id) (((id)[ATA_ID_QUEUE_DEPTH] & 0x1f) + 1) + #define ata_id_removable(id) ((id)[ATA_ID_CONFIG] & (1 << 7)) ++#define ata_id_is_locked(id) (((id)[ATA_ID_DLF] & 0x7) == 0x7) + #define ata_id_has_atapi_AN(id) \ + ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \ + ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \ diff --git a/queue-5.15/btrfs-add-helper-to-truncate-inode-items-when-logging-inode.patch b/queue-5.15/btrfs-add-helper-to-truncate-inode-items-when-logging-inode.patch new file mode 100644 index 0000000000..457be80f18 --- /dev/null +++ b/queue-5.15/btrfs-add-helper-to-truncate-inode-items-when-logging-inode.patch @@ -0,0 +1,92 @@ +From 8a2b3da191e5a167bba9776e109b775b21cb4d85 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Tue, 31 Aug 2021 15:30:36 +0100 +Subject: btrfs: add helper to truncate inode items when logging inode + +From: Filipe Manana + +commit 8a2b3da191e5a167bba9776e109b775b21cb4d85 upstream. + +Move the call to btrfs_truncate_inode_items(), and the surrounding retry +loop, into a local helper function. This avoids some repetition and avoids +making the next change a bit awkward due to a bit of too much indentation. + +This patch is part of a patch set comprised of the following patches: + + btrfs: check if a log tree exists at inode_logged() + btrfs: remove no longer needed checks for NULL log context + btrfs: do not log new dentries when logging that a new name exists + btrfs: always update the logged transaction when logging new names + btrfs: avoid expensive search when dropping inode items from log + btrfs: add helper to truncate inode items when logging inode + btrfs: avoid expensive search when truncating inode items from the log + btrfs: avoid search for logged i_size when logging inode if possible + btrfs: avoid attempt to drop extents when logging inode for the first time + btrfs: do not commit delayed inode when logging a file in full sync mode + +This is patch 6/10 and test results are listed in the change log of the +last patch in the set. + +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Harshvardhan Jha +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 32 +++++++++++++++++++------------- + 1 file changed, 19 insertions(+), 13 deletions(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -3955,6 +3955,21 @@ static int drop_objectid_items(struct bt + return ret; + } + ++static int truncate_inode_items(struct btrfs_trans_handle *trans, ++ struct btrfs_root *log_root, ++ struct btrfs_inode *inode, ++ u64 new_size, u32 min_type) ++{ ++ int ret; ++ ++ do { ++ ret = btrfs_truncate_inode_items(trans, log_root, inode, ++ new_size, min_type, NULL); ++ } while (ret == -EAGAIN); ++ ++ return ret; ++} ++ + static void fill_inode_item(struct btrfs_trans_handle *trans, + struct extent_buffer *leaf, + struct btrfs_inode_item *item, +@@ -4548,13 +4563,9 @@ static int btrfs_log_prealloc_extents(st + * Avoid logging extent items logged in past fsync calls + * and leading to duplicate keys in the log tree. + */ +- do { +- ret = btrfs_truncate_inode_items(trans, +- root->log_root, +- inode, truncate_offset, +- BTRFS_EXTENT_DATA_KEY, +- NULL); +- } while (ret == -EAGAIN); ++ ret = truncate_inode_items(trans, root->log_root, inode, ++ truncate_offset, ++ BTRFS_EXTENT_DATA_KEY); + if (ret) + goto out; + dropped_extents = true; +@@ -5531,12 +5542,7 @@ static int btrfs_log_inode(struct btrfs_ + &inode->runtime_flags); + clear_bit(BTRFS_INODE_COPY_EVERYTHING, + &inode->runtime_flags); +- while(1) { +- ret = btrfs_truncate_inode_items(trans, +- log, inode, 0, 0, NULL); +- if (ret != -EAGAIN) +- break; +- } ++ ret = truncate_inode_items(trans, log, inode, 0, 0); + } + } else if (test_and_clear_bit(BTRFS_INODE_COPY_EVERYTHING, + &inode->runtime_flags) || diff --git a/queue-5.15/btrfs-fix-crash-on-racing-fsync-and-size-extending-write-into-prealloc.patch b/queue-5.15/btrfs-fix-crash-on-racing-fsync-and-size-extending-write-into-prealloc.patch new file mode 100644 index 0000000000..c3bddfeea0 --- /dev/null +++ b/queue-5.15/btrfs-fix-crash-on-racing-fsync-and-size-extending-write-into-prealloc.patch @@ -0,0 +1,219 @@ +From 9d274c19a71b3a276949933859610721a453946b Mon Sep 17 00:00:00 2001 +From: Omar Sandoval +Date: Fri, 24 May 2024 13:58:11 -0700 +Subject: btrfs: fix crash on racing fsync and size-extending write into prealloc + +From: Omar Sandoval + +commit 9d274c19a71b3a276949933859610721a453946b upstream. + +We have been seeing crashes on duplicate keys in +btrfs_set_item_key_safe(): + + BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192) + ------------[ cut here ]------------ + kernel BUG at fs/btrfs/ctree.c:2620! + invalid opcode: 0000 [#1] PREEMPT SMP PTI + CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 + RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs] + +With the following stack trace: + + #0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4) + #1 btrfs_drop_extents (fs/btrfs/file.c:411:4) + #2 log_one_extent (fs/btrfs/tree-log.c:4732:9) + #3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9) + #4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9) + #5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8) + #6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8) + #7 btrfs_sync_file (fs/btrfs/file.c:1933:8) + #8 vfs_fsync_range (fs/sync.c:188:9) + #9 vfs_fsync (fs/sync.c:202:9) + #10 do_fsync (fs/sync.c:212:9) + #11 __do_sys_fdatasync (fs/sync.c:225:9) + #12 __se_sys_fdatasync (fs/sync.c:223:1) + #13 __x64_sys_fdatasync (fs/sync.c:223:1) + #14 do_syscall_x64 (arch/x86/entry/common.c:52:14) + #15 do_syscall_64 (arch/x86/entry/common.c:83:7) + #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121) + +So we're logging a changed extent from fsync, which is splitting an +extent in the log tree. But this split part already exists in the tree, +triggering the BUG(). + +This is the state of the log tree at the time of the crash, dumped with +drgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py) +to get more details than btrfs_print_leaf() gives us: + + >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0]["eb"]) + leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610 + leaf 33439744 flags 0x100000000000000 + fs uuid e5bd3946-400c-4223-8923-190ef1f18677 + chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da + item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160 + generation 7 transid 9 size 8192 nbytes 8473563889606862198 + block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0 + sequence 204 flags 0x10(PREALLOC) + atime 1716417703.220000000 (2024-05-22 15:41:43) + ctime 1716417704.983333333 (2024-05-22 15:41:44) + mtime 1716417704.983333333 (2024-05-22 15:41:44) + otime 17592186044416.000000000 (559444-03-08 01:40:16) + item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13 + index 195 namelen 3 name: 193 + item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37 + location key (0 UNKNOWN.0 0) type XATTR + transid 7 data_len 1 name_len 6 + name: user.a + data a + item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53 + generation 9 type 1 (regular) + extent data disk byte 303144960 nr 12288 + extent data offset 0 nr 4096 ram 12288 + extent compression 0 (none) + item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53 + generation 9 type 2 (prealloc) + prealloc data disk byte 303144960 nr 12288 + prealloc data offset 4096 nr 8192 + item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53 + generation 9 type 2 (prealloc) + prealloc data disk byte 303144960 nr 12288 + prealloc data offset 8192 nr 4096 + ... + +So the real problem happened earlier: notice that items 4 (4k-12k) and 5 +(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and +item 5 starts at i_size. + +Here is the state of the filesystem tree at the time of the crash: + + >>> root = prog.crashed_thread().stack_trace()[2]["inode"].root + >>> ret, nodes, slots = btrfs_search_slot(root, BtrfsKey(450, 0, 0)) + >>> print_extent_buffer(nodes[0]) + leaf 30425088 level 0 items 184 generation 9 owner 5 + leaf 30425088 flags 0x100000000000000 + fs uuid e5bd3946-400c-4223-8923-190ef1f18677 + chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da + ... + item 179 key (450 INODE_ITEM 0) itemoff 4907 itemsize 160 + generation 7 transid 7 size 4096 nbytes 12288 + block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0 + sequence 6 flags 0x10(PREALLOC) + atime 1716417703.220000000 (2024-05-22 15:41:43) + ctime 1716417703.220000000 (2024-05-22 15:41:43) + mtime 1716417703.220000000 (2024-05-22 15:41:43) + otime 1716417703.220000000 (2024-05-22 15:41:43) + item 180 key (450 INODE_REF 256) itemoff 4894 itemsize 13 + index 195 namelen 3 name: 193 + item 181 key (450 XATTR_ITEM 1640047104) itemoff 4857 itemsize 37 + location key (0 UNKNOWN.0 0) type XATTR + transid 7 data_len 1 name_len 6 + name: user.a + data a + item 182 key (450 EXTENT_DATA 0) itemoff 4804 itemsize 53 + generation 9 type 1 (regular) + extent data disk byte 303144960 nr 12288 + extent data offset 0 nr 8192 ram 12288 + extent compression 0 (none) + item 183 key (450 EXTENT_DATA 8192) itemoff 4751 itemsize 53 + generation 9 type 2 (prealloc) + prealloc data disk byte 303144960 nr 12288 + prealloc data offset 8192 nr 4096 + +Item 5 in the log tree corresponds to item 183 in the filesystem tree, +but nothing matches item 4. Furthermore, item 183 is the last item in +the leaf. + +btrfs_log_prealloc_extents() is responsible for logging prealloc extents +beyond i_size. It first truncates any previously logged prealloc extents +that start beyond i_size. Then, it walks the filesystem tree and copies +the prealloc extent items to the log tree. + +If it hits the end of a leaf, then it calls btrfs_next_leaf(), which +unlocks the tree and does another search. However, while the filesystem +tree is unlocked, an ordered extent completion may modify the tree. In +particular, it may insert an extent item that overlaps with an extent +item that was already copied to the log tree. + +This may manifest in several ways depending on the exact scenario, +including an EEXIST error that is silently translated to a full sync, +overlapping items in the log tree, or this crash. This particular crash +is triggered by the following sequence of events: + +- Initially, the file has i_size=4k, a regular extent from 0-4k, and a + prealloc extent beyond i_size from 4k-12k. The prealloc extent item is + the last item in its B-tree leaf. +- The file is fsync'd, which copies its inode item and both extent items + to the log tree. +- An xattr is set on the file, which sets the + BTRFS_INODE_COPY_EVERYTHING flag. +- The range 4k-8k in the file is written using direct I/O. i_size is + extended to 8k, but the ordered extent is still in flight. +- The file is fsync'd. Since BTRFS_INODE_COPY_EVERYTHING is set, this + calls copy_inode_items_to_log(), which calls + btrfs_log_prealloc_extents(). +- btrfs_log_prealloc_extents() finds the 4k-12k prealloc extent in the + filesystem tree. Since it starts before i_size, it skips it. Since it + is the last item in its B-tree leaf, it calls btrfs_next_leaf(). +- btrfs_next_leaf() unlocks the path. +- The ordered extent completion runs, which converts the 4k-8k part of + the prealloc extent to written and inserts the remaining prealloc part + from 8k-12k. +- btrfs_next_leaf() does a search and finds the new prealloc extent + 8k-12k. +- btrfs_log_prealloc_extents() copies the 8k-12k prealloc extent into + the log tree. Note that it overlaps with the 4k-12k prealloc extent + that was copied to the log tree by the first fsync. +- fsync calls btrfs_log_changed_extents(), which tries to log the 4k-8k + extent that was written. +- This tries to drop the range 4k-8k in the log tree, which requires + adjusting the start of the 4k-12k prealloc extent in the log tree to + 8k. +- btrfs_set_item_key_safe() sees that there is already an extent + starting at 8k in the log tree and calls BUG(). + +Fix this by detecting when we're about to insert an overlapping file +extent item in the log tree and truncating the part that would overlap. + +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Filipe Manana +Signed-off-by: Omar Sandoval +Signed-off-by: David Sterba +Signed-off-by: Harshvardhan Jha +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -4558,18 +4558,23 @@ static int btrfs_log_prealloc_extents(st + path->slots[0]++; + continue; + } +- if (!dropped_extents) { +- /* +- * Avoid logging extent items logged in past fsync calls +- * and leading to duplicate keys in the log tree. +- */ ++ /* ++ * Avoid overlapping items in the log tree. The first time we ++ * get here, get rid of everything from a past fsync. After ++ * that, if the current extent starts before the end of the last ++ * extent we copied, truncate the last one. This can happen if ++ * an ordered extent completion modifies the subvolume tree ++ * while btrfs_next_leaf() has the tree unlocked. ++ */ ++ if (!dropped_extents || key.offset < truncate_offset) { + ret = truncate_inode_items(trans, root->log_root, inode, +- truncate_offset, ++ min(key.offset, truncate_offset), + BTRFS_EXTENT_DATA_KEY); + if (ret) + goto out; + dropped_extents = true; + } ++ truncate_offset = btrfs_file_extent_end(path); + if (ins_nr == 0) + start_slot = slot; + ins_nr++; diff --git a/queue-5.15/dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch b/queue-5.15/dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch new file mode 100644 index 0000000000..a950a11e14 --- /dev/null +++ b/queue-5.15/dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch @@ -0,0 +1,67 @@ +From stable+bounces-196805-greg=kroah.com@vger.kernel.org Mon Nov 24 22:18:43 2025 +From: Sasha Levin +Date: Mon, 24 Nov 2025 16:18:06 -0500 +Subject: dt-bindings: pinctrl: toshiba,visconti: Fix number of items in groups +To: stable@vger.kernel.org +Cc: Krzysztof Kozlowski , Conor Dooley , Linus Walleij , Sasha Levin +Message-ID: <20251124211806.34641-1-sashal@kernel.org> + +From: Krzysztof Kozlowski + +[ Upstream commit 316e361b5d2cdeb8d778983794a1c6eadcb26814 ] + +The "groups" property can hold multiple entries (e.g. +toshiba/tmpv7708-rm-mbrc.dts file), so allow that by dropping incorrect +type (pinmux-node.yaml schema already defines that as string-array) and +adding constraints for items. This fixes dtbs_check warnings like: + + toshiba/tmpv7708-rm-mbrc.dtb: pinctrl@24190000 (toshiba,tmpv7708-pinctrl): + pwm-pins:groups: ['pwm0_gpio16_grp', 'pwm1_gpio17_grp', 'pwm2_gpio18_grp', 'pwm3_gpio19_grp'] is too long + +Fixes: 1825c1fe0057 ("pinctrl: Add DT bindings for Toshiba Visconti TMPV7700 SoC") +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Acked-by: Conor Dooley +Signed-off-by: Linus Walleij +[ adjusted $ref context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml | 26 +++++----- + 1 file changed, 14 insertions(+), 12 deletions(-) + +--- a/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml ++++ b/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml +@@ -46,18 +46,20 @@ patternProperties: + groups: + description: + Name of the pin group to use for the functions. +- $ref: "/schemas/types.yaml#/definitions/string" +- enum: [i2c0_grp, i2c1_grp, i2c2_grp, i2c3_grp, i2c4_grp, +- i2c5_grp, i2c6_grp, i2c7_grp, i2c8_grp, +- spi0_grp, spi0_cs0_grp, spi0_cs1_grp, spi0_cs2_grp, +- spi1_grp, spi2_grp, spi3_grp, spi4_grp, spi5_grp, spi6_grp, +- uart0_grp, uart1_grp, uart2_grp, uart3_grp, +- pwm0_gpio4_grp, pwm0_gpio8_grp, pwm0_gpio12_grp, +- pwm0_gpio16_grp, pwm1_gpio5_grp, pwm1_gpio9_grp, +- pwm1_gpio13_grp, pwm1_gpio17_grp, pwm2_gpio6_grp, +- pwm2_gpio10_grp, pwm2_gpio14_grp, pwm2_gpio18_grp, +- pwm3_gpio7_grp, pwm3_gpio11_grp, pwm3_gpio15_grp, +- pwm3_gpio19_grp, pcmif_out_grp, pcmif_in_grp] ++ items: ++ enum: [i2c0_grp, i2c1_grp, i2c2_grp, i2c3_grp, i2c4_grp, ++ i2c5_grp, i2c6_grp, i2c7_grp, i2c8_grp, ++ spi0_grp, spi0_cs0_grp, spi0_cs1_grp, spi0_cs2_grp, ++ spi1_grp, spi2_grp, spi3_grp, spi4_grp, spi5_grp, spi6_grp, ++ uart0_grp, uart1_grp, uart2_grp, uart3_grp, ++ pwm0_gpio4_grp, pwm0_gpio8_grp, pwm0_gpio12_grp, ++ pwm0_gpio16_grp, pwm1_gpio5_grp, pwm1_gpio9_grp, ++ pwm1_gpio13_grp, pwm1_gpio17_grp, pwm2_gpio6_grp, ++ pwm2_gpio10_grp, pwm2_gpio14_grp, pwm2_gpio18_grp, ++ pwm3_gpio7_grp, pwm3_gpio11_grp, pwm3_gpio15_grp, ++ pwm3_gpio19_grp, pcmif_out_grp, pcmif_in_grp] ++ minItems: 1 ++ maxItems: 8 + + drive-strength: + enum: [2, 4, 6, 8, 16, 24, 32] diff --git a/queue-5.15/input-pegasus-notetaker-fix-potential-out-of-bounds-access.patch b/queue-5.15/input-pegasus-notetaker-fix-potential-out-of-bounds-access.patch new file mode 100644 index 0000000000..ba0e0b3aa8 --- /dev/null +++ b/queue-5.15/input-pegasus-notetaker-fix-potential-out-of-bounds-access.patch @@ -0,0 +1,58 @@ +From stable+bounces-196782-greg=kroah.com@vger.kernel.org Mon Nov 24 19:38:24 2025 +From: Sasha Levin +Date: Mon, 24 Nov 2025 13:37:58 -0500 +Subject: Input: pegasus-notetaker - fix potential out-of-bounds access +To: stable@vger.kernel.org +Cc: Seungjin Bae , Dmitry Torokhov , Sasha Levin +Message-ID: <20251124183758.4187087-3-sashal@kernel.org> + +From: Seungjin Bae + +[ Upstream commit 69aeb507312306f73495598a055293fa749d454e ] + +In the pegasus_notetaker driver, the pegasus_probe() function allocates +the URB transfer buffer using the wMaxPacketSize value from +the endpoint descriptor. An attacker can use a malicious USB descriptor +to force the allocation of a very small buffer. + +Subsequently, if the device sends an interrupt packet with a specific +pattern (e.g., where the first byte is 0x80 or 0x42), +the pegasus_parse_packet() function parses the packet without checking +the allocated buffer size. This leads to an out-of-bounds memory access. + +Fixes: 1afca2b66aac ("Input: add Pegasus Notetaker tablet driver") +Signed-off-by: Seungjin Bae +Link: https://lore.kernel.org/r/20251007214131.3737115-2-eeodqql09@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/tablet/pegasus_notetaker.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/input/tablet/pegasus_notetaker.c ++++ b/drivers/input/tablet/pegasus_notetaker.c +@@ -63,6 +63,9 @@ + #define BUTTON_PRESSED 0xb5 + #define COMMAND_VERSION 0xa9 + ++/* 1 Status + 1 Color + 2 X + 2 Y = 6 bytes */ ++#define NOTETAKER_PACKET_SIZE 6 ++ + /* in xy data packet */ + #define BATTERY_NO_REPORT 0x40 + #define BATTERY_LOW 0x41 +@@ -297,6 +300,12 @@ static int pegasus_probe(struct usb_inte + + pipe = usb_rcvintpipe(dev, endpoint->bEndpointAddress); + pegasus->data_len = usb_maxpacket(dev, pipe); ++ if (pegasus->data_len < NOTETAKER_PACKET_SIZE) { ++ dev_err(&intf->dev, "packet size is too small (%d)\n", ++ pegasus->data_len); ++ error = -EINVAL; ++ goto err_free_mem; ++ } + + pegasus->data = usb_alloc_coherent(dev, pegasus->data_len, GFP_KERNEL, + &pegasus->data_dma); diff --git a/queue-5.15/input-remove-third-argument-of-usb_maxpacket.patch b/queue-5.15/input-remove-third-argument-of-usb_maxpacket.patch new file mode 100644 index 0000000000..1c1031d809 --- /dev/null +++ b/queue-5.15/input-remove-third-argument-of-usb_maxpacket.patch @@ -0,0 +1,106 @@ +From stable+bounces-196781-greg=kroah.com@vger.kernel.org Mon Nov 24 19:38:23 2025 +From: Sasha Levin +Date: Mon, 24 Nov 2025 13:37:57 -0500 +Subject: Input: remove third argument of usb_maxpacket() +To: stable@vger.kernel.org +Cc: Vincent Mailhol , Ville Syrjala , Dmitry Torokhov , Henk Vergonet , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20251124183758.4187087-2-sashal@kernel.org> + +From: Vincent Mailhol + +[ Upstream commit 948bf187694fc1f4c20cf972fa18b1a6fb3d7603 ] + +The third argument of usb_maxpacket(): in_out has been deprecated +because it could be derived from the second argument (e.g. using +usb_pipeout(pipe)). + +N.B. function usb_maxpacket() was made variadic to accommodate the +transition from the old prototype with three arguments to the new one +with only two arguments (so that no renaming is needed). The variadic +argument is to be removed once all users of usb_maxpacket() get +migrated. + +CC: Ville Syrjala +CC: Dmitry Torokhov +CC: Henk Vergonet +Signed-off-by: Vincent Mailhol +Link: https://lore.kernel.org/r/20220317035514.6378-4-mailhol.vincent@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 69aeb5073123 ("Input: pegasus-notetaker - fix potential out-of-bounds access") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/misc/ati_remote2.c | 2 +- + drivers/input/misc/cm109.c | 2 +- + drivers/input/misc/powermate.c | 2 +- + drivers/input/misc/yealink.c | 2 +- + drivers/input/tablet/acecad.c | 2 +- + drivers/input/tablet/pegasus_notetaker.c | 2 +- + 6 files changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/input/misc/ati_remote2.c ++++ b/drivers/input/misc/ati_remote2.c +@@ -639,7 +639,7 @@ static int ati_remote2_urb_init(struct a + return -ENOMEM; + + pipe = usb_rcvintpipe(udev, ar2->ep[i]->bEndpointAddress); +- maxp = usb_maxpacket(udev, pipe, usb_pipeout(pipe)); ++ maxp = usb_maxpacket(udev, pipe); + maxp = maxp > 4 ? 4 : maxp; + + usb_fill_int_urb(ar2->urb[i], udev, pipe, ar2->buf[i], maxp, +--- a/drivers/input/misc/cm109.c ++++ b/drivers/input/misc/cm109.c +@@ -745,7 +745,7 @@ static int cm109_usb_probe(struct usb_in + + /* get a handle to the interrupt data pipe */ + pipe = usb_rcvintpipe(udev, endpoint->bEndpointAddress); +- ret = usb_maxpacket(udev, pipe, usb_pipeout(pipe)); ++ ret = usb_maxpacket(udev, pipe); + if (ret != USB_PKT_LEN) + dev_err(&intf->dev, "invalid payload size %d, expected %d\n", + ret, USB_PKT_LEN); +--- a/drivers/input/misc/powermate.c ++++ b/drivers/input/misc/powermate.c +@@ -374,7 +374,7 @@ static int powermate_probe(struct usb_in + + /* get a handle to the interrupt data pipe */ + pipe = usb_rcvintpipe(udev, endpoint->bEndpointAddress); +- maxp = usb_maxpacket(udev, pipe, usb_pipeout(pipe)); ++ maxp = usb_maxpacket(udev, pipe); + + if (maxp < POWERMATE_PAYLOAD_SIZE_MIN || maxp > POWERMATE_PAYLOAD_SIZE_MAX) { + printk(KERN_WARNING "powermate: Expected payload of %d--%d bytes, found %d bytes!\n", +--- a/drivers/input/misc/yealink.c ++++ b/drivers/input/misc/yealink.c +@@ -905,7 +905,7 @@ static int usb_probe(struct usb_interfac + + /* get a handle to the interrupt data pipe */ + pipe = usb_rcvintpipe(udev, endpoint->bEndpointAddress); +- ret = usb_maxpacket(udev, pipe, usb_pipeout(pipe)); ++ ret = usb_maxpacket(udev, pipe); + if (ret != USB_PKT_LEN) + dev_err(&intf->dev, "invalid payload size %d, expected %zd\n", + ret, USB_PKT_LEN); +--- a/drivers/input/tablet/acecad.c ++++ b/drivers/input/tablet/acecad.c +@@ -130,7 +130,7 @@ static int usb_acecad_probe(struct usb_i + return -ENODEV; + + pipe = usb_rcvintpipe(dev, endpoint->bEndpointAddress); +- maxp = usb_maxpacket(dev, pipe, usb_pipeout(pipe)); ++ maxp = usb_maxpacket(dev, pipe); + + acecad = kzalloc(sizeof(struct usb_acecad), GFP_KERNEL); + input_dev = input_allocate_device(); +--- a/drivers/input/tablet/pegasus_notetaker.c ++++ b/drivers/input/tablet/pegasus_notetaker.c +@@ -296,7 +296,7 @@ static int pegasus_probe(struct usb_inte + pegasus->intf = intf; + + pipe = usb_rcvintpipe(dev, endpoint->bEndpointAddress); +- pegasus->data_len = usb_maxpacket(dev, pipe, usb_pipeout(pipe)); ++ pegasus->data_len = usb_maxpacket(dev, pipe); + + pegasus->data = usb_alloc_coherent(dev, pegasus->data_len, GFP_KERNEL, + &pegasus->data_dma); diff --git a/queue-5.15/makefile.compiler-replace-cc-ifversion-with-compiler-specific-macros.patch b/queue-5.15/makefile.compiler-replace-cc-ifversion-with-compiler-specific-macros.patch new file mode 100644 index 0000000000..a89144cf37 --- /dev/null +++ b/queue-5.15/makefile.compiler-replace-cc-ifversion-with-compiler-specific-macros.patch @@ -0,0 +1,240 @@ +From 88b61e3bff93f99712718db785b4aa0c1165f35c Mon Sep 17 00:00:00 2001 +From: Nick Desaulniers +Date: Mon, 19 Sep 2022 10:08:28 -0700 +Subject: Makefile.compiler: replace cc-ifversion with compiler-specific macros + +From: Nick Desaulniers + +commit 88b61e3bff93f99712718db785b4aa0c1165f35c upstream. + +cc-ifversion is GCC specific. Replace it with compiler specific +variants. Update the users of cc-ifversion to use these new macros. + +Link: https://github.com/ClangBuiltLinux/linux/issues/350 +Link: https://lore.kernel.org/llvm/CAGG=3QWSAUakO42kubrCap8fp-gm1ERJJAYXTnP1iHk_wrH=BQ@mail.gmail.com/ +Suggested-by: Bill Wendling +Reviewed-by: Nathan Chancellor +Signed-off-by: Nick Desaulniers +Signed-off-by: Masahiro Yamada +[nathan: Backport to 5.15 and eliminate instances of cc-ifversion that + did not exist upstream when this change was original created] +Signed-off-by: Nathan Chancellor +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/kbuild/makefiles.rst | 29 ++++++++++++++----------- + Makefile | 6 +---- + arch/mips/loongson64/Platform | 2 - + arch/s390/Makefile | 4 +-- + drivers/gpu/drm/amd/display/dc/dcn20/Makefile | 2 - + drivers/gpu/drm/amd/display/dc/dcn21/Makefile | 2 - + drivers/gpu/drm/amd/display/dc/dcn30/Makefile | 2 - + drivers/gpu/drm/amd/display/dc/dcn301/Makefile | 2 - + drivers/gpu/drm/amd/display/dc/dcn302/Makefile | 2 - + drivers/gpu/drm/amd/display/dc/dcn303/Makefile | 2 - + drivers/gpu/drm/amd/display/dc/dcn31/Makefile | 2 - + drivers/gpu/drm/amd/display/dc/dml/Makefile | 2 - + scripts/Makefile.compiler | 10 ++++++-- + 13 files changed, 37 insertions(+), 30 deletions(-) + +--- a/Documentation/kbuild/makefiles.rst ++++ b/Documentation/kbuild/makefiles.rst +@@ -682,22 +682,27 @@ more details, with real examples. + In the above example, -Wno-unused-but-set-variable will be added to + KBUILD_CFLAGS only if gcc really accepts it. + +- cc-ifversion +- cc-ifversion tests the version of $(CC) and equals the fourth parameter +- if version expression is true, or the fifth (if given) if the version +- expression is false. ++ gcc-min-version ++ gcc-min-version tests if the value of $(CONFIG_GCC_VERSION) is greater than ++ or equal to the provided value and evaluates to y if so. + + Example:: + +- #fs/reiserfs/Makefile +- ccflags-y := $(call cc-ifversion, -lt, 0402, -O1) ++ cflags-$(call gcc-min-version, 70100) := -foo + +- In this example, ccflags-y will be assigned the value -O1 if the +- $(CC) version is less than 4.2. +- cc-ifversion takes all the shell operators: +- -eq, -ne, -lt, -le, -gt, and -ge +- The third parameter may be a text as in this example, but it may also +- be an expanded variable or a macro. ++ In this example, cflags-y will be assigned the value -foo if $(CC) is gcc and ++ $(CONFIG_GCC_VERSION) is >= 7.1. ++ ++ clang-min-version ++ clang-min-version tests if the value of $(CONFIG_CLANG_VERSION) is greater ++ than or equal to the provided value and evaluates to y if so. ++ ++ Example:: ++ ++ cflags-$(call clang-min-version, 110000) := -foo ++ ++ In this example, cflags-y will be assigned the value -foo if $(CC) is clang ++ and $(CONFIG_CLANG_VERSION) is >= 11.0.0. + + cc-cross-prefix + cc-cross-prefix is used to check if there exists a $(CC) in path with +--- a/Makefile ++++ b/Makefile +@@ -804,7 +804,6 @@ stackp-flags-$(CONFIG_STACKPROTECTOR_STR + KBUILD_CFLAGS += $(stackp-flags-y) + + KBUILD_CFLAGS-$(CONFIG_WERROR) += -Werror +-KBUILD_CFLAGS += $(KBUILD_CFLAGS-y) + + ifdef CONFIG_CC_IS_CLANG + KBUILD_CPPFLAGS += -Qunused-arguments +@@ -1043,7 +1042,6 @@ ifdef CONFIG_CC_IS_GCC + KBUILD_CFLAGS += -Wno-maybe-uninitialized + endif + +-ifdef CONFIG_CC_IS_GCC + # The allocators already balk at large sizes, so silence the compiler + # warnings for bounds checks involving those possible values. While + # -Wno-alloc-size-larger-than would normally be used here, earlier versions +@@ -1055,8 +1053,8 @@ ifdef CONFIG_CC_IS_GCC + # ignored, continuing to default to PTRDIFF_MAX. So, left with no other + # choice, we must perform a versioned check to disable this warning. + # https://lore.kernel.org/lkml/20210824115859.187f272f@canb.auug.org.au +-KBUILD_CFLAGS += $(call cc-ifversion, -ge, 0901, -Wno-alloc-size-larger-than) +-endif ++KBUILD_CFLAGS-$(call gcc-min-version, 90100) += -Wno-alloc-size-larger-than ++KBUILD_CFLAGS += $(KBUILD_CFLAGS-y) + + # disable invalid "can't wrap" optimizations for signed / pointers + KBUILD_CFLAGS += -fno-strict-overflow +--- a/arch/mips/loongson64/Platform ++++ b/arch/mips/loongson64/Platform +@@ -12,7 +12,7 @@ cflags-$(CONFIG_CPU_LOONGSON64) += -Wa,- + # by GAS. The cc-option can't probe for this behaviour so -march=loongson3a + # can't easily be used safely within the kbuild framework. + # +-ifeq ($(call cc-ifversion, -ge, 0409, y), y) ++ifeq ($(call gcc-min-version, 40900), y) + ifeq ($(call ld-ifversion, -ge, 22500, y), y) + cflags-$(CONFIG_CPU_LOONGSON64) += \ + $(call cc-option,-march=loongson3a -U_MIPS_ISA -D_MIPS_ISA=_MIPS_ISA_MIPS64) +--- a/arch/s390/Makefile ++++ b/arch/s390/Makefile +@@ -35,8 +35,8 @@ KBUILD_CFLAGS_DECOMPRESSOR += $(if $(CON + KBUILD_CFLAGS_DECOMPRESSOR += $(if $(CONFIG_DEBUG_INFO_DWARF4), $(call cc-option, -gdwarf-4,)) + + ifdef CONFIG_CC_IS_GCC +- ifeq ($(call cc-ifversion, -ge, 1200, y), y) +- ifeq ($(call cc-ifversion, -lt, 1300, y), y) ++ ifeq ($(call gcc-min-version, 120000), y) ++ ifneq ($(call gcc-min-version, 130000), y) + KBUILD_CFLAGS += $(call cc-disable-warning, array-bounds) + KBUILD_CFLAGS_DECOMPRESSOR += $(call cc-disable-warning, array-bounds) + endif +--- a/drivers/gpu/drm/amd/display/dc/dcn20/Makefile ++++ b/drivers/gpu/drm/amd/display/dc/dcn20/Makefile +@@ -18,7 +18,7 @@ CFLAGS_$(AMDDALPATH)/dc/dcn20/dcn20_reso + endif + + ifdef CONFIG_CC_IS_GCC +-ifeq ($(call cc-ifversion, -lt, 0701, y), y) ++ifneq ($(call gcc-min-version, 70100), y) + IS_OLD_GCC = 1 + endif + endif +--- a/drivers/gpu/drm/amd/display/dc/dcn21/Makefile ++++ b/drivers/gpu/drm/amd/display/dc/dcn21/Makefile +@@ -14,7 +14,7 @@ CFLAGS_$(AMDDALPATH)/dc/dcn21/dcn21_reso + endif + + ifdef CONFIG_CC_IS_GCC +-ifeq ($(call cc-ifversion, -lt, 0701, y), y) ++ifneq ($(call gcc-min-version, 70100), y) + IS_OLD_GCC = 1 + endif + endif +--- a/drivers/gpu/drm/amd/display/dc/dcn30/Makefile ++++ b/drivers/gpu/drm/amd/display/dc/dcn30/Makefile +@@ -42,7 +42,7 @@ CFLAGS_$(AMDDALPATH)/dc/dcn30/dcn30_optc + endif + + ifdef CONFIG_CC_IS_GCC +-ifeq ($(call cc-ifversion, -lt, 0701, y), y) ++ifneq ($(call gcc-min-version, 70100), y) + IS_OLD_GCC = 1 + endif + CFLAGS_$(AMDDALPATH)/dc/dcn30/dcn30_resource.o += -mhard-float +--- a/drivers/gpu/drm/amd/display/dc/dcn301/Makefile ++++ b/drivers/gpu/drm/amd/display/dc/dcn301/Makefile +@@ -22,7 +22,7 @@ CFLAGS_$(AMDDALPATH)/dc/dcn301/dcn301_re + endif + + ifdef CONFIG_CC_IS_GCC +-ifeq ($(call cc-ifversion, -lt, 0701, y), y) ++ifneq ($(call gcc-min-version, 70100), y) + IS_OLD_GCC = 1 + endif + CFLAGS_$(AMDDALPATH)/dc/dcn301/dcn301_resource.o += -mhard-float +--- a/drivers/gpu/drm/amd/display/dc/dcn302/Makefile ++++ b/drivers/gpu/drm/amd/display/dc/dcn302/Makefile +@@ -21,7 +21,7 @@ CFLAGS_$(AMDDALPATH)/dc/dcn302/dcn302_re + endif + + ifdef CONFIG_CC_IS_GCC +-ifeq ($(call cc-ifversion, -lt, 0701, y), y) ++ifneq ($(call gcc-min-version, 70100), y) + IS_OLD_GCC = 1 + endif + CFLAGS_$(AMDDALPATH)/dc/dcn302/dcn302_resource.o += -mhard-float +--- a/drivers/gpu/drm/amd/display/dc/dcn303/Makefile ++++ b/drivers/gpu/drm/amd/display/dc/dcn303/Makefile +@@ -17,7 +17,7 @@ CFLAGS_$(AMDDALPATH)/dc/dcn303/dcn303_re + endif + + ifdef CONFIG_CC_IS_GCC +-ifeq ($(call cc-ifversion, -lt, 0701, y), y) ++ifneq ($(call gcc-min-version, 70100), y) + IS_OLD_GCC = 1 + endif + CFLAGS_$(AMDDALPATH)/dc/dcn303/dcn303_resource.o += -mhard-float +--- a/drivers/gpu/drm/amd/display/dc/dcn31/Makefile ++++ b/drivers/gpu/drm/amd/display/dc/dcn31/Makefile +@@ -22,7 +22,7 @@ CFLAGS_$(AMDDALPATH)/dc/dcn31/dcn31_reso + endif + + ifdef CONFIG_CC_IS_GCC +-ifeq ($(call cc-ifversion, -lt, 0701, y), y) ++ifneq ($(call gcc-min-version, 70100), y) + IS_OLD_GCC = 1 + endif + CFLAGS_$(AMDDALPATH)/dc/dcn31/dcn31_resource.o += -mhard-float +--- a/drivers/gpu/drm/amd/display/dc/dml/Makefile ++++ b/drivers/gpu/drm/amd/display/dc/dml/Makefile +@@ -35,7 +35,7 @@ dml_ccflags := -mhard-float -maltivec + endif + + ifdef CONFIG_CC_IS_GCC +-ifeq ($(call cc-ifversion, -lt, 0701, y), y) ++ifneq ($(call gcc-min-version, 70100),y) + IS_OLD_GCC = 1 + endif + endif +--- a/scripts/Makefile.compiler ++++ b/scripts/Makefile.compiler +@@ -61,9 +61,13 @@ cc-option-yn = $(call try-run,\ + cc-disable-warning = $(call try-run,\ + $(CC) -Werror $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS) -W$(strip $(1)) -c -x c /dev/null -o "$$TMP",-Wno-$(strip $(1))) + +-# cc-ifversion +-# Usage: EXTRA_CFLAGS += $(call cc-ifversion, -lt, 0402, -O1) +-cc-ifversion = $(shell [ $(CONFIG_GCC_VERSION)0 $(1) $(2)000 ] && echo $(3) || echo $(4)) ++# gcc-min-version ++# Usage: cflags-$(call gcc-min-version, 70100) += -foo ++gcc-min-version = $(shell [ $(CONFIG_GCC_VERSION)0 -ge $(1)0 ] && echo y) ++ ++# clang-min-version ++# Usage: cflags-$(call clang-min-version, 110000) += -foo ++clang-min-version = $(shell [ $(CONFIG_CLANG_VERSION)0 -ge $(1)0 ] && echo y) + + # ld-option + # Usage: KBUILD_LDFLAGS += $(call ld-option, -X, -Y) diff --git a/queue-5.15/mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch b/queue-5.15/mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch new file mode 100644 index 0000000000..6731e7f793 --- /dev/null +++ b/queue-5.15/mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch @@ -0,0 +1,110 @@ +From stable+bounces-196808-greg=kroah.com@vger.kernel.org Mon Nov 24 22:33:40 2025 +From: Sasha Levin +Date: Mon, 24 Nov 2025 16:33:30 -0500 +Subject: mm/mempool: fix poisoning order>0 pages with HIGHMEM +To: stable@vger.kernel.org +Cc: Vlastimil Babka , kernel test robot , Christoph Hellwig , Sasha Levin +Message-ID: <20251124213330.39729-2-sashal@kernel.org> + +From: Vlastimil Babka + +[ Upstream commit ec33b59542d96830e3c89845ff833cf7b25ef172 ] + +The kernel test has reported: + + BUG: unable to handle page fault for address: fffba000 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + *pde = 03171067 *pte = 00000000 + Oops: Oops: 0002 [#1] + CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca + Tainted: [T]=RANDSTRUCT + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 + EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17) + Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56 + EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b + ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8 + DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287 + CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690 + Call Trace: + poison_element (mm/mempool.c:83 mm/mempool.c:102) + mempool_init_node (mm/mempool.c:142 mm/mempool.c:226) + mempool_init_noprof (mm/mempool.c:250 (discriminator 1)) + ? mempool_alloc_pages (mm/mempool.c:640) + bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8)) + ? mempool_alloc_pages (mm/mempool.c:640) + do_one_initcall (init/main.c:1283) + +Christoph found out this is due to the poisoning code not dealing +properly with CONFIG_HIGHMEM because only the first page is mapped but +then the whole potentially high-order page is accessed. + +We could give up on HIGHMEM here, but it's straightforward to fix this +with a loop that's mapping, poisoning or checking and unmapping +individual pages. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202511111411.9ebfa1ba-lkp@intel.com +Analyzed-by: Christoph Hellwig +Fixes: bdfedb76f4f5 ("mm, mempool: poison elements backed by slab allocator") +Cc: stable@vger.kernel.org +Tested-by: kernel test robot +Reviewed-by: Christoph Hellwig +Link: https://patch.msgid.link/20251113-mempool-poison-v1-1-233b3ef984c3@suse.cz +Signed-off-by: Vlastimil Babka +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/mempool.c | 32 ++++++++++++++++++++++++++------ + 1 file changed, 26 insertions(+), 6 deletions(-) + +--- a/mm/mempool.c ++++ b/mm/mempool.c +@@ -63,10 +63,20 @@ static void check_element(mempool_t *poo + } else if (pool->free == mempool_free_pages) { + /* Mempools backed by page allocator */ + int order = (int)(long)pool->pool_data; +- void *addr = kmap_local_page((struct page *)element); + +- __check_element(pool, addr, 1UL << (PAGE_SHIFT + order)); +- kunmap_local(addr); ++#ifdef CONFIG_HIGHMEM ++ for (int i = 0; i < (1 << order); i++) { ++ struct page *page = (struct page *)element; ++ void *addr = kmap_local_page(page + i); ++ ++ __check_element(pool, addr, PAGE_SIZE); ++ kunmap_local(addr); ++ } ++#else ++ void *addr = page_address((struct page *)element); ++ ++ __check_element(pool, addr, PAGE_SIZE << order); ++#endif + } + } + +@@ -86,10 +96,20 @@ static void poison_element(mempool_t *po + } else if (pool->alloc == mempool_alloc_pages) { + /* Mempools backed by page allocator */ + int order = (int)(long)pool->pool_data; +- void *addr = kmap_local_page((struct page *)element); + +- __poison_element(addr, 1UL << (PAGE_SHIFT + order)); +- kunmap_local(addr); ++#ifdef CONFIG_HIGHMEM ++ for (int i = 0; i < (1 << order); i++) { ++ struct page *page = (struct page *)element; ++ void *addr = kmap_local_page(page + i); ++ ++ __poison_element(addr, PAGE_SIZE); ++ kunmap_local(addr); ++ } ++#else ++ void *addr = page_address((struct page *)element); ++ ++ __poison_element(addr, PAGE_SIZE << order); ++#endif + } + } + #else /* CONFIG_DEBUG_SLAB || CONFIG_SLUB_DEBUG_ON */ diff --git a/queue-5.15/mm-mempool-replace-kmap_atomic-with-kmap_local_page.patch b/queue-5.15/mm-mempool-replace-kmap_atomic-with-kmap_local_page.patch new file mode 100644 index 0000000000..e5383c109a --- /dev/null +++ b/queue-5.15/mm-mempool-replace-kmap_atomic-with-kmap_local_page.patch @@ -0,0 +1,71 @@ +From stable+bounces-196807-greg=kroah.com@vger.kernel.org Mon Nov 24 22:33:36 2025 +From: Sasha Levin +Date: Mon, 24 Nov 2025 16:33:29 -0500 +Subject: mm/mempool: replace kmap_atomic() with kmap_local_page() +To: stable@vger.kernel.org +Cc: "Fabio M. De Francesco" , Ira Weiny , Andrew Morton , Sasha Levin +Message-ID: <20251124213330.39729-1-sashal@kernel.org> + +From: "Fabio M. De Francesco" + +[ Upstream commit f2bcc99a5e901a13b754648d1dbab60f4adf9375 ] + +kmap_atomic() has been deprecated in favor of kmap_local_page(). + +Therefore, replace kmap_atomic() with kmap_local_page(). + +kmap_atomic() is implemented like a kmap_local_page() which also disables +page-faults and preemption (the latter only in !PREEMPT_RT kernels). The +kernel virtual addresses returned by these two API are only valid in the +context of the callers (i.e., they cannot be handed to other threads). + +With kmap_local_page() the mappings are per thread and CPU local like in +kmap_atomic(); however, they can handle page-faults and can be called from +any context (including interrupts). The tasks that call kmap_local_page() +can be preempted and, when they are scheduled to run again, the kernel +virtual addresses are restored and are still valid. + +The code blocks between the mappings and un-mappings don't rely on the +above-mentioned side effects of kmap_atomic(), so that mere replacements +of the old API with the new one is all that they require (i.e., there is +no need to explicitly call pagefault_disable() and/or preempt_disable()). + +Link: https://lkml.kernel.org/r/20231120142640.7077-1-fabio.maria.de.francesco@linux.intel.com +Signed-off-by: Fabio M. De Francesco +Cc: Ira Weiny +Signed-off-by: Andrew Morton +Stable-dep-of: ec33b59542d9 ("mm/mempool: fix poisoning order>0 pages with HIGHMEM") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/mempool.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/mm/mempool.c ++++ b/mm/mempool.c +@@ -63,10 +63,10 @@ static void check_element(mempool_t *poo + } else if (pool->free == mempool_free_pages) { + /* Mempools backed by page allocator */ + int order = (int)(long)pool->pool_data; +- void *addr = kmap_atomic((struct page *)element); ++ void *addr = kmap_local_page((struct page *)element); + + __check_element(pool, addr, 1UL << (PAGE_SHIFT + order)); +- kunmap_atomic(addr); ++ kunmap_local(addr); + } + } + +@@ -86,10 +86,10 @@ static void poison_element(mempool_t *po + } else if (pool->alloc == mempool_alloc_pages) { + /* Mempools backed by page allocator */ + int order = (int)(long)pool->pool_data; +- void *addr = kmap_atomic((struct page *)element); ++ void *addr = kmap_local_page((struct page *)element); + + __poison_element(addr, 1UL << (PAGE_SHIFT + order)); +- kunmap_atomic(addr); ++ kunmap_local(addr); + } + } + #else /* CONFIG_DEBUG_SLAB || CONFIG_SLUB_DEBUG_ON */ diff --git a/queue-5.15/mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch b/queue-5.15/mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch new file mode 100644 index 0000000000..73d4fe4276 --- /dev/null +++ b/queue-5.15/mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch @@ -0,0 +1,38 @@ +From stable+bounces-195439-greg=kroah.com@vger.kernel.org Fri Nov 21 02:45:59 2025 +From: Sasha Levin +Date: Thu, 20 Nov 2025 20:45:42 -0500 +Subject: mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4 +To: stable@vger.kernel.org +Cc: Shawn Lin , Alexey Charkov , Hugh Cole-Baker , Ulf Hansson , Sasha Levin +Message-ID: <20251121014542.2332865-1-sashal@kernel.org> + +From: Shawn Lin + +[ Upstream commit a28352cf2d2f8380e7aca8cb61682396dca7a991 ] + +strbin signal delay under 0x8 configuration is not stable after massive +test. The recommandation of it should be 0x4. + +Signed-off-by: Shawn Lin +Tested-by: Alexey Charkov +Tested-by: Hugh Cole-Baker +Fixes: 08f3dff799d4 ("mmc: sdhci-of-dwcmshc: add rockchip platform support") +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-of-dwcmshc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci-of-dwcmshc.c ++++ b/drivers/mmc/host/sdhci-of-dwcmshc.c +@@ -49,7 +49,7 @@ + #define DWCMSHC_EMMC_DLL_INC 8 + #define DWCMSHC_EMMC_DLL_DLYENA BIT(27) + #define DLL_TXCLK_TAPNUM_DEFAULT 0x8 +-#define DLL_STRBIN_TAPNUM_DEFAULT 0x8 ++#define DLL_STRBIN_TAPNUM_DEFAULT 0x4 + #define DLL_TXCLK_TAPNUM_FROM_SW BIT(24) + #define DLL_RXCLK_NO_INVERTER 1 + #define DLL_RXCLK_INVERTER 0 diff --git a/queue-5.15/mptcp-disallow-mptcp-subflows-from-sockmap.patch b/queue-5.15/mptcp-disallow-mptcp-subflows-from-sockmap.patch new file mode 100644 index 0000000000..dcbf0f0a1b --- /dev/null +++ b/queue-5.15/mptcp-disallow-mptcp-subflows-from-sockmap.patch @@ -0,0 +1,85 @@ +From stable+bounces-196758-greg=kroah.com@vger.kernel.org Mon Nov 24 16:18:22 2025 +From: Sasha Levin +Date: Mon, 24 Nov 2025 10:18:14 -0500 +Subject: mptcp: Disallow MPTCP subflows from sockmap +To: stable@vger.kernel.org +Cc: Jiayuan Chen , Martin KaFai Lau , "Matthieu Baerts (NGI0)" , Sasha Levin +Message-ID: <20251124151814.4126349-1-sashal@kernel.org> + +From: Jiayuan Chen + +[ Upstream commit fbade4bd08ba52cbc74a71c4e86e736f059f99f7 ] + +The sockmap feature allows bpf syscall from userspace, or based on bpf +sockops, replacing the sk_prot of sockets during protocol stack processing +with sockmap's custom read/write interfaces. +''' +tcp_rcv_state_process() + subflow_syn_recv_sock() + tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) + bpf_skops_established <== sockops + bpf_sock_map_update(sk) <== call bpf helper + tcp_bpf_update_proto() <== update sk_prot +''' +Consider two scenarios: + +1. When the server has MPTCP enabled and the client also requests MPTCP, + the sk passed to the BPF program is a subflow sk. Since subflows only + handle partial data, replacing their sk_prot is meaningless and will + cause traffic disruption. + +2. When the server has MPTCP enabled but the client sends a TCP SYN + without MPTCP, subflow_syn_recv_sock() performs a fallback on the + subflow, replacing the subflow sk's sk_prot with the native sk_prot. + ''' + subflow_ulp_fallback() + subflow_drop_ctx() + mptcp_subflow_ops_undo_override() + ''' + Subsequently, accept::mptcp_stream_accept::mptcp_fallback_tcp_ops() + converts the subflow to plain TCP. + +For the first case, we should prevent it from being combined with sockmap +by setting sk_prot->psock_update_sk_prot to NULL, which will be blocked by +sockmap's own flow. + +For the second case, since subflow_syn_recv_sock() has already restored +sk_prot to native tcp_prot/tcpv6_prot, no further action is needed. + +Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections") +Signed-off-by: Jiayuan Chen +Signed-off-by: Martin KaFai Lau +Reviewed-by: Matthieu Baerts (NGI0) +Cc: +Link: https://patch.msgid.link/20251111060307.194196-2-jiayuan.chen@linux.dev +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/subflow.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -1854,6 +1854,10 @@ void __init mptcp_subflow_init(void) + + tcp_prot_override = tcp_prot; + tcp_prot_override.release_cb = tcp_release_cb_override; ++#ifdef CONFIG_BPF_SYSCALL ++ /* Disable sockmap processing for subflows */ ++ tcp_prot_override.psock_update_sk_prot = NULL; ++#endif + + #if IS_ENABLED(CONFIG_MPTCP_IPV6) + /* In struct mptcp_subflow_request_sock, we assume the TCP request sock +@@ -1887,6 +1891,10 @@ void __init mptcp_subflow_init(void) + + tcpv6_prot_override = tcpv6_prot; + tcpv6_prot_override.release_cb = tcp_release_cb_override; ++#ifdef CONFIG_BPF_SYSCALL ++ /* Disable sockmap processing for subflows */ ++ tcpv6_prot_override.psock_update_sk_prot = NULL; ++#endif + #endif + + mptcp_diag_subflow_init(&subflow_ulp_ops); diff --git a/queue-5.15/mptcp-do-not-fallback-when-ooo-is-present.patch b/queue-5.15/mptcp-do-not-fallback-when-ooo-is-present.patch new file mode 100644 index 0000000000..5241c534af --- /dev/null +++ b/queue-5.15/mptcp-do-not-fallback-when-ooo-is-present.patch @@ -0,0 +1,50 @@ +From stable+bounces-196844-greg=kroah.com@vger.kernel.org Tue Nov 25 04:07:19 2025 +From: Sasha Levin +Date: Mon, 24 Nov 2025 22:07:11 -0500 +Subject: mptcp: do not fallback when OoO is present +To: stable@vger.kernel.org +Cc: Paolo Abeni , "Matthieu Baerts (NGI0)" , Jakub Kicinski , Sasha Levin +Message-ID: <20251125030711.325345-1-sashal@kernel.org> + +From: Paolo Abeni + +[ Upstream commit 1bba3f219c5e8c29e63afa3c1fc24f875ebec119 ] + +In case of DSS corruption, the MPTCP protocol tries to avoid the subflow +reset if fallback is possible. Such corruptions happen in the receive +path; to ensure fallback is possible the stack additionally needs to +check for OoO data, otherwise the fallback will break the data stream. + +Fixes: e32d262c89e2 ("mptcp: handle consistently DSS corruption") +Cc: stable@vger.kernel.org +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/598 +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20251118-net-mptcp-misc-fixes-6-18-rc6-v1-4-806d3781c95f@kernel.org +Signed-off-by: Jakub Kicinski +[ patch mptcp_dss_corruption() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -574,6 +574,15 @@ static bool mptcp_check_data_fin(struct + static void mptcp_dss_corruption(struct mptcp_sock *msk, struct sock *ssk) + { + if (READ_ONCE(msk->allow_infinite_fallback)) { ++ /* The caller possibly is not holding the msk socket lock, but ++ * in the fallback case only the current subflow is touching ++ * the OoO queue. ++ */ ++ if (!RB_EMPTY_ROOT(&msk->out_of_order_queue)) { ++ MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_DSSCORRUPTIONRESET); ++ mptcp_subflow_reset(ssk); ++ return; ++ } + MPTCP_INC_STATS(sock_net(ssk), + MPTCP_MIB_DSSCORRUPTIONFALLBACK); + mptcp_do_fallback(ssk); diff --git a/queue-5.15/mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch b/queue-5.15/mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch new file mode 100644 index 0000000000..8cb7a3c088 --- /dev/null +++ b/queue-5.15/mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch @@ -0,0 +1,199 @@ +From stable+bounces-196839-greg=kroah.com@vger.kernel.org Tue Nov 25 03:39:18 2025 +From: Sasha Levin +Date: Mon, 24 Nov 2025 21:39:10 -0500 +Subject: mptcp: fix a race in mptcp_pm_del_add_timer() +To: stable@vger.kernel.org +Cc: Eric Dumazet , syzbot+2a6fbf0f0530375968df@syzkaller.appspotmail.com, Geliang Tang , "Matthieu Baerts (NGI0)" , Jakub Kicinski , Sasha Levin +Message-ID: <20251125023910.292706-1-sashal@kernel.org> + +From: Eric Dumazet + +[ Upstream commit 426358d9be7ce3518966422f87b96f1bad27295f ] + +mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer) +while another might have free entry already, as reported by syzbot. + +Add RCU protection to fix this issue. + +Also change confusing add_timer variable with stop_timer boolean. + +syzbot report: + +BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 +Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44 + +CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 +Workqueue: events mptcp_worker +Call Trace: + + dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xca/0x240 mm/kasan/report.c:482 + kasan_report+0x118/0x150 mm/kasan/report.c:595 + __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 + sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631 + mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362 + mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174 + tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361 + tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441 + tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931 + tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374 + ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205 + ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239 + NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 + NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 + __netif_receive_skb_one_core net/core/dev.c:6079 [inline] + __netif_receive_skb+0x143/0x380 net/core/dev.c:6192 + process_backlog+0x31e/0x900 net/core/dev.c:6544 + __napi_poll+0xb6/0x540 net/core/dev.c:7594 + napi_poll net/core/dev.c:7657 [inline] + net_rx_action+0x5f7/0xda0 net/core/dev.c:7784 + handle_softirqs+0x22f/0x710 kernel/softirq.c:622 + __do_softirq kernel/softirq.c:656 [inline] + __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302 + mptcp_pm_send_ack net/mptcp/pm.c:210 [inline] + mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1 + mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002 + mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 + process_one_work kernel/workqueue.c:3263 [inline] + process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 + worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 + kthread+0x711/0x8a0 kernel/kthread.c:463 + ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 + + +Allocated by task 44: + kasan_save_stack mm/kasan/common.c:56 [inline] + kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 + poison_kmalloc_redzone mm/kasan/common.c:400 [inline] + __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417 + kasan_kmalloc include/linux/kasan.h:262 [inline] + __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748 + kmalloc_noprof include/linux/slab.h:957 [inline] + mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385 + mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355 + mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline] + __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529 + mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008 + mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 + process_one_work kernel/workqueue.c:3263 [inline] + process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 + worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 + kthread+0x711/0x8a0 kernel/kthread.c:463 + ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 + +Freed by task 6630: + kasan_save_stack mm/kasan/common.c:56 [inline] + kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 + __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587 + kasan_save_free_info mm/kasan/kasan.h:406 [inline] + poison_slab_object mm/kasan/common.c:252 [inline] + __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284 + kasan_slab_free include/linux/kasan.h:234 [inline] + slab_free_hook mm/slub.c:2523 [inline] + slab_free mm/slub.c:6611 [inline] + kfree+0x197/0x950 mm/slub.c:6818 + mptcp_remove_anno_list_by_saddr+0x2d/0x40 net/mptcp/pm.c:158 + mptcp_pm_flush_addrs_and_subflows net/mptcp/pm_kernel.c:1209 [inline] + mptcp_nl_flush_addrs_list net/mptcp/pm_kernel.c:1240 [inline] + mptcp_pm_nl_flush_addrs_doit+0x593/0xbb0 net/mptcp/pm_kernel.c:1281 + genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115 + genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] + genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210 + netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 + netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] + netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346 + netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg+0x21c/0x270 net/socket.c:742 + ____sys_sendmsg+0x508/0x820 net/socket.c:2630 + ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2684 + __sys_sendmsg net/socket.c:2716 [inline] + __do_sys_sendmsg net/socket.c:2721 [inline] + __se_sys_sendmsg net/socket.c:2719 [inline] + __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2719 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Cc: stable@vger.kernel.org +Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout") +Reported-by: syzbot+2a6fbf0f0530375968df@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/691ad3c3.a70a0220.f6df1.0004.GAE@google.com +Signed-off-by: Eric Dumazet +Cc: Geliang Tang +Reviewed-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20251117100745.1913963-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +[ applied changes to pm_netlink.c instead of pm.c ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -36,6 +36,7 @@ struct mptcp_pm_add_entry { + struct timer_list add_timer; + struct mptcp_sock *sock; + u8 retrans_times; ++ struct rcu_head rcu; + }; + + /* max value of mptcp_addr_info.id */ +@@ -366,22 +367,27 @@ mptcp_pm_del_add_timer(struct mptcp_sock + { + struct mptcp_pm_add_entry *entry; + struct sock *sk = (struct sock *)msk; +- struct timer_list *add_timer = NULL; ++ bool stop_timer = false; ++ ++ rcu_read_lock(); + + spin_lock_bh(&msk->pm.lock); + entry = mptcp_lookup_anno_list_by_saddr(msk, addr); + if (entry && (!check_id || entry->addr.id == addr->id)) { + entry->retrans_times = ADD_ADDR_RETRANS_MAX; +- add_timer = &entry->add_timer; ++ stop_timer = true; + } + if (!check_id && entry) + list_del(&entry->list); + spin_unlock_bh(&msk->pm.lock); + +- /* no lock, because sk_stop_timer_sync() is calling del_timer_sync() */ +- if (add_timer) +- sk_stop_timer_sync(sk, add_timer); ++ /* Note: entry might have been removed by another thread. ++ * We hold rcu_read_lock() to ensure it is not freed under us. ++ */ ++ if (stop_timer) ++ sk_stop_timer_sync(sk, &entry->add_timer); + ++ rcu_read_unlock(); + return entry; + } + +@@ -430,7 +436,7 @@ void mptcp_pm_free_anno_list(struct mptc + + list_for_each_entry_safe(entry, tmp, &free_list, list) { + sk_stop_timer_sync(sk, &entry->add_timer); +- kfree(entry); ++ kfree_rcu(entry, rcu); + } + } + +@@ -1425,7 +1431,7 @@ static bool remove_anno_list_by_saddr(st + + entry = mptcp_pm_del_add_timer(msk, addr, false); + if (entry) { +- kfree(entry); ++ kfree_rcu(entry, rcu); + return true; + } + diff --git a/queue-5.15/mptcp-fix-ack-generation-for-fallback-msk.patch b/queue-5.15/mptcp-fix-ack-generation-for-fallback-msk.patch new file mode 100644 index 0000000000..674750e68b --- /dev/null +++ b/queue-5.15/mptcp-fix-ack-generation-for-fallback-msk.patch @@ -0,0 +1,92 @@ +From stable+bounces-196824-greg=kroah.com@vger.kernel.org Mon Nov 24 23:40:17 2025 +From: Sasha Levin +Date: Mon, 24 Nov 2025 17:39:38 -0500 +Subject: mptcp: fix ack generation for fallback msk +To: stable@vger.kernel.org +Cc: Paolo Abeni , Geliang Tang , "Matthieu Baerts (NGI0)" , Jakub Kicinski , Sasha Levin +Message-ID: <20251124223938.74969-1-sashal@kernel.org> + +From: Paolo Abeni + +[ Upstream commit 5e15395f6d9ec07395866c5511f4b4ac566c0c9b ] + +mptcp_cleanup_rbuf() needs to know the last most recent, mptcp-level +rcv_wnd sent, and such information is tracked into the msk->old_wspace +field, updated at ack transmission time by mptcp_write_options(). + +Fallback socket do not add any mptcp options, such helper is never +invoked, and msk->old_wspace value remain stale. That in turn makes +ack generation at recvmsg() time quite random. + +Address the issue ensuring mptcp_write_options() is invoked even for +fallback sockets, and just update the needed info in such a case. + +The issue went unnoticed for a long time, as mptcp currently overshots +the fallback socket receive buffer autotune significantly. It is going +to change in the near future. + +Fixes: e3859603ba13 ("mptcp: better msk receive window updates") +Cc: stable@vger.kernel.org +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/594 +Signed-off-by: Paolo Abeni +Reviewed-by: Geliang Tang +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20251118-net-mptcp-misc-fixes-6-18-rc6-v1-1-806d3781c95f@kernel.org +Signed-off-by: Jakub Kicinski +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/options.c | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -810,8 +810,11 @@ bool mptcp_established_options(struct so + + opts->suboptions = 0; + ++ /* Force later mptcp_write_options(), but do not use any actual ++ * option space. ++ */ + if (unlikely(__mptcp_check_fallback(msk))) +- return false; ++ return true; + + if (unlikely(skb && TCP_SKB_CB(skb)->tcp_flags & TCPHDR_RST)) { + if (mptcp_established_options_mp_fail(sk, &opt_size, remaining, opts)) { +@@ -1222,6 +1225,20 @@ static void mptcp_set_rwin(const struct + WRITE_ONCE(msk->rcv_wnd_sent, ack_seq); + } + ++static void mptcp_track_rwin(const struct tcp_sock *tp) ++{ ++ const struct sock *ssk = (const struct sock *)tp; ++ struct mptcp_subflow_context *subflow; ++ struct mptcp_sock *msk; ++ ++ if (!ssk) ++ return; ++ ++ subflow = mptcp_subflow_ctx(ssk); ++ msk = mptcp_sk(subflow->conn); ++ WRITE_ONCE(msk->old_wspace, tp->rcv_wnd); ++} ++ + __sum16 __mptcp_make_csum(u64 data_seq, u32 subflow_seq, u16 data_len, __wsum sum) + { + struct csum_pseudo_header header; +@@ -1283,6 +1300,12 @@ void mptcp_write_options(__be32 *ptr, co + return; + } + ++ /* Fallback to TCP */ ++ if (unlikely(!opts->suboptions)) { ++ mptcp_track_rwin(tp); ++ return; ++ } ++ + /* DSS, MPC, MPJ and ADD_ADDR are mutually exclusive, see + * mptcp_established_options*() + */ diff --git a/queue-5.15/mptcp-fix-premature-close-in-case-of-fallback.patch b/queue-5.15/mptcp-fix-premature-close-in-case-of-fallback.patch new file mode 100644 index 0000000000..29d76b4048 --- /dev/null +++ b/queue-5.15/mptcp-fix-premature-close-in-case-of-fallback.patch @@ -0,0 +1,65 @@ +From stable+bounces-196832-greg=kroah.com@vger.kernel.org Tue Nov 25 01:48:23 2025 +From: Sasha Levin +Date: Mon, 24 Nov 2025 19:48:16 -0500 +Subject: mptcp: fix premature close in case of fallback +To: stable@vger.kernel.org +Cc: Paolo Abeni , "Matthieu Baerts (NGI0)" , Jakub Kicinski , Sasha Levin +Message-ID: <20251125004816.192030-1-sashal@kernel.org> + +From: Paolo Abeni + +[ Upstream commit 17393fa7b7086664be519e7230cb6ed7ec7d9462 ] + +I'm observing very frequent self-tests failures in case of fallback when +running on a CONFIG_PREEMPT kernel. + +The root cause is that subflow_sched_work_if_closed() closes any subflow +as soon as it is half-closed and has no incoming data pending. + +That works well for regular subflows - MPTCP needs bi-directional +connectivity to operate on a given subflow - but for fallback socket is +race prone. + +When TCP peer closes the connection before the MPTCP one, +subflow_sched_work_if_closed() will schedule the MPTCP worker to +gracefully close the subflow, and shortly after will do another schedule +to inject and process a dummy incoming DATA_FIN. + +On CONFIG_PREEMPT kernel, the MPTCP worker can kick-in and close the +fallback subflow before subflow_sched_work_if_closed() is able to create +the dummy DATA_FIN, unexpectedly interrupting the transfer. + +Address the issue explicitly avoiding closing fallback subflows on when +the peer is only half-closed. + +Note that, when the subflow is able to create the DATA_FIN before the +worker invocation, the worker will change the msk state before trying to +close the subflow and will skip the latter operation as the msk will not +match anymore the precondition in __mptcp_close_subflow(). + +Fixes: f09b0ad55a11 ("mptcp: close subflow when receiving TCP+FIN") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20251118-net-mptcp-misc-fixes-6-18-rc6-v1-3-806d3781c95f@kernel.org +Signed-off-by: Jakub Kicinski +[ sk -> ssk ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -2412,7 +2412,8 @@ static void __mptcp_close_subflow(struct + + if (ssk_state != TCP_CLOSE && + (ssk_state != TCP_CLOSE_WAIT || +- inet_sk_state_load((struct sock *)ssk) != TCP_ESTABLISHED)) ++ inet_sk_state_load((struct sock *)ssk) != TCP_ESTABLISHED || ++ __mptcp_check_fallback(msk))) + continue; + + /* 'subflow_data_ready' will re-sched once rx queue is empty */ diff --git a/queue-5.15/mptcp-fix-proto-fallback-detection-with-bpf.patch b/queue-5.15/mptcp-fix-proto-fallback-detection-with-bpf.patch new file mode 100644 index 0000000000..936095005c --- /dev/null +++ b/queue-5.15/mptcp-fix-proto-fallback-detection-with-bpf.patch @@ -0,0 +1,101 @@ +From stable+bounces-196772-greg=kroah.com@vger.kernel.org Mon Nov 24 18:24:35 2025 +From: Sasha Levin +Date: Mon, 24 Nov 2025 12:24:26 -0500 +Subject: mptcp: Fix proto fallback detection with BPF +To: stable@vger.kernel.org +Cc: Jiayuan Chen , Martin KaFai Lau , Jakub Sitnicki , "Matthieu Baerts (NGI0)" , Sasha Levin +Message-ID: <20251124172426.4160679-1-sashal@kernel.org> + +From: Jiayuan Chen + +[ Upstream commit c77b3b79a92e3345aa1ee296180d1af4e7031f8f ] + +The sockmap feature allows bpf syscall from userspace, or based +on bpf sockops, replacing the sk_prot of sockets during protocol stack +processing with sockmap's custom read/write interfaces. +''' +tcp_rcv_state_process() + syn_recv_sock()/subflow_syn_recv_sock() + tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) + bpf_skops_established <== sockops + bpf_sock_map_update(sk) <== call bpf helper + tcp_bpf_update_proto() <== update sk_prot +''' + +When the server has MPTCP enabled but the client sends a TCP SYN +without MPTCP, subflow_syn_recv_sock() performs a fallback on the +subflow, replacing the subflow sk's sk_prot with the native sk_prot. +''' +subflow_syn_recv_sock() + subflow_ulp_fallback() + subflow_drop_ctx() + mptcp_subflow_ops_undo_override() +''' + +Then, this subflow can be normally used by sockmap, which replaces the +native sk_prot with sockmap's custom sk_prot. The issue occurs when the +user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops(). +Here, it uses sk->sk_prot to compare with the native sk_prot, but this +is incorrect when sockmap is used, as we may incorrectly set +sk->sk_socket->ops. + +This fix uses the more generic sk_family for the comparison instead. + +Additionally, this also prevents a WARNING from occurring: + +result from ./scripts/decode_stacktrace.sh: +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \ +(net/mptcp/protocol.c:4005) +Modules linked in: +... + +PKRU: 55555554 +Call Trace: + +do_accept (net/socket.c:1989) +__sys_accept4 (net/socket.c:2028 net/socket.c:2057) +__x64_sys_accept (net/socket.c:2067) +x64_sys_call (arch/x86/entry/syscall_64.c:41) +do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) +RIP: 0033:0x7f87ac92b83d + +---[ end trace 0000000000000000 ]--- + +Fixes: 0b4f33def7bb ("mptcp: fix tcp fallback crash") +Signed-off-by: Jiayuan Chen +Signed-off-by: Martin KaFai Lau +Reviewed-by: Jakub Sitnicki +Reviewed-by: Matthieu Baerts (NGI0) +Cc: +Link: https://patch.msgid.link/20251111060307.194196-3-jiayuan.chen@linux.dev +[ applied fix to mptcp_is_tcpsk() instead of mptcp_fallback_tcp_ops() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -77,8 +77,9 @@ static u64 mptcp_wnd_end(const struct mp + static bool mptcp_is_tcpsk(struct sock *sk) + { + struct socket *sock = sk->sk_socket; ++ unsigned short family = READ_ONCE(sk->sk_family); + +- if (unlikely(sk->sk_prot == &tcp_prot)) { ++ if (unlikely(family == AF_INET)) { + /* we are being invoked after mptcp_accept() has + * accepted a non-mp-capable flow: sk is a tcp_sk, + * not an mptcp one. +@@ -89,7 +90,7 @@ static bool mptcp_is_tcpsk(struct sock * + sock->ops = &inet_stream_ops; + return true; + #if IS_ENABLED(CONFIG_MPTCP_IPV6) +- } else if (unlikely(sk->sk_prot == &tcpv6_prot)) { ++ } else if (unlikely(family == AF_INET6)) { + sock->ops = &inet6_stream_ops; + return true; + #endif diff --git a/queue-5.15/net-netpoll-fix-incorrect-refcount-handling-causing-incorrect-cleanup.patch b/queue-5.15/net-netpoll-fix-incorrect-refcount-handling-causing-incorrect-cleanup.patch new file mode 100644 index 0000000000..0daf9c8eac --- /dev/null +++ b/queue-5.15/net-netpoll-fix-incorrect-refcount-handling-causing-incorrect-cleanup.patch @@ -0,0 +1,85 @@ +From stable+bounces-195440-greg=kroah.com@vger.kernel.org Fri Nov 21 02:52:25 2025 +From: Sasha Levin +Date: Thu, 20 Nov 2025 20:52:15 -0500 +Subject: net: netpoll: fix incorrect refcount handling causing incorrect cleanup +To: stable@vger.kernel.org +Cc: Breno Leitao , Jay Vosburgh , Simon Horman , Jakub Kicinski , Sasha Levin +Message-ID: <20251121015215.2335584-1-sashal@kernel.org> + +From: Breno Leitao + +[ Upstream commit 49c8d2c1f94cc2f4d1a108530d7ba52614b874c2 ] + +commit efa95b01da18 ("netpoll: fix use after free") incorrectly +ignored the refcount and prematurely set dev->npinfo to NULL during +netpoll cleanup, leading to improper behavior and memory leaks. + +Scenario causing lack of proper cleanup: + +1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is + allocated, and refcnt = 1 + - Keep in mind that npinfo is shared among all netpoll instances. In + this case, there is just one. + +2) Another netpoll is also associated with the same NIC and + npinfo->refcnt += 1. + - Now dev->npinfo->refcnt = 2; + - There is just one npinfo associated to the netdev. + +3) When the first netpolls goes to clean up: + - The first cleanup succeeds and clears np->dev->npinfo, ignoring + refcnt. + - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);` + - Set dev->npinfo = NULL, without proper cleanup + - No ->ndo_netpoll_cleanup() is either called + +4) Now the second target tries to clean up + - The second cleanup fails because np->dev->npinfo is already NULL. + * In this case, ops->ndo_netpoll_cleanup() was never called, and + the skb pool is not cleaned as well (for the second netpoll + instance) + - This leaks npinfo and skbpool skbs, which is clearly reported by + kmemleak. + +Revert commit efa95b01da18 ("netpoll: fix use after free") and adds +clarifying comments emphasizing that npinfo cleanup should only happen +once the refcount reaches zero, ensuring stable and correct netpoll +behavior. + +Cc: # 3.17.x +Cc: Jay Vosburgh +Fixes: efa95b01da18 ("netpoll: fix use after free") +Signed-off-by: Breno Leitao +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251107-netconsole_torture-v10-1-749227b55f63@debian.org +Signed-off-by: Jakub Kicinski +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/core/netpoll.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/core/netpoll.c ++++ b/net/core/netpoll.c +@@ -851,6 +851,10 @@ void __netpoll_cleanup(struct netpoll *n + + synchronize_srcu(&netpoll_srcu); + ++ /* At this point, there is a single npinfo instance per netdevice, and ++ * its refcnt tracks how many netpoll structures are linked to it. We ++ * only perform npinfo cleanup when the refcnt decrements to zero. ++ */ + if (refcount_dec_and_test(&npinfo->refcnt)) { + const struct net_device_ops *ops; + +@@ -860,8 +864,7 @@ void __netpoll_cleanup(struct netpoll *n + + RCU_INIT_POINTER(np->dev->npinfo, NULL); + call_rcu(&npinfo->rcu, rcu_cleanup_netpoll_info); +- } else +- RCU_INIT_POINTER(np->dev->npinfo, NULL); ++ } + } + EXPORT_SYMBOL_GPL(__netpoll_cleanup); + diff --git a/queue-5.15/net-qede-initialize-qede_ll_ops-with-designated-initializer.patch b/queue-5.15/net-qede-initialize-qede_ll_ops-with-designated-initializer.patch new file mode 100644 index 0000000000..9952ae3d40 --- /dev/null +++ b/queue-5.15/net-qede-initialize-qede_ll_ops-with-designated-initializer.patch @@ -0,0 +1,43 @@ +From 6b3ab7f2cbfaeb6580709cd8ef4d72cfd01bfde4 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 7 May 2025 21:47:45 +0100 +Subject: net: qede: Initialize qede_ll_ops with designated initializer + +From: Nathan Chancellor + +commit 6b3ab7f2cbfaeb6580709cd8ef4d72cfd01bfde4 upstream. + +After a recent change [1] in clang's randstruct implementation to +randomize structures that only contain function pointers, there is an +error because qede_ll_ops get randomized but does not use a designated +initializer for the first member: + + drivers/net/ethernet/qlogic/qede/qede_main.c:206:2: error: a randomized struct can only be initialized with a designated initializer + 206 | { + | ^ + +Explicitly initialize the common member using a designated initializer +to fix the build. + +Cc: stable@vger.kernel.org +Fixes: 035f7f87b729 ("randstruct: Enable Clang support") +Link: https://github.com/llvm/llvm-project/commit/04364fb888eea6db9811510607bed4b200bcb082 [1] +Signed-off-by: Nathan Chancellor +Link: https://patch.msgid.link/20250507-qede-fix-clang-randstruct-v1-1-5ccc15626fba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qede/qede_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qlogic/qede/qede_main.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_main.c +@@ -194,7 +194,7 @@ static struct pci_driver qede_pci_driver + }; + + static struct qed_eth_cb_ops qede_ll_ops = { +- { ++ .common = { + #ifdef CONFIG_RFS_ACCEL + .arfs_filter_op = qede_arfs_filter_op, + #endif diff --git a/queue-5.15/pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch b/queue-5.15/pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch new file mode 100644 index 0000000000..a9f3298282 --- /dev/null +++ b/queue-5.15/pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch @@ -0,0 +1,82 @@ +From stable+bounces-196522-greg=kroah.com@vger.kernel.org Fri Nov 21 17:23:45 2025 +From: Sasha Levin +Date: Fri, 21 Nov 2025 11:22:09 -0500 +Subject: pmdomain: arm: scmi: Fix genpd leak on provider registration failure +To: stable@vger.kernel.org +Cc: Sudeep Holla , Peng Fan , Ulf Hansson , Sasha Levin +Message-ID: <20251121162209.2595547-1-sashal@kernel.org> + +From: Sudeep Holla + +[ Upstream commit 7458f72cc28f9eb0de811effcb5376d0ec19094a ] + +If of_genpd_add_provider_onecell() fails during probe, the previously +created generic power domains are not removed, leading to a memory leak +and potential kernel crash later in genpd_debug_add(). + +Add proper error handling to unwind the initialized domains before +returning from probe to ensure all resources are correctly released on +failure. + +Example crash trace observed without this fix: + + | Unable to handle kernel paging request at virtual address fffffffffffffc70 + | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT + | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform + | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + | pc : genpd_debug_add+0x2c/0x160 + | lr : genpd_debug_init+0x74/0x98 + | Call trace: + | genpd_debug_add+0x2c/0x160 (P) + | genpd_debug_init+0x74/0x98 + | do_one_initcall+0xd0/0x2d8 + | do_initcall_level+0xa0/0x140 + | do_initcalls+0x60/0xa8 + | do_basic_setup+0x28/0x40 + | kernel_init_freeable+0xe8/0x170 + | kernel_init+0x2c/0x140 + | ret_from_fork+0x10/0x20 + +Fixes: 898216c97ed2 ("firmware: arm_scmi: add device power domain support using genpd") +Signed-off-by: Sudeep Holla +Reviewed-by: Peng Fan +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +[ drivers/pmdomain/arm/scmi_pm_domain.c -> drivers/firmware/arm_scmi/scmi_pm_domain.c ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/arm_scmi/scmi_pm_domain.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/firmware/arm_scmi/scmi_pm_domain.c ++++ b/drivers/firmware/arm_scmi/scmi_pm_domain.c +@@ -54,7 +54,7 @@ static int scmi_pd_power_off(struct gene + + static int scmi_pm_domain_probe(struct scmi_device *sdev) + { +- int num_domains, i; ++ int num_domains, i, ret; + struct device *dev = &sdev->dev; + struct device_node *np = dev->of_node; + struct scmi_pm_domain *scmi_pd; +@@ -112,9 +112,18 @@ static int scmi_pm_domain_probe(struct s + scmi_pd_data->domains = domains; + scmi_pd_data->num_domains = num_domains; + ++ ret = of_genpd_add_provider_onecell(np, scmi_pd_data); ++ if (ret) ++ goto err_rm_genpds; ++ + dev_set_drvdata(dev, scmi_pd_data); + +- return of_genpd_add_provider_onecell(np, scmi_pd_data); ++ return 0; ++err_rm_genpds: ++ for (i = num_domains - 1; i >= 0; i--) ++ pm_genpd_remove(domains[i]); ++ ++ return ret; + } + + static void scmi_pm_domain_remove(struct scmi_device *sdev) diff --git a/queue-5.15/pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch b/queue-5.15/pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch new file mode 100644 index 0000000000..07a9c42737 --- /dev/null +++ b/queue-5.15/pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch @@ -0,0 +1,38 @@ +From stable+bounces-196521-greg=kroah.com@vger.kernel.org Fri Nov 21 17:23:43 2025 +From: Sasha Levin +Date: Fri, 21 Nov 2025 11:22:06 -0500 +Subject: pmdomain: imx: Fix reference count leak in imx_gpc_remove +To: stable@vger.kernel.org +Cc: Miaoqian Lin , Ulf Hansson , Sasha Levin +Message-ID: <20251121162206.2595501-1-sashal@kernel.org> + +From: Miaoqian Lin + +[ Upstream commit bbde14682eba21d86f5f3d6fe2d371b1f97f1e61 ] + +of_get_child_by_name() returns a node pointer with refcount incremented, we +should use of_node_put() on it when not needed anymore. Add the missing +of_node_put() to avoid refcount leak. + +Fixes: 721cabf6c660 ("soc: imx: move PGC handling to a new GPC driver") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Signed-off-by: Ulf Hansson +[ drivers/pmdomain/imx/gpc.c -> drivers/soc/imx/gpc.c ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/imx/gpc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/soc/imx/gpc.c ++++ b/drivers/soc/imx/gpc.c +@@ -540,6 +540,8 @@ static int imx_gpc_remove(struct platfor + return ret; + } + ++ of_node_put(pgc_node); ++ + return 0; + } + diff --git a/queue-5.15/pmdomain-samsung-plug-potential-memleak-during-probe.patch b/queue-5.15/pmdomain-samsung-plug-potential-memleak-during-probe.patch new file mode 100644 index 0000000000..aa0f395147 --- /dev/null +++ b/queue-5.15/pmdomain-samsung-plug-potential-memleak-during-probe.patch @@ -0,0 +1,69 @@ +From stable+bounces-196543-greg=kroah.com@vger.kernel.org Fri Nov 21 18:21:36 2025 +From: Sasha Levin +Date: Fri, 21 Nov 2025 12:16:26 -0500 +Subject: pmdomain: samsung: plug potential memleak during probe +To: stable@vger.kernel.org +Cc: "André Draszik" , "Peter Griffin" , "Krzysztof Kozlowski" , "Marek Szyprowski" , "Ulf Hansson" , "Sasha Levin" +Message-ID: <20251121171626.2611968-1-sashal@kernel.org> + +From: André Draszik + +[ Upstream commit 90c82941adf1986364e0f82c35cf59f2bf5f6a1d ] + +of_genpd_add_provider_simple() could fail, in which case this code +leaks the domain name, pd->pd.name. + +Use devm_kstrdup_const() to plug this leak. As a side-effect, we can +simplify existing error handling. + +Fixes: c09a3e6c97f0 ("soc: samsung: pm_domains: Convert to regular platform driver") +Cc: stable@vger.kernel.org +Reviewed-by: Peter Griffin +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: André Draszik +Tested-by: Marek Szyprowski +Signed-off-by: Ulf Hansson +[ drivers/pmdomain/samsung/exynos-pm-domains.c -> drivers/soc/samsung/pm_domains.c ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/samsung/pm_domains.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/soc/samsung/pm_domains.c ++++ b/drivers/soc/samsung/pm_domains.c +@@ -92,13 +92,14 @@ static const struct of_device_id exynos_ + { }, + }; + +-static const char *exynos_get_domain_name(struct device_node *node) ++static const char *exynos_get_domain_name(struct device *dev, ++ struct device_node *node) + { + const char *name; + + if (of_property_read_string(node, "label", &name) < 0) + name = kbasename(node->full_name); +- return kstrdup_const(name, GFP_KERNEL); ++ return devm_kstrdup_const(dev, name, GFP_KERNEL); + } + + static int exynos_pd_probe(struct platform_device *pdev) +@@ -115,15 +116,13 @@ static int exynos_pd_probe(struct platfo + if (!pd) + return -ENOMEM; + +- pd->pd.name = exynos_get_domain_name(np); ++ pd->pd.name = exynos_get_domain_name(dev, np); + if (!pd->pd.name) + return -ENOMEM; + + pd->base = of_iomap(np, 0); +- if (!pd->base) { +- kfree_const(pd->pd.name); ++ if (!pd->base) + return -ENODEV; +- } + + pd->pd.power_off = exynos_pd_power_off; + pd->pd.power_on = exynos_pd_power_on; diff --git a/queue-5.15/revert-block-don-t-add-or-resize-partition-on-the-disk-with-genhd_fl_no_part.patch b/queue-5.15/revert-block-don-t-add-or-resize-partition-on-the-disk-with-genhd_fl_no_part.patch new file mode 100644 index 0000000000..5194a35d8e --- /dev/null +++ b/queue-5.15/revert-block-don-t-add-or-resize-partition-on-the-disk-with-genhd_fl_no_part.patch @@ -0,0 +1,69 @@ +From stable+bounces-197047-greg=kroah.com@vger.kernel.org Wed Nov 26 18:54:34 2025 +From: Gulam Mohamed +Date: Wed, 26 Nov 2025 17:54:15 +0000 +Subject: Revert "block: don't add or resize partition on the disk with GENHD_FL_NO_PART" +To: linux-kernel@vger.kernel.org, hch@lst.de +Cc: stable@vger.kernel.org, gulam.mohamed@oracle.com +Message-ID: <20251126175415.259906-2-gulam.mohamed@oracle.com> + +From: Gulam Mohamed + +This reverts commit 1a721de8489fa559ff4471f73c58bb74ac5580d3. + +The commit 1a721de8489f ("block: don't add or resize partition on the disk +with GENHD_FL_NO_PART") and the commit 7777f47f2ea6 ("block: Move checking +GENHD_FL_NO_PART to bdev_add_partition()") used the flag GENHD_FL_NO_PART +to prevent the add or resize of partitions in 5.15 stable kernels.But in +these 5.15 kernels, this is giving an issue with the following error +where the loop driver wants to create a partition when the partscan is +disabled on the loop device: + +dd if=/dev/zero of=loopDisk.dsk bs=1M count=1 seek=10240; +losetup -f loopDisk.dsk;parted -s /dev/loop0 -- mklabel gpt mkpart primary + 2048s 4096s +1+0 records in +1+0 records out +1048576 bytes (1.0 MB, 1.0 MiB) copied, 0.0016293 s, 644 MB/s +"" +Error: Partition(s) 1 on /dev/loop0 have been written, but we have been +unable to inform the kernel of the change, probably because it/they are +in use. As a result, the old partition(s) will remain in use. You should +reboot now before making further changes. +"" +If the partition scan is not enabled on the loop device, this flag +GENHD_FL_NO_PART is getting set and when partition creation is tried, +it returns an error EINVAL thereby preventing the creation of partitions. +So, there is no such distinction between disabling of partition scan and +partition creation. + +Later in 6.xxx kernels, the commit b9684a71fca7 ("block, loop: support +partitions without scanning") a new flag GD_SUPPRESS_PART_SCAN was +introduced that just disables the partition scan and uses GENHD_FL_NO_PART +only to prevent creating partition scan. So, the partition creationg can +proceed with even if partition scan is disabled. + +As the commit b9684a71fca7 ("block, loop: support partitions without +scanning") is not available in 5.15 stable kernel, and since there is no +distinction between disabling of "partition scan" and "partition +creation", we need to revert the commits 1a721de8489f and 7777f47f2ea6 +from 5.15 stable kernel to allow partition creation when partscan is +disabled. + +Cc: stable@vger.kernel.org +Signed-off-by: Gulam Mohamed +Signed-off-by: Greg Kroah-Hartman +--- + block/ioctl.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/block/ioctl.c ++++ b/block/ioctl.c +@@ -20,8 +20,6 @@ static int blkpg_do_ioctl(struct block_d + struct blkpg_partition p; + sector_t start, length; + +- if (disk->flags & GENHD_FL_NO_PART) +- return -EINVAL; + if (!capable(CAP_SYS_ADMIN)) + return -EACCES; + if (copy_from_user(&p, upart, sizeof(struct blkpg_partition))) diff --git a/queue-5.15/revert-block-move-checking-genhd_fl_no_part-to-bdev_add_partition.patch b/queue-5.15/revert-block-move-checking-genhd_fl_no_part-to-bdev_add_partition.patch new file mode 100644 index 0000000000..7df031c237 --- /dev/null +++ b/queue-5.15/revert-block-move-checking-genhd_fl_no_part-to-bdev_add_partition.patch @@ -0,0 +1,84 @@ +From stable+bounces-197046-greg=kroah.com@vger.kernel.org Wed Nov 26 18:54:35 2025 +From: Gulam Mohamed +Date: Wed, 26 Nov 2025 17:54:14 +0000 +Subject: Revert "block: Move checking GENHD_FL_NO_PART to bdev_add_partition()" +To: linux-kernel@vger.kernel.org, hch@lst.de +Cc: stable@vger.kernel.org, gulam.mohamed@oracle.com +Message-ID: <20251126175415.259906-1-gulam.mohamed@oracle.com> + +From: Gulam Mohamed + +This reverts commit 7777f47f2ea64efd1016262e7b59fab34adfb869. + +The commit 1a721de8489f ("block: don't add or resize partition on the disk +with GENHD_FL_NO_PART") and the commit 7777f47f2ea6 ("block: Move checking +GENHD_FL_NO_PART to bdev_add_partition()") used the flag GENHD_FL_NO_PART +to prevent the add or resize of partitions in 5.15 stable kernels.But in +these 5.15 kernels, this is giving an issue with the following error +where the loop driver wants to create a partition when the partscan is +disabled on the loop device: + +dd if=/dev/zero of=loopDisk.dsk bs=1M count=1 seek=10240; +losetup -f loopDisk.dsk;parted -s /dev/loop0 -- mklabel gpt mkpart primary + 2048s 4096s +1+0 records in +1+0 records out +1048576 bytes (1.0 MB, 1.0 MiB) copied, 0.0016293 s, 644 MB/s +"" +Error: Partition(s) 1 on /dev/loop0 have been written, but we have been +unable to inform the kernel of the change, probably because it/they are +in use. As a result, the old partition(s) will remain in use. You should +reboot now before making further changes. +"" +If the partition scan is not enabled on the loop device, this flag +GENHD_FL_NO_PART is getting set and when partition creation is tried, +it returns an error EINVAL thereby preventing the creation of partitions. +So, there is no such distinction between disabling of partition scan and +partition creation. + +Later in 6.xxx kernels, the commit b9684a71fca7 ("block, loop: support +partitions without scanning") a new flag GD_SUPPRESS_PART_SCAN was +introduced that just disables the partition scan and uses GENHD_FL_NO_PART +only to prevent creating partition scan. So, the partition creationg can +proceed with even if partition scan is disabled. + +As the commit b9684a71fca7 ("block, loop: support partitions without +scanning") is not available in 5.15 stable kernel, and since there is no +distinction between disabling of "partition scan" and "partition +creation", we need to revert the commits 1a721de8489f and 7777f47f2ea6 +from 5.15 stable kernel to allow partition creation when partscan is +disabled. + +Cc: stable@vger.kernel.org +Signed-off-by: Gulam Mohamed +Signed-off-by: Greg Kroah-Hartman +--- + block/ioctl.c | 2 ++ + block/partitions/core.c | 5 ----- + 2 files changed, 2 insertions(+), 5 deletions(-) + +--- a/block/ioctl.c ++++ b/block/ioctl.c +@@ -20,6 +20,8 @@ static int blkpg_do_ioctl(struct block_d + struct blkpg_partition p; + sector_t start, length; + ++ if (disk->flags & GENHD_FL_NO_PART) ++ return -EINVAL; + if (!capable(CAP_SYS_ADMIN)) + return -EACCES; + if (copy_from_user(&p, upart, sizeof(struct blkpg_partition))) +--- a/block/partitions/core.c ++++ b/block/partitions/core.c +@@ -463,11 +463,6 @@ int bdev_add_partition(struct gendisk *d + goto out; + } + +- if (disk->flags & GENHD_FL_NO_PART) { +- ret = -EINVAL; +- goto out; +- } +- + if (partition_overlaps(disk, start, length, -1)) { + ret = -EBUSY; + goto out; diff --git a/queue-5.15/selftests-mptcp-connect-fix-fallback-note-due-to-ooo.patch b/queue-5.15/selftests-mptcp-connect-fix-fallback-note-due-to-ooo.patch new file mode 100644 index 0000000000..39fbcdf57e --- /dev/null +++ b/queue-5.15/selftests-mptcp-connect-fix-fallback-note-due-to-ooo.patch @@ -0,0 +1,45 @@ +From stable+bounces-196551-greg=kroah.com@vger.kernel.org Fri Nov 21 19:14:02 2025 +From: Sasha Levin +Date: Fri, 21 Nov 2025 13:10:34 -0500 +Subject: selftests: mptcp: connect: fix fallback note due to OoO +To: stable@vger.kernel.org +Cc: "Matthieu Baerts (NGI0)" , Geliang Tang , Jakub Kicinski , Sasha Levin +Message-ID: <20251121181034.2640730-1-sashal@kernel.org> + +From: "Matthieu Baerts (NGI0)" + +[ Upstream commit 63c643aa7b7287fdbb0167063785f89ece3f000f ] + +The "fallback due to TCP OoO" was never printed because the stat_ooo_now +variable was checked twice: once in the parent if-statement, and one in +the child one. The second condition was then always true then, and the +'else' branch was never taken. + +The idea is that when there are more ACK + MP_CAPABLE than expected, the +test either fails if there was no out of order packets, or a notice is +printed. + +Fixes: 69ca3d29a755 ("mptcp: update selftest for fallback due to OoO") +Cc: stable@vger.kernel.org +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20251110-net-mptcp-sft-join-unstable-v1-1-a4332c714e10@kernel.org +Signed-off-by: Jakub Kicinski +[ Different operators used ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_connect.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_connect.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.sh +@@ -535,7 +535,7 @@ do_transfer() + "${stat_synrx_now_l}" "${expect_synrx}" 1>&2 + retc=1 + fi +- if [ ${stat_ackrx_now_l} -lt ${expect_ackrx} -a ${stat_ooo_now} -eq 0 ]; then ++ if [ ${stat_ackrx_now_l} -lt ${expect_ackrx} ]; then + if [ ${stat_ooo_now} -eq 0 ]; then + printf "[ FAIL ] lower MPC ACK rx (%d) than expected (%d)\n" \ + "${stat_ackrx_now_l}" "${expect_ackrx}" 1>&2 diff --git a/queue-5.15/series b/queue-5.15/series index b760837da2..1dc0f362c7 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -311,3 +311,29 @@ mm-secretmem-fix-use-after-free-race-in-fault-handle.patch alsa-usb-audio-fix-uac2-clock-source-at-terminal-par.patch net-ethernet-ti-netcp-standardize-knav_dma_open_chan.patch tracing-tools-fix-incorrcet-short-option-in-usage-te.patch +uio_hv_generic-set-event-for-all-channels-on-the-device.patch +makefile.compiler-replace-cc-ifversion-with-compiler-specific-macros.patch +btrfs-add-helper-to-truncate-inode-items-when-logging-inode.patch +btrfs-fix-crash-on-racing-fsync-and-size-extending-write-into-prealloc.patch +net-qede-initialize-qede_ll_ops-with-designated-initializer.patch +mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch +net-netpoll-fix-incorrect-refcount-handling-causing-incorrect-cleanup.patch +pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch +pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch +pmdomain-samsung-plug-potential-memleak-during-probe.patch +selftests-mptcp-connect-fix-fallback-note-due-to-ooo.patch +mptcp-disallow-mptcp-subflows-from-sockmap.patch +mptcp-fix-proto-fallback-detection-with-bpf.patch +usb-deprecate-the-third-argument-of-usb_maxpacket.patch +input-remove-third-argument-of-usb_maxpacket.patch +input-pegasus-notetaker-fix-potential-out-of-bounds-access.patch +ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch +dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch +mm-mempool-replace-kmap_atomic-with-kmap_local_page.patch +mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch +mptcp-fix-ack-generation-for-fallback-msk.patch +mptcp-fix-premature-close-in-case-of-fallback.patch +mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch +mptcp-do-not-fallback-when-ooo-is-present.patch +revert-block-move-checking-genhd_fl_no_part-to-bdev_add_partition.patch +revert-block-don-t-add-or-resize-partition-on-the-disk-with-genhd_fl_no_part.patch diff --git a/queue-5.15/uio_hv_generic-set-event-for-all-channels-on-the-device.patch b/queue-5.15/uio_hv_generic-set-event-for-all-channels-on-the-device.patch new file mode 100644 index 0000000000..7152ae9abe --- /dev/null +++ b/queue-5.15/uio_hv_generic-set-event-for-all-channels-on-the-device.patch @@ -0,0 +1,74 @@ +From d062463edf1770427dc2d637df4088df4835aa47 Mon Sep 17 00:00:00 2001 +From: Long Li +Date: Mon, 10 Mar 2025 15:12:01 -0700 +Subject: uio_hv_generic: Set event for all channels on the device + +From: Long Li + +commit d062463edf1770427dc2d637df4088df4835aa47 upstream. + +Hyper-V may offer a non latency sensitive device with subchannels without +monitor bit enabled. The decision is entirely on the Hyper-V host not +configurable within guest. + +When a device has subchannels, also signal events for the subchannel +if its monitor bit is disabled. + +This patch also removes the memory barrier when monitor bit is enabled +as it is not necessary. The memory barrier is only needed between +setting up interrupt mask and calling vmbus_set_event() when monitor +bit is disabled. + +Signed-off-by: Long Li +Reviewed-by: Michael Kelley +Reviewed-by: Saurabh Sengar +Link: https://lore.kernel.org/r/1741644721-20389-1-git-send-email-longli@linuxonhyperv.com +Fixes: b15b7d2a1b09 ("uio_hv_generic: Let userspace take care of interrupt mask") +Closes: https://bugs.debian.org/1120602 +Signed-off-by: Naman Jain +Signed-off-by: Greg Kroah-Hartman +--- + drivers/uio/uio_hv_generic.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +--- a/drivers/uio/uio_hv_generic.c ++++ b/drivers/uio/uio_hv_generic.c +@@ -80,9 +80,15 @@ hv_uio_irqcontrol(struct uio_info *info, + { + struct hv_uio_private_data *pdata = info->priv; + struct hv_device *dev = pdata->device; ++ struct vmbus_channel *primary, *sc; + +- dev->channel->inbound.ring_buffer->interrupt_mask = !irq_state; +- virt_mb(); ++ primary = dev->channel; ++ primary->inbound.ring_buffer->interrupt_mask = !irq_state; ++ ++ mutex_lock(&vmbus_connection.channel_mutex); ++ list_for_each_entry(sc, &primary->sc_list, sc_list) ++ sc->inbound.ring_buffer->interrupt_mask = !irq_state; ++ mutex_unlock(&vmbus_connection.channel_mutex); + + return 0; + } +@@ -93,11 +99,18 @@ hv_uio_irqcontrol(struct uio_info *info, + static void hv_uio_channel_cb(void *context) + { + struct vmbus_channel *chan = context; +- struct hv_device *hv_dev = chan->device_obj; +- struct hv_uio_private_data *pdata = hv_get_drvdata(hv_dev); ++ struct hv_device *hv_dev; ++ struct hv_uio_private_data *pdata; + + virt_mb(); + ++ /* ++ * The callback may come from a subchannel, in which case look ++ * for the hv device in the primary channel ++ */ ++ hv_dev = chan->primary_channel ? ++ chan->primary_channel->device_obj : chan->device_obj; ++ pdata = hv_get_drvdata(hv_dev); + uio_event_notify(&pdata->info); + } + diff --git a/queue-5.15/usb-deprecate-the-third-argument-of-usb_maxpacket.patch b/queue-5.15/usb-deprecate-the-third-argument-of-usb_maxpacket.patch new file mode 100644 index 0000000000..377849dd9d --- /dev/null +++ b/queue-5.15/usb-deprecate-the-third-argument-of-usb_maxpacket.patch @@ -0,0 +1,85 @@ +From stable+bounces-196780-greg=kroah.com@vger.kernel.org Mon Nov 24 19:38:15 2025 +From: Sasha Levin +Date: Mon, 24 Nov 2025 13:37:56 -0500 +Subject: usb: deprecate the third argument of usb_maxpacket() +To: stable@vger.kernel.org +Cc: Vincent Mailhol , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20251124183758.4187087-1-sashal@kernel.org> + +From: Vincent Mailhol + +[ Upstream commit 0f08c2e7458e25c967d844170f8ad1aac3b57a02 ] + +This is a transitional patch with the ultimate goal of changing the +prototype of usb_maxpacket() from: +| static inline __u16 +| usb_maxpacket(struct usb_device *udev, int pipe, int is_out) + +into: +| static inline u16 usb_maxpacket(struct usb_device *udev, int pipe) + +The third argument of usb_maxpacket(): is_out gets removed because it +can be derived from its second argument: pipe using +usb_pipeout(pipe). Furthermore, in the current version, +ubs_pipeout(pipe) is called regardless in order to sanitize the is_out +parameter. + +In order to make a smooth change, we first deprecate the is_out +parameter by simply ignoring it (using a variadic function) and will +remove it later, once all the callers get updated. + +The body of the function is reworked accordingly and is_out is +replaced by usb_pipeout(pipe). The WARN_ON() calls become unnecessary +and get removed. + +Finally, the return type is changed from __u16 to u16 because this is +not a UAPI function. + +Signed-off-by: Vincent Mailhol +Link: https://lore.kernel.org/r/20220317035514.6378-2-mailhol.vincent@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 69aeb5073123 ("Input: pegasus-notetaker - fix potential out-of-bounds access") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/usb.h | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +--- a/include/linux/usb.h ++++ b/include/linux/usb.h +@@ -1987,21 +1987,17 @@ usb_pipe_endpoint(struct usb_device *dev + return eps[usb_pipeendpoint(pipe)]; + } + +-/*-------------------------------------------------------------------------*/ +- +-static inline __u16 +-usb_maxpacket(struct usb_device *udev, int pipe, int is_out) ++static inline u16 usb_maxpacket(struct usb_device *udev, int pipe, ++ /* int is_out deprecated */ ...) + { + struct usb_host_endpoint *ep; + unsigned epnum = usb_pipeendpoint(pipe); + +- if (is_out) { +- WARN_ON(usb_pipein(pipe)); ++ if (usb_pipeout(pipe)) + ep = udev->ep_out[epnum]; +- } else { +- WARN_ON(usb_pipeout(pipe)); ++ else + ep = udev->ep_in[epnum]; +- } ++ + if (!ep) + return 0; + +@@ -2009,8 +2005,6 @@ usb_maxpacket(struct usb_device *udev, i + return usb_endpoint_maxp(&ep->desc); + } + +-/* ----------------------------------------------------------------------- */ +- + /* translate USB error codes to codes user space understands */ + static inline int usb_translate_errors(int error_code) + { -- 2.47.3