From: Greg Kroah-Hartman Date: Sun, 8 Feb 2026 15:02:48 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v5.10.250~19 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1b59cf0d355bf661641a492c65c7c006d58007b2;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: gfs2-fix-null-pointer-dereference-in-gfs2_log_flush.patch gve-correct-ethtool-rx_dropped-calculation.patch gve-fix-stats-report-corruption-on-queue-count-change.patch hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2asc.patch riscv-uprobes-add-missing-fence.i-after-building-the-xol-buffer.patch tracing-fix-ftrace-event-field-alignments.patch --- diff --git a/queue-5.15/gfs2-fix-null-pointer-dereference-in-gfs2_log_flush.patch b/queue-5.15/gfs2-fix-null-pointer-dereference-in-gfs2_log_flush.patch new file mode 100644 index 0000000000..be0cb1c41d --- /dev/null +++ b/queue-5.15/gfs2-fix-null-pointer-dereference-in-gfs2_log_flush.patch @@ -0,0 +1,58 @@ +From 35264909e9d1973ab9aaa2a1b07cda70f12bb828 Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Mon, 11 Mar 2024 15:51:59 +0100 +Subject: gfs2: Fix NULL pointer dereference in gfs2_log_flush + +From: Andreas Gruenbacher + +commit 35264909e9d1973ab9aaa2a1b07cda70f12bb828 upstream. + +In gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush +lock to provide exclusion against gfs2_log_flush(). + +In gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before +dereferencing it. Otherwise, we could run into a NULL pointer +dereference when outstanding glock work races with an unmount +(glock_work_func -> run_queue -> do_xmote -> inode_go_sync -> +gfs2_log_flush). + +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Greg Kroah-Hartman +[ The context change is due to the commit 4d927b03a688 + ("gfs2: Rename gfs2_withdrawn to gfs2_withdrawing_or_withdrawn") in v6.8 + which is irrelevant to the logic of this patch. ] +Signed-off-by: Rahul Sharma +--- +--- + fs/gfs2/log.c | 3 ++- + fs/gfs2/super.c | 4 ++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/gfs2/log.c ++++ b/fs/gfs2/log.c +@@ -1094,7 +1094,8 @@ repeat: + lops_before_commit(sdp, tr); + if (gfs2_withdrawn(sdp)) + goto out_withdraw; +- gfs2_log_submit_bio(&sdp->sd_jdesc->jd_log_bio, REQ_OP_WRITE); ++ if (sdp->sd_jdesc) ++ gfs2_log_submit_bio(&sdp->sd_jdesc->jd_log_bio, REQ_OP_WRITE); + if (gfs2_withdrawn(sdp)) + goto out_withdraw; + +--- a/fs/gfs2/super.c ++++ b/fs/gfs2/super.c +@@ -67,9 +67,13 @@ void gfs2_jindex_free(struct gfs2_sbd *s + sdp->sd_journals = 0; + spin_unlock(&sdp->sd_jindex_spin); + ++ down_write(&sdp->sd_log_flush_lock); + sdp->sd_jdesc = NULL; ++ up_write(&sdp->sd_log_flush_lock); ++ + while (!list_empty(&list)) { + jd = list_first_entry(&list, struct gfs2_jdesc, jd_list); ++ BUG_ON(jd->jd_log_bio); + gfs2_free_journal_extents(jd); + list_del(&jd->jd_list); + iput(jd->jd_inode); diff --git a/queue-5.15/gve-correct-ethtool-rx_dropped-calculation.patch b/queue-5.15/gve-correct-ethtool-rx_dropped-calculation.patch new file mode 100644 index 0000000000..180be2aec1 --- /dev/null +++ b/queue-5.15/gve-correct-ethtool-rx_dropped-calculation.patch @@ -0,0 +1,60 @@ +From stable+bounces-214824-greg=kroah.com@vger.kernel.org Sat Feb 7 20:30:54 2026 +From: Sasha Levin +Date: Sat, 7 Feb 2026 14:30:47 -0500 +Subject: gve: Correct ethtool rx_dropped calculation +To: stable@vger.kernel.org +Cc: Max Yuan , Jordan Rhee , Joshua Washington , Matt Olson , Harshitha Ramamurthy , Jacob Keller , Jakub Kicinski , Sasha Levin +Message-ID: <20260207193047.526604-1-sashal@kernel.org> + +From: Max Yuan + +[ Upstream commit c7db85d579a1dccb624235534508c75fbf2dfe46 ] + +The gve driver's "rx_dropped" statistic, exposed via `ethtool -S`, +incorrectly includes `rx_buf_alloc_fail` counts. These failures +represent an inability to allocate receive buffers, not true packet +drops where a received packet is discarded. This misrepresentation can +lead to inaccurate diagnostics. + +This patch rectifies the ethtool "rx_dropped" calculation. It removes +`rx_buf_alloc_fail` from the total and adds `xdp_tx_errors` and +`xdp_redirect_errors`, which represent legitimate packet drops within +the XDP path. + +Cc: stable@vger.kernel.org +Fixes: 433e274b8f7b ("gve: Add stats for gve.") +Signed-off-by: Max Yuan +Reviewed-by: Jordan Rhee +Reviewed-by: Joshua Washington +Reviewed-by: Matt Olson +Signed-off-by: Harshitha Ramamurthy +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20260202193925.3106272-3-hramamurthy@google.com +Signed-off-by: Jakub Kicinski +[ removed rx_buf_alloc_fail from rx_dropped calculation ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/google/gve/gve_ethtool.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/net/ethernet/google/gve/gve_ethtool.c ++++ b/drivers/net/ethernet/google/gve/gve_ethtool.c +@@ -212,8 +212,7 @@ gve_get_ethtool_stats(struct net_device + data[i++] = rx_bytes; + data[i++] = tx_bytes; + /* total rx dropped packets */ +- data[i++] = rx_skb_alloc_fail + rx_buf_alloc_fail + +- rx_desc_err_dropped_pkt; ++ data[i++] = rx_skb_alloc_fail + rx_desc_err_dropped_pkt; + /* Skip tx_dropped */ + i++; + +@@ -287,7 +286,6 @@ gve_get_ethtool_stats(struct net_device + data[i++] = tmp_rx_bytes; + /* rx dropped packets */ + data[i++] = tmp_rx_skb_alloc_fail + +- tmp_rx_buf_alloc_fail + + tmp_rx_desc_err_dropped_pkt; + data[i++] = rx->rx_copybreak_pkt; + data[i++] = rx->rx_copied_pkt; diff --git a/queue-5.15/gve-fix-stats-report-corruption-on-queue-count-change.patch b/queue-5.15/gve-fix-stats-report-corruption-on-queue-count-change.patch new file mode 100644 index 0000000000..af8d04b335 --- /dev/null +++ b/queue-5.15/gve-fix-stats-report-corruption-on-queue-count-change.patch @@ -0,0 +1,124 @@ +From stable+bounces-214816-greg=kroah.com@vger.kernel.org Sat Feb 7 19:09:38 2026 +From: Sasha Levin +Date: Sat, 7 Feb 2026 13:09:30 -0500 +Subject: gve: Fix stats report corruption on queue count change +To: stable@vger.kernel.org +Cc: Debarghya Kundu , Joshua Washington , Harshitha Ramamurthy , Jacob Keller , Jakub Kicinski , Sasha Levin +Message-ID: <20260207180930.486611-1-sashal@kernel.org> + +From: Debarghya Kundu + +[ Upstream commit 7b9ebcce0296e104a0d82a6b09d68564806158ff ] + +The driver and the NIC share a region in memory for stats reporting. +The NIC calculates its offset into this region based on the total size +of the stats region and the size of the NIC's stats. + +When the number of queues is changed, the driver's stats region is +resized. If the queue count is increased, the NIC can write past +the end of the allocated stats region, causing memory corruption. +If the queue count is decreased, there is a gap between the driver +and NIC stats, leading to incorrect stats reporting. + +This change fixes the issue by allocating stats region with maximum +size, and the offset calculation for NIC stats is changed to match +with the calculation of the NIC. + +Cc: stable@vger.kernel.org +Fixes: 24aeb56f2d38 ("gve: Add Gvnic stats AQ command and ethtool show/set-priv-flags.") +Signed-off-by: Debarghya Kundu +Reviewed-by: Joshua Washington +Signed-off-by: Harshitha Ramamurthy +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20260202193925.3106272-2-hramamurthy@google.com +Signed-off-by: Jakub Kicinski +[ Same changes as 6.1 + context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/google/gve/gve_ethtool.c | 42 +++++++++++++++++--------- + drivers/net/ethernet/google/gve/gve_main.c | 4 +- + 2 files changed, 31 insertions(+), 15 deletions(-) + +--- a/drivers/net/ethernet/google/gve/gve_ethtool.c ++++ b/drivers/net/ethernet/google/gve/gve_ethtool.c +@@ -142,7 +142,8 @@ gve_get_ethtool_stats(struct net_device + tmp_rx_desc_err_dropped_pkt, tmp_tx_pkts, tmp_tx_bytes; + u64 rx_buf_alloc_fail, rx_desc_err_dropped_pkt, rx_pkts, + rx_skb_alloc_fail, rx_bytes, tx_pkts, tx_bytes; +- int stats_idx, base_stats_idx, max_stats_idx; ++ int rx_base_stats_idx, max_rx_stats_idx, max_tx_stats_idx; ++ int stats_idx, stats_region_len, nic_stats_len; + struct stats *report_stats; + int *rx_qid_to_stats_idx; + int *tx_qid_to_stats_idx; +@@ -228,14 +229,33 @@ gve_get_ethtool_stats(struct net_device + data[i++] = priv->stats_report_trigger_cnt; + i = GVE_MAIN_STATS_LEN; + +- /* For rx cross-reporting stats, start from nic rx stats in report */ +- base_stats_idx = GVE_TX_STATS_REPORT_NUM * priv->tx_cfg.num_queues + +- GVE_RX_STATS_REPORT_NUM * priv->rx_cfg.num_queues; +- max_stats_idx = NIC_RX_STATS_REPORT_NUM * priv->rx_cfg.num_queues + +- base_stats_idx; ++ rx_base_stats_idx = 0; ++ max_rx_stats_idx = 0; ++ max_tx_stats_idx = 0; ++ stats_region_len = priv->stats_report_len - ++ sizeof(struct gve_stats_report); ++ nic_stats_len = (NIC_RX_STATS_REPORT_NUM * priv->rx_cfg.num_queues + ++ NIC_TX_STATS_REPORT_NUM * priv->tx_cfg.num_queues) * ++ sizeof(struct stats); ++ if (unlikely((stats_region_len - ++ nic_stats_len) % sizeof(struct stats))) { ++ net_err_ratelimited("Starting index of NIC stats should be multiple of stats size"); ++ } else { ++ /* For rx cross-reporting stats, ++ * start from nic rx stats in report ++ */ ++ rx_base_stats_idx = (stats_region_len - nic_stats_len) / ++ sizeof(struct stats); ++ max_rx_stats_idx = NIC_RX_STATS_REPORT_NUM * ++ priv->rx_cfg.num_queues + ++ rx_base_stats_idx; ++ max_tx_stats_idx = NIC_TX_STATS_REPORT_NUM * ++ priv->tx_cfg.num_queues + ++ max_rx_stats_idx; ++ } + /* Preprocess the stats report for rx, map queue id to start index */ + skip_nic_stats = false; +- for (stats_idx = base_stats_idx; stats_idx < max_stats_idx; ++ for (stats_idx = rx_base_stats_idx; stats_idx < max_rx_stats_idx; + stats_idx += NIC_RX_STATS_REPORT_NUM) { + u32 stat_name = be32_to_cpu(report_stats[stats_idx].stat_name); + u32 queue_id = be32_to_cpu(report_stats[stats_idx].queue_id); +@@ -288,13 +308,9 @@ gve_get_ethtool_stats(struct net_device + i += priv->rx_cfg.num_queues * NUM_GVE_RX_CNTS; + } + +- /* For tx cross-reporting stats, start from nic tx stats in report */ +- base_stats_idx = max_stats_idx; +- max_stats_idx = NIC_TX_STATS_REPORT_NUM * priv->tx_cfg.num_queues + +- max_stats_idx; +- /* Preprocess the stats report for tx, map queue id to start index */ + skip_nic_stats = false; +- for (stats_idx = base_stats_idx; stats_idx < max_stats_idx; ++ /* NIC TX stats start right after NIC RX stats */ ++ for (stats_idx = max_rx_stats_idx; stats_idx < max_tx_stats_idx; + stats_idx += NIC_TX_STATS_REPORT_NUM) { + u32 stat_name = be32_to_cpu(report_stats[stats_idx].stat_name); + u32 queue_id = be32_to_cpu(report_stats[stats_idx].queue_id); +--- a/drivers/net/ethernet/google/gve/gve_main.c ++++ b/drivers/net/ethernet/google/gve/gve_main.c +@@ -135,9 +135,9 @@ static int gve_alloc_stats_report(struct + int tx_stats_num, rx_stats_num; + + tx_stats_num = (GVE_TX_STATS_REPORT_NUM + NIC_TX_STATS_REPORT_NUM) * +- priv->tx_cfg.num_queues; ++ priv->tx_cfg.max_queues; + rx_stats_num = (GVE_RX_STATS_REPORT_NUM + NIC_RX_STATS_REPORT_NUM) * +- priv->rx_cfg.num_queues; ++ priv->rx_cfg.max_queues; + priv->stats_report_len = struct_size(priv->stats_report, stats, + size_add(tx_stats_num, rx_stats_num)); + priv->stats_report = diff --git a/queue-5.15/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2asc.patch b/queue-5.15/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2asc.patch new file mode 100644 index 0000000000..9654a47078 --- /dev/null +++ b/queue-5.15/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2asc.patch @@ -0,0 +1,176 @@ +From bea3e1d4467bcf292c8e54f080353d556d355e26 Mon Sep 17 00:00:00 2001 +From: Kang Chen +Date: Tue, 9 Sep 2025 11:13:16 +0800 +Subject: hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() + +From: Kang Chen + +commit bea3e1d4467bcf292c8e54f080353d556d355e26 upstream. + +BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186 +Read of size 2 at addr ffff8880289ef218 by task syz.6.248/14290 + +CPU: 0 UID: 0 PID: 14290 Comm: syz.6.248 Not tainted 6.16.4 #1 PREEMPT(full) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xca/0x5f0 mm/kasan/report.c:482 + kasan_report+0xca/0x100 mm/kasan/report.c:595 + hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186 + hfsplus_listxattr+0x5b6/0xbd0 fs/hfsplus/xattr.c:738 + vfs_listxattr+0xbe/0x140 fs/xattr.c:493 + listxattr+0xee/0x190 fs/xattr.c:924 + filename_listxattr fs/xattr.c:958 [inline] + path_listxattrat+0x143/0x360 fs/xattr.c:988 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fe0e9fae16d +Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fe0eae67f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3 +RAX: ffffffffffffffda RBX: 00007fe0ea205fa0 RCX: 00007fe0e9fae16d +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000 +RBP: 00007fe0ea0480f0 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007fe0ea206038 R14: 00007fe0ea205fa0 R15: 00007fe0eae48000 + + +Allocated by task 14290: + kasan_save_stack+0x24/0x50 mm/kasan/common.c:47 + kasan_save_track+0x14/0x30 mm/kasan/common.c:68 + poison_kmalloc_redzone mm/kasan/common.c:377 [inline] + __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 + kasan_kmalloc include/linux/kasan.h:260 [inline] + __do_kmalloc_node mm/slub.c:4333 [inline] + __kmalloc_noprof+0x219/0x540 mm/slub.c:4345 + kmalloc_noprof include/linux/slab.h:909 [inline] + hfsplus_find_init+0x95/0x1f0 fs/hfsplus/bfind.c:21 + hfsplus_listxattr+0x331/0xbd0 fs/hfsplus/xattr.c:697 + vfs_listxattr+0xbe/0x140 fs/xattr.c:493 + listxattr+0xee/0x190 fs/xattr.c:924 + filename_listxattr fs/xattr.c:958 [inline] + path_listxattrat+0x143/0x360 fs/xattr.c:988 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +When hfsplus_uni2asc is called from hfsplus_listxattr, +it actually passes in a struct hfsplus_attr_unistr*. +The size of the corresponding structure is different from that of hfsplus_unistr, +so the previous fix (94458781aee6) is insufficient. +The pointer on the unicode buffer is still going beyond the allocated memory. + +This patch introduces two warpper functions hfsplus_uni2asc_xattr_str and +hfsplus_uni2asc_str to process two unicode buffers, +struct hfsplus_attr_unistr* and struct hfsplus_unistr* respectively. +When ustrlen value is bigger than the allocated memory size, +the ustrlen value is limited to an safe size. + +Fixes: 94458781aee6 ("hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()") +Signed-off-by: Kang Chen +Reviewed-by: Viacheslav Dubeyko +Signed-off-by: Viacheslav Dubeyko +Link: https://lore.kernel.org/r/20250909031316.1647094-1-k.chen@smail.nju.edu.cn +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Jianqiang kang +Signed-off-by: Greg Kroah-Hartman +--- + fs/hfsplus/dir.c | 2 +- + fs/hfsplus/hfsplus_fs.h | 8 ++++++-- + fs/hfsplus/unicode.c | 24 +++++++++++++++++++----- + fs/hfsplus/xattr.c | 6 +++--- + 4 files changed, 29 insertions(+), 11 deletions(-) + +--- a/fs/hfsplus/dir.c ++++ b/fs/hfsplus/dir.c +@@ -204,7 +204,7 @@ static int hfsplus_readdir(struct file * + fd.entrylength); + type = be16_to_cpu(entry.type); + len = NLS_MAX_CHARSET_SIZE * HFSPLUS_MAX_STRLEN; +- err = hfsplus_uni2asc(sb, &fd.key->cat.name, strbuf, &len); ++ err = hfsplus_uni2asc_str(sb, &fd.key->cat.name, strbuf, &len); + if (err) + goto out; + if (type == HFSPLUS_FOLDER) { +--- a/fs/hfsplus/hfsplus_fs.h ++++ b/fs/hfsplus/hfsplus_fs.h +@@ -516,8 +516,12 @@ int hfsplus_strcasecmp(const struct hfsp + const struct hfsplus_unistr *s2); + int hfsplus_strcmp(const struct hfsplus_unistr *s1, + const struct hfsplus_unistr *s2); +-int hfsplus_uni2asc(struct super_block *sb, const struct hfsplus_unistr *ustr, +- char *astr, int *len_p); ++int hfsplus_uni2asc_str(struct super_block *sb, ++ const struct hfsplus_unistr *ustr, char *astr, ++ int *len_p); ++int hfsplus_uni2asc_xattr_str(struct super_block *sb, ++ const struct hfsplus_attr_unistr *ustr, ++ char *astr, int *len_p); + int hfsplus_asc2uni(struct super_block *sb, struct hfsplus_unistr *ustr, + int max_unistr_len, const char *astr, int len); + int hfsplus_hash_dentry(const struct dentry *dentry, struct qstr *str); +--- a/fs/hfsplus/unicode.c ++++ b/fs/hfsplus/unicode.c +@@ -143,9 +143,8 @@ static u16 *hfsplus_compose_lookup(u16 * + return NULL; + } + +-int hfsplus_uni2asc(struct super_block *sb, +- const struct hfsplus_unistr *ustr, +- char *astr, int *len_p) ++static int hfsplus_uni2asc(struct super_block *sb, const struct hfsplus_unistr *ustr, ++ int max_len, char *astr, int *len_p) + { + const hfsplus_unichr *ip; + struct nls_table *nls = HFSPLUS_SB(sb)->nls; +@@ -158,8 +157,8 @@ int hfsplus_uni2asc(struct super_block * + ip = ustr->unicode; + + ustrlen = be16_to_cpu(ustr->length); +- if (ustrlen > HFSPLUS_MAX_STRLEN) { +- ustrlen = HFSPLUS_MAX_STRLEN; ++ if (ustrlen > max_len) { ++ ustrlen = max_len; + pr_err("invalid length %u has been corrected to %d\n", + be16_to_cpu(ustr->length), ustrlen); + } +@@ -280,6 +279,21 @@ out: + return res; + } + ++inline int hfsplus_uni2asc_str(struct super_block *sb, ++ const struct hfsplus_unistr *ustr, char *astr, ++ int *len_p) ++{ ++ return hfsplus_uni2asc(sb, ustr, HFSPLUS_MAX_STRLEN, astr, len_p); ++} ++ ++inline int hfsplus_uni2asc_xattr_str(struct super_block *sb, ++ const struct hfsplus_attr_unistr *ustr, ++ char *astr, int *len_p) ++{ ++ return hfsplus_uni2asc(sb, (const struct hfsplus_unistr *)ustr, ++ HFSPLUS_ATTR_MAX_STRLEN, astr, len_p); ++} ++ + /* + * Convert one or more ASCII characters into a single unicode character. + * Returns the number of ASCII characters corresponding to the unicode char. +--- a/fs/hfsplus/xattr.c ++++ b/fs/hfsplus/xattr.c +@@ -737,9 +737,9 @@ ssize_t hfsplus_listxattr(struct dentry + goto end_listxattr; + + xattr_name_len = NLS_MAX_CHARSET_SIZE * HFSPLUS_ATTR_MAX_STRLEN; +- if (hfsplus_uni2asc(inode->i_sb, +- (const struct hfsplus_unistr *)&fd.key->attr.key_name, +- strbuf, &xattr_name_len)) { ++ if (hfsplus_uni2asc_xattr_str(inode->i_sb, ++ &fd.key->attr.key_name, strbuf, ++ &xattr_name_len)) { + pr_err("unicode conversion failed\n"); + res = -EIO; + goto end_listxattr; diff --git a/queue-5.15/riscv-uprobes-add-missing-fence.i-after-building-the-xol-buffer.patch b/queue-5.15/riscv-uprobes-add-missing-fence.i-after-building-the-xol-buffer.patch new file mode 100644 index 0000000000..afb8627617 --- /dev/null +++ b/queue-5.15/riscv-uprobes-add-missing-fence.i-after-building-the-xol-buffer.patch @@ -0,0 +1,57 @@ +From 7d1d19a11cfbfd8bae1d89cc010b2cc397cd0c48 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20T=C3=B6pel?= +Date: Sat, 19 Apr 2025 13:14:00 +0200 +Subject: riscv: uprobes: Add missing fence.i after building the XOL buffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Björn Töpel + +commit 7d1d19a11cfbfd8bae1d89cc010b2cc397cd0c48 upstream. + +The XOL (execute out-of-line) buffer is used to single-step the +replaced instruction(s) for uprobes. The RISC-V port was missing a +proper fence.i (i$ flushing) after constructing the XOL buffer, which +can result in incorrect execution of stale/broken instructions. + +This was found running the BPF selftests "test_progs: +uprobe_autoattach, attach_probe" on the Spacemit K1/X60, where the +uprobes tests randomly blew up. + +Reviewed-by: Guo Ren +Fixes: 74784081aac8 ("riscv: Add uprobes supported") +Signed-off-by: Björn Töpel +Link: https://lore.kernel.org/r/20250419111402.1660267-2-bjorn@kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Rahul Sharma +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kernel/probes/uprobes.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +--- a/arch/riscv/kernel/probes/uprobes.c ++++ b/arch/riscv/kernel/probes/uprobes.c +@@ -161,6 +161,7 @@ void arch_uprobe_copy_ixol(struct page * + /* Initialize the slot */ + void *kaddr = kmap_atomic(page); + void *dst = kaddr + (vaddr & ~PAGE_MASK); ++ unsigned long start = (unsigned long)dst; + + memcpy(dst, src, len); + +@@ -170,13 +171,6 @@ void arch_uprobe_copy_ixol(struct page * + *(uprobe_opcode_t *)dst = __BUG_INSN_32; + } + ++ flush_icache_range(start, start + len); + kunmap_atomic(kaddr); +- +- /* +- * We probably need flush_icache_user_page() but it needs vma. +- * This should work on most of architectures by default. If +- * architecture needs to do something different it can define +- * its own version of the function. +- */ +- flush_dcache_page(page); + } diff --git a/queue-5.15/series b/queue-5.15/series index 5359d04e47..968ee7bf35 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -59,3 +59,9 @@ nvmet-tcp-fix-regression-in-data_digest-calculation.patch nvmet-tcp-don-t-map-pages-which-can-t-come-from-high.patch nvmet-tcp-add-bounds-checks-in-nvmet_tcp_build_pdu_i.patch asoc-amd-fix-memory-leak-in-acp3x-pdm-dma-ops.patch +riscv-uprobes-add-missing-fence.i-after-building-the-xol-buffer.patch +hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2asc.patch +gfs2-fix-null-pointer-dereference-in-gfs2_log_flush.patch +tracing-fix-ftrace-event-field-alignments.patch +gve-fix-stats-report-corruption-on-queue-count-change.patch +gve-correct-ethtool-rx_dropped-calculation.patch diff --git a/queue-5.15/tracing-fix-ftrace-event-field-alignments.patch b/queue-5.15/tracing-fix-ftrace-event-field-alignments.patch new file mode 100644 index 0000000000..de64f0f183 --- /dev/null +++ b/queue-5.15/tracing-fix-ftrace-event-field-alignments.patch @@ -0,0 +1,188 @@ +From stable+bounces-214815-greg=kroah.com@vger.kernel.org Sat Feb 7 18:55:26 2026 +From: Sasha Levin +Date: Sat, 7 Feb 2026 12:55:20 -0500 +Subject: tracing: Fix ftrace event field alignments +To: stable@vger.kernel.org +Cc: Steven Rostedt , Mathieu Desnoyers , Mark Rutland , "Masami Hiramatsu (Google)" , "jempty.liang" , Sasha Levin +Message-ID: <20260207175520.482420-1-sashal@kernel.org> + +From: Steven Rostedt + +[ Upstream commit 033c55fe2e326bea022c3cc5178ecf3e0e459b82 ] + +The fields of ftrace specific events (events used to save ftrace internal +events like function traces and trace_printk) are generated similarly to +how normal trace event fields are generated. That is, the fields are added +to a trace_events_fields array that saves the name, offset, size, +alignment and signness of the field. It is used to produce the output in +the format file in tracefs so that tooling knows how to parse the binary +data of the trace events. + +The issue is that some of the ftrace event structures are packed. The +function graph exit event structures are one of them. The 64 bit calltime +and rettime fields end up 4 byte aligned, but the algorithm to show to +userspace shows them as 8 byte aligned. + +The macros that create the ftrace events has one for embedded structure +fields. There's two macros for theses fields: + + __field_desc() and __field_packed() + +The difference of the latter macro is that it treats the field as packed. + +Rename that field to __field_desc_packed() and create replace the +__field_packed() to be a normal field that is packed and have the calltime +and rettime use those. + +This showed up on 32bit architectures for function graph time fields. It +had: + + ~# cat /sys/kernel/tracing/events/ftrace/funcgraph_exit/format +[..] + field:unsigned long func; offset:8; size:4; signed:0; + field:unsigned int depth; offset:12; size:4; signed:0; + field:unsigned int overrun; offset:16; size:4; signed:0; + field:unsigned long long calltime; offset:24; size:8; signed:0; + field:unsigned long long rettime; offset:32; size:8; signed:0; + +Notice that overrun is at offset 16 with size 4, where in the structure +calltime is at offset 20 (16 + 4), but it shows the offset at 24. That's +because it used the alignment of unsigned long long when used as a +declaration and not as a member of a structure where it would be aligned +by word size (in this case 4). + +By using the proper structure alignment, the format has it at the correct +offset: + + ~# cat /sys/kernel/tracing/events/ftrace/funcgraph_exit/format +[..] + field:unsigned long func; offset:8; size:4; signed:0; + field:unsigned int depth; offset:12; size:4; signed:0; + field:unsigned int overrun; offset:16; size:4; signed:0; + field:unsigned long long calltime; offset:20; size:8; signed:0; + field:unsigned long long rettime; offset:28; size:8; signed:0; + +Cc: stable@vger.kernel.org +Cc: Mathieu Desnoyers +Cc: Mark Rutland +Acked-by: Masami Hiramatsu (Google) +Reported-by: "jempty.liang" +Link: https://patch.msgid.link/20260204113628.53faec78@gandalf.local.home +Fixes: 04ae87a52074e ("ftrace: Rework event_create_dir()") +Closes: https://lore.kernel.org/all/20260130015740.212343-1-imntjempty@163.com/ +Closes: https://lore.kernel.org/all/20260202123342.2544795-1-imntjempty@163.com/ +Signed-off-by: Steven Rostedt (Google) +[ Context / renames ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace.h | 7 +++++-- + kernel/trace/trace_entries.h | 14 +++++++------- + kernel/trace/trace_export.c | 21 +++++++++++++++------ + 3 files changed, 27 insertions(+), 15 deletions(-) + +--- a/kernel/trace/trace.h ++++ b/kernel/trace/trace.h +@@ -65,14 +65,17 @@ enum trace_type { + #undef __field_fn + #define __field_fn(type, item) type item; + ++#undef __field_packed ++#define __field_packed(type, item) type item; ++ + #undef __field_struct + #define __field_struct(type, item) __field(type, item) + + #undef __field_desc + #define __field_desc(type, container, item) + +-#undef __field_packed +-#define __field_packed(type, container, item) ++#undef __field_desc_packed ++#define __field_desc_packed(type, container, item) + + #undef __array + #define __array(type, item, size) type item[size]; +--- a/kernel/trace/trace_entries.h ++++ b/kernel/trace/trace_entries.h +@@ -78,8 +78,8 @@ FTRACE_ENTRY_PACKED(funcgraph_entry, ftr + + F_STRUCT( + __field_struct( struct ftrace_graph_ent, graph_ent ) +- __field_packed( unsigned long, graph_ent, func ) +- __field_packed( int, graph_ent, depth ) ++ __field_desc_packed( unsigned long, graph_ent, func ) ++ __field_desc_packed( int, graph_ent, depth ) + ), + + F_printk("--> %ps (%d)", (void *)__entry->func, __entry->depth) +@@ -92,11 +92,11 @@ FTRACE_ENTRY_PACKED(funcgraph_exit, ftra + + F_STRUCT( + __field_struct( struct ftrace_graph_ret, ret ) +- __field_packed( unsigned long, ret, func ) +- __field_packed( int, ret, depth ) +- __field_packed( unsigned int, ret, overrun ) +- __field_packed( unsigned long long, ret, calltime) +- __field_packed( unsigned long long, ret, rettime ) ++ __field_desc_packed( unsigned long, ret, func ) ++ __field_desc_packed( int, ret, depth ) ++ __field_desc_packed( unsigned int, ret, overrun ) ++ __field_desc_packed( unsigned long long, ret, calltime) ++ __field_desc_packed( unsigned long long, ret, rettime ) + ), + + F_printk("<-- %ps (%d) (start: %llx end: %llx) over: %d", +--- a/kernel/trace/trace_export.c ++++ b/kernel/trace/trace_export.c +@@ -42,11 +42,14 @@ static int ftrace_event_register(struct + #undef __field_fn + #define __field_fn(type, item) type item; + ++#undef __field_packed ++#define __field_packed(type, item) type item; ++ + #undef __field_desc + #define __field_desc(type, container, item) type item; + +-#undef __field_packed +-#define __field_packed(type, container, item) type item; ++#undef __field_desc_packed ++#define __field_desc_packed(type, container, item) type item; + + #undef __array + #define __array(type, item, size) type item[size]; +@@ -101,11 +104,14 @@ static void __always_unused ____ftrace_c + #undef __field_fn + #define __field_fn(_type, _item) __field_ext(_type, _item, FILTER_TRACE_FN) + ++#undef __field_packed ++#define __field_packed(_type, _item) __field_ext_packed(_type, _item, FILTER_OTHER) ++ + #undef __field_desc + #define __field_desc(_type, _container, _item) __field_ext(_type, _item, FILTER_OTHER) + +-#undef __field_packed +-#define __field_packed(_type, _container, _item) __field_ext_packed(_type, _item, FILTER_OTHER) ++#undef __field_desc_packed ++#define __field_desc_packed(_type, _container, _item) __field_ext_packed(_type, _item, FILTER_OTHER) + + #undef __array + #define __array(_type, _item, _len) { \ +@@ -139,11 +145,14 @@ static struct trace_event_fields ftrace_ + #undef __field_fn + #define __field_fn(type, item) + ++#undef __field_packed ++#define __field_packed(type, item) ++ + #undef __field_desc + #define __field_desc(type, container, item) + +-#undef __field_packed +-#define __field_packed(type, container, item) ++#undef __field_desc_packed ++#define __field_desc_packed(type, container, item) + + #undef __array + #define __array(type, item, len)