From: Sasha Levin Date: Mon, 25 May 2026 15:33:30 +0000 (-0400) Subject: Fixes for all trees X-Git-Tag: v5.10.258~61 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dc6ea6c076bd4c4684e43622b671ff46150534f3;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for all trees Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/net-dsa-sja1105-fix-kasan-out-of-bounds-warning-in-s.patch b/queue-5.10/net-dsa-sja1105-fix-kasan-out-of-bounds-warning-in-s.patch new file mode 100644 index 0000000000..215518e3f4 --- /dev/null +++ b/queue-5.10/net-dsa-sja1105-fix-kasan-out-of-bounds-warning-in-s.patch 
@@ -0,0 +1,51 @@ +From 1834e864b53093eaed20538810146ff0736be0a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 13:57:16 +0200 +Subject: net: dsa: sja1105: fix kasan out-of-bounds warning in + sja1105_table_delete_entry() + +From: Vladimir Oltean + +[ Upstream commit 5f2b28b79d2d1946ee36ad8b3dc0066f73c90481 ] + +There are actually 2 problems: +- deleting the last element doesn't require the memmove of elements + [i + 1, end) over it. Actually, element i+1 is out of bounds. +- The memmove itself should move size - i - 1 elements, because the last + element is out of bounds. + +The out-of-bounds element still remains out of bounds after being +accessed, so the problem is only that we touch it, not that it becomes +in active use. But I suppose it can lead to issues if the out-of-bounds +element is part of an unmapped page. + +Fixes: 6666cebc5e30 ("net: dsa: sja1105: Add support for VLAN operations") +Signed-off-by: Vladimir Oltean +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250318115716.2124395-4-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/sja1105/sja1105_static_config.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/sja1105/sja1105_static_config.c b/drivers/net/dsa/sja1105/sja1105_static_config.c +index 139b7b4fbd0d5..a348705174fa5 100644 +--- a/drivers/net/dsa/sja1105/sja1105_static_config.c ++++ b/drivers/net/dsa/sja1105/sja1105_static_config.c +@@ -1439,8 +1439,10 @@ int sja1105_table_delete_entry(struct sja1105_table *table, int i) + if (i > table->entry_count) + return -ERANGE; + +- memmove(entries + i * entry_size, entries + (i + 1) * entry_size, +- (table->entry_count - i) * entry_size); ++ if (i + 1 < table->entry_count) { ++ memmove(entries + i * entry_size, entries + (i + 1) * entry_size, ++ (table->entry_count - i - 1) * entry_size); ++ } + + table->entry_count--; + +-- +2.53.0 + 
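Review bot: the guard added at 1439 fixes the over-read for i == entry_count - 1, but the range check left in context, `if (i > table->entry_count) return -ERANGE;`, still admits i == table->entry_count, an index one past the last entry: with the new condition the memmove is skipped and `table->entry_count--` then silently drops the real last entry instead of rejecting the call (and for an empty table i == 0 passes the check and the count is decremented anyway). Suggest tightening it to `if (i >= table->entry_count)` in the same change, since it is the same off-by-one the commit message describes.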
diff --git a/queue-5.10/series b/queue-5.10/series index 07a3e8f738..86f1c0855e 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -528,3 +528,4 @@ net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch s390-debug-reject-zero-length-input-before-trimming-.patch selftests-lib.mk-also-install-config-and-settings.patch revert-x86-vdso-fix-output-operand-size-of-rdpid.patch +net-dsa-sja1105-fix-kasan-out-of-bounds-warning-in-s.patch diff --git a/queue-5.15/kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-.patch b/queue-5.15/kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-.patch new file mode 100644 index 0000000000..1c3a97b214 --- /dev/null +++ b/queue-5.15/kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-.patch 
@@ -0,0 +1,91 @@ +From eeb417a5f448b68e4744682ab647e2db8a736188 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 May 2026 17:14:27 +0800 +Subject: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory + accesses + +From: Sean Christopherson + +commit ef01cac401f18647d62720cf773d7bb0541827da upstream. + +Acquire a lock on kvm->srcu when userspace is getting MP state to handle a +rather extreme edge case where "accepting" APIC events, i.e. processing +pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU +is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP +state will trigger a nested VM-Exit by way of ->check_nested_events(), and +emuating the nested VM-Exit can access guest memory. + +The splat was originally hit by syzkaller on a Google-internal kernel, and +reproduced on an upstream kernel by hacking the triple_fault_event_test +selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a +memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario. + + ============================= + WARNING: suspicious RCU usage + 6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted + ----------------------------- + include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage! 
+ + other info that might help us debug this: + + rcu_scheduler_active = 2, debug_locks = 1 + 1 lock held by triple_fault_ev/1256: + #0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm] + + stack backtrace: + CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 + Call Trace: + + dump_stack_lvl+0x7f/0x90 + lockdep_rcu_suspicious+0x144/0x190 + kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm] + kvm_vcpu_read_guest+0x3e/0x90 [kvm] + read_and_check_msr_entry+0x2e/0x180 [kvm_intel] + __nested_vmx_vmexit+0x550/0xde0 [kvm_intel] + kvm_check_nested_events+0x1b/0x30 [kvm] + kvm_apic_accept_events+0x33/0x100 [kvm] + kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm] + kvm_vcpu_ioctl+0x33e/0x9a0 [kvm] + __x64_sys_ioctl+0x8b/0xb0 + do_syscall_64+0x6c/0x170 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + + +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-ID: <20250401150504.829812-1-seanjc@google.com> +Signed-off-by: Paolo Bonzini +[ Based on kernel 5.15 available functions, using srcu_read_lock/srcu_read_unlock instead of +kvm_vcpu_srcu_read_lock/kvm_vcpu_srcu_read_unlock ] +Signed-off-by: Rajani Kantha <681739313@139.com> +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/x86.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index a22cd6c0eb0d4..bbfc8ccf4fcd9 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -10617,6 +10617,8 @@ int kvm_arch_vcpu_ioctl_get_mpstate(struct kvm_vcpu *vcpu, + if (kvm_mpx_supported()) + kvm_load_guest_fpu(vcpu); + ++ vcpu->srcu_idx = srcu_read_lock(&vcpu->kvm->srcu); ++ + r = kvm_apic_accept_events(vcpu); + if (r < 0) + goto out; +@@ -10630,6 +10632,8 @@ int kvm_arch_vcpu_ioctl_get_mpstate(struct kvm_vcpu *vcpu, + mp_state->mp_state = vcpu->arch.mp_state; + + out: ++ srcu_read_unlock(&vcpu->kvm->srcu, vcpu->srcu_idx); ++ + if 
(kvm_mpx_supported()) + kvm_put_guest_fpu(vcpu); + vcpu_put(vcpu); +-- +2.53.0 + diff --git a/queue-5.15/net-dsa-sja1105-fix-kasan-out-of-bounds-warning-in-s.patch b/queue-5.15/net-dsa-sja1105-fix-kasan-out-of-bounds-warning-in-s.patch new file mode 100644 index 0000000000..c59ed11ec0 --- /dev/null +++ b/queue-5.15/net-dsa-sja1105-fix-kasan-out-of-bounds-warning-in-s.patch 
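Review bot: in the KVM_GET_MP_STATE backport above, the srcu_read_lock at 10617 and the srcu_read_unlock at `out:` (10632) sit in separate hunks with the lines between them not shown; the backport is only correct if every exit between the two passes through `out:` and nothing before the lock jumps to `out:`, otherwise the read side is leaked or an index that was never taken is released. Worth stating in the backport note ("[ Based on kernel 5.15 available functions ... ]") that this was checked, because the open-coded srcu_read_lock/srcu_read_unlock pair used here has no nesting bookkeeping to catch a mismatch.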
@@ -0,0 +1,52 @@ +From 80e54a7e0738675e793e695aff4c8c87adbf2c87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 May 2026 11:18:40 +0800 +Subject: net: dsa: sja1105: fix kasan out-of-bounds warning in + sja1105_table_delete_entry() + +From: Vladimir Oltean + +[ Upstream commit 5f2b28b79d2d1946ee36ad8b3dc0066f73c90481 ] + +There are actually 2 problems: +- deleting the last element doesn't require the memmove of elements + [i + 1, end) over it. Actually, element i+1 is out of bounds. +- The memmove itself should move size - i - 1 elements, because the last + element is out of bounds. + +The out-of-bounds element still remains out of bounds after being +accessed, so the problem is only that we touch it, not that it becomes +in active use. But I suppose it can lead to issues if the out-of-bounds +element is part of an unmapped page. + +Fixes: 6666cebc5e30 ("net: dsa: sja1105: Add support for VLAN operations") +Signed-off-by: Vladimir Oltean +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250318115716.2124395-4-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Rajani Kantha <681739313@139.com> +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/sja1105/sja1105_static_config.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/sja1105/sja1105_static_config.c b/drivers/net/dsa/sja1105/sja1105_static_config.c +index baba204ad62f6..2ac91fe2a79bc 100644 +--- a/drivers/net/dsa/sja1105/sja1105_static_config.c ++++ b/drivers/net/dsa/sja1105/sja1105_static_config.c +@@ -1921,8 +1921,10 @@ int sja1105_table_delete_entry(struct sja1105_table *table, int i) + if (i > table->entry_count) + return -ERANGE; + +- memmove(entries + i * entry_size, entries + (i + 1) * entry_size, +- (table->entry_count - i) * entry_size); ++ if (i + 1 < table->entry_count) { ++ memmove(entries + i * entry_size, entries + (i + 1) * entry_size, ++ (table->entry_count - i - 1) * entry_size); ++ } + + table->entry_count--; 
+ +-- +2.53.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 4dc6405915..c8a17212b9 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -675,3 +675,6 @@ net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch io_uring-prevent-opcode-speculation.patch s390-debug-reject-zero-length-input-before-trimming-.patch revert-x86-vdso-fix-output-operand-size-of-rdpid.patch +net-dsa-sja1105-fix-kasan-out-of-bounds-warning-in-s.patch +wifi-mac80211-check-tdls-flag-in-ieee80211_tdls_oper.patch +kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-.patch diff --git a/queue-5.15/wifi-mac80211-check-tdls-flag-in-ieee80211_tdls_oper.patch b/queue-5.15/wifi-mac80211-check-tdls-flag-in-ieee80211_tdls_oper.patch new file mode 100644 index 0000000000..124a39d40b --- /dev/null +++ b/queue-5.15/wifi-mac80211-check-tdls-flag-in-ieee80211_tdls_oper.patch 
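Review bot: in the 5.15 copy of the sja1105 fix, the new `i + 1 < table->entry_count` guard at 1921 turns i == table->entry_count (still accepted by the `i > table->entry_count` check kept in context) into a skipped memmove followed by an unconditional `table->entry_count--`, removing the last real entry for an index that does not exist; the -ERANGE check should use `>=`.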
@@ -0,0 +1,48 @@ +From cb6b65960bc1236949c73f9d152343ce627ba612 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 May 2026 14:03:36 +0800 +Subject: wifi: mac80211: check tdls flag in ieee80211_tdls_oper + +From: Deepanshu Kartikey + +[ Upstream commit 7d73872d949c488a1d7c308031d6a9d89b5e0a8b ] + +When NL80211_TDLS_ENABLE_LINK is called, the code only checks if the +station exists but not whether it is actually a TDLS station. This +allows the operation to proceed for non-TDLS stations, causing +unintended side effects like modifying channel context and HT +protection before failing. + +Add a check for sta->sta.tdls early in the ENABLE_LINK case, before +any side effects occur, to ensure the operation is only allowed for +actual TDLS peers. + +Reported-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=56b6a844a4ea74487b7b +Tested-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com +Suggested-by: Johannes Berg +Signed-off-by: Deepanshu Kartikey +Link: https://patch.msgid.link/20260313092417.520807-1-kartikey406@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Sasha Levin +--- + net/mac80211/tdls.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c +index c2d7479c119af..d25dfeb347f24 100644 +--- a/net/mac80211/tdls.c ++++ b/net/mac80211/tdls.c +@@ -1380,7 +1380,7 @@ int ieee80211_tdls_oper(struct wiphy *wiphy, struct net_device *dev, + + mutex_lock(&local->sta_mtx); + sta = sta_info_get(sdata, peer); +- if (!sta) { ++ if (!sta || !sta->sta.tdls) { + mutex_unlock(&local->sta_mtx); + ret = -ENOLINK; + break; +-- +2.53.0 + diff --git a/queue-6.1/series b/queue-6.1/series index e2ffbe3cbd..2d89ee749e 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
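Review bot: the `!sta || !sta->sta.tdls` check at 1380 returns -ENOLINK for both a missing station and a non-TDLS one, so userspace cannot tell the two apart; acceptable since it reuses the existing error path, but a one-line comment above the condition stating that ENABLE_LINK must only run for TDLS peers (the reason given in the commit message) would keep it from reading as a plain existence test. Placing the check under sta_mtx and before any channel-context or HT-protection change is the right spot.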
@@ -832,3 +832,4 @@ io-wq-check-that-the-predecessor-is-hashed-in-io_wq_remove_pending.patch net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch io_uring-prevent-opcode-speculation.patch s390-debug-reject-zero-length-input-before-trimming-.patch +wifi-mac80211-check-tdls-flag-in-ieee80211_tdls_oper.patch diff --git a/queue-6.1/wifi-mac80211-check-tdls-flag-in-ieee80211_tdls_oper.patch b/queue-6.1/wifi-mac80211-check-tdls-flag-in-ieee80211_tdls_oper.patch new file mode 100644 index 0000000000..5180a8081f --- /dev/null +++ b/queue-6.1/wifi-mac80211-check-tdls-flag-in-ieee80211_tdls_oper.patch 
@@ -0,0 +1,48 @@ +From c9cadc7f98fa5ef27d2684efa3ce9e4e72da49fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 May 2026 13:48:54 +0800 +Subject: wifi: mac80211: check tdls flag in ieee80211_tdls_oper + +From: Deepanshu Kartikey + +[ Upstream commit 7d73872d949c488a1d7c308031d6a9d89b5e0a8b ] + +When NL80211_TDLS_ENABLE_LINK is called, the code only checks if the +station exists but not whether it is actually a TDLS station. This +allows the operation to proceed for non-TDLS stations, causing +unintended side effects like modifying channel context and HT +protection before failing. + +Add a check for sta->sta.tdls early in the ENABLE_LINK case, before +any side effects occur, to ensure the operation is only allowed for +actual TDLS peers. + +Reported-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=56b6a844a4ea74487b7b +Tested-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com +Suggested-by: Johannes Berg +Signed-off-by: Deepanshu Kartikey +Link: https://patch.msgid.link/20260313092417.520807-1-kartikey406@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Sasha Levin +--- + net/mac80211/tdls.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c +index 1f07b598a6a17..57bd4fc8d2375 100644 +--- a/net/mac80211/tdls.c ++++ b/net/mac80211/tdls.c +@@ -1382,7 +1382,7 @@ int ieee80211_tdls_oper(struct wiphy *wiphy, struct net_device *dev, + + mutex_lock(&local->sta_mtx); + sta = sta_info_get(sdata, peer); +- if (!sta) { ++ if (!sta || !sta->sta.tdls) { + mutex_unlock(&local->sta_mtx); + ret = -ENOLINK; + break; +-- +2.53.0 + diff --git a/queue-6.12/bridge-mrp-reject-zero-test-interval-to-avoid-oom-pa.patch b/queue-6.12/bridge-mrp-reject-zero-test-interval-to-avoid-oom-pa.patch new file mode 100644 index 0000000000..afd13c65cd --- /dev/null 
+++ b/queue-6.12/bridge-mrp-reject-zero-test-interval-to-avoid-oom-pa.patch 
@@ -0,0 +1,66 @@ +From 1cf6917bdd1d2678c63ceae22e40b5903121fa79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2026 23:30:00 -0700 +Subject: bridge: mrp: reject zero test interval to avoid OOM panic + +From: Xiang Mei + +[ Upstream commit fa6e24963342de4370e3a3c9af41e38277b74cf3 ] + +br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied +interval value from netlink without validation. When interval is 0, +usecs_to_jiffies(0) yields 0, causing the delayed work +(br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule +itself with zero delay. This creates a tight loop on system_percpu_wq +that allocates and transmits MRP test frames at maximum rate, exhausting +all system memory and causing a kernel panic via OOM deadlock. + +The same zero-interval issue applies to br_mrp_start_in_test_parse() +for interconnect test frames. + +Use NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both +IFLA_BRIDGE_MRP_START_TEST_INTERVAL and +IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the +netlink attribute parsing layer before the value ever reaches the +workqueue scheduling code. This is consistent with how other bridge +subsystems (br_fdb, br_mst) enforce range constraints on netlink +attributes. 
+ +Fixes: 20f6a05ef635 ("bridge: mrp: Rework the MRP netlink interface") +Fixes: 7ab1748e4ce6 ("bridge: mrp: Extend MRP netlink interface for configuring MRP interconnect") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Acked-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20260328063000.1845376-1-xmei5@asu.edu +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/bridge/br_mrp_netlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/bridge/br_mrp_netlink.c b/net/bridge/br_mrp_netlink.c +index ce6f63c77cc0a..86f0e75d6e345 100644 +--- a/net/bridge/br_mrp_netlink.c ++++ b/net/bridge/br_mrp_netlink.c +@@ -196,7 +196,7 @@ static const struct nla_policy + br_mrp_start_test_policy[IFLA_BRIDGE_MRP_START_TEST_MAX + 1] = { + [IFLA_BRIDGE_MRP_START_TEST_UNSPEC] = { .type = NLA_REJECT }, + [IFLA_BRIDGE_MRP_START_TEST_RING_ID] = { .type = NLA_U32 }, +- [IFLA_BRIDGE_MRP_START_TEST_INTERVAL] = { .type = NLA_U32 }, ++ [IFLA_BRIDGE_MRP_START_TEST_INTERVAL] = NLA_POLICY_MIN(NLA_U32, 1), + [IFLA_BRIDGE_MRP_START_TEST_MAX_MISS] = { .type = NLA_U32 }, + [IFLA_BRIDGE_MRP_START_TEST_PERIOD] = { .type = NLA_U32 }, + [IFLA_BRIDGE_MRP_START_TEST_MONITOR] = { .type = NLA_U32 }, +@@ -316,7 +316,7 @@ static const struct nla_policy + br_mrp_start_in_test_policy[IFLA_BRIDGE_MRP_START_IN_TEST_MAX + 1] = { + [IFLA_BRIDGE_MRP_START_IN_TEST_UNSPEC] = { .type = NLA_REJECT }, + [IFLA_BRIDGE_MRP_START_IN_TEST_IN_ID] = { .type = NLA_U32 }, +- [IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL] = { .type = NLA_U32 }, ++ [IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL] = NLA_POLICY_MIN(NLA_U32, 1), + [IFLA_BRIDGE_MRP_START_IN_TEST_MAX_MISS] = { .type = NLA_U32 }, + [IFLA_BRIDGE_MRP_START_IN_TEST_PERIOD] = { .type = NLA_U32 }, + }; +-- +2.53.0 + diff --git a/queue-6.12/series b/queue-6.12/series index f136b34c99..b7ea8babb3 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
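Review bot: the rationale for `NLA_POLICY_MIN(NLA_U32, 1)` on the two INTERVAL attributes (196, 316) lives only in the commit message; a short comment in each policy table noting that an interval of 0 would make the delayed work reschedule itself with zero delay would keep a later cleanup from "simplifying" it back to `{ .type = NLA_U32 }`. With the minimum in place, usecs_to_jiffies(1) still rounds up to one jiffy, so the smallest accepted value no longer yields a zero-delay loop.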
@@ -9,3 +9,5 @@ revert-perf-cgroup-update-metric-leader-in-evlist__e.patch revert-perf-tool_pmu-fix-aggregation-on-duration_tim.patch revert-perf-python-add-parse_events-function.patch revert-perf-tool_pmu-factor-tool-events-into-their-o.patch +bridge-mrp-reject-zero-test-interval-to-avoid-oom-pa.patch +spi-spi-dw-dma-fix-print-error-log-when-wait-finish-.patch diff --git a/queue-6.12/spi-spi-dw-dma-fix-print-error-log-when-wait-finish-.patch b/queue-6.12/spi-spi-dw-dma-fix-print-error-log-when-wait-finish-.patch new file mode 100644 index 0000000000..9cff2b022c --- /dev/null +++ b/queue-6.12/spi-spi-dw-dma-fix-print-error-log-when-wait-finish-.patch @@ -0,0 +1,38 @@ +From a4fd8a4cee6e9673f6f408b806b6635f68590a61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2026 01:20:17 +0300 +Subject: spi: spi-dw-dma: fix print error log when wait finish transaction + +From: Vladimir Yakovlev + +[ Upstream commit 3b46d61890632c8f8b117147b6923bff4b42ccb7 ] + +If an error occurs, the device may not have a current message. In this +case, the system will crash. + +In this case, it's better to use dev from the struct ctlr (struct spi_controller*). + +Signed-off-by: Vladimir Yakovlev +Link: https://patch.msgid.link/20260302222017.992228-2-vovchkir@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-dw-dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-dw-dma.c b/drivers/spi/spi-dw-dma.c +index f4c209e5f52ba..4104e1bc2d5bd 100644 +--- a/drivers/spi/spi-dw-dma.c ++++ b/drivers/spi/spi-dw-dma.c +@@ -271,7 +271,7 @@ static int dw_spi_dma_wait(struct dw_spi *dws, unsigned int len, u32 speed) + msecs_to_jiffies(ms)); + + if (ms == 0) { +- dev_err(&dws->host->cur_msg->spi->dev, ++ dev_err(&dws->host->dev, + "DMA transaction timed out\n"); + return -ETIMEDOUT; + } +-- +2.53.0 + 
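Review bot: switching the dev_err at 271 to `&dws->host->dev` removes the dws->host->cur_msg->spi dereference on the timeout path, where the commit message says cur_msg may be absent; the message then loses which peripheral the transaction belonged to, so the commit message should say that the loss of per-device context is intentional, and it is worth checking that no other dev_err/dev_dbg in the same function (outside this hunk) still reaches through cur_msg on an error path.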
diff --git a/queue-6.18/bridge-mrp-reject-zero-test-interval-to-avoid-oom-pa.patch b/queue-6.18/bridge-mrp-reject-zero-test-interval-to-avoid-oom-pa.patch new file mode 100644 index 0000000000..3af1512d16 --- /dev/null +++ b/queue-6.18/bridge-mrp-reject-zero-test-interval-to-avoid-oom-pa.patch 
@@ -0,0 +1,66 @@ +From 46344eb8ef1bc2f1314123b7ec47e04b484c5a75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2026 23:30:00 -0700 +Subject: bridge: mrp: reject zero test interval to avoid OOM panic + +From: Xiang Mei + +[ Upstream commit fa6e24963342de4370e3a3c9af41e38277b74cf3 ] + +br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied +interval value from netlink without validation. When interval is 0, +usecs_to_jiffies(0) yields 0, causing the delayed work +(br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule +itself with zero delay. This creates a tight loop on system_percpu_wq +that allocates and transmits MRP test frames at maximum rate, exhausting +all system memory and causing a kernel panic via OOM deadlock. + +The same zero-interval issue applies to br_mrp_start_in_test_parse() +for interconnect test frames. + +Use NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both +IFLA_BRIDGE_MRP_START_TEST_INTERVAL and +IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the +netlink attribute parsing layer before the value ever reaches the +workqueue scheduling code. This is consistent with how other bridge +subsystems (br_fdb, br_mst) enforce range constraints on netlink +attributes. 
+ +Fixes: 20f6a05ef635 ("bridge: mrp: Rework the MRP netlink interface") +Fixes: 7ab1748e4ce6 ("bridge: mrp: Extend MRP netlink interface for configuring MRP interconnect") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Acked-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20260328063000.1845376-1-xmei5@asu.edu +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/bridge/br_mrp_netlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/bridge/br_mrp_netlink.c b/net/bridge/br_mrp_netlink.c +index ce6f63c77cc0a..86f0e75d6e345 100644 +--- a/net/bridge/br_mrp_netlink.c ++++ b/net/bridge/br_mrp_netlink.c +@@ -196,7 +196,7 @@ static const struct nla_policy + br_mrp_start_test_policy[IFLA_BRIDGE_MRP_START_TEST_MAX + 1] = { + [IFLA_BRIDGE_MRP_START_TEST_UNSPEC] = { .type = NLA_REJECT }, + [IFLA_BRIDGE_MRP_START_TEST_RING_ID] = { .type = NLA_U32 }, +- [IFLA_BRIDGE_MRP_START_TEST_INTERVAL] = { .type = NLA_U32 }, ++ [IFLA_BRIDGE_MRP_START_TEST_INTERVAL] = NLA_POLICY_MIN(NLA_U32, 1), + [IFLA_BRIDGE_MRP_START_TEST_MAX_MISS] = { .type = NLA_U32 }, + [IFLA_BRIDGE_MRP_START_TEST_PERIOD] = { .type = NLA_U32 }, + [IFLA_BRIDGE_MRP_START_TEST_MONITOR] = { .type = NLA_U32 }, +@@ -316,7 +316,7 @@ static const struct nla_policy + br_mrp_start_in_test_policy[IFLA_BRIDGE_MRP_START_IN_TEST_MAX + 1] = { + [IFLA_BRIDGE_MRP_START_IN_TEST_UNSPEC] = { .type = NLA_REJECT }, + [IFLA_BRIDGE_MRP_START_IN_TEST_IN_ID] = { .type = NLA_U32 }, +- [IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL] = { .type = NLA_U32 }, ++ [IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL] = NLA_POLICY_MIN(NLA_U32, 1), + [IFLA_BRIDGE_MRP_START_IN_TEST_MAX_MISS] = { .type = NLA_U32 }, + [IFLA_BRIDGE_MRP_START_IN_TEST_PERIOD] = { .type = NLA_U32 }, + }; +-- +2.53.0 + 
diff --git a/queue-6.18/cxl-mbox-validate-payload-size-before-accessing-cont.patch b/queue-6.18/cxl-mbox-validate-payload-size-before-accessing-cont.patch new file mode 100644 index 0000000000..8b775538db --- /dev/null +++ b/queue-6.18/cxl-mbox-validate-payload-size-before-accessing-cont.patch 
@@ -0,0 +1,119 @@ +From f9a9b1d1d6c4aa248e092aec50813a5c8cd1f592 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Feb 2026 16:16:17 -0800 +Subject: cxl/mbox: validate payload size before accessing contents in + cxl_payload_from_user_allowed() + +From: Davidlohr Bueso + +[ Upstream commit 60b5d1f68338aff2c5af0113f04aefa7169c50c2 ] + +cxl_payload_from_user_allowed() casts and dereferences the input +payload without first verifying its size. When a raw mailbox command +is sent with an undersized payload (ie: 1 byte for CXL_MBOX_OP_CLEAR_LOG, +which expects a 16-byte UUID), uuid_equal() reads past the allocated buffer, +triggering a KASAN splat: + +BUG: KASAN: slab-out-of-bounds in memcmp+0x176/0x1d0 lib/string.c:683 +Read of size 8 at addr ffff88810130f5c0 by task syz.1.62/2258 + +CPU: 2 UID: 0 PID: 2258 Comm: syz.1.62 Not tainted 6.19.0-dirty #3 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0xab/0xe0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xce/0x650 mm/kasan/report.c:482 + kasan_report+0xce/0x100 mm/kasan/report.c:595 + memcmp+0x176/0x1d0 lib/string.c:683 + uuid_equal include/linux/uuid.h:73 [inline] + cxl_payload_from_user_allowed drivers/cxl/core/mbox.c:345 [inline] + cxl_mbox_cmd_ctor drivers/cxl/core/mbox.c:368 [inline] + cxl_validate_cmd_from_user drivers/cxl/core/mbox.c:522 [inline] + cxl_send_cmd+0x9c0/0xb50 drivers/cxl/core/mbox.c:643 + __cxl_memdev_ioctl drivers/cxl/core/memdev.c:698 [inline] + cxl_memdev_ioctl+0x14f/0x190 drivers/cxl/core/memdev.c:713 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:597 [inline] + __se_sys_ioctl fs/ioctl.c:583 [inline] + __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xa8/0x330 arch/x86/entry/syscall_64.c:94 + 
entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fdaf331ba79 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fdaf1d77038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007fdaf3585fa0 RCX: 00007fdaf331ba79 +RDX: 00002000000001c0 RSI: 00000000c030ce02 RDI: 0000000000000003 +RBP: 00007fdaf33749df R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007fdaf3586038 R14: 00007fdaf3585fa0 R15: 00007ffced2af768 + + +Add 'in_size' parameter to cxl_payload_from_user_allowed() and validate +the payload is large enough. + +Fixes: 6179045ccc0c ("cxl/mbox: Block immediate mode in SET_PARTITION_INFO command") +Fixes: 206f9fa9d555 ("cxl/mbox: Add Clear Log mailbox command") +Signed-off-by: Davidlohr Bueso +Reviewed-by: Alison Schofield +Reviewed-by: Dave Jiang +Link: https://patch.msgid.link/20260220001618.963490-2-dave@stgolabs.net +Signed-off-by: Dave Jiang +Signed-off-by: Sasha Levin +--- + drivers/cxl/core/mbox.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/cxl/core/mbox.c b/drivers/cxl/core/mbox.c +index fa6dd0c94656f..e7a6452bf5445 100644 +--- a/drivers/cxl/core/mbox.c ++++ b/drivers/cxl/core/mbox.c +@@ -311,6 +311,7 @@ static bool cxl_mem_raw_command_allowed(u16 opcode) + * cxl_payload_from_user_allowed() - Check contents of in_payload. + * @opcode: The mailbox command opcode. + * @payload_in: Pointer to the input payload passed in from user space. ++ * @in_size: Size of @payload_in in bytes. + * + * Return: + * * true - payload_in passes check for @opcode. +@@ -325,12 +326,15 @@ static bool cxl_mem_raw_command_allowed(u16 opcode) + * + * The specific checks are determined by the opcode. 
+ */ +-static bool cxl_payload_from_user_allowed(u16 opcode, void *payload_in) ++static bool cxl_payload_from_user_allowed(u16 opcode, void *payload_in, ++ size_t in_size) + { + switch (opcode) { + case CXL_MBOX_OP_SET_PARTITION_INFO: { + struct cxl_mbox_set_partition_info *pi = payload_in; + ++ if (in_size < sizeof(*pi)) ++ return false; + if (pi->flags & CXL_SET_PARTITION_IMMEDIATE_FLAG) + return false; + break; +@@ -338,6 +342,8 @@ static bool cxl_payload_from_user_allowed(u16 opcode, void *payload_in) + case CXL_MBOX_OP_CLEAR_LOG: { + const uuid_t *uuid = (uuid_t *)payload_in; + ++ if (in_size < sizeof(uuid_t)) ++ return false; + /* + * Restrict the ‘Clear log’ action to only apply to + * Vendor debug logs. +@@ -365,7 +371,8 @@ static int cxl_mbox_cmd_ctor(struct cxl_mbox_cmd *mbox_cmd, + if (IS_ERR(mbox_cmd->payload_in)) + return PTR_ERR(mbox_cmd->payload_in); + +- if (!cxl_payload_from_user_allowed(opcode, mbox_cmd->payload_in)) { ++ if (!cxl_payload_from_user_allowed(opcode, mbox_cmd->payload_in, ++ in_size)) { + dev_dbg(cxl_mbox->host, "%s: input payload not allowed\n", + cxl_mem_opcode_to_name(opcode)); + kvfree(mbox_cmd->payload_in); +-- +2.53.0 + diff --git a/queue-6.18/sched-deadline-fix-missing-enqueue_replenish-during-.patch b/queue-6.18/sched-deadline-fix-missing-enqueue_replenish-during-.patch new file mode 100644 index 0000000000..4d74fb23dc --- /dev/null +++ b/queue-6.18/sched-deadline-fix-missing-enqueue_replenish-during-.patch 
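Review bot: in the cxl/mbox change above, the new `in_size < sizeof(*pi)` and `in_size < sizeof(uuid_t)` checks (326, 342) reject undersized payloads only; an oversized CLEAR_LOG payload still passes with just its first 16 bytes compared, which matches the stated intent but deserves a sentence in the kernel-doc, since @in_size is documented as "Size of @payload_in in bytes" without saying which relation is enforced. Also confirm that the `in_size` passed at 371 is the same value used to allocate mbox_cmd->payload_in, otherwise the check does not bound the buffer being read.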
@@ -0,0 +1,110 @@ +From 4d97f44585dc6ff65f2e729f113dc126a90818eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Mar 2026 16:45:40 +0100 +Subject: sched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting + +From: Juri Lelli + +[ Upstream commit d658686a1331db3bb108ca079d76deb3208ed949 ] + +Running stress-ng --schedpolicy 0 on an RT kernel on a big machine +might lead to the following WARNINGs (edited). + + sched: DL de-boosted task PID 22725: REPLENISH flag missing + + WARNING: CPU: 93 PID: 0 at kernel/sched/deadline.c:239 dequeue_task_dl+0x15c/0x1f8 + ... (running_bw underflow) + Call trace: + dequeue_task_dl+0x15c/0x1f8 (P) + dequeue_task+0x80/0x168 + deactivate_task+0x24/0x50 + push_dl_task+0x264/0x2e0 + dl_task_timer+0x1b0/0x228 + __hrtimer_run_queues+0x188/0x378 + hrtimer_interrupt+0xfc/0x260 + ... + +The problem is that when a SCHED_DEADLINE task (lock holder) is +changed to a lower priority class via sched_setscheduler(), it may +fail to properly inherit the parameters of potential DEADLINE donors +if it didn't already inherit them in the past (shorter deadline than +donor's at that time). This might lead to bandwidth accounting +corruption, as enqueue_task_dl() won't recognize the lock holder as +boosted. + +The scenario occurs when: +1. A DEADLINE task (donor) blocks on a PI mutex held by another + DEADLINE task (holder), but the holder doesn't inherit parameters + (e.g., it already has a shorter deadline) +2. sched_setscheduler() changes the holder from DEADLINE to a lower + class while still holding the mutex +3. The holder should now inherit DEADLINE parameters from the donor + and be enqueued with ENQUEUE_REPLENISH, but this doesn't happen + +Fix the issue by introducing __setscheduler_dl_pi(), which detects when +a DEADLINE (proper or boosted) task gets setscheduled to a lower +priority class. 
In case, the function makes the task inherit DEADLINE +parameters of the donoer (pi_se) and sets ENQUEUE_REPLENISH flag to +ensure proper bandwidth accounting during the next enqueue operation. + +Fixes: 2279f540ea7d ("sched/deadline: Fix priority inheritance with multiple scheduling classes") +Reported-by: Bruno Goncalves +Signed-off-by: Juri Lelli +Signed-off-by: Peter Zijlstra (Intel) +Link: https://patch.msgid.link/20260302-upstream-fix-deadline-piboost-b4-v3-1-6ba32184a9e0@redhat.com +Signed-off-by: Sasha Levin +--- + kernel/sched/syscalls.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/kernel/sched/syscalls.c b/kernel/sched/syscalls.c +index d2bcedc10152f..77b663a5dfb2b 100644 +--- a/kernel/sched/syscalls.c ++++ b/kernel/sched/syscalls.c +@@ -322,6 +322,35 @@ static bool check_same_owner(struct task_struct *p) + uid_eq(cred->euid, pcred->uid)); + } + ++#ifdef CONFIG_RT_MUTEXES ++static inline void __setscheduler_dl_pi(int newprio, int policy, ++ struct task_struct *p, ++ struct sched_change_ctx *scope) ++{ ++ /* ++ * In case a DEADLINE task (either proper or boosted) gets ++ * setscheduled to a lower priority class, check if it neeeds to ++ * inherit parameters from a potential pi_task. In that case make ++ * sure replenishment happens with the next enqueue. 
++ */ ++ ++ if (dl_prio(newprio) && !dl_policy(policy)) { ++ struct task_struct *pi_task = rt_mutex_get_top_task(p); ++ ++ if (pi_task) { ++ p->dl.pi_se = pi_task->dl.pi_se; ++ scope->flags |= ENQUEUE_REPLENISH; ++ } ++ } ++} ++#else /* !CONFIG_RT_MUTEXES */ ++static inline void __setscheduler_dl_pi(int newprio, int policy, ++ struct task_struct *p, ++ struct sched_change_ctx *scope) ++{ ++} ++#endif /* !CONFIG_RT_MUTEXES */ ++ + #ifdef CONFIG_UCLAMP_TASK + + static int uclamp_validate(struct task_struct *p, +@@ -693,6 +722,7 @@ int __sched_setscheduler(struct task_struct *p, + __setscheduler_params(p, attr); + p->sched_class = next_class; + p->prio = newprio; ++ __setscheduler_dl_pi(newprio, policy, p, scope); + } + __setscheduler_uclamp(p, attr); + check_class_changing(rq, p, prev_class); +-- +2.53.0 + diff --git a/queue-6.18/sched-employ-sched_change-guards.patch b/queue-6.18/sched-employ-sched_change-guards.patch new file mode 100644 index 0000000000..c2b28b3f05 --- /dev/null +++ b/queue-6.18/sched-employ-sched_change-guards.patch 
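Review bot: typo "neeeds" in the comment added to __setscheduler_dl_pi() (hunk at 322). On the logic: unlike the boosting conditions in rt_mutex_setprio(), the helper copies `pi_task->dl.pi_se` whenever rt_mutex_get_top_task() returns a task, relying on `dl_prio(newprio) && !dl_policy(policy)` to imply that the top waiter is a DEADLINE task; a comment spelling out that implication (an inherited DL prio can only come from a DL donor) would make the absent dl_prio(pi_task->prio) check look deliberate rather than forgotten.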
@@ -0,0 +1,501 @@ +From 2671015f90f26ed10a4fb3a32279a09e72b84eac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Oct 2024 13:43:43 +0100 +Subject: sched: Employ sched_change guards + +From: Peter Zijlstra + +[ Upstream commit e9139f765ac7048cadc9981e962acdf8b08eabf3 ] + +As proposed a long while ago -- and half done by scx -- wrap the +scheduler's 'change' pattern in a guard helper. + +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Juri Lelli +Acked-by: Tejun Heo +Acked-by: Vincent Guittot +Stable-dep-of: d658686a1331 ("sched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting") +Signed-off-by: Sasha Levin +--- + include/linux/cleanup.h | 5 ++ + kernel/sched/core.c | 159 +++++++++++++++------------------------- + kernel/sched/ext.c | 39 +++++----- + kernel/sched/sched.h | 33 ++++++--- + kernel/sched/syscalls.c | 65 ++++++---------- + 5 files changed, 131 insertions(+), 170 deletions(-) + +diff --git a/include/linux/cleanup.h b/include/linux/cleanup.h +index 19c7e475d3a4d..a1194e44b5276 100644 +--- a/include/linux/cleanup.h ++++ b/include/linux/cleanup.h +@@ -341,6 +341,11 @@ _label: \ + #define __DEFINE_CLASS_IS_CONDITIONAL(_name, _is_cond) \ + static __maybe_unused const bool class_##_name##_is_conditional = _is_cond + ++#define DEFINE_CLASS_IS_UNCONDITIONAL(_name) \ ++ __DEFINE_CLASS_IS_CONDITIONAL(_name, false); \ ++ static inline void * class_##_name##_lock_ptr(class_##_name##_t *_T) \ ++ { return (void *)1; } ++ + #define __GUARD_IS_ERR(_ptr) \ + ({ \ + unsigned long _rc = (__force unsigned long)(_ptr); \ +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index 0d93f60fed20a..46fc94f2338e8 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -7332,7 +7332,7 @@ void rt_mutex_post_schedule(void) + */ + void rt_mutex_setprio(struct task_struct *p, struct task_struct *pi_task) + { +- int prio, oldprio, queued, running, queue_flag = ++ int prio, oldprio, queue_flag = + DEQUEUE_SAVE | DEQUEUE_MOVE | DEQUEUE_NOCLOCK; + 
const struct sched_class *prev_class, *next_class; + struct rq_flags rf; +@@ -7397,52 +7397,42 @@ void rt_mutex_setprio(struct task_struct *p, struct task_struct *pi_task) + if (prev_class != next_class && p->se.sched_delayed) + dequeue_task(rq, p, DEQUEUE_SLEEP | DEQUEUE_DELAYED | DEQUEUE_NOCLOCK); + +- queued = task_on_rq_queued(p); +- running = task_current_donor(rq, p); +- if (queued) +- dequeue_task(rq, p, queue_flag); +- if (running) +- put_prev_task(rq, p); +- +- /* +- * Boosting condition are: +- * 1. -rt task is running and holds mutex A +- * --> -dl task blocks on mutex A +- * +- * 2. -dl task is running and holds mutex A +- * --> -dl task blocks on mutex A and could preempt the +- * running task +- */ +- if (dl_prio(prio)) { +- if (!dl_prio(p->normal_prio) || +- (pi_task && dl_prio(pi_task->prio) && +- dl_entity_preempt(&pi_task->dl, &p->dl))) { +- p->dl.pi_se = pi_task->dl.pi_se; +- queue_flag |= ENQUEUE_REPLENISH; ++ scoped_guard (sched_change, p, queue_flag) { ++ /* ++ * Boosting condition are: ++ * 1. -rt task is running and holds mutex A ++ * --> -dl task blocks on mutex A ++ * ++ * 2. 
-dl task is running and holds mutex A ++ * --> -dl task blocks on mutex A and could preempt the ++ * running task ++ */ ++ if (dl_prio(prio)) { ++ if (!dl_prio(p->normal_prio) || ++ (pi_task && dl_prio(pi_task->prio) && ++ dl_entity_preempt(&pi_task->dl, &p->dl))) { ++ p->dl.pi_se = pi_task->dl.pi_se; ++ scope->flags |= ENQUEUE_REPLENISH; ++ } else { ++ p->dl.pi_se = &p->dl; ++ } ++ } else if (rt_prio(prio)) { ++ if (dl_prio(oldprio)) ++ p->dl.pi_se = &p->dl; ++ if (oldprio < prio) ++ scope->flags |= ENQUEUE_HEAD; + } else { +- p->dl.pi_se = &p->dl; ++ if (dl_prio(oldprio)) ++ p->dl.pi_se = &p->dl; ++ if (rt_prio(oldprio)) ++ p->rt.timeout = 0; + } +- } else if (rt_prio(prio)) { +- if (dl_prio(oldprio)) +- p->dl.pi_se = &p->dl; +- if (oldprio < prio) +- queue_flag |= ENQUEUE_HEAD; +- } else { +- if (dl_prio(oldprio)) +- p->dl.pi_se = &p->dl; +- if (rt_prio(oldprio)) +- p->rt.timeout = 0; +- } + +- p->sched_class = next_class; +- p->prio = prio; ++ p->sched_class = next_class; ++ p->prio = prio; + +- check_class_changing(rq, p, prev_class); +- +- if (queued) +- enqueue_task(rq, p, queue_flag); +- if (running) +- set_next_task(rq, p); ++ check_class_changing(rq, p, prev_class); ++ } + + check_class_changed(rq, p, prev_class, oldprio); + out_unlock: +@@ -8090,26 +8080,9 @@ int migrate_task_to(struct task_struct *p, int target_cpu) + */ + void sched_setnuma(struct task_struct *p, int nid) + { +- bool queued, running; +- struct rq_flags rf; +- struct rq *rq; +- +- rq = task_rq_lock(p, &rf); +- queued = task_on_rq_queued(p); +- running = task_current_donor(rq, p); +- +- if (queued) +- dequeue_task(rq, p, DEQUEUE_SAVE); +- if (running) +- put_prev_task(rq, p); +- +- p->numa_preferred_nid = nid; +- +- if (queued) +- enqueue_task(rq, p, ENQUEUE_RESTORE | ENQUEUE_NOCLOCK); +- if (running) +- set_next_task(rq, p); +- task_rq_unlock(rq, p, &rf); ++ guard(task_rq_lock)(p); ++ scoped_guard (sched_change, p, DEQUEUE_SAVE) ++ p->numa_preferred_nid = nid; + } + #endif /* 
CONFIG_NUMA_BALANCING */ + +@@ -9215,8 +9188,9 @@ static void sched_change_group(struct task_struct *tsk) + */ + void sched_move_task(struct task_struct *tsk, bool for_autogroup) + { +- int queued, running, queue_flags = ++ unsigned int queue_flags = + DEQUEUE_SAVE | DEQUEUE_MOVE | DEQUEUE_NOCLOCK; ++ bool resched = false; + struct rq *rq; + + CLASS(task_rq_lock, rq_guard)(tsk); +@@ -9224,29 +9198,16 @@ void sched_move_task(struct task_struct *tsk, bool for_autogroup) + + update_rq_clock(rq); + +- running = task_current_donor(rq, tsk); +- queued = task_on_rq_queued(tsk); +- +- if (queued) +- dequeue_task(rq, tsk, queue_flags); +- if (running) +- put_prev_task(rq, tsk); +- +- sched_change_group(tsk); +- if (!for_autogroup) +- scx_cgroup_move_task(tsk); ++ scoped_guard (sched_change, tsk, queue_flags) { ++ sched_change_group(tsk); ++ if (!for_autogroup) ++ scx_cgroup_move_task(tsk); ++ if (scope->running) ++ resched = true; ++ } + +- if (queued) +- enqueue_task(rq, tsk, queue_flags); +- if (running) { +- set_next_task(rq, tsk); +- /* +- * After changing group, the running task may have joined a +- * throttled one but it's still the running task. Trigger a +- * resched to make sure that task can still run. 
+- */ ++ if (resched) + resched_curr(rq); +- } + } + + static struct cgroup_subsys_state * +@@ -10902,37 +10863,39 @@ void sched_mm_cid_fork(struct task_struct *t) + } + #endif /* CONFIG_SCHED_MM_CID */ + +-#ifdef CONFIG_SCHED_CLASS_EXT +-void sched_deq_and_put_task(struct task_struct *p, int queue_flags, +- struct sched_enq_and_set_ctx *ctx) ++static DEFINE_PER_CPU(struct sched_change_ctx, sched_change_ctx); ++ ++struct sched_change_ctx *sched_change_begin(struct task_struct *p, unsigned int flags) + { ++ struct sched_change_ctx *ctx = this_cpu_ptr(&sched_change_ctx); + struct rq *rq = task_rq(p); + + lockdep_assert_rq_held(rq); + +- *ctx = (struct sched_enq_and_set_ctx){ ++ *ctx = (struct sched_change_ctx){ + .p = p, +- .queue_flags = queue_flags, ++ .flags = flags, + .queued = task_on_rq_queued(p), +- .running = task_current(rq, p), ++ .running = task_current_donor(rq, p), + }; + +- update_rq_clock(rq); + if (ctx->queued) +- dequeue_task(rq, p, queue_flags | DEQUEUE_NOCLOCK); ++ dequeue_task(rq, p, flags); + if (ctx->running) + put_prev_task(rq, p); ++ ++ return ctx; + } + +-void sched_enq_and_set_task(struct sched_enq_and_set_ctx *ctx) ++void sched_change_end(struct sched_change_ctx *ctx) + { +- struct rq *rq = task_rq(ctx->p); ++ struct task_struct *p = ctx->p; ++ struct rq *rq = task_rq(p); + + lockdep_assert_rq_held(rq); + + if (ctx->queued) +- enqueue_task(rq, ctx->p, ctx->queue_flags | ENQUEUE_NOCLOCK); ++ enqueue_task(rq, p, ctx->flags | ENQUEUE_NOCLOCK); + if (ctx->running) +- set_next_task(rq, ctx->p); ++ set_next_task(rq, p); + } +-#endif /* CONFIG_SCHED_CLASS_EXT */ +diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c +index 35c0b31924d37..3029e5b8f9a57 100644 +--- a/kernel/sched/ext.c ++++ b/kernel/sched/ext.c +@@ -3866,11 +3866,10 @@ static void scx_bypass(bool bypass) + */ + list_for_each_entry_safe_reverse(p, n, &rq->scx.runnable_list, + scx.runnable_node) { +- struct sched_enq_and_set_ctx ctx; +- + /* cycling deq/enq is enough, see the function 
comment */ +- sched_deq_and_put_task(p, DEQUEUE_SAVE | DEQUEUE_MOVE, &ctx); +- sched_enq_and_set_task(&ctx); ++ scoped_guard (sched_change, p, DEQUEUE_SAVE | DEQUEUE_MOVE) { ++ /* nothing */ ; ++ } + } + + /* resched to restore ticks and idle state */ +@@ -4021,17 +4020,16 @@ static void scx_disable_workfn(struct kthread_work *work) + while ((p = scx_task_iter_next_locked(&sti))) { + const struct sched_class *old_class = p->sched_class; + const struct sched_class *new_class = scx_setscheduler_class(p); +- struct sched_enq_and_set_ctx ctx; + +- if (old_class != new_class && p->se.sched_delayed) +- dequeue_task(task_rq(p), p, DEQUEUE_SLEEP | DEQUEUE_DELAYED); ++ update_rq_clock(task_rq(p)); + +- sched_deq_and_put_task(p, DEQUEUE_SAVE | DEQUEUE_MOVE, &ctx); +- +- p->sched_class = new_class; +- check_class_changing(task_rq(p), p, old_class); ++ if (old_class != new_class && p->se.sched_delayed) ++ dequeue_task(task_rq(p), p, DEQUEUE_SLEEP | DEQUEUE_DELAYED | DEQUEUE_NOCLOCK); + +- sched_enq_and_set_task(&ctx); ++ scoped_guard (sched_change, p, DEQUEUE_SAVE | DEQUEUE_MOVE | DEQUEUE_NOCLOCK) { ++ p->sched_class = new_class; ++ check_class_changing(task_rq(p), p, old_class); ++ } + + check_class_changed(task_rq(p), p, old_class, p->prio); + scx_exit_task(p); +@@ -4845,21 +4843,20 @@ static void scx_enable_workfn(struct kthread_work *work) + while ((p = scx_task_iter_next_locked(&sti))) { + const struct sched_class *old_class = p->sched_class; + const struct sched_class *new_class = scx_setscheduler_class(p); +- struct sched_enq_and_set_ctx ctx; + + if (!tryget_task_struct(p)) + continue; + +- if (old_class != new_class && p->se.sched_delayed) +- dequeue_task(task_rq(p), p, DEQUEUE_SLEEP | DEQUEUE_DELAYED); +- +- sched_deq_and_put_task(p, DEQUEUE_SAVE | DEQUEUE_MOVE, &ctx); ++ update_rq_clock(task_rq(p)); + +- p->scx.slice = SCX_SLICE_DFL; +- p->sched_class = new_class; +- check_class_changing(task_rq(p), p, old_class); ++ if (old_class != new_class && p->se.sched_delayed) 
++ dequeue_task(task_rq(p), p, DEQUEUE_SLEEP | DEQUEUE_DELAYED | DEQUEUE_NOCLOCK); + +- sched_enq_and_set_task(&ctx); ++ scoped_guard (sched_change, p, DEQUEUE_SAVE | DEQUEUE_MOVE | DEQUEUE_NOCLOCK) { ++ p->scx.slice = SCX_SLICE_DFL; ++ p->sched_class = new_class; ++ check_class_changing(task_rq(p), p, old_class); ++ } + + check_class_changed(task_rq(p), p, old_class, p->prio); + put_task_struct(p); +diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h +index f750dea7b7876..668841022dbf2 100644 +--- a/kernel/sched/sched.h ++++ b/kernel/sched/sched.h +@@ -3891,23 +3891,38 @@ extern void check_class_changed(struct rq *rq, struct task_struct *p, + extern struct balance_callback *splice_balance_callbacks(struct rq *rq); + extern void balance_callbacks(struct rq *rq, struct balance_callback *head); + +-#ifdef CONFIG_SCHED_CLASS_EXT + /* +- * Used by SCX in the enable/disable paths to move tasks between sched_classes +- * and establish invariants. ++ * The 'sched_change' pattern is the safe, easy and slow way of changing a ++ * task's scheduling properties. It dequeues a task, such that the scheduler ++ * is fully unaware of it; at which point its properties can be modified; ++ * after which it is enqueued again. ++ * ++ * Typically this must be called while holding task_rq_lock, since most/all ++ * properties are serialized under those locks. There is currently one ++ * exception to this rule in sched/ext which only holds rq->lock. ++ */ ++ ++/* ++ * This structure is a temporary, used to preserve/convey the queueing state ++ * of the task between sched_change_begin() and sched_change_end(). Ensuring ++ * the task's queueing state is idempotent across the operation. 
+ */ +-struct sched_enq_and_set_ctx { ++struct sched_change_ctx { + struct task_struct *p; +- int queue_flags; ++ int flags; + bool queued; + bool running; + }; + +-void sched_deq_and_put_task(struct task_struct *p, int queue_flags, +- struct sched_enq_and_set_ctx *ctx); +-void sched_enq_and_set_task(struct sched_enq_and_set_ctx *ctx); ++struct sched_change_ctx *sched_change_begin(struct task_struct *p, unsigned int flags); ++void sched_change_end(struct sched_change_ctx *ctx); + +-#endif /* CONFIG_SCHED_CLASS_EXT */ ++DEFINE_CLASS(sched_change, struct sched_change_ctx *, ++ sched_change_end(_T), ++ sched_change_begin(p, flags), ++ struct task_struct *p, unsigned int flags) ++ ++DEFINE_CLASS_IS_UNCONDITIONAL(sched_change) + + #include "ext.h" + +diff --git a/kernel/sched/syscalls.c b/kernel/sched/syscalls.c +index 6805a63d47af7..d2bcedc10152f 100644 +--- a/kernel/sched/syscalls.c ++++ b/kernel/sched/syscalls.c +@@ -64,7 +64,6 @@ static int effective_prio(struct task_struct *p) + + void set_user_nice(struct task_struct *p, long nice) + { +- bool queued, running; + struct rq *rq; + int old_prio; + +@@ -90,22 +89,12 @@ void set_user_nice(struct task_struct *p, long nice) + return; + } + +- queued = task_on_rq_queued(p); +- running = task_current_donor(rq, p); +- if (queued) +- dequeue_task(rq, p, DEQUEUE_SAVE | DEQUEUE_NOCLOCK); +- if (running) +- put_prev_task(rq, p); +- +- p->static_prio = NICE_TO_PRIO(nice); +- set_load_weight(p, true); +- old_prio = p->prio; +- p->prio = effective_prio(p); +- +- if (queued) +- enqueue_task(rq, p, ENQUEUE_RESTORE | ENQUEUE_NOCLOCK); +- if (running) +- set_next_task(rq, p); ++ scoped_guard (sched_change, p, DEQUEUE_SAVE | DEQUEUE_NOCLOCK) { ++ p->static_prio = NICE_TO_PRIO(nice); ++ set_load_weight(p, true); ++ old_prio = p->prio; ++ p->prio = effective_prio(p); ++ } + + /* + * If the task increased its priority or is running and +@@ -515,7 +504,7 @@ int __sched_setscheduler(struct task_struct *p, + bool user, bool pi) + { + int 
oldpolicy = -1, policy = attr->sched_policy; +- int retval, oldprio, newprio, queued, running; ++ int retval, oldprio, newprio; + const struct sched_class *prev_class, *next_class; + struct balance_callback *head; + struct rq_flags rf; +@@ -698,33 +687,25 @@ int __sched_setscheduler(struct task_struct *p, + if (prev_class != next_class && p->se.sched_delayed) + dequeue_task(rq, p, DEQUEUE_SLEEP | DEQUEUE_DELAYED | DEQUEUE_NOCLOCK); + +- queued = task_on_rq_queued(p); +- running = task_current_donor(rq, p); +- if (queued) +- dequeue_task(rq, p, queue_flags); +- if (running) +- put_prev_task(rq, p); +- +- if (!(attr->sched_flags & SCHED_FLAG_KEEP_PARAMS)) { +- __setscheduler_params(p, attr); +- p->sched_class = next_class; +- p->prio = newprio; +- } +- __setscheduler_uclamp(p, attr); +- check_class_changing(rq, p, prev_class); ++ scoped_guard (sched_change, p, queue_flags) { + +- if (queued) { +- /* +- * We enqueue to tail when the priority of a task is +- * increased (user space view). +- */ +- if (oldprio < p->prio) +- queue_flags |= ENQUEUE_HEAD; ++ if (!(attr->sched_flags & SCHED_FLAG_KEEP_PARAMS)) { ++ __setscheduler_params(p, attr); ++ p->sched_class = next_class; ++ p->prio = newprio; ++ } ++ __setscheduler_uclamp(p, attr); ++ check_class_changing(rq, p, prev_class); + +- enqueue_task(rq, p, queue_flags); ++ if (scope->queued) { ++ /* ++ * We enqueue to tail when the priority of a task is ++ * increased (user space view). ++ */ ++ if (oldprio < p->prio) ++ scope->flags |= ENQUEUE_HEAD; ++ } + } +- if (running) +- set_next_task(rq, p); + + check_class_changed(rq, p, prev_class, oldprio); + +-- +2.53.0 + diff --git a/queue-6.18/series b/queue-6.18/series index 083cb74b53..d35c0223a6 100644 --- a/queue-6.18/series +++ b/queue-6.18/series 
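Review bot: In the include/linux/cleanup.h hunk, DEFINE_CLASS_IS_UNCONDITIONAL() makes class_##_name##_lock_ptr() return the bare sentinel `(void *)1` with no explanation; a short comment stating that a non-NULL "lock pointer" is what lets scoped_guard treat the class as always acquired would document the trick for anyone reusing the macro.

Review bot: In the rt_mutex_setprio() hunk, the block moved into the scoped_guard keeps the pre-existing comment "Boosting condition are:"; since the lines are being rewritten anyway, fixing it to "Boosting conditions are:" would be a free cleanup.

Review bot: In the sched_move_task() hunk, the comment explaining why a running task needs resched_curr() after a group change ("the running task may have joined a throttled one but it's still the running task") is dropped along with the old `if (running)` block; please keep it next to `if (scope->running) resched = true;` or above `if (resched) resched_curr(rq);`, since the reason is not obvious from the new shape.

Review bot: In the sched_change_begin()/sched_change_end() hunk, the context now lives in a single DEFINE_PER_CPU(struct sched_change_ctx, sched_change_ctx) obtained via this_cpu_ptr(), so the pattern cannot be nested or used across a CPU migration; with the rq lock held that is true today, but a WARN_ON_ONCE() on re-entry (or at least a comment) would catch a future nested use. The same hunk also drops the `update_rq_clock(rq);` that sched_deq_and_put_task() performed and passes `flags` straight to dequeue_task() instead of `queue_flags | DEQUEUE_NOCLOCK`, so callers must now either update the clock themselves or leave DEQUEUE_NOCLOCK out of the flags; that contract belongs in the sched.h comment.

Review bot: In the kernel/sched/ext.c hunks, the three call sites handle the clock differently: scx_bypass() opens an empty `scoped_guard (sched_change, p, DEQUEUE_SAVE | DEQUEUE_MOVE)` with `/* nothing */ ;` and lets dequeue_task() update the clock, while scx_disable_workfn() and scx_enable_workfn() gain an explicit `update_rq_clock(task_rq(p));` and add DEQUEUE_NOCLOCK to both the delayed dequeue and the guard flags. Both are consistent with the new sched_change_begin(), but the commit message does not mention the clock-handling change; a sentence there would help anyone bisecting clock-related regressions.

Review bot: In the kernel/sched/sched.h hunk, `struct sched_change_ctx` declares `int flags;` while sched_change_begin() takes `unsigned int flags` and the guard class is defined with `unsigned int flags`; the field should be `unsigned int` to match. In the new comment, "Ensuring the task's queueing state is idempotent across the operation" reads oddly; "preserved across the operation" is what the context struct actually guarantees.

Review bot: In the __sched_setscheduler() hunk, there is a stray blank line immediately after `scoped_guard (sched_change, p, queue_flags) {`; dropping it keeps the block consistent with the other converted sites in this patch.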
@@ -2,3 +2,8 @@ drm-xe-hdcp-add-null-check-for-media_gt-in-intel_hdc.patch iommu-amd-fix-illegal-cap-mmio-access-in-iommu-debug.patch iommu-amd-remove-latent-out-of-bounds-access-in-iomm.patch fuse-fix-uninit-value-in-fuse_dentry_revalidate.patch +cxl-mbox-validate-payload-size-before-accessing-cont.patch +sched-employ-sched_change-guards.patch +sched-deadline-fix-missing-enqueue_replenish-during-.patch +bridge-mrp-reject-zero-test-interval-to-avoid-oom-pa.patch +spi-spi-dw-dma-fix-print-error-log-when-wait-finish-.patch diff --git a/queue-6.18/spi-spi-dw-dma-fix-print-error-log-when-wait-finish-.patch b/queue-6.18/spi-spi-dw-dma-fix-print-error-log-when-wait-finish-.patch new file mode 100644 index 0000000000..1fb7fc9361 --- /dev/null +++ b/queue-6.18/spi-spi-dw-dma-fix-print-error-log-when-wait-finish-.patch 
@@ -0,0 +1,38 @@ +From 6a23c01f04705cad26c3406e3a3e528f7d9e95a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2026 01:20:17 +0300 +Subject: spi: spi-dw-dma: fix print error log when wait finish transaction + +From: Vladimir Yakovlev + +[ Upstream commit 3b46d61890632c8f8b117147b6923bff4b42ccb7 ] + +If an error occurs, the device may not have a current message. In this +case, the system will crash. + +In this case, it's better to use dev from the struct ctlr (struct spi_controller*). + +Signed-off-by: Vladimir Yakovlev +Link: https://patch.msgid.link/20260302222017.992228-2-vovchkir@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-dw-dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-dw-dma.c b/drivers/spi/spi-dw-dma.c +index b5bed02b7e500..31063f9270924 100644 +--- a/drivers/spi/spi-dw-dma.c ++++ b/drivers/spi/spi-dw-dma.c +@@ -271,7 +271,7 @@ static int dw_spi_dma_wait(struct dw_spi *dws, unsigned int len, u32 speed) + msecs_to_jiffies(ms)); + + if (ms == 0) { +- dev_err(&dws->host->cur_msg->spi->dev, ++ dev_err(&dws->host->dev, + "DMA transaction timed out\n"); + return -ETIMEDOUT; + } +-- +2.53.0 + diff --git a/queue-6.6/series b/queue-6.6/series index fdd5fdb2a4..a6d241119c 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -6,3 +6,4 @@ spi-spidev-fix-lock-inversion-between-spi_lock-and-b.patch driver-core-generalize-driver_override-in-struct-dev.patch driver-core-platform-use-generic-driver_override-inf.patch s390-debug-reject-zero-length-input-before-trimming-.patch +wifi-mac80211-check-tdls-flag-in-ieee80211_tdls_oper.patch diff --git a/queue-6.6/wifi-mac80211-check-tdls-flag-in-ieee80211_tdls_oper.patch b/queue-6.6/wifi-mac80211-check-tdls-flag-in-ieee80211_tdls_oper.patch new file mode 100644 index 0000000000..fd40c943ac --- /dev/null +++ b/queue-6.6/wifi-mac80211-check-tdls-flag-in-ieee80211_tdls_oper.patch 
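Review bot: Switching the timeout message in dw_spi_dma_wait() from `&dws->host->cur_msg->spi->dev` to `&dws->host->dev` avoids the NULL dereference, at the cost of no longer identifying which SPI device the transfer was for; if that matters for debugging, logging the transfer length (`len`) or speed that the function already has in scope would keep the message useful. The commit message could also say explicitly that cur_msg is NULL on the error path, since "may not have a current message" leaves the reader to infer the dereference.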
@@ -0,0 +1,48 @@ +From 78c2afb430701a0b3638e4a316ecf262417d7225 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 May 2026 13:48:35 +0800 +Subject: wifi: mac80211: check tdls flag in ieee80211_tdls_oper + +From: Deepanshu Kartikey + +[ Upstream commit 7d73872d949c488a1d7c308031d6a9d89b5e0a8b ] + +When NL80211_TDLS_ENABLE_LINK is called, the code only checks if the +station exists but not whether it is actually a TDLS station. This +allows the operation to proceed for non-TDLS stations, causing +unintended side effects like modifying channel context and HT +protection before failing. + +Add a check for sta->sta.tdls early in the ENABLE_LINK case, before +any side effects occur, to ensure the operation is only allowed for +actual TDLS peers. + +Reported-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=56b6a844a4ea74487b7b +Tested-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com +Suggested-by: Johannes Berg +Signed-off-by: Deepanshu Kartikey +Link: https://patch.msgid.link/20260313092417.520807-1-kartikey406@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Sasha Levin +--- + net/mac80211/tdls.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c +index 0fd353fec9fc6..c3622f779d120 100644 +--- a/net/mac80211/tdls.c ++++ b/net/mac80211/tdls.c +@@ -1481,7 +1481,7 @@ int ieee80211_tdls_oper(struct wiphy *wiphy, struct net_device *dev, + + mutex_lock(&local->sta_mtx); + sta = sta_info_get(sdata, peer); +- if (!sta) { ++ if (!sta || !sta->sta.tdls) { + mutex_unlock(&local->sta_mtx); + ret = -ENOLINK; + break; +-- +2.53.0 +
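Review bot: The new `if (!sta || !sta->sta.tdls)` check is in the right place, before any channel-context or HT-protection side effects, but it returns the same -ENOLINK for "no such station" and "station exists but is not a TDLS peer"; if userspace or tests need to tell the two apart, a distinct error code (or a comment stating that both cases are deliberately reported as no TDLS link) would avoid future confusion.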