From: Greg Kroah-Hartman Date: Mon, 28 Jul 2025 13:54:59 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v6.6.101~29 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c3de0b8674a455e3106581d17edc049cf7b88da7;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: alsa-hda-realtek-add-mute-led-support-for-hp-pavilion-15-eg0xxx.patch arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch dpaa2-eth-fix-device-reference-count-leak-in-mac-endpoint-handling.patch dpaa2-switch-fix-device-reference-count-leak-in-mac-endpoint-handling.patch e1000e-disregard-nvm-checksum-on-tgp-when-valid-checksum-bit-is-not-set.patch e1000e-ignore-uninitialized-checksum-word-on-tgp.patch gve-fix-stuck-tx-queue-for-dq-queue-format.patch mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch nilfs2-reject-invalid-file-types-when-reading-inodes.patch --- diff --git a/queue-5.15/alsa-hda-realtek-add-mute-led-support-for-hp-pavilion-15-eg0xxx.patch b/queue-5.15/alsa-hda-realtek-add-mute-led-support-for-hp-pavilion-15-eg0xxx.patch new file mode 100644 index 0000000000..dff43575b2 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-add-mute-led-support-for-hp-pavilion-15-eg0xxx.patch @@ -0,0 +1,34 @@ +From 9744ede7099e8a69c04aa23fbea44c15bc390c04 Mon Sep 17 00:00:00 2001 +From: Dawid Rezler +Date: Sun, 20 Jul 2025 17:49:08 +0200 +Subject: ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx + +From: Dawid Rezler + +commit 9744ede7099e8a69c04aa23fbea44c15bc390c04 upstream. + +The mute LED on the HP Pavilion Laptop 15-eg0xxx, +which uses the ALC287 codec, didn't work. +This patch fixes the issue by enabling the ALC287_FIXUP_HP_GPIO_LED quirk. + +Tested on a physical device, the LED now works as intended. + +Signed-off-by: Dawid Rezler +Cc: +Link: https://patch.msgid.link/20250720154907.80815-2-dawidrezler.patches@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9350,6 +9350,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED), ++ SND_PCI_QUIRK(0x103c, 0x87cc, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87d3, "HP Laptop 15-gw0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x87df, "HP ProBook 430 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x87e5, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED), diff --git a/queue-5.15/arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch b/queue-5.15/arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch new file mode 100644 index 0000000000..5f315cab48 --- /dev/null +++ b/queue-5.15/arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch @@ -0,0 +1,125 @@ +From d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb Mon Sep 17 00:00:00 2001 +From: Ada Couprie Diaz +Date: Fri, 18 Jul 2025 15:28:14 +0100 +Subject: arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() + +From: Ada Couprie Diaz + +commit d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb upstream. + +`cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change +to different stacks along with the Shadow Call Stack if it is enabled. +Those two stack changes cannot be done atomically and both functions +can be interrupted by SErrors or Debug Exceptions which, though unlikely, +is very much broken : if interrupted, we can end up with mismatched stacks +and Shadow Call Stack leading to clobbered stacks. + +In `cpu_switch_to()`, it can happen when SP_EL0 points to the new task, +but x18 stills points to the old task's SCS. When the interrupt handler +tries to save the task's SCS pointer, it will save the old task +SCS pointer (x18) into the new task struct (pointed to by SP_EL0), +clobbering it. + +In `call_on_irq_stack()`, it can happen when switching from the task stack +to the IRQ stack and when switching back. In both cases, we can be +interrupted when the SCS pointer points to the IRQ SCS, but SP points to +the task stack. The nested interrupt handler pushes its return addresses +on the IRQ SCS. It then detects that SP points to the task stack, +calls `call_on_irq_stack()` and clobbers the task SCS pointer with +the IRQ SCS pointer, which it will also use ! + +This leads to tasks returning to addresses on the wrong SCS, +or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK +or FPAC if enabled. + +This is possible on a default config, but unlikely. +However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and +instead the GIC is responsible for filtering what interrupts the CPU +should receive based on priority. +Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU +even in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very* +frequently depending on the system configuration and workload, leading +to unpredictable kernel panics. + +Completely mask DAIF in `cpu_switch_to()` and restore it when returning. +Do the same in `call_on_irq_stack()`, but restore and mask around +the branch. +Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency +of behaviour between all configurations. + +Introduce and use an assembly macro for saving and masking DAIF, +as the existing one saves but only masks IF. + +Cc: +Signed-off-by: Ada Couprie Diaz +Reported-by: Cristian Prundeanu +Fixes: 59b37fe52f49 ("arm64: Stash shadow stack pointer in the task struct on interrupt") +Tested-by: Cristian Prundeanu +Acked-by: Will Deacon +Link: https://lore.kernel.org/r/20250718142814.133329-1-ada.coupriediaz@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/assembler.h | 5 +++++ + arch/arm64/kernel/entry.S | 6 ++++++ + 2 files changed, 11 insertions(+) + +--- a/arch/arm64/include/asm/assembler.h ++++ b/arch/arm64/include/asm/assembler.h +@@ -58,6 +58,11 @@ + /* + * Save/restore interrupts. + */ ++ .macro save_and_disable_daif, flags ++ mrs \flags, daif ++ msr daifset, #0xf ++ .endm ++ + .macro save_and_disable_irq, flags + mrs \flags, daif + msr daifset, #3 +--- a/arch/arm64/kernel/entry.S ++++ b/arch/arm64/kernel/entry.S +@@ -833,6 +833,7 @@ SYM_CODE_END(__bp_harden_el1_vectors) + * + */ + SYM_FUNC_START(cpu_switch_to) ++ save_and_disable_daif x11 + mov x10, #THREAD_CPU_CONTEXT + add x8, x0, x10 + mov x9, sp +@@ -856,6 +857,7 @@ SYM_FUNC_START(cpu_switch_to) + ptrauth_keys_install_kernel x1, x8, x9, x10 + scs_save x0 + scs_load_current ++ restore_irq x11 + ret + SYM_FUNC_END(cpu_switch_to) + NOKPROBE(cpu_switch_to) +@@ -882,6 +884,7 @@ NOKPROBE(ret_from_fork) + * Calls func(regs) using this CPU's irq stack and shadow irq stack. + */ + SYM_FUNC_START(call_on_irq_stack) ++ save_and_disable_daif x9 + #ifdef CONFIG_SHADOW_CALL_STACK + get_current_task x16 + scs_save x16 +@@ -896,8 +899,10 @@ SYM_FUNC_START(call_on_irq_stack) + + /* Move to the new stack and call the function there */ + add sp, x16, #IRQ_STACK_SIZE ++ restore_irq x9 + blr x1 + ++ save_and_disable_daif x9 + /* + * Restore the SP from the FP, and restore the FP and LR from the frame + * record. +@@ -905,6 +910,7 @@ SYM_FUNC_START(call_on_irq_stack) + mov sp, x29 + ldp x29, x30, [sp], #16 + scs_load_current ++ restore_irq x9 + ret + SYM_FUNC_END(call_on_irq_stack) + NOKPROBE(call_on_irq_stack) diff --git a/queue-5.15/dpaa2-eth-fix-device-reference-count-leak-in-mac-endpoint-handling.patch b/queue-5.15/dpaa2-eth-fix-device-reference-count-leak-in-mac-endpoint-handling.patch new file mode 100644 index 0000000000..a316ec8fe0 --- /dev/null +++ b/queue-5.15/dpaa2-eth-fix-device-reference-count-leak-in-mac-endpoint-handling.patch @@ -0,0 +1,68 @@ +From ee9f3a81ab08dfe0538dbd1746f81fd4d5147fdc Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Thu, 17 Jul 2025 10:23:08 +0800 +Subject: dpaa2-eth: Fix device reference count leak in MAC endpoint handling + +From: Ma Ke + +commit ee9f3a81ab08dfe0538dbd1746f81fd4d5147fdc upstream. + +The fsl_mc_get_endpoint() function uses device_find_child() for +localization, which implicitly calls get_device() to increment the +device's reference count before returning the pointer. However, the +caller dpaa2_eth_connect_mac() fails to properly release this +reference in multiple scenarios. We should call put_device() to +decrement reference count properly. + +As comment of device_find_child() says, 'NOTE: you will need to drop +the reference with put_device() after use'. + +Found by code review. + +Cc: stable@vger.kernel.org +Fixes: 719479230893 ("dpaa2-eth: add MAC/PHY support through phylink") +Signed-off-by: Ma Ke +Tested-by: Ioana Ciornei +Reviewed-by: Ioana Ciornei +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250717022309.3339976-2-make24@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c +@@ -4228,12 +4228,19 @@ static int dpaa2_eth_connect_mac(struct + if (PTR_ERR(dpmac_dev) == -EPROBE_DEFER) + return PTR_ERR(dpmac_dev); + +- if (IS_ERR(dpmac_dev) || dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type) ++ if (IS_ERR(dpmac_dev)) + return 0; + ++ if (dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type) { ++ err = 0; ++ goto out_put_device; ++ } ++ + mac = kzalloc(sizeof(struct dpaa2_mac), GFP_KERNEL); +- if (!mac) +- return -ENOMEM; ++ if (!mac) { ++ err = -ENOMEM; ++ goto out_put_device; ++ } + + mac->mc_dev = dpmac_dev; + mac->mc_io = priv->mc_io; +@@ -4260,6 +4267,8 @@ err_close_mac: + priv->mac = NULL; + err_free_mac: + kfree(mac); ++out_put_device: ++ put_device(&dpmac_dev->dev); + return err; + } + diff --git a/queue-5.15/dpaa2-switch-fix-device-reference-count-leak-in-mac-endpoint-handling.patch b/queue-5.15/dpaa2-switch-fix-device-reference-count-leak-in-mac-endpoint-handling.patch new file mode 100644 index 0000000000..08b2f059d8 --- /dev/null +++ b/queue-5.15/dpaa2-switch-fix-device-reference-count-leak-in-mac-endpoint-handling.patch @@ -0,0 +1,68 @@ +From 96e056ffba912ef18a72177f71956a5b347b5177 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Thu, 17 Jul 2025 10:23:09 +0800 +Subject: dpaa2-switch: Fix device reference count leak in MAC endpoint handling + +From: Ma Ke + +commit 96e056ffba912ef18a72177f71956a5b347b5177 upstream. + +The fsl_mc_get_endpoint() function uses device_find_child() for +localization, which implicitly calls get_device() to increment the +device's reference count before returning the pointer. However, the +caller dpaa2_switch_port_connect_mac() fails to properly release this +reference in multiple scenarios. We should call put_device() to +decrement reference count properly. + +As comment of device_find_child() says, 'NOTE: you will need to drop +the reference with put_device() after use'. + +Found by code review. + +Cc: stable@vger.kernel.org +Fixes: 84cba72956fd ("dpaa2-switch: integrate the MAC endpoint support") +Signed-off-by: Ma Ke +Tested-by: Ioana Ciornei +Reviewed-by: Ioana Ciornei +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250717022309.3339976-3-make24@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +@@ -1435,12 +1435,19 @@ static int dpaa2_switch_port_connect_mac + if (PTR_ERR(dpmac_dev) == -EPROBE_DEFER) + return PTR_ERR(dpmac_dev); + +- if (IS_ERR(dpmac_dev) || dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type) ++ if (IS_ERR(dpmac_dev)) + return 0; + ++ if (dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type) { ++ err = 0; ++ goto out_put_device; ++ } ++ + mac = kzalloc(sizeof(*mac), GFP_KERNEL); +- if (!mac) +- return -ENOMEM; ++ if (!mac) { ++ err = -ENOMEM; ++ goto out_put_device; ++ } + + mac->mc_dev = dpmac_dev; + mac->mc_io = port_priv->ethsw_data->mc_io; +@@ -1468,6 +1475,8 @@ err_close_mac: + port_priv->mac = NULL; + err_free_mac: + kfree(mac); ++out_put_device: ++ put_device(&dpmac_dev->dev); + return err; + } + diff --git a/queue-5.15/e1000e-disregard-nvm-checksum-on-tgp-when-valid-checksum-bit-is-not-set.patch b/queue-5.15/e1000e-disregard-nvm-checksum-on-tgp-when-valid-checksum-bit-is-not-set.patch new file mode 100644 index 0000000000..f59fe19264 --- /dev/null +++ b/queue-5.15/e1000e-disregard-nvm-checksum-on-tgp-when-valid-checksum-bit-is-not-set.patch @@ -0,0 +1,42 @@ +From 536fd741c7ac907d63166cdae1081b1febfab613 Mon Sep 17 00:00:00 2001 +From: Jacek Kowalski +Date: Mon, 30 Jun 2025 10:33:39 +0200 +Subject: e1000e: disregard NVM checksum on tgp when valid checksum bit is not set + +From: Jacek Kowalski + +commit 536fd741c7ac907d63166cdae1081b1febfab613 upstream. + +As described by Vitaly Lifshits: + +> Starting from Tiger Lake, LAN NVM is locked for writes by SW, so the +> driver cannot perform checksum validation and correction. This means +> that all NVM images must leave the factory with correct checksum and +> checksum valid bit set. Since Tiger Lake devices were the first to have +> this lock, some systems in the field did not meet this requirement. +> Therefore, for these transitional devices we skip checksum update and +> verification, if the valid bit is not set. + +Signed-off-by: Jacek Kowalski +Reviewed-by: Simon Horman +Reviewed-by: Vitaly Lifshits +Fixes: 4051f68318ca9 ("e1000e: Do not take care about recovery NVM checksum") +Cc: stable@vger.kernel.org +Tested-by: Mor Bar-Gabay +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/e1000e/ich8lan.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c ++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c +@@ -4146,6 +4146,8 @@ static s32 e1000_validate_nvm_checksum_i + ret_val = e1000e_update_nvm_checksum(hw); + if (ret_val) + return ret_val; ++ } else if (hw->mac.type == e1000_pch_tgp) { ++ return 0; + } + } + diff --git a/queue-5.15/e1000e-ignore-uninitialized-checksum-word-on-tgp.patch b/queue-5.15/e1000e-ignore-uninitialized-checksum-word-on-tgp.patch new file mode 100644 index 0000000000..79904f2294 --- /dev/null +++ b/queue-5.15/e1000e-ignore-uninitialized-checksum-word-on-tgp.patch @@ -0,0 +1,62 @@ +From 61114910a5f6a71d0b6ea3b95082dfe031b19dfe Mon Sep 17 00:00:00 2001 +From: Jacek Kowalski +Date: Mon, 30 Jun 2025 10:35:00 +0200 +Subject: e1000e: ignore uninitialized checksum word on tgp + +From: Jacek Kowalski + +commit 61114910a5f6a71d0b6ea3b95082dfe031b19dfe upstream. + +As described by Vitaly Lifshits: + +> Starting from Tiger Lake, LAN NVM is locked for writes by SW, so the +> driver cannot perform checksum validation and correction. This means +> that all NVM images must leave the factory with correct checksum and +> checksum valid bit set. + +Unfortunately some systems have left the factory with an uninitialized +value of 0xFFFF at register address 0x3F (checksum word location). +So on Tiger Lake platform we ignore the computed checksum when such +condition is encountered. + +Signed-off-by: Jacek Kowalski +Tested-by: Vlad URSU +Fixes: 4051f68318ca9 ("e1000e: Do not take care about recovery NVM checksum") +Cc: stable@vger.kernel.org +Reviewed-by: Simon Horman +Reviewed-by: Vitaly Lifshits +Tested-by: Mor Bar-Gabay +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/e1000e/defines.h | 3 +++ + drivers/net/ethernet/intel/e1000e/nvm.c | 6 ++++++ + 2 files changed, 9 insertions(+) + +--- a/drivers/net/ethernet/intel/e1000e/defines.h ++++ b/drivers/net/ethernet/intel/e1000e/defines.h +@@ -638,6 +638,9 @@ + /* For checksumming, the sum of all words in the NVM should equal 0xBABA. */ + #define NVM_SUM 0xBABA + ++/* Uninitialized ("empty") checksum word value */ ++#define NVM_CHECKSUM_UNINITIALIZED 0xFFFF ++ + /* PBA (printed board assembly) number words */ + #define NVM_PBA_OFFSET_0 8 + #define NVM_PBA_OFFSET_1 9 +--- a/drivers/net/ethernet/intel/e1000e/nvm.c ++++ b/drivers/net/ethernet/intel/e1000e/nvm.c +@@ -558,6 +558,12 @@ s32 e1000e_validate_nvm_checksum_generic + checksum += nvm_data; + } + ++ if (hw->mac.type == e1000_pch_tgp && ++ nvm_data == NVM_CHECKSUM_UNINITIALIZED) { ++ e_dbg("Uninitialized NVM Checksum on TGP platform - ignoring\n"); ++ return 0; ++ } ++ + if (checksum != (u16)NVM_SUM) { + e_dbg("NVM Checksum Invalid\n"); + return -E1000_ERR_NVM; diff --git a/queue-5.15/gve-fix-stuck-tx-queue-for-dq-queue-format.patch b/queue-5.15/gve-fix-stuck-tx-queue-for-dq-queue-format.patch new file mode 100644 index 0000000000..3087670da0 --- /dev/null +++ b/queue-5.15/gve-fix-stuck-tx-queue-for-dq-queue-format.patch @@ -0,0 +1,125 @@ +From b03f15c0192b184078206760c839054ae6eb4eaa Mon Sep 17 00:00:00 2001 +From: Praveen Kaligineedi +Date: Thu, 17 Jul 2025 19:20:24 +0000 +Subject: gve: Fix stuck TX queue for DQ queue format + +From: Praveen Kaligineedi + +commit b03f15c0192b184078206760c839054ae6eb4eaa upstream. + +gve_tx_timeout was calculating missed completions in a way that is only +relevant in the GQ queue format. Additionally, it was attempting to +disable device interrupts, which is not needed in either GQ or DQ queue +formats. + +As a result, TX timeouts with the DQ queue format likely would have +triggered early resets without kicking the queue at all. + +This patch drops the check for pending work altogether and always kicks +the queue after validating the queue has not seen a TX timeout too +recently. + +Cc: stable@vger.kernel.org +Fixes: 87a7f321bb6a ("gve: Recover from queue stall due to missed IRQ") +Co-developed-by: Tim Hostetler +Signed-off-by: Tim Hostetler +Signed-off-by: Praveen Kaligineedi +Signed-off-by: Harshitha Ramamurthy +Link: https://patch.msgid.link/20250717192024.1820931-1-hramamurthy@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/google/gve/gve_main.c | 71 +++++++++++++++-------------- + 1 file changed, 39 insertions(+), 32 deletions(-) + +--- a/drivers/net/ethernet/google/gve/gve_main.c ++++ b/drivers/net/ethernet/google/gve/gve_main.c +@@ -1111,49 +1111,56 @@ static void gve_turnup(struct gve_priv * + gve_set_napi_enabled(priv); + } + +-static void gve_tx_timeout(struct net_device *dev, unsigned int txqueue) ++static struct gve_notify_block *gve_get_tx_notify_block(struct gve_priv *priv, ++ unsigned int txqueue) + { +- struct gve_notify_block *block; +- struct gve_tx_ring *tx = NULL; +- struct gve_priv *priv; +- u32 last_nic_done; +- u32 current_time; + u32 ntfy_idx; + +- netdev_info(dev, "Timeout on tx queue, %d", txqueue); +- priv = netdev_priv(dev); + if (txqueue > priv->tx_cfg.num_queues) +- goto reset; ++ return NULL; + + ntfy_idx = gve_tx_idx_to_ntfy(priv, txqueue); + if (ntfy_idx >= priv->num_ntfy_blks) +- goto reset; ++ return NULL; ++ ++ return &priv->ntfy_blocks[ntfy_idx]; ++} ++ ++static bool gve_tx_timeout_try_q_kick(struct gve_priv *priv, ++ unsigned int txqueue) ++{ ++ struct gve_notify_block *block; ++ u32 current_time; + +- block = &priv->ntfy_blocks[ntfy_idx]; +- tx = block->tx; ++ block = gve_get_tx_notify_block(priv, txqueue); ++ ++ if (!block) ++ return false; + + current_time = jiffies_to_msecs(jiffies); +- if (tx->last_kick_msec + MIN_TX_TIMEOUT_GAP > current_time) +- goto reset; ++ if (block->tx->last_kick_msec + MIN_TX_TIMEOUT_GAP > current_time) ++ return false; ++ ++ netdev_info(priv->dev, "Kicking queue %d", txqueue); ++ napi_schedule(&block->napi); ++ block->tx->last_kick_msec = current_time; ++ return true; ++} ++ ++static void gve_tx_timeout(struct net_device *dev, unsigned int txqueue) ++{ ++ struct gve_notify_block *block; ++ struct gve_priv *priv; ++ ++ netdev_info(dev, "Timeout on tx queue, %d", txqueue); ++ priv = netdev_priv(dev); ++ ++ if (!gve_tx_timeout_try_q_kick(priv, txqueue)) ++ gve_schedule_reset(priv); + +- /* Check to see if there are missed completions, which will allow us to +- * kick the queue. +- */ +- last_nic_done = gve_tx_load_event_counter(priv, tx); +- if (last_nic_done - tx->done) { +- netdev_info(dev, "Kicking queue %d", txqueue); +- iowrite32be(GVE_IRQ_MASK, gve_irq_doorbell(priv, block)); +- napi_schedule(&block->napi); +- tx->last_kick_msec = current_time; +- goto out; +- } // Else reset. +- +-reset: +- gve_schedule_reset(priv); +- +-out: +- if (tx) +- tx->queue_timeout++; ++ block = gve_get_tx_notify_block(priv, txqueue); ++ if (block) ++ block->tx->queue_timeout++; + priv->tx_timeo_cnt++; + } + diff --git a/queue-5.15/mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch b/queue-5.15/mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch new file mode 100644 index 0000000000..7fc1e3fba7 --- /dev/null +++ b/queue-5.15/mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch @@ -0,0 +1,55 @@ +From 694d6b99923eb05a8fd188be44e26077d19f0e21 Mon Sep 17 00:00:00 2001 +From: Harry Yoo +Date: Fri, 4 Jul 2025 19:30:53 +0900 +Subject: mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n + +From: Harry Yoo + +commit 694d6b99923eb05a8fd188be44e26077d19f0e21 upstream. + +Commit 48b4800a1c6a ("zsmalloc: page migration support") added support for +migrating zsmalloc pages using the movable_operations migration framework. +However, the commit did not take into account that zsmalloc supports +migration only when CONFIG_COMPACTION is enabled. Tracing shows that +zsmalloc was still passing the __GFP_MOVABLE flag even when compaction is +not supported. + +This can result in unmovable pages being allocated from movable page +blocks (even without stealing page blocks), ZONE_MOVABLE and CMA area. + +Possible user visible effects: +- Some ZONE_MOVABLE memory can be not actually movable +- CMA allocation can fail because of this +- Increased memory fragmentation due to ignoring the page mobility + grouping feature +I'm not really sure who uses kernels without compaction support, though :( + + +To fix this, clear the __GFP_MOVABLE flag when +!IS_ENABLED(CONFIG_COMPACTION). + +Link: https://lkml.kernel.org/r/20250704103053.6913-1-harry.yoo@oracle.com +Fixes: 48b4800a1c6a ("zsmalloc: page migration support") +Signed-off-by: Harry Yoo +Acked-by: David Hildenbrand +Reviewed-by: Sergey Senozhatsky +Cc: Minchan Kim +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/zsmalloc.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/mm/zsmalloc.c ++++ b/mm/zsmalloc.c +@@ -1064,6 +1064,9 @@ static struct zspage *alloc_zspage(struc + if (!zspage) + return NULL; + ++ if (!IS_ENABLED(CONFIG_COMPACTION)) ++ gfp &= ~__GFP_MOVABLE; ++ + zspage->magic = ZSPAGE_MAGIC; + migrate_lock_init(zspage); + diff --git a/queue-5.15/nilfs2-reject-invalid-file-types-when-reading-inodes.patch b/queue-5.15/nilfs2-reject-invalid-file-types-when-reading-inodes.patch new file mode 100644 index 0000000000..7014a2c6c1 --- /dev/null +++ b/queue-5.15/nilfs2-reject-invalid-file-types-when-reading-inodes.patch @@ -0,0 +1,48 @@ +From 4aead50caf67e01020c8be1945c3201e8a972a27 Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Thu, 10 Jul 2025 22:49:08 +0900 +Subject: nilfs2: reject invalid file types when reading inodes + +From: Ryusuke Konishi + +commit 4aead50caf67e01020c8be1945c3201e8a972a27 upstream. + +To prevent inodes with invalid file types from tripping through the vfs +and causing malfunctions or assertion failures, add a missing sanity check +when reading an inode from a block device. If the file type is not valid, +treat it as a filesystem error. + +Link: https://lkml.kernel.org/r/20250710134952.29862-1-konishi.ryusuke@gmail.com +Fixes: 05fe58fdc10d ("nilfs2: inode operations") +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=895c23f6917da440ed0d +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/inode.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/fs/nilfs2/inode.c ++++ b/fs/nilfs2/inode.c +@@ -517,11 +517,18 @@ static int __nilfs_read_inode(struct sup + inode->i_op = &nilfs_symlink_inode_operations; + inode_nohighmem(inode); + inode->i_mapping->a_ops = &nilfs_aops; +- } else { ++ } else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) || ++ S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) { + inode->i_op = &nilfs_special_inode_operations; + init_special_inode( + inode, inode->i_mode, + huge_decode_dev(le64_to_cpu(raw_inode->i_device_code))); ++ } else { ++ nilfs_error(sb, ++ "invalid file type bits in mode 0%o for inode %lu", ++ inode->i_mode, ino); ++ err = -EIO; ++ goto failed_unmap; + } + nilfs_ifile_unmap_inode(root->ifile, ino, bh); + brelse(bh); diff --git a/queue-5.15/series b/queue-5.15/series index c0b9e0f23e..9f6d285ebb 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -89,3 +89,12 @@ platform-x86-ideapad-laptop-fix-kbd-backlight-not-remembered-among-boots.patch i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch i2c-virtio-avoid-hang-by-using-interruptible-completion-wait.patch bus-fsl-mc-fix-potential-double-device-reference-in-fsl_mc_get_endpoint.patch +alsa-hda-realtek-add-mute-led-support-for-hp-pavilion-15-eg0xxx.patch +arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch +dpaa2-eth-fix-device-reference-count-leak-in-mac-endpoint-handling.patch +dpaa2-switch-fix-device-reference-count-leak-in-mac-endpoint-handling.patch +e1000e-disregard-nvm-checksum-on-tgp-when-valid-checksum-bit-is-not-set.patch +e1000e-ignore-uninitialized-checksum-word-on-tgp.patch +gve-fix-stuck-tx-queue-for-dq-queue-format.patch +nilfs2-reject-invalid-file-types-when-reading-inodes.patch +mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch