From: Greg Kroah-Hartman Date: Thu, 16 Oct 2025 13:25:49 +0000 (+0200) Subject: 6.17-stable patches X-Git-Tag: v5.15.195~60 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=44a2491115b2fca5b2ce66cf0fb1a2588858a021;p=thirdparty%2Fkernel%2Fstable-queue.git 6.17-stable patches added patches: mm-damon-lru_sort-use-param_ctx-for-damon_attrs-staging.patch mm-damon-vaddr-do-not-repeat-pte_offset_map_lock-until-success.patch mm-hugetlb-early-exit-from-hugetlb_pages_alloc_boot-when-max_huge_pages-0.patch mm-page_alloc-only-set-alloc_highatomic-for-__gpf_high-allocations.patch mm-rmap-fix-soft-dirty-and-uffd-wp-bit-loss-when-remapping-zero-filled-mthp-subpage-to-shared-zeropage.patch mm-thp-fix-mte-tag-mismatch-when-replacing-zero-filled-subpages.patch mptcp-pm-in-kernel-usable-client-side-with-c-flag.patch mptcp-reset-blackhole-on-success-with-non-loopback-ifaces.patch nfsd-decouple-the-xprtsec-policy-check-from-check_nfsd_access.patch nfsd-fix-destination-buffer-size-in-nfsd4_ssc_setup_dul.patch nfsd-nfserr_jukebox-in-nlm_fopen-should-lead-to-a-retry.patch s390-add-wno-pointer-sign-to-kbuild_cflags_decompressor.patch s390-cio-ioasm-fix-__xsch-condition-code-handling.patch s390-dasd-enforce-dma_alignment-to-ensure-proper-buffer-validation.patch s390-dasd-return-blk_sts_inval-for-einval-from-do_dasd_request.patch selftests-mptcp-join-validate-c-flag-def-limit.patch slab-mark-slab-obj_exts-allocation-failures-unconditionally.patch slab-prevent-warnings-when-slab-obj_exts-vector-allocation-fails.patch wifi-ath11k-hal-srng-don-t-deinitialize-and-re-initialize-again.patch wifi-iwlwifi-fix-dentry-reference-leak-in-iwl_mld_add_link_debugfs.patch wifi-mt76-mt7921u-add-vid-pid-for-netgear-a7500.patch wifi-mt76-mt7925u-add-vid-pid-for-netgear-a9000.patch wifi-rtw89-avoid-possible-tx-wait-initialization-race.patch --- diff --git a/queue-6.17/mm-damon-lru_sort-use-param_ctx-for-damon_attrs-staging.patch b/queue-6.17/mm-damon-lru_sort-use-param_ctx-for-damon_attrs-staging.patch new file mode 100644 index 0000000000..7db04f64e6 --- /dev/null +++ b/queue-6.17/mm-damon-lru_sort-use-param_ctx-for-damon_attrs-staging.patch @@ -0,0 +1,40 @@ +From e18190b7e97e9db6546390e6e0ceddae606892b2 Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Mon, 15 Sep 2025 20:15:49 -0700 +Subject: mm/damon/lru_sort: use param_ctx for damon_attrs staging + +From: SeongJae Park + +commit e18190b7e97e9db6546390e6e0ceddae606892b2 upstream. + +damon_lru_sort_apply_parameters() allocates a new DAMON context, stages +user-specified DAMON parameters on it, and commits to running DAMON +context at once, using damon_commit_ctx(). The code is, however, directly +updating the monitoring attributes of the running context. And the +attributes are over-written by later damon_commit_ctx() call. This means +that the monitoring attributes parameters are not really working. Fix the +wrong use of the parameter context. + +Link: https://lkml.kernel.org/r/20250916031549.115326-1-sj@kernel.org +Fixes: a30969436428 ("mm/damon/lru_sort: use damon_commit_ctx()") +Signed-off-by: SeongJae Park +Reviewed-by: Joshua Hahn +Cc: Joshua Hahn +Cc: [6.11+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/lru_sort.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/damon/lru_sort.c ++++ b/mm/damon/lru_sort.c +@@ -203,7 +203,7 @@ static int damon_lru_sort_apply_paramete + goto out; + } + +- err = damon_set_attrs(ctx, &damon_lru_sort_mon_attrs); ++ err = damon_set_attrs(param_ctx, &damon_lru_sort_mon_attrs); + if (err) + goto out; + diff --git a/queue-6.17/mm-damon-vaddr-do-not-repeat-pte_offset_map_lock-until-success.patch b/queue-6.17/mm-damon-vaddr-do-not-repeat-pte_offset_map_lock-until-success.patch new file mode 100644 index 0000000000..2ea3ad5144 --- /dev/null +++ b/queue-6.17/mm-damon-vaddr-do-not-repeat-pte_offset_map_lock-until-success.patch @@ -0,0 +1,64 @@ +From b93af2cc8e036754c0d9970d9ddc47f43cc94b9f Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Mon, 29 Sep 2025 17:44:09 -0700 +Subject: mm/damon/vaddr: do not repeat pte_offset_map_lock() until success + +From: SeongJae Park + +commit b93af2cc8e036754c0d9970d9ddc47f43cc94b9f upstream. + +DAMON's virtual address space operation set implementation (vaddr) calls +pte_offset_map_lock() inside the page table walk callback function. This +is for reading and writing page table accessed bits. If +pte_offset_map_lock() fails, it retries by returning the page table walk +callback function with ACTION_AGAIN. + +pte_offset_map_lock() can continuously fail if the target is a pmd +migration entry, though. Hence it could cause an infinite page table walk +if the migration cannot be done until the page table walk is finished. +This indeed caused a soft lockup when CPU hotplugging and DAMON were +running in parallel. + +Avoid the infinite loop by simply not retrying the page table walk. DAMON +is promising only a best-effort accuracy, so missing access to such pages +is no problem. + +Link: https://lkml.kernel.org/r/20250930004410.55228-1-sj@kernel.org +Fixes: 7780d04046a2 ("mm/pagewalkers: ACTION_AGAIN if pte_offset_map_lock() fails") +Signed-off-by: SeongJae Park +Reported-by: Xinyu Zheng +Closes: https://lore.kernel.org/20250918030029.2652607-1-zhengxinyu6@huawei.com +Acked-by: Hugh Dickins +Cc: [6.5+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/vaddr.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/mm/damon/vaddr.c ++++ b/mm/damon/vaddr.c +@@ -328,10 +328,8 @@ static int damon_mkold_pmd_entry(pmd_t * + } + + pte = pte_offset_map_lock(walk->mm, pmd, addr, &ptl); +- if (!pte) { +- walk->action = ACTION_AGAIN; ++ if (!pte) + return 0; +- } + if (!pte_present(ptep_get(pte))) + goto out; + damon_ptep_mkold(pte, walk->vma, addr); +@@ -481,10 +479,8 @@ regular_page: + #endif /* CONFIG_TRANSPARENT_HUGEPAGE */ + + pte = pte_offset_map_lock(walk->mm, pmd, addr, &ptl); +- if (!pte) { +- walk->action = ACTION_AGAIN; ++ if (!pte) + return 0; +- } + ptent = ptep_get(pte); + if (!pte_present(ptent)) + goto out; diff --git a/queue-6.17/mm-hugetlb-early-exit-from-hugetlb_pages_alloc_boot-when-max_huge_pages-0.patch b/queue-6.17/mm-hugetlb-early-exit-from-hugetlb_pages_alloc_boot-when-max_huge_pages-0.patch new file mode 100644 index 0000000000..8a78fdffdd --- /dev/null +++ b/queue-6.17/mm-hugetlb-early-exit-from-hugetlb_pages_alloc_boot-when-max_huge_pages-0.patch @@ -0,0 +1,41 @@ +From b322e88b3d553e85b4e15779491c70022783faa4 Mon Sep 17 00:00:00 2001 +From: Li RongQing +Date: Thu, 14 Aug 2025 18:23:33 +0800 +Subject: mm/hugetlb: early exit from hugetlb_pages_alloc_boot() when max_huge_pages=0 + +From: Li RongQing + +commit b322e88b3d553e85b4e15779491c70022783faa4 upstream. + +Optimize hugetlb_pages_alloc_boot() to return immediately when +max_huge_pages is 0, avoiding unnecessary CPU cycles and the below log +message when hugepages aren't configured in the kernel command line. +[ 3.702280] HugeTLB: allocation took 0ms with hugepage_allocation_threads=32 + +Link: https://lkml.kernel.org/r/20250814102333.4428-1-lirongqing@baidu.com +Signed-off-by: Li RongQing +Reviewed-by: Dev Jain +Tested-by: Dev Jain +Reviewed-by: Jane Chu +Acked-by: David Hildenbrand +Cc: Muchun Song +Cc: Oscar Salvador +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/hugetlb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -3654,6 +3654,9 @@ static void __init hugetlb_hstate_alloc_ + return; + } + ++ if (!h->max_huge_pages) ++ return; ++ + /* do node specific alloc */ + if (hugetlb_hstate_alloc_pages_specific_nodes(h)) + return; diff --git a/queue-6.17/mm-page_alloc-only-set-alloc_highatomic-for-__gpf_high-allocations.patch b/queue-6.17/mm-page_alloc-only-set-alloc_highatomic-for-__gpf_high-allocations.patch new file mode 100644 index 0000000000..39fb77d876 --- /dev/null +++ b/queue-6.17/mm-page_alloc-only-set-alloc_highatomic-for-__gpf_high-allocations.patch @@ -0,0 +1,73 @@ +From 6a204d4b14c99232e05d35305c27ebce1c009840 Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Thu, 14 Aug 2025 14:22:45 -0300 +Subject: mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations + +From: Thadeu Lima de Souza Cascardo + +commit 6a204d4b14c99232e05d35305c27ebce1c009840 upstream. + +Commit 524c48072e56 ("mm/page_alloc: rename ALLOC_HIGH to +ALLOC_MIN_RESERVE") is the start of a series that explains how __GFP_HIGH, +which implies ALLOC_MIN_RESERVE, is going to be used instead of +__GFP_ATOMIC for high atomic reserves. + +Commit eb2e2b425c69 ("mm/page_alloc: explicitly record high-order atomic +allocations in alloc_flags") introduced ALLOC_HIGHATOMIC for such +allocations of order higher than 0. It still used __GFP_ATOMIC, though. + +Then, commit 1ebbb21811b7 ("mm/page_alloc: explicitly define how +__GFP_HIGH non-blocking allocations accesses reserves") just turned that +check for !__GFP_DIRECT_RECLAIM, ignoring that high atomic reserves were +expected to test for __GFP_HIGH. + +This leads to high atomic reserves being added for high-order GFP_NOWAIT +allocations and others that clear __GFP_DIRECT_RECLAIM, which is +unexpected. Later, those reserves lead to 0-order allocations going to +the slow path and starting reclaim. + +From /proc/pagetypeinfo, without the patch: + +Node 0, zone DMA, type HighAtomic 0 0 0 0 0 0 0 0 0 0 0 +Node 0, zone DMA32, type HighAtomic 1 8 10 9 7 3 0 0 0 0 0 +Node 0, zone Normal, type HighAtomic 64 20 12 5 0 0 0 0 0 0 0 + +With the patch: + +Node 0, zone DMA, type HighAtomic 0 0 0 0 0 0 0 0 0 0 0 +Node 0, zone DMA32, type HighAtomic 0 0 0 0 0 0 0 0 0 0 0 +Node 0, zone Normal, type HighAtomic 0 0 0 0 0 0 0 0 0 0 0 + +Link: https://lkml.kernel.org/r/20250814172245.1259625-1-cascardo@igalia.com +Fixes: 1ebbb21811b7 ("mm/page_alloc: explicitly define how __GFP_HIGH non-blocking allocations accesses reserves") +Signed-off-by: Thadeu Lima de Souza Cascardo +Tested-by: Helen Koike +Reviewed-by: Vlastimil Babka +Tested-by: Sergey Senozhatsky +Acked-by: Michal Hocko +Cc: Mel Gorman +Cc: Matthew Wilcox +Cc: NeilBrown +Cc: Thierry Reding +Cc: Brendan Jackman +Cc: Johannes Weiner +Cc: Suren Baghdasaryan +Cc: Zi Yan +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/page_alloc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -4408,7 +4408,7 @@ gfp_to_alloc_flags(gfp_t gfp_mask, unsig + if (!(gfp_mask & __GFP_NOMEMALLOC)) { + alloc_flags |= ALLOC_NON_BLOCK; + +- if (order > 0) ++ if (order > 0 && (alloc_flags & ALLOC_MIN_RESERVE)) + alloc_flags |= ALLOC_HIGHATOMIC; + } + diff --git a/queue-6.17/mm-rmap-fix-soft-dirty-and-uffd-wp-bit-loss-when-remapping-zero-filled-mthp-subpage-to-shared-zeropage.patch b/queue-6.17/mm-rmap-fix-soft-dirty-and-uffd-wp-bit-loss-when-remapping-zero-filled-mthp-subpage-to-shared-zeropage.patch new file mode 100644 index 0000000000..29e28baba5 --- /dev/null +++ b/queue-6.17/mm-rmap-fix-soft-dirty-and-uffd-wp-bit-loss-when-remapping-zero-filled-mthp-subpage-to-shared-zeropage.patch @@ -0,0 +1,110 @@ +From 9658d698a8a83540bf6a6c80d13c9a61590ee985 Mon Sep 17 00:00:00 2001 +From: Lance Yang +Date: Tue, 30 Sep 2025 16:10:40 +0800 +Subject: mm/rmap: fix soft-dirty and uffd-wp bit loss when remapping zero-filled mTHP subpage to shared zeropage + +From: Lance Yang + +commit 9658d698a8a83540bf6a6c80d13c9a61590ee985 upstream. + +When splitting an mTHP and replacing a zero-filled subpage with the shared +zeropage, try_to_map_unused_to_zeropage() currently drops several +important PTE bits. + +For userspace tools like CRIU, which rely on the soft-dirty mechanism for +incremental snapshots, losing the soft-dirty bit means modified pages are +missed, leading to inconsistent memory state after restore. + +As pointed out by David, the more critical uffd-wp bit is also dropped. +This breaks the userfaultfd write-protection mechanism, causing writes to +be silently missed by monitoring applications, which can lead to data +corruption. + +Preserve both the soft-dirty and uffd-wp bits from the old PTE when +creating the new zeropage mapping to ensure they are correctly tracked. + +Link: https://lkml.kernel.org/r/20250930081040.80926-1-lance.yang@linux.dev +Fixes: b1f202060afe ("mm: remap unused subpages to shared zeropage when splitting isolated thp") +Signed-off-by: Lance Yang +Suggested-by: David Hildenbrand +Suggested-by: Dev Jain +Acked-by: David Hildenbrand +Reviewed-by: Dev Jain +Acked-by: Zi Yan +Reviewed-by: Liam R. Howlett +Reviewed-by: Harry Yoo +Cc: Alistair Popple +Cc: Baolin Wang +Cc: Barry Song +Cc: Byungchul Park +Cc: Gregory Price +Cc: "Huang, Ying" +Cc: Jann Horn +Cc: Joshua Hahn +Cc: Lorenzo Stoakes +Cc: Mariano Pache +Cc: Mathew Brost +Cc: Peter Xu +Cc: Rakie Kim +Cc: Rik van Riel +Cc: Ryan Roberts +Cc: Usama Arif +Cc: Vlastimil Babka +Cc: Yu Zhao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/migrate.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -297,8 +297,7 @@ bool isolate_folio_to_list(struct folio + } + + static bool try_to_map_unused_to_zeropage(struct page_vma_mapped_walk *pvmw, +- struct folio *folio, +- unsigned long idx) ++ struct folio *folio, pte_t old_pte, unsigned long idx) + { + struct page *page = folio_page(folio, idx); + pte_t newpte; +@@ -307,7 +306,7 @@ static bool try_to_map_unused_to_zeropag + return false; + VM_BUG_ON_PAGE(!PageAnon(page), page); + VM_BUG_ON_PAGE(!PageLocked(page), page); +- VM_BUG_ON_PAGE(pte_present(ptep_get(pvmw->pte)), page); ++ VM_BUG_ON_PAGE(pte_present(old_pte), page); + + if (folio_test_mlocked(folio) || (pvmw->vma->vm_flags & VM_LOCKED) || + mm_forbids_zeropage(pvmw->vma->vm_mm)) +@@ -323,6 +322,12 @@ static bool try_to_map_unused_to_zeropag + + newpte = pte_mkspecial(pfn_pte(my_zero_pfn(pvmw->address), + pvmw->vma->vm_page_prot)); ++ ++ if (pte_swp_soft_dirty(old_pte)) ++ newpte = pte_mksoft_dirty(newpte); ++ if (pte_swp_uffd_wp(old_pte)) ++ newpte = pte_mkuffd_wp(newpte); ++ + set_pte_at(pvmw->vma->vm_mm, pvmw->address, pvmw->pte, newpte); + + dec_mm_counter(pvmw->vma->vm_mm, mm_counter(folio)); +@@ -365,13 +370,13 @@ static bool remove_migration_pte(struct + continue; + } + #endif ++ old_pte = ptep_get(pvmw.pte); + if (rmap_walk_arg->map_unused_to_zeropage && +- try_to_map_unused_to_zeropage(&pvmw, folio, idx)) ++ try_to_map_unused_to_zeropage(&pvmw, folio, old_pte, idx)) + continue; + + folio_get(folio); + pte = mk_pte(new, READ_ONCE(vma->vm_page_prot)); +- old_pte = ptep_get(pvmw.pte); + + entry = pte_to_swp_entry(old_pte); + if (!is_migration_entry_young(entry)) diff --git a/queue-6.17/mm-thp-fix-mte-tag-mismatch-when-replacing-zero-filled-subpages.patch b/queue-6.17/mm-thp-fix-mte-tag-mismatch-when-replacing-zero-filled-subpages.patch new file mode 100644 index 0000000000..d1de60b5de --- /dev/null +++ b/queue-6.17/mm-thp-fix-mte-tag-mismatch-when-replacing-zero-filled-subpages.patch @@ -0,0 +1,145 @@ +From 1ce6473d17e78e3cb9a40147658231731a551828 Mon Sep 17 00:00:00 2001 +From: Lance Yang +Date: Mon, 22 Sep 2025 10:14:58 +0800 +Subject: mm/thp: fix MTE tag mismatch when replacing zero-filled subpages + +From: Lance Yang + +commit 1ce6473d17e78e3cb9a40147658231731a551828 upstream. + +When both THP and MTE are enabled, splitting a THP and replacing its +zero-filled subpages with the shared zeropage can cause MTE tag mismatch +faults in userspace. + +Remapping zero-filled subpages to the shared zeropage is unsafe, as the +zeropage has a fixed tag of zero, which may not match the tag expected by +the userspace pointer. + +KSM already avoids this problem by using memcmp_pages(), which on arm64 +intentionally reports MTE-tagged pages as non-identical to prevent unsafe +merging. + +As suggested by David[1], this patch adopts the same pattern, replacing the +memchr_inv() byte-level check with a call to pages_identical(). This +leverages existing architecture-specific logic to determine if a page is +truly identical to the shared zeropage. + +Having both the THP shrinker and KSM rely on pages_identical() makes the +design more future-proof, IMO. Instead of handling quirks in generic code, +we just let the architecture decide what makes two pages identical. + +[1] https://lore.kernel.org/all/ca2106a3-4bb2-4457-81af-301fd99fbef4@redhat.com + +Link: https://lkml.kernel.org/r/20250922021458.68123-1-lance.yang@linux.dev +Fixes: b1f202060afe ("mm: remap unused subpages to shared zeropage when splitting isolated thp") +Signed-off-by: Lance Yang +Reported-by: Qun-wei Lin +Closes: https://lore.kernel.org/all/a7944523fcc3634607691c35311a5d59d1a3f8d4.camel@mediatek.com +Suggested-by: David Hildenbrand +Acked-by: Zi Yan +Acked-by: David Hildenbrand +Acked-by: Usama Arif +Reviewed-by: Catalin Marinas +Reviewed-by: Wei Yang +Cc: Alistair Popple +Cc: andrew.yang +Cc: Baolin Wang +Cc: Barry Song +Cc: Byungchul Park +Cc: Charlie Jenkins +Cc: Chinwen Chang +Cc: Dev Jain +Cc: Domenico Cerasuolo +Cc: Gregory Price +Cc: "Huang, Ying" +Cc: Hugh Dickins +Cc: Johannes Weiner +Cc: Joshua Hahn +Cc: Kairui Song +Cc: Kalesh Singh +Cc: Liam Howlett +Cc: Lorenzo Stoakes +Cc: Mariano Pache +Cc: Mathew Brost +Cc: Matthew Wilcox (Oracle) +Cc: Mike Rapoport +Cc: Palmer Dabbelt +Cc: Rakie Kim +Cc: Rik van Riel +Cc: Roman Gushchin +Cc: Ryan Roberts +Cc: Samuel Holland +Cc: Shakeel Butt +Cc: Suren Baghdasaryan +Cc: Yu Zhao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/huge_memory.c | 15 +++------------ + mm/migrate.c | 8 +------- + 2 files changed, 4 insertions(+), 19 deletions(-) + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -4115,32 +4115,23 @@ static unsigned long deferred_split_coun + static bool thp_underused(struct folio *folio) + { + int num_zero_pages = 0, num_filled_pages = 0; +- void *kaddr; + int i; + + if (khugepaged_max_ptes_none == HPAGE_PMD_NR - 1) + return false; + + for (i = 0; i < folio_nr_pages(folio); i++) { +- kaddr = kmap_local_folio(folio, i * PAGE_SIZE); +- if (!memchr_inv(kaddr, 0, PAGE_SIZE)) { +- num_zero_pages++; +- if (num_zero_pages > khugepaged_max_ptes_none) { +- kunmap_local(kaddr); ++ if (pages_identical(folio_page(folio, i), ZERO_PAGE(0))) { ++ if (++num_zero_pages > khugepaged_max_ptes_none) + return true; +- } + } else { + /* + * Another path for early exit once the number + * of non-zero filled pages exceeds threshold. + */ +- num_filled_pages++; +- if (num_filled_pages >= HPAGE_PMD_NR - khugepaged_max_ptes_none) { +- kunmap_local(kaddr); ++ if (++num_filled_pages >= HPAGE_PMD_NR - khugepaged_max_ptes_none) + return false; +- } + } +- kunmap_local(kaddr); + } + return false; + } +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -301,9 +301,7 @@ static bool try_to_map_unused_to_zeropag + unsigned long idx) + { + struct page *page = folio_page(folio, idx); +- bool contains_data; + pte_t newpte; +- void *addr; + + if (PageCompound(page)) + return false; +@@ -320,11 +318,7 @@ static bool try_to_map_unused_to_zeropag + * this subpage has been non present. If the subpage is only zero-filled + * then map it to the shared zeropage. + */ +- addr = kmap_local_page(page); +- contains_data = memchr_inv(addr, 0, PAGE_SIZE); +- kunmap_local(addr); +- +- if (contains_data) ++ if (!pages_identical(page, ZERO_PAGE(0))) + return false; + + newpte = pte_mkspecial(pfn_pte(my_zero_pfn(pvmw->address), diff --git a/queue-6.17/mptcp-pm-in-kernel-usable-client-side-with-c-flag.patch b/queue-6.17/mptcp-pm-in-kernel-usable-client-side-with-c-flag.patch new file mode 100644 index 0000000000..7117bc4c28 --- /dev/null +++ b/queue-6.17/mptcp-pm-in-kernel-usable-client-side-with-c-flag.patch @@ -0,0 +1,164 @@ +From 4b1ff850e0c1aacc23e923ed22989b827b9808f9 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Thu, 25 Sep 2025 12:32:36 +0200 +Subject: mptcp: pm: in-kernel: usable client side with C-flag + +From: Matthieu Baerts (NGI0) + +commit 4b1ff850e0c1aacc23e923ed22989b827b9808f9 upstream. + +When servers set the C-flag in their MP_CAPABLE to tell clients not to +create subflows to the initial address and port, clients will likely not +use their other endpoints. That's because the in-kernel path-manager +uses the 'subflow' endpoints to create subflows only to the initial +address and port. + +If the limits have not been modified to accept ADD_ADDR, the client +doesn't try to establish new subflows. If the limits accept ADD_ADDR, +the routing routes will be used to select the source IP. + +The C-flag is typically set when the server is operating behind a legacy +Layer 4 load balancer, or using anycast IP address. Clients having their +different 'subflow' endpoints setup, don't end up creating multiple +subflows as expected, and causing some deployment issues. + +A special case is then added here: when servers set the C-flag in the +MPC and directly sends an ADD_ADDR, this single ADD_ADDR is accepted. +The 'subflows' endpoints will then be used with this new remote IP and +port. This exception is only allowed when the ADD_ADDR is sent +immediately after the 3WHS, and makes the client switching to the 'fully +established' mode. After that, 'select_local_address()' will not be able +to find any subflows, because 'id_avail_bitmap' will be filled in +mptcp_pm_create_subflow_or_signal_addr(), when switching to 'fully +established' mode. + +Fixes: df377be38725 ("mptcp: add deny_join_id0 in mptcp_options_received") +Cc: stable@vger.kernel.org +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/536 +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250925-net-next-mptcp-c-flag-laminar-v1-1-ad126cc47c6b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm.c | 7 +++++-- + net/mptcp/pm_kernel.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++++- + net/mptcp/protocol.h | 8 ++++++++ + 3 files changed, 62 insertions(+), 3 deletions(-) + +--- a/net/mptcp/pm.c ++++ b/net/mptcp/pm.c +@@ -617,9 +617,12 @@ void mptcp_pm_add_addr_received(const st + } else { + __MPTCP_INC_STATS(sock_net((struct sock *)msk), MPTCP_MIB_ADDADDRDROP); + } +- /* id0 should not have a different address */ ++ /* - id0 should not have a different address ++ * - special case for C-flag: linked to fill_local_addresses_vec() ++ */ + } else if ((addr->id == 0 && !mptcp_pm_is_init_remote_addr(msk, addr)) || +- (addr->id > 0 && !READ_ONCE(pm->accept_addr))) { ++ (addr->id > 0 && !READ_ONCE(pm->accept_addr) && ++ !mptcp_pm_add_addr_c_flag_case(msk))) { + mptcp_pm_announce_addr(msk, addr, true); + mptcp_pm_add_addr_send_ack(msk); + } else if (mptcp_pm_schedule_work(msk, MPTCP_PM_ADD_ADDR_RECEIVED)) { +--- a/net/mptcp/pm_kernel.c ++++ b/net/mptcp/pm_kernel.c +@@ -389,10 +389,12 @@ static unsigned int fill_local_addresses + struct mptcp_addr_info mpc_addr; + struct pm_nl_pernet *pernet; + unsigned int subflows_max; ++ bool c_flag_case; + int i = 0; + + pernet = pm_nl_get_pernet_from_msk(msk); + subflows_max = mptcp_pm_get_subflows_max(msk); ++ c_flag_case = remote->id && mptcp_pm_add_addr_c_flag_case(msk); + + mptcp_local_address((struct sock_common *)msk, &mpc_addr); + +@@ -405,12 +407,27 @@ static unsigned int fill_local_addresses + continue; + + if (msk->pm.subflows < subflows_max) { ++ bool is_id0; ++ + locals[i].addr = entry->addr; + locals[i].flags = entry->flags; + locals[i].ifindex = entry->ifindex; + ++ is_id0 = mptcp_addresses_equal(&locals[i].addr, ++ &mpc_addr, ++ locals[i].addr.port); ++ ++ if (c_flag_case && ++ (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW)) { ++ __clear_bit(locals[i].addr.id, ++ msk->pm.id_avail_bitmap); ++ ++ if (!is_id0) ++ msk->pm.local_addr_used++; ++ } ++ + /* Special case for ID0: set the correct ID */ +- if (mptcp_addresses_equal(&locals[i].addr, &mpc_addr, locals[i].addr.port)) ++ if (is_id0) + locals[i].addr.id = 0; + + msk->pm.subflows++; +@@ -419,6 +436,37 @@ static unsigned int fill_local_addresses + } + rcu_read_unlock(); + ++ /* Special case: peer sets the C flag, accept one ADD_ADDR if default ++ * limits are used -- accepting no ADD_ADDR -- and use subflow endpoints ++ */ ++ if (!i && c_flag_case) { ++ unsigned int local_addr_max = mptcp_pm_get_local_addr_max(msk); ++ ++ while (msk->pm.local_addr_used < local_addr_max && ++ msk->pm.subflows < subflows_max) { ++ struct mptcp_pm_local *local = &locals[i]; ++ ++ if (!select_local_address(pernet, msk, local)) ++ break; ++ ++ __clear_bit(local->addr.id, msk->pm.id_avail_bitmap); ++ ++ if (!mptcp_pm_addr_families_match(sk, &local->addr, ++ remote)) ++ continue; ++ ++ if (mptcp_addresses_equal(&local->addr, &mpc_addr, ++ local->addr.port)) ++ continue; ++ ++ msk->pm.local_addr_used++; ++ msk->pm.subflows++; ++ i++; ++ } ++ ++ return i; ++ } ++ + /* If the array is empty, fill in the single + * 'IPADDRANY' local address + */ +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -1201,6 +1201,14 @@ static inline void mptcp_pm_close_subflo + spin_unlock_bh(&msk->pm.lock); + } + ++static inline bool mptcp_pm_add_addr_c_flag_case(struct mptcp_sock *msk) ++{ ++ return READ_ONCE(msk->pm.remote_deny_join_id0) && ++ msk->pm.local_addr_used == 0 && ++ mptcp_pm_get_add_addr_accept_max(msk) == 0 && ++ msk->pm.subflows < mptcp_pm_get_subflows_max(msk); ++} ++ + void mptcp_sockopt_sync_locked(struct mptcp_sock *msk, struct sock *ssk); + + static inline struct mptcp_ext *mptcp_get_ext(const struct sk_buff *skb) diff --git a/queue-6.17/mptcp-reset-blackhole-on-success-with-non-loopback-ifaces.patch b/queue-6.17/mptcp-reset-blackhole-on-success-with-non-loopback-ifaces.patch new file mode 100644 index 0000000000..d3fd2f51b7 --- /dev/null +++ b/queue-6.17/mptcp-reset-blackhole-on-success-with-non-loopback-ifaces.patch @@ -0,0 +1,48 @@ +From 833d4313bc1e9e194814917d23e8874d6b651649 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Thu, 18 Sep 2025 10:50:18 +0200 +Subject: mptcp: reset blackhole on success with non-loopback ifaces + +From: Matthieu Baerts (NGI0) + +commit 833d4313bc1e9e194814917d23e8874d6b651649 upstream. + +When a first MPTCP connection gets successfully established after a +blackhole period, 'active_disable_times' was supposed to be reset when +this connection was done via any non-loopback interfaces. + +Unfortunately, the opposite condition was checked: only reset when the +connection was established via a loopback interface. Fixing this by +simply looking at the opposite. + +This is similar to what is done with TCP FastOpen, see +tcp_fastopen_active_disable_ofo_check(). + +This patch is a follow-up of a previous discussion linked to commit +893c49a78d9f ("mptcp: Use __sk_dst_get() and dst_dev_rcu() in +mptcp_active_enable()."), see [1]. + +Fixes: 27069e7cb3d1 ("mptcp: disable active MPTCP in case of blackhole") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/4209a283-8822-47bd-95b7-87e96d9b7ea3@kernel.org [1] +Signed-off-by: Matthieu Baerts (NGI0) +Reviewed-by: Simon Horman +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250918-net-next-mptcp-blackhole-reset-loopback-v1-1-bf5818326639@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/ctrl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mptcp/ctrl.c ++++ b/net/mptcp/ctrl.c +@@ -507,7 +507,7 @@ void mptcp_active_enable(struct sock *sk + rcu_read_lock(); + dst = __sk_dst_get(sk); + dev = dst ? dst_dev_rcu(dst) : NULL; +- if (dev && (dev->flags & IFF_LOOPBACK)) ++ if (!(dev && (dev->flags & IFF_LOOPBACK))) + atomic_set(&pernet->active_disable_times, 0); + rcu_read_unlock(); + } diff --git a/queue-6.17/nfsd-decouple-the-xprtsec-policy-check-from-check_nfsd_access.patch b/queue-6.17/nfsd-decouple-the-xprtsec-policy-check-from-check_nfsd_access.patch new file mode 100644 index 0000000000..eebf0d36e0 --- /dev/null +++ b/queue-6.17/nfsd-decouple-the-xprtsec-policy-check-from-check_nfsd_access.patch @@ -0,0 +1,222 @@ +From e4f574ca9c6dfa66695bb054ff5df43ecea873ec Mon Sep 17 00:00:00 2001 +From: Scott Mayhew +Date: Wed, 6 Aug 2025 15:15:43 -0400 +Subject: nfsd: decouple the xprtsec policy check from check_nfsd_access() + +From: Scott Mayhew + +commit e4f574ca9c6dfa66695bb054ff5df43ecea873ec upstream. + +A while back I had reported that an NFSv3 client could successfully +mount using '-o xprtsec=none' an export that had been exported with +'xprtsec=tls:mtls'. By "successfully" I mean that the mount command +would succeed and the mount would show up in /proc/mount. Attempting +to do anything futher with the mount would be met with NFS3ERR_ACCES. + +This was fixed (albeit accidentally) by commit bb4f07f2409c ("nfsd: +Fix NFSD_MAY_BYPASS_GSS and NFSD_MAY_BYPASS_GSS_ON_ROOT") and was +subsequently re-broken by commit 0813c5f01249 ("nfsd: fix access +checking for NLM under XPRTSEC policies"). + +Transport Layer Security isn't an RPC security flavor or pseudo-flavor, +so we shouldn't be conflating them when determining whether the access +checks can be bypassed. Split check_nfsd_access() into two helpers, and +have __fh_verify() call the helpers directly since __fh_verify() has +logic that allows one or both of the checks to be skipped. All other +sites will continue to call check_nfsd_access(). + +Link: https://lore.kernel.org/linux-nfs/ZjO3Qwf_G87yNXb2@aion/ +Fixes: 9280c5774314 ("NFSD: Handle new xprtsec= export option") +Cc: stable@vger.kernel.org +Signed-off-by: Scott Mayhew +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/export.c | 82 ++++++++++++++++++++++++++++++++++++++----------------- + fs/nfsd/export.h | 3 ++ + fs/nfsd/nfsfh.c | 24 +++++++++++++++- + 3 files changed, 83 insertions(+), 26 deletions(-) + +--- a/fs/nfsd/export.c ++++ b/fs/nfsd/export.c +@@ -1082,50 +1082,62 @@ static struct svc_export *exp_find(struc + } + + /** +- * check_nfsd_access - check if access to export is allowed. ++ * check_xprtsec_policy - check if access to export is allowed by the ++ * xprtsec policy + * @exp: svc_export that is being accessed. +- * @rqstp: svc_rqst attempting to access @exp (will be NULL for LOCALIO). +- * @may_bypass_gss: reduce strictness of authorization check ++ * @rqstp: svc_rqst attempting to access @exp. ++ * ++ * Helper function for check_nfsd_access(). Note that callers should be ++ * using check_nfsd_access() instead of calling this function directly. The ++ * one exception is __fh_verify() since it has logic that may result in one ++ * or both of the helpers being skipped. + * + * Return values: + * %nfs_ok if access is granted, or + * %nfserr_wrongsec if access is denied + */ +-__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp, +- bool may_bypass_gss) ++__be32 check_xprtsec_policy(struct svc_export *exp, struct svc_rqst *rqstp) + { +- struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors; +- struct svc_xprt *xprt; +- +- /* +- * If rqstp is NULL, this is a LOCALIO request which will only +- * ever use a filehandle/credential pair for which access has +- * been affirmed (by ACCESS or OPEN NFS requests) over the +- * wire. So there is no need for further checks here. +- */ +- if (!rqstp) +- return nfs_ok; +- +- xprt = rqstp->rq_xprt; ++ struct svc_xprt *xprt = rqstp->rq_xprt; + + if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_NONE) { + if (!test_bit(XPT_TLS_SESSION, &xprt->xpt_flags)) +- goto ok; ++ return nfs_ok; + } + if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_TLS) { + if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) && + !test_bit(XPT_PEER_AUTH, &xprt->xpt_flags)) +- goto ok; ++ return nfs_ok; + } + if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_MTLS) { + if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) && + test_bit(XPT_PEER_AUTH, &xprt->xpt_flags)) +- goto ok; ++ return nfs_ok; + } +- if (!may_bypass_gss) +- goto denied; ++ return nfserr_wrongsec; ++} ++ ++/** ++ * check_security_flavor - check if access to export is allowed by the ++ * security flavor ++ * @exp: svc_export that is being accessed. ++ * @rqstp: svc_rqst attempting to access @exp. ++ * @may_bypass_gss: reduce strictness of authorization check ++ * ++ * Helper function for check_nfsd_access(). Note that callers should be ++ * using check_nfsd_access() instead of calling this function directly. The ++ * one exception is __fh_verify() since it has logic that may result in one ++ * or both of the helpers being skipped. ++ * ++ * Return values: ++ * %nfs_ok if access is granted, or ++ * %nfserr_wrongsec if access is denied ++ */ ++__be32 check_security_flavor(struct svc_export *exp, struct svc_rqst *rqstp, ++ bool may_bypass_gss) ++{ ++ struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors; + +-ok: + /* legacy gss-only clients are always OK: */ + if (exp->ex_client == rqstp->rq_gssclient) + return nfs_ok; +@@ -1167,10 +1179,30 @@ ok: + } + } + +-denied: + return nfserr_wrongsec; + } + ++/** ++ * check_nfsd_access - check if access to export is allowed. ++ * @exp: svc_export that is being accessed. ++ * @rqstp: svc_rqst attempting to access @exp. ++ * @may_bypass_gss: reduce strictness of authorization check ++ * ++ * Return values: ++ * %nfs_ok if access is granted, or ++ * %nfserr_wrongsec if access is denied ++ */ ++__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp, ++ bool may_bypass_gss) ++{ ++ __be32 status; ++ ++ status = check_xprtsec_policy(exp, rqstp); ++ if (status != nfs_ok) ++ return status; ++ return check_security_flavor(exp, rqstp, may_bypass_gss); ++} ++ + /* + * Uses rq_client and rq_gssclient to find an export; uses rq_client (an + * auth_unix client) if it's available and has secinfo information; +--- a/fs/nfsd/export.h ++++ b/fs/nfsd/export.h +@@ -101,6 +101,9 @@ struct svc_expkey { + + struct svc_cred; + int nfsexp_flags(struct svc_cred *cred, struct svc_export *exp); ++__be32 check_xprtsec_policy(struct svc_export *exp, struct svc_rqst *rqstp); ++__be32 check_security_flavor(struct svc_export *exp, struct svc_rqst *rqstp, ++ bool may_bypass_gss); + __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp, + bool may_bypass_gss); + +--- a/fs/nfsd/nfsfh.c ++++ b/fs/nfsd/nfsfh.c +@@ -364,10 +364,30 @@ __fh_verify(struct svc_rqst *rqstp, + if (error) + goto out; + ++ /* ++ * If rqstp is NULL, this is a LOCALIO request which will only ++ * ever use a filehandle/credential pair for which access has ++ * been affirmed (by ACCESS or OPEN NFS requests) over the ++ * wire. Skip both the xprtsec policy and the security flavor ++ * checks. ++ */ ++ if (!rqstp) ++ goto check_permissions; ++ + if ((access & NFSD_MAY_NLM) && (exp->ex_flags & NFSEXP_NOAUTHNLM)) + /* NLM is allowed to fully bypass authentication */ + goto out; + ++ /* ++ * NLM is allowed to bypass the xprtsec policy check because lockd ++ * doesn't support xprtsec. ++ */ ++ if (!(access & NFSD_MAY_NLM)) { ++ error = check_xprtsec_policy(exp, rqstp); ++ if (error) ++ goto out; ++ } ++ + if (access & NFSD_MAY_BYPASS_GSS) + may_bypass_gss = true; + /* +@@ -379,13 +399,15 @@ __fh_verify(struct svc_rqst *rqstp, + && exp->ex_path.dentry == dentry) + may_bypass_gss = true; + +- error = check_nfsd_access(exp, rqstp, may_bypass_gss); ++ error = check_security_flavor(exp, rqstp, may_bypass_gss); + if (error) + goto out; ++ + /* During LOCALIO call to fh_verify will be called with a NULL rqstp */ + if (rqstp) + svc_xprt_set_valid(rqstp->rq_xprt); + ++check_permissions: + /* Finally, check access permissions. */ + error = nfsd_permission(cred, exp, dentry, access); + out: diff --git a/queue-6.17/nfsd-fix-destination-buffer-size-in-nfsd4_ssc_setup_dul.patch b/queue-6.17/nfsd-fix-destination-buffer-size-in-nfsd4_ssc_setup_dul.patch new file mode 100644 index 0000000000..7aa04f2b12 --- /dev/null +++ b/queue-6.17/nfsd-fix-destination-buffer-size-in-nfsd4_ssc_setup_dul.patch @@ -0,0 +1,41 @@ +From ab1c282c010c4f327bd7addc3c0035fd8e3c1721 Mon Sep 17 00:00:00 2001 +From: Thorsten Blum +Date: Wed, 6 Aug 2025 03:10:01 +0200 +Subject: NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul() + +From: Thorsten Blum + +commit ab1c282c010c4f327bd7addc3c0035fd8e3c1721 upstream. + +Commit 5304877936c0 ("NFSD: Fix strncpy() fortify warning") replaced +strncpy(,, sizeof(..)) with strlcpy(,, sizeof(..) - 1), but strlcpy() +already guaranteed NUL-termination of the destination buffer and +subtracting one byte potentially truncated the source string. + +The incorrect size was then carried over in commit 72f78ae00a8e ("NFSD: +move from strlcpy with unused retval to strscpy") when switching from +strlcpy() to strscpy(). + +Fix this off-by-one error by using the full size of the destination +buffer again. + +Cc: stable@vger.kernel.org +Fixes: 5304877936c0 ("NFSD: Fix strncpy() fortify warning") +Signed-off-by: Thorsten Blum +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1498,7 +1498,7 @@ try_again: + return 0; + } + if (work) { +- strscpy(work->nsui_ipaddr, ipaddr, sizeof(work->nsui_ipaddr) - 1); ++ strscpy(work->nsui_ipaddr, ipaddr, sizeof(work->nsui_ipaddr)); + refcount_set(&work->nsui_refcnt, 2); + work->nsui_busy = true; + list_add_tail(&work->nsui_list, &nn->nfsd_ssc_mount_list); diff --git a/queue-6.17/nfsd-nfserr_jukebox-in-nlm_fopen-should-lead-to-a-retry.patch b/queue-6.17/nfsd-nfserr_jukebox-in-nlm_fopen-should-lead-to-a-retry.patch new file mode 100644 index 0000000000..22fb085b35 --- /dev/null +++ b/queue-6.17/nfsd-nfserr_jukebox-in-nlm_fopen-should-lead-to-a-retry.patch @@ -0,0 +1,50 @@ +From a082e4b4d08a4a0e656d90c2c05da85f23e6d0c9 Mon Sep 17 00:00:00 2001 +From: Olga Kornievskaia +Date: Thu, 21 Aug 2025 16:31:46 -0400 +Subject: nfsd: nfserr_jukebox in nlm_fopen should lead to a retry + +From: Olga Kornievskaia + +commit a082e4b4d08a4a0e656d90c2c05da85f23e6d0c9 upstream. + +When v3 NLM request finds a conflicting delegation, it triggers +a delegation recall and nfsd_open fails with EAGAIN. nfsd_open +then translates EAGAIN into nfserr_jukebox. In nlm_fopen, instead +of returning nlm_failed for when there is a conflicting delegation, +drop this NLM request so that the client retries. Once delegation +is recalled and if a local lock is claimed, a retry would lead to +nfsd returning a nlm_lck_blocked error or a successful nlm lock. + +Fixes: d343fce148a4 ("[PATCH] knfsd: Allow lockd to drop replies as appropriate") +Cc: stable@vger.kernel.org # v6.6 +Signed-off-by: Olga Kornievskaia +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/lockd.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/fs/nfsd/lockd.c ++++ b/fs/nfsd/lockd.c +@@ -57,6 +57,21 @@ nlm_fopen(struct svc_rqst *rqstp, struct + switch (nfserr) { + case nfs_ok: + return 0; ++ case nfserr_jukebox: ++ /* this error can indicate a presence of a conflicting ++ * delegation to an NLM lock request. Options are: ++ * (1) For now, drop this request and make the client ++ * retry. When delegation is returned, client's lock retry ++ * will complete. ++ * (2) NLM4_DENIED as per "spec" signals to the client ++ * that the lock is unavailable now but client can retry. ++ * Linux client implementation does not. It treats ++ * NLM4_DENIED same as NLM4_FAILED and errors the request. ++ * (3) For the future, treat this as blocked lock and try ++ * to callback when the delegation is returned but might ++ * not have a proper lock request to block on. ++ */ ++ fallthrough; + case nfserr_dropit: + return nlm_drop_reply; + case nfserr_stale: diff --git a/queue-6.17/s390-add-wno-pointer-sign-to-kbuild_cflags_decompressor.patch b/queue-6.17/s390-add-wno-pointer-sign-to-kbuild_cflags_decompressor.patch new file mode 100644 index 0000000000..96e7130c6b --- /dev/null +++ b/queue-6.17/s390-add-wno-pointer-sign-to-kbuild_cflags_decompressor.patch @@ -0,0 +1,45 @@ +From fa7a0a53eeb7e16402f82c3d5a9ef4bf5efe9357 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Fri, 26 Sep 2025 15:39:10 +0200 +Subject: s390: Add -Wno-pointer-sign to KBUILD_CFLAGS_DECOMPRESSOR + +From: Heiko Carstens + +commit fa7a0a53eeb7e16402f82c3d5a9ef4bf5efe9357 upstream. + +If the decompressor is compiled with clang this can lead to the following +warning: + +In file included from arch/s390/boot/startup.c:4: +... +In file included from ./include/linux/pgtable.h:6: +./arch/s390/include/asm/pgtable.h:2065:48: warning: passing 'unsigned long *' to parameter of type + 'long *' converts between pointers to integer types with different sign [-Wpointer-sign] + 2065 | value = __atomic64_or_barrier(PGSTE_PCL_BIT, ptr); + +Add -Wno-pointer-sign to the decompressor compile flags, like it is also +done for the kernel. This is similar to what was done for x86 to address +the same problem [1]. + +[1] commit dca5203e3fe2 ("x86/boot: Add -Wno-pointer-sign to KBUILD_CFLAGS") + +Cc: stable@vger.kernel.org +Reported-by: Gerd Bayer +Signed-off-by: Heiko Carstens +Reviewed-by: Alexander Gordeev +Signed-off-by: Alexander Gordeev +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/Makefile | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/s390/Makefile ++++ b/arch/s390/Makefile +@@ -25,6 +25,7 @@ endif + KBUILD_CFLAGS_DECOMPRESSOR := $(CLANG_FLAGS) -m64 -O2 -mpacked-stack -std=gnu11 + KBUILD_CFLAGS_DECOMPRESSOR += -DDISABLE_BRANCH_PROFILING -D__NO_FORTIFY + KBUILD_CFLAGS_DECOMPRESSOR += -D__DECOMPRESSOR ++KBUILD_CFLAGS_DECOMPRESSOR += -Wno-pointer-sign + KBUILD_CFLAGS_DECOMPRESSOR += -fno-delete-null-pointer-checks -msoft-float -mbackchain + KBUILD_CFLAGS_DECOMPRESSOR += -fno-asynchronous-unwind-tables + KBUILD_CFLAGS_DECOMPRESSOR += -ffreestanding diff --git a/queue-6.17/s390-cio-ioasm-fix-__xsch-condition-code-handling.patch b/queue-6.17/s390-cio-ioasm-fix-__xsch-condition-code-handling.patch new file mode 100644 index 0000000000..71367e9bda --- /dev/null +++ b/queue-6.17/s390-cio-ioasm-fix-__xsch-condition-code-handling.patch @@ -0,0 +1,50 @@ +From f0edc8f113a39d1c9f8cf83e865c32b0668d80e0 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Thu, 25 Sep 2025 10:45:17 +0200 +Subject: s390/cio/ioasm: Fix __xsch() condition code handling + +From: Heiko Carstens + +commit f0edc8f113a39d1c9f8cf83e865c32b0668d80e0 upstream. + +For the __xsch() inline assembly the conversion to flag output macros is +incomplete. Only the conditional shift of the return value was added, while +the required changes to the inline assembly itself are missing. + +If compiled with GCC versions before 14.2 this leads to a double shift of +the cc output operand and therefore the returned value of __xsch() is +incorrectly always zero, instead of the expected condition code. + +Fixes: e200565d434b ("s390/cio/ioasm: Convert to use flag output macros") +Cc: stable@vger.kernel.org +Signed-off-by: Heiko Carstens +Acked-by: Alexander Gordeev +Reviewed-by: Juergen Christ +Signed-off-by: Alexander Gordeev +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/cio/ioasm.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/s390/cio/ioasm.c b/drivers/s390/cio/ioasm.c +index a540045b64a6..8b06b234e110 100644 +--- a/drivers/s390/cio/ioasm.c ++++ b/drivers/s390/cio/ioasm.c +@@ -253,11 +253,10 @@ static inline int __xsch(struct subchannel_id schid) + asm volatile( + " lgr 1,%[r1]\n" + " xsch\n" +- " ipm %[cc]\n" +- " srl %[cc],28\n" +- : [cc] "=&d" (ccode) ++ CC_IPM(cc) ++ : CC_OUT(cc, ccode) + : [r1] "d" (r1) +- : "cc", "1"); ++ : CC_CLOBBER_LIST("1")); + return CC_TRANSFORM(ccode); + } + +-- +2.51.0 + diff --git a/queue-6.17/s390-dasd-enforce-dma_alignment-to-ensure-proper-buffer-validation.patch b/queue-6.17/s390-dasd-enforce-dma_alignment-to-ensure-proper-buffer-validation.patch new file mode 100644 index 0000000000..286d3ef280 --- /dev/null +++ b/queue-6.17/s390-dasd-enforce-dma_alignment-to-ensure-proper-buffer-validation.patch @@ -0,0 +1,43 @@ +From 130e6de62107116eba124647116276266be0f84c Mon Sep 17 00:00:00 2001 +From: Jaehoon Kim +Date: Thu, 25 Sep 2025 17:47:08 +0200 +Subject: s390/dasd: enforce dma_alignment to ensure proper buffer validation + +From: Jaehoon Kim + +commit 130e6de62107116eba124647116276266be0f84c upstream. + +The block layer validates buffer alignment using the device's +dma_alignment value. If dma_alignment is smaller than +logical_block_size(bp_block) -1, misaligned buffer incorrectly pass +validation and propagate to the lower-level driver. + +This patch adjusts dma_alignment to be at least logical_block_size -1, +ensuring that misalignment buffers are properly rejected at the block +layer and do not reach the DASD driver unnecessarily. + +Fixes: 2a07bb64d801 ("s390/dasd: Remove DMA alignment") +Reviewed-by: Stefan Haberland +Cc: stable@vger.kernel.org #6.11+ +Signed-off-by: Jaehoon Kim +Signed-off-by: Stefan Haberland +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/block/dasd.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/s390/block/dasd.c ++++ b/drivers/s390/block/dasd.c +@@ -334,6 +334,11 @@ static int dasd_state_basic_to_ready(str + lim.max_dev_sectors = device->discipline->max_sectors(block); + lim.max_hw_sectors = lim.max_dev_sectors; + lim.logical_block_size = block->bp_block; ++ /* ++ * Adjust dma_alignment to match block_size - 1 ++ * to ensure proper buffer alignment checks in the block layer. ++ */ ++ lim.dma_alignment = lim.logical_block_size - 1; + + if (device->discipline->has_discard) { + unsigned int max_bytes; diff --git a/queue-6.17/s390-dasd-return-blk_sts_inval-for-einval-from-do_dasd_request.patch b/queue-6.17/s390-dasd-return-blk_sts_inval-for-einval-from-do_dasd_request.patch new file mode 100644 index 0000000000..72377e18ce --- /dev/null +++ b/queue-6.17/s390-dasd-return-blk_sts_inval-for-einval-from-do_dasd_request.patch @@ -0,0 +1,52 @@ +From 8f4ed0ce4857ceb444174503fc9058720d4faaa1 Mon Sep 17 00:00:00 2001 +From: Jaehoon Kim +Date: Thu, 25 Sep 2025 17:47:07 +0200 +Subject: s390/dasd: Return BLK_STS_INVAL for EINVAL from do_dasd_request + +From: Jaehoon Kim + +commit 8f4ed0ce4857ceb444174503fc9058720d4faaa1 upstream. + +Currently, if CCW request creation fails with -EINVAL, the DASD driver +returns BLK_STS_IOERR to the block layer. + +This can happen, for example, when a user-space application such as QEMU +passes a misaligned buffer, but the original cause of the error is +masked as a generic I/O error. + +This patch changes the behavior so that -EINVAL is returned as +BLK_STS_INVAL, allowing user space to properly detect alignment issues +instead of interpreting them as I/O errors. + +Reviewed-by: Stefan Haberland +Cc: stable@vger.kernel.org #6.11+ +Signed-off-by: Jaehoon Kim +Signed-off-by: Stefan Haberland +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/block/dasd.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/s390/block/dasd.c ++++ b/drivers/s390/block/dasd.c +@@ -3119,12 +3119,14 @@ static blk_status_t do_dasd_request(stru + PTR_ERR(cqr) == -ENOMEM || + PTR_ERR(cqr) == -EAGAIN) { + rc = BLK_STS_RESOURCE; +- goto out; ++ } else if (PTR_ERR(cqr) == -EINVAL) { ++ rc = BLK_STS_INVAL; ++ } else { ++ DBF_DEV_EVENT(DBF_ERR, basedev, ++ "CCW creation failed (rc=%ld) on request %p", ++ PTR_ERR(cqr), req); ++ rc = BLK_STS_IOERR; + } +- DBF_DEV_EVENT(DBF_ERR, basedev, +- "CCW creation failed (rc=%ld) on request %p", +- PTR_ERR(cqr), req); +- rc = BLK_STS_IOERR; + goto out; + } + /* diff --git a/queue-6.17/selftests-mptcp-join-validate-c-flag-def-limit.patch b/queue-6.17/selftests-mptcp-join-validate-c-flag-def-limit.patch new file mode 100644 index 0000000000..53304f3155 --- /dev/null +++ b/queue-6.17/selftests-mptcp-join-validate-c-flag-def-limit.patch @@ -0,0 +1,59 @@ +From 008385efd05e04d8dff299382df2e8be0f91d8a0 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Thu, 25 Sep 2025 12:32:37 +0200 +Subject: selftests: mptcp: join: validate C-flag + def limit + +From: Matthieu Baerts (NGI0) + +commit 008385efd05e04d8dff299382df2e8be0f91d8a0 upstream. + +The previous commit adds an exception for the C-flag case. The +'mptcp_join.sh' selftest is extended to validate this case. + +In this subtest, there is a typical CDN deployment with a client where +MPTCP endpoints have been 'automatically' configured: + +- the server set net.mptcp.allow_join_initial_addr_port=0 + +- the client has multiple 'subflow' endpoints, and the default limits: + not accepting ADD_ADDRs. + +Without the parent patch, the client is not able to establish new +subflows using its 'subflow' endpoints. The parent commit fixes that. + +The 'Fixes' tag here below is the same as the one from the previous +commit: this patch here is not fixing anything wrong in the selftests, +but it validates the previous fix for an issue introduced by this commit +ID. + +Fixes: df377be38725 ("mptcp: add deny_join_id0 in mptcp_options_received") +Cc: stable@vger.kernel.org +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250925-net-next-mptcp-c-flag-laminar-v1-2-ad126cc47c6b@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -3187,6 +3187,17 @@ deny_join_id0_tests() + run_tests $ns1 $ns2 10.0.1.1 + chk_join_nr 1 1 1 + fi ++ ++ # default limits, server deny join id 0 + signal ++ if reset_with_allow_join_id0 "default limits, server deny join id 0" 0 1; then ++ pm_nl_set_limits $ns1 0 2 ++ pm_nl_set_limits $ns2 0 2 ++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal ++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow ++ pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow ++ run_tests $ns1 $ns2 10.0.1.1 ++ chk_join_nr 2 2 2 ++ fi + } + + fullmesh_tests() diff --git a/queue-6.17/series b/queue-6.17/series index 92169f1b1d..d886da2235 100644 --- a/queue-6.17/series +++ b/queue-6.17/series @@ -298,3 +298,26 @@ xfs-use-deferred-intent-items-for-reaping-crosslinked-blocks.patch x86-fred-remove-endbr64-from-fred-entry-points.patch x86-umip-check-that-the-instruction-opcode-is-at-least-two-bytes.patch x86-umip-fix-decoding-of-register-forms-of-0f-01-sgdt-and-sidt-aliases.patch +mptcp-pm-in-kernel-usable-client-side-with-c-flag.patch +mptcp-reset-blackhole-on-success-with-non-loopback-ifaces.patch +selftests-mptcp-join-validate-c-flag-def-limit.patch +s390-cio-ioasm-fix-__xsch-condition-code-handling.patch +s390-dasd-enforce-dma_alignment-to-ensure-proper-buffer-validation.patch +s390-dasd-return-blk_sts_inval-for-einval-from-do_dasd_request.patch +s390-add-wno-pointer-sign-to-kbuild_cflags_decompressor.patch +slab-prevent-warnings-when-slab-obj_exts-vector-allocation-fails.patch +slab-mark-slab-obj_exts-allocation-failures-unconditionally.patch +wifi-ath11k-hal-srng-don-t-deinitialize-and-re-initialize-again.patch +wifi-iwlwifi-fix-dentry-reference-leak-in-iwl_mld_add_link_debugfs.patch +wifi-rtw89-avoid-possible-tx-wait-initialization-race.patch +wifi-mt76-mt7925u-add-vid-pid-for-netgear-a9000.patch +wifi-mt76-mt7921u-add-vid-pid-for-netgear-a7500.patch +mm-thp-fix-mte-tag-mismatch-when-replacing-zero-filled-subpages.patch +mm-rmap-fix-soft-dirty-and-uffd-wp-bit-loss-when-remapping-zero-filled-mthp-subpage-to-shared-zeropage.patch +mm-page_alloc-only-set-alloc_highatomic-for-__gpf_high-allocations.patch +mm-hugetlb-early-exit-from-hugetlb_pages_alloc_boot-when-max_huge_pages-0.patch +mm-damon-vaddr-do-not-repeat-pte_offset_map_lock-until-success.patch +mm-damon-lru_sort-use-param_ctx-for-damon_attrs-staging.patch +nfsd-decouple-the-xprtsec-policy-check-from-check_nfsd_access.patch +nfsd-fix-destination-buffer-size-in-nfsd4_ssc_setup_dul.patch +nfsd-nfserr_jukebox-in-nlm_fopen-should-lead-to-a-retry.patch diff --git a/queue-6.17/slab-mark-slab-obj_exts-allocation-failures-unconditionally.patch b/queue-6.17/slab-mark-slab-obj_exts-allocation-failures-unconditionally.patch new file mode 100644 index 0000000000..26a7bb5d8f --- /dev/null +++ b/queue-6.17/slab-mark-slab-obj_exts-allocation-failures-unconditionally.patch @@ -0,0 +1,38 @@ +From f7381b9116407ba2a429977c80ff8df953ea9354 Mon Sep 17 00:00:00 2001 +From: Suren Baghdasaryan +Date: Mon, 15 Sep 2025 13:09:18 -0700 +Subject: slab: mark slab->obj_exts allocation failures unconditionally + +From: Suren Baghdasaryan + +commit f7381b9116407ba2a429977c80ff8df953ea9354 upstream. + +alloc_slab_obj_exts() should mark failed obj_exts vector allocations +independent on whether the vector is being allocated for a new or an +existing slab. Current implementation skips doing this for existing +slabs. Fix this by marking failed allocations unconditionally. + +Fixes: 09c46563ff6d ("codetag: debug: introduce OBJEXTS_ALLOC_FAIL to mark failed slab_ext allocations") +Reported-by: Shakeel Butt +Closes: https://lore.kernel.org/all/avhakjldsgczmq356gkwmvfilyvf7o6temvcmtt5lqd4fhp5rk@47gp2ropyixg/ +Signed-off-by: Suren Baghdasaryan +Cc: stable@vger.kernel.org # v6.10+ +Acked-by: Shakeel Butt +Signed-off-by: Vlastimil Babka +Signed-off-by: Greg Kroah-Hartman +--- + mm/slub.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -2034,8 +2034,7 @@ int alloc_slab_obj_exts(struct slab *sla + slab_nid(slab)); + if (!vec) { + /* Mark vectors which failed to allocate */ +- if (new_slab) +- mark_failed_objexts_alloc(slab); ++ mark_failed_objexts_alloc(slab); + + return -ENOMEM; + } diff --git a/queue-6.17/slab-prevent-warnings-when-slab-obj_exts-vector-allocation-fails.patch b/queue-6.17/slab-prevent-warnings-when-slab-obj_exts-vector-allocation-fails.patch new file mode 100644 index 0000000000..afa33673a4 --- /dev/null +++ b/queue-6.17/slab-prevent-warnings-when-slab-obj_exts-vector-allocation-fails.patch @@ -0,0 +1,48 @@ +From 4038016397da5c1cebb10e7c85a36d06123724a8 Mon Sep 17 00:00:00 2001 +From: Suren Baghdasaryan +Date: Mon, 15 Sep 2025 13:09:17 -0700 +Subject: slab: prevent warnings when slab obj_exts vector allocation fails + +From: Suren Baghdasaryan + +commit 4038016397da5c1cebb10e7c85a36d06123724a8 upstream. + +When object extension vector allocation fails, we set slab->obj_exts to +OBJEXTS_ALLOC_FAIL to indicate the failure. Later, once the vector is +successfully allocated, we will use this flag to mark codetag references +stored in that vector as empty to avoid codetag warnings. + +slab_obj_exts() used to retrieve the slab->obj_exts vector pointer checks +slab->obj_exts for being either NULL or a pointer with MEMCG_DATA_OBJEXTS +bit set. However it does not handle the case when slab->obj_exts equals +OBJEXTS_ALLOC_FAIL. Add the missing condition to avoid extra warning. + +Fixes: 09c46563ff6d ("codetag: debug: introduce OBJEXTS_ALLOC_FAIL to mark failed slab_ext allocations") +Reported-by: Shakeel Butt +Closes: https://lore.kernel.org/all/jftidhymri2af5u3xtcqry3cfu6aqzte3uzlznhlaylgrdztsi@5vpjnzpsemf5/ +Signed-off-by: Suren Baghdasaryan +Cc: stable@vger.kernel.org # v6.10+ +Acked-by: Shakeel Butt +Signed-off-by: Vlastimil Babka +Signed-off-by: Greg Kroah-Hartman +--- + mm/slab.h | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/mm/slab.h ++++ b/mm/slab.h +@@ -526,8 +526,12 @@ static inline struct slabobj_ext *slab_o + unsigned long obj_exts = READ_ONCE(slab->obj_exts); + + #ifdef CONFIG_MEMCG +- VM_BUG_ON_PAGE(obj_exts && !(obj_exts & MEMCG_DATA_OBJEXTS), +- slab_page(slab)); ++ /* ++ * obj_exts should be either NULL, a valid pointer with ++ * MEMCG_DATA_OBJEXTS bit set or be equal to OBJEXTS_ALLOC_FAIL. ++ */ ++ VM_BUG_ON_PAGE(obj_exts && !(obj_exts & MEMCG_DATA_OBJEXTS) && ++ obj_exts != OBJEXTS_ALLOC_FAIL, slab_page(slab)); + VM_BUG_ON_PAGE(obj_exts & MEMCG_DATA_KMEM, slab_page(slab)); + #endif + return (struct slabobj_ext *)(obj_exts & ~OBJEXTS_FLAGS_MASK); diff --git a/queue-6.17/wifi-ath11k-hal-srng-don-t-deinitialize-and-re-initialize-again.patch b/queue-6.17/wifi-ath11k-hal-srng-don-t-deinitialize-and-re-initialize-again.patch new file mode 100644 index 0000000000..e0bbb7fd60 --- /dev/null +++ b/queue-6.17/wifi-ath11k-hal-srng-don-t-deinitialize-and-re-initialize-again.patch @@ -0,0 +1,82 @@ +From 32be3ca4cf78b309dfe7ba52fe2d7cc3c23c5634 Mon Sep 17 00:00:00 2001 +From: Muhammad Usama Anjum +Date: Tue, 22 Jul 2025 10:31:21 +0500 +Subject: wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again + +From: Muhammad Usama Anjum + +commit 32be3ca4cf78b309dfe7ba52fe2d7cc3c23c5634 upstream. + +Don't deinitialize and reinitialize the HAL helpers. The dma memory is +deallocated and there is high possibility that we'll not be able to get +the same memory allocated from dma when there is high memory pressure. + +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.6 + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Cc: stable@vger.kernel.org +Cc: Baochen Qiang +Reviewed-by: Baochen Qiang +Signed-off-by: Muhammad Usama Anjum +Link: https://patch.msgid.link/20250722053121.1145001-1-usama.anjum@collabora.com +Signed-off-by: Jeff Johnson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/core.c | 6 +----- + drivers/net/wireless/ath/ath11k/hal.c | 16 ++++++++++++++++ + drivers/net/wireless/ath/ath11k/hal.h | 1 + + 3 files changed, 18 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/ath/ath11k/core.c ++++ b/drivers/net/wireless/ath/ath11k/core.c +@@ -2215,14 +2215,10 @@ static int ath11k_core_reconfigure_on_cr + mutex_unlock(&ab->core_lock); + + ath11k_dp_free(ab); +- ath11k_hal_srng_deinit(ab); ++ ath11k_hal_srng_clear(ab); + + ab->free_vdev_map = (1LL << (ab->num_radios * TARGET_NUM_VDEVS(ab))) - 1; + +- ret = ath11k_hal_srng_init(ab); +- if (ret) +- return ret; +- + clear_bit(ATH11K_FLAG_CRASH_FLUSH, &ab->dev_flags); + + ret = ath11k_core_qmi_firmware_ready(ab); +--- a/drivers/net/wireless/ath/ath11k/hal.c ++++ b/drivers/net/wireless/ath/ath11k/hal.c +@@ -1386,6 +1386,22 @@ void ath11k_hal_srng_deinit(struct ath11 + } + EXPORT_SYMBOL(ath11k_hal_srng_deinit); + ++void ath11k_hal_srng_clear(struct ath11k_base *ab) ++{ ++ /* No need to memset rdp and wrp memory since each individual ++ * segment would get cleared in ath11k_hal_srng_src_hw_init() ++ * and ath11k_hal_srng_dst_hw_init(). ++ */ ++ memset(ab->hal.srng_list, 0, ++ sizeof(ab->hal.srng_list)); ++ memset(ab->hal.shadow_reg_addr, 0, ++ sizeof(ab->hal.shadow_reg_addr)); ++ ab->hal.avail_blk_resource = 0; ++ ab->hal.current_blk_index = 0; ++ ab->hal.num_shadow_reg_configured = 0; ++} ++EXPORT_SYMBOL(ath11k_hal_srng_clear); ++ + void ath11k_hal_dump_srng_stats(struct ath11k_base *ab) + { + struct hal_srng *srng; +--- a/drivers/net/wireless/ath/ath11k/hal.h ++++ b/drivers/net/wireless/ath/ath11k/hal.h +@@ -965,6 +965,7 @@ int ath11k_hal_srng_setup(struct ath11k_ + struct hal_srng_params *params); + int ath11k_hal_srng_init(struct ath11k_base *ath11k); + void ath11k_hal_srng_deinit(struct ath11k_base *ath11k); ++void ath11k_hal_srng_clear(struct ath11k_base *ab); + void ath11k_hal_dump_srng_stats(struct ath11k_base *ab); + void ath11k_hal_srng_get_shadow_config(struct ath11k_base *ab, + u32 **cfg, u32 *len); diff --git a/queue-6.17/wifi-iwlwifi-fix-dentry-reference-leak-in-iwl_mld_add_link_debugfs.patch b/queue-6.17/wifi-iwlwifi-fix-dentry-reference-leak-in-iwl_mld_add_link_debugfs.patch new file mode 100644 index 0000000000..c498c6b47f --- /dev/null +++ b/queue-6.17/wifi-iwlwifi-fix-dentry-reference-leak-in-iwl_mld_add_link_debugfs.patch @@ -0,0 +1,44 @@ +From ff46e2e7034c78489fa7a6bc35f7c9dd8ab82905 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Tue, 2 Sep 2025 12:09:49 +0800 +Subject: wifi: iwlwifi: Fix dentry reference leak in iwl_mld_add_link_debugfs + +From: Miaoqian Lin + +commit ff46e2e7034c78489fa7a6bc35f7c9dd8ab82905 upstream. + +The debugfs_lookup() function increases the dentry reference count. +Add missing dput() call to release the reference when the "iwlmld" +directory already exists. + +Fixes: d1e879ec600f ("wifi: iwlwifi: add iwlmld sub-driver") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Link: https://patch.msgid.link/20250902040955.2362472-1-linmq006@gmail.com +Signed-off-by: Miri Korenblit +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mld/debugfs.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mld/debugfs.c b/drivers/net/wireless/intel/iwlwifi/mld/debugfs.c +index cc052b0aa53f..372204bf8452 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mld/debugfs.c ++++ b/drivers/net/wireless/intel/iwlwifi/mld/debugfs.c +@@ -1001,8 +1001,12 @@ void iwl_mld_add_link_debugfs(struct ieee80211_hw *hw, + * If not, this is a per-link dir of a MLO vif, add in it the iwlmld + * dir. + */ +- if (!mld_link_dir) ++ if (!mld_link_dir) { + mld_link_dir = debugfs_create_dir("iwlmld", dir); ++ } else { ++ /* Release the reference from debugfs_lookup */ ++ dput(mld_link_dir); ++ } + } + + static ssize_t _iwl_dbgfs_fixed_rate_write(struct iwl_mld *mld, char *buf, +-- +2.51.0 + diff --git a/queue-6.17/wifi-mt76-mt7921u-add-vid-pid-for-netgear-a7500.patch b/queue-6.17/wifi-mt76-mt7921u-add-vid-pid-for-netgear-a7500.patch new file mode 100644 index 0000000000..9b4d22245d --- /dev/null +++ b/queue-6.17/wifi-mt76-mt7921u-add-vid-pid-for-netgear-a7500.patch @@ -0,0 +1,35 @@ +From fc6627ca8a5f811b601aea74e934cf8a048c88ac Mon Sep 17 00:00:00 2001 +From: Nick Morrow +Date: Fri, 12 Sep 2025 15:45:56 -0500 +Subject: wifi: mt76: mt7921u: Add VID/PID for Netgear A7500 + +From: Nick Morrow + +commit fc6627ca8a5f811b601aea74e934cf8a048c88ac upstream. + +Add VID/PID 0846/9065 for Netgear A7500. + +Reported-by: Autumn Dececco +Tested-by: Autumn Dececco +Signed-off-by: Nick Morrow +Cc: stable@vger.kernel.org +Acked-by: Lorenzo Bianconi +Link: https://patch.msgid.link/80bacfd6-6073-4ce5-be32-ae9580832337@gmail.com +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt7921/usb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/wireless/mediatek/mt76/mt7921/usb.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/usb.c +@@ -21,6 +21,9 @@ static const struct usb_device_id mt7921 + /* Netgear, Inc. [A8000,AXE3000] */ + { USB_DEVICE_AND_INTERFACE_INFO(0x0846, 0x9060, 0xff, 0xff, 0xff), + .driver_info = (kernel_ulong_t)MT7921_FIRMWARE_WM }, ++ /* Netgear, Inc. A7500 */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x0846, 0x9065, 0xff, 0xff, 0xff), ++ .driver_info = (kernel_ulong_t)MT7921_FIRMWARE_WM }, + /* TP-Link TXE50UH */ + { USB_DEVICE_AND_INTERFACE_INFO(0x35bc, 0x0107, 0xff, 0xff, 0xff), + .driver_info = (kernel_ulong_t)MT7921_FIRMWARE_WM }, diff --git a/queue-6.17/wifi-mt76-mt7925u-add-vid-pid-for-netgear-a9000.patch b/queue-6.17/wifi-mt76-mt7925u-add-vid-pid-for-netgear-a9000.patch new file mode 100644 index 0000000000..90642a4cee --- /dev/null +++ b/queue-6.17/wifi-mt76-mt7925u-add-vid-pid-for-netgear-a9000.patch @@ -0,0 +1,32 @@ +From f6159b2051e157550d7609e19d04471609c6050b Mon Sep 17 00:00:00 2001 +From: Nick Morrow +Date: Tue, 8 Jul 2025 16:40:42 -0500 +Subject: wifi: mt76: mt7925u: Add VID/PID for Netgear A9000 + +From: Nick Morrow + +commit f6159b2051e157550d7609e19d04471609c6050b upstream. + +Add VID/PID 0846/9072 for recently released Netgear A9000. + +Signed-off-by: Nick Morrow +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/7afd3c3c-e7cf-4bd9-801d-bdfc76def506@gmail.com +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt7925/usb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/wireless/mediatek/mt76/mt7925/usb.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7925/usb.c +@@ -12,6 +12,9 @@ + static const struct usb_device_id mt7925u_device_table[] = { + { USB_DEVICE_AND_INTERFACE_INFO(0x0e8d, 0x7925, 0xff, 0xff, 0xff), + .driver_info = (kernel_ulong_t)MT7925_FIRMWARE_WM }, ++ /* Netgear, Inc. A9000 */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x0846, 0x9072, 0xff, 0xff, 0xff), ++ .driver_info = (kernel_ulong_t)MT7925_FIRMWARE_WM }, + { }, + }; + diff --git a/queue-6.17/wifi-rtw89-avoid-possible-tx-wait-initialization-race.patch b/queue-6.17/wifi-rtw89-avoid-possible-tx-wait-initialization-race.patch new file mode 100644 index 0000000000..2b35907baa --- /dev/null +++ b/queue-6.17/wifi-rtw89-avoid-possible-tx-wait-initialization-race.patch @@ -0,0 +1,202 @@ +From c24248ed78f33ea299ea61d105355ba47157d49f Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Sat, 20 Sep 2025 00:08:48 +0300 +Subject: wifi: rtw89: avoid possible TX wait initialization race + +From: Fedor Pchelkin + +commit c24248ed78f33ea299ea61d105355ba47157d49f upstream. + +The value of skb_data->wait indicates whether skb is passed on to the +core mac80211 stack or released by the driver itself. Make sure that by +the time skb is added to txwd queue and becomes visible to the completing +side, it has already allocated and initialized TX wait related data (in +case it's needed). + +This is found by code review and addresses a possible race scenario +described below: + + Waiting thread Completing thread + +rtw89_core_send_nullfunc() + rtw89_core_tx_write_link() + ... + rtw89_pci_txwd_submit() + skb_data->wait = NULL + /* add skb to the queue */ + skb_queue_tail(&txwd->queue, skb) + + /* another thread (e.g. rtw89_ops_tx) performs TX kick off for the same queue */ + + rtw89_pci_napi_poll() + ... + rtw89_pci_release_txwd_skb() + /* get skb from the queue */ + skb_unlink(skb, &txwd->queue) + rtw89_pci_tx_status() + rtw89_core_tx_wait_complete() + /* use incorrect skb_data->wait */ + rtw89_core_tx_kick_off_and_wait() + /* assign skb_data->wait but too late */ + +Found by Linux Verification Center (linuxtesting.org). + +Fixes: 1ae5ca615285 ("wifi: rtw89: add function to wait for completion of TX skbs") +Cc: stable@vger.kernel.org +Signed-off-by: Fedor Pchelkin +Acked-by: Ping-Ke Shih +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250919210852.823912-3-pchelkin@ispras.ru +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtw89/core.c | 39 ++++++++++++++++-------------- + drivers/net/wireless/realtek/rtw89/core.h | 3 +- + drivers/net/wireless/realtek/rtw89/pci.c | 2 - + 3 files changed, 24 insertions(+), 20 deletions(-) + +--- a/drivers/net/wireless/realtek/rtw89/core.c ++++ b/drivers/net/wireless/realtek/rtw89/core.c +@@ -1091,25 +1091,14 @@ void rtw89_core_tx_kick_off(struct rtw89 + } + + int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *skb, +- int qsel, unsigned int timeout) ++ struct rtw89_tx_wait_info *wait, int qsel, ++ unsigned int timeout) + { +- struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); +- struct rtw89_tx_wait_info *wait; + unsigned long time_left; + int ret = 0; + + lockdep_assert_wiphy(rtwdev->hw->wiphy); + +- wait = kzalloc(sizeof(*wait), GFP_KERNEL); +- if (!wait) { +- rtw89_core_tx_kick_off(rtwdev, qsel); +- return 0; +- } +- +- init_completion(&wait->completion); +- wait->skb = skb; +- rcu_assign_pointer(skb_data->wait, wait); +- + rtw89_core_tx_kick_off(rtwdev, qsel); + time_left = wait_for_completion_timeout(&wait->completion, + msecs_to_jiffies(timeout)); +@@ -1172,10 +1161,12 @@ int rtw89_h2c_tx(struct rtw89_dev *rtwde + static int rtw89_core_tx_write_link(struct rtw89_dev *rtwdev, + struct rtw89_vif_link *rtwvif_link, + struct rtw89_sta_link *rtwsta_link, +- struct sk_buff *skb, int *qsel, bool sw_mld) ++ struct sk_buff *skb, int *qsel, bool sw_mld, ++ struct rtw89_tx_wait_info *wait) + { + struct ieee80211_sta *sta = rtwsta_link_to_sta_safe(rtwsta_link); + struct ieee80211_vif *vif = rtwvif_link_to_vif(rtwvif_link); ++ struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); + struct rtw89_vif *rtwvif = rtwvif_link->rtwvif; + struct rtw89_core_tx_request tx_req = {}; + int ret; +@@ -1192,6 +1183,8 @@ static int rtw89_core_tx_write_link(stru + rtw89_core_tx_update_desc_info(rtwdev, &tx_req); + rtw89_core_tx_wake(rtwdev, &tx_req); + ++ rcu_assign_pointer(skb_data->wait, wait); ++ + ret = rtw89_hci_tx_write(rtwdev, &tx_req); + if (ret) { + rtw89_err(rtwdev, "failed to transmit skb to HCI\n"); +@@ -1228,7 +1221,8 @@ int rtw89_core_tx_write(struct rtw89_dev + } + } + +- return rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, qsel, false); ++ return rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, qsel, false, ++ NULL); + } + + static __le32 rtw89_build_txwd_body0(struct rtw89_tx_desc_info *desc_info) +@@ -3426,6 +3420,7 @@ int rtw89_core_send_nullfunc(struct rtw8 + struct ieee80211_vif *vif = rtwvif_link_to_vif(rtwvif_link); + int link_id = ieee80211_vif_is_mld(vif) ? rtwvif_link->link_id : -1; + struct rtw89_sta_link *rtwsta_link; ++ struct rtw89_tx_wait_info *wait; + struct ieee80211_sta *sta; + struct ieee80211_hdr *hdr; + struct rtw89_sta *rtwsta; +@@ -3435,6 +3430,12 @@ int rtw89_core_send_nullfunc(struct rtw8 + if (vif->type != NL80211_IFTYPE_STATION || !vif->cfg.assoc) + return 0; + ++ wait = kzalloc(sizeof(*wait), GFP_KERNEL); ++ if (!wait) ++ return -ENOMEM; ++ ++ init_completion(&wait->completion); ++ + rcu_read_lock(); + sta = ieee80211_find_sta(vif, vif->cfg.ap_addr); + if (!sta) { +@@ -3449,6 +3450,8 @@ int rtw89_core_send_nullfunc(struct rtw8 + goto out; + } + ++ wait->skb = skb; ++ + hdr = (struct ieee80211_hdr *)skb->data; + if (ps) + hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM); +@@ -3460,7 +3463,8 @@ int rtw89_core_send_nullfunc(struct rtw8 + goto out; + } + +- ret = rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, &qsel, true); ++ ret = rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, &qsel, true, ++ wait); + if (ret) { + rtw89_warn(rtwdev, "nullfunc transmit failed: %d\n", ret); + dev_kfree_skb_any(skb); +@@ -3469,10 +3473,11 @@ int rtw89_core_send_nullfunc(struct rtw8 + + rcu_read_unlock(); + +- return rtw89_core_tx_kick_off_and_wait(rtwdev, skb, qsel, ++ return rtw89_core_tx_kick_off_and_wait(rtwdev, skb, wait, qsel, + timeout); + out: + rcu_read_unlock(); ++ kfree(wait); + + return ret; + } +--- a/drivers/net/wireless/realtek/rtw89/core.h ++++ b/drivers/net/wireless/realtek/rtw89/core.h +@@ -7389,7 +7389,8 @@ int rtw89_h2c_tx(struct rtw89_dev *rtwde + struct sk_buff *skb, bool fwdl); + void rtw89_core_tx_kick_off(struct rtw89_dev *rtwdev, u8 qsel); + int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *skb, +- int qsel, unsigned int timeout); ++ struct rtw89_tx_wait_info *wait, int qsel, ++ unsigned int timeout); + void rtw89_core_fill_txdesc(struct rtw89_dev *rtwdev, + struct rtw89_tx_desc_info *desc_info, + void *txdesc); +--- a/drivers/net/wireless/realtek/rtw89/pci.c ++++ b/drivers/net/wireless/realtek/rtw89/pci.c +@@ -1372,7 +1372,6 @@ static int rtw89_pci_txwd_submit(struct + struct pci_dev *pdev = rtwpci->pdev; + struct sk_buff *skb = tx_req->skb; + struct rtw89_pci_tx_data *tx_data = RTW89_PCI_TX_SKB_CB(skb); +- struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); + bool en_wd_info = desc_info->en_wd_info; + u32 txwd_len; + u32 txwp_len; +@@ -1388,7 +1387,6 @@ static int rtw89_pci_txwd_submit(struct + } + + tx_data->dma = dma; +- rcu_assign_pointer(skb_data->wait, NULL); + + txwp_len = sizeof(*txwp_info); + txwd_len = chip->txwd_body_size;