From: Greg Kroah-Hartman Date: Mon, 13 Apr 2026 11:52:22 +0000 (+0200) Subject: 6.12-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c4087ef39483a51a0ad7ae3c0784044781e7b336;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: loongarch-handle-percpu-handler-address-for-orc-unwinder.patch loongarch-remove-unnecessary-checks-for-orc-unwinder.patch misc-fastrpc-check-qcom_scm_assign_mem-return-in-rpmsg_probe.patch mptcp-fix-soft-lockup-in-mptcp_recvmsg.patch net-annotate-data-races-around-sk-sk_-data_ready-write_space.patch revert-mptcp-add-needs_id-for-netlink-appending-addr.patch sched_ext-fix-stale-direct-dispatch-state-in-ddsp_dsq_id.patch --- diff --git a/queue-6.12/loongarch-handle-percpu-handler-address-for-orc-unwinder.patch b/queue-6.12/loongarch-handle-percpu-handler-address-for-orc-unwinder.patch new file mode 100644 index 0000000000..5c709f80fd --- /dev/null +++ b/queue-6.12/loongarch-handle-percpu-handler-address-for-orc-unwinder.patch @@ -0,0 +1,88 @@ +From stable+bounces-235878-greg=kroah.com@vger.kernel.org Mon Apr 13 04:37:07 2026 +From: Huacai Chen +Date: Mon, 13 Apr 2026 10:36:47 +0800 +Subject: LoongArch: Handle percpu handler address for ORC unwinder +To: Greg Kroah-Hartman , Sasha Levin , Huacai Chen +Cc: Xuerui Wang , stable@vger.kernel.org, linux-kernel@vger.kernel.org, loongarch@lists.linux.dev, Tiezhu Yang , Huacai Chen +Message-ID: <20260413023647.1368051-1-chenhuacai@loongson.cn> + +From: Tiezhu Yang + +[ Upstream commit 055c7e75190e0be43037bd663a3f6aced194416e ] + +After commit 4cd641a79e69 ("LoongArch: Remove unnecessary checks for ORC +unwinder"), the system can not boot normally under some configs (such as +enable KASAN), there are many error messages "cannot find unwind pc". + +The kernel boots normally with the defconfig, so no problem found out at +the first time. Here is one way to reproduce: + + cd linux + make mrproper defconfig -j"$(nproc)" + scripts/config -e KASAN + make olddefconfig all -j"$(nproc)" + sudo make modules_install + sudo make install + sudo reboot + +The address that can not unwind is not a valid kernel address which is +between "pcpu_handlers[cpu]" and "pcpu_handlers[cpu] + vec_sz" due to +the code of eentry was copied to the new area of pcpu_handlers[cpu] in +setup_tlb_handler(), handle this special case to get the valid address +to unwind normally. + +Cc: stable@vger.kernel.org +Signed-off-by: Tiezhu Yang +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- +V2: Add upstream commit ID. + + arch/loongarch/include/asm/setup.h | 3 +++ + arch/loongarch/kernel/unwind_orc.c | 16 ++++++++++++++++ + 2 files changed, 19 insertions(+) + +--- a/arch/loongarch/include/asm/setup.h ++++ b/arch/loongarch/include/asm/setup.h +@@ -7,6 +7,7 @@ + #define _LOONGARCH_SETUP_H + + #include ++#include + #include + #include + +@@ -14,6 +15,8 @@ + + extern unsigned long eentry; + extern unsigned long tlbrentry; ++extern unsigned long pcpu_handlers[NR_CPUS]; ++extern long exception_handlers[VECSIZE * 128 / sizeof(long)]; + extern char init_command_line[COMMAND_LINE_SIZE]; + extern void tlb_init(int cpu); + extern void cpu_cache_init(void); +--- a/arch/loongarch/kernel/unwind_orc.c ++++ b/arch/loongarch/kernel/unwind_orc.c +@@ -359,6 +359,22 @@ static inline unsigned long bt_address(u + { + extern unsigned long eentry; + ++#if defined(CONFIG_NUMA) && !defined(CONFIG_PREEMPT_RT) ++ int cpu; ++ int vec_sz = sizeof(exception_handlers); ++ ++ for_each_possible_cpu(cpu) { ++ if (!pcpu_handlers[cpu]) ++ continue; ++ ++ if (ra >= pcpu_handlers[cpu] && ++ ra < pcpu_handlers[cpu] + vec_sz) { ++ ra = ra + eentry - pcpu_handlers[cpu]; ++ break; ++ } ++ } ++#endif ++ + if (ra >= eentry && ra < eentry + EXCCODE_INT_END * VECSIZE) { + unsigned long func; + unsigned long type = (ra - eentry) / VECSIZE; diff --git a/queue-6.12/loongarch-remove-unnecessary-checks-for-orc-unwinder.patch b/queue-6.12/loongarch-remove-unnecessary-checks-for-orc-unwinder.patch new file mode 100644 index 0000000000..8ee7144074 --- /dev/null +++ b/queue-6.12/loongarch-remove-unnecessary-checks-for-orc-unwinder.patch @@ -0,0 +1,102 @@ +From stable+bounces-235877-greg=kroah.com@vger.kernel.org Mon Apr 13 04:36:48 2026 +From: Huacai Chen +Date: Mon, 13 Apr 2026 10:36:27 +0800 +Subject: LoongArch: Remove unnecessary checks for ORC unwinder +To: Greg Kroah-Hartman , Sasha Levin , Huacai Chen +Cc: Xuerui Wang , stable@vger.kernel.org, linux-kernel@vger.kernel.org, loongarch@lists.linux.dev, Tiezhu Yang , Huacai Chen +Message-ID: <20260413023627.1363488-1-chenhuacai@loongson.cn> + +From: Tiezhu Yang + +[ Upstream commit 4cd641a79e69270a062777f64a0dd330abb9044a ] + +According to the following function definitions, __kernel_text_address() +already checks __module_text_address(), so it should remove the check of +__module_text_address() in bt_address() at least. + +int __kernel_text_address(unsigned long addr) +{ + if (kernel_text_address(addr)) + return 1; + ... + return 0; +} + +int kernel_text_address(unsigned long addr) +{ + bool no_rcu; + int ret = 1; + ... + if (is_module_text_address(addr)) + goto out; + ... + return ret; +} + +bool is_module_text_address(unsigned long addr) +{ + guard(rcu)(); + return __module_text_address(addr) != NULL; +} + +Furthermore, there are two checks of __kernel_text_address(), one is in +bt_address() and the other is after calling bt_address(), it looks like +redundant. + +Handle the exception address first and then use __kernel_text_address() +to validate the calculated address for exception or the normal address +in bt_address(), then it can remove the check of __kernel_text_address() +after calling bt_address(). + +Just remove unnecessary checks, no functional changes intended. + +Signed-off-by: Tiezhu Yang +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- +V2: Add upstream commit ID. + + arch/loongarch/kernel/unwind_orc.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +--- a/arch/loongarch/kernel/unwind_orc.c ++++ b/arch/loongarch/kernel/unwind_orc.c +@@ -359,12 +359,6 @@ static inline unsigned long bt_address(u + { + extern unsigned long eentry; + +- if (__kernel_text_address(ra)) +- return ra; +- +- if (__module_text_address(ra)) +- return ra; +- + if (ra >= eentry && ra < eentry + EXCCODE_INT_END * VECSIZE) { + unsigned long func; + unsigned long type = (ra - eentry) / VECSIZE; +@@ -382,10 +376,13 @@ static inline unsigned long bt_address(u + break; + } + +- return func + offset; ++ ra = func + offset; + } + +- return ra; ++ if (__kernel_text_address(ra)) ++ return ra; ++ ++ return 0; + } + + bool unwind_next_frame(struct unwind_state *state) +@@ -511,9 +508,6 @@ bool unwind_next_frame(struct unwind_sta + goto err; + } + +- if (!__kernel_text_address(state->pc)) +- goto err; +- + preempt_enable(); + return true; + diff --git a/queue-6.12/misc-fastrpc-check-qcom_scm_assign_mem-return-in-rpmsg_probe.patch b/queue-6.12/misc-fastrpc-check-qcom_scm_assign_mem-return-in-rpmsg_probe.patch new file mode 100644 index 0000000000..317c2781af --- /dev/null +++ b/queue-6.12/misc-fastrpc-check-qcom_scm_assign_mem-return-in-rpmsg_probe.patch @@ -0,0 +1,50 @@ +From stable+bounces-233925-greg=kroah.com@vger.kernel.org Wed Apr 8 16:21:51 2026 +From: Sasha Levin +Date: Wed, 8 Apr 2026 10:21:44 -0400 +Subject: misc: fastrpc: check qcom_scm_assign_mem() return in rpmsg_probe +To: stable@vger.kernel.org +Cc: Xingjing Deng , Xingjing Deng , Dmitry Baryshkov , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20260408142144.1124899-1-sashal@kernel.org> + +From: Xingjing Deng + +[ Upstream commit 6a502776f4a4f80fb839b22f12aeaf0267fca344 ] + +In the SDSP probe path, qcom_scm_assign_mem() is used to assign the +reserved memory to the configured VMIDs, but its return value was not checked. + +Fail the probe if the SCM call fails to avoid continuing with an +unexpected/incorrect memory permission configuration. + +This issue was found by an in-house analysis workflow that extracts AST-based +information and runs static checks, with LLM assistance for triage, and was +confirmed by manual code review. +No hardware testing was performed. + +Fixes: c3c0363bc72d4 ("misc: fastrpc: support complete DMA pool access to the DSP") +Cc: stable@vger.kernel.org # 6.11-rc1 +Signed-off-by: Xingjing Deng +Reviewed-by: Dmitry Baryshkov +Link: https://patch.msgid.link/20260131065539.2124047-1-xjdeng@buaa.edu.cn +Signed-off-by: Greg Kroah-Hartman +[ adapted qcom_scm_assign_mem() error check to use fdev_error label and rmem-based memory API ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/fastrpc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -2346,8 +2346,10 @@ static int fastrpc_rpmsg_probe(struct rp + + src_perms = BIT(QCOM_SCM_VMID_HLOS); + +- qcom_scm_assign_mem(rmem->base, rmem->size, &src_perms, ++ err = qcom_scm_assign_mem(rmem->base, rmem->size, &src_perms, + data->vmperms, data->vmcount); ++ if (err) ++ goto fdev_error; + + } + diff --git a/queue-6.12/mptcp-fix-soft-lockup-in-mptcp_recvmsg.patch b/queue-6.12/mptcp-fix-soft-lockup-in-mptcp_recvmsg.patch new file mode 100644 index 0000000000..4ca5e7c496 --- /dev/null +++ b/queue-6.12/mptcp-fix-soft-lockup-in-mptcp_recvmsg.patch @@ -0,0 +1,125 @@ +From matttbe@kernel.org Thu Apr 9 13:45:18 2026 +From: "Matthieu Baerts (NGI0)" +Date: Thu, 9 Apr 2026 13:44:40 +0200 +Subject: mptcp: fix soft lockup in mptcp_recvmsg() +To: stable@vger.kernel.org, gregkh@linuxfoundation.org, sashal@kernel.org +Cc: MPTCP Upstream , Li Xiasong , "Matthieu Baerts (NGI0)" , Jakub Kicinski +Message-ID: <20260409114439.1158386-2-matttbe@kernel.org> + +From: Li Xiasong + +commit 5dd8025a49c268ab6b94d978532af3ad341132a7 upstream. + +syzbot reported a soft lockup in mptcp_recvmsg() [0]. + +When receiving data with MSG_PEEK | MSG_WAITALL flags, the skb is not +removed from the sk_receive_queue. This causes sk_wait_data() to always +find available data and never perform actual waiting, leading to a soft +lockup. + +Fix this by adding a 'last' parameter to track the last peeked skb. +This allows sk_wait_data() to make informed waiting decisions and prevent +infinite loops when MSG_PEEK is used. + +[0]: +watchdog: BUG: soft lockup - CPU#2 stuck for 156s! [server:1963] +Modules linked in: +CPU: 2 UID: 0 PID: 1963 Comm: server Not tainted 6.19.0-rc8 #61 PREEMPT(none) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +RIP: 0010:sk_wait_data+0x15/0x190 +Code: 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 41 56 41 55 41 54 49 89 f4 55 48 89 d5 53 48 89 fb <48> 83 ec 30 65 48 8b 05 17 a4 6b 01 48 89 44 24 28 31 c0 65 48 8b +RSP: 0018:ffffc90000603ca0 EFLAGS: 00000246 +RAX: 0000000000000000 RBX: ffff888102bf0800 RCX: 0000000000000001 +RDX: 0000000000000000 RSI: ffffc90000603d18 RDI: ffff888102bf0800 +RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000101 +R10: 0000000000000000 R11: 0000000000000075 R12: ffffc90000603d18 +R13: ffff888102bf0800 R14: ffff888102bf0800 R15: 0000000000000000 +FS: 00007f6e38b8c4c0(0000) GS:ffff8881b877e000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000055aa7bff1680 CR3: 0000000105cbe000 CR4: 00000000000006f0 +Call Trace: + + mptcp_recvmsg+0x547/0x8c0 net/mptcp/protocol.c:2329 + inet_recvmsg+0x11f/0x130 net/ipv4/af_inet.c:891 + sock_recvmsg+0x94/0xc0 net/socket.c:1100 + __sys_recvfrom+0xb2/0x130 net/socket.c:2256 + __x64_sys_recvfrom+0x1f/0x30 net/socket.c:2267 + do_syscall_64+0x59/0x2d0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x76/0x7e arch/x86/entry/entry_64.S:131 +RIP: 0033:0x7f6e386a4a1d +Code: 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8d 05 f1 de 2c 00 41 89 ca 8b 00 85 c0 75 20 45 31 c9 45 31 c0 b8 2d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 6b f3 c3 66 0f 1f 84 00 00 00 00 00 41 56 41 +RSP: 002b:00007ffc3c4bb078 EFLAGS: 00000246 ORIG_RAX: 000000000000002d +RAX: ffffffffffffffda RBX: 000000000000861e RCX: 00007f6e386a4a1d +RDX: 00000000000003ff RSI: 00007ffc3c4bb150 RDI: 0000000000000004 +RBP: 00007ffc3c4bb570 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000103 R11: 0000000000000246 R12: 00005605dbc00be0 +R13: 00007ffc3c4bb650 R14: 0000000000000000 R15: 0000000000000000 + + +Fixes: 8e04ce45a8db ("mptcp: fix MSG_PEEK stream corruption") +Signed-off-by: Li Xiasong +Reviewed-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260330120335.659027-1-lixiasong1@huawei.com +Signed-off-by: Jakub Kicinski +[ Conflicts in protocol.c, because commit bc68b0efa1bf ("mptcp: move the + whole rx path under msk socket lock protection") and commit + d88b2127b242 ("mptcp: add eat_recv_skb helper") (with some + dependences) are not in this version. These conflicts were in the + context, and not related to this fix. ] +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -1997,7 +1997,7 @@ static int __mptcp_recvmsg_mskq(struct m + struct msghdr *msg, + size_t len, int flags, int copied_total, + struct scm_timestamping_internal *tss, +- int *cmsg_flags) ++ int *cmsg_flags, struct sk_buff **last) + { + struct sk_buff *skb, *tmp; + int total_data_len = 0; +@@ -2013,6 +2013,7 @@ static int __mptcp_recvmsg_mskq(struct m + /* skip already peeked skbs */ + if (total_data_len + data_len <= copied_total) { + total_data_len += data_len; ++ *last = skb; + continue; + } + +@@ -2053,6 +2054,8 @@ static int __mptcp_recvmsg_mskq(struct m + WRITE_ONCE(msk->rmem_released, msk->rmem_released + skb->truesize); + __skb_unlink(skb, &msk->receive_queue); + __kfree_skb(skb); ++ } else { ++ *last = skb; + } + + if (copied >= len) +@@ -2274,10 +2277,12 @@ static int mptcp_recvmsg(struct sock *sk + cmsg_flags = MPTCP_CMSG_INQ; + + while (copied < len) { ++ struct sk_buff *last = NULL; + int err, bytes_read; + + bytes_read = __mptcp_recvmsg_mskq(msk, msg, len - copied, flags, +- copied, &tss, &cmsg_flags); ++ copied, &tss, &cmsg_flags, ++ &last); + if (unlikely(bytes_read < 0)) { + if (!copied) + copied = bytes_read; +@@ -2335,7 +2340,7 @@ static int mptcp_recvmsg(struct sock *sk + + pr_debug("block timeout %ld\n", timeo); + mptcp_cleanup_rbuf(msk, copied); +- err = sk_wait_data(sk, &timeo, NULL); ++ err = sk_wait_data(sk, &timeo, last); + if (err < 0) { + err = copied ? : err; + goto out_err; diff --git a/queue-6.12/net-annotate-data-races-around-sk-sk_-data_ready-write_space.patch b/queue-6.12/net-annotate-data-races-around-sk-sk_-data_ready-write_space.patch new file mode 100644 index 0000000000..30cf5a53c3 --- /dev/null +++ b/queue-6.12/net-annotate-data-races-around-sk-sk_-data_ready-write_space.patch @@ -0,0 +1,245 @@ +From stable+bounces-235979-greg=kroah.com@vger.kernel.org Mon Apr 13 11:40:33 2026 +From: Leon Chen +Date: Mon, 13 Apr 2026 17:40:12 +0800 +Subject: net: annotate data-races around sk->sk_{data_ready,write_space} +To: stable@vger.kernel.org, edumazet@google.com, daniel@iogearbox.net, john.fastabend@gmail.com, jakub@cloudflare.com, willemdebruijn.kernel@gmail.com, kuniyu@google.com, kuba@kernel.org +Message-ID: <20260413094012.10489-1-leonchen.oss@139.com> + +From: Eric Dumazet + +[ Upstream commit 2ef2b20cf4e04ac8a6ba68493f8780776ff84300 ] + +skmsg (and probably other layers) are changing these pointers +while other cpus might read them concurrently. + +Add corresponding READ_ONCE()/WRITE_ONCE() annotations +for UDP, TCP and AF_UNIX. + +Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") +Reported-by: syzbot+87f770387a9e5dc6b79b@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/699ee9fc.050a0220.1cd54b.0009.GAE@google.com/ +Signed-off-by: Eric Dumazet +Cc: Daniel Borkmann +Cc: John Fastabend +Cc: Jakub Sitnicki +Cc: Willem de Bruijn +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20260225131547.1085509-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Leon Chen +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skmsg.c | 14 +++++++------- + net/ipv4/tcp.c | 4 ++-- + net/ipv4/tcp_bpf.c | 2 +- + net/ipv4/tcp_input.c | 14 ++++++++------ + net/ipv4/tcp_minisocks.c | 2 +- + net/ipv4/udp.c | 3 ++- + net/ipv4/udp_bpf.c | 2 +- + net/unix/af_unix.c | 8 ++++---- + 8 files changed, 26 insertions(+), 23 deletions(-) + +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -1204,8 +1204,8 @@ void sk_psock_start_strp(struct sock *sk + return; + + psock->saved_data_ready = sk->sk_data_ready; +- sk->sk_data_ready = sk_psock_strp_data_ready; +- sk->sk_write_space = sk_psock_write_space; ++ WRITE_ONCE(sk->sk_data_ready, sk_psock_strp_data_ready); ++ WRITE_ONCE(sk->sk_write_space, sk_psock_write_space); + } + + void sk_psock_stop_strp(struct sock *sk, struct sk_psock *psock) +@@ -1215,8 +1215,8 @@ void sk_psock_stop_strp(struct sock *sk, + if (!psock->saved_data_ready) + return; + +- sk->sk_data_ready = psock->saved_data_ready; +- psock->saved_data_ready = NULL; ++ WRITE_ONCE(sk->sk_data_ready, psock->saved_data_ready); ++ WRITE_ONCE(psock->saved_data_ready, NULL); + strp_stop(&psock->strp); + } + +@@ -1298,8 +1298,8 @@ void sk_psock_start_verdict(struct sock + return; + + psock->saved_data_ready = sk->sk_data_ready; +- sk->sk_data_ready = sk_psock_verdict_data_ready; +- sk->sk_write_space = sk_psock_write_space; ++ WRITE_ONCE(sk->sk_data_ready, sk_psock_verdict_data_ready); ++ WRITE_ONCE(sk->sk_write_space, sk_psock_write_space); + } + + void sk_psock_stop_verdict(struct sock *sk, struct sk_psock *psock) +@@ -1310,6 +1310,6 @@ void sk_psock_stop_verdict(struct sock * + if (!psock->saved_data_ready) + return; + +- sk->sk_data_ready = psock->saved_data_ready; ++ WRITE_ONCE(sk->sk_data_ready, psock->saved_data_ready); + psock->saved_data_ready = NULL; + } +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -1346,7 +1346,7 @@ out_err: + err = sk_stream_error(sk, flags, err); + /* make sure we wake any epoll edge trigger waiter */ + if (unlikely(tcp_rtx_and_write_queues_empty(sk) && err == -EAGAIN)) { +- sk->sk_write_space(sk); ++ READ_ONCE(sk->sk_write_space)(sk); + tcp_chrono_stop(sk, TCP_CHRONO_SNDBUF_LIMITED); + } + return err; +@@ -4023,7 +4023,7 @@ ao_parse: + break; + case TCP_NOTSENT_LOWAT: + WRITE_ONCE(tp->notsent_lowat, val); +- sk->sk_write_space(sk); ++ READ_ONCE(sk->sk_write_space)(sk); + break; + case TCP_INQ: + if (val > 1 || val < 0) +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -725,7 +725,7 @@ int tcp_bpf_update_proto(struct sock *sk + WRITE_ONCE(sk->sk_prot->unhash, psock->saved_unhash); + tcp_update_ulp(sk, psock->sk_proto, psock->saved_write_space); + } else { +- sk->sk_write_space = psock->saved_write_space; ++ WRITE_ONCE(sk->sk_write_space, psock->saved_write_space); + /* Pairs with lockless read in sk_clone_lock() */ + sock_replace_proto(sk, psock->sk_proto); + } +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -5034,7 +5034,7 @@ static void tcp_data_queue_ofo(struct so + + if (unlikely(tcp_try_rmem_schedule(sk, skb, skb->truesize))) { + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPOFODROP); +- sk->sk_data_ready(sk); ++ READ_ONCE(sk->sk_data_ready)(sk); + tcp_drop_reason(sk, skb, SKB_DROP_REASON_PROTO_MEM); + return; + } +@@ -5241,7 +5241,7 @@ err: + void tcp_data_ready(struct sock *sk) + { + if (tcp_epollin_ready(sk, sk->sk_rcvlowat) || sock_flag(sk, SOCK_DONE)) +- sk->sk_data_ready(sk); ++ READ_ONCE(sk->sk_data_ready)(sk); + } + + static void tcp_data_queue(struct sock *sk, struct sk_buff *skb) +@@ -5297,7 +5297,7 @@ queue_and_out: + inet_csk(sk)->icsk_ack.pending |= + (ICSK_ACK_NOMEM | ICSK_ACK_NOW); + inet_csk_schedule_ack(sk); +- sk->sk_data_ready(sk); ++ READ_ONCE(sk->sk_data_ready)(sk); + + if (skb_queue_len(&sk->sk_receive_queue) && skb->len) { + reason = SKB_DROP_REASON_PROTO_MEM; +@@ -5735,7 +5735,9 @@ static void tcp_new_space(struct sock *s + tp->snd_cwnd_stamp = tcp_jiffies32; + } + +- INDIRECT_CALL_1(sk->sk_write_space, sk_stream_write_space, sk); ++ INDIRECT_CALL_1(READ_ONCE(sk->sk_write_space), ++ sk_stream_write_space, ++ sk); + } + + /* Caller made space either from: +@@ -5941,7 +5943,7 @@ static void tcp_urg(struct sock *sk, str + BUG(); + WRITE_ONCE(tp->urg_data, TCP_URG_VALID | tmp); + if (!sock_flag(sk, SOCK_DEAD)) +- sk->sk_data_ready(sk); ++ READ_ONCE(sk->sk_data_ready)(sk); + } + } + } +@@ -7341,7 +7343,7 @@ int tcp_conn_request(struct request_sock + sock_put(fastopen_sk); + goto drop_and_free; + } +- sk->sk_data_ready(sk); ++ READ_ONCE(sk->sk_data_ready)(sk); + bh_unlock_sock(fastopen_sk); + sock_put(fastopen_sk); + } else { +--- a/net/ipv4/tcp_minisocks.c ++++ b/net/ipv4/tcp_minisocks.c +@@ -928,7 +928,7 @@ enum skb_drop_reason tcp_child_process(s + reason = tcp_rcv_state_process(child, skb); + /* Wakeup parent, send SIGIO */ + if (state == TCP_SYN_RECV && child->sk_state != state) +- parent->sk_data_ready(parent); ++ READ_ONCE(parent->sk_data_ready)(parent); + } else { + /* Alas, it is possible again, because we do lookup + * in main socket hash table and lock on listening +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1622,7 +1622,8 @@ int __udp_enqueue_schedule_skb(struct so + spin_unlock(&list->lock); + + if (!sock_flag(sk, SOCK_DEAD)) +- INDIRECT_CALL_1(sk->sk_data_ready, sock_def_readable, sk); ++ INDIRECT_CALL_1(READ_ONCE(sk->sk_data_ready), ++ sock_def_readable, sk); + + busylock_release(busy); + return 0; +--- a/net/ipv4/udp_bpf.c ++++ b/net/ipv4/udp_bpf.c +@@ -158,7 +158,7 @@ int udp_bpf_update_proto(struct sock *sk + int family = sk->sk_family == AF_INET ? UDP_BPF_IPV4 : UDP_BPF_IPV6; + + if (restore) { +- sk->sk_write_space = psock->saved_write_space; ++ WRITE_ONCE(sk->sk_write_space, psock->saved_write_space); + sock_replace_proto(sk, psock->sk_proto); + return 0; + } +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -1707,7 +1707,7 @@ restart: + __skb_queue_tail(&other->sk_receive_queue, skb); + spin_unlock(&other->sk_receive_queue.lock); + unix_state_unlock(other); +- other->sk_data_ready(other); ++ READ_ONCE(other->sk_data_ready)(other); + sock_put(other); + return 0; + +@@ -2175,7 +2175,7 @@ restart_locked: + scm_stat_add(other, skb); + skb_queue_tail(&other->sk_receive_queue, skb); + unix_state_unlock(other); +- other->sk_data_ready(other); ++ READ_ONCE(other->sk_data_ready)(other); + sock_put(other); + scm_destroy(&scm); + return len; +@@ -2243,7 +2243,7 @@ static int queue_oob(struct socket *sock + + sk_send_sigurg(other); + unix_state_unlock(other); +- other->sk_data_ready(other); ++ READ_ONCE(other->sk_data_ready)(other); + + return err; + } +@@ -2354,7 +2354,7 @@ static int unix_stream_sendmsg(struct so + scm_stat_add(other, skb); + skb_queue_tail(&other->sk_receive_queue, skb); + unix_state_unlock(other); +- other->sk_data_ready(other); ++ READ_ONCE(other->sk_data_ready)(other); + sent += size; + } + diff --git a/queue-6.12/revert-mptcp-add-needs_id-for-netlink-appending-addr.patch b/queue-6.12/revert-mptcp-add-needs_id-for-netlink-appending-addr.patch new file mode 100644 index 0000000000..bd4bc215cc --- /dev/null +++ b/queue-6.12/revert-mptcp-add-needs_id-for-netlink-appending-addr.patch @@ -0,0 +1,109 @@ +From stable+bounces-235814-greg=kroah.com@vger.kernel.org Sun Apr 12 14:54:58 2026 +From: Sasha Levin +Date: Sun, 12 Apr 2026 08:54:51 -0400 +Subject: Revert "mptcp: add needs_id for netlink appending addr" +To: stable@vger.kernel.org +Cc: "Matthieu Baerts (NGI0)" , Geliang Tang , Jakub Kicinski , Sasha Levin +Message-ID: <20260412125451.2218427-1-sashal@kernel.org> + +From: "Matthieu Baerts (NGI0)" + +[ Upstream commit 8e2760eaab778494fc1fa257031e0e1799647f46 ] + +This commit was originally adding the ability to add MPTCP endpoints +with ID 0 by accident. The in-kernel PM, handling MPTCP endpoints at the +net namespace level, is not supposed to handle endpoints with such ID, +because this ID 0 is reserved to the initial subflow, as mentioned in +the MPTCPv1 protocol [1], a per-connection setting. + +Note that 'ip mptcp endpoint add id 0' stops early with an error, but +other tools might still request the in-kernel PM to create MPTCP +endpoints with this restricted ID 0. + +In other words, it was wrong to call the mptcp_pm_has_addr_attr_id +helper to check whether the address ID attribute is set: if it was set +to 0, a new MPTCP endpoint would be created with ID 0, which is not +expected, and might cause various issues later. + +Fixes: 584f38942626 ("mptcp: add needs_id for netlink appending addr") +Cc: stable@vger.kernel.org +Link: https://datatracker.ietf.org/doc/html/rfc8684#section-3.2-9 [1] +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260407-net-mptcp-revert-pm-needs-id-v2-1-7a25cbc324f8@kernel.org +Signed-off-by: Jakub Kicinski +[ applied changes to net/mptcp/pm_netlink.c instead of renamed net/mptcp/pm_kernel.c ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 24 +++++------------------- + 1 file changed, 5 insertions(+), 19 deletions(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -1076,7 +1076,7 @@ static void __mptcp_pm_release_addr_entr + + static int mptcp_pm_nl_append_new_local_addr(struct pm_nl_pernet *pernet, + struct mptcp_pm_addr_entry *entry, +- bool needs_id, bool replace) ++ bool replace) + { + struct mptcp_pm_addr_entry *cur, *del_entry = NULL; + unsigned int addr_max; +@@ -1135,7 +1135,7 @@ static int mptcp_pm_nl_append_new_local_ + } + } + +- if (!entry->addr.id && needs_id) { ++ if (!entry->addr.id) { + find_next: + entry->addr.id = find_next_zero_bit(pernet->id_bitmap, + MPTCP_PM_MAX_ADDR_ID + 1, +@@ -1146,7 +1146,7 @@ find_next: + } + } + +- if (!entry->addr.id && needs_id) ++ if (!entry->addr.id) + goto out; + + __set_bit(entry->addr.id, pernet->id_bitmap); +@@ -1279,7 +1279,7 @@ int mptcp_pm_nl_get_local_id(struct mptc + entry->ifindex = 0; + entry->flags = MPTCP_PM_ADDR_FLAG_IMPLICIT; + entry->lsk = NULL; +- ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, true, false); ++ ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, false); + if (ret < 0) + kfree(entry); + +@@ -1498,18 +1498,6 @@ next: + return 0; + } + +-static bool mptcp_pm_has_addr_attr_id(const struct nlattr *attr, +- struct genl_info *info) +-{ +- struct nlattr *tb[MPTCP_PM_ADDR_ATTR_MAX + 1]; +- +- if (!nla_parse_nested_deprecated(tb, MPTCP_PM_ADDR_ATTR_MAX, attr, +- mptcp_pm_address_nl_policy, info->extack) && +- tb[MPTCP_PM_ADDR_ATTR_ID]) +- return true; +- return false; +-} +- + int mptcp_pm_nl_add_addr_doit(struct sk_buff *skb, struct genl_info *info) + { + struct nlattr *attr = info->attrs[MPTCP_PM_ENDPOINT_ADDR]; +@@ -1551,9 +1539,7 @@ int mptcp_pm_nl_add_addr_doit(struct sk_ + goto out_free; + } + } +- ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, +- !mptcp_pm_has_addr_attr_id(attr, info), +- true); ++ ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, true); + if (ret < 0) { + GENL_SET_ERR_MSG_FMT(info, "too many addresses or duplicate one: %d", ret); + goto out_free; diff --git a/queue-6.12/sched_ext-fix-stale-direct-dispatch-state-in-ddsp_dsq_id.patch b/queue-6.12/sched_ext-fix-stale-direct-dispatch-state-in-ddsp_dsq_id.patch new file mode 100644 index 0000000000..c73ad0a262 --- /dev/null +++ b/queue-6.12/sched_ext-fix-stale-direct-dispatch-state-in-ddsp_dsq_id.patch @@ -0,0 +1,179 @@ +From stable+bounces-233913-greg=kroah.com@vger.kernel.org Wed Apr 8 15:47:08 2026 +From: Sasha Levin +Date: Wed, 8 Apr 2026 09:44:09 -0400 +Subject: sched_ext: Fix stale direct dispatch state in ddsp_dsq_id +To: stable@vger.kernel.org +Cc: Andrea Righi , Daniel Hodges , Patrick Somaru , Tejun Heo , Sasha Levin +Message-ID: <20260408134409.1100876-1-sashal@kernel.org> + +From: Andrea Righi + +[ Upstream commit 7e0ffb72de8aa3b25989c2d980e81b829c577010 ] + +@p->scx.ddsp_dsq_id can be left set (non-SCX_DSQ_INVALID) triggering a +spurious warning in mark_direct_dispatch() when the next wakeup's +ops.select_cpu() calls scx_bpf_dsq_insert(), such as: + + WARNING: kernel/sched/ext.c:1273 at scx_dsq_insert_commit+0xcd/0x140 + +The root cause is that ddsp_dsq_id was only cleared in dispatch_enqueue(), +which is not reached in all paths that consume or cancel a direct dispatch +verdict. + +Fix it by clearing it at the right places: + + - direct_dispatch(): cache the direct dispatch state in local variables + and clear it before dispatch_enqueue() on the synchronous path. For + the deferred path, the direct dispatch state must remain set until + process_ddsp_deferred_locals() consumes them. + + - process_ddsp_deferred_locals(): cache the dispatch state in local + variables and clear it before calling dispatch_to_local_dsq(), which + may migrate the task to another rq. + + - do_enqueue_task(): clear the dispatch state on the enqueue path + (local/global/bypass fallbacks), where the direct dispatch verdict is + ignored. + + - dequeue_task_scx(): clear the dispatch state after dispatch_dequeue() + to handle both the deferred dispatch cancellation and the holding_cpu + race, covering all cases where a pending direct dispatch is + cancelled. + + - scx_disable_task(): clear the direct dispatch state when + transitioning a task out of the current scheduler. Waking tasks may + have had the direct dispatch state set by the outgoing scheduler's + ops.select_cpu() and then been queued on a wake_list via + ttwu_queue_wakelist(), when SCX_OPS_ALLOW_QUEUED_WAKEUP is set. Such + tasks are not on the runqueue and are not iterated by scx_bypass(), + so their direct dispatch state won't be cleared. Without this clear, + any subsequent SCX scheduler that tries to direct dispatch the task + will trigger the WARN_ON_ONCE() in mark_direct_dispatch(). + +Fixes: 5b26f7b920f7 ("sched_ext: Allow SCX_DSQ_LOCAL_ON for direct dispatches") +Cc: stable@vger.kernel.org # v6.12+ +Cc: Daniel Hodges +Cc: Patrick Somaru +Signed-off-by: Andrea Righi +Signed-off-by: Tejun Heo +[ adapted function signatures and code paths ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/ext.c | 48 ++++++++++++++++++++++++++++++++++++------------ + 1 file changed, 36 insertions(+), 12 deletions(-) + +--- a/kernel/sched/ext.c ++++ b/kernel/sched/ext.c +@@ -1782,15 +1782,6 @@ static void dispatch_enqueue(struct scx_ + p->scx.dsq = dsq; + + /* +- * scx.ddsp_dsq_id and scx.ddsp_enq_flags are only relevant on the +- * direct dispatch path, but we clear them here because the direct +- * dispatch verdict may be overridden on the enqueue path during e.g. +- * bypass. +- */ +- p->scx.ddsp_dsq_id = SCX_DSQ_INVALID; +- p->scx.ddsp_enq_flags = 0; +- +- /* + * We're transitioning out of QUEUEING or DISPATCHING. store_release to + * match waiters' load_acquire. + */ +@@ -1930,11 +1921,33 @@ static void mark_direct_dispatch(struct + p->scx.ddsp_enq_flags = enq_flags; + } + ++/* ++ * Clear @p direct dispatch state when leaving the scheduler. ++ * ++ * Direct dispatch state must be cleared in the following cases: ++ * - direct_dispatch(): cleared on the synchronous enqueue path, deferred ++ * dispatch keeps the state until consumed ++ * - process_ddsp_deferred_locals(): cleared after consuming deferred state, ++ * - do_enqueue_task(): cleared on enqueue fallbacks where the dispatch ++ * verdict is ignored (local/global/bypass) ++ * - dequeue_task_scx(): cleared after dispatch_dequeue(), covering deferred ++ * cancellation and holding_cpu races ++ * - scx_disable_task(): cleared for queued wakeup tasks, which are excluded by ++ * the scx_bypass() loop, so that stale state is not reused by a subsequent ++ * scheduler instance ++ */ ++static inline void clear_direct_dispatch(struct task_struct *p) ++{ ++ p->scx.ddsp_dsq_id = SCX_DSQ_INVALID; ++ p->scx.ddsp_enq_flags = 0; ++} ++ + static void direct_dispatch(struct task_struct *p, u64 enq_flags) + { + struct rq *rq = task_rq(p); + struct scx_dispatch_q *dsq = + find_dsq_for_dispatch(rq, p->scx.ddsp_dsq_id, p); ++ u64 ddsp_enq_flags; + + touch_core_sched_dispatch(rq, p); + +@@ -1975,7 +1988,10 @@ static void direct_dispatch(struct task_ + return; + } + +- dispatch_enqueue(dsq, p, p->scx.ddsp_enq_flags | SCX_ENQ_CLEAR_OPSS); ++ ddsp_enq_flags = p->scx.ddsp_enq_flags; ++ clear_direct_dispatch(p); ++ ++ dispatch_enqueue(dsq, p, ddsp_enq_flags | SCX_ENQ_CLEAR_OPSS); + } + + static bool scx_rq_online(struct rq *rq) +@@ -2060,12 +2076,14 @@ local: + touch_core_sched(rq, p); + p->scx.slice = SCX_SLICE_DFL; + local_norefill: ++ clear_direct_dispatch(p); + dispatch_enqueue(&rq->scx.local_dsq, p, enq_flags); + return; + + global: + touch_core_sched(rq, p); /* see the comment in local: */ + p->scx.slice = SCX_SLICE_DFL; ++ clear_direct_dispatch(p); + dispatch_enqueue(find_global_dsq(p), p, enq_flags); + } + +@@ -2225,6 +2243,7 @@ static bool dequeue_task_scx(struct rq * + sub_nr_running(rq, 1); + + dispatch_dequeue(rq, p); ++ clear_direct_dispatch(p); + return true; + } + +@@ -2905,12 +2924,15 @@ static void process_ddsp_deferred_locals + while ((p = list_first_entry_or_null(&rq->scx.ddsp_deferred_locals, + struct task_struct, scx.dsq_list.node))) { + struct scx_dispatch_q *dsq; ++ u64 dsq_id = p->scx.ddsp_dsq_id; ++ u64 enq_flags = p->scx.ddsp_enq_flags; + + list_del_init(&p->scx.dsq_list.node); ++ clear_direct_dispatch(p); + +- dsq = find_dsq_for_dispatch(rq, p->scx.ddsp_dsq_id, p); ++ dsq = find_dsq_for_dispatch(rq, dsq_id, p); + if (!WARN_ON_ONCE(dsq->id != SCX_DSQ_LOCAL)) +- dispatch_to_local_dsq(rq, dsq, p, p->scx.ddsp_enq_flags); ++ dispatch_to_local_dsq(rq, dsq, p, enq_flags); + } + } + +@@ -3707,6 +3729,8 @@ static void scx_ops_disable_task(struct + lockdep_assert_rq_held(task_rq(p)); + WARN_ON_ONCE(scx_get_task_state(p) != SCX_TASK_ENABLED); + ++ clear_direct_dispatch(p); ++ + if (SCX_HAS_OP(disable)) + SCX_CALL_OP_TASK(SCX_KF_REST, disable, p); + scx_set_task_state(p, SCX_TASK_READY); diff --git a/queue-6.12/series b/queue-6.12/series index 0ad51ccfbf..8d78718007 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -21,3 +21,10 @@ btrfs-fix-incorrect-return-value-after-changing-leaf.patch blktrace-fix-__this_cpu_read-write-in-preemptible-co.patch nfc-nci-complete-pending-data-exchange-on-device-clo.patch arm64-dts-renesas-white-hawk-cpu-common-add-pin-control-for-dsi-edp-irq.patch +misc-fastrpc-check-qcom_scm_assign_mem-return-in-rpmsg_probe.patch +sched_ext-fix-stale-direct-dispatch-state-in-ddsp_dsq_id.patch +revert-mptcp-add-needs_id-for-netlink-appending-addr.patch +net-annotate-data-races-around-sk-sk_-data_ready-write_space.patch +mptcp-fix-soft-lockup-in-mptcp_recvmsg.patch +loongarch-remove-unnecessary-checks-for-orc-unwinder.patch +loongarch-handle-percpu-handler-address-for-orc-unwinder.patch