From d0c62bf5f2f635b6aac47b14df2d02d27bbd421a Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Tue, 17 Feb 2026 13:33:35 +0100 Subject: [PATCH] 6.1-stable patches added patches: acpi-apei-send-sigbus-to-current-task-if-synchronous-memory-error-not-recovered.patch clk-mediatek-fix-of_iomap-memory-leak.patch devlink-rate-unset-parent-pointer-in-devl_rate_nodes_destroy.patch ksmbd-set-attr_ctime-flags-when-setting-mtime.patch mptcp-fix-race-in-mptcp_pm_nl_flush_addrs_doit.patch net-dsa-free-routing-table-on-probe-failure.patch net-stmmac-fix-accessing-freed-irq-affinity_hint.patch nfsd-don-t-ignore-the-return-code-of-svc_proc_register.patch wifi-cfg80211-add-missing-lock-in-cfg80211_check_and_end_cac.patch xsk-fix-race-condition-in-af_xdp-generic-rx-path.patch --- ...nchronous-memory-error-not-recovered.patch | 64 +++++++ ...lk-mediatek-fix-of_iomap-memory-leak.patch | 55 ++++++ ...t-pointer-in-devl_rate_nodes_destroy.patch | 129 ++++++++++++++ ...-attr_ctime-flags-when-setting-mtime.patch | 105 ++++++++++++ ...race-in-mptcp_pm_nl_flush_addrs_doit.patch | 82 +++++++++ ...-free-routing-table-on-probe-failure.patch | 160 ++++++++++++++++++ ...ix-accessing-freed-irq-affinity_hint.patch | 61 +++++++ ...the-return-code-of-svc_proc_register.patch | 95 +++++++++++ queue-6.1/series | 10 ++ ...g-lock-in-cfg80211_check_and_end_cac.patch | 95 +++++++++++ ...-condition-in-af_xdp-generic-rx-path.patch | 115 +++++++++++++ 11 files changed, 971 insertions(+) create mode 100644 queue-6.1/acpi-apei-send-sigbus-to-current-task-if-synchronous-memory-error-not-recovered.patch create mode 100644 queue-6.1/clk-mediatek-fix-of_iomap-memory-leak.patch create mode 100644 queue-6.1/devlink-rate-unset-parent-pointer-in-devl_rate_nodes_destroy.patch create mode 100644 queue-6.1/ksmbd-set-attr_ctime-flags-when-setting-mtime.patch create mode 100644 queue-6.1/mptcp-fix-race-in-mptcp_pm_nl_flush_addrs_doit.patch create mode 100644 queue-6.1/net-dsa-free-routing-table-on-probe-failure.patch create mode 100644 
queue-6.1/net-stmmac-fix-accessing-freed-irq-affinity_hint.patch create mode 100644 queue-6.1/nfsd-don-t-ignore-the-return-code-of-svc_proc_register.patch create mode 100644 queue-6.1/wifi-cfg80211-add-missing-lock-in-cfg80211_check_and_end_cac.patch create mode 100644 queue-6.1/xsk-fix-race-condition-in-af_xdp-generic-rx-path.patch diff --git a/queue-6.1/acpi-apei-send-sigbus-to-current-task-if-synchronous-memory-error-not-recovered.patch b/queue-6.1/acpi-apei-send-sigbus-to-current-task-if-synchronous-memory-error-not-recovered.patch new file mode 100644 index 0000000000..998b8a1ed1 --- /dev/null +++ b/queue-6.1/acpi-apei-send-sigbus-to-current-task-if-synchronous-memory-error-not-recovered.patch 
@@ -0,0 +1,64 @@ +From stable+bounces-215915-greg=kroah.com@vger.kernel.org Thu Feb 12 07:39:29 2026 +From: Rajani Kantha <681739313@139.com> +Date: Thu, 12 Feb 2026 14:36:05 +0800 +Subject: ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered +To: xueshuai@linux.alibaba.com, jarkko@kernel.org, Jonathan.Cameron@huawei.com, yazen.ghannam@amd.com, jane.chu@oracle.com, guohanjun@huawei.com, stable@vger.kernel.org +Message-ID: <20260212063605.2284-1-681739313@139.com> + +From: Shuai Xue + +[ Upstream commit 79a5ae3c4c5eb7e38e0ebe4d6bf602d296080060 ] + +If a synchronous error is detected as a result of user-space process +triggering a 2-bit uncorrected error, the CPU will take a synchronous +error exception such as Synchronous External Abort (SEA) on Arm64. The +kernel will queue a memory_failure() work which poisons the related +page, unmaps the page, and then sends a SIGBUS to the process, so that +a system wide panic can be avoided. + +However, no memory_failure() work will be queued when abnormal +synchronous errors occur. These errors can include situations like +invalid PA, unexpected severity, no memory failure config support, +invalid GUID section, etc. In such a case, the user-space process will +trigger SEA again. This loop can potentially exceed the platform +firmware threshold or even trigger a kernel hard lockup, leading to a +system reboot. + +Fix it by performing a force kill if no memory_failure() work is queued +for synchronous errors. + +Signed-off-by: Shuai Xue +Reviewed-by: Jarkko Sakkinen +Reviewed-by: Jonathan Cameron +Reviewed-by: Yazen Ghannam +Reviewed-by: Jane Chu +Reviewed-by: Hanjun Guo +Link: https://patch.msgid.link/20250714114212.31660-2-xueshuai@linux.alibaba.com +[ rjw: Changelog edits ] +Signed-off-by: Rafael J. 
Wysocki +[ Using pr_err instead of dev_err due to ghes doesn't have member "dev"] +Signed-off-by: Rajani Kantha <681739313@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/apei/ghes.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -684,6 +684,16 @@ static bool ghes_do_proc(struct ghes *gh + } + } + ++ /* ++ * If no memory failure work is queued for abnormal synchronous ++ * errors, do a force kill. ++ */ ++ if (sync && !queued) { ++ pr_err(GHES_PFX "%s:%d: synchronous unrecoverable error (SIGBUS)\n", ++ current->comm, task_pid_nr(current)); ++ force_sig(SIGBUS); ++ } ++ + return queued; + } + diff --git a/queue-6.1/clk-mediatek-fix-of_iomap-memory-leak.patch b/queue-6.1/clk-mediatek-fix-of_iomap-memory-leak.patch new file mode 100644 index 0000000000..d397f35bf4 --- /dev/null +++ b/queue-6.1/clk-mediatek-fix-of_iomap-memory-leak.patch 
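Review bot: The added `force_sig(SIGBUS)` in ghes_do_proc() acts on `current`, and the new comment does not say why `current` is guaranteed to be the task that hit the synchronous error. `sync` and `queued` are set outside the lines shown, so this cannot be confirmed from the hunk. I would extend the comment with the assumption, for example `/* Synchronous notifications are handled before returning to the faulting task, so current is the consumer of the bad data. */`, and confirm it holds for every notification type that sets `sync` in the 6.1 tree. The backport also swaps `dev_err` for `pr_err`, so the log line no longer identifies the error source, only the task name and pid. The body of ghes_do_proc() starts outside the hunk.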
@@ -0,0 +1,55 @@ +From stable+bounces-215733-greg=kroah.com@vger.kernel.org Wed Feb 11 02:24:25 2026 +From: Li hongliang <1468888505@139.com> +Date: Wed, 11 Feb 2026 09:23:51 +0800 +Subject: clk: mediatek: fix of_iomap memory leak +To: gregkh@linuxfoundation.org, stable@vger.kernel.org, u201911157@hust.edu.cn +Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, mturquette@baylibre.com, sboyd@kernel.org, matthias.bgg@gmail.com, angelogioacchino.delregno@collabora.com, miles.chen@mediatek.com, wenst@chromium.org, chun-jie.chen@mediatek.com, ikjn@chromium.org, weiyi.lu@mediatek.com, linux-clk@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, dzm91@hust.edu.cn +Message-ID: <20260211012351.2076922-1-1468888505@139.com> + +From: Bosi Zhang + +[ Upstream commit 3db7285e044144fd88a356f5b641b9cd4b231a77 ] + +Smatch reports: +drivers/clk/mediatek/clk-mtk.c:583 mtk_clk_simple_probe() warn: + 'base' from of_iomap() not released on lines: 496. + +This problem was also found in linux-next. In mtk_clk_simple_probe(), +base is not released when handling errors +if clk_data is not existed, which may cause a leak. +So free_base should be added here to release base. 
+ +Fixes: c58cd0e40ffa ("clk: mediatek: Add mtk_clk_simple_probe() to simplify clock providers") +Signed-off-by: Bosi Zhang +Reviewed-by: Dongliang Mu +Link: https://lore.kernel.org/r/20230422084331.47198-1-u201911157@hust.edu.cn +Signed-off-by: Stephen Boyd +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/mediatek/clk-mtk.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/clk/mediatek/clk-mtk.c ++++ b/drivers/clk/mediatek/clk-mtk.c +@@ -505,8 +505,10 @@ int mtk_clk_simple_probe(struct platform + num_clks += mcd->num_mux_clks; + + clk_data = mtk_alloc_clk_data(num_clks); +- if (!clk_data) +- return -ENOMEM; ++ if (!clk_data) { ++ r = -ENOMEM; ++ goto free_base; ++ } + + if (mcd->fixed_clks) { + r = mtk_clk_register_fixed_clks(mcd->fixed_clks, +@@ -594,6 +596,7 @@ unregister_fixed_clks: + mcd->num_fixed_clks, clk_data); + free_data: + mtk_free_clk_data(clk_data); ++free_base: + if (mcd->shared_io && base) + iounmap(base); + diff --git a/queue-6.1/devlink-rate-unset-parent-pointer-in-devl_rate_nodes_destroy.patch b/queue-6.1/devlink-rate-unset-parent-pointer-in-devl_rate_nodes_destroy.patch new file mode 100644 index 0000000000..a5e1b656b8 --- /dev/null +++ b/queue-6.1/devlink-rate-unset-parent-pointer-in-devl_rate_nodes_destroy.patch 
@@ -0,0 +1,129 @@ +From stable+bounces-215594-greg=kroah.com@vger.kernel.org Tue Feb 10 04:02:55 2026 +From: Li hongliang <1468888505@139.com> +Date: Tue, 10 Feb 2026 11:02:34 +0800 +Subject: devlink: rate: Unset parent pointer in devl_rate_nodes_destroy +To: gregkh@linuxfoundation.org, stable@vger.kernel.org, shayd@nvidia.com +Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, jiri@nvidia.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, dlinkin@nvidia.com, vladbu@nvidia.com, netdev@vger.kernel.org, cjubran@nvidia.com, tariqt@nvidia.com +Message-ID: <20260210030234.1532584-1-1468888505@139.com> + +From: Shay Drory + +[ Upstream commit f94c1a114ac209977bdf5ca841b98424295ab1f0 ] + +The function devl_rate_nodes_destroy is documented to "Unset parent for +all rate objects". However, it was only calling the driver-specific +`rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing +the parent's refcount, without actually setting the +`devlink_rate->parent` pointer to NULL. + +This leaves a dangling pointer in the `devlink_rate` struct, which cause +refcount error in netdevsim[1] and mlx5[2]. In addition, this is +inconsistent with the behavior of `devlink_nl_rate_parent_node_set`, +where the parent pointer is correctly cleared. + +This patch fixes the issue by explicitly setting `devlink_rate->parent` +to NULL after notifying the driver, thus fulfilling the function's +documented behavior for all rate objects. + +[1] +repro steps: +echo 1 > /sys/bus/netdevsim/new_device +devlink dev eswitch set netdevsim/netdevsim1 mode switchdev +echo 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs +devlink port function rate add netdevsim/netdevsim1/test_node +devlink port function rate set netdevsim/netdevsim1/128 parent test_node +echo 1 > /sys/bus/netdevsim/del_device + +dmesg: +refcount_t: decrement hit 0; leaking memory. 
+WARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0 +CPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +RIP: 0010:refcount_warn_saturate+0x42/0xe0 +Call Trace: + + devl_rate_leaf_destroy+0x8d/0x90 + __nsim_dev_port_del+0x6c/0x70 [netdevsim] + nsim_dev_reload_destroy+0x11c/0x140 [netdevsim] + nsim_drv_remove+0x2b/0xb0 [netdevsim] + device_release_driver_internal+0x194/0x1f0 + bus_remove_device+0xc6/0x130 + device_del+0x159/0x3c0 + device_unregister+0x1a/0x60 + del_device_store+0x111/0x170 [netdevsim] + kernfs_fop_write_iter+0x12e/0x1e0 + vfs_write+0x215/0x3d0 + ksys_write+0x5f/0xd0 + do_syscall_64+0x55/0x10f0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +[2] +devlink dev eswitch set pci/0000:08:00.0 mode switchdev +devlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000 +devlink port function rate add pci/0000:08:00.0/group1 +devlink port function rate set pci/0000:08:00.0/32768 parent group1 +modprobe -r mlx5_ib mlx5_fwctl mlx5_core + +dmesg: +refcount_t: decrement hit 0; leaking memory. 
+WARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0 +CPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +RIP: 0010:refcount_warn_saturate+0x42/0xe0 +Call Trace: + + devl_rate_leaf_destroy+0x8d/0x90 + mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core] + mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core] + mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core] + mlx5_sf_esw_event+0xc4/0x120 [mlx5_core] + notifier_call_chain+0x33/0xa0 + blocking_notifier_call_chain+0x3b/0x50 + mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core] + mlx5_eswitch_disable+0x63/0x90 [mlx5_core] + mlx5_unload+0x1d/0x170 [mlx5_core] + mlx5_uninit_one+0xa2/0x130 [mlx5_core] + remove_one+0x78/0xd0 [mlx5_core] + pci_device_remove+0x39/0xa0 + device_release_driver_internal+0x194/0x1f0 + unbind_store+0x99/0xa0 + kernfs_fop_write_iter+0x12e/0x1e0 + vfs_write+0x215/0x3d0 + ksys_write+0x5f/0xd0 + do_syscall_64+0x53/0x1f0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Fixes: d75559845078 ("devlink: Allow setting parent node of rate objects") +Signed-off-by: Shay Drory +Reviewed-by: Carolina Jubran +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1763381149-1234377-1-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +[ Routine devl_rate_nodes_destroy is moved to net/devlink/rate.c by commit + 7cc7194e85ca ("devlink: push rate related code into separate file") after linux-6.6. + This fix applies the same update to its original location in net/devlink/leftover.c. 
] +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + net/devlink/leftover.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/devlink/leftover.c ++++ b/net/devlink/leftover.c +@@ -10274,13 +10274,15 @@ void devl_rate_nodes_destroy(struct devl + if (!devlink_rate->parent) + continue; + +- refcount_dec(&devlink_rate->parent->refcnt); + if (devlink_rate_is_leaf(devlink_rate)) + ops->rate_leaf_parent_set(devlink_rate, NULL, devlink_rate->priv, + NULL, NULL); + else if (devlink_rate_is_node(devlink_rate)) + ops->rate_node_parent_set(devlink_rate, NULL, devlink_rate->priv, + NULL, NULL); ++ ++ refcount_dec(&devlink_rate->parent->refcnt); ++ devlink_rate->parent = NULL; + } + list_for_each_entry_safe(devlink_rate, tmp, &devlink->rate_list, list) { + if (devlink_rate_is_node(devlink_rate)) { diff --git a/queue-6.1/ksmbd-set-attr_ctime-flags-when-setting-mtime.patch b/queue-6.1/ksmbd-set-attr_ctime-flags-when-setting-mtime.patch new file mode 100644 index 0000000000..9d31008575 --- /dev/null +++ b/queue-6.1/ksmbd-set-attr_ctime-flags-when-setting-mtime.patch 
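Review bot: The reordering in devl_rate_nodes_destroy() is correct only because of an ordering rule that is not written down: the driver callback runs first, then `refcount_dec()`, then the pointer is cleared. I would add a short comment above the two new lines, for example `/* Drop the parent reference only after the driver has been notified, and clear the pointer so a later leaf/node destroy does not drop it a second time. */`. Whether `ops->rate_leaf_parent_set` and `ops->rate_node_parent_set` can be NULL here is not visible in the hunk; presumably a parent can only be set when the driver implements them, but that is worth confirming for the 6.1 code in net/devlink/leftover.c. The loop header and the function's start are outside the hunk.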
@@ -0,0 +1,105 @@ +From stable+bounces-215750-greg=kroah.com@vger.kernel.org Wed Feb 11 06:54:55 2026 +From: Li hongliang <1468888505@139.com> +Date: Wed, 11 Feb 2026 13:54:37 +0800 +Subject: ksmbd: set ATTR_CTIME flags when setting mtime +To: gregkh@linuxfoundation.org, stable@vger.kernel.org, linkinjeon@kernel.org +Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, sfrench@samba.org, senozhatsky@chromium.org, tom@talpey.com, ddiss@suse.de, linux-cifs@vger.kernel.org, stfrench@microsoft.com +Message-ID: <20260211055437.2798668-1-1468888505@139.com> + +From: Namjae Jeon + +[ Upstream commit 21e46a79bbe6c4e1aa73b3ed998130f2ff07b128 ] + +David reported that the new warning from setattr_copy_mgtime is coming +like the following. + +[ 113.215316] ------------[ cut here ]------------ +[ 113.215974] WARNING: CPU: 1 PID: 31 at fs/attr.c:300 setattr_copy+0x1ee/0x200 +[ 113.219192] CPU: 1 UID: 0 PID: 31 Comm: kworker/1:1 Not tainted 6.13.0-rc1+ #234 +[ 113.220127] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 +[ 113.221530] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] +[ 113.222220] RIP: 0010:setattr_copy+0x1ee/0x200 +[ 113.222833] Code: 24 28 49 8b 44 24 30 48 89 53 58 89 43 6c 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 48 89 df e8 77 d6 ff ff e9 cd fe ff ff <0f> 0b e9 be fe ff ff 66 0 +[ 113.225110] RSP: 0018:ffffaf218010fb68 EFLAGS: 00010202 +[ 113.225765] RAX: 0000000000000120 RBX: ffffa446815f8568 RCX: 0000000000000003 +[ 113.226667] RDX: ffffaf218010fd38 RSI: ffffa446815f8568 RDI: ffffffff94eb03a0 +[ 113.227531] RBP: ffffaf218010fb90 R08: 0000001a251e217d R09: 00000000675259fa +[ 113.228426] R10: 0000000002ba8a6d R11: ffffa4468196c7a8 R12: ffffaf218010fd38 +[ 113.229304] R13: 0000000000000120 R14: ffffffff94eb03a0 R15: 0000000000000000 +[ 113.230210] FS: 0000000000000000(0000) GS:ffffa44739d00000(0000) knlGS:0000000000000000 +[ 113.231215] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 
+[ 113.232055] CR2: 00007efe0053d27e CR3: 000000000331a000 CR4: 00000000000006b0 +[ 113.232926] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 113.233812] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 113.234797] Call Trace: +[ 113.235116] +[ 113.235393] ? __warn+0x73/0xd0 +[ 113.235802] ? setattr_copy+0x1ee/0x200 +[ 113.236299] ? report_bug+0xf3/0x1e0 +[ 113.236757] ? handle_bug+0x4d/0x90 +[ 113.237202] ? exc_invalid_op+0x13/0x60 +[ 113.237689] ? asm_exc_invalid_op+0x16/0x20 +[ 113.238185] ? setattr_copy+0x1ee/0x200 +[ 113.238692] btrfs_setattr+0x80/0x820 [btrfs] +[ 113.239285] ? get_stack_info_noinstr+0x12/0xf0 +[ 113.239857] ? __module_address+0x22/0xa0 +[ 113.240368] ? handle_ksmbd_work+0x6e/0x460 [ksmbd] +[ 113.240993] ? __module_text_address+0x9/0x50 +[ 113.241545] ? __module_address+0x22/0xa0 +[ 113.242033] ? unwind_next_frame+0x10e/0x920 +[ 113.242600] ? __pfx_stack_trace_consume_entry+0x10/0x10 +[ 113.243268] notify_change+0x2c2/0x4e0 +[ 113.243746] ? stack_depot_save_flags+0x27/0x730 +[ 113.244339] ? set_file_basic_info+0x130/0x2b0 [ksmbd] +[ 113.244993] set_file_basic_info+0x130/0x2b0 [ksmbd] +[ 113.245613] ? process_scheduled_works+0xbe/0x310 +[ 113.246181] ? worker_thread+0x100/0x240 +[ 113.246696] ? kthread+0xc8/0x100 +[ 113.247126] ? ret_from_fork+0x2b/0x40 +[ 113.247606] ? ret_from_fork_asm+0x1a/0x30 +[ 113.248132] smb2_set_info+0x63f/0xa70 [ksmbd] + +ksmbd is trying to set the atime and mtime via notify_change without also +setting the ctime. so This patch add ATTR_CTIME flags when setting mtime +to avoid a warning. + +Reported-by: David Disseldorp +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +[ Minor conflict resolved. 
] +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -5739,15 +5739,13 @@ static int set_file_basic_info(struct ks + attrs.ia_valid |= (ATTR_ATIME | ATTR_ATIME_SET); + } + +- attrs.ia_valid |= ATTR_CTIME; + if (file_info->ChangeTime) +- attrs.ia_ctime = ksmbd_NTtimeToUnix(file_info->ChangeTime); +- else +- attrs.ia_ctime = inode->i_ctime; ++ inode_set_ctime_to_ts(inode, ++ ksmbd_NTtimeToUnix(file_info->ChangeTime)); + + if (file_info->LastWriteTime) { + attrs.ia_mtime = ksmbd_NTtimeToUnix(file_info->LastWriteTime); +- attrs.ia_valid |= (ATTR_MTIME | ATTR_MTIME_SET); ++ attrs.ia_valid |= (ATTR_MTIME | ATTR_MTIME_SET | ATTR_CTIME); + } + + if (file_info->Attributes) { +@@ -5789,8 +5787,6 @@ static int set_file_basic_info(struct ks + return -EACCES; + + inode_lock(inode); +- inode->i_ctime = attrs.ia_ctime; +- attrs.ia_valid &= ~ATTR_CTIME; + rc = notify_change(user_ns, dentry, &attrs, NULL); + inode_unlock(inode); + } diff --git a/queue-6.1/mptcp-fix-race-in-mptcp_pm_nl_flush_addrs_doit.patch b/queue-6.1/mptcp-fix-race-in-mptcp_pm_nl_flush_addrs_doit.patch new file mode 100644 index 0000000000..1d93d783da --- /dev/null +++ b/queue-6.1/mptcp-fix-race-in-mptcp_pm_nl_flush_addrs_doit.patch 
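Review bot: In set_file_basic_info() the new `inode_set_ctime_to_ts(inode, ksmbd_NTtimeToUnix(file_info->ChangeTime))` writes the client-supplied ChangeTime into the inode straight away. The removed code only stored it in `attrs.ia_ctime` and assigned `inode->i_ctime` between `inode_lock()` and `notify_change()`, after the `return -EACCES` path visible in the last hunk. As written, the ctime update appears to happen without the inode lock, and even for a request that a later check in this function rejects. I would either perform the write next to `notify_change()` under `inode_lock(inode)` or add a comment explaining why the early, unlocked write is acceptable. Separately, the pre-image still touches `inode->i_ctime` directly, so it is worth confirming that `inode_set_ctime_to_ts()` exists in the 6.1 tree before this is queued. The function body starts and ends outside the hunks.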
@@ -0,0 +1,82 @@ +From stable+bounces-215983-greg=kroah.com@vger.kernel.org Thu Feb 12 18:41:08 2026 +From: "Matthieu Baerts (NGI0)" +Date: Thu, 12 Feb 2026 18:40:52 +0100 +Subject: mptcp: fix race in mptcp_pm_nl_flush_addrs_doit() +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: MPTCP Upstream , Eric Dumazet , syzbot+5498a510ff9de39d37da@syzkaller.appspotmail.com, Eulgyu Kim , Mat Martineau , "Matthieu Baerts (NGI0)" , Jakub Kicinski +Message-ID: <20260212174051.1839592-2-matttbe@kernel.org> + +From: Eric Dumazet + +commit e2a9eeb69f7d4ca4cf4c70463af77664fdb6ab1d upstream. + +syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id() +and/or mptcp_pm_nl_is_backup() + +Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit() +which is not RCU ready. + +list_splice_init_rcu() can not be called here while holding pernet->lock +spinlock. + +Many thanks to Eulgyu Kim for providing a repro and testing our patches. + +Fixes: 141694df6573 ("mptcp: remove address when netlink flushes addrs") +Signed-off-by: Eric Dumazet +Reported-by: syzbot+5498a510ff9de39d37da@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/6970a46d.a00a0220.3ad28e.5cf0.GAE@google.com/T/ +Reported-by: Eulgyu Kim +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/611 +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260124-net-mptcp-race_nl_flush_addrs-v3-1-b2dc1b613e9d@kernel.org +Signed-off-by: Jakub Kicinski +[ Conflicts because the code has been moved from pm_netlink.c to + pm_kernel.c later on in commit 8617e85e04bd ("mptcp: pm: split + in-kernel PM specific code"). The same modifications can be applied + in pm_netlink.c with one exception, because 'pernet->local_addr_list' + has been renamed to 'pernet->endp_list' in commit 35e71e43a56d + ("mptcp: pm: in-kernel: rename 'local_addr_list' to 'endp_list'"). The + previous name is then still being used in this version. 
+ Also, another conflict is caused by commit 7bcf4d8022f9 ("mptcp: pm: + rename helpers linked to 'flush'") which is not in this version: + mptcp_nl_remove_addrs_list() has been renamed to + mptcp_nl_flush_addrs_list(). The previous name has then been kept. ] +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -1855,16 +1855,26 @@ static void __reset_counters(struct pm_n + static int mptcp_nl_cmd_flush_addrs(struct sk_buff *skb, struct genl_info *info) + { + struct pm_nl_pernet *pernet = genl_info_pm_nl(info); +- LIST_HEAD(free_list); ++ struct list_head free_list; + + spin_lock_bh(&pernet->lock); +- list_splice_init(&pernet->local_addr_list, &free_list); ++ free_list = pernet->local_addr_list; ++ INIT_LIST_HEAD_RCU(&pernet->local_addr_list); + __reset_counters(pernet); + pernet->next_id = 1; + bitmap_zero(pernet->id_bitmap, MPTCP_PM_MAX_ADDR_ID + 1); + spin_unlock_bh(&pernet->lock); +- mptcp_nl_remove_addrs_list(sock_net(skb->sk), &free_list); ++ ++ if (free_list.next == &pernet->local_addr_list) ++ return 0; ++ + synchronize_rcu(); ++ ++ /* Adjust the pointers to free_list instead of pernet->local_addr_list */ ++ free_list.prev->next = &free_list; ++ free_list.next->prev = &free_list; ++ ++ mptcp_nl_remove_addrs_list(sock_net(skb->sk), &free_list); + __flush_addrs(&free_list); + return 0; + } diff --git a/queue-6.1/net-dsa-free-routing-table-on-probe-failure.patch b/queue-6.1/net-dsa-free-routing-table-on-probe-failure.patch new file mode 100644 index 0000000000..9d822d1ead --- /dev/null +++ b/queue-6.1/net-dsa-free-routing-table-on-probe-failure.patch 
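Review bot: The early return `if (free_list.next == &pernet->local_addr_list) return 0;` in mptcp_nl_cmd_flush_addrs() relies on `free_list` being a raw struct copy whose pointers still reference the old head, and nothing in the code says so. I would add `/* The copied head still points at the pernet head: the list was empty, nothing to free. */` above it. The existing fix-up comment could also say that `free_list` must not be walked or passed to a list helper until `free_list.prev->next` and `free_list.next->prev` have been rewritten after `synchronize_rcu()`. That constraint matters because the entries stay reachable to RCU readers through the old head until the grace period ends, so a later edit that moves `mptcp_nl_remove_addrs_list()` or `__flush_addrs()` above the fix-up would walk a list that never terminates at `&free_list`.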
@@ -0,0 +1,160 @@ +From lanbincn@139.com Thu Feb 12 11:53:39 2026 +From: Bin Lan +Date: Thu, 12 Feb 2026 10:53:04 +0000 +Subject: net: dsa: free routing table on probe failure +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: Vladimir Oltean , Jakub Kicinski , Bin Lan +Message-ID: <20260212105304.4210-1-lanbincn@139.com> + +From: Vladimir Oltean + +[ Upstream commit 8bf108d7161ffc6880ad13a0cc109de3cf631727 ] + +If complete = true in dsa_tree_setup(), it means that we are the last +switch of the tree which is successfully probing, and we should be +setting up all switches from our probe path. + +After "complete" becomes true, dsa_tree_setup_cpu_ports() or any +subsequent function may fail. If that happens, the entire tree setup is +in limbo: the first N-1 switches have successfully finished probing +(doing nothing but having allocated persistent memory in the tree's +dst->ports, and maybe dst->rtable), and switch N failed to probe, ending +the tree setup process before anything is tangible from the user's PoV. + +If switch N fails to probe, its memory (ports) will be freed and removed +from dst->ports. However, the dst->rtable elements pointing to its ports, +as created by dsa_link_touch(), will remain there, and will lead to +use-after-free if dereferenced. 
+ +If dsa_tree_setup_switches() returns -EPROBE_DEFER, which is entirely +possible because that is where ds->ops->setup() is, we get a kasan +report like this: + +================================================================== +BUG: KASAN: slab-use-after-free in mv88e6xxx_setup_upstream_port+0x240/0x568 +Read of size 8 at addr ffff000004f56020 by task kworker/u8:3/42 + +Call trace: + __asan_report_load8_noabort+0x20/0x30 + mv88e6xxx_setup_upstream_port+0x240/0x568 + mv88e6xxx_setup+0xebc/0x1eb0 + dsa_register_switch+0x1af4/0x2ae0 + mv88e6xxx_register_switch+0x1b8/0x2a8 + mv88e6xxx_probe+0xc4c/0xf60 + mdio_probe+0x78/0xb8 + really_probe+0x2b8/0x5a8 + __driver_probe_device+0x164/0x298 + driver_probe_device+0x78/0x258 + __device_attach_driver+0x274/0x350 + +Allocated by task 42: + __kasan_kmalloc+0x84/0xa0 + __kmalloc_cache_noprof+0x298/0x490 + dsa_switch_touch_ports+0x174/0x3d8 + dsa_register_switch+0x800/0x2ae0 + mv88e6xxx_register_switch+0x1b8/0x2a8 + mv88e6xxx_probe+0xc4c/0xf60 + mdio_probe+0x78/0xb8 + really_probe+0x2b8/0x5a8 + __driver_probe_device+0x164/0x298 + driver_probe_device+0x78/0x258 + __device_attach_driver+0x274/0x350 + +Freed by task 42: + __kasan_slab_free+0x48/0x68 + kfree+0x138/0x418 + dsa_register_switch+0x2694/0x2ae0 + mv88e6xxx_register_switch+0x1b8/0x2a8 + mv88e6xxx_probe+0xc4c/0xf60 + mdio_probe+0x78/0xb8 + really_probe+0x2b8/0x5a8 + __driver_probe_device+0x164/0x298 + driver_probe_device+0x78/0x258 + __device_attach_driver+0x274/0x350 + +The simplest way to fix the bug is to delete the routing table in its +entirety. dsa_tree_setup_routing_table() has no problem in regenerating +it even if we deleted links between ports other than those of switch N, +because dsa_link_touch() first checks whether the port pair already +exists in dst->rtable, allocating if not. + +The deletion of the routing table in its entirety already exists in +dsa_tree_teardown(), so refactor that into a function that can also be +called from the tree setup error path. 
+ +In my analysis of the commit to blame, it is the one which added +dsa_link elements to dst->rtable. Prior to that, each switch had its own +ds->rtable which is freed when the switch fails to probe. But the tree +is potentially persistent memory. + +Fixes: c5f51765a1f6 ("net: dsa: list DSA links in the fabric") +Signed-off-by: Vladimir Oltean +Link: https://patch.msgid.link/20250414213001.2957964-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +[ Backport the fix to net/dsa/dsa2.c in v6.1.y for dsa2.c was +renamed back into dsa.c by commit +47d2ce03dcfb ("net: dsa: rename dsa2.c back into dsa.c and create its header") +since v6.2. ] +Signed-off-by: Bin Lan +Signed-off-by: Greg Kroah-Hartman +--- + net/dsa/dsa2.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +--- a/net/dsa/dsa2.c ++++ b/net/dsa/dsa2.c +@@ -1148,6 +1148,16 @@ static void dsa_tree_teardown_lags(struc + kfree(dst->lags); + } + ++static void dsa_tree_teardown_routing_table(struct dsa_switch_tree *dst) ++{ ++ struct dsa_link *dl, *next; ++ ++ list_for_each_entry_safe(dl, next, &dst->rtable, list) { ++ list_del(&dl->list); ++ kfree(dl); ++ } ++} ++ + static int dsa_tree_setup(struct dsa_switch_tree *dst) + { + bool complete; +@@ -1165,7 +1175,7 @@ static int dsa_tree_setup(struct dsa_swi + + err = dsa_tree_setup_cpu_ports(dst); + if (err) +- return err; ++ goto teardown_rtable; + + err = dsa_tree_setup_switches(dst); + if (err) +@@ -1197,14 +1207,14 @@ teardown_switches: + dsa_tree_teardown_switches(dst); + teardown_cpu_ports: + dsa_tree_teardown_cpu_ports(dst); ++teardown_rtable: ++ dsa_tree_teardown_routing_table(dst); + + return err; + } + + static void dsa_tree_teardown(struct dsa_switch_tree *dst) + { +- struct dsa_link *dl, *next; +- + if (!dst->setup) + return; + +@@ -1218,10 +1228,7 @@ static void dsa_tree_teardown(struct dsa + + dsa_tree_teardown_cpu_ports(dst); + +- list_for_each_entry_safe(dl, next, &dst->rtable, list) { +- list_del(&dl->list); +- 
kfree(dl); +- } ++ dsa_tree_teardown_routing_table(dst); + + pr_info("DSA: tree %d torn down\n", dst->index); + diff --git a/queue-6.1/net-stmmac-fix-accessing-freed-irq-affinity_hint.patch b/queue-6.1/net-stmmac-fix-accessing-freed-irq-affinity_hint.patch new file mode 100644 index 0000000000..ce9b96f482 --- /dev/null +++ b/queue-6.1/net-stmmac-fix-accessing-freed-irq-affinity_hint.patch 
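Review bot: The new helper dsa_tree_teardown_routing_table() is now reached from the dsa_tree_setup() error path as well as from dsa_tree_teardown(), but it has no comment stating what it guarantees to either caller. I would add a short header such as `/* Free every dsa_link in dst->rtable; the list is left empty so the table can be rebuilt on the next probe attempt. */`. The `teardown_rtable:` label would benefit from a one-line note that links belonging to other, already-probed switches are dropped too; the commit message says dsa_link_touch() recreates them, but that reasoning is not in the code. Whether anything else can walk `dst->rtable` concurrently on the error path is not visible here and presumably depends on a lock taken by the caller.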
@@ -0,0 +1,61 @@ +From stable+bounces-215916-greg=kroah.com@vger.kernel.org Thu Feb 12 07:51:32 2026 +From: Rajani Kantha <681739313@139.com> +Date: Thu, 12 Feb 2026 14:51:14 +0800 +Subject: net: stmmac: Fix accessing freed irq affinity_hint +To: dqfext@gmail.com, jacob.e.keller@intel.com, kuba@kernel.org, stable@vger.kernel.org +Message-ID: <20260212065114.2532-1-681739313@139.com> + +From: Qingfang Deng + +[ Upstream commit c60d101a226f18e9a8f01bb4c6ca2b47dfcb15ef ] + +The cpumask should not be a local variable, since its pointer is saved +to irq_desc and may be accessed from procfs. +To fix it, use the persistent mask cpumask_of(cpu#). + +Cc: stable@vger.kernel.org +Fixes: 8deec94c6040 ("net: stmmac: set IRQ affinity hint for multi MSI vectors") +Signed-off-by: Qingfang Deng +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20250318032424.112067-1-dqfext@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Rajani Kantha <681739313@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -3518,7 +3518,6 @@ static int stmmac_request_irq_multi_msi( + { + struct stmmac_priv *priv = netdev_priv(dev); + enum request_irq_err irq_err; +- cpumask_t cpu_mask; + int irq_idx = 0; + char *int_name; + int ret; +@@ -3630,9 +3629,8 @@ static int stmmac_request_irq_multi_msi( + irq_idx = i; + goto irq_error; + } +- cpumask_clear(&cpu_mask); +- cpumask_set_cpu(i % num_online_cpus(), &cpu_mask); +- irq_set_affinity_hint(priv->rx_irq[i], &cpu_mask); ++ irq_set_affinity_hint(priv->rx_irq[i], ++ cpumask_of(i % num_online_cpus())); + } + + /* Request Tx MSI irq */ +@@ -3655,9 +3653,8 @@ static int stmmac_request_irq_multi_msi( + irq_idx = i; + goto irq_error; + } +- cpumask_clear(&cpu_mask); +- cpumask_set_cpu(i % num_online_cpus(), &cpu_mask); 
+- irq_set_affinity_hint(priv->tx_irq[i], &cpu_mask); ++ irq_set_affinity_hint(priv->tx_irq[i], ++ cpumask_of(i % num_online_cpus())); + } + + return 0; diff --git a/queue-6.1/nfsd-don-t-ignore-the-return-code-of-svc_proc_register.patch b/queue-6.1/nfsd-don-t-ignore-the-return-code-of-svc_proc_register.patch new file mode 100644 index 0000000000..9a19376d9f --- /dev/null +++ b/queue-6.1/nfsd-don-t-ignore-the-return-code-of-svc_proc_register.patch 
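Review bot: Both new `cpumask_of(i % num_online_cpus())` calls in stmmac_request_irq_multi_msi() pass a value that is an index bounded by the number of online CPUs, not necessarily the id of an online CPU; the two coincide only when online ids are contiguous from 0. This is carried over from the removed code and only affects a hint, so a comment is probably enough, for example `/* Hint only: the index may name an offline CPU when online ids are sparse. */`. Now that the hint points at persistent storage, it is also worth checking that the IRQ free path, which is outside these hunks, still clears the hint with `irq_set_affinity_hint(irq, NULL)` before `free_irq()`.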
@@ -0,0 +1,95 @@
+From stable+bounces-215737-greg=kroah.com@vger.kernel.org Wed Feb 11 04:06:17 2026
+From: Jianqiang kang
+Date: Wed, 11 Feb 2026 11:05:45 +0800
+Subject: nfsd: don't ignore the return code of svc_proc_register()
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org, jlayton@kernel.org
+Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, chuck.lever@oracle.com, neilb@suse.de, kolga@netapp.com, Dai.Ngo@oracle.com, tom@talpey.com, linux-nfs@vger.kernel.org
+Message-ID: <20260211030545.2704021-1-jianqkang@sina.cn>
+
+From: Jeff Layton
+
+[ Upstream commit 930b64ca0c511521f0abdd1d57ce52b2a6e3476b ]
+
+Currently, nfsd_proc_stat_init() ignores the return value of
+svc_proc_register(). If the procfile creation fails, then the kernel
+will WARN when it tries to remove the entry later.
+
+Fix nfsd_proc_stat_init() to return the same type of pointer as
+svc_proc_register(), and fix up nfsd_net_init() to check that and fail
+the nfsd_net construction if it occurs.
+
+svc_proc_register() can fail if the dentry can't be allocated, or if an
+identical dentry already exists. The second case is pretty unlikely in
+the nfsd_net construction codepath, so if this happens, return -ENOMEM.
+
+Reported-by: syzbot+e34ad04f27991521104c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-nfs/67a47501.050a0220.19061f.05f9.GAE@google.com/
+Cc: stable@vger.kernel.org # v6.9
+Signed-off-by: Jeff Layton
+Signed-off-by: Chuck Lever
+[ Update the cleanup path to use nfsd_stat_counters_destroy. This ensures
+ the teardown logic is correctly paired with nfsd_stat_counters_init, as
+ required by the current NFSD implementation.]
+Signed-off-by: Jianqiang kang
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfsctl.c | 9 ++++++++-
+ fs/nfsd/stats.c | 4 ++--
+ fs/nfsd/stats.h | 2 +-
+ 3 files changed, 11 insertions(+), 4 deletions(-)
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -1460,17 +1460,24 @@ static __net_init int nfsd_init_net(stru
+ retval = nfsd_stat_counters_init(nn);
+ if (retval)
+ goto out_repcache_error;
++
+ memset(&nn->nfsd_svcstats, 0, sizeof(nn->nfsd_svcstats));
+ nn->nfsd_svcstats.program = &nfsd_program;
++ if (!nfsd_proc_stat_init(net)) {
++ retval = -ENOMEM;
++ goto out_proc_error;
++ }
++
+ nn->nfsd_versions = NULL;
+ nn->nfsd4_minorversions = NULL;
+ nfsd4_init_leases_net(nn);
+ get_random_bytes(&nn->siphash_key, sizeof(nn->siphash_key));
+ seqlock_init(&nn->writeverf_lock);
+- nfsd_proc_stat_init(net);
+
+ return 0;
+
++out_proc_error:
++ nfsd_stat_counters_destroy(nn);
+ out_repcache_error:
+ nfsd_idmap_shutdown(net);
+ out_idmap_error:
+--- a/fs/nfsd/stats.c
++++ b/fs/nfsd/stats.c
+@@ -113,11 +113,11 @@ void nfsd_stat_counters_destroy(struct n
+ nfsd_percpu_counters_destroy(nn->counter, NFSD_STATS_COUNTERS_NUM);
+ }
+
+-void nfsd_proc_stat_init(struct net *net)
++struct proc_dir_entry *nfsd_proc_stat_init(struct net *net)
+ {
+ struct nfsd_net *nn = net_generic(net, nfsd_net_id);
+
+- svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
++ return svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
+ }
+
+ void nfsd_proc_stat_shutdown(struct net *net)
+--- a/fs/nfsd/stats.h
++++ b/fs/nfsd/stats.h
+@@ -15,7 +15,7 @@ void nfsd_percpu_counters_reset(struct p
+ void nfsd_percpu_counters_destroy(struct percpu_counter *counters, int num);
+ int nfsd_stat_counters_init(struct nfsd_net *nn);
+ void nfsd_stat_counters_destroy(struct nfsd_net *nn);
+-void nfsd_proc_stat_init(struct net *net);
++struct proc_dir_entry *nfsd_proc_stat_init(struct net *net);
+ void nfsd_proc_stat_shutdown(struct net *net);
+
+ static inline void nfsd_stats_rc_hits_inc(struct nfsd_net *nn)
diff --git a/queue-6.1/series b/queue-6.1/series
index 2041c58e74..cb14d800bc 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -44,3 +44,13 @@ mptcp-ensure-context-reset-on-disconnect.patch
 selftests-mptcp-check-no-dup-close-events-after-error.patch
 selftests-mptcp-check-subflow-errors-in-close-events.patch
 selftests-mptcp-join-fix-local-endp-not-being-tracked.patch
+xsk-fix-race-condition-in-af_xdp-generic-rx-path.patch
+devlink-rate-unset-parent-pointer-in-devl_rate_nodes_destroy.patch
+clk-mediatek-fix-of_iomap-memory-leak.patch
+nfsd-don-t-ignore-the-return-code-of-svc_proc_register.patch
+ksmbd-set-attr_ctime-flags-when-setting-mtime.patch
+acpi-apei-send-sigbus-to-current-task-if-synchronous-memory-error-not-recovered.patch
+net-stmmac-fix-accessing-freed-irq-affinity_hint.patch
+net-dsa-free-routing-table-on-probe-failure.patch
+mptcp-fix-race-in-mptcp_pm_nl_flush_addrs_doit.patch
+wifi-cfg80211-add-missing-lock-in-cfg80211_check_and_end_cac.patch
diff --git a/queue-6.1/wifi-cfg80211-add-missing-lock-in-cfg80211_check_and_end_cac.patch b/queue-6.1/wifi-cfg80211-add-missing-lock-in-cfg80211_check_and_end_cac.patch
new file mode 100644
index 0000000000..4333064898
--- /dev/null
+++ b/queue-6.1/wifi-cfg80211-add-missing-lock-in-cfg80211_check_and_end_cac.patch
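Review bot: The new `if (!nfsd_proc_stat_init(net))` check in nfsd_init_net() turns every NULL return into a fatal -ENOMEM, so it should be confirmed what svc_proc_register() returns in the 6.1 tree when procfs is compiled out. If that configuration provides a stub returning NULL (not visible in this patch), every nfsd_net construction would fail on such a build, and a guard such as `if (IS_ENABLED(CONFIG_PROC_FS) && !nfsd_proc_stat_init(net))` would be needed. The prototype in stats.h would also benefit from a one-line comment, e.g. `/* returns NULL if the proc entry could not be created */`, since the return value is now part of the contract. nfsd_init_net() begins and ends outside the inner hunk.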
@@ -0,0 +1,95 @@
+From stable+bounces-216034-greg=kroah.com@vger.kernel.org Fri Feb 13 09:27:49 2026
+From: Bin Lan
+Date: Fri, 13 Feb 2026 08:26:24 +0000
+Subject: wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac()
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: Alexander Wetzel , Johannes Berg , Bin Lan
+Message-ID: <20260213082624.4190-1-lanbincn@139.com>
+
+From: Alexander Wetzel
+
+[ Upstream commit 2c5dee15239f3f3e31aa5c8808f18996c039e2c1 ]
+
+Callers of wdev_chandef() must hold the wiphy mutex.
+
+But the worker cfg80211_propagate_cac_done_wk() never takes the lock.
+Which triggers the warning below with the mesh_peer_connected_dfs
+test from hostapd and not (yet) released mac80211 code changes:
+
+WARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165
+Modules linked in:
+CPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf
+Workqueue: cfg80211 cfg80211_propagate_cac_done_wk
+Stack:
+ 00000000 00000001 ffffff00 6093267c
+ 00000000 6002ec30 6d577c50 60037608
+ 00000000 67e8d108 6063717b 00000000
+Call Trace:
+ [<6002ec30>] ? _printk+0x0/0x98
+ [<6003c2b3>] show_stack+0x10e/0x11a
+ [<6002ec30>] ? _printk+0x0/0x98
+ [<60037608>] dump_stack_lvl+0x71/0xb8
+ [<6063717b>] ? wdev_chandef+0x60/0x165
+ [<6003766d>] dump_stack+0x1e/0x20
+ [<6005d1b7>] __warn+0x101/0x20f
+ [<6005d3a8>] warn_slowpath_fmt+0xe3/0x15d
+ [<600b0c5c>] ? mark_lock.part.0+0x0/0x4ec
+ [<60751191>] ? __this_cpu_preempt_check+0x0/0x16
+ [<600b11a2>] ? mark_held_locks+0x5a/0x6e
+ [<6005d2c5>] ? warn_slowpath_fmt+0x0/0x15d
+ [<60052e53>] ? unblock_signals+0x3a/0xe7
+ [<60052f2d>] ? um_set_signals+0x2d/0x43
+ [<60751191>] ? __this_cpu_preempt_check+0x0/0x16
+ [<607508b2>] ? lock_is_held_type+0x207/0x21f
+ [<6063717b>] wdev_chandef+0x60/0x165
+ [<605f89b4>] regulatory_propagate_dfs_state+0x247/0x43f
+ [<60052f00>] ? um_set_signals+0x0/0x43
+ [<605e6bfd>] cfg80211_propagate_cac_done_wk+0x3a/0x4a
+ [<6007e460>] process_scheduled_works+0x3bc/0x60e
+ [<6007d0ec>] ? move_linked_works+0x4d/0x81
+ [<6007d120>] ? assign_work+0x0/0xaa
+ [<6007f81f>] worker_thread+0x220/0x2dc
+ [<600786ef>] ? set_pf_worker+0x0/0x57
+ [<60087c96>] ? to_kthread+0x0/0x43
+ [<6008ab3c>] kthread+0x2d3/0x2e2
+ [<6007f5ff>] ? worker_thread+0x0/0x2dc
+ [<6006c05b>] ? calculate_sigpending+0x0/0x56
+ [<6003b37d>] new_thread_handler+0x4a/0x64
+irq event stamp: 614611
+hardirqs last enabled at (614621): [<00000000600bc96b>] __up_console_sem+0x82/0xaf
+hardirqs last disabled at (614630): [<00000000600bc92c>] __up_console_sem+0x43/0xaf
+softirqs last enabled at (614268): [<00000000606c55c6>] __ieee80211_wake_queue+0x933/0x985
+softirqs last disabled at (614266): [<00000000606c52d6>] __ieee80211_wake_queue+0x643/0x985
+
+Fixes: 26ec17a1dc5e ("cfg80211: Fix radar event during another phy CAC")
+Signed-off-by: Alexander Wetzel
+Link: https://patch.msgid.link/20250717162547.94582-1-Alexander@wetzel-home.de
+Signed-off-by: Johannes Berg
+[ Use wiphy_lock() and wiphy_unlock() instead of guard() in v6.1.y. ]
+Signed-off-by: Bin Lan
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/wireless/reg.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -4241,6 +4241,9 @@ EXPORT_SYMBOL(regulatory_pre_cac_allowed
+ static void cfg80211_check_and_end_cac(struct cfg80211_registered_device *rdev)
+ {
+ struct wireless_dev *wdev;
++
++ wiphy_lock(&rdev->wiphy);
++
+ /* If we finished CAC or received radar, we should end any
+ * CAC running on the same channels.
+ * the check !cfg80211_chandef_dfs_usable contain 2 options:
+@@ -4264,6 +4267,8 @@ static void cfg80211_check_and_end_cac(s
+ if (!cfg80211_chandef_dfs_usable(&rdev->wiphy, chandef))
+ rdev_end_cac(rdev, wdev->netdev);
+ }
++
++ wiphy_unlock(&rdev->wiphy);
+ }
+
+ void regulatory_propagate_dfs_state(struct wiphy *wiphy,
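Review bot: Because this backport replaces the upstream guard() with an explicit `wiphy_lock(&rdev->wiphy)` / `wiphy_unlock(&rdev->wiphy)` pair in cfg80211_check_and_end_cac(), every path through the loop between the two inner hunks has to reach the unlock. That middle part of the function is outside the hunks and should be checked for any early `return`. It is also worth confirming that the lock wdev_chandef() asserts in the 6.1 tree is the wiphy mutex, since the warning quoted in the description was produced on a 6.14-rc kernel. A short comment at the lock site, e.g. `/* wdev_chandef() must be called with the wiphy mutex held */`, would record why the lock is taken here.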
diff --git a/queue-6.1/xsk-fix-race-condition-in-af_xdp-generic-rx-path.patch b/queue-6.1/xsk-fix-race-condition-in-af_xdp-generic-rx-path.patch
new file mode 100644
index 0000000000..312d0d3876
--- /dev/null
+++ b/queue-6.1/xsk-fix-race-condition-in-af_xdp-generic-rx-path.patch
@@ -0,0 +1,115 @@
+From stable+bounces-215625-greg=kroah.com@vger.kernel.org Tue Feb 10 10:14:03 2026
+From: Jianqiang kang
+Date: Tue, 10 Feb 2026 17:12:51 +0800
+Subject: xsk: Fix race condition in AF_XDP generic RX path
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org, e.kubanski@partner.samsung.com
+Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, bjorn@kernel.org, magnus.karlsson@intel.com, maciej.fijalkowski@intel.com, jonathan.lemon@gmail.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, ast@kernel.org, daniel@iogearbox.net, hawk@kernel.org, john.fastabend@gmail.com, i.maximets@samsung.com, netdev@vger.kernel.org, bpf@vger.kernel.org
+Message-ID: <20260210091251.1690056-1-jianqkang@sina.cn>
+
+From: "e.kubanski"
+
+[ Upstream commit a1356ac7749cafc4e27aa62c0c4604b5dca4983e ]
+
+Move rx_lock from xsk_socket to xsk_buff_pool.
+Fix synchronization for shared umem mode in
+generic RX path where multiple sockets share
+single xsk_buff_pool.
+
+RX queue is exclusive to xsk_socket, while FILL
+queue can be shared between multiple sockets.
+This could result in race condition where two
+CPU cores access RX path of two different sockets
+sharing the same umem.
+
+Protect both queues by acquiring spinlock in shared
+xsk_buff_pool.
+
+Lock contention may be minimized in the future by some
+per-thread FQ buffering.
+
+It's safe and necessary to move spin_lock_bh(rx_lock)
+after xsk_rcv_check():
+* xs->pool and spinlock_init is synchronized by
+ xsk_bind() -> xsk_is_bound() memory barriers.
+* xsk_rcv_check() may return true at the moment
+ of xsk_release() or xsk_unbind_dev(),
+ however this will not cause any data races or
+ race conditions. xsk_unbind_dev() removes xdp
+ socket from all maps and waits for completion
+ of all outstanding rx operations. Packets in
+ RX path will either complete safely or drop.
+
+Signed-off-by: Eryk Kubanski
+Fixes: bf0bdd1343efb ("xdp: fix race on generic receive path")
+Acked-by: Magnus Karlsson
+Link: https://patch.msgid.link/20250416101908.10919-1-e.kubanski@partner.samsung.com
+Signed-off-by: Jakub Kicinski
+[ Conflict is resolved when backporting this fix. ]
+Signed-off-by: Jianqiang kang
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/xdp_sock.h | 2 --
+ include/net/xsk_buff_pool.h | 2 ++
+ net/xdp/xsk.c | 6 +++---
+ net/xdp/xsk_buff_pool.c | 1 +
+ 4 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/include/net/xdp_sock.h
++++ b/include/net/xdp_sock.h
+@@ -59,8 +59,6 @@ struct xdp_sock {
+
+ struct xsk_queue *tx ____cacheline_aligned_in_smp;
+ struct list_head tx_list;
+- /* Protects generic receive. */
+- spinlock_t rx_lock;
+
+ /* Statistics */
+ u64 rx_dropped;
+--- a/include/net/xsk_buff_pool.h
++++ b/include/net/xsk_buff_pool.h
+@@ -48,6 +48,8 @@ struct xsk_buff_pool {
+ refcount_t users;
+ struct xdp_umem *umem;
+ struct work_struct work;
++ /* Protects generic receive in shared and non-shared umem mode. */
++ spinlock_t rx_lock;
+ struct list_head free_list;
+ u32 heads_cnt;
+ u16 queue_id;
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -237,13 +237,14 @@ int xsk_generic_rcv(struct xdp_sock *xs,
+ {
+ int err;
+
+- spin_lock_bh(&xs->rx_lock);
+ err = xsk_rcv_check(xs, xdp);
+ if (!err) {
++ spin_lock_bh(&xs->pool->rx_lock);
+ err = __xsk_rcv(xs, xdp);
+ xsk_flush(xs);
++ spin_unlock_bh(&xs->pool->rx_lock);
+ }
+- spin_unlock_bh(&xs->rx_lock);
++
+ return err;
+ }
+
+@@ -1448,7 +1449,6 @@ static int xsk_create(struct net *net, s
+ xs = xdp_sk(sk);
+ xs->state = XSK_READY;
+ mutex_init(&xs->mutex);
+- spin_lock_init(&xs->rx_lock);
+
+ INIT_LIST_HEAD(&xs->map_list);
+ spin_lock_init(&xs->map_list_lock);
+--- a/net/xdp/xsk_buff_pool.c
++++ b/net/xdp/xsk_buff_pool.c
+@@ -85,6 +85,7 @@ struct xsk_buff_pool *xp_create_and_assi
+ XDP_PACKET_HEADROOM;
+ pool->umem = umem;
+ pool->addrs = umem->addrs;
++ spin_lock_init(&pool->rx_lock);
+ INIT_LIST_HEAD(&pool->free_list);
+ INIT_LIST_HEAD(&pool->xsk_tx_list);
+ spin_lock_init(&pool->xsk_tx_list_lock);
-- 2.47.3
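Review bot: In xsk_generic_rcv() the new `spin_lock_bh(&xs->pool->rx_lock)` dereferences `xs->pool` only because xsk_rcv_check() has just succeeded, and the reasoning for taking the lock after that check exists only in the commit description. A comment at the lock site, such as `/* rx_lock lives in the pool: the fill queue may be shared by several sockets */`, together with a note that `xs->pool` is only valid once xsk_rcv_check() has passed, would keep that invariant next to the code. Since the description says a conflict was resolved for this backport, it should also be confirmed that xsk_rcv_check() in the 6.1 tree performs the bound check the upstream argument relies on; its body is not part of this patch.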