From: Greg Kroah-Hartman Date: Thu, 20 Nov 2025 16:32:38 +0000 (+0100) Subject: 6.12-stable patches X-Git-Tag: v6.6.117~26 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=781e26e61b4bed258330b1040dd5b0dc606d5b84;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: alsa-usb-audio-fix-potential-overflow-of-pcm-transfer-buffer.patch btrfs-do-not-update-last_log_commit-when-logging-inode-due-to-a-new-name.patch btrfs-release-root-after-error-in-data_reloc_print_warning_inode.patch btrfs-scrub-put-bio-after-errors-in-scrub_raid56_parity_stripe.patch btrfs-zoned-fix-conventional-zone-capacity-calculation.patch cifs-client-fix-memory-leak-in-smb3_fs_context_parse_param.patch codetag-debug-handle-existing-codetag_empty-in-mark_objexts_empty-for-slabobj_ext.patch crash-fix-crashkernel-resource-shrink.patch crypto-hisilicon-qm-fix-device-reference-leak-in-qm_get_qos_value.patch drm-amdgpu-disable-peer-to-peer-access-for-dcc-enabled-gc12-vram-surfaces.patch drm-amdkfd-relax-checks-for-over-allocation-of-save-area.patch edac-altera-handle-ocram-ecc-enable-after-warm-reset.patch edac-altera-use-inttest-register-for-ethernet-and-usb-sbe-injection.patch fs-proc-fix-uaf-in-proc_readdir_de.patch ftrace-fix-bpf-fexit-with-livepatch.patch ipv4-route-prevent-rt_bind_exception-from-rebinding-stale-fnhe.patch loongarch-use-physical-addresses-for-csr_merrentry-csr_tlbrentry.patch mm-mm_init-fix-hash-table-order-logging-in-alloc_large_system_hash.patch mm-shmem-fix-thp-allocation-and-fallback-loop.patch mmc-dw_mmc-rockchip-fix-wrong-internal-phase-calculate.patch mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch nilfs2-avoid-having-an-active-sc_timer-before-freeing-sci.patch pm-hibernate-emit-an-error-when-image-writing-fails.patch pm-hibernate-use-atomic64_t-for-compressed_size-variable.patch pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch 
pmdomain-samsung-plug-potential-memleak-during-probe.patch selftests-mptcp-connect-fix-fallback-note-due-to-ooo.patch selftests-mptcp-connect-trunc-read-all-recv-data.patch selftests-mptcp-join-endpoints-longer-transfer.patch selftests-mptcp-join-properly-kill-background-tasks.patch selftests-mptcp-join-rm-set-backup-flag.patch selftests-mptcp-join-userspace-longer-transfer.patch selftests-tracing-run-sample-events-to-clear-page-cache-events.patch selftests-user_events-fix-type-cast-for-write_index-packed-member-in-perf_test.patch smb-client-fix-cifs_pick_channel-when-channel-needs-reconnect.patch spi-try-to-get-acpi-gpio-irq-earlier.patch wifi-mac80211-reject-address-change-while-connecting.patch x86-microcode-amd-add-zen5-model-0x44-stepping-0x1-minrev.patch --- diff --git a/queue-6.12/alsa-usb-audio-fix-potential-overflow-of-pcm-transfer-buffer.patch b/queue-6.12/alsa-usb-audio-fix-potential-overflow-of-pcm-transfer-buffer.patch new file mode 100644 index 0000000000..db1dc9e9c9 --- /dev/null +++ b/queue-6.12/alsa-usb-audio-fix-potential-overflow-of-pcm-transfer-buffer.patch 
@@ -0,0 +1,53 @@
+From 05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Sun, 9 Nov 2025 10:12:07 +0100
+Subject: ALSA: usb-audio: Fix potential overflow of PCM transfer buffer
+
+From: Takashi Iwai
+
+commit 05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf upstream.
+
+The PCM stream data in USB-audio driver is transferred over USB URB
+packet buffers, and each packet size is determined dynamically. The
+packet sizes are limited by some factors such as wMaxPacketSize USB
+descriptor. OTOH, in the current code, the actually used packet sizes
+are determined only by the rate and the PPS, which may be bigger than
+the size limit above. This results in a buffer overflow, as reported
+by syzbot.
+
+Basically when the limit is smaller than the calculated packet size,
+it implies that something is wrong, most likely a weird USB
+descriptor. So the best option would be just to return an error at
+the parameter setup time before doing any further operations.
+
+This patch introduces such a sanity check, and returns -EINVAL when
+the packet size is greater than maxpacksize. The comparison with
+ep->packsize[1] alone should suffice since it's always equal or
+greater than ep->packsize[0].
+
+Reported-by: syzbot+bfd77469c8966de076f7@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=bfd77469c8966de076f7
+Link: https://lore.kernel.org/690b6b46.050a0220.3d0d33.0054.GAE@google.com
+Cc: Lizhi Xu
+Cc:
+Link: https://patch.msgid.link/20251109091211.12739-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/endpoint.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -1386,6 +1386,11 @@ int snd_usb_endpoint_set_params(struct s
+ ep->sample_rem = ep->cur_rate % ep->pps;
+ ep->packsize[0] = ep->cur_rate / ep->pps;
+ ep->packsize[1] = (ep->cur_rate + (ep->pps - 1)) / ep->pps;
++ if (ep->packsize[1] > ep->maxpacksize) {
++ usb_audio_dbg(chip, "Too small maxpacksize %u for rate %u / pps %u\n",
++ ep->maxpacksize, ep->cur_rate, ep->pps);
++ return -EINVAL;
++ }
+
+ /* calculate the frequency in 16.16 format */
+ ep->freqm = ep->freqn;
diff --git a/queue-6.12/btrfs-do-not-update-last_log_commit-when-logging-inode-due-to-a-new-name.patch b/queue-6.12/btrfs-do-not-update-last_log_commit-when-logging-inode-due-to-a-new-name.patch
new file mode 100644
index 0000000000..feb5aea845
--- /dev/null
+++ b/queue-6.12/btrfs-do-not-update-last_log_commit-when-logging-inode-due-to-a-new-name.patch
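Review bot: The added `return -EINVAL;` leaves snd_usb_endpoint_set_params() from the middle of its body, and the function's start and end are outside this hunk. If the function holds a lock or funnels its exits through a shared label at this point (to be confirmed against the full body), the direct return skips that cleanup, and the rejection should read `err = -EINVAL; goto EXIT_LABEL;` where EXIT_LABEL is a placeholder for the function's existing exit label. Separately, the rejection is reported through usb_audio_dbg, so a device turned away for an inconsistent maxpacksize leaves no trace at default log levels; a higher log level would make it visible to whoever triages the failure.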
@@ -0,0 +1,108 @@
+From bfe3d755ef7cec71aac6ecda34a107624735aac7 Mon Sep 17 00:00:00 2001
+From: Filipe Manana
+Date: Wed, 29 Oct 2025 13:05:32 +0000
+Subject: btrfs: do not update last_log_commit when logging inode due to a new name
+
+From: Filipe Manana
+
+commit bfe3d755ef7cec71aac6ecda34a107624735aac7 upstream.
+
+When logging that a new name exists, we skip updating the inode's
+last_log_commit field to prevent a later explicit fsync against the inode
+from doing nothing (as updating last_log_commit makes btrfs_inode_in_log()
+return true). We are detecting, at btrfs_log_inode(), that logging a new
+name is happening by checking the logging mode is not LOG_INODE_EXISTS,
+but that is not enough because we may log parent directories when logging
+a new name of a file in LOG_INODE_ALL mode - we need to check that the
+logging_new_name field of the log context too.
+
+An example scenario where this results in an explicit fsync against a
+directory not persisting changes to the directory is the following:
+
+ $ mkfs.btrfs -f /dev/sdc
+ $ mount /dev/sdc /mnt
+
+ $ touch /mnt/foo
+
+ $ sync
+
+ $ mkdir /mnt/dir
+
+ # Write some data to our file and fsync it.
+ $ xfs_io -c "pwrite -S 0xab 0 64K" -c "fsync" /mnt/foo
+
+ # Add a new link to our file. Since the file was logged before, we
+ # update it in the log tree by calling btrfs_log_new_name().
+ $ ln /mnt/foo /mnt/dir/bar
+
+ # fsync the root directory - we expect it to persist the dentry for
+ # the new directory "dir".
+ $ xfs_io -c "fsync" /mnt
+
+
+
+After mounting the fs the entry for directory "dir" does not exists,
+despite the explicit fsync on the root directory.
+
+Here's why this happens:
+
+1) When we fsync the file we log the inode, so that it's present in the
+ log tree;
+
+2) When adding the new link we enter btrfs_log_new_name(), and since the
+ inode is in the log tree we proceed to updating the inode in the log
+ tree;
+
+3) We first set the inode's last_unlink_trans to the current transaction
+ (early in btrfs_log_new_name());
+
+4) We then eventually enter btrfs_log_inode_parent(), and after logging
+ the file's inode, we call btrfs_log_all_parents() because the inode's
+ last_unlink_trans matches the current transaction's ID (updated in the
+ previous step);
+
+5) So btrfs_log_all_parents() logs the root directory by calling
+ btrfs_log_inode() for the root's inode with a log mode of LOG_INODE_ALL
+ so that new dentries are logged;
+
+6) At btrfs_log_inode(), because the log mode is LOG_INODE_ALL, we
+ update root inode's last_log_commit to the last transaction that
+ changed the inode (->last_sub_trans field of the inode), which
+ corresponds to the current transaction's ID;
+
+7) Then later when user space explicitly calls fsync against the root
+ directory, we enter btrfs_sync_file(), which calls skip_inode_logging()
+ and that returns true, since its call to btrfs_inode_in_log() returns
+ true and there are no ordered extents (it's a directory, never has
+ ordered extents). This results in btrfs_sync_file() returning without
+ syncing the log or committing the current transaction, so all the
+ updates we did when logging the new name, including logging the root
+ directory, are not persisted.
+
+So fix this by but updating the inode's last_log_commit if we are sure
+we are not logging a new name (if ctx->logging_new_name is false).
+
+A test case for fstests will follow soon.
+
+Reported-by: Vyacheslav Kovalevsky
+Link: https://lore.kernel.org/linux-btrfs/03c5d7ec-5b3d-49d1-95bc-8970a7f82d87@gmail.com/
+Fixes: 130341be7ffa ("btrfs: always update the logged transaction when logging new names")
+CC: stable@vger.kernel.org # 6.1+
+Signed-off-by: Filipe Manana
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/tree-log.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -6795,7 +6795,7 @@ log_extents:
+ * a power failure unless the log was synced as part of an fsync
+ * against any other unrelated inode.
+ */
+- if (inode_only != LOG_INODE_EXISTS)
++ if (!ctx->logging_new_name && inode_only != LOG_INODE_EXISTS)
+ inode->last_log_commit = inode->last_sub_trans;
+ spin_unlock(&inode->lock);
+
diff --git a/queue-6.12/btrfs-release-root-after-error-in-data_reloc_print_warning_inode.patch b/queue-6.12/btrfs-release-root-after-error-in-data_reloc_print_warning_inode.patch
new file mode 100644
index 0000000000..c6778b10e2
--- /dev/null
+++ b/queue-6.12/btrfs-release-root-after-error-in-data_reloc_print_warning_inode.patch
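Review bot: The comment block that ends just above the changed condition is not touched by this change (the diffstat is one insertion and one deletion), so the new `!ctx->logging_new_name` term has no explanation next to it. The comment starts outside this hunk, so its full wording is not visible here, but a closing sentence would keep it in step with the code, for example `Also skip the update while logging a new name: parent directories are then logged in LOG_INODE_ALL mode, and a later explicit fsync on them must not be skipped.` Without it the next reader has to recover the reason from the commit message.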
@@ -0,0 +1,41 @@
+From c367af440e03eba7beb0c9f3fe540f9bcb69134a Mon Sep 17 00:00:00 2001
+From: Zilin Guan
+Date: Wed, 5 Nov 2025 02:37:22 +0000
+Subject: btrfs: release root after error in data_reloc_print_warning_inode()
+
+From: Zilin Guan
+
+commit c367af440e03eba7beb0c9f3fe540f9bcb69134a upstream.
+
+data_reloc_print_warning_inode() calls btrfs_get_fs_root() to obtain
+local_root, but fails to release its reference when paths_from_inode()
+returns an error. This causes a potential memory leak.
+
+Add a missing btrfs_put_root() call in the error path to properly
+decrease the reference count of local_root.
+
+Fixes: b9a9a85059cde ("btrfs: output affected files when relocation fails")
+CC: stable@vger.kernel.org # 6.6+
+Reviewed-by: Qu Wenruo
+Signed-off-by: Zilin Guan
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/inode.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -174,8 +174,10 @@ static int data_reloc_print_warning_inod
+ return ret;
+ }
+ ret = paths_from_inode(inum, ipath);
+- if (ret < 0)
++ if (ret < 0) {
++ btrfs_put_root(local_root);
+ goto err;
++ }
+
+ /*
+ * We deliberately ignore the bit ipath might have been too small to
diff --git a/queue-6.12/btrfs-scrub-put-bio-after-errors-in-scrub_raid56_parity_stripe.patch b/queue-6.12/btrfs-scrub-put-bio-after-errors-in-scrub_raid56_parity_stripe.patch
new file mode 100644
index 0000000000..ce5993ba69
--- /dev/null
+++ b/queue-6.12/btrfs-scrub-put-bio-after-errors-in-scrub_raid56_parity_stripe.patch
@@ -0,0 +1,45 @@
+From 5fea61aa1ca70c4b3738eebad9ce2d7e7938ebbd Mon Sep 17 00:00:00 2001
+From: Zilin Guan
+Date: Wed, 5 Nov 2025 03:53:21 +0000
+Subject: btrfs: scrub: put bio after errors in scrub_raid56_parity_stripe()
+
+From: Zilin Guan
+
+commit 5fea61aa1ca70c4b3738eebad9ce2d7e7938ebbd upstream.
+
+scrub_raid56_parity_stripe() allocates a bio with bio_alloc(), but
+fails to release it on some error paths, leading to a potential
+memory leak.
+
+Add the missing bio_put() calls to properly drop the bio reference
+in those error cases.
+
+Fixes: 1009254bf22a3 ("btrfs: scrub: use scrub_stripe to implement RAID56 P/Q scrub")
+CC: stable@vger.kernel.org # 6.6+
+Reviewed-by: Qu Wenruo
+Signed-off-by: Zilin Guan
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/scrub.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/scrub.c
++++ b/fs/btrfs/scrub.c
+@@ -2091,6 +2091,7 @@ static int scrub_raid56_parity_stripe(st
+ ret = btrfs_map_block(fs_info, BTRFS_MAP_WRITE, full_stripe_start,
+ &length, &bioc, NULL, NULL);
+ if (ret < 0) {
++ bio_put(bio);
+ btrfs_put_bioc(bioc);
+ btrfs_bio_counter_dec(fs_info);
+ goto out;
+@@ -2100,6 +2101,7 @@ static int scrub_raid56_parity_stripe(st
+ btrfs_put_bioc(bioc);
+ if (!rbio) {
+ ret = -ENOMEM;
++ bio_put(bio);
+ btrfs_bio_counter_dec(fs_info);
+ goto out;
+ }
diff --git a/queue-6.12/btrfs-zoned-fix-conventional-zone-capacity-calculation.patch b/queue-6.12/btrfs-zoned-fix-conventional-zone-capacity-calculation.patch
new file mode 100644
index 0000000000..07c3e4c917
--- /dev/null
+++ b/queue-6.12/btrfs-zoned-fix-conventional-zone-capacity-calculation.patch
@@ -0,0 +1,50 @@
+From 94f54924b96d3565c6b559294b3401b5496c21ac Mon Sep 17 00:00:00 2001
+From: Naohiro Aota
+Date: Fri, 12 Sep 2025 15:43:21 +0900
+Subject: btrfs: zoned: fix conventional zone capacity calculation
+
+From: Naohiro Aota
+
+commit 94f54924b96d3565c6b559294b3401b5496c21ac upstream.
+
+When a block group contains both conventional zone and sequential zone, the
+capacity of the block group is wrongly set to the block group's full
+length. The capacity should be calculated in btrfs_load_block_group_* using
+the last allocation offset.
+
+Fixes: 568220fa9657 ("btrfs: zoned: support RAID0/1/10 on top of raid stripe tree")
+CC: stable@vger.kernel.org # v6.12+
+Signed-off-by: Naohiro Aota
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/zoned.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/zoned.c
++++ b/fs/btrfs/zoned.c
+@@ -1300,6 +1300,7 @@ static int btrfs_load_zone_info(struct b
+ if (!btrfs_dev_is_sequential(device, info->physical)) {
+ up_read(&dev_replace->rwsem);
+ info->alloc_offset = WP_CONVENTIONAL;
++ info->capacity = device->zone_info->zone_size;
+ return 0;
+ }
+
+@@ -1598,8 +1599,6 @@ int btrfs_load_block_group_zone_info(str
+ set_bit(BLOCK_GROUP_FLAG_SEQUENTIAL_ZONE, &cache->runtime_flags);
+
+ if (num_conventional > 0) {
+- /* Zone capacity is always zone size in emulation */
+- cache->zone_capacity = cache->length;
+ ret = calculate_alloc_pointer(cache, &last_alloc, new);
+ if (ret) {
+ btrfs_err(fs_info,
+@@ -1608,6 +1607,7 @@ int btrfs_load_block_group_zone_info(str
+ goto out;
+ } else if (map->num_stripes == num_conventional) {
+ cache->alloc_offset = last_alloc;
++ cache->zone_capacity = cache->length;
+ set_bit(BLOCK_GROUP_FLAG_ZONE_IS_ACTIVE, &cache->runtime_flags);
+ goto out;
+ }
diff --git a/queue-6.12/cifs-client-fix-memory-leak-in-smb3_fs_context_parse_param.patch b/queue-6.12/cifs-client-fix-memory-leak-in-smb3_fs_context_parse_param.patch
new file mode 100644
index 0000000000..1236525a54
--- /dev/null
+++ b/queue-6.12/cifs-client-fix-memory-leak-in-smb3_fs_context_parse_param.patch
@@ -0,0 +1,58 @@
+From e8c73eb7db0a498cd4b22d2819e6ab1a6f506bd6 Mon Sep 17 00:00:00 2001
+From: Edward Adam Davis
+Date: Fri, 7 Nov 2025 22:01:39 +0800
+Subject: cifs: client: fix memory leak in smb3_fs_context_parse_param
+
+From: Edward Adam Davis
+
+commit e8c73eb7db0a498cd4b22d2819e6ab1a6f506bd6 upstream.
+
+The user calls fsconfig twice, but when the program exits, free() only
+frees ctx->source for the second fsconfig, not the first.
+Regarding fc->source, there is no code in the fs context related to its
+memory reclamation.
+
+To fix this memory leak, release the source memory corresponding to ctx
+or fc before each parsing.
+
+syzbot reported:
+BUG: memory leak
+unreferenced object 0xffff888128afa360 (size 96):
+ backtrace (crc 79c9c7ba):
+ kstrdup+0x3c/0x80 mm/util.c:84
+ smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444
+
+BUG: memory leak
+unreferenced object 0xffff888112c7d900 (size 96):
+ backtrace (crc 79c9c7ba):
+ smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629
+ smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438
+
+Reported-by: syzbot+72afd4c236e6bc3f4bac@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=72afd4c236e6bc3f4bac
+Cc: stable@vger.kernel.org
+Reviewed-by: Paulo Alcantara (Red Hat)
+Signed-off-by: Edward Adam Davis
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/fs_context.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -1380,12 +1380,14 @@ static int smb3_fs_context_parse_param(s
+ cifs_errorf(fc, "Unknown error parsing devname\n");
+ goto cifs_parse_mount_err;
+ }
++ kfree(ctx->source);
+ ctx->source = smb3_fs_context_fullpath(ctx, '/');
+ if (IS_ERR(ctx->source)) {
+ ctx->source = NULL;
+ cifs_errorf(fc, "OOM when copying UNC string\n");
+ goto cifs_parse_mount_err;
+ }
++ kfree(fc->source);
+ fc->source = kstrdup(ctx->source, GFP_KERNEL);
+ if (fc->source == NULL) {
+ cifs_errorf(fc, "OOM when copying UNC string\n");
diff --git a/queue-6.12/codetag-debug-handle-existing-codetag_empty-in-mark_objexts_empty-for-slabobj_ext.patch b/queue-6.12/codetag-debug-handle-existing-codetag_empty-in-mark_objexts_empty-for-slabobj_ext.patch
new file mode 100644
index 0000000000..146f27b0fd
--- /dev/null
+++ b/queue-6.12/codetag-debug-handle-existing-codetag_empty-in-mark_objexts_empty-for-slabobj_ext.patch
@@ -0,0 +1,146 @@ +From 1abbdf3d57aa964e572940d67c9ec5dc87710738 Mon Sep 17 00:00:00 2001 +From: Hao Ge +Date: Wed, 29 Oct 2025 09:43:17 +0800 +Subject: codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hao Ge + +commit 1abbdf3d57aa964e572940d67c9ec5dc87710738 upstream. + +When alloc_slab_obj_exts() fails and then later succeeds in allocating a +slab extension vector, it calls handle_failed_objexts_alloc() to mark all +objects in the vector as empty. As a result all objects in this slab +(slabA) will have their extensions set to CODETAG_EMPTY. + +Later on if this slabA is used to allocate a slabobj_ext vector for +another slab (slabB), we end up with the slabB->obj_exts pointing to a +slabobj_ext vector that itself has a non-NULL slabobj_ext equal to +CODETAG_EMPTY. When slabB gets freed, free_slab_obj_exts() is called to +free slabB->obj_exts vector. + +free_slab_obj_exts() calls mark_objexts_empty(slabB->obj_exts) which will +generate a warning because it expects slabobj_ext vectors to have a NULL +obj_ext, not CODETAG_EMPTY. + +Modify mark_objexts_empty() to skip the warning and setting the obj_ext +value if it's already set to CODETAG_EMPTY. + + +To quickly detect this WARN, I modified the code from +WARN_ON(slab_exts[offs].ref.ct) to BUG_ON(slab_exts[offs].ref.ct == 1); + +We then obtained this message: + +[21630.898561] ------------[ cut here ]------------ +[21630.898596] kernel BUG at mm/slub.c:2050! 
+[21630.898611] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP +[21630.900372] Modules linked in: squashfs isofs vfio_iommu_type1 +vhost_vsock vfio vhost_net vmw_vsock_virtio_transport_common vhost tap +vhost_iotlb iommufd vsock binfmt_misc nfsv3 nfs_acl nfs lockd grace +netfs tls rds dns_resolver tun brd overlay ntfs3 exfat btrfs +blake2b_generic xor xor_neon raid6_pq loop sctp ip6_udp_tunnel +udp_tunnel nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib +nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct +nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 +nf_tables rfkill ip_set sunrpc vfat fat joydev sg sch_fq_codel nfnetlink +virtio_gpu sr_mod cdrom drm_client_lib virtio_dma_buf drm_shmem_helper +drm_kms_helper drm ghash_ce backlight virtio_net virtio_blk virtio_scsi +net_failover virtio_console failover virtio_mmio dm_mirror +dm_region_hash dm_log dm_multipath dm_mod fuse i2c_dev virtio_pci +virtio_pci_legacy_dev virtio_pci_modern_dev virtio virtio_ring autofs4 +aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject] +[21630.909177] CPU: 3 UID: 0 PID: 3787 Comm: kylin-process-m Kdump: +loaded Tainted: G        W           6.18.0-rc1+ #74 PREEMPT(voluntary) +[21630.910495] Tainted: [W]=WARN +[21630.910867] Hardware name: QEMU KVM Virtual Machine, BIOS unknown +2/2/2022 +[21630.911625] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS +BTYPE=--) +[21630.912392] pc : __free_slab+0x228/0x250 +[21630.912868] lr : __free_slab+0x18c/0x250[21630.913334] sp : +ffff8000a02f73e0 +[21630.913830] x29: ffff8000a02f73e0 x28: fffffdffc43fc800 x27: +ffff0000c0011c40 +[21630.914677] x26: ffff0000c000cac0 x25: ffff00010fe5e5f0 x24: +ffff000102199b40 +[21630.915469] x23: 0000000000000003 x22: 0000000000000003 x21: +ffff0000c0011c40 +[21630.916259] x20: fffffdffc4086600 x19: fffffdffc43fc800 x18: +0000000000000000 +[21630.917048] x17: 0000000000000000 x16: 0000000000000000 x15: +0000000000000000 +[21630.917837] x14: 0000000000000000 x13: 
0000000000000000 x12: +ffff70001405ee66 +[21630.918640] x11: 1ffff0001405ee65 x10: ffff70001405ee65 x9 : +ffff800080a295dc +[21630.919442] x8 : ffff8000a02f7330 x7 : 0000000000000000 x6 : +0000000000003000 +[21630.920232] x5 : 0000000024924925 x4 : 0000000000000001 x3 : +0000000000000007 +[21630.921021] x2 : 0000000000001b40 x1 : 000000000000001f x0 : +0000000000000001 +[21630.921810] Call trace: +[21630.922130]  __free_slab+0x228/0x250 (P) +[21630.922669]  free_slab+0x38/0x118 +[21630.923079]  free_to_partial_list+0x1d4/0x340 +[21630.923591]  __slab_free+0x24c/0x348 +[21630.924024]  ___cache_free+0xf0/0x110 +[21630.924468]  qlist_free_all+0x78/0x130 +[21630.924922]  kasan_quarantine_reduce+0x114/0x148 +[21630.925525]  __kasan_slab_alloc+0x7c/0xb0 +[21630.926006]  kmem_cache_alloc_noprof+0x164/0x5c8 +[21630.926699]  __alloc_object+0x44/0x1f8 +[21630.927153]  __create_object+0x34/0xc8 +[21630.927604]  kmemleak_alloc+0xb8/0xd8 +[21630.928052]  kmem_cache_alloc_noprof+0x368/0x5c8 +[21630.928606]  getname_flags.part.0+0xa4/0x610 +[21630.929112]  getname_flags+0x80/0xd8 +[21630.929557]  vfs_fstatat+0xc8/0xe0 +[21630.929975]  __do_sys_newfstatat+0xa0/0x100 +[21630.930469]  __arm64_sys_newfstatat+0x90/0xd8 +[21630.931046]  invoke_syscall+0xd4/0x258 +[21630.931685]  el0_svc_common.constprop.0+0xb4/0x240 +[21630.932467]  do_el0_svc+0x48/0x68 +[21630.932972]  el0_svc+0x40/0xe0 +[21630.933472]  el0t_64_sync_handler+0xa0/0xe8 +[21630.934151]  el0t_64_sync+0x1ac/0x1b0 +[21630.934923] Code: aa1803e0 97ffef2b a9446bf9 17ffff9c (d4210000) +[21630.936461] SMP: stopping secondary CPUs +[21630.939550] Starting crashdump kernel... +[21630.940108] Bye! 
+ +Link: https://lkml.kernel.org/r/20251029014317.1533488-1-hao.ge@linux.dev +Fixes: 09c46563ff6d ("codetag: debug: introduce OBJEXTS_ALLOC_FAIL to mark failed slab_ext allocations") +Signed-off-by: Hao Ge +Reviewed-by: Suren Baghdasaryan +Cc: Christoph Lameter (Ampere) +Cc: David Rientjes +Cc: gehao +Cc: Roman Gushchin +Cc: Shakeel Butt +Cc: Vlastimil Babka +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/slub.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -1935,7 +1935,11 @@ static inline void mark_objexts_empty(st + if (slab_exts) { + unsigned int offs = obj_to_index(obj_exts_slab->slab_cache, + obj_exts_slab, obj_exts); +- /* codetag should be NULL */ ++ ++ if (unlikely(is_codetag_empty(&slab_exts[offs].ref))) ++ return; ++ ++ /* codetag should be NULL here */ + WARN_ON(slab_exts[offs].ref.ct); + set_codetag_empty(&slab_exts[offs].ref); + } diff --git a/queue-6.12/crash-fix-crashkernel-resource-shrink.patch b/queue-6.12/crash-fix-crashkernel-resource-shrink.patch new file mode 100644 index 0000000000..697084b6bd --- /dev/null +++ b/queue-6.12/crash-fix-crashkernel-resource-shrink.patch 
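Review bot: The new early return in mark_objexts_empty() carries no comment saying why a tag that is already CODETAG_EMPTY is legitimate at this point, and the retained `/* codetag should be NULL here */` reads as if the opposite were always true. The reason is given only in the commit message, so I would put it above the check: `/* The vector may live in a slab whose objects were all marked CODETAG_EMPTY after an earlier failed obj_exts allocation; nothing to do then. */`. The function's opening lines are outside this hunk, so this is judged from the visible body only.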
@@ -0,0 +1,84 @@
+From 00fbff75c5acb4755f06f08bd1071879c63940c5 Mon Sep 17 00:00:00 2001
+From: Sourabh Jain
+Date: Sun, 2 Nov 2025 01:07:41 +0530
+Subject: crash: fix crashkernel resource shrink
+
+From: Sourabh Jain
+
+commit 00fbff75c5acb4755f06f08bd1071879c63940c5 upstream.
+
+When crashkernel is configured with a high reservation, shrinking its
+value below the low crashkernel reservation causes two issues:
+
+1. Invalid crashkernel resource objects
+2. Kernel crash if crashkernel shrinking is done twice
+
+For example, with crashkernel=200M,high, the kernel reserves 200MB of high
+memory and some default low memory (say 256MB). The reservation appears
+as:
+
+cat /proc/iomem | grep -i crash
+af000000-beffffff : Crash kernel
+433000000-43f7fffff : Crash kernel
+
+If crashkernel is then shrunk to 50MB (echo 52428800 >
+/sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved:
+af000000-beffffff : Crash kernel
+
+Instead, it should show 50MB:
+af000000-b21fffff : Crash kernel
+
+Further shrinking crashkernel to 40MB causes a kernel crash with the
+following trace (x86):
+
+BUG: kernel NULL pointer dereference, address: 0000000000000038
+PGD 0 P4D 0
+Oops: 0000 [#1] PREEMPT SMP NOPTI
+
+Call Trace:
+? __die_body.cold+0x19/0x27
+? page_fault_oops+0x15a/0x2f0
+? search_module_extables+0x19/0x60
+? search_bpf_extables+0x5f/0x80
+? exc_page_fault+0x7e/0x180
+? asm_exc_page_fault+0x26/0x30
+? __release_resource+0xd/0xb0
+release_resource+0x26/0x40
+__crash_shrink_memory+0xe5/0x110
+crash_shrink_memory+0x12a/0x190
+kexec_crash_size_store+0x41/0x80
+kernfs_fop_write_iter+0x141/0x1f0
+vfs_write+0x294/0x460
+ksys_write+0x6d/0xf0
+
+
+This happens because __crash_shrink_memory()/kernel/crash_core.c
+incorrectly updates the crashk_res resource object even when
+crashk_low_res should be updated.
+
+Fix this by ensuring the correct crashkernel resource object is updated
+when shrinking crashkernel memory.
+
+Link: https://lkml.kernel.org/r/20251101193741.289252-1-sourabhjain@linux.ibm.com
+Fixes: 16c6006af4d4 ("kexec: enable kexec_crash_size to support two crash kernel regions")
+Signed-off-by: Sourabh Jain
+Acked-by: Baoquan He
+Cc: Zhen Lei
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/crash_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/crash_core.c
++++ b/kernel/crash_core.c
+@@ -352,7 +352,7 @@ static int __crash_shrink_memory(struct
+ old_res->start = 0;
+ old_res->end = 0;
+ } else {
+- crashk_res.end = ram_res->start - 1;
++ old_res->end = ram_res->start - 1;
+ }
+
+ crash_free_reserved_phys_range(ram_res->start, ram_res->end);
diff --git a/queue-6.12/crypto-hisilicon-qm-fix-device-reference-leak-in-qm_get_qos_value.patch b/queue-6.12/crypto-hisilicon-qm-fix-device-reference-leak-in-qm_get_qos_value.patch
new file mode 100644
index 0000000000..2bb516c7fb
--- /dev/null
+++ b/queue-6.12/crypto-hisilicon-qm-fix-device-reference-leak-in-qm_get_qos_value.patch
@@ -0,0 +1,43 @@
+From 59b0afd01b2ce353ab422ea9c8375b03db313a21 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin
+Date: Mon, 27 Oct 2025 23:09:34 +0800
+Subject: crypto: hisilicon/qm - Fix device reference leak in qm_get_qos_value
+
+From: Miaoqian Lin
+
+commit 59b0afd01b2ce353ab422ea9c8375b03db313a21 upstream.
+
+The qm_get_qos_value() function calls bus_find_device_by_name() which
+increases the device reference count, but fails to call put_device()
+to balance the reference count and lead to a device reference leak.
+
+Add put_device() calls in both the error path and success path to
+properly balance the reference count.
+
+Found via static analysis.
+
+Fixes: 22d7a6c39cab ("crypto: hisilicon/qm - add pci bdf number check")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin
+Reviewed-by: Longfang Liu
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/hisilicon/qm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/crypto/hisilicon/qm.c
++++ b/drivers/crypto/hisilicon/qm.c
+@@ -3688,10 +3688,12 @@ static ssize_t qm_get_qos_value(struct h
+ pdev = container_of(dev, struct pci_dev, dev);
+ if (pci_physfn(pdev) != qm->pdev) {
+ pci_err(qm->pdev, "the pdev input does not match the pf!\n");
++ put_device(dev);
+ return -EINVAL;
+ }
+
+ *fun_index = pdev->devfn;
++ put_device(dev);
+
+ return 0;
+ }
diff --git a/queue-6.12/drm-amdgpu-disable-peer-to-peer-access-for-dcc-enabled-gc12-vram-surfaces.patch b/queue-6.12/drm-amdgpu-disable-peer-to-peer-access-for-dcc-enabled-gc12-vram-surfaces.patch
new file mode 100644
index 0000000000..55075e72bb
--- /dev/null
+++ b/queue-6.12/drm-amdgpu-disable-peer-to-peer-access-for-dcc-enabled-gc12-vram-surfaces.patch
@@ -0,0 +1,67 @@
+From 22a36e660d014925114feb09a2680bb3c2d1e279 Mon Sep 17 00:00:00 2001
+From: Vitaly Prosyak
+Date: Thu, 6 Nov 2025 12:35:53 -0500
+Subject: drm/amdgpu: disable peer-to-peer access for DCC-enabled GC12 VRAM surfaces
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vitaly Prosyak
+
+commit 22a36e660d014925114feb09a2680bb3c2d1e279 upstream.
+
+Certain multi-GPU configurations (especially GFX12) may hit
+data corruption when a DCC-compressed VRAM surface is shared across GPUs
+using peer-to-peer (P2P) DMA transfers.
+
+Such surfaces rely on device-local metadata and cannot be safely accessed
+through a remote GPU’s page tables. Attempting to import a DCC-enabled
+surface through P2P leads to incorrect rendering or GPU faults.
+
+This change disables P2P for DCC-enabled VRAM buffers that are contiguous
+and allocated on GFX12+ hardware. In these cases, the importer falls back
+to the standard system-memory path, avoiding invalid access to compressed
+surfaces.
+
+Future work could consider optional migration (VRAM→System→VRAM) if a
+performance regression is observed when `attach->peer2peer = false`.
+
+Tested on:
+ - Dual RX 9700 XT (Navi4x) setup
+ - GNOME and Wayland compositor scenarios
+ - Confirmed no corruption after disabling P2P under these conditions
+v2: Remove check TTM_PL_VRAM & TTM_PL_FLAG_CONTIGUOUS.
+v3: simplify for upsteam and fix ip version check (Alex)
+
+Suggested-by: Christian König
+Signed-off-by: Vitaly Prosyak
+Reviewed-by: Christian König
+Signed-off-by: Alex Deucher
+(cherry picked from commit 9dff2bb709e6fbd97e263fd12bf12802d2b5a0cf)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
+@@ -81,6 +81,18 @@ static int amdgpu_dma_buf_attach(struct
+ struct amdgpu_bo *bo = gem_to_amdgpu_bo(obj);
+ struct amdgpu_device *adev = amdgpu_ttm_adev(bo->tbo.bdev);
+
++ /*
++ * Disable peer-to-peer access for DCC-enabled VRAM surfaces on GFX12+.
++ * Such buffers cannot be safely accessed over P2P due to device-local
++ * compression metadata. Fallback to system-memory path instead.
++ * Device supports GFX12 (GC 12.x or newer)
++ * BO was created with the AMDGPU_GEM_CREATE_GFX12_DCC flag
++ *
++ */
++ if (amdgpu_ip_version(adev, GC_HWIP, 0) >= IP_VERSION(12, 0, 0) &&
++ bo->flags & AMDGPU_GEM_CREATE_GFX12_DCC)
++ attach->peer2peer = false;
++
+ if (!amdgpu_dmabuf_is_xgmi_accessible(attach_adev, bo) &&
+ pci_p2pdma_distance(adev->pdev, attach->dev, false) < 0)
+ attach->peer2peer = false;
diff --git a/queue-6.12/drm-amdkfd-relax-checks-for-over-allocation-of-save-area.patch b/queue-6.12/drm-amdkfd-relax-checks-for-over-allocation-of-save-area.patch
new file mode 100644
index 0000000000..234b77f7d4
--- /dev/null
+++ b/queue-6.12/drm-amdkfd-relax-checks-for-over-allocation-of-save-area.patch
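Review bot: The added comment in amdgpu_dma_buf_attach() ends in two sentence fragments and an empty ` *` line, and it does not say that both conditions must hold; the tail would read better as `Applies when the device is GC 12.x or newer and the BO was created with AMDGPU_GEM_CREATE_GFX12_DCC.` In the condition itself, `bo->flags & AMDGPU_GEM_CREATE_GFX12_DCC` is correct by precedence but sits bare next to `&&`; writing `(bo->flags & AMDGPU_GEM_CREATE_GFX12_DCC)` removes the need to check. The description still speaks of contiguous VRAM buffers while the visible code tests only the IP version and the flag (v2 records dropping the placement check), so the comment is the place to state what is actually tested.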
@@ -0,0 +1,59 @@
+From d15deafab5d722afb9e2f83c5edcdef9d9d98bd1 Mon Sep 17 00:00:00 2001
+From: Jonathan Kim
+Date: Thu, 6 Nov 2025 10:17:06 -0500
+Subject: drm/amdkfd: relax checks for over allocation of save area
+
+From: Jonathan Kim
+
+commit d15deafab5d722afb9e2f83c5edcdef9d9d98bd1 upstream.
+
+Over allocation of save area is not fatal, only under allocation is.
+ROCm has various components that independently claim authority over save
+area size.
+
+Unless KFD decides to claim single authority, relax size checks.
+
+Signed-off-by: Jonathan Kim
+Reviewed-by: Philip Yang
+Signed-off-by: Alex Deucher
+(cherry picked from commit 15bd4958fe38e763bc17b607ba55155254a01f55)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_queue.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_queue.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_queue.c
+@@ -297,16 +297,16 @@ int kfd_queue_acquire_buffers(struct kfd
+ goto out_err_unreserve;
+ }
+
+- if (properties->ctx_save_restore_area_size != topo_dev->node_props.cwsr_size) {
+- pr_debug("queue cwsr size 0x%x not equal to node cwsr size 0x%x\n",
++ if (properties->ctx_save_restore_area_size < topo_dev->node_props.cwsr_size) {
++ pr_debug("queue cwsr size 0x%x not sufficient for node cwsr size 0x%x\n",
+ properties->ctx_save_restore_area_size,
+ topo_dev->node_props.cwsr_size);
+ err = -EINVAL;
+ goto out_err_unreserve;
+ }
+
+- total_cwsr_size = (topo_dev->node_props.cwsr_size + topo_dev->node_props.debug_memory_size)
+- * NUM_XCC(pdd->dev->xcc_mask);
++ total_cwsr_size = (properties->ctx_save_restore_area_size +
++ topo_dev->node_props.debug_memory_size) * NUM_XCC(pdd->dev->xcc_mask);
+ total_cwsr_size = ALIGN(total_cwsr_size, PAGE_SIZE);
+
+ err = kfd_queue_buffer_get(vm, (void *)properties->ctx_save_restore_area_address,
+@@ -352,8 +352,8 @@ int kfd_queue_release_buffers(struct kfd
+ topo_dev = kfd_topology_device_by_id(pdd->dev->id);
+ if (!topo_dev)
+ return -EINVAL;
+- total_cwsr_size = (topo_dev->node_props.cwsr_size + topo_dev->node_props.debug_memory_size)
+- * NUM_XCC(pdd->dev->xcc_mask);
++ total_cwsr_size = (properties->ctx_save_restore_area_size +
++ topo_dev->node_props.debug_memory_size) * NUM_XCC(pdd->dev->xcc_mask);
+ total_cwsr_size = ALIGN(total_cwsr_size, PAGE_SIZE);
+
+ kfd_queue_buffer_svm_put(pdd, properties->ctx_save_restore_area_address, total_cwsr_size);
diff --git a/queue-6.12/edac-altera-handle-ocram-ecc-enable-after-warm-reset.patch b/queue-6.12/edac-altera-handle-ocram-ecc-enable-after-warm-reset.patch
new file mode 100644
index 0000000000..d6d29adbc3
--- /dev/null
+++ b/queue-6.12/edac-altera-handle-ocram-ecc-enable-after-warm-reset.patch
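Review bot: total_cwsr_size is now derived from `properties->ctx_save_restore_area_size`, which the new check bounds only from below, so the addition and the multiplication by NUM_XCC() have no upper limit in kfd_queue_acquire_buffers() or in the matching line of kfd_queue_release_buffers(). If that field is supplied by the queue creator (the commit message says several ROCm components set it) and total_cwsr_size is a 32-bit variable (its declaration is outside the hunk), a large value can wrap, and the range checked by kfd_queue_buffer_get() would then be smaller than the save area the queue declares. Consider computing the size with `check_add_overflow()` and `check_mul_overflow()` from `<linux/overflow.h>` and returning -EINVAL on overflow, or rejecting sizes above a sane multiple of `cwsr_size`. Both functions continue outside the hunk.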
@@ -0,0 +1,55 @@
+From fd3ecda38fe0cb713d167b5477d25f6b350f0514 Mon Sep 17 00:00:00 2001
+From: Niravkumar L Rabara
+Date: Tue, 11 Nov 2025 16:08:01 +0800
+Subject: EDAC/altera: Handle OCRAM ECC enable after warm reset
+
+From: Niravkumar L Rabara
+
+commit fd3ecda38fe0cb713d167b5477d25f6b350f0514 upstream.
+
+The OCRAM ECC is always enabled either by the BootROM or by the Secure Device
+Manager (SDM) during a power-on reset on SoCFPGA.
+
+However, during a warm reset, the OCRAM content is retained to preserve data,
+while the control and status registers are reset to their default values. As
+a result, ECC must be explicitly re-enabled after a warm reset.
+
+Fixes: 17e47dc6db4f ("EDAC/altera: Add Stratix10 OCRAM ECC support")
+Signed-off-by: Niravkumar L Rabara
+Signed-off-by: Borislav Petkov (AMD)
+Acked-by: Dinh Nguyen
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251111080801.1279401-1-niravkumarlaxmidas.rabara@altera.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/edac/altera_edac.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/drivers/edac/altera_edac.c
++++ b/drivers/edac/altera_edac.c
+@@ -1184,10 +1184,22 @@ altr_check_ocram_deps_init(struct altr_e
+ if (ret)
+ return ret;
+
+- /* Verify OCRAM has been initialized */
++ /*
++ * Verify that OCRAM has been initialized.
++ * During a warm reset, OCRAM contents are retained, but the control
++ * and status registers are reset to their default values. Therefore,
++ * ECC must be explicitly re-enabled in the control register.
++ * Error condition: if INITCOMPLETEA is clear and ECC_EN is already set.
++ */
+ if (!ecc_test_bits(ALTR_A10_ECC_INITCOMPLETEA,
+- (base + ALTR_A10_ECC_INITSTAT_OFST)))
+- return -ENODEV;
++ (base + ALTR_A10_ECC_INITSTAT_OFST))) {
++ if (!ecc_test_bits(ALTR_A10_ECC_EN,
++ (base + ALTR_A10_ECC_CTRL_OFST)))
++ ecc_set_bits(ALTR_A10_ECC_EN,
++ (base + ALTR_A10_ECC_CTRL_OFST));
++ else
++ return -ENODEV;
++ }
+
+ /* Enable IRQ on Single Bit Error */
+ writel(ALTR_A10_ECC_SERRINTEN, (base + ALTR_A10_ECC_ERRINTENS_OFST));
diff --git a/queue-6.12/edac-altera-use-inttest-register-for-ethernet-and-usb-sbe-injection.patch b/queue-6.12/edac-altera-use-inttest-register-for-ethernet-and-usb-sbe-injection.patch
new file mode 100644
index 0000000000..474b5c9727
--- /dev/null
+++ b/queue-6.12/edac-altera-use-inttest-register-for-ethernet-and-usb-sbe-injection.patch
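Review bot: The nested `if`/`else` added under the INITCOMPLETEA test has multi-line bodies without braces and puts the error case last, which makes the failure path easy to misread. An early return is simpler to audit: `if (ecc_test_bits(ALTR_A10_ECC_EN, (base + ALTR_A10_ECC_CTRL_OFST))) return -ENODEV;` followed by an unconditional `ecc_set_bits(ALTR_A10_ECC_EN, (base + ALTR_A10_ECC_CTRL_OFST));`. The comment's last line would be clearer as "Fail only if INITCOMPLETEA is clear while ECC_EN is already set; otherwise treat it as a warm reset and re-enable ECC". After the enable, control falls through to the IRQ setup without re-reading INITCOMPLETEA; that looks intentional given the warm-reset description, but the comment should state it. The function starts and ends outside the hunk.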
@@ -0,0 +1,49 @@
+From 281326be67252ac5794d1383f67526606b1d6b13 Mon Sep 17 00:00:00 2001
+From: Niravkumar L Rabara
+Date: Tue, 11 Nov 2025 16:13:33 +0800
+Subject: EDAC/altera: Use INTTEST register for Ethernet and USB SBE injection
+
+From: Niravkumar L Rabara
+
+commit 281326be67252ac5794d1383f67526606b1d6b13 upstream.
+
+The current single-bit error injection mechanism flips bits directly in ECC RAM
+by performing write and read operations. When the ECC RAM is actively used by
+the Ethernet or USB controller, this approach sometimes trigger a false
+double-bit error.
+
+Switch both Ethernet and USB EDAC devices to use the INTTEST register
+(altr_edac_a10_device_inject_fops) for single-bit error injection, similar to
+the existing double-bit error injection method.
+
+Fixes: 064acbd4f4ab ("EDAC, altera: Add Stratix10 peripheral support")
+Signed-off-by: Niravkumar L Rabara
+Signed-off-by: Borislav Petkov (AMD)
+Acked-by: Dinh Nguyen
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251111081333.1279635-1-niravkumarlaxmidas.rabara@altera.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/edac/altera_edac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/edac/altera_edac.c
++++ b/drivers/edac/altera_edac.c
+@@ -1369,7 +1369,7 @@ static const struct edac_device_prv_data
+ .ue_set_mask = ALTR_A10_ECC_TDERRA,
+ .set_err_ofst = ALTR_A10_ECC_INTTEST_OFST,
+ .ecc_irq_handler = altr_edac_a10_ecc_irq,
+- .inject_fops = &altr_edac_a10_device_inject2_fops,
++ .inject_fops = &altr_edac_a10_device_inject_fops,
+ };
+
+ #endif /* CONFIG_EDAC_ALTERA_ETHERNET */
+@@ -1459,7 +1459,7 @@ static const struct edac_device_prv_data
+ .ue_set_mask = ALTR_A10_ECC_TDERRA,
+ .set_err_ofst = ALTR_A10_ECC_INTTEST_OFST,
+ .ecc_irq_handler = altr_edac_a10_ecc_irq,
+- .inject_fops = &altr_edac_a10_device_inject2_fops,
++ .inject_fops = &altr_edac_a10_device_inject_fops,
+ };
+
+ #endif /* CONFIG_EDAC_ALTERA_USB */
diff --git a/queue-6.12/fs-proc-fix-uaf-in-proc_readdir_de.patch b/queue-6.12/fs-proc-fix-uaf-in-proc_readdir_de.patch
new file mode 100644
index 0000000000..7e70ec5366
--- /dev/null
+++ b/queue-6.12/fs-proc-fix-uaf-in-proc_readdir_de.patch
@@ -0,0 +1,105 @@
+From 895b4c0c79b092d732544011c3cecaf7322c36a1 Mon Sep 17 00:00:00 2001
+From: Wei Yang
+Date: Sat, 25 Oct 2025 10:42:33 +0800
+Subject: fs/proc: fix uaf in proc_readdir_de()
+
+From: Wei Yang
+
+commit 895b4c0c79b092d732544011c3cecaf7322c36a1 upstream.
+
+Pde is erased from subdir rbtree through rb_erase(), but not set the node
+to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE()
+set the erased node to EMPTY, then pde_subdir_next() will return NULL to
+avoid uaf access.
+
+We found an uaf issue while using stress-ng testing, need to run testcase
+getdent and tun in the same time. The steps of the issue is as follows:
+
+1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current
+ pde is tun3;
+
+2) in the [time windows] unregister netdevice tun3 and tun2, and erase
+ them from rbtree. erase tun3 first, and then erase tun2. the
+ pde(tun2) will be released to slab;
+
+3) continue to getdent process, then pde_subdir_next() will return
+ pde(tun2) which is released, it will case uaf access.
+
+CPU 0 | CPU 1
+-------------------------------------------------------------------------
+traverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun->dev) //tun3 tun2
+sys_getdents64() |
+ iterate_dir() |
+ proc_readdir() |
+ proc_readdir_de() | snmp6_unregister_dev()
+ pde_get(de); | proc_remove()
+ read_unlock(&proc_subdir_lock); | remove_proc_subtree()
+ | write_lock(&proc_subdir_lock);
+ [time window] | rb_erase(&root->subdir_node, &parent->subdir);
+ | write_unlock(&proc_subdir_lock);
+ read_lock(&proc_subdir_lock); |
+ next = pde_subdir_next(de); |
+ pde_put(de); |
+ de = next; //UAF |
+
+rbtree of dev_snmp6
+ |
+ pde(tun3)
+ / \
+ NULL pde(tun2)
+
+Link: https://lkml.kernel.org/r/20251025024233.158363-1-albin_yang@163.com
+Signed-off-by: Wei Yang
+Cc: Al Viro
+Cc: Christian Brauner
+Cc: wangzijie
+Cc: Alexey Dobriyan
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/proc/generic.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/fs/proc/generic.c
++++ b/fs/proc/generic.c
+@@ -694,6 +694,12 @@ void pde_put(struct proc_dir_entry *pde)
+ }
+ }
+
++static void pde_erase(struct proc_dir_entry *pde, struct proc_dir_entry *parent)
++{
++ rb_erase(&pde->subdir_node, &parent->subdir);
++ RB_CLEAR_NODE(&pde->subdir_node);
++}
++
+ /*
+ * Remove a /proc entry and free it if it's not currently in use.
+ */
+@@ -716,7 +722,7 @@ void remove_proc_entry(const char *name,
+ WARN(1, "removing permanent /proc entry '%s'", de->name);
+ de = NULL;
+ } else {
+- rb_erase(&de->subdir_node, &parent->subdir);
++ pde_erase(de, parent);
+ if (S_ISDIR(de->mode))
+ parent->nlink--;
+ }
+@@ -760,7 +766,7 @@ int remove_proc_subtree(const char *name
+ root->parent->name, root->name);
+ return -EINVAL;
+ }
+- rb_erase(&root->subdir_node, &parent->subdir);
++ pde_erase(root, parent);
+
+ de = root;
+ while (1) {
+@@ -772,7 +778,7 @@ int remove_proc_subtree(const char *name
+ next->parent->name, next->name);
+ return -EINVAL;
+ }
+- rb_erase(&next->subdir_node, &de->subdir);
++ pde_erase(next, de);
+ de = next;
+ continue;
+ }
diff --git a/queue-6.12/ftrace-fix-bpf-fexit-with-livepatch.patch b/queue-6.12/ftrace-fix-bpf-fexit-with-livepatch.patch
new file mode 100644
index 0000000000..c26646d621
--- /dev/null
+++ b/queue-6.12/ftrace-fix-bpf-fexit-with-livepatch.patch
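Review bot: pde_erase() carries the whole use-after-free fix but has no comment saying why the node is cleared or which lock it needs, so a later cleanup could drop the `RB_CLEAR_NODE()` call as redundant. Suggest a header such as `/* Unlink @pde from @parent's subdir tree and mark the node empty so a reader that still holds a reference gets NULL from pde_subdir_next(); caller holds proc_subdir_lock for writing. */`. The locking statement is inferred from the call trace in the commit message, because the call sites take the lock outside these hunks; confirm it before adding the comment or a `lockdep_assert_held_write(&proc_subdir_lock);`. Any later rb_erase() on `subdir_node` that bypasses this helper would bring back the stale-pointer walk, which is worth noting in the comment too.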
@@ -0,0 +1,111 @@
+From 56b3c85e153b84f27e6cff39623ba40a1ad299d3 Mon Sep 17 00:00:00 2001
+From: Song Liu
+Date: Mon, 27 Oct 2025 10:50:21 -0700
+Subject: ftrace: Fix BPF fexit with livepatch
+
+From: Song Liu
+
+commit 56b3c85e153b84f27e6cff39623ba40a1ad299d3 upstream.
+
+When livepatch is attached to the same function as bpf trampoline with
+a fexit program, bpf trampoline code calls register_ftrace_direct()
+twice. The first time will fail with -EAGAIN, and the second time it
+will succeed. This requires register_ftrace_direct() to unregister
+the address on the first attempt. Otherwise, the bpf trampoline cannot
+attach. Here is an easy way to reproduce this issue:
+
+ insmod samples/livepatch/livepatch-sample.ko
+ bpftrace -e 'fexit:cmdline_proc_show {}'
+ ERROR: Unable to attach probe: fexit:vmlinux:cmdline_proc_show...
+
+Fix this by cleaning up the hash when register_ftrace_function_nolock hits
+errors.
+
+Also, move the code that resets ops->func and ops->trampoline to the error
+path of register_ftrace_direct(); and add a helper function reset_direct()
+in register_ftrace_direct() and unregister_ftrace_direct().
+
+Fixes: d05cb470663a ("ftrace: Fix modification of direct_function hash while in use")
+Cc: stable@vger.kernel.org # v6.6+
+Reported-by: Andrey Grodzovsky
+Closes: https://lore.kernel.org/live-patching/c5058315a39d4615b333e485893345be@crowdstrike.com/
+Cc: Steven Rostedt (Google)
+Cc: Masami Hiramatsu (Google)
+Acked-and-tested-by: Andrey Grodzovsky
+Signed-off-by: Song Liu
+Reviewed-by: Jiri Olsa
+Link: https://lore.kernel.org/r/20251027175023.1521602-2-song@kernel.org
+Signed-off-by: Alexei Starovoitov
+Acked-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/bpf/trampoline.c | 5 -----
+ kernel/trace/ftrace.c | 20 ++++++++++++++------
+ 2 files changed, 14 insertions(+), 11 deletions(-)
+
+--- a/kernel/bpf/trampoline.c
++++ b/kernel/bpf/trampoline.c
+@@ -479,11 +479,6 @@ again:
+ * BPF_TRAMP_F_SHARE_IPMODIFY is set, we can generate the
+ * trampoline again, and retry register.
+ */
+- /* reset fops->func and fops->trampoline for re-register */
+- tr->fops->func = NULL;
+- tr->fops->trampoline = 0;
+-
+- /* free im memory and reallocate later */
+ bpf_tramp_image_free(im);
+ goto again;
+ }
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -5894,6 +5894,17 @@ static void register_ftrace_direct_cb(st
+ free_ftrace_hash(fhp);
+ }
+
++static void reset_direct(struct ftrace_ops *ops, unsigned long addr)
++{
++ struct ftrace_hash *hash = ops->func_hash->filter_hash;
++
++ remove_direct_functions_hash(hash, addr);
++
++ /* cleanup for possible another register call */
++ ops->func = NULL;
++ ops->trampoline = 0;
++}
++
+ /**
+ * register_ftrace_direct - Call a custom trampoline directly
+ * for multiple functions registered in @ops
+@@ -5989,6 +6000,8 @@ int register_ftrace_direct(struct ftrace
+ ops->direct_call = addr;
+
+ err = register_ftrace_function_nolock(ops);
++ if (err)
++ reset_direct(ops, addr);
+
+ out_unlock:
+ mutex_unlock(&direct_mutex);
+@@ -6021,7 +6034,6 @@ EXPORT_SYMBOL_GPL(register_ftrace_direct
+ int unregister_ftrace_direct(struct ftrace_ops *ops, unsigned long addr,
+ bool free_filters)
+ {
+- struct ftrace_hash *hash = ops->func_hash->filter_hash;
+ int err;
+
+ if (check_direct_multi(ops))
+@@ -6031,13 +6043,9 @@ int unregister_ftrace_direct(struct ftra
+
+ mutex_lock(&direct_mutex);
+ err = unregister_ftrace_function(ops);
+- remove_direct_functions_hash(hash, addr);
++ reset_direct(ops, addr);
+ mutex_unlock(&direct_mutex);
+
+- /* cleanup for possible another register call */
+- ops->func = NULL;
+- ops->trampoline = 0;
+-
+ if (free_filters)
+ ftrace_free_filter(ops);
+ return err;
diff --git a/queue-6.12/ipv4-route-prevent-rt_bind_exception-from-rebinding-stale-fnhe.patch b/queue-6.12/ipv4-route-prevent-rt_bind_exception-from-rebinding-stale-fnhe.patch
new file mode 100644
index 0000000000..c279f53662
--- /dev/null
+++ b/queue-6.12/ipv4-route-prevent-rt_bind_exception-from-rebinding-stale-fnhe.patch
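Review bot: reset_direct() calls remove_direct_functions_hash() and clears `ops->func` and `ops->trampoline`, and both call sites run it with direct_mutex held, but the helper neither documents nor asserts that requirement. Adding `lockdep_assert_held(&direct_mutex);` as its first statement, plus a one-line comment that it undoes a register_ftrace_direct() attempt, would keep a later caller from using it unlocked. In unregister_ftrace_direct() the two field resets have moved inside the mutex, a behaviour change the commit message does not mention. On the register error path `ops->direct_call` stays set to `addr` after reset_direct(); whether that is harmless depends on code outside the hunk.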
@@ -0,0 +1,83 @@
+From ac1499fcd40fe06479e9b933347b837ccabc2a40 Mon Sep 17 00:00:00 2001
+From: Chuang Wang
+Date: Tue, 11 Nov 2025 14:43:24 +0800
+Subject: ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe
+
+From: Chuang Wang
+
+commit ac1499fcd40fe06479e9b933347b837ccabc2a40 upstream.
+
+The sit driver's packet transmission path calls: sit_tunnel_xmit() ->
+update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called
+to delete entries exceeding FNHE_RECLAIM_DEPTH+random.
+
+The race window is between fnhe_remove_oldest() selecting fnheX for
+deletion and the subsequent kfree_rcu(). During this time, the
+concurrent path's __mkroute_output() -> find_exception() can fetch the
+soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a
+new dst using a dst_hold(). When the original fnheX is freed via RCU,
+the dst reference remains permanently leaked.
+
+CPU 0 CPU 1
+__mkroute_output()
+ find_exception() [fnheX]
+ update_or_create_fnhe()
+ fnhe_remove_oldest() [fnheX]
+ rt_bind_exception() [bind dst]
+ RCU callback [fnheX freed, dst leak]
+
+This issue manifests as a device reference count leak and a warning in
+dmesg when unregistering the net device:
+
+ unregister_netdevice: waiting for sitX to become free. Usage count = N
+
+Ido Schimmel provided the simple test validation method [1].
+
+The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes().
+Since rt_bind_exception() checks this field, setting it to zero prevents
+the stale fnhe from being reused and bound to a new dst just before it
+is freed.
+
+[1]
+ip netns add ns1
+ip -n ns1 link set dev lo up
+ip -n ns1 address add 192.0.2.1/32 dev lo
+ip -n ns1 link add name dummy1 up type dummy
+ip -n ns1 route add 192.0.2.2/32 dev dummy1
+ip -n ns1 link add name gretap1 up arp off type gretap \
+ local 192.0.2.1 remote 192.0.2.2
+ip -n ns1 route add 198.51.0.0/16 dev gretap1
+taskset -c 0 ip netns exec ns1 mausezahn gretap1 \
+ -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
+taskset -c 2 ip netns exec ns1 mausezahn gretap1 \
+ -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q &
+sleep 10
+ip netns pids ns1 | xargs kill
+ip netns del ns1
+
+Cc: stable@vger.kernel.org
+Fixes: 67d6d681e15b ("ipv4: make exception cache less predictible")
+Signed-off-by: Chuang Wang
+Reviewed-by: Ido Schimmel
+Reviewed-by: Eric Dumazet
+Link: https://patch.msgid.link/20251111064328.24440-1-nashuiliang@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/route.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -605,6 +605,11 @@ static void fnhe_remove_oldest(struct fn
+ oldest_p = fnhe_p;
+ }
+ }
++
++ /* Clear oldest->fnhe_daddr to prevent this fnhe from being
++ * rebound with new dsts in rt_bind_exception().
++ */
++ oldest->fnhe_daddr = 0;
+ fnhe_flush_routes(oldest);
+ *oldest_p = oldest->fnhe_next;
+ kfree_rcu(oldest, rcu);
diff --git a/queue-6.12/loongarch-use-physical-addresses-for-csr_merrentry-csr_tlbrentry.patch b/queue-6.12/loongarch-use-physical-addresses-for-csr_merrentry-csr_tlbrentry.patch
new file mode 100644
index 0000000000..08effc4d07
--- /dev/null
+++ b/queue-6.12/loongarch-use-physical-addresses-for-csr_merrentry-csr_tlbrentry.patch
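Review bot: The added comment in fnhe_remove_oldest() says why `fnhe_daddr` is cleared but not what orders the store against rt_bind_exception(). If this function runs with fnhe_lock held and rt_bind_exception() tests the field under the same lock (both are outside the hunk), the comment should say so, e.g. by appending `Serialized with rt_bind_exception() by fnhe_lock.`. Lockless RCU readers such as find_exception() can still see the entry until the grace period ends, so if they read the field without the lock, `WRITE_ONCE(oldest->fnhe_daddr, 0);` paired with READ_ONCE() on the reader side would mark the race as intentional. The fix also relies on 0 never being a destination that is looked up, an assumption that deserves a word in the comment.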
@@ -0,0 +1,34 @@
+From 4e67526840fc55917581b90f6a4b65849a616dd8 Mon Sep 17 00:00:00 2001
+From: Huacai Chen
+Date: Sun, 9 Nov 2025 16:02:00 +0800
+Subject: LoongArch: Use physical addresses for CSR_MERRENTRY/CSR_TLBRENTRY
+
+From: Huacai Chen
+
+commit 4e67526840fc55917581b90f6a4b65849a616dd8 upstream.
+
+Now we use virtual addresses to fill CSR_MERRENTRY/CSR_TLBRENTRY, but
+hardware hope physical addresses. Now it works well because the high
+bits are ignored above PA_BITS (48 bits), but explicitly use physical
+addresses can avoid potential bugs. So fix it.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Huacai Chen
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/loongarch/kernel/traps.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/loongarch/kernel/traps.c
++++ b/arch/loongarch/kernel/traps.c
+@@ -1123,8 +1123,8 @@ static void configure_exception_vector(v
+ tlbrentry = (unsigned long)exception_handlers + 80*VECSIZE;
+
+ csr_write64(eentry, LOONGARCH_CSR_EENTRY);
+- csr_write64(eentry, LOONGARCH_CSR_MERRENTRY);
+- csr_write64(tlbrentry, LOONGARCH_CSR_TLBRENTRY);
++ csr_write64(__pa(eentry), LOONGARCH_CSR_MERRENTRY);
++ csr_write64(__pa(tlbrentry), LOONGARCH_CSR_TLBRENTRY);
+ }
+
+ void per_cpu_trap_init(int cpu)
diff --git a/queue-6.12/mm-mm_init-fix-hash-table-order-logging-in-alloc_large_system_hash.patch b/queue-6.12/mm-mm_init-fix-hash-table-order-logging-in-alloc_large_system_hash.patch
new file mode 100644
index 0000000000..28d1a1e172
--- /dev/null
+++ b/queue-6.12/mm-mm_init-fix-hash-table-order-logging-in-alloc_large_system_hash.patch
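Review bot: The three CSR writes in configure_exception_vector() are no longer symmetric and nothing in the code says why: LOONGARCH_CSR_EENTRY still receives the virtual `eentry`, while MERRENTRY and TLBRENTRY now receive `__pa()` values. A short comment above the two changed lines, e.g. `/* MERRENTRY/TLBRENTRY take physical addresses; EENTRY takes a virtual one */`, would stop a later cleanup from "fixing" the difference in either direction. The statement about EENTRY is inferred from the unchanged line and the commit message, so confirm it against the architecture manual before adding it. The function starts outside the hunk.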
@@ -0,0 +1,48 @@
+From 0d6c356dd6547adac2b06b461528e3573f52d953 Mon Sep 17 00:00:00 2001
+From: "Isaac J. Manjarres"
+Date: Tue, 28 Oct 2025 12:10:12 -0700
+Subject: mm/mm_init: fix hash table order logging in alloc_large_system_hash()
+
+From: Isaac J. Manjarres
+
+commit 0d6c356dd6547adac2b06b461528e3573f52d953 upstream.
+
+When emitting the order of the allocation for a hash table,
+alloc_large_system_hash() unconditionally subtracts PAGE_SHIFT from log
+base 2 of the allocation size. This is not correct if the allocation size
+is smaller than a page, and yields a negative value for the order as seen
+below:
+
+TCP established hash table entries: 32 (order: -4, 256 bytes, linear) TCP
+bind hash table entries: 32 (order: -2, 1024 bytes, linear)
+
+Use get_order() to compute the order when emitting the hash table
+information to correctly handle cases where the allocation size is smaller
+than a page:
+
+TCP established hash table entries: 32 (order: 0, 256 bytes, linear) TCP
+bind hash table entries: 32 (order: 0, 1024 bytes, linear)
+
+Link: https://lkml.kernel.org/r/20251028191020.413002-1-isaacmanjarres@google.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Isaac J. Manjarres
+Reviewed-by: Mike Rapoport (Microsoft)
+Reviewed-by: David Hildenbrand
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/mm_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/mm_init.c
++++ b/mm/mm_init.c
+@@ -2428,7 +2428,7 @@ void *__init alloc_large_system_hash(con
+ panic("Failed to allocate %s hash table\n", tablename);
+
+ pr_info("%s hash table entries: %ld (order: %d, %lu bytes, %s)\n",
+- tablename, 1UL << log2qty, ilog2(size) - PAGE_SHIFT, size,
++ tablename, 1UL << log2qty, get_order(size), size,
+ virt ? (huge ? "vmalloc hugepage" : "vmalloc") : "linear");
+
+ if (_hash_shift)
diff --git a/queue-6.12/mm-shmem-fix-thp-allocation-and-fallback-loop.patch b/queue-6.12/mm-shmem-fix-thp-allocation-and-fallback-loop.patch
new file mode 100644
index 0000000000..559879cebf
--- /dev/null
+++ b/queue-6.12/mm-shmem-fix-thp-allocation-and-fallback-loop.patch
@@ -0,0 +1,68 @@
+From fc745ff317566ec299e16346ebb9eacc8fe5b9d2 Mon Sep 17 00:00:00 2001
+From: Kairui Song
+Date: Wed, 22 Oct 2025 18:57:19 +0800
+Subject: mm/shmem: fix THP allocation and fallback loop
+
+From: Kairui Song
+
+commit fc745ff317566ec299e16346ebb9eacc8fe5b9d2 upstream.
+
+The order check and fallback loop is updating the index value on every
+loop. This will cause the index to be wrongly aligned by a larger value
+while the loop shrinks the order.
+
+This may result in inserting and returning a folio of the wrong index and
+cause data corruption with some userspace workloads [1].
+
+[kasong@tencent.com: introduce a temporary variable to improve code]
+ Link: https://lkml.kernel.org/r/20251023065913.36925-1-ryncsn@gmail.com
+ Link: https://lore.kernel.org/linux-mm/CAMgjq7DqgAmj25nDUwwu1U2cSGSn8n4-Hqpgottedy0S6YYeUw@mail.gmail.com/ [1]
+Link: https://lkml.kernel.org/r/20251022105719.18321-1-ryncsn@gmail.com
+Link: https://lore.kernel.org/linux-mm/CAMgjq7DqgAmj25nDUwwu1U2cSGSn8n4-Hqpgottedy0S6YYeUw@mail.gmail.com/ [1]
+Fixes: e7a2ab7b3bb5 ("mm: shmem: add mTHP support for anonymous shmem")
+Closes: https://lore.kernel.org/linux-mm/CAMgjq7DqgAmj25nDUwwu1U2cSGSn8n4-Hqpgottedy0S6YYeUw@mail.gmail.com/
+Signed-off-by: Kairui Song
+Acked-by: David Hildenbrand
+Acked-by: Zi Yan
+Reviewed-by: Baolin Wang
+Reviewed-by: Barry Song
+Reviewed-by: Lorenzo Stoakes
+Cc: Dev Jain
+Cc: Hugh Dickins
+Cc: Liam Howlett
+Cc: Matthew Wilcox (Oracle)
+Cc: Nico Pache
+Cc: Ryan Roberts
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/shmem.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -1785,6 +1785,7 @@ static struct folio *shmem_alloc_and_add
+ struct shmem_inode_info *info = SHMEM_I(inode);
+ unsigned long suitable_orders = 0;
+ struct folio *folio = NULL;
++ pgoff_t aligned_index;
+ long pages;
+ int error, order;
+
+@@ -1798,10 +1799,12 @@ static struct folio *shmem_alloc_and_add
+ order = highest_order(suitable_orders);
+ while (suitable_orders) {
+ pages = 1UL << order;
+- index = round_down(index, pages);
+- folio = shmem_alloc_folio(gfp, order, info, index);
+- if (folio)
++ aligned_index = round_down(index, pages);
++ folio = shmem_alloc_folio(gfp, order, info, aligned_index);
++ if (folio) {
++ index = aligned_index;
+ goto allocated;
++ }
+
+ if (pages == HPAGE_PMD_NR)
+ count_vm_event(THP_FILE_FALLBACK);
diff --git a/queue-6.12/mmc-dw_mmc-rockchip-fix-wrong-internal-phase-calculate.patch b/queue-6.12/mmc-dw_mmc-rockchip-fix-wrong-internal-phase-calculate.patch
new file mode 100644
index 0000000000..de54015779
--- /dev/null
+++ b/queue-6.12/mmc-dw_mmc-rockchip-fix-wrong-internal-phase-calculate.patch
@@ -0,0 +1,43 @@
+From 739f04f4a46237536aff07ff223c231da53ed8ce Mon Sep 17 00:00:00 2001
+From: Shawn Lin
+Date: Tue, 4 Nov 2025 11:51:23 +0800
+Subject: mmc: dw_mmc-rockchip: Fix wrong internal phase calculate
+
+From: Shawn Lin
+
+commit 739f04f4a46237536aff07ff223c231da53ed8ce upstream.
+
+ciu clock is 2 times of io clock, but the sample clk used is
+derived from io clock provided to the card. So we should use
+io clock to calculate the phase.
+
+Fixes: 59903441f5e4 ("mmc: dw_mmc-rockchip: Add internal phase support")
+Signed-off-by: Shawn Lin
+Acked-by: Heiko Stuebner
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/dw_mmc-rockchip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/dw_mmc-rockchip.c
++++ b/drivers/mmc/host/dw_mmc-rockchip.c
+@@ -43,7 +43,7 @@ struct dw_mci_rockchip_priv_data {
+ */
+ static int rockchip_mmc_get_internal_phase(struct dw_mci *host, bool sample)
+ {
+- unsigned long rate = clk_get_rate(host->ciu_clk);
++ unsigned long rate = clk_get_rate(host->ciu_clk) / RK3288_CLKGEN_DIV;
+ u32 raw_value;
+ u16 degrees;
+ u32 delay_num = 0;
+@@ -86,7 +86,7 @@ static int rockchip_mmc_get_phase(struct
+
+ static int rockchip_mmc_set_internal_phase(struct dw_mci *host, bool sample, int degrees)
+ {
+- unsigned long rate = clk_get_rate(host->ciu_clk);
++ unsigned long rate = clk_get_rate(host->ciu_clk) / RK3288_CLKGEN_DIV;
+ u8 nineties, remainder;
+ u8 delay_num;
+ u32 raw_value;
diff --git a/queue-6.12/mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch b/queue-6.12/mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch
new file mode 100644
index 0000000000..1ba999592e
--- /dev/null
+++ b/queue-6.12/mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch
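Review bot: The expression `clk_get_rate(host->ciu_clk) / RK3288_CLKGEN_DIV` is now duplicated in rockchip_mmc_get_internal_phase() and rockchip_mmc_set_internal_phase(), and neither line explains that the phase is computed against the io clock rather than ciu. A small static helper, or at least a comment such as `/* sample clock is derived from the io clock, i.e. ciu / RK3288_CLKGEN_DIV */` on both lines, would keep the two in step. If `rate` is later used as a divisor (both bodies continue outside the hunk), the integer division can yield zero for a zero or very low ciu rate, so check that a `!rate` guard exists before that use.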
@@ -0,0 +1,34 @@
+From a28352cf2d2f8380e7aca8cb61682396dca7a991 Mon Sep 17 00:00:00 2001
+From: Shawn Lin
+Date: Mon, 20 Oct 2025 09:49:41 +0800
+Subject: mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4
+
+From: Shawn Lin
+
+commit a28352cf2d2f8380e7aca8cb61682396dca7a991 upstream.
+
+strbin signal delay under 0x8 configuration is not stable after massive
+test. The recommandation of it should be 0x4.
+
+Signed-off-by: Shawn Lin
+Tested-by: Alexey Charkov
+Tested-by: Hugh Cole-Baker
+Fixes: 08f3dff799d4 ("mmc: sdhci-of-dwcmshc: add rockchip platform support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/sdhci-of-dwcmshc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-of-dwcmshc.c
++++ b/drivers/mmc/host/sdhci-of-dwcmshc.c
+@@ -94,7 +94,7 @@
+ #define DLL_TXCLK_TAPNUM_DEFAULT 0x10
+ #define DLL_TXCLK_TAPNUM_90_DEGREES 0xA
+ #define DLL_TXCLK_TAPNUM_FROM_SW BIT(24)
+-#define DLL_STRBIN_TAPNUM_DEFAULT 0x8
++#define DLL_STRBIN_TAPNUM_DEFAULT 0x4
+ #define DLL_STRBIN_TAPNUM_FROM_SW BIT(24)
+ #define DLL_STRBIN_DELAY_NUM_SEL BIT(26)
+ #define DLL_STRBIN_DELAY_NUM_OFFSET 16
diff --git a/queue-6.12/nilfs2-avoid-having-an-active-sc_timer-before-freeing-sci.patch b/queue-6.12/nilfs2-avoid-having-an-active-sc_timer-before-freeing-sci.patch
new file mode 100644
index 0000000000..a14f1183ca
--- /dev/null
+++ b/queue-6.12/nilfs2-avoid-having-an-active-sc_timer-before-freeing-sci.patch
@@ -0,0 +1,60 @@
+From 9a6b60cb147d53968753a34805211d2e5e08c027 Mon Sep 17 00:00:00 2001
+From: Edward Adam Davis
+Date: Thu, 30 Oct 2025 07:51:52 +0900
+Subject: nilfs2: avoid having an active sc_timer before freeing sci
+
+From: Edward Adam Davis
+
+commit 9a6b60cb147d53968753a34805211d2e5e08c027 upstream.
+
+Because kthread_stop did not stop sc_task properly and returned -EINTR,
+the sc_timer was not properly closed, ultimately causing the problem [1]
+reported by syzbot when freeing sci due to the sc_timer not being closed.
+
+Because the thread sc_task main function nilfs_segctor_thread() returns 0
+when it succeeds, when the return value of kthread_stop() is not 0 in
+nilfs_segctor_destroy(), we believe that it has not properly closed
+sc_timer.
+
+We use timer_shutdown_sync() to sync wait for sc_timer to shutdown, and
+set the value of sc_task to NULL under the protection of lock
+sc_state_lock, so as to avoid the issue caused by sc_timer not being
+properly shutdowned.
+
+[1]
+ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: nilfs_construction_timeout
+Call trace:
+ nilfs_segctor_destroy fs/nilfs2/segment.c:2811 [inline]
+ nilfs_detach_log_writer+0x668/0x8cc fs/nilfs2/segment.c:2877
+ nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509
+
+Link: https://lkml.kernel.org/r/20251029225226.16044-1-konishi.ryusuke@gmail.com
+Fixes: 3f66cc261ccb ("nilfs2: use kthread_create and kthread_stop for the log writer thread")
+Signed-off-by: Ryusuke Konishi
+Reported-by: syzbot+24d8b70f039151f65590@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=24d8b70f039151f65590
+Tested-by: syzbot+24d8b70f039151f65590@syzkaller.appspotmail.com
+Signed-off-by: Edward Adam Davis
+Cc: [6.12+]
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/segment.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/nilfs2/segment.c
++++ b/fs/nilfs2/segment.c
+@@ -2787,7 +2787,12 @@ static void nilfs_segctor_destroy(struct
+
+ if (sci->sc_task) {
+ wake_up(&sci->sc_wait_daemon);
+- kthread_stop(sci->sc_task);
++ if (kthread_stop(sci->sc_task)) {
++ spin_lock(&sci->sc_state_lock);
++ sci->sc_task = NULL;
++ timer_shutdown_sync(&sci->sc_timer);
++ spin_unlock(&sci->sc_state_lock);
++ }
+ }
+
+ spin_lock(&sci->sc_state_lock);
diff --git a/queue-6.12/pm-hibernate-emit-an-error-when-image-writing-fails.patch b/queue-6.12/pm-hibernate-emit-an-error-when-image-writing-fails.patch
new file mode 100644
index 0000000000..38d13a3726
--- /dev/null
+++ b/queue-6.12/pm-hibernate-emit-an-error-when-image-writing-fails.patch
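Review bot: timer_shutdown_sync() is called while `sc_state_lock` is held in nilfs_segctor_destroy(), and it waits for a running timer callback to finish, so if nilfs_construction_timeout() (outside the hunk) ever takes that spinlock the teardown deadlocks. Only the `sc_task` store needs the lock, so the wait can move after the unlock: `spin_unlock(&sci->sc_state_lock);` followed by `timer_shutdown_sync(&sci->sc_timer);`. A one-line comment that a non-zero kthread_stop() result means the thread never ran its own timer cleanup would also help, since that reasoning exists only in the commit message. The function starts and ends outside the hunk.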
@@ -0,0 +1,52 @@
+From 62b9ca1706e1bbb60d945a58de7c7b5826f6b2a2 Mon Sep 17 00:00:00 2001
+From: "Mario Limonciello (AMD)"
+Date: Wed, 5 Nov 2025 22:51:05 -0600
+Subject: PM: hibernate: Emit an error when image writing fails
+
+From: Mario Limonciello (AMD)
+
+commit 62b9ca1706e1bbb60d945a58de7c7b5826f6b2a2 upstream.
+
+If image writing fails, a return code is passed up to the caller, but
+none of the callers log anything to the log and so the only record
+of it is the return code that userspace gets.
+
+Adjust the logging so that the image size and speed of writing is
+only emitted on success and if there is an error, it's saved to the
+logs.
+
+Fixes: a06c6f5d3cc9 ("PM: hibernate: Move to crypto APIs for LZO compression")
+Reported-by: Askar Safin
+Closes: https://lore.kernel.org/linux-pm/20251105180506.137448-1-safinaskar@gmail.com/
+Signed-off-by: Mario Limonciello (AMD)
+Tested-by: Askar Safin
+Cc: 6.9+ # 6.9+
+[ rjw: Added missing braces after "else", changelog edits ]
+Link: https://patch.msgid.link/20251106045158.3198061-2-superm1@kernel.org
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/power/swap.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/kernel/power/swap.c
++++ b/kernel/power/swap.c
+@@ -882,11 +882,14 @@ out_finish:
+ stop = ktime_get();
+ if (!ret)
+ ret = err2;
+- if (!ret)
++ if (!ret) {
++ swsusp_show_speed(start, stop, nr_to_write, "Wrote");
++ pr_info("Image size after compression: %d kbytes\n",
++ (atomic_read(&compressed_size) / 1024));
+ pr_info("Image saving done\n");
+- swsusp_show_speed(start, stop, nr_to_write, "Wrote");
+- pr_info("Image size after compression: %d kbytes\n",
+- (atomic_read(&compressed_size) / 1024));
++ } else {
++ pr_err("Image saving failed: %d\n", ret);
++ }
+
+ out_clean:
+ hib_finish_batch(&hb);
diff --git a/queue-6.12/pm-hibernate-use-atomic64_t-for-compressed_size-variable.patch b/queue-6.12/pm-hibernate-use-atomic64_t-for-compressed_size-variable.patch
new file mode 100644
index 0000000000..86d71b5f16
--- /dev/null
+++ b/queue-6.12/pm-hibernate-use-atomic64_t-for-compressed_size-variable.patch
@@ -0,0 +1,66 @@
+From 66ededc694f1d06a71ca35a3c8e3689e9b85b3ce Mon Sep 17 00:00:00 2001
+From: "Mario Limonciello (AMD)"
+Date: Wed, 5 Nov 2025 22:51:06 -0600
+Subject: PM: hibernate: Use atomic64_t for compressed_size variable
+
+From: Mario Limonciello (AMD)
+
+commit 66ededc694f1d06a71ca35a3c8e3689e9b85b3ce upstream.
+
+`compressed_size` can overflow, showing nonsensical values.
+
+Change from `atomic_t` to `atomic64_t` to prevent overflow.
+
+Fixes: a06c6f5d3cc9 ("PM: hibernate: Move to crypto APIs for LZO compression")
+Reported-by: Askar Safin
+Closes: https://lore.kernel.org/linux-pm/20251105180506.137448-1-safinaskar@gmail.com/
+Signed-off-by: Mario Limonciello (AMD)
+Tested-by: Askar Safin
+Cc: 6.9+ # 6.9+
+Link: https://patch.msgid.link/20251106045158.3198061-3-superm1@kernel.org
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/power/swap.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/kernel/power/swap.c
++++ b/kernel/power/swap.c
+@@ -648,7 +648,7 @@ struct cmp_data {
+ };
+
+ /* Indicates the image size after compression */
+-static atomic_t compressed_size = ATOMIC_INIT(0);
++static atomic64_t compressed_size = ATOMIC_INIT(0);
+
+ /*
+ * Compression function that runs in its own thread.
+@@ -676,7 +676,7 @@ static int compress_threadfn(void *data)
+ &cmp_len);
+ d->cmp_len = cmp_len;
+
+- atomic_set(&compressed_size, atomic_read(&compressed_size) + d->cmp_len);
++ atomic64_add(d->cmp_len, &compressed_size);
+ atomic_set_release(&d->stop, 1);
+ wake_up(&d->done);
+ }
+@@ -708,7 +708,7 @@ static int save_compressed_image(struct
+
+ hib_init_batch(&hb);
+
+- atomic_set(&compressed_size, 0);
++ atomic64_set(&compressed_size, 0);
+
+ /*
+ * We'll limit the number of threads for compression to limit memory
+@@ -884,8 +884,8 @@ out_finish:
+ ret = err2;
+ if (!ret) {
+ swsusp_show_speed(start, stop, nr_to_write, "Wrote");
+- pr_info("Image size after compression: %d kbytes\n",
+- (atomic_read(&compressed_size) / 1024));
++ pr_info("Image size after compression: %lld kbytes\n",
++ (atomic64_read(&compressed_size) / 1024));
+ pr_info("Image saving done\n");
+ } else {
+ pr_err("Image saving failed: %d\n", ret);
diff --git a/queue-6.12/pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch b/queue-6.12/pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch
new file mode 100644
index 0000000000..34b0e99d14
--- /dev/null
+++ b/queue-6.12/pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch
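Review bot: The new declaration `static atomic64_t compressed_size = ATOMIC_INIT(0);` in kernel/power/swap.c still uses the initialiser macro of the 32-bit type; the matching macro for an atomic64_t is `ATOMIC64_INIT`. The mismatch goes unnoticed only where both macros happen to expand to the same initialiser, so I would write `static atomic64_t compressed_size = ATOMIC64_INIT(0);`. The comment above it could also state the unit, e.g. `/* Image size after compression, in bytes; updated by the compression threads */`, since the print site divides by 1024.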
@@ -0,0 +1,77 @@
+From 7458f72cc28f9eb0de811effcb5376d0ec19094a Mon Sep 17 00:00:00 2001
+From: Sudeep Holla
+Date: Fri, 17 Oct 2025 12:03:20 +0100
+Subject: pmdomain: arm: scmi: Fix genpd leak on provider registration failure
+
+From: Sudeep Holla
+
+commit 7458f72cc28f9eb0de811effcb5376d0ec19094a upstream.
+
+If of_genpd_add_provider_onecell() fails during probe, the previously
+created generic power domains are not removed, leading to a memory leak
+and potential kernel crash later in genpd_debug_add().
+
+Add proper error handling to unwind the initialized domains before
+returning from probe to ensure all resources are correctly released on
+failure.
+
+Example crash trace observed without this fix:
+
+ | Unable to handle kernel paging request at virtual address fffffffffffffc70
+ | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT
+ | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform
+ | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ | pc : genpd_debug_add+0x2c/0x160
+ | lr : genpd_debug_init+0x74/0x98
+ | Call trace:
+ | genpd_debug_add+0x2c/0x160 (P)
+ | genpd_debug_init+0x74/0x98
+ | do_one_initcall+0xd0/0x2d8
+ | do_initcall_level+0xa0/0x140
+ | do_initcalls+0x60/0xa8
+ | do_basic_setup+0x28/0x40
+ | kernel_init_freeable+0xe8/0x170
+ | kernel_init+0x2c/0x140
+ | ret_from_fork+0x10/0x20
+
+Fixes: 898216c97ed2 ("firmware: arm_scmi: add device power domain support using genpd")
+Signed-off-by: Sudeep Holla
+Reviewed-by: Peng Fan
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pmdomain/arm/scmi_pm_domain.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/pmdomain/arm/scmi_pm_domain.c
++++ b/drivers/pmdomain/arm/scmi_pm_domain.c
+@@ -54,7 +54,7 @@ static int scmi_pd_power_off(struct gene
+
+ static int scmi_pm_domain_probe(struct scmi_device *sdev)
+ {
+- int num_domains, i;
++ int num_domains, i, ret;
+ struct device *dev = &sdev->dev;
+ struct device_node *np = dev->of_node;
+ struct scmi_pm_domain *scmi_pd;
+@@ -113,9 +113,18 @@ static int scmi_pm_domain_probe(struct s
+ scmi_pd_data->domains = domains;
+ scmi_pd_data->num_domains = num_domains;
+
++ ret = of_genpd_add_provider_onecell(np, scmi_pd_data);
++ if (ret)
++ goto err_rm_genpds;
++
+ dev_set_drvdata(dev, scmi_pd_data);
+
+- return of_genpd_add_provider_onecell(np, scmi_pd_data);
++ return 0;
++err_rm_genpds:
++ for (i = num_domains - 1; i >= 0; i--)
++ pm_genpd_remove(domains[i]);
++
++ return ret;
+ }
+
+ static void scmi_pm_domain_remove(struct scmi_device *sdev)
diff --git a/queue-6.12/pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch b/queue-6.12/pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch
new file mode 100644
index 0000000000..58ea89c3ee
--- /dev/null
+++ b/queue-6.12/pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch
@@ -0,0 +1,33 @@
+From bbde14682eba21d86f5f3d6fe2d371b1f97f1e61 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin
+Date: Tue, 28 Oct 2025 11:16:20 +0800
+Subject: pmdomain: imx: Fix reference count leak in imx_gpc_remove
+
+From: Miaoqian Lin
+
+commit bbde14682eba21d86f5f3d6fe2d371b1f97f1e61 upstream.
+
+of_get_child_by_name() returns a node pointer with refcount incremented, we
+should use of_node_put() on it when not needed anymore. Add the missing
+of_node_put() to avoid refcount leak.
+
+Fixes: 721cabf6c660 ("soc: imx: move PGC handling to a new GPC driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pmdomain/imx/gpc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pmdomain/imx/gpc.c
++++ b/drivers/pmdomain/imx/gpc.c
+@@ -537,6 +537,8 @@ static void imx_gpc_remove(struct platfo
+ return;
+ }
+ }
++
++ of_node_put(pgc_node);
+ }
+
+ static struct platform_driver imx_gpc_driver = {
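Review bot: The new `err_rm_genpds` loop in scmi_pm_domain_probe() calls `pm_genpd_remove(domains[i])` for every index and drops the result, so a domain that cannot be removed stays registered while probe returns an error. How `domains[]` and the scmi_pd array are allocated is outside the hunk; if they are device-managed, a failed removal would leave the genpd core holding a pointer into memory released on probe failure, and slots the earlier loop never initialised would be passed in as NULL. I would at least report the failure, e.g. `if (pm_genpd_remove(domains[i])) dev_warn(dev, "failed to remove domain %d\n", i);`, and add a comment above the loop saying that NULL slots are expected and tolerated.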
diff --git a/queue-6.12/pmdomain-samsung-plug-potential-memleak-during-probe.patch b/queue-6.12/pmdomain-samsung-plug-potential-memleak-during-probe.patch
new file mode 100644
index 0000000000..24e4398b44
--- /dev/null
+++ b/queue-6.12/pmdomain-samsung-plug-potential-memleak-during-probe.patch
@@ -0,0 +1,67 @@
+From 90c82941adf1986364e0f82c35cf59f2bf5f6a1d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A9=20Draszik?=
+Date: Thu, 16 Oct 2025 16:58:37 +0100
+Subject: pmdomain: samsung: plug potential memleak during probe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: André Draszik
+
+commit 90c82941adf1986364e0f82c35cf59f2bf5f6a1d upstream.
+
+of_genpd_add_provider_simple() could fail, in which case this code
+leaks the domain name, pd->pd.name.
+
+Use devm_kstrdup_const() to plug this leak. As a side-effect, we can
+simplify existing error handling.
+
+Fixes: c09a3e6c97f0 ("soc: samsung: pm_domains: Convert to regular platform driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Peter Griffin
+Reviewed-by: Krzysztof Kozlowski
+Signed-off-by: André Draszik
+Tested-by: Marek Szyprowski
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pmdomain/samsung/exynos-pm-domains.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/pmdomain/samsung/exynos-pm-domains.c
++++ b/drivers/pmdomain/samsung/exynos-pm-domains.c
+@@ -92,13 +92,14 @@ static const struct of_device_id exynos_
+ { },
+ };
+
+-static const char *exynos_get_domain_name(struct device_node *node)
++static const char *exynos_get_domain_name(struct device *dev,
++ struct device_node *node)
+ {
+ const char *name;
+
+ if (of_property_read_string(node, "label", &name) < 0)
+ name = kbasename(node->full_name);
+- return kstrdup_const(name, GFP_KERNEL);
++ return devm_kstrdup_const(dev, name, GFP_KERNEL);
+ }
+
+ static int exynos_pd_probe(struct platform_device *pdev)
+@@ -115,15 +116,13 @@ static int exynos_pd_probe(struct platfo
+ if (!pd)
+ return -ENOMEM;
+
+- pd->pd.name = exynos_get_domain_name(np);
++ pd->pd.name = exynos_get_domain_name(dev, np);
+ if (!pd->pd.name)
+ return -ENOMEM;
+
+ pd->base = of_iomap(np, 0);
+- if (!pd->base) {
+- kfree_const(pd->pd.name);
++ if (!pd->base)
+ return -ENODEV;
+- }
+
+ pd->pd.power_off = exynos_pd_power_off;
+ pd->pd.power_on = exynos_pd_power_on;
diff --git a/queue-6.12/selftests-mptcp-connect-fix-fallback-note-due-to-ooo.patch b/queue-6.12/selftests-mptcp-connect-fix-fallback-note-due-to-ooo.patch
new file mode 100644
index 0000000000..e98f60b22e
--- /dev/null
+++ b/queue-6.12/selftests-mptcp-connect-fix-fallback-note-due-to-ooo.patch
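Review bot: exynos_get_domain_name() now returns memory owned by `dev`, but nothing at the definition says so, and the old contract (the caller frees with kfree_const()) is exactly what this patch removes from exynos_pd_probe(). A comment above the helper, for example `/* Returned name is devm-managed (or points to read-only data); callers must not kfree_const() it. */`, would keep a later error path from freeing it a second time. The name's lifetime is now tied to the device binding, so pd->pd.name must not be reachable through the genpd core after probe fails or the device is unbound; whether the domain is unregistered on those paths is not visible in this hunk, and both functions continue outside it.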
@@ -0,0 +1,40 @@
+From 63c643aa7b7287fdbb0167063785f89ece3f000f Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)"
+Date: Mon, 10 Nov 2025 19:23:40 +0100
+Subject: selftests: mptcp: connect: fix fallback note due to OoO
+
+From: Matthieu Baerts (NGI0)
+
+commit 63c643aa7b7287fdbb0167063785f89ece3f000f upstream.
+
+The "fallback due to TCP OoO" was never printed because the stat_ooo_now
+variable was checked twice: once in the parent if-statement, and one in
+the child one. The second condition was then always true then, and the
+'else' branch was never taken.
+
+The idea is that when there are more ACK + MP_CAPABLE than expected, the
+test either fails if there was no out of order packets, or a notice is
+printed.
+
+Fixes: 69ca3d29a755 ("mptcp: update selftest for fallback due to OoO")
+Cc: stable@vger.kernel.org
+Reviewed-by: Geliang Tang
+Signed-off-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20251110-net-mptcp-sft-join-unstable-v1-1-a4332c714e10@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/net/mptcp/mptcp_connect.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_connect.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.sh
+@@ -493,7 +493,7 @@ do_transfer()
+ "than expected (${expect_synrx})"
+ retc=1
+ fi
+- if [ ${stat_ackrx_now_l} -lt ${expect_ackrx} ] && [ ${stat_ooo_now} -eq 0 ]; then
++ if [ ${stat_ackrx_now_l} -lt ${expect_ackrx} ]; then
+ if [ ${stat_ooo_now} -eq 0 ]; then
+ mptcp_lib_pr_fail "lower MPC ACK rx (${stat_ackrx_now_l})" \
+ "than expected (${expect_ackrx})"
diff --git a/queue-6.12/selftests-mptcp-connect-trunc-read-all-recv-data.patch b/queue-6.12/selftests-mptcp-connect-trunc-read-all-recv-data.patch
new file mode 100644
index 0000000000..7e5dbda5e1
--- /dev/null
+++ b/queue-6.12/selftests-mptcp-connect-trunc-read-all-recv-data.patch
@@ -0,0 +1,82 @@
+From ee79980f7a428ec299f6261bea4c1084dcbc9631 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)"
+Date: Mon, 10 Nov 2025 19:23:44 +0100
+Subject: selftests: mptcp: connect: trunc: read all recv data
+
+From: Matthieu Baerts (NGI0)
+
+commit ee79980f7a428ec299f6261bea4c1084dcbc9631 upstream.
+
+MPTCP Join "fastclose server" selftest is sometimes failing because the
+client output file doesn't have the expected size, e.g. 296B instead of
+1024B.
+
+When looking at a packet trace when this happens, the server sent the
+expected 1024B in two parts -- 100B, then 924B -- then the MP_FASTCLOSE.
+It is then strange to see the client only receiving 296B, which would
+mean it only got a part of the second packet. The problem is then not on
+the networking side, but rather on the data reception side.
+
+When mptcp_connect is launched with '-f -1', it means the connection
+might stop before having sent everything, because a reset has been
+received. When this happens, the program was directly stopped. But it is
+also possible there are still some data to read, simply because the
+previous 'read' step was done with a buffer smaller than the pending
+data, see do_rnd_read(). In this case, it is important to read what's
+left in the kernel buffers before stopping without error like before.
+
+SIGPIPE is now ignored, not to quit the app before having read
+everything.
+
+Fixes: 6bf41020b72b ("selftests: mptcp: update and extend fastclose test-cases")
+Cc: stable@vger.kernel.org
+Reviewed-by: Geliang Tang
+Signed-off-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20251110-net-mptcp-sft-join-unstable-v1-5-a4332c714e10@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/net/mptcp/mptcp_connect.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c
++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c
+@@ -696,8 +696,14 @@ static int copyfd_io_poll(int infd, int
+
+ bw = do_rnd_write(peerfd, winfo->buf + winfo->off, winfo->len);
+ if (bw < 0) {
+- if (cfg_rcv_trunc)
+- return 0;
++ /* expected reset, continue to read */
++ if (cfg_rcv_trunc &&
++ (errno == ECONNRESET ||
++ errno == EPIPE)) {
++ fds.events &= ~POLLOUT;
++ continue;
++ }
++
+ perror("write");
+ return 111;
+ }
+@@ -723,8 +729,10 @@ static int copyfd_io_poll(int infd, int
+ }
+
+ if (fds.revents & (POLLERR | POLLNVAL)) {
+- if (cfg_rcv_trunc)
+- return 0;
++ if (cfg_rcv_trunc) {
++ fds.events &= ~(POLLERR | POLLNVAL);
++ continue;
++ }
+ fprintf(stderr, "Unexpected revents: "
+ "POLLERR/POLLNVAL(%x)\n", fds.revents);
+ return 5;
+@@ -1419,7 +1427,7 @@ static void parse_opts(int argc, char **
+ */
+ if (cfg_truncate < 0) {
+ cfg_rcv_trunc = true;
+- signal(SIGPIPE, handle_signal);
++ signal(SIGPIPE, SIG_IGN);
+ }
+ break;
+ case 'j':
diff --git a/queue-6.12/selftests-mptcp-join-endpoints-longer-transfer.patch b/queue-6.12/selftests-mptcp-join-endpoints-longer-transfer.patch
new file mode 100644
index 0000000000..8bba27ff3a
--- /dev/null
+++ b/queue-6.12/selftests-mptcp-join-endpoints-longer-transfer.patch
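Review bot: In the second copyfd_io_poll() hunk, `fds.events &= ~(POLLERR | POLLNVAL);` has no effect, because poll() ignores those bits in `events` and always reports them in `revents`. With cfg_rcv_trunc set, the `continue` therefore goes back to poll() with the same condition still pending, and the loop ends only if the read path sees end-of-file or an error; for POLLNVAL, which signals an invalid descriptor, no read can make progress. I would drop the mask line and keep POLLNVAL fatal, e.g. `if (cfg_rcv_trunc && !(fds.revents & POLLNVAL)) continue;`. The errno test in the first hunk also depends on do_rnd_write() leaving errno untouched after the failing write; that helper and the rest of the loop are outside the hunks, so both points need checking against the full function.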
@@ -0,0 +1,73 @@
+From 6457595db9870298ee30b6d75287b8548e33fe19 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)"
+Date: Mon, 10 Nov 2025 19:23:42 +0100
+Subject: selftests: mptcp: join: endpoints: longer transfer
+
+From: Matthieu Baerts (NGI0)
+
+commit 6457595db9870298ee30b6d75287b8548e33fe19 upstream.
+
+In rare cases, when the test environment is very slow, some userspace
+tests can fail because some expected events have not been seen.
+
+Because the tests are expecting a long on-going connection, and they are
+not waiting for the end of the transfer, it is fine to make the
+connection longer. This connection will be killed at the end, after the
+verifications, so making it longer doesn't change anything, apart from
+avoid it to end before the end of the verifications
+
+To play it safe, all endpoints tests not waiting for the end of the
+transfer are now sharing a longer file (128KB) at slow speed.
+
+Fixes: 69c6ce7b6eca ("selftests: mptcp: add implicit endpoint test case")
+Cc: stable@vger.kernel.org
+Fixes: e274f7154008 ("selftests: mptcp: add subflow limits test-cases")
+Fixes: b5e2fb832f48 ("selftests: mptcp: add explicit test case for remove/readd")
+Fixes: e06959e9eebd ("selftests: mptcp: join: test for flush/re-add endpoints")
+Reviewed-by: Geliang Tang
+Signed-off-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20251110-net-mptcp-sft-join-unstable-v1-3-a4332c714e10@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -3728,7 +3728,7 @@ endpoint_tests()
+ pm_nl_set_limits $ns1 2 2
+ pm_nl_set_limits $ns2 2 2
+ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
+- { speed=slow \
++ { test_linkfail=128 speed=slow \
+ run_tests $ns1 $ns2 10.0.1.1 & } 2>/dev/null
+ local tests_pid=$!
+
+@@ -3755,7 +3755,7 @@ endpoint_tests()
+ pm_nl_set_limits $ns2 0 3
+ pm_nl_add_endpoint $ns2 10.0.1.2 id 1 dev ns2eth1 flags subflow
+ pm_nl_add_endpoint $ns2 10.0.2.2 id 2 dev ns2eth2 flags subflow
+- { test_linkfail=4 speed=5 \
++ { test_linkfail=128 speed=5 \
+ run_tests $ns1 $ns2 10.0.1.1 & } 2>/dev/null
+ local tests_pid=$!
+
+@@ -3833,7 +3833,7 @@ endpoint_tests()
+ # broadcast IP: no packet for this address will be received on ns1
+ pm_nl_add_endpoint $ns1 224.0.0.1 id 2 flags signal
+ pm_nl_add_endpoint $ns1 10.0.1.1 id 42 flags signal
+- { test_linkfail=4 speed=5 \
++ { test_linkfail=128 speed=5 \
+ run_tests $ns1 $ns2 10.0.1.1 & } 2>/dev/null
+ local tests_pid=$!
+
+@@ -3906,7 +3906,7 @@ endpoint_tests()
+ # broadcast IP: no packet for this address will be received on ns1
+ pm_nl_add_endpoint $ns1 224.0.0.1 id 2 flags signal
+ pm_nl_add_endpoint $ns2 10.0.3.2 id 3 flags subflow
+- { test_linkfail=4 speed=20 \
++ { test_linkfail=128 speed=20 \
+ run_tests $ns1 $ns2 10.0.1.1 & } 2>/dev/null
+ local tests_pid=$!
+
diff --git a/queue-6.12/selftests-mptcp-join-properly-kill-background-tasks.patch b/queue-6.12/selftests-mptcp-join-properly-kill-background-tasks.patch
new file mode 100644
index 0000000000..db7db165e2
--- /dev/null
+++ b/queue-6.12/selftests-mptcp-join-properly-kill-background-tasks.patch
@@ -0,0 +1,142 @@
+From 852b644acbce1529307a4bb283752c4e77b5cda7 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)"
+Date: Mon, 10 Nov 2025 19:23:45 +0100
+Subject: selftests: mptcp: join: properly kill background tasks
+
+From: Matthieu Baerts (NGI0)
+
+commit 852b644acbce1529307a4bb283752c4e77b5cda7 upstream.
+
+The 'run_tests' function is executed in the background, but killing its
+associated PID would not kill the children tasks running in the
+background.
+
+To properly kill all background tasks, 'kill -- -PID' could be used, but
+this requires kill from procps-ng. Instead, all children tasks are
+listed using 'ps', and 'kill' is called with all PIDs of this group.
+
+Fixes: 31ee4ad86afd ("selftests: mptcp: join: stop transfer when check is done (part 1)")
+Cc: stable@vger.kernel.org
+Fixes: 04b57c9e096a ("selftests: mptcp: join: stop transfer when check is done (part 2)")
+Signed-off-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20251110-net-mptcp-sft-join-unstable-v1-6-a4332c714e10@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh | 18 +++++++++---------
+ tools/testing/selftests/net/mptcp/mptcp_lib.sh | 21 +++++++++++++++++++++
+ 2 files changed, 30 insertions(+), 9 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -3616,7 +3616,7 @@ userspace_tests()
+ chk_mptcp_info subflows 0 subflows 0
+ chk_subflows_total 1 1
+ kill_events_pids
+- mptcp_lib_kill_wait $tests_pid
++ mptcp_lib_kill_group_wait $tests_pid
+ fi
+
+ # userspace pm create destroy subflow
+@@ -3644,7 +3644,7 @@ userspace_tests()
+ chk_mptcp_info subflows 0 subflows 0
+ chk_subflows_total 1 1
+ kill_events_pids
+- mptcp_lib_kill_wait $tests_pid
++ mptcp_lib_kill_group_wait $tests_pid
+ fi
+
+ # userspace pm create id 0 subflow
+@@ -3665,7 +3665,7 @@ userspace_tests()
+ chk_mptcp_info subflows 1 subflows 1
+ chk_subflows_total 2 2
+ kill_events_pids
+- mptcp_lib_kill_wait $tests_pid
++ mptcp_lib_kill_group_wait $tests_pid
+ fi
+
+ # userspace pm remove initial subflow
+@@ -3689,7 +3689,7 @@ userspace_tests()
+ chk_mptcp_info subflows 1 subflows 1
+ chk_subflows_total 1 1
+ kill_events_pids
+- mptcp_lib_kill_wait $tests_pid
++ mptcp_lib_kill_group_wait $tests_pid
+ fi
+
+ # userspace pm send RM_ADDR for ID 0
+@@ -3715,7 +3715,7 @@ userspace_tests()
+ chk_mptcp_info subflows 1 subflows 1
+ chk_subflows_total 1 1
+ kill_events_pids
+- mptcp_lib_kill_wait $tests_pid
++ mptcp_lib_kill_group_wait $tests_pid
+ fi
+ }
+
+@@ -3745,7 +3745,7 @@ endpoint_tests()
+ pm_nl_add_endpoint $ns2 10.0.2.2 flags signal
+ pm_nl_check_endpoint "modif is allowed" \
+ $ns2 10.0.2.2 id 1 flags signal
+- mptcp_lib_kill_wait $tests_pid
++ mptcp_lib_kill_group_wait $tests_pid
+ fi
+
+ if reset_with_tcp_filter "delete and re-add" ns2 10.0.3.2 REJECT OUTPUT &&
+@@ -3800,7 +3800,7 @@ endpoint_tests()
+ chk_mptcp_info subflows 3 subflows 3
+ done
+
+- mptcp_lib_kill_wait $tests_pid
++ mptcp_lib_kill_group_wait $tests_pid
+
+ kill_events_pids
+ chk_evt_nr ns1 MPTCP_LIB_EVENT_LISTENER_CREATED 1
+@@ -3874,7 +3874,7 @@ endpoint_tests()
+ wait_mpj $ns2
+ chk_subflow_nr "after re-re-add ID 0" 3
+ chk_mptcp_info subflows 3 subflows 3
+- mptcp_lib_kill_wait $tests_pid
++ mptcp_lib_kill_group_wait $tests_pid
+
+ kill_events_pids
+ chk_evt_nr ns1 MPTCP_LIB_EVENT_LISTENER_CREATED 1
+@@ -3922,7 +3922,7 @@ endpoint_tests()
+ wait_mpj $ns2
+ pm_nl_add_endpoint $ns1 10.0.3.1 id 2 flags signal
+ wait_mpj $ns2
+- mptcp_lib_kill_wait $tests_pid
++ mptcp_lib_kill_group_wait $tests_pid
+
+ join_syn_tx=3 join_connect_err=1 \
+ chk_join_nr 2 2 2
+--- a/tools/testing/selftests/net/mptcp/mptcp_lib.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_lib.sh
+@@ -327,6 +327,27 @@ mptcp_lib_kill_wait() {
+ wait "${1}" 2>/dev/null
+ }
+
++# $1: PID
++mptcp_lib_pid_list_children() {
++ local curr="${1}"
++ # evoke 'ps' only once
++ local pids="${2:-"$(ps o pid,ppid)"}"
++
++ echo "${curr}"
++
++ local pid
++ for pid in $(echo "${pids}" | awk "\$2 == ${curr} { print \$1 }"); do
++ mptcp_lib_pid_list_children "${pid}" "${pids}"
++ done
++}
++
++# $1: PID
++mptcp_lib_kill_group_wait() {
++ # Some users might not have procps-ng: cannot use "kill -- -PID"
++ mptcp_lib_pid_list_children "${1}" | xargs -r kill &>/dev/null
++ wait "${1}" 2>/dev/null
++}
++
+ # $1: IP address
+ mptcp_lib_is_v6() {
+ [ -z "${1##*:*}" ]
diff --git a/queue-6.12/selftests-mptcp-join-rm-set-backup-flag.patch b/queue-6.12/selftests-mptcp-join-rm-set-backup-flag.patch
new file mode 100644
index 0000000000..5ce8d5318f
--- /dev/null
+++ b/queue-6.12/selftests-mptcp-join-rm-set-backup-flag.patch
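Review bot: mptcp_lib_pid_list_children() builds its awk program by expanding `${curr}` inside the double-quoted script, so the argument is parsed as awk source instead of being compared as data. Passing it as a variable keeps the program constant and removes the backslash escapes: `awk -v ppid="${curr}" '$2 == ppid { print $1 }'`. The header comment documents only `$1`; the optional second argument (the cached `ps` output reused by the recursion) should be listed as well, e.g. `# $1: PID, $2: output of 'ps o pid,ppid' (optional)`. The PID list is a snapshot, so a listed process may already have exited by the time `kill` runs; a one-line comment saying this is accepted for the selftest would help the next reader.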
@@ -0,0 +1,165 @@
+From aea73bae662a0e184393d6d7d0feb18d2577b9b9 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)"
+Date: Mon, 10 Nov 2025 19:23:41 +0100
+Subject: selftests: mptcp: join: rm: set backup flag
+
+From: Matthieu Baerts (NGI0)
+
+commit aea73bae662a0e184393d6d7d0feb18d2577b9b9 upstream.
+
+Some of these 'remove' tests rarely fail because a subflow has been
+reset instead of cleanly removed. This can happen when one extra subflow
+which has never carried data is being closed (FIN) on one side, while
+the other is sending data for the first time.
+
+To avoid such subflows to be used right at the end, the backup flag has
+been added. With that, data will be only carried on the initial subflow.
+
+Fixes: d2c4333a801c ("selftests: mptcp: add testcases for removing addrs")
+Cc: stable@vger.kernel.org
+Reviewed-by: Geliang Tang
+Signed-off-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20251110-net-mptcp-sft-join-unstable-v1-2-a4332c714e10@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh | 54 ++++++++++++------------
+ 1 file changed, 27 insertions(+), 27 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -2321,7 +2321,7 @@ remove_tests()
+ if reset "remove single subflow"; then
+ pm_nl_set_limits $ns1 0 1
+ pm_nl_set_limits $ns2 0 1
+- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup
+ addr_nr_ns2=-1 speed=slow \
+ run_tests $ns1 $ns2 10.0.1.1
+ chk_join_nr 1 1 1
+@@ -2334,8 +2334,8 @@ remove_tests()
+ if reset "remove multiple subflows"; then
+ pm_nl_set_limits $ns1 0 2
+ pm_nl_set_limits $ns2 0 2
+- pm_nl_add_endpoint $ns2 10.0.2.2 flags subflow
+- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
++ pm_nl_add_endpoint $ns2 10.0.2.2 flags subflow,backup
++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup
+ addr_nr_ns2=-2 speed=slow \
+ run_tests $ns1 $ns2 10.0.1.1
+ chk_join_nr 2 2 2
+@@ -2346,7 +2346,7 @@ remove_tests()
+ # single address, remove
+ if reset "remove single address"; then
+ pm_nl_set_limits $ns1 0 1
+- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup
+ pm_nl_set_limits $ns2 1 1
+ addr_nr_ns1=-1 speed=slow \
+ run_tests $ns1 $ns2 10.0.1.1
+@@ -2359,9 +2359,9 @@ remove_tests()
+ # subflow and signal, remove
+ if reset "remove subflow and signal"; then
+ pm_nl_set_limits $ns1 0 2
+- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup
+ pm_nl_set_limits $ns2 1 2
+- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup
+ addr_nr_ns1=-1 addr_nr_ns2=-1 speed=slow \
+ run_tests $ns1 $ns2 10.0.1.1
+ chk_join_nr 2 2 2
+@@ -2373,10 +2373,10 @@ remove_tests()
+ # subflows and signal, remove
+ if reset "remove subflows and signal"; then
+ pm_nl_set_limits $ns1 0 3
+- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup
+ pm_nl_set_limits $ns2 1 3
+- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
+- pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow
++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup
++ pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow,backup
+ addr_nr_ns1=-1 addr_nr_ns2=-2 speed=10 \
+ run_tests $ns1 $ns2 10.0.1.1
+ chk_join_nr 3 3 3
+@@ -2388,9 +2388,9 @@ remove_tests()
+ # addresses remove
+ if reset "remove addresses"; then
+ pm_nl_set_limits $ns1 3 3
+- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal id 250
+- pm_nl_add_endpoint $ns1 10.0.3.1 flags signal
+- pm_nl_add_endpoint $ns1 10.0.4.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup id 250
++ pm_nl_add_endpoint $ns1 10.0.3.1 flags signal,backup
++ pm_nl_add_endpoint $ns1 10.0.4.1 flags signal,backup
+ pm_nl_set_limits $ns2 3 3
+ addr_nr_ns1=-3 speed=10 \
+ run_tests $ns1 $ns2 10.0.1.1
+@@ -2403,10 +2403,10 @@ remove_tests()
+ # invalid addresses remove
+ if reset "remove invalid addresses"; then
+ pm_nl_set_limits $ns1 3 3
+- pm_nl_add_endpoint $ns1 10.0.12.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.12.1 flags signal,backup
+ # broadcast IP: no packet for this address will be received on ns1
+- pm_nl_add_endpoint $ns1 224.0.0.1 flags signal
+- pm_nl_add_endpoint $ns1 10.0.3.1 flags signal
++ pm_nl_add_endpoint $ns1 224.0.0.1 flags signal,backup
++ pm_nl_add_endpoint $ns1 10.0.3.1 flags signal,backup
+ pm_nl_set_limits $ns2 2 2
+ addr_nr_ns1=-3 speed=10 \
+ run_tests $ns1 $ns2 10.0.1.1
+@@ -2420,10 +2420,10 @@ remove_tests()
+ # subflows and signal, flush
+ if reset "flush subflows and signal"; then
+ pm_nl_set_limits $ns1 0 3
+- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup
+ pm_nl_set_limits $ns2 1 3
+- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
+- pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow
++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup
++ pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow,backup
+ addr_nr_ns1=-8 addr_nr_ns2=-8 speed=slow \
+ run_tests $ns1 $ns2 10.0.1.1
+ chk_join_nr 3 3 3
+@@ -2436,9 +2436,9 @@ remove_tests()
+ if reset "flush subflows"; then
+ pm_nl_set_limits $ns1 3 3
+ pm_nl_set_limits $ns2 3 3
+- pm_nl_add_endpoint $ns2 10.0.2.2 flags subflow id 150
+- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
+- pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow
++ pm_nl_add_endpoint $ns2 10.0.2.2 flags subflow,backup id 150
++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup
++ pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow,backup
+ addr_nr_ns1=-8 addr_nr_ns2=-8 speed=slow \
+ run_tests $ns1 $ns2 10.0.1.1
+ chk_join_nr 3 3 3
+@@ -2455,9 +2455,9 @@ remove_tests()
+ # addresses flush
+ if reset "flush addresses"; then
+ pm_nl_set_limits $ns1 3 3
+- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal id 250
+- pm_nl_add_endpoint $ns1 10.0.3.1 flags signal
+- pm_nl_add_endpoint $ns1 10.0.4.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup id 250
++ pm_nl_add_endpoint $ns1 10.0.3.1 flags signal,backup
++ pm_nl_add_endpoint $ns1 10.0.4.1 flags signal,backup
+ pm_nl_set_limits $ns2 3 3
+ addr_nr_ns1=-8 addr_nr_ns2=-8 speed=slow \
+ run_tests $ns1 $ns2 10.0.1.1
+@@ -2470,9 +2470,9 @@ remove_tests()
+ # invalid addresses flush
+ if reset "flush invalid addresses"; then
+ pm_nl_set_limits $ns1 3 3
+- pm_nl_add_endpoint $ns1 10.0.12.1 flags signal
+- pm_nl_add_endpoint $ns1 10.0.3.1 flags signal
+- pm_nl_add_endpoint $ns1 10.0.14.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.12.1 flags signal,backup
++ pm_nl_add_endpoint $ns1 10.0.3.1 flags signal,backup
++ pm_nl_add_endpoint $ns1 10.0.14.1 flags signal,backup
+ pm_nl_set_limits $ns2 3 3
+ addr_nr_ns1=-8 speed=slow \
+ run_tests $ns1 $ns2 10.0.1.1
diff --git a/queue-6.12/selftests-mptcp-join-userspace-longer-transfer.patch b/queue-6.12/selftests-mptcp-join-userspace-longer-transfer.patch
new file mode 100644
index 0000000000..208b1d37ac
--- /dev/null
+++ b/queue-6.12/selftests-mptcp-join-userspace-longer-transfer.patch
@@ -0,0 +1,82 @@ +From 290493078b96ce2ce3e60f55c23654acb678042a Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 10 Nov 2025 19:23:43 +0100 +Subject: selftests: mptcp: join: userspace: longer transfer + +From: Matthieu Baerts (NGI0) + +commit 290493078b96ce2ce3e60f55c23654acb678042a upstream. + +In rare cases, when the test environment is very slow, some userspace +tests can fail because some expected events have not been seen. + +Because the tests are expecting a long on-going connection, and they are +not waiting for the end of the transfer, it is fine to make the +connection longer. This connection will be killed at the end, after the +verifications, so making it longer doesn't change anything, apart from +avoid it to end before the end of the verifications + +To play it safe, all userspace tests not waiting for the end of the +transfer are now sharing a longer file (128KB) at slow speed. + +Fixes: 4369c198e599 ("selftests: mptcp: test userspace pm out of transfer") +Cc: stable@vger.kernel.org +Fixes: b2e2248f365a ("selftests: mptcp: userspace pm create id 0 subflow") +Fixes: e3b47e460b4b ("selftests: mptcp: userspace pm remove initial subflow") +Fixes: b9fb176081fb ("selftests: mptcp: userspace pm send RM_ADDR for ID 0") +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20251110-net-mptcp-sft-join-unstable-v1-4-a4332c714e10@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -3591,7 +3591,7 @@ userspace_tests() + continue_if mptcp_lib_has_file '/proc/sys/net/mptcp/pm_type'; then + set_userspace_pm $ns1 + pm_nl_set_limits $ns2 2 2 +- { speed=5 \ ++ { test_linkfail=128 speed=5 \ + run_tests $ns1 $ns2 10.0.1.1 & } 2>/dev/null + local 
tests_pid=$! + wait_mpj $ns1 +@@ -3624,7 +3624,7 @@ userspace_tests() + continue_if mptcp_lib_has_file '/proc/sys/net/mptcp/pm_type'; then + set_userspace_pm $ns2 + pm_nl_set_limits $ns1 0 1 +- { speed=5 \ ++ { test_linkfail=128 speed=5 \ + run_tests $ns1 $ns2 10.0.1.1 & } 2>/dev/null + local tests_pid=$! + wait_mpj $ns2 +@@ -3652,7 +3652,7 @@ userspace_tests() + continue_if mptcp_lib_has_file '/proc/sys/net/mptcp/pm_type'; then + set_userspace_pm $ns2 + pm_nl_set_limits $ns1 0 1 +- { speed=5 \ ++ { test_linkfail=128 speed=5 \ + run_tests $ns1 $ns2 10.0.1.1 & } 2>/dev/null + local tests_pid=$! + wait_mpj $ns2 +@@ -3673,7 +3673,7 @@ userspace_tests() + continue_if mptcp_lib_has_file '/proc/sys/net/mptcp/pm_type'; then + set_userspace_pm $ns2 + pm_nl_set_limits $ns1 0 1 +- { speed=5 \ ++ { test_linkfail=128 speed=5 \ + run_tests $ns1 $ns2 10.0.1.1 & } 2>/dev/null + local tests_pid=$! + wait_mpj $ns2 +@@ -3697,7 +3697,7 @@ userspace_tests() + continue_if mptcp_lib_has_file '/proc/sys/net/mptcp/pm_type'; then + set_userspace_pm $ns1 + pm_nl_set_limits $ns2 1 1 +- { speed=5 \ ++ { test_linkfail=128 speed=5 \ + run_tests $ns1 $ns2 10.0.1.1 & } 2>/dev/null + local tests_pid=$! + wait_mpj $ns1 diff --git a/queue-6.12/selftests-tracing-run-sample-events-to-clear-page-cache-events.patch b/queue-6.12/selftests-tracing-run-sample-events-to-clear-page-cache-events.patch new file mode 100644 index 0000000000..80861a0952 --- /dev/null +++ b/queue-6.12/selftests-tracing-run-sample-events-to-clear-page-cache-events.patch 
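Review bot: `test_linkfail=128` at the five `userspace_tests()` call sites reads as a link-failure setting, while the commit message says its purpose here is only to share a longer (128KB) file so the background transfer outlives the verifications. A one-line comment at the first call, for example `# test_linkfail=128: 128KB file, keeps the connection alive until the checks are done`, would save the next reader a trip to the changelog. The same applies to the hunks at 3624, 3652, 3673 and 3697. `userspace_tests()` itself starts and ends outside these hunks.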
@@ -0,0 +1,47 @@
+From dd4adb986a86727ed8f56c48b6d0695f1e211e65 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt
+Date: Tue, 28 Oct 2025 12:27:24 -0400
+Subject: selftests/tracing: Run sample events to clear page cache events
+
+From: Steven Rostedt
+
+commit dd4adb986a86727ed8f56c48b6d0695f1e211e65 upstream.
+
+The tracing selftest "event-filter-function.tc" was failing because it
+first runs the "sample_events" function that triggers the kmem_cache_free
+event and it looks at what function was used during a call to "ls".
+
+But the first time it calls this, it could trigger events that are used to
+pull pages into the page cache.
+
+The rest of the test uses the function it finds during that call to see if
+it will be called in subsequent "sample_events" calls. But if there's no
+need to pull pages into the page cache, it will not trigger that function
+and the test will fail.
+
+Call the "sample_events" twice to trigger all the page cache work before
+it calls it to find a function to use in subsequent checks.
+
+Cc: stable@vger.kernel.org
+Fixes: eb50d0f250e96 ("selftests/ftrace: Choose target function for filter test from samples")
+Signed-off-by: Steven Rostedt (Google)
+Acked-by: Masami Hiramatsu (Google)
+Signed-off-by: Shuah Khan
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/ftrace/test.d/filter/event-filter-function.tc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/tools/testing/selftests/ftrace/test.d/filter/event-filter-function.tc
++++ b/tools/testing/selftests/ftrace/test.d/filter/event-filter-function.tc
+@@ -20,6 +20,10 @@ sample_events() {
+ echo 0 > tracing_on
+ echo 0 > events/enable
+
++# Clear functions caused by page cache; run sample_events twice
++sample_events
++sample_events
++
+ echo "Get the most frequently calling function"
+ echo > trace
+ sample_events
diff --git a/queue-6.12/selftests-user_events-fix-type-cast-for-write_index-packed-member-in-perf_test.patch b/queue-6.12/selftests-user_events-fix-type-cast-for-write_index-packed-member-in-perf_test.patch
new file mode 100644
index 0000000000..bbc3161c38
--- /dev/null
+++ b/queue-6.12/selftests-user_events-fix-type-cast-for-write_index-packed-member-in-perf_test.patch
@@ -0,0 +1,48 @@ +From 216158f063fe24fb003bd7da0cd92cd6e2c4d48b Mon Sep 17 00:00:00 2001 +From: Ankit Khushwaha +Date: Thu, 6 Nov 2025 15:25:32 +0530 +Subject: selftests/user_events: fix type cast for write_index packed member in perf_test + +From: Ankit Khushwaha + +commit 216158f063fe24fb003bd7da0cd92cd6e2c4d48b upstream. + +Accessing 'reg.write_index' directly triggers a -Waddress-of-packed-member +warning due to potential unaligned pointer access: + +perf_test.c:239:38: warning: taking address of packed member 'write_index' +of class or structure 'user_reg' may result in an unaligned pointer value +[-Waddress-of-packed-member] + 239 | ASSERT_NE(-1, write(self->data_fd, ®.write_index, + | ^~~~~~~~~~~~~~~ + +Since write(2) works with any alignment. Casting '®.write_index' +explicitly to 'void *' to suppress this warning. + +Link: https://lkml.kernel.org/r/20251106095532.15185-1-ankitkhushwaha.linux@gmail.com +Fixes: 42187bdc3ca4 ("selftests/user_events: Add perf self-test for empty arguments events") +Signed-off-by: Ankit Khushwaha +Cc: Beau Belgrave +Cc: "Masami Hiramatsu (Google)" +Cc: Steven Rostedt +Cc: sunliming +Cc: Wei Yang +Cc: Shuah Khan +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/user_events/perf_test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/user_events/perf_test.c ++++ b/tools/testing/selftests/user_events/perf_test.c +@@ -236,7 +236,7 @@ TEST_F(user, perf_empty_events) { + ASSERT_EQ(1 << reg.enable_bit, self->check); + + /* Ensure write shows up at correct offset */ +- ASSERT_NE(-1, write(self->data_fd, ®.write_index, ++ ASSERT_NE(-1, write(self->data_fd, (void *)®.write_index, + sizeof(reg.write_index))); + val = (void *)(((char *)perf_page) + perf_page->data_offset); + ASSERT_EQ(PERF_RECORD_SAMPLE, *val); diff --git a/queue-6.12/series b/queue-6.12/series index 64d3985617..3ee926f183 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
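Review bot: The `(void *)` cast added to the `write()` call in `perf_empty_events` looks redundant to anyone who has not read the changelog, since any object pointer converts to `void *` implicitly, so a later cleanup could remove it and bring the -Waddress-of-packed-member warning back. A short comment above the call would record the reason: `/* cast avoids -Waddress-of-packed-member; write(2) has no alignment requirement */`. Casting to `const void *` would also match the parameter type of write(2) more closely. The test body continues outside the hunk.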
@@ -117,3 +117,42 @@ strparser-fix-signed-unsigned-mismatch-bug.patch dma-mapping-benchmark-restore-padding-to-ensure-uabi-remained-consistent.patch loongarch-use-correct-accessor-to-read-fwpc-mwpc.patch loongarch-let-pte-pmd-_modify-record-the-status-of-_page_dirty.patch +ipv4-route-prevent-rt_bind_exception-from-rebinding-stale-fnhe.patch +nilfs2-avoid-having-an-active-sc_timer-before-freeing-sci.patch +selftests-tracing-run-sample-events-to-clear-page-cache-events.patch +wifi-mac80211-reject-address-change-while-connecting.patch +fs-proc-fix-uaf-in-proc_readdir_de.patch +mm-mm_init-fix-hash-table-order-logging-in-alloc_large_system_hash.patch +mm-shmem-fix-thp-allocation-and-fallback-loop.patch +mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch +mmc-dw_mmc-rockchip-fix-wrong-internal-phase-calculate.patch +alsa-usb-audio-fix-potential-overflow-of-pcm-transfer-buffer.patch +cifs-client-fix-memory-leak-in-smb3_fs_context_parse_param.patch +codetag-debug-handle-existing-codetag_empty-in-mark_objexts_empty-for-slabobj_ext.patch +crash-fix-crashkernel-resource-shrink.patch +crypto-hisilicon-qm-fix-device-reference-leak-in-qm_get_qos_value.patch +smb-client-fix-cifs_pick_channel-when-channel-needs-reconnect.patch +spi-try-to-get-acpi-gpio-irq-earlier.patch +x86-microcode-amd-add-zen5-model-0x44-stepping-0x1-minrev.patch +selftests-user_events-fix-type-cast-for-write_index-packed-member-in-perf_test.patch +ftrace-fix-bpf-fexit-with-livepatch.patch +loongarch-use-physical-addresses-for-csr_merrentry-csr_tlbrentry.patch +edac-altera-handle-ocram-ecc-enable-after-warm-reset.patch +edac-altera-use-inttest-register-for-ethernet-and-usb-sbe-injection.patch +pm-hibernate-emit-an-error-when-image-writing-fails.patch +pm-hibernate-use-atomic64_t-for-compressed_size-variable.patch +btrfs-zoned-fix-conventional-zone-capacity-calculation.patch +btrfs-scrub-put-bio-after-errors-in-scrub_raid56_parity_stripe.patch 
+btrfs-do-not-update-last_log_commit-when-logging-inode-due-to-a-new-name.patch +btrfs-release-root-after-error-in-data_reloc_print_warning_inode.patch +drm-amdkfd-relax-checks-for-over-allocation-of-save-area.patch +drm-amdgpu-disable-peer-to-peer-access-for-dcc-enabled-gc12-vram-surfaces.patch +pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch +pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch +pmdomain-samsung-plug-potential-memleak-during-probe.patch +selftests-mptcp-connect-fix-fallback-note-due-to-ooo.patch +selftests-mptcp-join-rm-set-backup-flag.patch +selftests-mptcp-join-endpoints-longer-transfer.patch +selftests-mptcp-connect-trunc-read-all-recv-data.patch +selftests-mptcp-join-userspace-longer-transfer.patch +selftests-mptcp-join-properly-kill-background-tasks.patch diff --git a/queue-6.12/smb-client-fix-cifs_pick_channel-when-channel-needs-reconnect.patch b/queue-6.12/smb-client-fix-cifs_pick_channel-when-channel-needs-reconnect.patch new file mode 100644 index 0000000000..05558152a5 --- /dev/null +++ b/queue-6.12/smb-client-fix-cifs_pick_channel-when-channel-needs-reconnect.patch 
@@ -0,0 +1,39 @@
+From 79280191c2fd7f24899bbd640003b5389d3c109c Mon Sep 17 00:00:00 2001
+From: Henrique Carvalho
+Date: Fri, 7 Nov 2025 18:59:53 -0300
+Subject: smb: client: fix cifs_pick_channel when channel needs reconnect
+
+From: Henrique Carvalho
+
+commit 79280191c2fd7f24899bbd640003b5389d3c109c upstream.
+
+cifs_pick_channel iterates candidate channels using cur. The
+reconnect-state test mistakenly used a different variable.
+
+This checked the wrong slot and would cause us to skip a healthy channel
+and to dispatch on one that needs reconnect, occasionally failing
+operations when a channel was down.
+
+Fix by replacing for the correct variable.
+
+Fixes: fc43a8ac396d ("cifs: cifs_pick_channel should try selecting active channels")
+Cc: stable@vger.kernel.org
+Reviewed-by: Shyam Prasad N
+Signed-off-by: Henrique Carvalho
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/transport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/smb/client/transport.c
++++ b/fs/smb/client/transport.c
+@@ -1050,7 +1050,7 @@ struct TCP_Server_Info *cifs_pick_channe
+ if (!server || server->terminate)
+ continue;
+
+- if (CIFS_CHAN_NEEDS_RECONNECT(ses, i))
++ if (CIFS_CHAN_NEEDS_RECONNECT(ses, cur))
+ continue;
+
+ /*
diff --git a/queue-6.12/spi-try-to-get-acpi-gpio-irq-earlier.patch b/queue-6.12/spi-try-to-get-acpi-gpio-irq-earlier.patch
new file mode 100644
index 0000000000..6b26537108
--- /dev/null
+++ b/queue-6.12/spi-try-to-get-acpi-gpio-irq-earlier.patch
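Review bot: The corrected check `CIFS_CHAN_NEEDS_RECONNECT(ses, cur)` sits in a loop that, judging by the removed line, has both a counter `i` and a slot index `cur` in scope, which is what made the original mix-up easy to write and hard to spot. A comment on the check such as `/* test the slot being examined (cur), not the loop counter */` would guard against the same slip coming back. The loop header and the assignment of `server` are outside the hunk, so whether `server` is also taken from slot `cur` should be confirmed there.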
@@ -0,0 +1,55 @@ +From 3cd2018e15b3d66d2187d92867e265f45ad79e6f Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 2 Nov 2025 20:09:21 +0100 +Subject: spi: Try to get ACPI GPIO IRQ earlier + +From: Hans de Goede + +commit 3cd2018e15b3d66d2187d92867e265f45ad79e6f upstream. + +Since commit d24cfee7f63d ("spi: Fix acpi deferred irq probe"), the +acpi_dev_gpio_irq_get() call gets delayed till spi_probe() is called +on the SPI device. + +If there is no driver for the SPI device then the move to spi_probe() +results in acpi_dev_gpio_irq_get() never getting called. This may +cause problems by leaving the GPIO pin floating because this call is +responsible for setting up the GPIO pin direction and/or bias according +to the values from the ACPI tables. + +Re-add the removed acpi_dev_gpio_irq_get() in acpi_register_spi_device() +to ensure the GPIO pin is always correctly setup, while keeping the +acpi_dev_gpio_irq_get() call added to spi_probe() to deal with +-EPROBE_DEFER returns caused by the GPIO controller not having a driver +yet. + +Link: https://bbs.archlinux.org/viewtopic.php?id=302348 +Fixes: d24cfee7f63d ("spi: Fix acpi deferred irq probe") +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Link: https://patch.msgid.link/20251102190921.30068-1-hansg@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -2879,6 +2879,16 @@ static acpi_status acpi_register_spi_dev + acpi_set_modalias(adev, acpi_device_hid(adev), spi->modalias, + sizeof(spi->modalias)); + ++ /* ++ * This gets re-tried in spi_probe() for -EPROBE_DEFER handling in case ++ * the GPIO controller does not have a driver yet. This needs to be done ++ * here too, because this call sets the GPIO direction and/or bias. ++ * Setting these needs to be done even if there is no driver, in which ++ * case spi_probe() will never get called. 
++ */
++ if (spi->irq < 0)
++ spi->irq = acpi_dev_gpio_irq_get(adev, 0);
++
+ acpi_device_set_enumerated(adev);
+
+ adev->power.flags.ignore_parent = true;
diff --git a/queue-6.12/wifi-mac80211-reject-address-change-while-connecting.patch b/queue-6.12/wifi-mac80211-reject-address-change-while-connecting.patch
new file mode 100644
index 0000000000..911fb02955
--- /dev/null
+++ b/queue-6.12/wifi-mac80211-reject-address-change-while-connecting.patch
@@ -0,0 +1,60 @@ +From a9da90e618cd0669a22bcc06a96209db5dd96e9b Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 5 Nov 2025 15:41:19 +0100 +Subject: wifi: mac80211: reject address change while connecting + +From: Johannes Berg + +commit a9da90e618cd0669a22bcc06a96209db5dd96e9b upstream. + +While connecting, the MAC address can already no longer be +changed. The change is already rejected if netif_carrier_ok(), +but of course that's not true yet while connecting. Check for +auth_data or assoc_data, so the MAC address cannot be changed. + +Also more comprehensively check that there are no stations on +the interface being changed - if any peer station is added it +will know about our address already, so we cannot change it. + +Cc: stable@vger.kernel.org +Fixes: 3c06e91b40db ("wifi: mac80211: Support POWERED_ADDR_CHANGE feature") +Link: https://patch.msgid.link/20251105154119.f9f6c1df81bb.I9bb3760ede650fb96588be0d09a5a7bdec21b217@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/iface.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -224,6 +224,10 @@ static int ieee80211_can_powered_addr_ch + if (netif_carrier_ok(sdata->dev)) + return -EBUSY; + ++ /* if any stations are set known (so they know this vif too), reject */ ++ if (sta_info_get_by_idx(sdata, 0)) ++ return -EBUSY; ++ + /* First check no ROC work is happening on this iface */ + list_for_each_entry(roc, &local->roc_list, list) { + if (roc->sdata != sdata) +@@ -243,12 +247,16 @@ static int ieee80211_can_powered_addr_ch + ret = -EBUSY; + } + ++ /* ++ * More interface types could be added here but changing the ++ * address while powered makes the most sense in client modes. 
++ */ + switch (sdata->vif.type) { + case NL80211_IFTYPE_STATION: + case NL80211_IFTYPE_P2P_CLIENT: +- /* More interface types could be added here but changing the +- * address while powered makes the most sense in client modes. +- */ ++ /* refuse while connecting */ ++ if (sdata->u.mgd.auth_data || sdata->u.mgd.assoc_data) ++ return -EBUSY; + break; + default: + ret = -EOPNOTSUPP; diff --git a/queue-6.12/x86-microcode-amd-add-zen5-model-0x44-stepping-0x1-minrev.patch b/queue-6.12/x86-microcode-amd-add-zen5-model-0x44-stepping-0x1-minrev.patch new file mode 100644 index 0000000000..a8176fd385 --- /dev/null +++ b/queue-6.12/x86-microcode-amd-add-zen5-model-0x44-stepping-0x1-minrev.patch @@ -0,0 +1,32 @@ +From dd14022a7ce96963aa923e35cf4bcc8c32f95840 Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Fri, 14 Nov 2025 14:01:14 +0100 +Subject: x86/microcode/AMD: Add Zen5 model 0x44, stepping 0x1 minrev + +From: Borislav Petkov (AMD) + +commit dd14022a7ce96963aa923e35cf4bcc8c32f95840 upstream. + +Add the minimum Entrysign revision for that model+stepping to the list +of minimum revisions. + +Fixes: 50cef76d5cb0 ("x86/microcode/AMD: Load only SHA256-checksummed patches") +Reported-by: Andrew Cooper +Signed-off-by: Borislav Petkov (AMD) +Cc: +Link: https://lore.kernel.org/r/e94dd76b-4911-482f-8500-5c848a3df026@citrix.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/microcode/amd.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kernel/cpu/microcode/amd.c ++++ b/arch/x86/kernel/cpu/microcode/amd.c +@@ -212,6 +212,7 @@ static bool need_sha_check(u32 cur_rev) + case 0xb1010: return cur_rev <= 0xb101046; break; + case 0xb2040: return cur_rev <= 0xb204031; break; + case 0xb4040: return cur_rev <= 0xb404031; break; ++ case 0xb4041: return cur_rev <= 0xb404101; break; + case 0xb6000: return cur_rev <= 0xb600031; break; + case 0xb6080: return cur_rev <= 0xb608031; break; + case 0xb7000: return cur_rev <= 0xb700031; break;
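Review bot: The comment on the new station check in `ieee80211_can_powered_addr_change`, `/* if any stations are set known (so they know this vif too), reject */`, is hard to parse; something like `/* reject if any station exists on this interface: a peer already knows our address */` states the rule the commit message gives. The new `return -EBUSY` in the `NL80211_IFTYPE_STATION`/`NL80211_IFTYPE_P2P_CLIENT` case also differs from the `ret = -EBUSY` style used just above the switch, and mixing the two makes the exit paths harder to follow. `sta_info_get_by_idx()` and the `auth_data`/`assoc_data` reads presumably rely on locking held by the caller; the function's start is outside the hunk, so that is worth confirming there.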