From: Greg Kroah-Hartman Date: Tue, 3 Feb 2026 14:19:55 +0000 (+0100) Subject: 6.12-stable patches X-Git-Tag: v5.10.249~42 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=492acf18a7dd0345cf37e27262448b09380d2617;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: asoc-amd-yc-add-dmi-quirk-for-acer-travelmate-p216-41-tco.patch asoc-fsl-imx-card-do-not-force-slot-width-to-sample-width.patch efivarfs-fix-error-propagation-in-efivar_entry_get.patch flex_proportions-make-fprop_new_period-hardirq-safe.patch gpio-pca953x-mask-interrupts-in-irq-shutdown.patch gpio-rockchip-stop-calling-pinctrl-for-set_direction.patch mm-kasan-fix-kasan-poisoning-in-vrealloc.patch mm-memory-failure-fix-missing-mf_stats-count-in-hugetlb-poison.patch mm-memory-failure-teach-kill_accessing_process-to-accept-hugetlb-tail-page-pfn.patch mm-shmem-swap-fix-race-of-truncate-and-swap-entry-split.patch mptcp-only-reset-subflow-errors-when-propagated.patch net-fix-segmentation-of-forwarding-fraglist-gro.patch nvmet-fix-race-in-nvmet_bio_done-leading-to-null-pointer-dereference.patch pinctrl-meson-mark-the-gpio-controller-as-sleeping.patch riscv-compat-fix-compat_uts_machine-definition.patch rust-kbuild-give-config-path-to-rustfmt-in-.rsi-target.patch rust-rbtree-fix-documentation-typo-in-cursormut-peek_next-method.patch scsi-be2iscsi-fix-a-memory-leak-in-beiscsi_boot_get_sinfo.patch scsi-qla2xxx-edif-fix-dma_free_coherent-size.patch selftests-mptcp-check-no-dup-close-events-after-error.patch selftests-mptcp-check-subflow-errors-in-close-events.patch selftests-mptcp-join-fix-local-endp-not-being-tracked.patch --- diff --git a/queue-6.12/asoc-amd-yc-add-dmi-quirk-for-acer-travelmate-p216-41-tco.patch b/queue-6.12/asoc-amd-yc-add-dmi-quirk-for-acer-travelmate-p216-41-tco.patch new file mode 100644 index 0000000000..a3c905a732 --- /dev/null +++ b/queue-6.12/asoc-amd-yc-add-dmi-quirk-for-acer-travelmate-p216-41-tco.patch @@ -0,0 +1,39 @@ +From 9502b7df5a3c7e174f74f20324ac1fe781fc5c2d Mon Sep 17 00:00:00 2001 +From: Zhang Heng +Date: Mon, 26 Jan 2026 09:49:52 +0800 +Subject: ASoC: amd: yc: Add DMI quirk for Acer TravelMate P216-41-TCO + +From: Zhang Heng + +commit 9502b7df5a3c7e174f74f20324ac1fe781fc5c2d upstream. + +Add a DMI quirk for the Acer TravelMate P216-41-TCO fixing the +issue where the internal microphone was not detected. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220983 +Cc: stable@vger.kernel.org +Signed-off-by: Zhang Heng +Link: https://patch.msgid.link/20260126014952.3674450-1-zhangheng@kylinos.cn +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/amd/yc/acp6x-mach.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -661,6 +661,14 @@ static const struct dmi_system_id yc_acp + DMI_MATCH(DMI_PRODUCT_NAME, "GOH-X"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "RB"), ++ DMI_MATCH(DMI_BOARD_NAME, "XyloD5_RBU"), ++ } ++ }, ++ + {} + }; + diff --git a/queue-6.12/asoc-fsl-imx-card-do-not-force-slot-width-to-sample-width.patch b/queue-6.12/asoc-fsl-imx-card-do-not-force-slot-width-to-sample-width.patch new file mode 100644 index 0000000000..4823182a7c --- /dev/null +++ b/queue-6.12/asoc-fsl-imx-card-do-not-force-slot-width-to-sample-width.patch @@ -0,0 +1,47 @@ +From 9210f5ff6318163835d9e42ee68006be4da0f531 Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Sun, 18 Jan 2026 17:50:30 -0300 +Subject: ASoC: fsl: imx-card: Do not force slot width to sample width + +From: Fabio Estevam + +commit 9210f5ff6318163835d9e42ee68006be4da0f531 upstream. + +imx-card currently sets the slot width to the physical sample width +for I2S links. This breaks controllers that use fixed-width slots +(e.g. 32-bit FIFO words), causing the unused bits in the slot to +contain undefined data when playing 16-bit streams. + +Do not override the slot width in the machine driver and let the CPU +DAI select an appropriate default instead. This matches the behavior +of simple-audio-card and avoids embedding controller-specific policy +in the machine driver. + +On an i.MX8MP-based board using SAI as the I2S master with 32-bit slots, +playing 16-bit audio resulted in spurious frequencies and an incorrect +SAI data waveform, as the slot width was forced to 16 bits. After this +change, audio artifacts are eliminated and the 16-bit samples correctly +occupy the first half of the 32-bit slot, with the remaining bits padded +with zeroes. + +Cc: stable@vger.kernel.org +Fixes: aa736700f42f ("ASoC: imx-card: Add imx-card machine driver") +Signed-off-by: Fabio Estevam +Acked-by: Shengjiu Wang +Link: https://patch.msgid.link/20260118205030.1532696-1-festevam@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/fsl/imx-card.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/sound/soc/fsl/imx-card.c ++++ b/sound/soc/fsl/imx-card.c +@@ -313,7 +313,6 @@ static int imx_aif_hw_params(struct snd_ + SND_SOC_DAIFMT_PDM; + } else { + slots = 2; +- slot_width = params_physical_width(params); + fmt = (rtd->dai_link->dai_fmt & ~SND_SOC_DAIFMT_FORMAT_MASK) | + SND_SOC_DAIFMT_I2S; + } diff --git a/queue-6.12/efivarfs-fix-error-propagation-in-efivar_entry_get.patch b/queue-6.12/efivarfs-fix-error-propagation-in-efivar_entry_get.patch new file mode 100644 index 0000000000..e9ab4a4771 --- /dev/null +++ b/queue-6.12/efivarfs-fix-error-propagation-in-efivar_entry_get.patch @@ -0,0 +1,37 @@ +From 4b22ec1685ce1fc0d862dcda3225d852fb107995 Mon Sep 17 00:00:00 2001 +From: Kohei Enju +Date: Sat, 17 Jan 2026 16:00:45 +0000 +Subject: efivarfs: fix error propagation in efivar_entry_get() + +From: Kohei Enju + +commit 4b22ec1685ce1fc0d862dcda3225d852fb107995 upstream. + +efivar_entry_get() always returns success even if the underlying +__efivar_entry_get() fails, masking errors. + +This may result in uninitialized heap memory being copied to userspace +in the efivarfs_file_read() path. + +Fix it by returning the error from __efivar_entry_get(). + +Fixes: 2d82e6227ea1 ("efi: vars: Move efivar caching layer into efivarfs") +Cc: # v6.1+ +Signed-off-by: Kohei Enju +Signed-off-by: Ard Biesheuvel +Signed-off-by: Greg Kroah-Hartman +--- + fs/efivarfs/vars.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/efivarfs/vars.c ++++ b/fs/efivarfs/vars.c +@@ -609,7 +609,7 @@ int efivar_entry_get(struct efivar_entry + err = __efivar_entry_get(entry, attributes, size, data); + efivar_unlock(); + +- return 0; ++ return err; + } + + /** diff --git a/queue-6.12/flex_proportions-make-fprop_new_period-hardirq-safe.patch b/queue-6.12/flex_proportions-make-fprop_new_period-hardirq-safe.patch new file mode 100644 index 0000000000..9c7b2625bb --- /dev/null +++ b/queue-6.12/flex_proportions-make-fprop_new_period-hardirq-safe.patch @@ -0,0 +1,79 @@ +From dd9e2f5b38f1fdd49b1ab6d3a85f81c14369eacc Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 21 Jan 2026 12:27:30 +0100 +Subject: flex_proportions: make fprop_new_period() hardirq safe + +From: Jan Kara + +commit dd9e2f5b38f1fdd49b1ab6d3a85f81c14369eacc upstream. + +Bernd has reported a lockdep splat from flexible proportions code that is +essentially complaining about the following race: + + +run_timer_softirq - we are in softirq context + call_timer_fn + writeout_period + fprop_new_period + write_seqcount_begin(&p->sequence); + + + ... + blk_mq_end_request() + blk_update_request() + ext4_end_bio() + folio_end_writeback() + __wb_writeout_add() + __fprop_add_percpu_max() + if (unlikely(max_frac < FPROP_FRAC_BASE)) { + fprop_fraction_percpu() + seq = read_seqcount_begin(&p->sequence); + - sees odd sequence so loops indefinitely + +Note that a deadlock like this is only possible if the bdi has configured +maximum fraction of writeout throughput which is very rare in general but +frequent for example for FUSE bdis. To fix this problem we have to make +sure write section of the sequence counter is irqsafe. + +Link: https://lkml.kernel.org/r/20260121112729.24463-2-jack@suse.cz +Fixes: a91befde3503 ("lib/flex_proportions.c: remove local_irq_ops in fprop_new_period()") +Signed-off-by: Jan Kara +Reported-by: Bernd Schubert +Link: https://lore.kernel.org/all/9b845a47-9aee-43dd-99bc-1a82bea00442@bsbernd.com/ +Reviewed-by: Matthew Wilcox (Oracle) +Cc: Joanne Koong +Cc: Miklos Szeredi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + lib/flex_proportions.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/lib/flex_proportions.c ++++ b/lib/flex_proportions.c +@@ -64,13 +64,14 @@ void fprop_global_destroy(struct fprop_g + bool fprop_new_period(struct fprop_global *p, int periods) + { + s64 events = percpu_counter_sum(&p->events); ++ unsigned long flags; + + /* + * Don't do anything if there are no events. + */ + if (events <= 1) + return false; +- preempt_disable_nested(); ++ local_irq_save(flags); + write_seqcount_begin(&p->sequence); + if (periods < 64) + events -= events >> periods; +@@ -78,7 +79,7 @@ bool fprop_new_period(struct fprop_globa + percpu_counter_add(&p->events, -events); + p->period += periods; + write_seqcount_end(&p->sequence); +- preempt_enable_nested(); ++ local_irq_restore(flags); + + return true; + } diff --git a/queue-6.12/gpio-pca953x-mask-interrupts-in-irq-shutdown.patch b/queue-6.12/gpio-pca953x-mask-interrupts-in-irq-shutdown.patch new file mode 100644 index 0000000000..703c145a9f --- /dev/null +++ b/queue-6.12/gpio-pca953x-mask-interrupts-in-irq-shutdown.patch @@ -0,0 +1,34 @@ +From d02f20a4de0c498fbba2b0e3c1496e72c630a91e Mon Sep 17 00:00:00 2001 +From: Martin Larsson +Date: Wed, 21 Jan 2026 12:57:22 +0000 +Subject: gpio: pca953x: mask interrupts in irq shutdown + +From: Martin Larsson + +commit d02f20a4de0c498fbba2b0e3c1496e72c630a91e upstream. + +In the existing implementation irq_shutdown does not mask the interrupts +in hardware. This can cause spurious interrupts from the IO expander. +Add masking to irq_shutdown to prevent spurious interrupts. + +Cc: stable@vger.kernel.org +Signed-off-by: Martin Larsson +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20260121125631.2758346-1-martin.larsson@actia.se +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-pca953x.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpio/gpio-pca953x.c ++++ b/drivers/gpio/gpio-pca953x.c +@@ -817,6 +817,8 @@ static void pca953x_irq_shutdown(struct + clear_bit(hwirq, chip->irq_trig_fall); + clear_bit(hwirq, chip->irq_trig_level_low); + clear_bit(hwirq, chip->irq_trig_level_high); ++ ++ pca953x_irq_mask(d); + } + + static void pca953x_irq_print_chip(struct irq_data *data, struct seq_file *p) diff --git a/queue-6.12/gpio-rockchip-stop-calling-pinctrl-for-set_direction.patch b/queue-6.12/gpio-rockchip-stop-calling-pinctrl-for-set_direction.patch new file mode 100644 index 0000000000..3d9d20a4bf --- /dev/null +++ b/queue-6.12/gpio-rockchip-stop-calling-pinctrl-for-set_direction.patch @@ -0,0 +1,89 @@ +From 7ca497be00163610afb663867db24ac408752f13 Mon Sep 17 00:00:00 2001 +From: Robin Murphy +Date: Mon, 26 Jan 2026 12:12:26 +0000 +Subject: gpio: rockchip: Stop calling pinctrl for set_direction + +From: Robin Murphy + +commit 7ca497be00163610afb663867db24ac408752f13 upstream. + +Marking the whole controller as sleeping due to the pinctrl calls in the +.direction_{input,output} callbacks has the unfortunate side effect that +legitimate invocations of .get and .set, which cannot themselves sleep, +in atomic context now spew WARN()s from gpiolib. + +However, as Heiko points out, the driver doing this is a bit silly to +begin with, as the pinctrl .gpio_set_direction hook doesn't even care +about the direction, the hook is only used to claim the mux. And sure +enough, the .gpio_request_enable hook exists to serve this very purpose, +so switch to that and remove the problematic business entirely. + +Cc: stable@vger.kernel.org +Fixes: 20cf2aed89ac ("gpio: rockchip: mark the GPIO controller as sleeping") +Suggested-by: Heiko Stuebner +Signed-off-by: Robin Murphy +Reviewed-by: Heiko Stuebner +Link: https://lore.kernel.org/r/bddc0469f25843ca5ae0cf578ab3671435ae98a7.1769429546.git.robin.murphy@arm.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-rockchip.c | 8 -------- + drivers/pinctrl/pinctrl-rockchip.c | 9 ++++----- + 2 files changed, 4 insertions(+), 13 deletions(-) + +--- a/drivers/gpio/gpio-rockchip.c ++++ b/drivers/gpio/gpio-rockchip.c +@@ -18,7 +18,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -157,12 +156,6 @@ static int rockchip_gpio_set_direction(s + unsigned long flags; + u32 data = input ? 0 : 1; + +- +- if (input) +- pinctrl_gpio_direction_input(chip, offset); +- else +- pinctrl_gpio_direction_output(chip, offset); +- + raw_spin_lock_irqsave(&bank->slock, flags); + rockchip_gpio_writel_bit(bank, offset, data, bank->gpio_regs->port_ddr); + raw_spin_unlock_irqrestore(&bank->slock, flags); +@@ -584,7 +577,6 @@ static int rockchip_gpiolib_register(str + gc->ngpio = bank->nr_pins; + gc->label = bank->name; + gc->parent = bank->dev; +- gc->can_sleep = true; + + ret = gpiochip_add_data(gc, bank); + if (ret) { +--- a/drivers/pinctrl/pinctrl-rockchip.c ++++ b/drivers/pinctrl/pinctrl-rockchip.c +@@ -2922,10 +2922,9 @@ static int rockchip_pmx_set(struct pinct + return 0; + } + +-static int rockchip_pmx_gpio_set_direction(struct pinctrl_dev *pctldev, +- struct pinctrl_gpio_range *range, +- unsigned offset, +- bool input) ++static int rockchip_pmx_gpio_request_enable(struct pinctrl_dev *pctldev, ++ struct pinctrl_gpio_range *range, ++ unsigned int offset) + { + struct rockchip_pinctrl *info = pinctrl_dev_get_drvdata(pctldev); + struct rockchip_pin_bank *bank; +@@ -2939,7 +2938,7 @@ static const struct pinmux_ops rockchip_ + .get_function_name = rockchip_pmx_get_func_name, + .get_function_groups = rockchip_pmx_get_groups, + .set_mux = rockchip_pmx_set, +- .gpio_set_direction = rockchip_pmx_gpio_set_direction, ++ .gpio_request_enable = rockchip_pmx_gpio_request_enable, + }; + + /* diff --git a/queue-6.12/mm-kasan-fix-kasan-poisoning-in-vrealloc.patch b/queue-6.12/mm-kasan-fix-kasan-poisoning-in-vrealloc.patch new file mode 100644 index 0000000000..ecc850f452 --- /dev/null +++ b/queue-6.12/mm-kasan-fix-kasan-poisoning-in-vrealloc.patch @@ -0,0 +1,149 @@ +From 9b47d4eea3f7c1f620e95bda1d6221660bde7d7b Mon Sep 17 00:00:00 2001 +From: Andrey Ryabinin +Date: Tue, 13 Jan 2026 20:15:15 +0100 +Subject: mm/kasan: fix KASAN poisoning in vrealloc() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andrey Ryabinin + +commit 9b47d4eea3f7c1f620e95bda1d6221660bde7d7b upstream. + +A KASAN warning can be triggered when vrealloc() changes the requested +size to a value that is not aligned to KASAN_GRANULE_SIZE. + + ------------[ cut here ]------------ + WARNING: CPU: 2 PID: 1 at mm/kasan/shadow.c:174 kasan_unpoison+0x40/0x48 + ... + pc : kasan_unpoison+0x40/0x48 + lr : __kasan_unpoison_vmalloc+0x40/0x68 + Call trace: + kasan_unpoison+0x40/0x48 (P) + vrealloc_node_align_noprof+0x200/0x320 + bpf_patch_insn_data+0x90/0x2f0 + convert_ctx_accesses+0x8c0/0x1158 + bpf_check+0x1488/0x1900 + bpf_prog_load+0xd20/0x1258 + __sys_bpf+0x96c/0xdf0 + __arm64_sys_bpf+0x50/0xa0 + invoke_syscall+0x90/0x160 + +Introduce a dedicated kasan_vrealloc() helper that centralizes KASAN +handling for vmalloc reallocations. The helper accounts for KASAN granule +alignment when growing or shrinking an allocation and ensures that partial +granules are handled correctly. + +Use this helper from vrealloc_node_align_noprof() to fix poisoning logic. + +[ryabinin.a.a@gmail.com: move kasan_enabled() check, fix build] + Link: https://lkml.kernel.org/r/20260119144509.32767-1-ryabinin.a.a@gmail.com +Link: https://lkml.kernel.org/r/20260113191516.31015-1-ryabinin.a.a@gmail.com +Fixes: d699440f58ce ("mm: fix vrealloc()'s KASAN poisoning logic") +Signed-off-by: Andrey Ryabinin +Reported-by: Maciej Żenczykowski +Reported-by: +Closes: https://lkml.kernel.org/r/CANP3RGeuRW53vukDy7WDO3FiVgu34-xVJYkfpm08oLO3odYFrA@mail.gmail.com +Reviewed-by: Andrey Konovalov +Tested-by: Maciej Wieczor-Retman +Cc: Alexander Potapenko +Cc: Dmitriy Vyukov +Cc: Dmitry Vyukov +Cc: Uladzislau Rezki +Cc: Vincenzo Frascino +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/kasan.h | 14 ++++++++++++++ + mm/kasan/common.c | 21 +++++++++++++++++++++ + mm/vmalloc.c | 7 ++----- + 3 files changed, 37 insertions(+), 5 deletions(-) + +--- a/include/linux/kasan.h ++++ b/include/linux/kasan.h +@@ -618,6 +618,17 @@ kasan_unpoison_vmap_areas(struct vm_stru + __kasan_unpoison_vmap_areas(vms, nr_vms, flags); + } + ++void __kasan_vrealloc(const void *start, unsigned long old_size, ++ unsigned long new_size); ++ ++static __always_inline void kasan_vrealloc(const void *start, ++ unsigned long old_size, ++ unsigned long new_size) ++{ ++ if (kasan_enabled()) ++ __kasan_vrealloc(start, old_size, new_size); ++} ++ + #else /* CONFIG_KASAN_VMALLOC */ + + static inline void kasan_populate_early_vm_area_shadow(void *start, +@@ -647,6 +658,9 @@ kasan_unpoison_vmap_areas(struct vm_stru + kasan_vmalloc_flags_t flags) + { } + ++static inline void kasan_vrealloc(const void *start, unsigned long old_size, ++ unsigned long new_size) { } ++ + #endif /* CONFIG_KASAN_VMALLOC */ + + #if (defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)) && \ +--- a/mm/kasan/common.c ++++ b/mm/kasan/common.c +@@ -590,4 +590,25 @@ void __kasan_unpoison_vmap_areas(struct + __kasan_unpoison_vmalloc(addr, size, flags | KASAN_VMALLOC_KEEP_TAG); + } + } ++ ++void __kasan_vrealloc(const void *addr, unsigned long old_size, ++ unsigned long new_size) ++{ ++ if (new_size < old_size) { ++ kasan_poison_last_granule(addr, new_size); ++ ++ new_size = round_up(new_size, KASAN_GRANULE_SIZE); ++ old_size = round_up(old_size, KASAN_GRANULE_SIZE); ++ if (new_size < old_size) ++ __kasan_poison_vmalloc(addr + new_size, ++ old_size - new_size); ++ } else if (new_size > old_size) { ++ old_size = round_down(old_size, KASAN_GRANULE_SIZE); ++ __kasan_unpoison_vmalloc(addr + old_size, ++ new_size - old_size, ++ KASAN_VMALLOC_PROT_NORMAL | ++ KASAN_VMALLOC_VM_ALLOC | ++ KASAN_VMALLOC_KEEP_TAG); ++ } ++} + #endif +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -4109,7 +4109,7 @@ void *vrealloc_noprof(const void *p, siz + if (want_init_on_free() || want_init_on_alloc(flags)) + memset((void *)p + size, 0, old_size - size); + vm->requested_size = size; +- kasan_poison_vmalloc(p + size, old_size - size); ++ kasan_vrealloc(p, old_size, size); + return (void *)p; + } + +@@ -4117,16 +4117,13 @@ void *vrealloc_noprof(const void *p, siz + * We already have the bytes available in the allocation; use them. + */ + if (size <= alloced_size) { +- kasan_unpoison_vmalloc(p + old_size, size - old_size, +- KASAN_VMALLOC_PROT_NORMAL | +- KASAN_VMALLOC_VM_ALLOC | +- KASAN_VMALLOC_KEEP_TAG); + /* + * No need to zero memory here, as unused memory will have + * already been zeroed at initial allocation time or during + * realloc shrink time. + */ + vm->requested_size = size; ++ kasan_vrealloc(p, old_size, size); + return (void *)p; + } + diff --git a/queue-6.12/mm-memory-failure-fix-missing-mf_stats-count-in-hugetlb-poison.patch b/queue-6.12/mm-memory-failure-fix-missing-mf_stats-count-in-hugetlb-poison.patch new file mode 100644 index 0000000000..eb679490d5 --- /dev/null +++ b/queue-6.12/mm-memory-failure-fix-missing-mf_stats-count-in-hugetlb-poison.patch @@ -0,0 +1,230 @@ +From a148a2040191b12b45b82cb29c281cb3036baf90 Mon Sep 17 00:00:00 2001 +From: Jane Chu +Date: Tue, 20 Jan 2026 16:22:33 -0700 +Subject: mm/memory-failure: fix missing ->mf_stats count in hugetlb poison + +From: Jane Chu + +commit a148a2040191b12b45b82cb29c281cb3036baf90 upstream. + +When a newly poisoned subpage ends up in an already poisoned hugetlb +folio, 'num_poisoned_pages' is incremented, but the per node ->mf_stats is +not. Fix the inconsistency by designating action_result() to update them +both. + +While at it, define __get_huge_page_for_hwpoison() return values in terms +of symbol names for better readibility. Also rename +folio_set_hugetlb_hwpoison() to hugetlb_update_hwpoison() since the +function does more than the conventional bit setting and the fact three +possible return values are expected. + +Link: https://lkml.kernel.org/r/20260120232234.3462258-1-jane.chu@oracle.com +Fixes: 18f41fa616ee ("mm: memory-failure: bump memory failure stats to pglist_data") +Signed-off-by: Jane Chu +Acked-by: Miaohe Lin +Cc: Chris Mason +Cc: David Hildenbrand +Cc: David Rientjes +Cc: Jiaqi Yan +Cc: Liam R. Howlett +Cc: Lorenzo Stoakes +Cc: Matthew Wilcox (Oracle) +Cc: Michal Hocko +Cc: Mike Rapoport +Cc: Muchun Song +Cc: Naoya Horiguchi +Cc: Oscar Salvador +Cc: Suren Baghdasaryan +Cc: William Roche +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory-failure.c | 93 +++++++++++++++++++++++++++++++--------------------- + 1 file changed, 56 insertions(+), 37 deletions(-) + +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -1937,12 +1937,22 @@ static unsigned long __folio_free_raw_hw + return count; + } + +-static int folio_set_hugetlb_hwpoison(struct folio *folio, struct page *page) ++#define MF_HUGETLB_FREED 0 /* freed hugepage */ ++#define MF_HUGETLB_IN_USED 1 /* in-use hugepage */ ++#define MF_HUGETLB_NON_HUGEPAGE 2 /* not a hugepage */ ++#define MF_HUGETLB_FOLIO_PRE_POISONED 3 /* folio already poisoned */ ++#define MF_HUGETLB_PAGE_PRE_POISONED 4 /* exact page already poisoned */ ++#define MF_HUGETLB_RETRY 5 /* hugepage is busy, retry */ ++/* ++ * Set hugetlb folio as hwpoisoned, update folio private raw hwpoison list ++ * to keep track of the poisoned pages. ++ */ ++static int hugetlb_update_hwpoison(struct folio *folio, struct page *page) + { + struct llist_head *head; + struct raw_hwp_page *raw_hwp; + struct raw_hwp_page *p; +- int ret = folio_test_set_hwpoison(folio) ? -EHWPOISON : 0; ++ int ret = folio_test_set_hwpoison(folio) ? MF_HUGETLB_FOLIO_PRE_POISONED : 0; + + /* + * Once the hwpoison hugepage has lost reliable raw error info, +@@ -1950,20 +1960,17 @@ static int folio_set_hugetlb_hwpoison(st + * so skip to add additional raw error info. + */ + if (folio_test_hugetlb_raw_hwp_unreliable(folio)) +- return -EHWPOISON; ++ return MF_HUGETLB_FOLIO_PRE_POISONED; + head = raw_hwp_list_head(folio); + llist_for_each_entry(p, head->first, node) { + if (p->page == page) +- return -EHWPOISON; ++ return MF_HUGETLB_PAGE_PRE_POISONED; + } + + raw_hwp = kmalloc(sizeof(struct raw_hwp_page), GFP_ATOMIC); + if (raw_hwp) { + raw_hwp->page = page; + llist_add(&raw_hwp->node, head); +- /* the first error event will be counted in action_result(). */ +- if (ret) +- num_poisoned_pages_inc(page_to_pfn(page)); + } else { + /* + * Failed to save raw error info. We no longer trace all +@@ -2011,42 +2018,39 @@ void folio_clear_hugetlb_hwpoison(struct + + /* + * Called from hugetlb code with hugetlb_lock held. +- * +- * Return values: +- * 0 - free hugepage +- * 1 - in-use hugepage +- * 2 - not a hugepage +- * -EBUSY - the hugepage is busy (try to retry) +- * -EHWPOISON - the hugepage is already hwpoisoned + */ + int __get_huge_page_for_hwpoison(unsigned long pfn, int flags, + bool *migratable_cleared) + { + struct page *page = pfn_to_page(pfn); + struct folio *folio = page_folio(page); +- int ret = 2; /* fallback to normal page handling */ + bool count_increased = false; ++ int ret, rc; + +- if (!folio_test_hugetlb(folio)) ++ if (!folio_test_hugetlb(folio)) { ++ ret = MF_HUGETLB_NON_HUGEPAGE; + goto out; +- +- if (flags & MF_COUNT_INCREASED) { +- ret = 1; ++ } else if (flags & MF_COUNT_INCREASED) { ++ ret = MF_HUGETLB_IN_USED; + count_increased = true; + } else if (folio_test_hugetlb_freed(folio)) { +- ret = 0; ++ ret = MF_HUGETLB_FREED; + } else if (folio_test_hugetlb_migratable(folio)) { +- ret = folio_try_get(folio); +- if (ret) ++ if (folio_try_get(folio)) { ++ ret = MF_HUGETLB_IN_USED; + count_increased = true; ++ } else { ++ ret = MF_HUGETLB_FREED; ++ } + } else { +- ret = -EBUSY; ++ ret = MF_HUGETLB_RETRY; + if (!(flags & MF_NO_RETRY)) + goto out; + } + +- if (folio_set_hugetlb_hwpoison(folio, page)) { +- ret = -EHWPOISON; ++ rc = hugetlb_update_hwpoison(folio, page); ++ if (rc >= MF_HUGETLB_FOLIO_PRE_POISONED) { ++ ret = rc; + goto out; + } + +@@ -2071,10 +2075,16 @@ out: + * with basic operations like hugepage allocation/free/demotion. + * So some of prechecks for hwpoison (pinning, and testing/setting + * PageHWPoison) should be done in single hugetlb_lock range. ++ * Returns: ++ * 0 - not hugetlb, or recovered ++ * -EBUSY - not recovered ++ * -EOPNOTSUPP - hwpoison_filter'ed ++ * -EHWPOISON - folio or exact page already poisoned ++ * -EFAULT - kill_accessing_process finds current->mm null + */ + static int try_memory_failure_hugetlb(unsigned long pfn, int flags, int *hugetlb) + { +- int res; ++ int res, rv; + struct page *p = pfn_to_page(pfn); + struct folio *folio; + unsigned long page_flags; +@@ -2083,22 +2093,31 @@ static int try_memory_failure_hugetlb(un + *hugetlb = 1; + retry: + res = get_huge_page_for_hwpoison(pfn, flags, &migratable_cleared); +- if (res == 2) { /* fallback to normal page handling */ ++ switch (res) { ++ case MF_HUGETLB_NON_HUGEPAGE: /* fallback to normal page handling */ + *hugetlb = 0; + return 0; +- } else if (res == -EHWPOISON) { +- if (flags & MF_ACTION_REQUIRED) { +- folio = page_folio(p); +- res = kill_accessing_process(current, folio_pfn(folio), flags); +- } +- action_result(pfn, MF_MSG_ALREADY_POISONED, MF_FAILED); +- return res; +- } else if (res == -EBUSY) { ++ case MF_HUGETLB_RETRY: + if (!(flags & MF_NO_RETRY)) { + flags |= MF_NO_RETRY; + goto retry; + } + return action_result(pfn, MF_MSG_GET_HWPOISON, MF_IGNORED); ++ case MF_HUGETLB_FOLIO_PRE_POISONED: ++ case MF_HUGETLB_PAGE_PRE_POISONED: ++ rv = -EHWPOISON; ++ if (flags & MF_ACTION_REQUIRED) { ++ folio = page_folio(p); ++ rv = kill_accessing_process(current, folio_pfn(folio), flags); ++ } ++ if (res == MF_HUGETLB_PAGE_PRE_POISONED) ++ action_result(pfn, MF_MSG_ALREADY_POISONED, MF_FAILED); ++ else ++ action_result(pfn, MF_MSG_HUGE, MF_FAILED); ++ return rv; ++ default: ++ WARN_ON((res != MF_HUGETLB_FREED) && (res != MF_HUGETLB_IN_USED)); ++ break; + } + + folio = page_folio(p); +@@ -2109,7 +2128,7 @@ retry: + if (migratable_cleared) + folio_set_hugetlb_migratable(folio); + folio_unlock(folio); +- if (res == 1) ++ if (res == MF_HUGETLB_IN_USED) + folio_put(folio); + return -EOPNOTSUPP; + } +@@ -2118,7 +2137,7 @@ retry: + * Handling free hugepage. The possible race with hugepage allocation + * or demotion can be prevented by PageHWPoison flag. + */ +- if (res == 0) { ++ if (res == MF_HUGETLB_FREED) { + folio_unlock(folio); + if (__page_handle_poison(p) > 0) { + page_ref_inc(p); diff --git a/queue-6.12/mm-memory-failure-teach-kill_accessing_process-to-accept-hugetlb-tail-page-pfn.patch b/queue-6.12/mm-memory-failure-teach-kill_accessing_process-to-accept-hugetlb-tail-page-pfn.patch new file mode 100644 index 0000000000..60354ec0f8 --- /dev/null +++ b/queue-6.12/mm-memory-failure-teach-kill_accessing_process-to-accept-hugetlb-tail-page-pfn.patch @@ -0,0 +1,86 @@ +From 057a6f2632c956483e2b2628477f0fcd1cd8a844 Mon Sep 17 00:00:00 2001 +From: Jane Chu +Date: Tue, 20 Jan 2026 16:22:34 -0700 +Subject: mm/memory-failure: teach kill_accessing_process to accept hugetlb tail page pfn + +From: Jane Chu + +commit 057a6f2632c956483e2b2628477f0fcd1cd8a844 upstream. + +When a hugetlb folio is being poisoned again, try_memory_failure_hugetlb() +passed head pfn to kill_accessing_process(), that is not right. The +precise pfn of the poisoned page should be used in order to determine the +precise vaddr as the SIGBUS payload. + +This issue has already been taken care of in the normal path, that is, +hwpoison_user_mappings(), see [1][2]. Further more, for [3] to work +correctly in the hugetlb repoisoning case, it's essential to inform VM the +precise poisoned page, not the head page. + +[1] https://lkml.kernel.org/r/20231218135837.3310403-1-willy@infradead.org +[2] https://lkml.kernel.org/r/20250224211445.2663312-1-jane.chu@oracle.com +[3] https://lore.kernel.org/lkml/20251116013223.1557158-1-jiaqiyan@google.com/ + +Link: https://lkml.kernel.org/r/20260120232234.3462258-2-jane.chu@oracle.com +Signed-off-by: Jane Chu +Reviewed-by: Liam R. Howlett +Acked-by: Miaohe Lin +Cc: Chris Mason +Cc: David Hildenbrand +Cc: David Rientjes +Cc: Jiaqi Yan +Cc: Lorenzo Stoakes +Cc: Matthew Wilcox (Oracle) +Cc: Michal Hocko +Cc: Mike Rapoport +Cc: Muchun Song +Cc: Naoya Horiguchi +Cc: Oscar Salvador +Cc: Suren Baghdasaryan +Cc: William Roche +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory-failure.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -754,6 +754,8 @@ static int check_hwpoisoned_entry(pte_t + unsigned long poisoned_pfn, struct to_kill *tk) + { + unsigned long pfn = 0; ++ unsigned long hwpoison_vaddr; ++ unsigned long mask; + + if (pte_present(pte)) { + pfn = pte_pfn(pte); +@@ -764,10 +766,12 @@ static int check_hwpoisoned_entry(pte_t + pfn = swp_offset_pfn(swp); + } + +- if (!pfn || pfn != poisoned_pfn) ++ mask = ~((1UL << (shift - PAGE_SHIFT)) - 1); ++ if (!pfn || pfn != (poisoned_pfn & mask)) + return 0; + +- set_to_kill(tk, addr, shift); ++ hwpoison_vaddr = addr + ((poisoned_pfn - pfn) << PAGE_SHIFT); ++ set_to_kill(tk, hwpoison_vaddr, shift); + return 1; + } + +@@ -2106,10 +2110,8 @@ retry: + case MF_HUGETLB_FOLIO_PRE_POISONED: + case MF_HUGETLB_PAGE_PRE_POISONED: + rv = -EHWPOISON; +- if (flags & MF_ACTION_REQUIRED) { +- folio = page_folio(p); +- rv = kill_accessing_process(current, folio_pfn(folio), flags); +- } ++ if (flags & MF_ACTION_REQUIRED) ++ rv = kill_accessing_process(current, pfn, flags); + if (res == MF_HUGETLB_PAGE_PRE_POISONED) + action_result(pfn, MF_MSG_ALREADY_POISONED, MF_FAILED); + else diff --git a/queue-6.12/mm-shmem-swap-fix-race-of-truncate-and-swap-entry-split.patch b/queue-6.12/mm-shmem-swap-fix-race-of-truncate-and-swap-entry-split.patch new file mode 100644 index 0000000000..12f00ad78d --- /dev/null +++ b/queue-6.12/mm-shmem-swap-fix-race-of-truncate-and-swap-entry-split.patch @@ -0,0 +1,130 @@ +From 8a1968bd997f45a9b11aefeabdd1232e1b6c7184 Mon Sep 17 00:00:00 2001 +From: Kairui Song +Date: Tue, 20 Jan 2026 00:11:21 +0800 +Subject: mm/shmem, swap: fix race of truncate and swap entry split + +From: Kairui Song + +commit 8a1968bd997f45a9b11aefeabdd1232e1b6c7184 upstream. + +The helper for shmem swap freeing is not handling the order of swap +entries correctly. It uses xa_cmpxchg_irq to erase the swap entry, but it +gets the entry order before that using xa_get_order without lock +protection, and it may get an outdated order value if the entry is split +or changed in other ways after the xa_get_order and before the +xa_cmpxchg_irq. + +And besides, the order could grow and be larger than expected, and cause +truncation to erase data beyond the end border. For example, if the +target entry and following entries are swapped in or freed, then a large +folio was added in place and swapped out, using the same entry, the +xa_cmpxchg_irq will still succeed, it's very unlikely to happen though. + +To fix that, open code the Xarray cmpxchg and put the order retrieval and +value checking in the same critical section. Also, ensure the order won't +exceed the end border, skip it if the entry goes across the border. + +Skipping large swap entries crosses the end border is safe here. Shmem +truncate iterates the range twice, in the first iteration, +find_lock_entries already filtered such entries, and shmem will swapin the +entries that cross the end border and partially truncate the folio (split +the folio or at least zero part of it). So in the second loop here, if we +see a swap entry that crosses the end order, it must at least have its +content erased already. + +I observed random swapoff hangs and kernel panics when stress testing +ZSWAP with shmem. After applying this patch, all problems are gone. + +Link: https://lkml.kernel.org/r/20260120-shmem-swap-fix-v3-1-3d33ebfbc057@tencent.com +Fixes: 809bc86517cc ("mm: shmem: support large folio swap out") +Signed-off-by: Kairui Song +Reviewed-by: Nhat Pham +Acked-by: Chris Li +Cc: Baolin Wang +Cc: Baoquan He +Cc: Barry Song +Cc: Hugh Dickins +Cc: Kemeng Shi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/shmem.c | 45 ++++++++++++++++++++++++++++++++++----------- + 1 file changed, 34 insertions(+), 11 deletions(-) + +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -860,17 +860,29 @@ static void shmem_delete_from_page_cache + * being freed). + */ + static long shmem_free_swap(struct address_space *mapping, +- pgoff_t index, void *radswap) ++ pgoff_t index, pgoff_t end, void *radswap) + { +- int order = xa_get_order(&mapping->i_pages, index); +- void *old; ++ XA_STATE(xas, &mapping->i_pages, index); ++ unsigned int nr_pages = 0; ++ pgoff_t base; ++ void *entry; ++ ++ xas_lock_irq(&xas); ++ entry = xas_load(&xas); ++ if (entry == radswap) { ++ nr_pages = 1 << xas_get_order(&xas); ++ base = round_down(xas.xa_index, nr_pages); ++ if (base < index || base + nr_pages - 1 > end) ++ nr_pages = 0; ++ else ++ xas_store(&xas, NULL); ++ } ++ xas_unlock_irq(&xas); + +- old = xa_cmpxchg_irq(&mapping->i_pages, index, radswap, NULL, 0); +- if (old != radswap) +- return 0; +- free_swap_and_cache_nr(radix_to_swp_entry(radswap), 1 << order); ++ if (nr_pages) ++ free_swap_and_cache_nr(radix_to_swp_entry(radswap), nr_pages); + +- return 1 << order; ++ return nr_pages; + } + + /* +@@ -1022,8 +1034,8 @@ static void shmem_undo_range(struct inod + if (xa_is_value(folio)) { + if (unfalloc) + continue; +- nr_swaps_freed += shmem_free_swap(mapping, +- indices[i], folio); ++ nr_swaps_freed += shmem_free_swap(mapping, indices[i], ++ end - 1, folio); + continue; + } + +@@ -1089,12 +1101,23 @@ whole_folios: + folio = fbatch.folios[i]; + + if (xa_is_value(folio)) { ++ int order; + long swaps_freed; + + if (unfalloc) + continue; +- swaps_freed = shmem_free_swap(mapping, indices[i], folio); ++ swaps_freed = shmem_free_swap(mapping, indices[i], ++ end - 1, folio); + if (!swaps_freed) { ++ /* ++ * If found a large swap entry cross the end border, ++ * skip it as the truncate_inode_partial_folio above ++ * should have at least zerod its content once. ++ */ ++ order = shmem_confirm_swap(mapping, indices[i], ++ radix_to_swp_entry(folio)); ++ if (order > 0 && indices[i] + (1 << order) > end) ++ continue; + /* Swap was replaced by page: retry */ + index = indices[i]; + break; diff --git a/queue-6.12/mptcp-only-reset-subflow-errors-when-propagated.patch b/queue-6.12/mptcp-only-reset-subflow-errors-when-propagated.patch new file mode 100644 index 0000000000..91f3ab538b --- /dev/null +++ b/queue-6.12/mptcp-only-reset-subflow-errors-when-propagated.patch @@ -0,0 +1,57 @@ +From dccf46179ddd6c04c14be8ed584dc54665f53f0e Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Tue, 27 Jan 2026 20:27:25 +0100 +Subject: mptcp: only reset subflow errors when propagated + +From: Matthieu Baerts (NGI0) + +commit dccf46179ddd6c04c14be8ed584dc54665f53f0e upstream. + +Some subflow socket errors need to be reported to the MPTCP socket: the +initial subflow connect (MP_CAPABLE), and the ones from the fallback +sockets. The others are not propagated. + +The issue is that sock_error() was used to retrieve the error, which was +also resetting the sk_err field. Because of that, when notifying the +userspace about subflow close events later on from the MPTCP worker, the +ssk->sk_err field was always 0. + +Now, the error (sk_err) is only reset when propagating it to the msk. + +Fixes: 15cc10453398 ("mptcp: deliver ssk errors to msk") +Cc: stable@vger.kernel.org +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260127-net-mptcp-dup-nl-events-v1-3-7f71e1bc4feb@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -798,11 +798,8 @@ static bool __mptcp_ofo_queue(struct mpt + + static bool __mptcp_subflow_error_report(struct sock *sk, struct sock *ssk) + { +- int err = sock_error(ssk); + int ssk_state; +- +- if (!err) +- return false; ++ int err; + + /* only propagate errors on fallen-back sockets or + * on MPC connect +@@ -810,6 +807,10 @@ static bool __mptcp_subflow_error_report + if (sk->sk_state != TCP_SYN_SENT && !__mptcp_check_fallback(mptcp_sk(sk))) + return false; + ++ err = sock_error(ssk); ++ if (!err) ++ return false; ++ + /* We need to propagate only transition to CLOSE state. + * Orphaned socket will see such state change via + * subflow_sched_work_if_closed() and that path will properly diff --git a/queue-6.12/net-fix-segmentation-of-forwarding-fraglist-gro.patch b/queue-6.12/net-fix-segmentation-of-forwarding-fraglist-gro.patch new file mode 100644 index 0000000000..53765e5d30 --- /dev/null +++ b/queue-6.12/net-fix-segmentation-of-forwarding-fraglist-gro.patch @@ -0,0 +1,99 @@ +From 426ca15c7f6cb6562a081341ca88893a50c59fa2 Mon Sep 17 00:00:00 2001 +From: Jibin Zhang +Date: Mon, 26 Jan 2026 23:21:11 +0800 +Subject: net: fix segmentation of forwarding fraglist GRO + +From: Jibin Zhang + +commit 426ca15c7f6cb6562a081341ca88893a50c59fa2 upstream. + +This patch enhances GSO segment handling by properly checking +the SKB_GSO_DODGY flag for frag_list GSO packets, addressing +low throughput issues observed when a station accesses IPv4 +servers via hotspots with an IPv6-only upstream interface. + +Specifically, it fixes a bug in GSO segmentation when forwarding +GRO packets containing a frag_list. The function skb_segment_list +cannot correctly process GRO skbs that have been converted by XLAT, +since XLAT only translates the header of the head skb. Consequently, +skbs in the frag_list may remain untranslated, resulting in protocol +inconsistencies and reduced throughput. + +To address this, the patch explicitly sets the SKB_GSO_DODGY flag +for GSO packets in XLAT's IPv4/IPv6 protocol translation helpers +(bpf_skb_proto_4_to_6 and bpf_skb_proto_6_to_4). This marks GSO +packets as potentially modified after protocol translation. As a +result, GSO segmentation will avoid using skb_segment_list and +instead falls back to skb_segment for packets with the SKB_GSO_DODGY +flag. This ensures that only safe and fully translated frag_list +packets are processed by skb_segment_list, resolving protocol +inconsistencies and improving throughput when forwarding GRO packets +converted by XLAT. + +Signed-off-by: Jibin Zhang +Fixes: 9fd1ff5d2ac7 ("udp: Support UDP fraglist GRO/GSO.") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260126152114.1211-1-jibin.zhang@mediatek.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/core/filter.c | 2 ++ + net/ipv4/tcp_offload.c | 3 ++- + net/ipv4/udp_offload.c | 3 ++- + net/ipv6/tcpv6_offload.c | 3 ++- + 4 files changed, 8 insertions(+), 3 deletions(-) + +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -3360,6 +3360,7 @@ static int bpf_skb_proto_4_to_6(struct s + shinfo->gso_type &= ~SKB_GSO_TCPV4; + shinfo->gso_type |= SKB_GSO_TCPV6; + } ++ shinfo->gso_type |= SKB_GSO_DODGY; + } + + bpf_skb_change_protocol(skb, ETH_P_IPV6); +@@ -3390,6 +3391,7 @@ static int bpf_skb_proto_6_to_4(struct s + shinfo->gso_type &= ~SKB_GSO_TCPV6; + shinfo->gso_type |= SKB_GSO_TCPV4; + } ++ shinfo->gso_type |= SKB_GSO_DODGY; + } + + bpf_skb_change_protocol(skb, ETH_P_IP); +--- a/net/ipv4/tcp_offload.c ++++ b/net/ipv4/tcp_offload.c +@@ -107,7 +107,8 @@ static struct sk_buff *tcp4_gso_segment( + if (skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST) { + struct tcphdr *th = tcp_hdr(skb); + +- if (skb_pagelen(skb) - th->doff * 4 == skb_shinfo(skb)->gso_size) ++ if ((skb_pagelen(skb) - th->doff * 4 == skb_shinfo(skb)->gso_size) && ++ !(skb_shinfo(skb)->gso_type & SKB_GSO_DODGY)) + return __tcp4_gso_segment_list(skb, features); + + skb->ip_summed = CHECKSUM_NONE; +--- a/net/ipv4/udp_offload.c ++++ b/net/ipv4/udp_offload.c +@@ -358,7 +358,8 @@ struct sk_buff *__udp_gso_segment(struct + + if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST) { + /* Detect modified geometry and pass those to skb_segment. */ +- if (skb_pagelen(gso_skb) - sizeof(*uh) == skb_shinfo(gso_skb)->gso_size) ++ if ((skb_pagelen(gso_skb) - sizeof(*uh) == skb_shinfo(gso_skb)->gso_size) && ++ !(skb_shinfo(gso_skb)->gso_type & SKB_GSO_DODGY)) + return __udp_gso_segment_list(gso_skb, features, is_ipv6); + + ret = __skb_linearize(gso_skb); +--- a/net/ipv6/tcpv6_offload.c ++++ b/net/ipv6/tcpv6_offload.c +@@ -171,7 +171,8 @@ static struct sk_buff *tcp6_gso_segment( + if (skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST) { + struct tcphdr *th = tcp_hdr(skb); + +- if (skb_pagelen(skb) - th->doff * 4 == skb_shinfo(skb)->gso_size) ++ if ((skb_pagelen(skb) - th->doff * 4 == skb_shinfo(skb)->gso_size) && ++ !(skb_shinfo(skb)->gso_type & SKB_GSO_DODGY)) + return __tcp6_gso_segment_list(skb, features); + + skb->ip_summed = CHECKSUM_NONE; diff --git a/queue-6.12/nvmet-fix-race-in-nvmet_bio_done-leading-to-null-pointer-dereference.patch b/queue-6.12/nvmet-fix-race-in-nvmet_bio_done-leading-to-null-pointer-dereference.patch new file mode 100644 index 0000000000..268a5e6346 --- /dev/null +++ b/queue-6.12/nvmet-fix-race-in-nvmet_bio_done-leading-to-null-pointer-dereference.patch @@ -0,0 +1,61 @@ +From 0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Wed, 21 Jan 2026 17:38:54 +0800 +Subject: nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference + +From: Ming Lei + +commit 0fcee2cfc4b2e16e62ff8e0cc2cd8dd24efad65e upstream. + +There is a race condition in nvmet_bio_done() that can cause a NULL +pointer dereference in blk_cgroup_bio_start(): + +1. nvmet_bio_done() is called when a bio completes +2. nvmet_req_complete() is called, which invokes req->ops->queue_response(req) +3. The queue_response callback can re-queue and re-submit the same request +4. The re-submission reuses the same inline_bio from nvmet_req +5. Meanwhile, nvmet_req_bio_put() (called after nvmet_req_complete) + invokes bio_uninit() for inline_bio, which sets bio->bi_blkg to NULL +6. The re-submitted bio enters submit_bio_noacct_nocheck() +7. blk_cgroup_bio_start() dereferences bio->bi_blkg, causing a crash: + + BUG: kernel NULL pointer dereference, address: 0000000000000028 + #PF: supervisor read access in kernel mode + RIP: 0010:blk_cgroup_bio_start+0x10/0xd0 + Call Trace: + submit_bio_noacct_nocheck+0x44/0x250 + nvmet_bdev_execute_rw+0x254/0x370 [nvmet] + process_one_work+0x193/0x3c0 + worker_thread+0x281/0x3a0 + +Fix this by reordering nvmet_bio_done() to call nvmet_req_bio_put() +BEFORE nvmet_req_complete(). This ensures the bio is cleaned up before +the request can be re-submitted, preventing the race condition. + +Fixes: 190f4c2c863a ("nvmet: fix memory leak of bio integrity") +Cc: Dmitry Bogdanov +Cc: stable@vger.kernel.org +Cc: Guangwu Zhang +Link: http://www.mail-archive.com/debian-kernel@lists.debian.org/msg146238.html +Reviewed-by: Christoph Hellwig +Signed-off-by: Ming Lei +Signed-off-by: Keith Busch +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/target/io-cmd-bdev.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/nvme/target/io-cmd-bdev.c ++++ b/drivers/nvme/target/io-cmd-bdev.c +@@ -176,9 +176,10 @@ u16 blk_to_nvme_status(struct nvmet_req + static void nvmet_bio_done(struct bio *bio) + { + struct nvmet_req *req = bio->bi_private; ++ blk_status_t blk_status = bio->bi_status; + +- nvmet_req_complete(req, blk_to_nvme_status(req, bio->bi_status)); + nvmet_req_bio_put(req, bio); ++ nvmet_req_complete(req, blk_to_nvme_status(req, blk_status)); + } + + #ifdef CONFIG_BLK_DEV_INTEGRITY diff --git a/queue-6.12/pinctrl-meson-mark-the-gpio-controller-as-sleeping.patch b/queue-6.12/pinctrl-meson-mark-the-gpio-controller-as-sleeping.patch new file mode 100644 index 0000000000..088750dd84 --- /dev/null +++ b/queue-6.12/pinctrl-meson-mark-the-gpio-controller-as-sleeping.patch @@ -0,0 +1,90 @@ +From 28f24068387169722b508bba6b5257cb68b86e74 Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Mon, 5 Jan 2026 16:05:08 +0100 +Subject: pinctrl: meson: mark the GPIO controller as sleeping + +From: Bartosz Golaszewski + +commit 28f24068387169722b508bba6b5257cb68b86e74 upstream. + +The GPIO controller is configured as non-sleeping but it uses generic +pinctrl helpers which use a mutex for synchronization. + +This can cause the following lockdep splat with shared GPIOs enabled on +boards which have multiple devices using the same GPIO: + +BUG: sleeping function called from invalid context at +kernel/locking/mutex.c:591 +in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 142, name: +kworker/u25:3 +preempt_count: 1, expected: 0 +RCU nest depth: 0, expected: 0 +INFO: lockdep is turned off. +irq event stamp: 46379 +hardirqs last enabled at (46379): [] +_raw_spin_unlock_irqrestore+0x74/0x78 +hardirqs last disabled at (46378): [] +_raw_spin_lock_irqsave+0x84/0x88 +softirqs last enabled at (46330): [] +handle_softirqs+0x4c4/0x4dc +softirqs last disabled at (46295): [] +__do_softirq+0x14/0x20 +CPU: 1 UID: 0 PID: 142 Comm: kworker/u25:3 Tainted: G C +6.19.0-rc4-next-20260105+ #11963 PREEMPT +Tainted: [C]=CRAP +Hardware name: Khadas VIM3 (DT) +Workqueue: events_unbound deferred_probe_work_func +Call trace: + show_stack+0x18/0x24 (C) + dump_stack_lvl+0x90/0xd0 + dump_stack+0x18/0x24 + __might_resched+0x144/0x248 + __might_sleep+0x48/0x98 + __mutex_lock+0x5c/0x894 + mutex_lock_nested+0x24/0x30 + pinctrl_get_device_gpio_range+0x44/0x128 + pinctrl_gpio_set_config+0x40/0xdc + gpiochip_generic_config+0x28/0x3c + gpio_do_set_config+0xa8/0x194 + gpiod_set_config+0x34/0xfc + gpio_shared_proxy_set_config+0x6c/0xfc [gpio_shared_proxy] + gpio_do_set_config+0xa8/0x194 + gpiod_set_transitory+0x4c/0xf0 + gpiod_configure_flags+0xa4/0x480 + gpiod_find_and_request+0x1a0/0x574 + gpiod_get_index+0x58/0x84 + devm_gpiod_get_index+0x20/0xb4 + devm_gpiod_get+0x18/0x24 + mmc_pwrseq_emmc_probe+0x40/0xb8 + platform_probe+0x5c/0xac + really_probe+0xbc/0x298 + __driver_probe_device+0x78/0x12c + driver_probe_device+0xdc/0x164 + __device_attach_driver+0xb8/0x138 + bus_for_each_drv+0x80/0xdc + __device_attach+0xa8/0x1b0 + +Fixes: 6ac730951104 ("pinctrl: add driver for Amlogic Meson SoCs") +Cc: stable@vger.kernel.org +Reported-by: Marek Szyprowski +Closes: https://lore.kernel.org/all/00107523-7737-4b92-a785-14ce4e93b8cb@samsung.com/ +Signed-off-by: Bartosz Golaszewski +Reviewed-by: Martin Blumenstingl +Reviewed-by: Neil Armstrong +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/meson/pinctrl-meson.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pinctrl/meson/pinctrl-meson.c ++++ b/drivers/pinctrl/meson/pinctrl-meson.c +@@ -619,7 +619,7 @@ static int meson_gpiolib_register(struct + pc->chip.set = meson_gpio_set; + pc->chip.base = -1; + pc->chip.ngpio = pc->data->num_pins; +- pc->chip.can_sleep = false; ++ pc->chip.can_sleep = true; + + ret = gpiochip_add_data(&pc->chip, pc); + if (ret) { diff --git a/queue-6.12/riscv-compat-fix-compat_uts_machine-definition.patch b/queue-6.12/riscv-compat-fix-compat_uts_machine-definition.patch new file mode 100644 index 0000000000..17d03e3d92 --- /dev/null +++ b/queue-6.12/riscv-compat-fix-compat_uts_machine-definition.patch @@ -0,0 +1,34 @@ +From 0ea05c4f7527a98f5946f96c829733788934311d Mon Sep 17 00:00:00 2001 +From: Han Gao +Date: Wed, 28 Jan 2026 03:07:11 +0800 +Subject: riscv: compat: fix COMPAT_UTS_MACHINE definition + +From: Han Gao + +commit 0ea05c4f7527a98f5946f96c829733788934311d upstream. + +The COMPAT_UTS_MACHINE for riscv was incorrectly defined as "riscv". +Change it to "riscv32" to reflect the correct 32-bit compat name. + +Fixes: 06d0e3723647 ("riscv: compat: Add basic compat data type implementation") +Cc: stable@vger.kernel.org +Signed-off-by: Han Gao +Reviewed-by: Guo Ren (Alibaba Damo Academy) +Link: https://patch.msgid.link/20260127190711.2264664-1-gaohan@iscas.ac.cn +Signed-off-by: Paul Walmsley +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/compat.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/riscv/include/asm/compat.h ++++ b/arch/riscv/include/asm/compat.h +@@ -2,7 +2,7 @@ + #ifndef __ASM_COMPAT_H + #define __ASM_COMPAT_H + +-#define COMPAT_UTS_MACHINE "riscv\0\0" ++#define COMPAT_UTS_MACHINE "riscv32\0\0" + + /* + * Architecture specific compatibility types diff --git a/queue-6.12/rust-kbuild-give-config-path-to-rustfmt-in-.rsi-target.patch b/queue-6.12/rust-kbuild-give-config-path-to-rustfmt-in-.rsi-target.patch new file mode 100644 index 0000000000..4f3d9d0154 --- /dev/null +++ b/queue-6.12/rust-kbuild-give-config-path-to-rustfmt-in-.rsi-target.patch @@ -0,0 +1,66 @@ +From af20ae33e7dd949f2e770198e74ac8f058cb299d Mon Sep 17 00:00:00 2001 +From: Miguel Ojeda +Date: Thu, 15 Jan 2026 19:38:32 +0100 +Subject: rust: kbuild: give `--config-path` to `rustfmt` in `.rsi` target + +From: Miguel Ojeda + +commit af20ae33e7dd949f2e770198e74ac8f058cb299d upstream. + +`rustfmt` is configured via the `.rustfmt.toml` file in the source tree, +and we apply `rustfmt` to the macro expanded sources generated by the +`.rsi` target. + +However, under an `O=` pointing to an external folder (i.e. not just +a subdir), `rustfmt` will not find the file when checking the parent +folders. Since the edition is configured in this file, this can lead to +errors when it encounters newer syntax, e.g. + + error: expected one of `!`, `.`, `::`, `;`, `?`, `where`, `{`, or an operator, found `"rust_minimal"` + --> samples/rust/rust_minimal.rsi:29:49 + | + 28 | impl ::kernel::ModuleMetadata for RustMinimal { + | - while parsing this item list starting here + 29 | const NAME: &'static ::kernel::str::CStr = c"rust_minimal"; + | ^^^^^^^^^^^^^^ expected one of 8 possible tokens + 30 | } + | - the item list ends here + | + = note: you may be trying to write a c-string literal + = note: c-string literals require Rust 2021 or later + = help: pass `--edition 2024` to `rustc` + = note: for more on editions, read https://doc.rust-lang.org/edition-guide + +A workaround is to use `RUSTFMT=n`, which is documented in the `Makefile` +help for cases where macro expanded source may happen to break `rustfmt` +for other reasons, but this is not one of those cases. + +One solution would be to pass `--edition`, but we want `rustfmt` to +use the entire configuration, even if currently we essentially use the +default configuration. + +Thus explicitly give the path to the config file to `rustfmt` instead. + +Reported-by: Alice Ryhl +Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support") +Cc: stable@vger.kernel.org +Reviewed-by: Nathan Chancellor +Reviewed-by: Gary Guo +Link: https://patch.msgid.link/20260115183832.46595-1-ojeda@kernel.org +Signed-off-by: Miguel Ojeda +Signed-off-by: Greg Kroah-Hartman +--- + scripts/Makefile.build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/scripts/Makefile.build ++++ b/scripts/Makefile.build +@@ -286,7 +286,7 @@ $(obj)/%.o: $(obj)/%.rs FORCE + quiet_cmd_rustc_rsi_rs = $(RUSTC_OR_CLIPPY_QUIET) $(quiet_modtag) $@ + cmd_rustc_rsi_rs = \ + $(rust_common_cmd) -Zunpretty=expanded $< >$@; \ +- command -v $(RUSTFMT) >/dev/null && $(RUSTFMT) $@ ++ command -v $(RUSTFMT) >/dev/null && $(RUSTFMT) --config-path $(srctree)/.rustfmt.toml $@ + + $(obj)/%.rsi: $(obj)/%.rs FORCE + +$(call if_changed_dep,rustc_rsi_rs) diff --git a/queue-6.12/rust-rbtree-fix-documentation-typo-in-cursormut-peek_next-method.patch b/queue-6.12/rust-rbtree-fix-documentation-typo-in-cursormut-peek_next-method.patch new file mode 100644 index 0000000000..2a7d1a2a2b --- /dev/null +++ b/queue-6.12/rust-rbtree-fix-documentation-typo-in-cursormut-peek_next-method.patch @@ -0,0 +1,40 @@ +From 45f6aed8a835ee2bdd0a5d5ee626a91fe285014f Mon Sep 17 00:00:00 2001 +From: Hang Shu +Date: Fri, 7 Nov 2025 09:39:17 +0000 +Subject: rust: rbtree: fix documentation typo in CursorMut peek_next method + +From: Hang Shu + +commit 45f6aed8a835ee2bdd0a5d5ee626a91fe285014f upstream. + +The peek_next method's doc comment incorrectly stated it accesses the +"previous" node when it actually accesses the next node. + +Fix the documentation to accurately reflect the method's behavior. + +Fixes: 98c14e40e07a ("rust: rbtree: add cursor") +Reviewed-by: Alice Ryhl +Signed-off-by: Hang Shu +Reported-by: Miguel Ojeda +Closes: https://github.com/Rust-for-Linux/linux/issues/1205 +Cc: stable@vger.kernel.org +Reviewed-by: Gary Guo +Link: https://patch.msgid.link/20251107093921.3379954-1-m18080292938@163.com +[ Reworded slightly. - Miguel ] +Signed-off-by: Miguel Ojeda +Signed-off-by: Greg Kroah-Hartman +--- + rust/kernel/rbtree.rs | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/rust/kernel/rbtree.rs ++++ b/rust/kernel/rbtree.rs +@@ -838,7 +838,7 @@ impl<'a, K, V> Cursor<'a, K, V> { + self.peek(Direction::Prev) + } + +- /// Access the previous node without moving the cursor. ++ /// Access the next node without moving the cursor. + pub fn peek_next(&self) -> Option<(&K, &V)> { + self.peek(Direction::Next) + } diff --git a/queue-6.12/scsi-be2iscsi-fix-a-memory-leak-in-beiscsi_boot_get_sinfo.patch b/queue-6.12/scsi-be2iscsi-fix-a-memory-leak-in-beiscsi_boot_get_sinfo.patch new file mode 100644 index 0000000000..fdc257fdf5 --- /dev/null +++ b/queue-6.12/scsi-be2iscsi-fix-a-memory-leak-in-beiscsi_boot_get_sinfo.patch @@ -0,0 +1,32 @@ +From 4747bafaa50115d9667ece446b1d2d4aba83dc7f Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Sat, 13 Dec 2025 16:36:43 +0800 +Subject: scsi: be2iscsi: Fix a memory leak in beiscsi_boot_get_sinfo() + +From: Haoxiang Li + +commit 4747bafaa50115d9667ece446b1d2d4aba83dc7f upstream. + +If nonemb_cmd->va fails to be allocated, free the allocation previously +made by alloc_mcc_wrb(). + +Fixes: 50a4b824be9e ("scsi: be2iscsi: Fix to make boot discovery non-blocking") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Link: https://patch.msgid.link/20251213083643.301240-1-lihaoxiang@isrc.iscas.ac.cn +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/be2iscsi/be_mgmt.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/be2iscsi/be_mgmt.c ++++ b/drivers/scsi/be2iscsi/be_mgmt.c +@@ -1025,6 +1025,7 @@ unsigned int beiscsi_boot_get_sinfo(stru + &nonemb_cmd->dma, + GFP_KERNEL); + if (!nonemb_cmd->va) { ++ free_mcc_wrb(ctrl, tag); + mutex_unlock(&ctrl->mbox_lock); + return 0; + } diff --git a/queue-6.12/scsi-qla2xxx-edif-fix-dma_free_coherent-size.patch b/queue-6.12/scsi-qla2xxx-edif-fix-dma_free_coherent-size.patch new file mode 100644 index 0000000000..f91a96a8ac --- /dev/null +++ b/queue-6.12/scsi-qla2xxx-edif-fix-dma_free_coherent-size.patch @@ -0,0 +1,34 @@ +From 56bd3c0f749f45793d1eae1d0ddde4255c749bf6 Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Mon, 12 Jan 2026 14:43:24 +0100 +Subject: scsi: qla2xxx: edif: Fix dma_free_coherent() size + +From: Thomas Fourier + +commit 56bd3c0f749f45793d1eae1d0ddde4255c749bf6 upstream. + +Earlier in the function, the ha->flt buffer is allocated with size +sizeof(struct qla_flt_header) + FLT_REGIONS_SIZE but freed in the error +path with size SFP_DEV_SIZE. + +Fixes: 84318a9f01ce ("scsi: qla2xxx: edif: Add send, receive, and accept for auth_els") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20260112134326.55466-2-fourier.thomas@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_os.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -4484,7 +4484,7 @@ fail_lsrjt: + fail_elsrej: + dma_pool_destroy(ha->purex_dma_pool); + fail_flt: +- dma_free_coherent(&ha->pdev->dev, SFP_DEV_SIZE, ++ dma_free_coherent(&ha->pdev->dev, sizeof(struct qla_flt_header) + FLT_REGIONS_SIZE, + ha->flt, ha->flt_dma); + + fail_flt_buffer: diff --git a/queue-6.12/selftests-mptcp-check-no-dup-close-events-after-error.patch b/queue-6.12/selftests-mptcp-check-no-dup-close-events-after-error.patch new file mode 100644 index 0000000000..110352cc2e --- /dev/null +++ b/queue-6.12/selftests-mptcp-check-no-dup-close-events-after-error.patch @@ -0,0 +1,110 @@ +From 8467458dfa61b37e259e3485a5d3e415d08193c1 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Tue, 27 Jan 2026 20:27:24 +0100 +Subject: selftests: mptcp: check no dup close events after error + +From: Matthieu Baerts (NGI0) + +commit 8467458dfa61b37e259e3485a5d3e415d08193c1 upstream. + +This validates the previous commit: subflow closed events are re-sent +with less info when the initial subflow is disconnected after an error +and each time a subflow is closed after that. + +In this new test, the userspace PM is involved because that's how it was +discovered, but it is not specific to it. The initial subflow is +terminated with a RESET, and that will cause the subflow disconnect. +Then, a new subflow is initiated, but also got rejected, which cause a +second subflow closed event, but not a third one. + +While at it, in case of failure to get the expected amount of events, +the events are printed. + +The 'Fixes' tag here below is the same as the one from the previous +commit: this patch here is not fixing anything wrong in the selftests, +but it validates the previous fix for an issue introduced by this commit +ID. + +Fixes: d82809b6c5f2 ("mptcp: avoid duplicated SUB_CLOSED events") +Cc: stable@vger.kernel.org +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260127-net-mptcp-dup-nl-events-v1-2-7f71e1bc4feb@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 51 ++++++++++++++++++++++++ + 1 file changed, 51 insertions(+) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -3506,11 +3506,32 @@ chk_evt_nr() + count=$(grep -cw "type:${evt}" "${evts}") + if [ "${count}" != "${exp}" ]; then + fail_test "got ${count} events, expected ${exp}" ++ cat "${evts}" + else + print_ok + fi + } + ++# $1: ns ; $2: event type ; $3: expected count ++wait_event() ++{ ++ local ns="${1}" ++ local evt_name="${2}" ++ local exp="${3}" ++ ++ local evt="${!evt_name}" ++ local evts="${evts_ns1}" ++ local count ++ ++ [ "${ns}" == "ns2" ] && evts="${evts_ns2}" ++ ++ for _ in $(seq 100); do ++ count=$(grep -cw "type:${evt}" "${evts}") ++ [ "${count}" -ge "${exp}" ] && break ++ sleep 0.1 ++ done ++} ++ + userspace_tests() + { + # userspace pm type prevents add_addr +@@ -3717,6 +3738,36 @@ userspace_tests() + kill_events_pids + mptcp_lib_kill_group_wait $tests_pid + fi ++ ++ # userspace pm no duplicated spurious close events after an error ++ if reset_with_events "userspace pm no dup close events after error" && ++ continue_if mptcp_lib_has_file '/proc/sys/net/mptcp/pm_type'; then ++ set_userspace_pm $ns2 ++ pm_nl_set_limits $ns1 0 2 ++ { timeout_test=120 test_linkfail=128 speed=slow \ ++ run_tests $ns1 $ns2 10.0.1.1 & } 2>/dev/null ++ local tests_pid=$! ++ wait_event ns2 MPTCP_LIB_EVENT_ESTABLISHED 1 ++ userspace_pm_add_sf $ns2 10.0.3.2 20 ++ chk_mptcp_info subflows 1 subflows 1 ++ chk_subflows_total 2 2 ++ ++ # force quick loss ++ ip netns exec $ns2 sysctl -q net.ipv4.tcp_syn_retries=1 ++ if ip netns exec "${ns1}" ${iptables} -A INPUT -s "10.0.1.2" \ ++ -p tcp --tcp-option 30 -j REJECT --reject-with tcp-reset && ++ ip netns exec "${ns2}" ${iptables} -A INPUT -d "10.0.1.2" \ ++ -p tcp --tcp-option 30 -j REJECT --reject-with tcp-reset; then ++ wait_event ns2 MPTCP_LIB_EVENT_SUB_CLOSED 1 ++ wait_event ns1 MPTCP_LIB_EVENT_SUB_CLOSED 1 ++ chk_subflows_total 1 1 ++ userspace_pm_add_sf $ns2 10.0.1.2 0 ++ wait_event ns2 MPTCP_LIB_EVENT_SUB_CLOSED 2 ++ chk_evt_nr ns2 MPTCP_LIB_EVENT_SUB_CLOSED 2 ++ fi ++ kill_events_pids ++ mptcp_lib_kill_group_wait $tests_pid ++ fi + } + + endpoint_tests() diff --git a/queue-6.12/selftests-mptcp-check-subflow-errors-in-close-events.patch b/queue-6.12/selftests-mptcp-check-subflow-errors-in-close-events.patch new file mode 100644 index 0000000000..a6de77054a --- /dev/null +++ b/queue-6.12/selftests-mptcp-check-subflow-errors-in-close-events.patch @@ -0,0 +1,93 @@ +From 2ef9e3a3845d0a20b62b01f5b731debd0364688d Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Tue, 27 Jan 2026 20:27:26 +0100 +Subject: selftests: mptcp: check subflow errors in close events + +From: Matthieu Baerts (NGI0) + +commit 2ef9e3a3845d0a20b62b01f5b731debd0364688d upstream. + +This validates the previous commit: subflow closed events should contain +an error field when a subflow got closed with an error, e.g. reset or +timeout. + +For this test, the chk_evt_nr helper has been extended to check +attributes in the matched events. + +In this test, the 2 subflow closed events should have an error. + +The 'Fixes' tag here below is the same as the one from the previous +commit: this patch here is not fixing anything wrong in the selftests, +but it validates the previous fix for an issue introduced by this commit +ID. + +Fixes: 15cc10453398 ("mptcp: deliver ssk errors to msk") +Cc: stable@vger.kernel.org +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260127-net-mptcp-dup-nl-events-v1-4-7f71e1bc4feb@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -3481,21 +3481,28 @@ userspace_pm_chk_get_addr() + fi + } + +-# $1: ns ; $2: event type ; $3: count ++# $1: ns ; $2: event type ; $3: count ; [ $4: attr ; $5: attr count ] + chk_evt_nr() + { + local ns=${1} + local evt_name="${2}" + local exp="${3}" ++ local attr="${4}" ++ local attr_exp="${5}" + + local evts="${evts_ns1}" + local evt="${!evt_name}" ++ local attr_name + local count + ++ if [ -n "${attr}" ]; then ++ attr_name=", ${attr}: ${attr_exp}" ++ fi ++ + evt_name="${evt_name:16}" # without MPTCP_LIB_EVENT_ + [ "${ns}" == "ns2" ] && evts="${evts_ns2}" + +- print_check "event ${ns} ${evt_name} (${exp})" ++ print_check "event ${ns} ${evt_name} (${exp}${attr_name})" + + if [[ "${evt_name}" = "LISTENER_"* ]] && + ! mptcp_lib_kallsyms_has "mptcp_event_pm_listener$"; then +@@ -3507,6 +3514,16 @@ chk_evt_nr() + if [ "${count}" != "${exp}" ]; then + fail_test "got ${count} events, expected ${exp}" + cat "${evts}" ++ return ++ elif [ -z "${attr}" ]; then ++ print_ok ++ return ++ fi ++ ++ count=$(grep -w "type:${evt}" "${evts}" | grep -c ",${attr}:") ++ if [ "${count}" != "${attr_exp}" ]; then ++ fail_test "got ${count} event attributes, expected ${attr_exp}" ++ grep -w "type:${evt}" "${evts}" + else + print_ok + fi +@@ -3763,7 +3780,7 @@ userspace_tests() + chk_subflows_total 1 1 + userspace_pm_add_sf $ns2 10.0.1.2 0 + wait_event ns2 MPTCP_LIB_EVENT_SUB_CLOSED 2 +- chk_evt_nr ns2 MPTCP_LIB_EVENT_SUB_CLOSED 2 ++ chk_evt_nr ns2 MPTCP_LIB_EVENT_SUB_CLOSED 2 error 2 + fi + kill_events_pids + mptcp_lib_kill_group_wait $tests_pid diff --git a/queue-6.12/selftests-mptcp-join-fix-local-endp-not-being-tracked.patch b/queue-6.12/selftests-mptcp-join-fix-local-endp-not-being-tracked.patch new file mode 100644 index 0000000000..57467e6cdb --- /dev/null +++ b/queue-6.12/selftests-mptcp-join-fix-local-endp-not-being-tracked.patch @@ -0,0 +1,60 @@ +From c5d5ecf21fdd9ce91e6116feb3aa83cee73352cc Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Tue, 27 Jan 2026 20:27:27 +0100 +Subject: selftests: mptcp: join: fix local endp not being tracked + +From: Matthieu Baerts (NGI0) + +commit c5d5ecf21fdd9ce91e6116feb3aa83cee73352cc upstream. + +When running this mptcp_join.sh selftest on older kernel versions not +supporting local endpoints tracking, this test fails because 3 MP_JOIN +ACKs have been received, while only 2 were expected. + +It is not clear why only 2 MP_JOIN ACKs were expected on old kernel +versions, while 3 MP_JOIN SYN and SYN+ACK were expected. When testing on +the v5.15.197 kernel, 3 MP_JOIN ACKs are seen, which is also what is +expected in the selftests included in this kernel version, see commit +f4480eaad489 ("selftests: mptcp: add missing join check"). + +Switch the expected MP_JOIN ACKs to 3. While at it, move this +chk_join_nr helper out of the special condition for older kernel +versions as it is now the same as with more recent ones. Also, invert +the condition to be more logical: what's expected on newer kernel +versions having such helper first. + +Fixes: d4c81bbb8600 ("selftests: mptcp: join: support local endpoint being tracked or not") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260127-net-mptcp-dup-nl-events-v1-5-7f71e1bc4feb@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -2162,17 +2162,16 @@ signal_address_tests() + ip netns exec $ns1 sysctl -q net.mptcp.add_addr_timeout=1 + speed=slow \ + run_tests $ns1 $ns2 10.0.1.1 ++ chk_join_nr 3 3 3 + + # It is not directly linked to the commit introducing this + # symbol but for the parent one which is linked anyway. +- if ! mptcp_lib_kallsyms_has "mptcp_pm_subflow_check_next$"; then +- chk_join_nr 3 3 2 +- chk_add_nr 4 4 +- else +- chk_join_nr 3 3 3 ++ if mptcp_lib_kallsyms_has "mptcp_pm_subflow_check_next$"; then + # the server will not signal the address terminating + # the MPC subflow + chk_add_nr 3 3 ++ else ++ chk_add_nr 4 4 + fi + fi + } diff --git a/queue-6.12/series b/queue-6.12/series index 5118e063b4..231d742083 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -31,3 +31,25 @@ bcache-fix-i-o-accounting-leak-in-detached_dev_do_re.patch dma-pool-distinguish-between-missing-and-exhausted-a.patch sched-deadline-document-dl_server.patch sched-deadline-fix-stuck-dl_server.patch +pinctrl-meson-mark-the-gpio-controller-as-sleeping.patch +riscv-compat-fix-compat_uts_machine-definition.patch +rust-rbtree-fix-documentation-typo-in-cursormut-peek_next-method.patch +rust-kbuild-give-config-path-to-rustfmt-in-.rsi-target.patch +asoc-fsl-imx-card-do-not-force-slot-width-to-sample-width.patch +scsi-be2iscsi-fix-a-memory-leak-in-beiscsi_boot_get_sinfo.patch +asoc-amd-yc-add-dmi-quirk-for-acer-travelmate-p216-41-tco.patch +gpio-pca953x-mask-interrupts-in-irq-shutdown.patch +scsi-qla2xxx-edif-fix-dma_free_coherent-size.patch +efivarfs-fix-error-propagation-in-efivar_entry_get.patch +nvmet-fix-race-in-nvmet_bio_done-leading-to-null-pointer-dereference.patch +gpio-rockchip-stop-calling-pinctrl-for-set_direction.patch +mm-kasan-fix-kasan-poisoning-in-vrealloc.patch +mptcp-only-reset-subflow-errors-when-propagated.patch +selftests-mptcp-check-no-dup-close-events-after-error.patch +selftests-mptcp-check-subflow-errors-in-close-events.patch +selftests-mptcp-join-fix-local-endp-not-being-tracked.patch +flex_proportions-make-fprop_new_period-hardirq-safe.patch +mm-memory-failure-fix-missing-mf_stats-count-in-hugetlb-poison.patch +mm-memory-failure-teach-kill_accessing_process-to-accept-hugetlb-tail-page-pfn.patch +mm-shmem-swap-fix-race-of-truncate-and-swap-entry-split.patch +net-fix-segmentation-of-forwarding-fraglist-gro.patch