From: Greg Kroah-Hartman
Date: Tue, 15 Jul 2025 12:00:45 +0000 (+0200)
Subject: 6.12-stable patches
X-Git-Tag: v5.4.296~19
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=36273172d8b0bcf25538134fbb6c4554f2e4ef53;p=thirdparty%2Fkernel%2Fstable-queue.git
6.12-stable patches
added patches:
kasan-remove-kasan_find_vm_area-to-prevent-possible-deadlock.patch
ksmbd-fix-potential-use-after-free-in-oplock-lease-break-ack.patch
net-wangxun-revert-the-adjustment-of-the-irq-vector-sequence.patch
---
diff --git a/queue-6.12/kasan-remove-kasan_find_vm_area-to-prevent-possible-deadlock.patch b/queue-6.12/kasan-remove-kasan_find_vm_area-to-prevent-possible-deadlock.patch
new file mode 100644
index 0000000000..83a15cf05b
--- /dev/null
+++ b/queue-6.12/kasan-remove-kasan_find_vm_area-to-prevent-possible-deadlock.patch
@@ -0,0 +1,71 @@
+From 6ee9b3d84775944fb8c8a447961cd01274ac671c Mon Sep 17 00:00:00 2001
+From: Yeoreum Yun
+Date: Thu, 3 Jul 2025 19:10:18 +0100
+Subject: kasan: remove kasan_find_vm_area() to prevent possible deadlock
+
+From: Yeoreum Yun
+
+commit 6ee9b3d84775944fb8c8a447961cd01274ac671c upstream.
+
+find_vm_area() couldn't be called in atomic_context. If find_vm_area() is
+called to reports vm area information, kasan can trigger deadlock like:
+
+CPU0 CPU1
+vmalloc();
+ alloc_vmap_area();
+ spin_lock(&vn->busy.lock)
+ spin_lock_bh(&some_lock);
+
+
+ spin_lock(&some_lock);
+
+ kasan_report();
+ print_report();
+ print_address_description();
+ kasan_find_vm_area();
+ find_vm_area();
+ spin_lock(&vn->busy.lock) // deadlock!
+
+To prevent possible deadlock while kasan reports, remove kasan_find_vm_area().
+
+Link: https://lkml.kernel.org/r/20250703181018.580833-1-yeoreum.yun@arm.com
+Fixes: c056a364e954 ("kasan: print virtual mapping info in reports")
+Signed-off-by: Yeoreum Yun
+Reported-by: Yunseong Kim
+Reviewed-by: Andrey Ryabinin
+Cc: Alexander Potapenko
+Cc: Andrey Konovalov
+Cc: Byungchul Park
+Cc: Dmitriy Vyukov
+Cc: Sebastian Andrzej Siewior
+Cc: Steven Rostedt
+Cc: Vincenzo Frascino
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/kasan/report.c | 13 ++-----------
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+--- a/mm/kasan/report.c
++++ b/mm/kasan/report.c
+@@ -398,17 +398,8 @@ static void print_address_description(vo
+ }
+
+ if (is_vmalloc_addr(addr)) {
+- struct vm_struct *va = find_vm_area(addr);
+-
+- if (va) {
+- pr_err("The buggy address belongs to the virtual mapping at\n"
+- " [%px, %px) created by:\n"
+- " %pS\n",
+- va->addr, va->addr + va->size, va->caller);
+- pr_err("\n");
+-
+- page = vmalloc_to_page(addr);
+- }
++ pr_err("The buggy address %px belongs to a vmalloc virtual mapping\n", addr);
++ page = vmalloc_to_page(addr);
+ }
+
+ if (page) {
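Review bot: The replacement `pr_err()` in print_address_description() carries no comment saying why the vm area is no longer looked up, so a later change could reintroduce find_vm_area() here to recover the mapping range and caller. The commit message gives the reason: find_vm_area() takes `vn->busy.lock`, and a KASAN report can be raised in atomic context while the interrupted vmalloc() path already holds that lock. I would add above the new line `/* Do not call find_vm_area() here: it takes vn->busy.lock and a report may be raised in atomic context (deadlock). */`. The report now prints only the faulting address via `%px`, so the mapping bounds and the allocating caller have to be recovered by other means during triage. print_address_description() starts and ends outside the hunk.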
diff --git a/queue-6.12/ksmbd-fix-potential-use-after-free-in-oplock-lease-break-ack.patch b/queue-6.12/ksmbd-fix-potential-use-after-free-in-oplock-lease-break-ack.patch
new file mode 100644
index 0000000000..72e7f0c6d2
--- /dev/null
+++ b/queue-6.12/ksmbd-fix-potential-use-after-free-in-oplock-lease-break-ack.patch
@@ -0,0 +1,90 @@
+From 50f930db22365738d9387c974416f38a06e8057e Mon Sep 17 00:00:00 2001
+From: Namjae Jeon
+Date: Tue, 8 Jul 2025 07:47:40 +0900
+Subject: ksmbd: fix potential use-after-free in oplock/lease break ack
+
+From: Namjae Jeon
+
+commit 50f930db22365738d9387c974416f38a06e8057e upstream.
+
+If ksmbd_iov_pin_rsp return error, use-after-free can happen by
+accessing opinfo->state and opinfo_put and ksmbd_fd_put could
+called twice.
+
+Reported-by: Ziyan Xu
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/smb2pdu.c | 29 +++++++++--------------------
+ 1 file changed, 9 insertions(+), 20 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -8517,11 +8517,6 @@ static void smb20_oplock_break_ack(struc
+ goto err_out;
+ }
+
+- opinfo->op_state = OPLOCK_STATE_NONE;
+- wake_up_interruptible_all(&opinfo->oplock_q);
+- opinfo_put(opinfo);
+- ksmbd_fd_put(work, fp);
+-
+ rsp->StructureSize = cpu_to_le16(24);
+ rsp->OplockLevel = rsp_oplevel;
+ rsp->Reserved = 0;
+@@ -8529,16 +8524,15 @@ static void smb20_oplock_break_ack(struc
+ rsp->VolatileFid = volatile_id;
+ rsp->PersistentFid = persistent_id;
+ ret = ksmbd_iov_pin_rsp(work, rsp, sizeof(struct smb2_oplock_break));
+- if (!ret)
+- return;
+-
++ if (ret) {
+ err_out:
++ smb2_set_err_rsp(work);
++ }
++
+ opinfo->op_state = OPLOCK_STATE_NONE;
+ wake_up_interruptible_all(&opinfo->oplock_q);
+-
+ opinfo_put(opinfo);
+ ksmbd_fd_put(work, fp);
+- smb2_set_err_rsp(work);
+ }
+
+ static int check_lease_state(struct lease *lease, __le32 req_state)
+@@ -8668,11 +8662,6 @@ static void smb21_lease_break_ack(struct
+ }
+
+ lease_state = lease->state;
+- opinfo->op_state = OPLOCK_STATE_NONE;
+- wake_up_interruptible_all(&opinfo->oplock_q);
+- atomic_dec(&opinfo->breaking_cnt);
+- wake_up_interruptible_all(&opinfo->oplock_brk);
+- opinfo_put(opinfo);
+
+ rsp->StructureSize = cpu_to_le16(36);
+ rsp->Reserved = 0;
+@@ -8681,16 +8670,16 @@ static void smb21_lease_break_ack(struct
+ rsp->LeaseState = lease_state;
+ rsp->LeaseDuration = 0;
+ ret = ksmbd_iov_pin_rsp(work, rsp, sizeof(struct smb2_lease_ack));
+- if (!ret)
+- return;
+-
++ if (ret) {
+ err_out:
++ smb2_set_err_rsp(work);
++ }
++
++ opinfo->op_state = OPLOCK_STATE_NONE;
+ wake_up_interruptible_all(&opinfo->oplock_q);
+ atomic_dec(&opinfo->breaking_cnt);
+ wake_up_interruptible_all(&opinfo->oplock_brk);
+-
+ opinfo_put(opinfo);
+- smb2_set_err_rsp(work);
+ }
+
+ /**
diff --git a/queue-6.12/net-wangxun-revert-the-adjustment-of-the-irq-vector-sequence.patch b/queue-6.12/net-wangxun-revert-the-adjustment-of-the-irq-vector-sequence.patch
new file mode 100644
index 0000000000..f46a4b0557
--- /dev/null
+++ b/queue-6.12/net-wangxun-revert-the-adjustment-of-the-irq-vector-sequence.patch
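Review bot: In both smb20_oplock_break_ack() and smb21_lease_break_ack() the `err_out:` label now sits inside the `if (ret) { ... }` body, so every earlier `goto err_out` jumps into the middle of a conditional block. That is valid C and gives the single release path the fix needs, but a reader can easily take `smb2_set_err_rsp(work)` to run only when ksmbd_iov_pin_rsp() fails. A short comment at the label, for example `/* reached on pin failure and via goto err_out from the checks above */`, would make the control flow explicit; keeping the label at function scope and branching over the error response on success is the other option. Because the point of the fix is that `opinfo` and `fp` are released exactly once and never touched afterwards, it is also worth stating in a comment that `opinfo_put()` and `ksmbd_fd_put()` must stay the last statements. Both functions start outside the hunks shown, so the earlier `goto` sites and how `opinfo` and `fp` are acquired are not visible here.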
@@ -0,0 +1,162 @@
+From e37546ad1f9b2c777d3a21d7e50ce265ee3dece8 Mon Sep 17 00:00:00 2001
+From: Jiawen Wu
+Date: Tue, 1 Jul 2025 14:30:29 +0800
+Subject: net: wangxun: revert the adjustment of the IRQ vector sequence
+
+From: Jiawen Wu
+
+commit e37546ad1f9b2c777d3a21d7e50ce265ee3dece8 upstream.
+
+Due to hardware limitations of NGBE, queue IRQs can only be requested
+on vector 0 to 7. When the number of queues is set to the maximum 8,
+the PCI IRQ vectors are allocated from 0 to 8. The vector 0 is used by
+MISC interrupt, and althrough the vector 8 is used by queue interrupt,
+it is unable to receive packets. This will cause some packets to be
+dropped when RSS is enabled and they are assigned to queue 8.
+
+So revert the adjustment of the MISC IRQ location, to make it be the
+last one in IRQ vectors.
+
+Fixes: 937d46ecc5f9 ("net: wangxun: add ethtool_ops for channel number")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiawen Wu
+Reviewed-by: Larysa Zaremba
+Link: https://patch.msgid.link/20250701063030.59340-3-jiawenwu@trustnetic.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/wangxun/libwx/wx_lib.c | 16 ++++++++--------
+ drivers/net/ethernet/wangxun/libwx/wx_type.h | 2 +-
+ drivers/net/ethernet/wangxun/ngbe/ngbe_main.c | 2 +-
+ drivers/net/ethernet/wangxun/ngbe/ngbe_type.h | 2 +-
+ drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c | 4 ++--
+ drivers/net/ethernet/wangxun/txgbe/txgbe_type.h | 4 ++--
+ 6 files changed, 15 insertions(+), 15 deletions(-)
+
+--- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c
++++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c
+@@ -1624,7 +1624,7 @@ static void wx_set_num_queues(struct wx
+ */
+ static int wx_acquire_msix_vectors(struct wx *wx)
+ {
+- struct irq_affinity affd = { .pre_vectors = 1 };
++ struct irq_affinity affd = { .post_vectors = 1 };
+ int nvecs, i;
+
+ /* We start by asking for one vector per queue pair */
+@@ -1661,16 +1661,17 @@ static int wx_acquire_msix_vectors(struc
+ return nvecs;
+ }
+
+- wx->msix_entry->entry = 0;
+- wx->msix_entry->vector = pci_irq_vector(wx->pdev, 0);
+ nvecs -= 1;
+ for (i = 0; i < nvecs; i++) {
+ wx->msix_q_entries[i].entry = i;
+- wx->msix_q_entries[i].vector = pci_irq_vector(wx->pdev, i + 1);
++ wx->msix_q_entries[i].vector = pci_irq_vector(wx->pdev, i);
+ }
+
+ wx->num_q_vectors = nvecs;
+
++ wx->msix_entry->entry = nvecs;
++ wx->msix_entry->vector = pci_irq_vector(wx->pdev, nvecs);
++
+ return 0;
+ }
+
+@@ -2120,7 +2121,6 @@ static void wx_set_ivar(struct wx *wx, s
+ wr32(wx, WX_PX_MISC_IVAR, ivar);
+ } else {
+ /* tx or rx causes */
+- msix_vector += 1; /* offset for queue vectors */
+ msix_vector |= WX_PX_IVAR_ALLOC_VAL;
+ index = ((16 * (queue & 1)) + (8 * direction));
+ ivar = rd32(wx, WX_PX_IVAR(queue >> 1));
+@@ -2151,7 +2151,7 @@ void wx_write_eitr(struct wx_q_vector *q
+
+ itr_reg |= WX_PX_ITR_CNT_WDIS;
+
+- wr32(wx, WX_PX_ITR(v_idx + 1), itr_reg);
++ wr32(wx, WX_PX_ITR(v_idx), itr_reg);
+ }
+
+ /**
+@@ -2197,9 +2197,9 @@ void wx_configure_vectors(struct wx *wx)
+ wx_write_eitr(q_vector);
+ }
+
+- wx_set_ivar(wx, -1, 0, 0);
++ wx_set_ivar(wx, -1, 0, v_idx);
+ if (pdev->msix_enabled)
+- wr32(wx, WX_PX_ITR(0), 1950);
++ wr32(wx, WX_PX_ITR(v_idx), 1950);
+ }
+ EXPORT_SYMBOL(wx_configure_vectors);
+
+--- a/drivers/net/ethernet/wangxun/libwx/wx_type.h
++++ b/drivers/net/ethernet/wangxun/libwx/wx_type.h
+@@ -1136,7 +1136,7 @@ struct wx {
+ };
+
+ #define WX_INTR_ALL (~0ULL)
+-#define WX_INTR_Q(i) BIT((i) + 1)
++#define WX_INTR_Q(i) BIT((i))
+
+ /* register operations */
+ #define wr32(a, reg, value) writel((value), ((a)->hw_addr + (reg)))
+--- a/drivers/net/ethernet/wangxun/ngbe/ngbe_main.c
++++ b/drivers/net/ethernet/wangxun/ngbe/ngbe_main.c
+@@ -154,7 +154,7 @@ static void ngbe_irq_enable(struct wx *w
+ if (queues)
+ wx_intr_enable(wx, NGBE_INTR_ALL);
+ else
+- wx_intr_enable(wx, NGBE_INTR_MISC);
++ wx_intr_enable(wx, NGBE_INTR_MISC(wx));
+ }
+
+ /**
+--- a/drivers/net/ethernet/wangxun/ngbe/ngbe_type.h
++++ b/drivers/net/ethernet/wangxun/ngbe/ngbe_type.h
+@@ -80,7 +80,7 @@
+ NGBE_PX_MISC_IEN_GPIO)
+
+ #define NGBE_INTR_ALL 0x1FF
+-#define NGBE_INTR_MISC BIT(0)
++#define NGBE_INTR_MISC(A) BIT((A)->num_q_vectors)
+
+ #define NGBE_PHY_CONFIG(reg_offset) (0x14000 + ((reg_offset) * 4))
+ #define NGBE_CFG_LAN_SPEED 0x14440
+--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c
++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c
+@@ -21,7 +21,7 @@ void txgbe_irq_enable(struct wx *wx, boo
+ wr32(wx, WX_PX_MISC_IEN, TXGBE_PX_MISC_IEN_MASK);
+
+ /* unmask interrupt */
+- wx_intr_enable(wx, TXGBE_INTR_MISC);
++ wx_intr_enable(wx, TXGBE_INTR_MISC(wx));
+ if (queues)
+ wx_intr_enable(wx, TXGBE_INTR_QALL(wx));
+ }
+@@ -147,7 +147,7 @@ static irqreturn_t txgbe_misc_irq_thread
+ nhandled++;
+ }
+
+- wx_intr_enable(wx, TXGBE_INTR_MISC);
++ wx_intr_enable(wx, TXGBE_INTR_MISC(wx));
+ return (nhandled > 0 ? IRQ_HANDLED : IRQ_NONE);
+ }
+
+--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h
++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_type.h
+@@ -264,8 +264,8 @@ struct txgbe_fdir_filter {
+ #define TXGBE_DEFAULT_RX_WORK 128
+ #endif
+
+-#define TXGBE_INTR_MISC BIT(0)
+-#define TXGBE_INTR_QALL(A) GENMASK((A)->num_q_vectors, 1)
++#define TXGBE_INTR_MISC(A) BIT((A)->num_q_vectors)
++#define TXGBE_INTR_QALL(A) (TXGBE_INTR_MISC(A) - 1)
+
+ #define TXGBE_MAX_EITR GENMASK(11, 3)
+
diff --git a/queue-6.12/series b/queue-6.12/series
index fcd4547e7b..67d4036e04 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
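Review bot: `NGBE_INTR_MISC(A)` and `TXGBE_INTR_MISC(A)` are now `BIT((A)->num_q_vectors)` and `WX_INTR_Q(i)` is `BIT((i))`, so the shift count is a runtime value while `BIT()` yields an `unsigned long`. `WX_INTR_ALL` is defined as `(~0ULL)`, which suggests the interrupt mask is meant to be 64 bits wide; if `num_q_vectors` can reach 32 or more on a build where `unsigned long` is 32 bits, the shift is undefined and the MISC bit would not be unmasked. If that configuration is possible, `BIT_ULL((A)->num_q_vectors)` and `BIT_ULL((i))` are the safer definitions, and `TXGBE_INTR_QALL(A)` would inherit the 64-bit type from `TXGBE_INTR_MISC(A) - 1`. The upper bound of `num_q_vectors` is not visible in these hunks, so this needs checking against the txgbe queue limits.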
@@ -157,3 +157,6 @@ hid-quirks-add-quirk-for-2-chicony-electronics-hp-5m.patch
 hid-nintendo-avoid-bluetooth-suspend-resume-stalls.patch
 selftests-bpf-adapt-one-more-case-in-test_lru_map-to-the-new-target_free.patch
 erofs-fix-rare-pcluster-memory-leak-after-unmounting.patch
+net-wangxun-revert-the-adjustment-of-the-irq-vector-sequence.patch
+kasan-remove-kasan_find_vm_area-to-prevent-possible-deadlock.patch
+ksmbd-fix-potential-use-after-free-in-oplock-lease-break-ack.patch