From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 16 Oct 2025 13:25:11 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v5.15.195~64
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7e95d36b519f9be3ff7cd874ccd7a6cde27af347;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
	mm-page_alloc-only-set-alloc_highatomic-for-__gpf_high-allocations.patch
	nfsd-fix-destination-buffer-size-in-nfsd4_ssc_setup_dul.patch
	nfsd-nfserr_jukebox-in-nlm_fopen-should-lead-to-a-retry.patch
	selftests-mptcp-join-validate-c-flag-def-limit.patch
---

diff --git a/queue-5.15/mm-page_alloc-only-set-alloc_highatomic-for-__gpf_high-allocations.patch b/queue-5.15/mm-page_alloc-only-set-alloc_highatomic-for-__gpf_high-allocations.patch
new file mode 100644
index 0000000000..2552fb63eb
--- /dev/null
+++ b/queue-5.15/mm-page_alloc-only-set-alloc_highatomic-for-__gpf_high-allocations.patch
@@ -0,0 +1,73 @@
+From 6a204d4b14c99232e05d35305c27ebce1c009840 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Date: Thu, 14 Aug 2025 14:22:45 -0300
+Subject: mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+commit 6a204d4b14c99232e05d35305c27ebce1c009840 upstream.
+
+Commit 524c48072e56 ("mm/page_alloc: rename ALLOC_HIGH to
+ALLOC_MIN_RESERVE") is the start of a series that explains how __GFP_HIGH,
+which implies ALLOC_MIN_RESERVE, is going to be used instead of
+__GFP_ATOMIC for high atomic reserves.
+
+Commit eb2e2b425c69 ("mm/page_alloc: explicitly record high-order atomic
+allocations in alloc_flags") introduced ALLOC_HIGHATOMIC for such
+allocations of order higher than 0.  It still used __GFP_ATOMIC, though.
+
+Then, commit 1ebbb21811b7 ("mm/page_alloc: explicitly define how
+__GFP_HIGH non-blocking allocations accesses reserves") just turned that
+check for !__GFP_DIRECT_RECLAIM, ignoring that high atomic reserves were
+expected to test for __GFP_HIGH.
+
+This leads to high atomic reserves being added for high-order GFP_NOWAIT
+allocations and others that clear __GFP_DIRECT_RECLAIM, which is
+unexpected.  Later, those reserves lead to 0-order allocations going to
+the slow path and starting reclaim.
+
+From /proc/pagetypeinfo, without the patch:
+
+Node    0, zone      DMA, type   HighAtomic      0      0      0      0      0      0      0      0      0      0      0
+Node    0, zone    DMA32, type   HighAtomic      1      8     10      9      7      3      0      0      0      0      0
+Node    0, zone   Normal, type   HighAtomic     64     20     12      5      0      0      0      0      0      0      0
+
+With the patch:
+
+Node    0, zone      DMA, type   HighAtomic      0      0      0      0      0      0      0      0      0      0      0
+Node    0, zone    DMA32, type   HighAtomic      0      0      0      0      0      0      0      0      0      0      0
+Node    0, zone   Normal, type   HighAtomic      0      0      0      0      0      0      0      0      0      0      0
+
+Link: https://lkml.kernel.org/r/20250814172245.1259625-1-cascardo@igalia.com
+Fixes: 1ebbb21811b7 ("mm/page_alloc: explicitly define how __GFP_HIGH non-blocking allocations accesses reserves")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Tested-by: Helen Koike <koike@igalia.com>
+Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
+Tested-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: NeilBrown <neilb@suse.de>
+Cc: Thierry Reding <thierry.reding@gmail.com>
+Cc: Brendan Jackman <jackmanb@google.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: Zi Yan <ziy@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/page_alloc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -4743,7 +4743,7 @@ gfp_to_alloc_flags(gfp_t gfp_mask, unsig
+ 		if (!(gfp_mask & __GFP_NOMEMALLOC)) {
+ 			alloc_flags |= ALLOC_NON_BLOCK;
+ 
+-			if (order > 0)
++			if (order > 0 && (alloc_flags & ALLOC_MIN_RESERVE))
+ 				alloc_flags |= ALLOC_HIGHATOMIC;
+ 		}
+ 
diff --git a/queue-5.15/nfsd-fix-destination-buffer-size-in-nfsd4_ssc_setup_dul.patch b/queue-5.15/nfsd-fix-destination-buffer-size-in-nfsd4_ssc_setup_dul.patch
new file mode 100644
index 0000000000..9ddcfa53ac
--- /dev/null
+++ b/queue-5.15/nfsd-fix-destination-buffer-size-in-nfsd4_ssc_setup_dul.patch
@@ -0,0 +1,41 @@
+From ab1c282c010c4f327bd7addc3c0035fd8e3c1721 Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Wed, 6 Aug 2025 03:10:01 +0200
+Subject: NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit ab1c282c010c4f327bd7addc3c0035fd8e3c1721 upstream.
+
+Commit 5304877936c0 ("NFSD: Fix strncpy() fortify warning") replaced
+strncpy(,, sizeof(..)) with strlcpy(,, sizeof(..) - 1), but strlcpy()
+already guaranteed NUL-termination of the destination buffer and
+subtracting one byte potentially truncated the source string.
+
+The incorrect size was then carried over in commit 72f78ae00a8e ("NFSD:
+move from strlcpy with unused retval to strscpy") when switching from
+strlcpy() to strscpy().
+
+Fix this off-by-one error by using the full size of the destination
+buffer again.
+
+Cc: stable@vger.kernel.org
+Fixes: 5304877936c0 ("NFSD: Fix strncpy() fortify warning")
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4proc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1335,7 +1335,7 @@ try_again:
+ 		return 0;
+ 	}
+ 	if (work) {
+-		strscpy(work->nsui_ipaddr, ipaddr, sizeof(work->nsui_ipaddr) - 1);
++		strscpy(work->nsui_ipaddr, ipaddr, sizeof(work->nsui_ipaddr));
+ 		refcount_set(&work->nsui_refcnt, 2);
+ 		work->nsui_busy = true;
+ 		list_add_tail(&work->nsui_list, &nn->nfsd_ssc_mount_list);
diff --git a/queue-5.15/nfsd-nfserr_jukebox-in-nlm_fopen-should-lead-to-a-retry.patch b/queue-5.15/nfsd-nfserr_jukebox-in-nlm_fopen-should-lead-to-a-retry.patch
new file mode 100644
index 0000000000..5e522db3ea
--- /dev/null
+++ b/queue-5.15/nfsd-nfserr_jukebox-in-nlm_fopen-should-lead-to-a-retry.patch
@@ -0,0 +1,50 @@
+From a082e4b4d08a4a0e656d90c2c05da85f23e6d0c9 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <okorniev@redhat.com>
+Date: Thu, 21 Aug 2025 16:31:46 -0400
+Subject: nfsd: nfserr_jukebox in nlm_fopen should lead to a retry
+
+From: Olga Kornievskaia <okorniev@redhat.com>
+
+commit a082e4b4d08a4a0e656d90c2c05da85f23e6d0c9 upstream.
+
+When v3 NLM request finds a conflicting delegation, it triggers
+a delegation recall and nfsd_open fails with EAGAIN. nfsd_open
+then translates EAGAIN into nfserr_jukebox. In nlm_fopen, instead
+of returning nlm_failed for when there is a conflicting delegation,
+drop this NLM request so that the client retries. Once delegation
+is recalled and if a local lock is claimed, a retry would lead to
+nfsd returning a nlm_lck_blocked error or a successful nlm lock.
+
+Fixes: d343fce148a4 ("[PATCH] knfsd: Allow lockd to drop replies as appropriate")
+Cc: stable@vger.kernel.org # v6.6
+Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/lockd.c |   15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/fs/nfsd/lockd.c
++++ b/fs/nfsd/lockd.c
+@@ -48,6 +48,21 @@ nlm_fopen(struct svc_rqst *rqstp, struct
+ 	switch (nfserr) {
+ 	case nfs_ok:
+ 		return 0;
++	case nfserr_jukebox:
++		/* this error can indicate a presence of a conflicting
++		 * delegation to an NLM lock request. Options are:
++		 * (1) For now, drop this request and make the client
++		 * retry. When delegation is returned, client's lock retry
++		 * will complete.
++		 * (2) NLM4_DENIED as per "spec" signals to the client
++		 * that the lock is unavailable now but client can retry.
++		 * Linux client implementation does not. It treats
++		 * NLM4_DENIED same as NLM4_FAILED and errors the request.
++		 * (3) For the future, treat this as blocked lock and try
++		 * to callback when the delegation is returned but might
++		 * not have a proper lock request to block on.
++		 */
++		fallthrough;
+ 	case nfserr_dropit:
+ 		return nlm_drop_reply;
+ 	case nfserr_stale:
diff --git a/queue-5.15/selftests-mptcp-join-validate-c-flag-def-limit.patch b/queue-5.15/selftests-mptcp-join-validate-c-flag-def-limit.patch
new file mode 100644
index 0000000000..4a8ba6b617
--- /dev/null
+++ b/queue-5.15/selftests-mptcp-join-validate-c-flag-def-limit.patch
@@ -0,0 +1,59 @@
+From 008385efd05e04d8dff299382df2e8be0f91d8a0 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Thu, 25 Sep 2025 12:32:37 +0200
+Subject: selftests: mptcp: join: validate C-flag + def limit
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 008385efd05e04d8dff299382df2e8be0f91d8a0 upstream.
+
+The previous commit adds an exception for the C-flag case. The
+'mptcp_join.sh' selftest is extended to validate this case.
+
+In this subtest, there is a typical CDN deployment with a client where
+MPTCP endpoints have been 'automatically' configured:
+
+- the server set net.mptcp.allow_join_initial_addr_port=0
+
+- the client has multiple 'subflow' endpoints, and the default limits:
+  not accepting ADD_ADDRs.
+
+Without the parent patch, the client is not able to establish new
+subflows using its 'subflow' endpoints. The parent commit fixes that.
+
+The 'Fixes' tag here below is the same as the one from the previous
+commit: this patch here is not fixing anything wrong in the selftests,
+but it validates the previous fix for an issue introduced by this commit
+ID.
+
+Fixes: df377be38725 ("mptcp: add deny_join_id0 in mptcp_options_received")
+Cc: stable@vger.kernel.org
+Reviewed-by: Geliang Tang <geliang@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250925-net-next-mptcp-c-flag-laminar-v1-2-ad126cc47c6b@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -1005,6 +1005,17 @@ chk_link_usage()
+ 	else
+ 		echo "[ ok ]"
+ 	fi
++
++	# default limits, server deny join id 0 + signal
++	if reset_with_allow_join_id0 "default limits, server deny join id 0" 0 1; then
++		pm_nl_set_limits $ns1 0 2
++		pm_nl_set_limits $ns2 0 2
++		pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
++		pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
++		pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow
++		run_tests $ns1 $ns2 10.0.1.1
++		chk_join_nr 2 2 2
++	fi
+ }
+ 
+ subflows_tests()
diff --git a/queue-5.15/series b/queue-5.15/series
index 1a98edbfde..c85f8e0645 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -213,3 +213,7 @@ spi-cadence-quadspi-flush-posted-register-writes-before-indac-access.patch
 spi-cadence-quadspi-flush-posted-register-writes-before-dac-access.patch
 x86-umip-check-that-the-instruction-opcode-is-at-least-two-bytes.patch
 x86-umip-fix-decoding-of-register-forms-of-0f-01-sgdt-and-sidt-aliases.patch
+selftests-mptcp-join-validate-c-flag-def-limit.patch
+mm-page_alloc-only-set-alloc_highatomic-for-__gpf_high-allocations.patch
+nfsd-fix-destination-buffer-size-in-nfsd4_ssc_setup_dul.patch
+nfsd-nfserr_jukebox-in-nlm_fopen-should-lead-to-a-retry.patch