From: Greg Kroah-Hartman Date: Mon, 21 Apr 2025 14:19:01 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v6.1.135~128 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=92ac85c5778c4b5e1cadab3dfe70c4625075a734;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: bluetooth-l2cap-process-valid-commands-in-too-long-frame.patch bluetooth-vhci-avoid-needless-snprintf-calls.patch btrfs-correctly-escape-subvol-in-btrfs_show_options.patch cpufreq-avoid-using-inconsistent-policy-min-and-policy-max.patch crypto-caam-qi-fix-drv_ctx-refcount-bug.patch hfs-hfsplus-fix-slab-out-of-bounds-in-hfs_bnode_read_key.patch i2c-cros-ec-tunnel-defer-probe-if-parent-ec-is-not-present.patch isofs-prevent-the-use-of-too-small-fid.patch ksmbd-fix-dangling-pointer-in-krb_authenticate.patch ksmbd-fix-the-warning-from-__kernel_write_iter.patch ksmbd-fix-use-after-free-in-smb_break_all_levii_oplock.patch ksmbd-prevent-integer-overflow-in-calculation-of-deadtime.patch loop-loop_set_fd-send-uevents-for-partitions.patch loop-properly-send-kobj_changed-uevent-for-disk-device.patch mm-fix-apply_to_existing_page_range.patch mm-fix-filemap_get_folios_contig-returning-batches-of-identical-folios.patch mm-gup-fix-wrongly-calculated-returned-value-in-fault_in_safe_writeable.patch ovl-don-t-allow-datadir-only.patch perf-x86-intel-allow-to-update-user-space-gprs-from-pebs-records.patch perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-icx.patch perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-snr.patch perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-spr.patch rdma-cma-fix-workqueue-crash-in-cma_netevent_work_handler.patch revert-smb-client-fix-netns-refcount-imbalance-causing-leaks-and-use-after-free.patch revert-smb-client-fix-tcp-timers-deadlock-after-rmmod.patch riscv-avoid-fortify-warning-in-syscall_get_arguments.patch scsi-megaraid_sas-block-zero-length-ata-vpd-inquiry.patch scsi-ufs-exynos-ensure-consistent-phy-reference-counts.patch selftests-mm-generate-a-temporary-mountpoint-for-cgroup-filesystem.patch smb3-client-fix-open-hardlink-on-deferred-close-file-error.patch string-add-load_unaligned_zeropad-code-path-to-sized_strscpy.patch tracing-fix-filter-string-testing.patch virtiofs-add-filesystem-context-source-name-check.patch x86-boot-sev-avoid-shared-ghcb-page-for-early-memory-acceptance.patch x86-cpu-amd-fix-workaround-for-erratum-1054.patch x86-microcode-amd-extend-the-sha-check-to-zen5-block-loading-of-any-unreleased-standalone-zen5-microcode-patches.patch --- diff --git a/queue-6.6/bluetooth-l2cap-process-valid-commands-in-too-long-frame.patch b/queue-6.6/bluetooth-l2cap-process-valid-commands-in-too-long-frame.patch new file mode 100644 index 0000000000..8c38510ef5 --- /dev/null +++ b/queue-6.6/bluetooth-l2cap-process-valid-commands-in-too-long-frame.patch @@ -0,0 +1,106 @@ +From e2e49e214145a8f6ece6ecd52fec63ebc2b27ce9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Danis?= +Date: Mon, 14 Apr 2025 11:08:15 +0200 +Subject: Bluetooth: l2cap: Process valid commands in too long frame +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Frédéric Danis + +commit e2e49e214145a8f6ece6ecd52fec63ebc2b27ce9 upstream. + +This is required for passing PTS test cases: +- L2CAP/COS/CED/BI-14-C + Multiple Signaling Command in one PDU, Data Truncated, BR/EDR, + Connection Request +- L2CAP/COS/CED/BI-15-C + Multiple Signaling Command in one PDU, Data Truncated, BR/EDR, + Disconnection Request + +The test procedure defined in L2CAP.TS.p39 for both tests is: +1. The Lower Tester sends a C-frame to the IUT with PDU Length set + to 8 and Channel ID set to the correct signaling channel for the + logical link. The Information payload contains one L2CAP_ECHO_REQ + packet with Data Length set to 0 with 0 octets of echo data and + one command packet and Data Length set as specified in Table 4.6 + and the correct command data. +2. The IUT sends an L2CAP_ECHO_RSP PDU to the Lower Tester. +3. Perform alternative 3A, 3B, 3C, or 3D depending on the IUT’s + response. + Alternative 3A (IUT terminates the link): + 3A.1 The IUT terminates the link. + 3A.2 The test ends with a Pass verdict. + Alternative 3B (IUT discards the frame): + 3B.1 The IUT does not send a reply to the Lower Tester. + Alternative 3C (IUT rejects PDU): + 3C.1 The IUT sends an L2CAP_COMMAND_REJECT_RSP PDU to the + Lower Tester. + Alternative 3D (Any other IUT response): + 3D.1 The Upper Tester issues a warning and the test ends. +4. The Lower Tester sends a C-frame to the IUT with PDU Length set + to 4 and Channel ID set to the correct signaling channel for the + logical link. The Information payload contains Data Length set to + 0 with an L2CAP_ECHO_REQ packet with 0 octets of echo data. +5. The IUT sends an L2CAP_ECHO_RSP PDU to the Lower Tester. + +With expected outcome: + In Steps 2 and 5, the IUT responds with an L2CAP_ECHO_RSP. + In Step 3A.1, the IUT terminates the link. + In Step 3B.1, the IUT does not send a reply to the Lower Tester. + In Step 3C.1, the IUT rejects the PDU. + In Step 3D.1, the IUT sends any valid response. + +Currently PTS fails with the following logs: + Failed to receive ECHO RESPONSE. + +And HCI logs: +> ACL Data RX: Handle 11 flags 0x02 dlen 20 + L2CAP: Information Response (0x0b) ident 2 len 12 + Type: Fixed channels supported (0x0003) + Result: Success (0x0000) + Channels: 0x000000000000002e + L2CAP Signaling (BR/EDR) + Connectionless reception + AMP Manager Protocol + L2CAP Signaling (LE) +> ACL Data RX: Handle 11 flags 0x02 dlen 13 + frame too long + 08 01 00 00 08 02 01 00 aa ......... + +Cc: stable@vger.kernel.org +Signed-off-by: Frédéric Danis +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/l2cap_core.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -7510,8 +7510,24 @@ void l2cap_recv_acldata(struct hci_conn + if (skb->len > len) { + BT_ERR("Frame is too long (len %u, expected len %d)", + skb->len, len); ++ /* PTS test cases L2CAP/COS/CED/BI-14-C and BI-15-C ++ * (Multiple Signaling Command in one PDU, Data ++ * Truncated, BR/EDR) send a C-frame to the IUT with ++ * PDU Length set to 8 and Channel ID set to the ++ * correct signaling channel for the logical link. ++ * The Information payload contains one L2CAP_ECHO_REQ ++ * packet with Data Length set to 0 with 0 octets of ++ * echo data and one invalid command packet due to ++ * data truncated in PDU but present in HCI packet. ++ * ++ * Shorter the socket buffer to the PDU length to ++ * allow to process valid commands from the PDU before ++ * setting the socket unreliable. ++ */ ++ skb->len = len; ++ l2cap_recv_frame(conn, skb); + l2cap_conn_unreliable(conn, ECOMM); +- goto drop; ++ goto unlock; + } + + /* Append fragment into frame (with header) */ diff --git a/queue-6.6/bluetooth-vhci-avoid-needless-snprintf-calls.patch b/queue-6.6/bluetooth-vhci-avoid-needless-snprintf-calls.patch new file mode 100644 index 0000000000..f04f0b52a5 --- /dev/null +++ b/queue-6.6/bluetooth-vhci-avoid-needless-snprintf-calls.patch @@ -0,0 +1,55 @@ +From 875db86e1ec75fe633f1e85ed2f92c731cdbf760 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Tue, 15 Apr 2025 09:15:19 -0700 +Subject: Bluetooth: vhci: Avoid needless snprintf() calls + +From: Kees Cook + +commit 875db86e1ec75fe633f1e85ed2f92c731cdbf760 upstream. + +Avoid double-copying of string literals. Use a "const char *" for each +string instead of copying from .rodata into stack and then into the skb. +We can go directly from .rodata to the skb. + +This also works around a Clang bug (that has since been fixed[1]). + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202401250927.1poZERd6-lkp@intel.com/ +Fixes: ab4e4380d4e1 ("Bluetooth: Add vhci devcoredump support") +Link: https://github.com/llvm/llvm-project/commit/ea2e66aa8b6e363b89df66dc44275a0d7ecd70ce [1] +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Reviewed-by: Nathan Chancellor +Reviewed-by: Josh Poimboeuf +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/hci_vhci.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/bluetooth/hci_vhci.c ++++ b/drivers/bluetooth/hci_vhci.c +@@ -289,18 +289,18 @@ static void vhci_coredump(struct hci_dev + + static void vhci_coredump_hdr(struct hci_dev *hdev, struct sk_buff *skb) + { +- char buf[80]; ++ const char *buf; + +- snprintf(buf, sizeof(buf), "Controller Name: vhci_ctrl\n"); ++ buf = "Controller Name: vhci_ctrl\n"; + skb_put_data(skb, buf, strlen(buf)); + +- snprintf(buf, sizeof(buf), "Firmware Version: vhci_fw\n"); ++ buf = "Firmware Version: vhci_fw\n"; + skb_put_data(skb, buf, strlen(buf)); + +- snprintf(buf, sizeof(buf), "Driver: vhci_drv\n"); ++ buf = "Driver: vhci_drv\n"; + skb_put_data(skb, buf, strlen(buf)); + +- snprintf(buf, sizeof(buf), "Vendor: vhci\n"); ++ buf = "Vendor: vhci\n"; + skb_put_data(skb, buf, strlen(buf)); + } + diff --git a/queue-6.6/btrfs-correctly-escape-subvol-in-btrfs_show_options.patch b/queue-6.6/btrfs-correctly-escape-subvol-in-btrfs_show_options.patch new file mode 100644 index 0000000000..6328526e36 --- /dev/null +++ b/queue-6.6/btrfs-correctly-escape-subvol-in-btrfs_show_options.patch @@ -0,0 +1,41 @@ +From dc08c58696f8555e4a802f1f23c894a330d80ab7 Mon Sep 17 00:00:00 2001 +From: Johannes Kimmel +Date: Wed, 19 Mar 2025 22:49:00 +0100 +Subject: btrfs: correctly escape subvol in btrfs_show_options() + +From: Johannes Kimmel + +commit dc08c58696f8555e4a802f1f23c894a330d80ab7 upstream. + +Currently, displaying the btrfs subvol mount option doesn't escape ','. +This makes parsing /proc/self/mounts and /proc/self/mountinfo +ambiguous for subvolume names that contain commas. The text after the +comma could be mistaken for another option (think "subvol=foo,ro", where +ro is actually part of the subvolumes name). + +Replace the manual escape characters list with a call to +seq_show_option(). Thanks to Calvin Walton for suggesting this approach. + +Fixes: c8d3fe028f64 ("Btrfs: show subvol= and subvolid= in /proc/mounts") +CC: stable@vger.kernel.org # 5.4+ +Suggested-by: Calvin Walton +Signed-off-by: Johannes Kimmel +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/super.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -1336,8 +1336,7 @@ static int btrfs_show_options(struct seq + subvol_name = btrfs_get_subvol_name_from_objectid(info, + BTRFS_I(d_inode(dentry))->root->root_key.objectid); + if (!IS_ERR(subvol_name)) { +- seq_puts(seq, ",subvol="); +- seq_escape(seq, subvol_name, " \t\n\\"); ++ seq_show_option(seq, "subvol", subvol_name); + kfree(subvol_name); + } + return 0; diff --git a/queue-6.6/cpufreq-avoid-using-inconsistent-policy-min-and-policy-max.patch b/queue-6.6/cpufreq-avoid-using-inconsistent-policy-min-and-policy-max.patch new file mode 100644 index 0000000000..b505105b9f --- /dev/null +++ b/queue-6.6/cpufreq-avoid-using-inconsistent-policy-min-and-policy-max.patch @@ -0,0 +1,106 @@ +From 7491cdf46b5cbdf123fc84fbe0a07e9e3d7b7620 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Wed, 16 Apr 2025 16:12:37 +0200 +Subject: cpufreq: Avoid using inconsistent policy->min and policy->max + +From: Rafael J. Wysocki + +commit 7491cdf46b5cbdf123fc84fbe0a07e9e3d7b7620 upstream. + +Since cpufreq_driver_resolve_freq() can run in parallel with +cpufreq_set_policy() and there is no synchronization between them, +the former may access policy->min and policy->max while the latter +is updating them and it may see intermediate values of them due +to the way the update is carried out. Also the compiler is free +to apply any optimizations it wants both to the stores in +cpufreq_set_policy() and to the loads in cpufreq_driver_resolve_freq() +which may result in additional inconsistencies. + +To address this, use WRITE_ONCE() when updating policy->min and +policy->max in cpufreq_set_policy() and use READ_ONCE() for reading +them in cpufreq_driver_resolve_freq(). Moreover, rearrange the update +in cpufreq_set_policy() to avoid storing intermediate values in +policy->min and policy->max with the help of the observation that +their new values are expected to be properly ordered upfront. + +Also modify cpufreq_driver_resolve_freq() to take the possible reverse +ordering of policy->min and policy->max, which may happen depending on +the ordering of operations when this function and cpufreq_set_policy() +run concurrently, into account by always honoring the max when it +turns out to be less than the min (in case it comes from thermal +throttling or similar). + +Fixes: 151717690694 ("cpufreq: Make policy min/max hard requirements") +Cc: 5.16+ # 5.16+ +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Christian Loehle +Acked-by: Viresh Kumar +Link: https://patch.msgid.link/5907080.DvuYhMxLoT@rjwysocki.net +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/cpufreq.c | 32 +++++++++++++++++++++++++------- + 1 file changed, 25 insertions(+), 7 deletions(-) + +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -538,8 +538,6 @@ static unsigned int __resolve_freq(struc + { + unsigned int idx; + +- target_freq = clamp_val(target_freq, policy->min, policy->max); +- + if (!policy->freq_table) + return target_freq; + +@@ -563,7 +561,22 @@ static unsigned int __resolve_freq(struc + unsigned int cpufreq_driver_resolve_freq(struct cpufreq_policy *policy, + unsigned int target_freq) + { +- return __resolve_freq(policy, target_freq, CPUFREQ_RELATION_LE); ++ unsigned int min = READ_ONCE(policy->min); ++ unsigned int max = READ_ONCE(policy->max); ++ ++ /* ++ * If this function runs in parallel with cpufreq_set_policy(), it may ++ * read policy->min before the update and policy->max after the update ++ * or the other way around, so there is no ordering guarantee. ++ * ++ * Resolve this by always honoring the max (in case it comes from ++ * thermal throttling or similar). ++ */ ++ if (unlikely(min > max)) ++ min = max; ++ ++ return __resolve_freq(policy, clamp_val(target_freq, min, max), ++ CPUFREQ_RELATION_LE); + } + EXPORT_SYMBOL_GPL(cpufreq_driver_resolve_freq); + +@@ -2335,6 +2348,7 @@ int __cpufreq_driver_target(struct cpufr + if (cpufreq_disabled()) + return -ENODEV; + ++ target_freq = clamp_val(target_freq, policy->min, policy->max); + target_freq = __resolve_freq(policy, target_freq, relation); + + pr_debug("target for CPU %u: %u kHz, relation %u, requested %u kHz\n", +@@ -2625,11 +2639,15 @@ static int cpufreq_set_policy(struct cpu + * Resolve policy min/max to available frequencies. It ensures + * no frequency resolution will neither overshoot the requested maximum + * nor undershoot the requested minimum. ++ * ++ * Avoid storing intermediate values in policy->max or policy->min and ++ * compiler optimizations around them because they may be accessed ++ * concurrently by cpufreq_driver_resolve_freq() during the update. + */ +- policy->min = new_data.min; +- policy->max = new_data.max; +- policy->min = __resolve_freq(policy, policy->min, CPUFREQ_RELATION_L); +- policy->max = __resolve_freq(policy, policy->max, CPUFREQ_RELATION_H); ++ WRITE_ONCE(policy->max, __resolve_freq(policy, new_data.max, CPUFREQ_RELATION_H)); ++ new_data.min = __resolve_freq(policy, new_data.min, CPUFREQ_RELATION_L); ++ WRITE_ONCE(policy->min, new_data.min > policy->max ? policy->max : new_data.min); ++ + trace_cpu_frequency_limits(policy); + + policy->cached_target_freq = UINT_MAX; diff --git a/queue-6.6/crypto-caam-qi-fix-drv_ctx-refcount-bug.patch b/queue-6.6/crypto-caam-qi-fix-drv_ctx-refcount-bug.patch new file mode 100644 index 0000000000..eeb5bff5be --- /dev/null +++ b/queue-6.6/crypto-caam-qi-fix-drv_ctx-refcount-bug.patch @@ -0,0 +1,45 @@ +From b7b39df7e710b0068356e4c696af07aa10e2cd3d Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Tue, 8 Apr 2025 13:17:20 +0800 +Subject: crypto: caam/qi - Fix drv_ctx refcount bug +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Herbert Xu + +commit b7b39df7e710b0068356e4c696af07aa10e2cd3d upstream. + +Ensure refcount is raised before request is enqueued since it could +be dequeued before the call returns. + +Reported-by: Sean Anderson +Cc: +Fixes: 11144416a755 ("crypto: caam/qi - optimize frame queue cleanup") +Signed-off-by: Herbert Xu +Reviewed-by: Horia Geantă +Tested-by: Sean Anderson +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/caam/qi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/crypto/caam/qi.c ++++ b/drivers/crypto/caam/qi.c +@@ -122,12 +122,12 @@ int caam_qi_enqueue(struct device *qidev + qm_fd_addr_set64(&fd, addr); + + do { ++ refcount_inc(&req->drv_ctx->refcnt); + ret = qman_enqueue(req->drv_ctx->req_fq, &fd); +- if (likely(!ret)) { +- refcount_inc(&req->drv_ctx->refcnt); ++ if (likely(!ret)) + return 0; +- } + ++ refcount_dec(&req->drv_ctx->refcnt); + if (ret != -EBUSY) + break; + num_retries++; diff --git a/queue-6.6/hfs-hfsplus-fix-slab-out-of-bounds-in-hfs_bnode_read_key.patch b/queue-6.6/hfs-hfsplus-fix-slab-out-of-bounds-in-hfs_bnode_read_key.patch new file mode 100644 index 0000000000..bc0d1e5f04 --- /dev/null +++ b/queue-6.6/hfs-hfsplus-fix-slab-out-of-bounds-in-hfs_bnode_read_key.patch @@ -0,0 +1,89 @@ +From bb5e07cb927724e0b47be371fa081141cfb14414 Mon Sep 17 00:00:00 2001 +From: Vasiliy Kovalev +Date: Sat, 19 Oct 2024 22:13:03 +0300 +Subject: hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key + +From: Vasiliy Kovalev + +commit bb5e07cb927724e0b47be371fa081141cfb14414 upstream. + +Syzbot reported an issue in hfs subsystem: + +BUG: KASAN: slab-out-of-bounds in memcpy_from_page include/linux/highmem.h:423 [inline] +BUG: KASAN: slab-out-of-bounds in hfs_bnode_read fs/hfs/bnode.c:35 [inline] +BUG: KASAN: slab-out-of-bounds in hfs_bnode_read_key+0x314/0x450 fs/hfs/bnode.c:70 +Write of size 94 at addr ffff8880123cd100 by task syz-executor237/5102 + +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:377 [inline] + print_report+0x169/0x550 mm/kasan/report.c:488 + kasan_report+0x143/0x180 mm/kasan/report.c:601 + kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 + __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106 + memcpy_from_page include/linux/highmem.h:423 [inline] + hfs_bnode_read fs/hfs/bnode.c:35 [inline] + hfs_bnode_read_key+0x314/0x450 fs/hfs/bnode.c:70 + hfs_brec_insert+0x7f3/0xbd0 fs/hfs/brec.c:159 + hfs_cat_create+0x41d/0xa50 fs/hfs/catalog.c:118 + hfs_mkdir+0x6c/0xe0 fs/hfs/dir.c:232 + vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257 + do_mkdirat+0x264/0x3a0 fs/namei.c:4280 + __do_sys_mkdir fs/namei.c:4300 [inline] + __se_sys_mkdir fs/namei.c:4298 [inline] + __x64_sys_mkdir+0x6c/0x80 fs/namei.c:4298 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fbdd6057a99 + +Add a check for key length in hfs_bnode_read_key to prevent +out-of-bounds memory access. If the key length is invalid, the +key buffer is cleared, improving stability and reliability. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+5f3a973ed3dfb85a6683@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=5f3a973ed3dfb85a6683 +Cc: stable@vger.kernel.org +Signed-off-by: Vasiliy Kovalev +Link: https://lore.kernel.org/20241019191303.24048-1-kovalev@altlinux.org +Reviewed-by: Cengiz Can +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/hfs/bnode.c | 6 ++++++ + fs/hfsplus/bnode.c | 6 ++++++ + 2 files changed, 12 insertions(+) + +--- a/fs/hfs/bnode.c ++++ b/fs/hfs/bnode.c +@@ -67,6 +67,12 @@ void hfs_bnode_read_key(struct hfs_bnode + else + key_len = tree->max_key_len + 1; + ++ if (key_len > sizeof(hfs_btree_key) || key_len < 1) { ++ memset(key, 0, sizeof(hfs_btree_key)); ++ pr_err("hfs: Invalid key length: %d\n", key_len); ++ return; ++ } ++ + hfs_bnode_read(node, key, off, key_len); + } + +--- a/fs/hfsplus/bnode.c ++++ b/fs/hfsplus/bnode.c +@@ -67,6 +67,12 @@ void hfs_bnode_read_key(struct hfs_bnode + else + key_len = tree->max_key_len + 2; + ++ if (key_len > sizeof(hfsplus_btree_key) || key_len < 1) { ++ memset(key, 0, sizeof(hfsplus_btree_key)); ++ pr_err("hfsplus: Invalid key length: %d\n", key_len); ++ return; ++ } ++ + hfs_bnode_read(node, key, off, key_len); + } + diff --git a/queue-6.6/i2c-cros-ec-tunnel-defer-probe-if-parent-ec-is-not-present.patch b/queue-6.6/i2c-cros-ec-tunnel-defer-probe-if-parent-ec-is-not-present.patch new file mode 100644 index 0000000000..2e2533e809 --- /dev/null +++ b/queue-6.6/i2c-cros-ec-tunnel-defer-probe-if-parent-ec-is-not-present.patch @@ -0,0 +1,106 @@ +From 424eafe65647a8d6c690284536e711977153195a Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Mon, 7 Apr 2025 17:33:34 -0300 +Subject: i2c: cros-ec-tunnel: defer probe if parent EC is not present + +From: Thadeu Lima de Souza Cascardo + +commit 424eafe65647a8d6c690284536e711977153195a upstream. + +When i2c-cros-ec-tunnel and the EC driver are built-in, the EC parent +device will not be found, leading to NULL pointer dereference. + +That can also be reproduced by unbinding the controller driver and then +loading i2c-cros-ec-tunnel module (or binding the device). + +[ 271.991245] BUG: kernel NULL pointer dereference, address: 0000000000000058 +[ 271.998215] #PF: supervisor read access in kernel mode +[ 272.003351] #PF: error_code(0x0000) - not-present page +[ 272.008485] PGD 0 P4D 0 +[ 272.011022] Oops: Oops: 0000 [#1] SMP NOPTI +[ 272.015207] CPU: 0 UID: 0 PID: 3859 Comm: insmod Tainted: G S 6.15.0-rc1-00004-g44722359ed83 #30 PREEMPT(full) 3c7fb39a552e7d949de2ad921a7d6588d3a4fdc5 +[ 272.030312] Tainted: [S]=CPU_OUT_OF_SPEC +[ 272.034233] Hardware name: HP Berknip/Berknip, BIOS Google_Berknip.13434.356.0 05/17/2021 +[ 272.042400] RIP: 0010:ec_i2c_probe+0x2b/0x1c0 [i2c_cros_ec_tunnel] +[ 272.048577] Code: 1f 44 00 00 41 57 41 56 41 55 41 54 53 48 83 ec 10 65 48 8b 05 06 a0 6c e7 48 89 44 24 08 4c 8d 7f 10 48 8b 47 50 4c 8b 60 78 <49> 83 7c 24 58 00 0f 84 2f 01 00 00 48 89 fb be 30 06 00 00 4c 9 +[ 272.067317] RSP: 0018:ffffa32082a03940 EFLAGS: 00010282 +[ 272.072541] RAX: ffff969580b6a810 RBX: ffff969580b68c10 RCX: 0000000000000000 +[ 272.079672] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff969580b68c00 +[ 272.086804] RBP: 00000000fffffdfb R08: 0000000000000000 R09: 0000000000000000 +[ 272.093936] R10: 0000000000000000 R11: ffffffffc0600000 R12: 0000000000000000 +[ 272.101067] R13: ffffffffa666fbb8 R14: ffffffffc05b5528 R15: ffff969580b68c10 +[ 272.108198] FS: 00007b930906fc40(0000) GS:ffff969603149000(0000) knlGS:0000000000000000 +[ 272.116282] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 272.122024] CR2: 0000000000000058 CR3: 000000012631c000 CR4: 00000000003506f0 +[ 272.129155] Call Trace: +[ 272.131606] +[ 272.133709] ? acpi_dev_pm_attach+0xdd/0x110 +[ 272.137985] platform_probe+0x69/0xa0 +[ 272.141652] really_probe+0x152/0x310 +[ 272.145318] __driver_probe_device+0x77/0x110 +[ 272.149678] driver_probe_device+0x1e/0x190 +[ 272.153864] __driver_attach+0x10b/0x1e0 +[ 272.157790] ? driver_attach+0x20/0x20 +[ 272.161542] bus_for_each_dev+0x107/0x150 +[ 272.165553] bus_add_driver+0x15d/0x270 +[ 272.169392] driver_register+0x65/0x110 +[ 272.173232] ? cleanup_module+0xa80/0xa80 [i2c_cros_ec_tunnel 3a00532f3f4af4a9eade753f86b0f8dd4e4e5698] +[ 272.182617] do_one_initcall+0x110/0x350 +[ 272.186543] ? security_kernfs_init_security+0x49/0xd0 +[ 272.191682] ? __kernfs_new_node+0x1b9/0x240 +[ 272.195954] ? security_kernfs_init_security+0x49/0xd0 +[ 272.201093] ? __kernfs_new_node+0x1b9/0x240 +[ 272.205365] ? kernfs_link_sibling+0x105/0x130 +[ 272.209810] ? kernfs_next_descendant_post+0x1c/0xa0 +[ 272.214773] ? kernfs_activate+0x57/0x70 +[ 272.218699] ? kernfs_add_one+0x118/0x160 +[ 272.222710] ? __kernfs_create_file+0x71/0xa0 +[ 272.227069] ? sysfs_add_bin_file_mode_ns+0xd6/0x110 +[ 272.232033] ? internal_create_group+0x453/0x4a0 +[ 272.236651] ? __vunmap_range_noflush+0x214/0x2d0 +[ 272.241355] ? __free_frozen_pages+0x1dc/0x420 +[ 272.245799] ? free_vmap_area_noflush+0x10a/0x1c0 +[ 272.250505] ? load_module+0x1509/0x16f0 +[ 272.254431] do_init_module+0x60/0x230 +[ 272.258181] __se_sys_finit_module+0x27a/0x370 +[ 272.262627] do_syscall_64+0x6a/0xf0 +[ 272.266206] ? do_syscall_64+0x76/0xf0 +[ 272.269956] ? irqentry_exit_to_user_mode+0x79/0x90 +[ 272.274836] entry_SYSCALL_64_after_hwframe+0x55/0x5d +[ 272.279887] RIP: 0033:0x7b9309168d39 +[ 272.283466] Code: 5b 41 5c 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d af 40 0c 00 f7 d8 64 89 01 8 +[ 272.302210] RSP: 002b:00007fff50f1a288 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 +[ 272.309774] RAX: ffffffffffffffda RBX: 000058bf9b50f6d0 RCX: 00007b9309168d39 +[ 272.316905] RDX: 0000000000000000 RSI: 000058bf6c103a77 RDI: 0000000000000003 +[ 272.324036] RBP: 00007fff50f1a2e0 R08: 00007fff50f19218 R09: 0000000021ec4150 +[ 272.331166] R10: 000058bf9b50f7f0 R11: 0000000000000246 R12: 0000000000000000 +[ 272.338296] R13: 00000000fffffffe R14: 0000000000000000 R15: 000058bf6c103a77 +[ 272.345428] +[ 272.347617] Modules linked in: i2c_cros_ec_tunnel(+) +[ 272.364585] gsmi: Log Shutdown Reason 0x03 + +Returning -EPROBE_DEFER will allow the device to be bound once the +controller is bound, in the case of built-in drivers. + +Fixes: 9d230c9e4f4e ("i2c: ChromeOS EC tunnel driver") +Signed-off-by: Thadeu Lima de Souza Cascardo +Cc: # v3.16+ +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20250407-null-ec-parent-v1-1-f7dda62d3110@igalia.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-cros-ec-tunnel.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/i2c/busses/i2c-cros-ec-tunnel.c ++++ b/drivers/i2c/busses/i2c-cros-ec-tunnel.c +@@ -247,6 +247,9 @@ static int ec_i2c_probe(struct platform_ + u32 remote_bus; + int err; + ++ if (!ec) ++ return dev_err_probe(dev, -EPROBE_DEFER, "couldn't find parent EC device\n"); ++ + if (!ec->cmd_xfer) { + dev_err(dev, "Missing sendrecv\n"); + return -EINVAL; diff --git a/queue-6.6/isofs-prevent-the-use-of-too-small-fid.patch b/queue-6.6/isofs-prevent-the-use-of-too-small-fid.patch new file mode 100644 index 0000000000..039485a101 --- /dev/null +++ b/queue-6.6/isofs-prevent-the-use-of-too-small-fid.patch @@ -0,0 +1,95 @@ +From 0405d4b63d082861f4eaff9d39c78ee9dc34f845 Mon Sep 17 00:00:00 2001 +From: Edward Adam Davis +Date: Fri, 4 Apr 2025 13:31:29 +0800 +Subject: isofs: Prevent the use of too small fid + +From: Edward Adam Davis + +commit 0405d4b63d082861f4eaff9d39c78ee9dc34f845 upstream. + +syzbot reported a slab-out-of-bounds Read in isofs_fh_to_parent. [1] + +The handle_bytes value passed in by the reproducing program is equal to 12. +In handle_to_path(), only 12 bytes of memory are allocated for the structure +file_handle->f_handle member, which causes an out-of-bounds access when +accessing the member parent_block of the structure isofs_fid in isofs, +because accessing parent_block requires at least 16 bytes of f_handle. +Here, fh_len is used to indirectly confirm that the value of handle_bytes +is greater than 3 before accessing parent_block. + +[1] +BUG: KASAN: slab-out-of-bounds in isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183 +Read of size 4 at addr ffff0000cc030d94 by task syz-executor215/6466 +CPU: 1 UID: 0 PID: 6466 Comm: syz-executor215 Not tainted 6.14.0-rc7-syzkaller-ga2392f333575 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 +Call trace: + show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C) + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:408 [inline] + print_report+0x198/0x550 mm/kasan/report.c:521 + kasan_report+0xd8/0x138 mm/kasan/report.c:634 + __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380 + isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183 + exportfs_decode_fh_raw+0x2dc/0x608 fs/exportfs/expfs.c:523 + do_handle_to_path+0xa0/0x198 fs/fhandle.c:257 + handle_to_path fs/fhandle.c:385 [inline] + do_handle_open+0x8cc/0xb8c fs/fhandle.c:403 + __do_sys_open_by_handle_at fs/fhandle.c:443 [inline] + __se_sys_open_by_handle_at fs/fhandle.c:434 [inline] + __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434 + __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] + invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 + el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 + do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 + el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 + el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 + el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 + +Allocated by task 6466: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x40/0x78 mm/kasan/common.c:68 + kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562 + poison_kmalloc_redzone mm/kasan/common.c:377 [inline] + __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394 + kasan_kmalloc include/linux/kasan.h:260 [inline] + __do_kmalloc_node mm/slub.c:4294 [inline] + __kmalloc_noprof+0x32c/0x54c mm/slub.c:4306 + kmalloc_noprof include/linux/slab.h:905 [inline] + handle_to_path fs/fhandle.c:357 [inline] + do_handle_open+0x5a4/0xb8c fs/fhandle.c:403 + __do_sys_open_by_handle_at fs/fhandle.c:443 [inline] + __se_sys_open_by_handle_at fs/fhandle.c:434 [inline] + __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434 + __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] + invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 + el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 + do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 + el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 + el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 + el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 + +Reported-by: syzbot+4d7cd7dd0ce1aa8d5c65@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=4d7cd7dd0ce1aa8d5c65 +Tested-by: syzbot+4d7cd7dd0ce1aa8d5c65@syzkaller.appspotmail.com +CC: stable@vger.kernel.org +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Edward Adam Davis +Signed-off-by: Jan Kara +Link: https://patch.msgid.link/tencent_9C8CB8A7E7C6C512C7065DC98B6EDF6EC606@qq.com +Signed-off-by: Greg Kroah-Hartman +--- + fs/isofs/export.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/isofs/export.c ++++ b/fs/isofs/export.c +@@ -180,7 +180,7 @@ static struct dentry *isofs_fh_to_parent + return NULL; + + return isofs_export_iget(sb, +- fh_len > 2 ? ifid->parent_block : 0, ++ fh_len > 3 ? ifid->parent_block : 0, + ifid->parent_offset, + fh_len > 4 ? ifid->parent_generation : 0); + } diff --git a/queue-6.6/ksmbd-fix-dangling-pointer-in-krb_authenticate.patch b/queue-6.6/ksmbd-fix-dangling-pointer-in-krb_authenticate.patch new file mode 100644 index 0000000000..eb178b8556 --- /dev/null +++ b/queue-6.6/ksmbd-fix-dangling-pointer-in-krb_authenticate.patch @@ -0,0 +1,38 @@ +From 1e440d5b25b7efccb3defe542a73c51005799a5f Mon Sep 17 00:00:00 2001 +From: Sean Heelan +Date: Mon, 7 Apr 2025 11:26:50 +0000 +Subject: ksmbd: Fix dangling pointer in krb_authenticate + +From: Sean Heelan + +commit 1e440d5b25b7efccb3defe542a73c51005799a5f upstream. + +krb_authenticate frees sess->user and does not set the pointer +to NULL. It calls ksmbd_krb5_authenticate to reinitialise +sess->user but that function may return without doing so. If +that happens then smb2_sess_setup, which calls krb_authenticate, +will be accessing free'd memory when it later uses sess->user. + +Cc: stable@vger.kernel.org +Signed-off-by: Sean Heelan +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -1599,8 +1599,10 @@ static int krb5_authenticate(struct ksmb + if (prev_sess_id && prev_sess_id != sess->id) + destroy_previous_session(conn, sess->user, prev_sess_id); + +- if (sess->state == SMB2_SESSION_VALID) ++ if (sess->state == SMB2_SESSION_VALID) { + ksmbd_free_user(sess->user); ++ sess->user = NULL; ++ } + + retval = ksmbd_krb5_authenticate(sess, in_blob, in_len, + out_blob, &out_len); diff --git a/queue-6.6/ksmbd-fix-the-warning-from-__kernel_write_iter.patch b/queue-6.6/ksmbd-fix-the-warning-from-__kernel_write_iter.patch new file mode 100644 index 0000000000..6cc0ffd4be --- /dev/null +++ b/queue-6.6/ksmbd-fix-the-warning-from-__kernel_write_iter.patch @@ -0,0 +1,36 @@ +From b37f2f332b40ad1c27f18682a495850f2f04db0a Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Tue, 15 Apr 2025 09:31:08 +0900 +Subject: ksmbd: fix the warning from __kernel_write_iter + +From: Namjae Jeon + +commit b37f2f332b40ad1c27f18682a495850f2f04db0a upstream. + +[ 2110.972290] ------------[ cut here ]------------ +[ 2110.972301] WARNING: CPU: 3 PID: 735 at fs/read_write.c:599 __kernel_write_iter+0x21b/0x280 + +This patch doesn't allow writing to directory. + +Cc: stable@vger.kernel.org +Reported-by: Norbert Szetei +Tested-by: Norbert Szetei +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/vfs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/smb/server/vfs.c ++++ b/fs/smb/server/vfs.c +@@ -496,7 +496,8 @@ int ksmbd_vfs_write(struct ksmbd_work *w + int err = 0; + + if (work->conn->connection_type) { +- if (!(fp->daccess & (FILE_WRITE_DATA_LE | FILE_APPEND_DATA_LE))) { ++ if (!(fp->daccess & (FILE_WRITE_DATA_LE | FILE_APPEND_DATA_LE)) || ++ S_ISDIR(file_inode(fp->filp)->i_mode)) { + pr_err("no right to write(%pD)\n", fp->filp); + err = -EACCES; + goto out; diff --git a/queue-6.6/ksmbd-fix-use-after-free-in-smb_break_all_levii_oplock.patch b/queue-6.6/ksmbd-fix-use-after-free-in-smb_break_all_levii_oplock.patch new file mode 100644 index 0000000000..3c91e70533 --- /dev/null +++ b/queue-6.6/ksmbd-fix-use-after-free-in-smb_break_all_levii_oplock.patch @@ -0,0 +1,129 @@ +From 18b4fac5ef17f77fed9417d22210ceafd6525fc7 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Tue, 15 Apr 2025 09:30:21 +0900 +Subject: ksmbd: fix use-after-free in smb_break_all_levII_oplock() + +From: Namjae Jeon + +commit 18b4fac5ef17f77fed9417d22210ceafd6525fc7 upstream. + +There is a room in smb_break_all_levII_oplock that can cause racy issues +when unlocking in the middle of the loop. This patch use read lock +to protect whole loop. + +Cc: stable@vger.kernel.org +Reported-by: Norbert Szetei +Tested-by: Norbert Szetei +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/oplock.c | 29 +++++++++-------------------- + fs/smb/server/oplock.h | 1 - + 2 files changed, 9 insertions(+), 21 deletions(-) + +--- a/fs/smb/server/oplock.c ++++ b/fs/smb/server/oplock.c +@@ -129,14 +129,6 @@ static void free_opinfo(struct oplock_in + kfree(opinfo); + } + +-static inline void opinfo_free_rcu(struct rcu_head *rcu_head) +-{ +- struct oplock_info *opinfo; +- +- opinfo = container_of(rcu_head, struct oplock_info, rcu_head); +- free_opinfo(opinfo); +-} +- + struct oplock_info *opinfo_get(struct ksmbd_file *fp) + { + struct oplock_info *opinfo; +@@ -157,8 +149,8 @@ static struct oplock_info *opinfo_get_li + if (list_empty(&ci->m_op_list)) + return NULL; + +- rcu_read_lock(); +- opinfo = list_first_or_null_rcu(&ci->m_op_list, struct oplock_info, ++ down_read(&ci->m_lock); ++ opinfo = list_first_entry(&ci->m_op_list, struct oplock_info, + op_entry); + if (opinfo) { + if (opinfo->conn == NULL || +@@ -171,8 +163,7 @@ static struct oplock_info *opinfo_get_li + } + } + } +- +- rcu_read_unlock(); ++ up_read(&ci->m_lock); + + return opinfo; + } +@@ -185,7 +176,7 @@ void opinfo_put(struct oplock_info *opin + if (!atomic_dec_and_test(&opinfo->refcount)) + return; + +- call_rcu(&opinfo->rcu_head, opinfo_free_rcu); ++ free_opinfo(opinfo); + } + + static void opinfo_add(struct oplock_info *opinfo) +@@ -193,7 +184,7 @@ static void opinfo_add(struct oplock_inf + struct ksmbd_inode *ci = opinfo->o_fp->f_ci; + + down_write(&ci->m_lock); +- list_add_rcu(&opinfo->op_entry, &ci->m_op_list); ++ list_add(&opinfo->op_entry, &ci->m_op_list); + up_write(&ci->m_lock); + } + +@@ -207,7 +198,7 @@ static void opinfo_del(struct oplock_inf + write_unlock(&lease_list_lock); + } + down_write(&ci->m_lock); +- list_del_rcu(&opinfo->op_entry); ++ list_del(&opinfo->op_entry); + up_write(&ci->m_lock); + } + +@@ -1347,8 +1338,8 @@ void smb_break_all_levII_oplock(struct k + ci = fp->f_ci; + op = opinfo_get(fp); + +- rcu_read_lock(); +- list_for_each_entry_rcu(brk_op, &ci->m_op_list, op_entry) { ++ down_read(&ci->m_lock); ++ list_for_each_entry(brk_op, &ci->m_op_list, op_entry) { + if (brk_op->conn == NULL) + continue; + +@@ -1358,7 +1349,6 @@ void smb_break_all_levII_oplock(struct k + if (ksmbd_conn_releasing(brk_op->conn)) + continue; + +- rcu_read_unlock(); + if (brk_op->is_lease && (brk_op->o_lease->state & + (~(SMB2_LEASE_READ_CACHING_LE | + SMB2_LEASE_HANDLE_CACHING_LE)))) { +@@ -1388,9 +1378,8 @@ void smb_break_all_levII_oplock(struct k + oplock_break(brk_op, SMB2_OPLOCK_LEVEL_NONE, NULL); + next: + opinfo_put(brk_op); +- rcu_read_lock(); + } +- rcu_read_unlock(); ++ up_read(&ci->m_lock); + + if (op) + opinfo_put(op); +--- a/fs/smb/server/oplock.h ++++ b/fs/smb/server/oplock.h +@@ -78,7 +78,6 @@ struct oplock_info { + struct list_head lease_entry; + wait_queue_head_t oplock_q; /* Other server threads */ + wait_queue_head_t oplock_brk; /* oplock breaking wait */ +- struct rcu_head rcu_head; + }; + + struct lease_break_info { diff --git a/queue-6.6/ksmbd-prevent-integer-overflow-in-calculation-of-deadtime.patch b/queue-6.6/ksmbd-prevent-integer-overflow-in-calculation-of-deadtime.patch new file mode 100644 index 0000000000..69d609dbed --- /dev/null +++ b/queue-6.6/ksmbd-prevent-integer-overflow-in-calculation-of-deadtime.patch @@ -0,0 +1,48 @@ +From a93ff742820f75bf8bb3fcf21d9f25ca6eb3d4c6 Mon Sep 17 00:00:00 2001 +From: Denis Arefev +Date: Wed, 9 Apr 2025 12:04:49 +0300 +Subject: ksmbd: Prevent integer overflow in calculation of deadtime + +From: Denis Arefev + +commit a93ff742820f75bf8bb3fcf21d9f25ca6eb3d4c6 upstream. + +The user can set any value for 'deadtime'. This affects the arithmetic +expression 'req->deadtime * SMB_ECHO_INTERVAL', which is subject to +overflow. The added check makes the server behavior more predictable. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers") +Cc: stable@vger.kernel.org +Signed-off-by: Denis Arefev +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/transport_ipc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/smb/server/transport_ipc.c ++++ b/fs/smb/server/transport_ipc.c +@@ -296,7 +296,11 @@ static int ipc_server_config_on_startup( + server_conf.signing = req->signing; + server_conf.tcp_port = req->tcp_port; + server_conf.ipc_timeout = req->ipc_timeout * HZ; +- server_conf.deadtime = req->deadtime * SMB_ECHO_INTERVAL; ++ if (check_mul_overflow(req->deadtime, SMB_ECHO_INTERVAL, ++ &server_conf.deadtime)) { ++ ret = -EINVAL; ++ goto out; ++ } + server_conf.share_fake_fscaps = req->share_fake_fscaps; + ksmbd_init_domain(req->sub_auth); + +@@ -322,6 +326,7 @@ static int ipc_server_config_on_startup( + ret |= ksmbd_set_work_group(req->work_group); + ret |= ksmbd_tcp_set_interfaces(KSMBD_STARTUP_CONFIG_INTERFACES(req), + req->ifc_list_sz); ++out: + if (ret) { + pr_err("Server configuration error: %s %s %s\n", + req->netbios_name, req->server_string, diff --git a/queue-6.6/loop-loop_set_fd-send-uevents-for-partitions.patch b/queue-6.6/loop-loop_set_fd-send-uevents-for-partitions.patch new file mode 100644 index 0000000000..e9596d5fb4 --- /dev/null +++ b/queue-6.6/loop-loop_set_fd-send-uevents-for-partitions.patch @@ -0,0 +1,54 @@ +From 0dba7a05b9e47d8b546399117b0ddf2426dc6042 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= +Date: Tue, 15 Apr 2025 16:55:06 +0200 +Subject: loop: LOOP_SET_FD: send uevents for partitions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +commit 0dba7a05b9e47d8b546399117b0ddf2426dc6042 upstream. + +Remove the suppression of the uevents before scanning for partitions. +The partitions inherit their suppression settings from their parent device, +which lead to the uevents being dropped. + +This is similar to the same changes for LOOP_CONFIGURE done in +commit bb430b694226 ("loop: LOOP_CONFIGURE: send uevents for partitions"). + +Fixes: 498ef5c777d9 ("loop: suppress uevents while reconfiguring the device") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Weißschuh +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20250415-loop-uevent-changed-v3-1-60ff69ac6088@linutronix.de +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/loop.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -624,12 +624,12 @@ static int loop_change_fd(struct loop_de + * dependency. + */ + fput(old_file); ++ dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 0); + if (partscan) + loop_reread_partitions(lo); + + error = 0; + done: +- dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 0); + kobject_uevent(&disk_to_dev(lo->lo_disk)->kobj, KOBJ_CHANGE); + return error; + +@@ -637,6 +637,7 @@ out_err: + loop_global_unlock(lo, is_loop); + out_putf: + fput(file); ++ dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 0); + goto done; + } + diff --git a/queue-6.6/loop-properly-send-kobj_changed-uevent-for-disk-device.patch b/queue-6.6/loop-properly-send-kobj_changed-uevent-for-disk-device.patch new file mode 100644 index 0000000000..0e16c3a606 --- /dev/null +++ b/queue-6.6/loop-properly-send-kobj_changed-uevent-for-disk-device.patch @@ -0,0 +1,59 @@ +From e7bc0010ceb403d025100698586c8e760921d471 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= +Date: Tue, 15 Apr 2025 10:51:47 +0200 +Subject: loop: properly send KOBJ_CHANGED uevent for disk device +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +commit e7bc0010ceb403d025100698586c8e760921d471 upstream. + +The original commit message and the wording "uncork" in the code comment +indicate that it is expected that the suppressed event instances are +automatically sent after unsuppressing. +This is not the case, instead they are discarded. +In effect this means that no "changed" events are emitted on the device +itself by default. +While each discovered partition does trigger a changed event on the +device, devices without partitions don't have any event emitted. + +This makes udev miss the device creation and prompted workarounds in +userspace. See the linked util-linux/losetup bug. + +Explicitly emit the events and drop the confusingly worded comments. + +Link: https://github.com/util-linux/util-linux/issues/2434 +Fixes: 498ef5c777d9 ("loop: suppress uevents while reconfiguring the device") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Weißschuh +Link: https://lore.kernel.org/r/20250415-loop-uevent-changed-v2-1-0c4e6a923b2a@linutronix.de +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/loop.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -629,8 +629,8 @@ static int loop_change_fd(struct loop_de + + error = 0; + done: +- /* enable and uncork uevent now that we are done */ + dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 0); ++ kobject_uevent(&disk_to_dev(lo->lo_disk)->kobj, KOBJ_CHANGE); + return error; + + out_err: +@@ -1104,8 +1104,8 @@ static int loop_configure(struct loop_de + if (partscan) + clear_bit(GD_SUPPRESS_PART_SCAN, &lo->lo_disk->state); + +- /* enable and uncork uevent now that we are done */ + dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 0); ++ kobject_uevent(&disk_to_dev(lo->lo_disk)->kobj, KOBJ_CHANGE); + + loop_global_unlock(lo, is_loop); + if (partscan) diff --git a/queue-6.6/mm-fix-apply_to_existing_page_range.patch b/queue-6.6/mm-fix-apply_to_existing_page_range.patch new file mode 100644 index 0000000000..ba1fc3ad32 --- /dev/null +++ b/queue-6.6/mm-fix-apply_to_existing_page_range.patch @@ -0,0 +1,54 @@ +From a995199384347261bb3f21b2e171fa7f988bd2f8 Mon Sep 17 00:00:00 2001 +From: "Kirill A. Shutemov" +Date: Wed, 9 Apr 2025 12:40:43 +0300 +Subject: mm: fix apply_to_existing_page_range() + +From: Kirill A. Shutemov + +commit a995199384347261bb3f21b2e171fa7f988bd2f8 upstream. + +In the case of apply_to_existing_page_range(), apply_to_pte_range() is +reached with 'create' set to false. When !create, the loop over the PTE +page table is broken. + +apply_to_pte_range() will only move to the next PTE entry if 'create' is +true or if the current entry is not pte_none(). + +This means that the user of apply_to_existing_page_range() will not have +'fn' called for any entries after the first pte_none() in the PTE page +table. + +Fix the loop logic in apply_to_pte_range(). + +There are no known runtime issues from this, but the fix is trivial enough +for stable@ even without a known buggy user. + +Link: https://lkml.kernel.org/r/20250409094043.1629234-1-kirill.shutemov@linux.intel.com +Signed-off-by: Kirill A. Shutemov +Fixes: be1db4753ee6 ("mm/memory.c: add apply_to_existing_page_range() helper") +Cc: Daniel Axtens +Cc: David Hildenbrand +Cc: Vlastimil Babka +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -2600,11 +2600,11 @@ static int apply_to_pte_range(struct mm_ + if (fn) { + do { + if (create || !pte_none(ptep_get(pte))) { +- err = fn(pte++, addr, data); ++ err = fn(pte, addr, data); + if (err) + break; + } +- } while (addr += PAGE_SIZE, addr != end); ++ } while (pte++, addr += PAGE_SIZE, addr != end); + } + *mask |= PGTBL_PTE_MODIFIED; + diff --git a/queue-6.6/mm-fix-filemap_get_folios_contig-returning-batches-of-identical-folios.patch b/queue-6.6/mm-fix-filemap_get_folios_contig-returning-batches-of-identical-folios.patch new file mode 100644 index 0000000000..fe3325f174 --- /dev/null +++ b/queue-6.6/mm-fix-filemap_get_folios_contig-returning-batches-of-identical-folios.patch @@ -0,0 +1,48 @@ +From 8ab1b16023961dc640023b10436d282f905835ad Mon Sep 17 00:00:00 2001 +From: "Vishal Moola (Oracle)" +Date: Thu, 3 Apr 2025 16:54:17 -0700 +Subject: mm: fix filemap_get_folios_contig returning batches of identical folios + +From: Vishal Moola (Oracle) + +commit 8ab1b16023961dc640023b10436d282f905835ad upstream. + +filemap_get_folios_contig() is supposed to return distinct folios found +within [start, end]. Large folios in the Xarray become multi-index +entries. xas_next() can iterate through the sub-indexes before finding a +sibling entry and breaking out of the loop. + +This can result in a returned folio_batch containing an indeterminate +number of duplicate folios, which forces the callers to skeptically handle +the returned batch. This is inefficient and incurs a large maintenance +overhead. + +We can fix this by calling xas_advance() after we have successfully adding +a folio to the batch to ensure our Xarray is positioned such that it will +correctly find the next folio - similar to filemap_get_read_batch(). + +Link: https://lkml.kernel.org/r/Z-8s1-kiIDkzgRbc@fedora +Fixes: 35b471467f88 ("filemap: add filemap_get_folios_contig()") +Signed-off-by: Vishal Moola (Oracle) +Reported-by: Qu Wenruo +Closes: https://lkml.kernel.org/r/b714e4de-2583-4035-b829-72cfb5eb6fc6@gmx.com +Tested-by: Qu Wenruo +Cc: Matthew Wilcox (Oracle) +Cc: Vivek Kasireddy +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/filemap.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -2256,6 +2256,7 @@ unsigned filemap_get_folios_contig(struc + *start = folio->index + nr; + goto out; + } ++ xas_advance(&xas, folio_next_index(folio) - 1); + continue; + put_folio: + folio_put(folio); diff --git a/queue-6.6/mm-gup-fix-wrongly-calculated-returned-value-in-fault_in_safe_writeable.patch b/queue-6.6/mm-gup-fix-wrongly-calculated-returned-value-in-fault_in_safe_writeable.patch new file mode 100644 index 0000000000..0500eefff6 --- /dev/null +++ b/queue-6.6/mm-gup-fix-wrongly-calculated-returned-value-in-fault_in_safe_writeable.patch @@ -0,0 +1,51 @@ +From 8c03ebd7cdc06bd0d2fecb4d1a609ef1dbb7d0aa Mon Sep 17 00:00:00 2001 +From: Baoquan He +Date: Thu, 10 Apr 2025 11:57:14 +0800 +Subject: mm/gup: fix wrongly calculated returned value in fault_in_safe_writeable() + +From: Baoquan He + +commit 8c03ebd7cdc06bd0d2fecb4d1a609ef1dbb7d0aa upstream. + +Not like fault_in_readable() or fault_in_writeable(), in +fault_in_safe_writeable() local variable 'start' is increased page by page +to loop till the whole address range is handled. However, it mistakenly +calculates the size of the handled range with 'uaddr - start'. + +Fix it here. + +Andreas said: + +: In gfs2, fault_in_iov_iter_writeable() is used in +: gfs2_file_direct_read() and gfs2_file_read_iter(), so this potentially +: affects buffered as well as direct reads. This bug could cause those +: gfs2 functions to spin in a loop. + +Link: https://lkml.kernel.org/r/20250410035717.473207-1-bhe@redhat.com +Link: https://lkml.kernel.org/r/20250410035717.473207-2-bhe@redhat.com +Signed-off-by: Baoquan He +Fixes: fe673d3f5bf1 ("mm: gup: make fault_in_safe_writeable() use fixup_user_fault()") +Reviewed-by: Oscar Salvador +Acked-by: David Hildenbrand +Cc: Andreas Gruenbacher +Cc: Yanjun.Zhu +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/gup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -1871,8 +1871,8 @@ size_t fault_in_safe_writeable(const cha + } while (start != end); + mmap_read_unlock(mm); + +- if (size > (unsigned long)uaddr - start) +- return size - ((unsigned long)uaddr - start); ++ if (size > start - (unsigned long)uaddr) ++ return size - (start - (unsigned long)uaddr); + return 0; + } + EXPORT_SYMBOL(fault_in_safe_writeable); diff --git a/queue-6.6/ovl-don-t-allow-datadir-only.patch b/queue-6.6/ovl-don-t-allow-datadir-only.patch new file mode 100644 index 0000000000..41e8814667 --- /dev/null +++ b/queue-6.6/ovl-don-t-allow-datadir-only.patch @@ -0,0 +1,44 @@ +From eb3a04a8516ee9b5174379306f94279fc90424c4 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Mon, 10 Feb 2025 15:11:22 +0100 +Subject: ovl: don't allow datadir only + +From: Miklos Szeredi + +commit eb3a04a8516ee9b5174379306f94279fc90424c4 upstream. + +In theory overlayfs could support upper layer directly referring to a data +layer, but there's no current use case for this. + +Originally, when data-only layers were introduced, this wasn't allowed, +only introduced by the "datadir+" feature, but without actually handling +this case, resulting in an Oops. + +Fix by disallowing datadir without lowerdir. + +Reported-by: Giuseppe Scrivano +Fixes: 24e16e385f22 ("ovl: add support for appending lowerdirs one by one") +Cc: # v6.7 +Reviewed-by: Amir Goldstein +Reviewed-by: Alexander Larsson +Reviewed-by: Christian Brauner +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/overlayfs/super.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/overlayfs/super.c ++++ b/fs/overlayfs/super.c +@@ -1180,6 +1180,11 @@ static struct ovl_entry *ovl_get_lowerst + return ERR_PTR(-EINVAL); + } + ++ if (ctx->nr == ctx->nr_data) { ++ pr_err("at least one non-data lowerdir is required\n"); ++ return ERR_PTR(-EINVAL); ++ } ++ + err = -EINVAL; + for (i = 0; i < ctx->nr; i++) { + l = &ctx->lower[i]; diff --git a/queue-6.6/perf-x86-intel-allow-to-update-user-space-gprs-from-pebs-records.patch b/queue-6.6/perf-x86-intel-allow-to-update-user-space-gprs-from-pebs-records.patch new file mode 100644 index 0000000000..c65f72278c --- /dev/null +++ b/queue-6.6/perf-x86-intel-allow-to-update-user-space-gprs-from-pebs-records.patch @@ -0,0 +1,78 @@ +From 71dcc11c2cd9e434c34a63154ecadca21c135ddd Mon Sep 17 00:00:00 2001 +From: Dapeng Mi +Date: Tue, 15 Apr 2025 10:41:35 +0000 +Subject: perf/x86/intel: Allow to update user space GPRs from PEBS records + +From: Dapeng Mi + +commit 71dcc11c2cd9e434c34a63154ecadca21c135ddd upstream. + +Currently when a user samples user space GPRs (--user-regs option) with +PEBS, the user space GPRs actually always come from software PMI +instead of from PEBS hardware. This leads to the sampled GPRs to +possibly be inaccurate for single PEBS record case because of the +skid between counter overflow and GPRs sampling on PMI. + +For the large PEBS case, it is even worse. If user sets the +exclude_kernel attribute, large PEBS would be used to sample user space +GPRs, but since PEBS GPRs group is not really enabled, it leads to all +samples in the large PEBS record to share the same piece of user space +GPRs, like this reproducer shows: + + $ perf record -e branches:pu --user-regs=ip,ax -c 100000 ./foo + $ perf report -D | grep "AX" + + .... AX 0x000000003a0d4ead + .... AX 0x000000003a0d4ead + .... AX 0x000000003a0d4ead + .... AX 0x000000003a0d4ead + .... AX 0x000000003a0d4ead + .... AX 0x000000003a0d4ead + .... AX 0x000000003a0d4ead + .... AX 0x000000003a0d4ead + .... AX 0x000000003a0d4ead + .... AX 0x000000003a0d4ead + .... AX 0x000000003a0d4ead + +So enable GPRs group for user space GPRs sampling and prioritize reading +GPRs from PEBS. If the PEBS sampled GPRs is not user space GPRs (single +PEBS record case), perf_sample_regs_user() modifies them to user space +GPRs. + +[ mingo: Clarified the changelog. ] + +Fixes: c22497f5838c ("perf/x86/intel: Support adaptive PEBS v4") +Signed-off-by: Dapeng Mi +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Ingo Molnar +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250415104135.318169-2-dapeng1.mi@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/ds.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -1203,8 +1203,10 @@ static u64 pebs_update_adaptive_cfg(stru + * + precise_ip < 2 for the non event IP + * + For RTM TSX weight we need GPRs for the abort code. + */ +- gprs = (sample_type & PERF_SAMPLE_REGS_INTR) && +- (attr->sample_regs_intr & PEBS_GP_REGS); ++ gprs = ((sample_type & PERF_SAMPLE_REGS_INTR) && ++ (attr->sample_regs_intr & PEBS_GP_REGS)) || ++ ((sample_type & PERF_SAMPLE_REGS_USER) && ++ (attr->sample_regs_user & PEBS_GP_REGS)); + + tsx_weight = (sample_type & PERF_SAMPLE_WEIGHT_TYPE) && + ((attr->config & INTEL_ARCH_EVENT_MASK) == +@@ -1856,7 +1858,7 @@ static void setup_pebs_adaptive_sample_d + regs->flags &= ~PERF_EFLAGS_EXACT; + } + +- if (sample_type & PERF_SAMPLE_REGS_INTR) ++ if (sample_type & (PERF_SAMPLE_REGS_INTR | PERF_SAMPLE_REGS_USER)) + adaptive_pebs_save_regs(regs, gprs); + } + diff --git a/queue-6.6/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-icx.patch b/queue-6.6/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-icx.patch new file mode 100644 index 0000000000..d093172b0e --- /dev/null +++ b/queue-6.6/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-icx.patch @@ -0,0 +1,76 @@ +From 32c7f1150225694d95a51110a93be25db03bb5db Mon Sep 17 00:00:00 2001 +From: Kan Liang +Date: Wed, 16 Apr 2025 07:24:25 -0700 +Subject: perf/x86/intel/uncore: Fix the scale of IIO free running counters on ICX + +From: Kan Liang + +commit 32c7f1150225694d95a51110a93be25db03bb5db upstream. + +There was a mistake in the ICX uncore spec too. The counter increments +for every 32 bytes rather than 4 bytes. + +The same as SNR, there are 1 ioclk and 8 IIO bandwidth in free running +counters. Reuse the snr_uncore_iio_freerunning_events(). + +Fixes: 2b3b76b5ec67 ("perf/x86/intel/uncore: Add Ice Lake server uncore support") +Reported-by: Tang Jun +Signed-off-by: Kan Liang +Signed-off-by: Ingo Molnar +Acked-by: Peter Zijlstra +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250416142426.3933977-2-kan.liang@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/uncore_snbep.c | 33 +-------------------------------- + 1 file changed, 1 insertion(+), 32 deletions(-) + +--- a/arch/x86/events/intel/uncore_snbep.c ++++ b/arch/x86/events/intel/uncore_snbep.c +@@ -5476,37 +5476,6 @@ static struct freerunning_counters icx_i + [ICX_IIO_MSR_BW_IN] = { 0xaa0, 0x1, 0x10, 8, 48, icx_iio_bw_freerunning_box_offsets }, + }; + +-static struct uncore_event_desc icx_uncore_iio_freerunning_events[] = { +- /* Free-Running IIO CLOCKS Counter */ +- INTEL_UNCORE_EVENT_DESC(ioclk, "event=0xff,umask=0x10"), +- /* Free-Running IIO BANDWIDTH IN Counters */ +- INTEL_UNCORE_EVENT_DESC(bw_in_port0, "event=0xff,umask=0x20"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port0.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port1, "event=0xff,umask=0x21"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port1.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port2, "event=0xff,umask=0x22"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port2.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port3, "event=0xff,umask=0x23"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port3.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port4, "event=0xff,umask=0x24"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port4.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port5, "event=0xff,umask=0x25"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port5.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port6, "event=0xff,umask=0x26"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port6.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port7, "event=0xff,umask=0x27"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port7.unit, "MiB"), +- { /* end: all zeroes */ }, +-}; +- + static struct intel_uncore_type icx_uncore_iio_free_running = { + .name = "iio_free_running", + .num_counters = 9, +@@ -5514,7 +5483,7 @@ static struct intel_uncore_type icx_unco + .num_freerunning_types = ICX_IIO_FREERUNNING_TYPE_MAX, + .freerunning = icx_iio_freerunning, + .ops = &skx_uncore_iio_freerunning_ops, +- .event_descs = icx_uncore_iio_freerunning_events, ++ .event_descs = snr_uncore_iio_freerunning_events, + .format_group = &skx_uncore_iio_freerunning_format_group, + }; + diff --git a/queue-6.6/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-snr.patch b/queue-6.6/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-snr.patch new file mode 100644 index 0000000000..9fee9038c7 --- /dev/null +++ b/queue-6.6/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-snr.patch @@ -0,0 +1,71 @@ +From 96a720db59ab330c8562b2437153faa45dac705f Mon Sep 17 00:00:00 2001 +From: Kan Liang +Date: Wed, 16 Apr 2025 07:24:24 -0700 +Subject: perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR + +From: Kan Liang + +commit 96a720db59ab330c8562b2437153faa45dac705f upstream. + +There was a mistake in the SNR uncore spec. The counter increments for +every 32 bytes of data sent from the IO agent to the SOC, not 4 bytes +which was documented in the spec. + +The event list has been updated: + + "EventName": "UNC_IIO_BANDWIDTH_IN.PART0_FREERUN", + "BriefDescription": "Free running counter that increments for every 32 + bytes of data sent from the IO agent to the SOC", + +Update the scale of the IIO bandwidth in free running counters as well. + +Fixes: 210cc5f9db7a ("perf/x86/intel/uncore: Add uncore support for Snow Ridge server") +Signed-off-by: Kan Liang +Signed-off-by: Ingo Molnar +Acked-by: Peter Zijlstra +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250416142426.3933977-1-kan.liang@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/uncore_snbep.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/arch/x86/events/intel/uncore_snbep.c ++++ b/arch/x86/events/intel/uncore_snbep.c +@@ -4882,28 +4882,28 @@ static struct uncore_event_desc snr_unco + INTEL_UNCORE_EVENT_DESC(ioclk, "event=0xff,umask=0x10"), + /* Free-Running IIO BANDWIDTH IN Counters */ + INTEL_UNCORE_EVENT_DESC(bw_in_port0, "event=0xff,umask=0x20"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale, "3.814697266e-6"), ++ INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale, "3.0517578125e-5"), + INTEL_UNCORE_EVENT_DESC(bw_in_port0.unit, "MiB"), + INTEL_UNCORE_EVENT_DESC(bw_in_port1, "event=0xff,umask=0x21"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale, "3.814697266e-6"), ++ INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale, "3.0517578125e-5"), + INTEL_UNCORE_EVENT_DESC(bw_in_port1.unit, "MiB"), + INTEL_UNCORE_EVENT_DESC(bw_in_port2, "event=0xff,umask=0x22"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale, "3.814697266e-6"), ++ INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale, "3.0517578125e-5"), + INTEL_UNCORE_EVENT_DESC(bw_in_port2.unit, "MiB"), + INTEL_UNCORE_EVENT_DESC(bw_in_port3, "event=0xff,umask=0x23"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale, "3.814697266e-6"), ++ INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale, "3.0517578125e-5"), + INTEL_UNCORE_EVENT_DESC(bw_in_port3.unit, "MiB"), + INTEL_UNCORE_EVENT_DESC(bw_in_port4, "event=0xff,umask=0x24"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale, "3.814697266e-6"), ++ INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale, "3.0517578125e-5"), + INTEL_UNCORE_EVENT_DESC(bw_in_port4.unit, "MiB"), + INTEL_UNCORE_EVENT_DESC(bw_in_port5, "event=0xff,umask=0x25"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale, "3.814697266e-6"), ++ INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale, "3.0517578125e-5"), + INTEL_UNCORE_EVENT_DESC(bw_in_port5.unit, "MiB"), + INTEL_UNCORE_EVENT_DESC(bw_in_port6, "event=0xff,umask=0x26"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale, "3.814697266e-6"), ++ INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale, "3.0517578125e-5"), + INTEL_UNCORE_EVENT_DESC(bw_in_port6.unit, "MiB"), + INTEL_UNCORE_EVENT_DESC(bw_in_port7, "event=0xff,umask=0x27"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale, "3.814697266e-6"), ++ INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale, "3.0517578125e-5"), + INTEL_UNCORE_EVENT_DESC(bw_in_port7.unit, "MiB"), + { /* end: all zeroes */ }, + }; diff --git a/queue-6.6/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-spr.patch b/queue-6.6/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-spr.patch new file mode 100644 index 0000000000..0795ef7b94 --- /dev/null +++ b/queue-6.6/perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-spr.patch @@ -0,0 +1,101 @@ +From 506f981ab40f0b03a11a640cfd77f48b09aff330 Mon Sep 17 00:00:00 2001 +From: Kan Liang +Date: Wed, 16 Apr 2025 07:24:26 -0700 +Subject: perf/x86/intel/uncore: Fix the scale of IIO free running counters on SPR + +From: Kan Liang + +commit 506f981ab40f0b03a11a640cfd77f48b09aff330 upstream. + +The scale of IIO bandwidth in free running counters is inherited from +the ICX. The counter increments for every 32 bytes rather than 4 bytes. + +The IIO bandwidth out free running counters don't increment with a +consistent size. The increment depends on the requested size. It's +impossible to find a fixed increment. Remove it from the event_descs. + +Fixes: 0378c93a92e2 ("perf/x86/intel/uncore: Support IIO free-running counters on Sapphire Rapids server") +Reported-by: Tang Jun +Signed-off-by: Kan Liang +Signed-off-by: Ingo Molnar +Acked-by: Peter Zijlstra +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250416142426.3933977-3-kan.liang@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/uncore_snbep.c | 58 ----------------------------------- + 1 file changed, 1 insertion(+), 57 deletions(-) + +--- a/arch/x86/events/intel/uncore_snbep.c ++++ b/arch/x86/events/intel/uncore_snbep.c +@@ -6210,69 +6210,13 @@ static struct freerunning_counters spr_i + [SPR_IIO_MSR_BW_OUT] = { 0x3808, 0x1, 0x10, 8, 48 }, + }; + +-static struct uncore_event_desc spr_uncore_iio_freerunning_events[] = { +- /* Free-Running IIO CLOCKS Counter */ +- INTEL_UNCORE_EVENT_DESC(ioclk, "event=0xff,umask=0x10"), +- /* Free-Running IIO BANDWIDTH IN Counters */ +- INTEL_UNCORE_EVENT_DESC(bw_in_port0, "event=0xff,umask=0x20"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port0.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port1, "event=0xff,umask=0x21"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port1.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port2, "event=0xff,umask=0x22"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port2.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port3, "event=0xff,umask=0x23"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port3.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port4, "event=0xff,umask=0x24"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port4.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port5, "event=0xff,umask=0x25"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port5.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port6, "event=0xff,umask=0x26"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port6.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port7, "event=0xff,umask=0x27"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_in_port7.unit, "MiB"), +- /* Free-Running IIO BANDWIDTH OUT Counters */ +- INTEL_UNCORE_EVENT_DESC(bw_out_port0, "event=0xff,umask=0x30"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port0.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port0.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port1, "event=0xff,umask=0x31"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port1.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port1.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port2, "event=0xff,umask=0x32"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port2.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port2.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port3, "event=0xff,umask=0x33"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port3.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port3.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port4, "event=0xff,umask=0x34"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port4.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port4.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port5, "event=0xff,umask=0x35"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port5.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port5.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port6, "event=0xff,umask=0x36"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port6.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port6.unit, "MiB"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port7, "event=0xff,umask=0x37"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port7.scale, "3.814697266e-6"), +- INTEL_UNCORE_EVENT_DESC(bw_out_port7.unit, "MiB"), +- { /* end: all zeroes */ }, +-}; +- + static struct intel_uncore_type spr_uncore_iio_free_running = { + .name = "iio_free_running", + .num_counters = 17, + .num_freerunning_types = SPR_IIO_FREERUNNING_TYPE_MAX, + .freerunning = spr_iio_freerunning, + .ops = &skx_uncore_iio_freerunning_ops, +- .event_descs = spr_uncore_iio_freerunning_events, ++ .event_descs = snr_uncore_iio_freerunning_events, + .format_group = &skx_uncore_iio_freerunning_format_group, + }; + diff --git a/queue-6.6/rdma-cma-fix-workqueue-crash-in-cma_netevent_work_handler.patch b/queue-6.6/rdma-cma-fix-workqueue-crash-in-cma_netevent_work_handler.patch new file mode 100644 index 0000000000..ebe4a7db39 --- /dev/null +++ b/queue-6.6/rdma-cma-fix-workqueue-crash-in-cma_netevent_work_handler.patch @@ -0,0 +1,141 @@ +From 45f5dcdd049719fb999393b30679605f16ebce14 Mon Sep 17 00:00:00 2001 +From: Sharath Srinivasan +Date: Wed, 26 Mar 2025 14:05:32 -0700 +Subject: RDMA/cma: Fix workqueue crash in cma_netevent_work_handler +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sharath Srinivasan + +commit 45f5dcdd049719fb999393b30679605f16ebce14 upstream. + +struct rdma_cm_id has member "struct work_struct net_work" +that is reused for enqueuing cma_netevent_work_handler()s +onto cma_wq. + +Below crash[1] can occur if more than one call to +cma_netevent_callback() occurs in quick succession, +which further enqueues cma_netevent_work_handler()s for the +same rdma_cm_id, overwriting any previously queued work-item(s) +that was just scheduled to run i.e. there is no guarantee +the queued work item may run between two successive calls +to cma_netevent_callback() and the 2nd INIT_WORK would overwrite +the 1st work item (for the same rdma_cm_id), despite grabbing +id_table_lock during enqueue. + +Also drgn analysis [2] indicates the work item was likely overwritten. + +Fix this by moving the INIT_WORK() to __rdma_create_id(), +so that it doesn't race with any existing queue_work() or +its worker thread. + +[1] Trimmed crash stack: +============================================= +BUG: kernel NULL pointer dereference, address: 0000000000000008 +kworker/u256:6 ... 6.12.0-0... +Workqueue: cma_netevent_work_handler [rdma_cm] (rdma_cm) +RIP: 0010:process_one_work+0xba/0x31a +Call Trace: + worker_thread+0x266/0x3a0 + kthread+0xcf/0x100 + ret_from_fork+0x31/0x50 + ret_from_fork_asm+0x1a/0x30 +============================================= + +[2] drgn crash analysis: + +>>> trace = prog.crashed_thread().stack_trace() +>>> trace +(0) crash_setup_regs (./arch/x86/include/asm/kexec.h:111:15) +(1) __crash_kexec (kernel/crash_core.c:122:4) +(2) panic (kernel/panic.c:399:3) +(3) oops_end (arch/x86/kernel/dumpstack.c:382:3) +... +(8) process_one_work (kernel/workqueue.c:3168:2) +(9) process_scheduled_works (kernel/workqueue.c:3310:3) +(10) worker_thread (kernel/workqueue.c:3391:4) +(11) kthread (kernel/kthread.c:389:9) + +Line workqueue.c:3168 for this kernel version is in process_one_work(): +3168 strscpy(worker->desc, pwq->wq->name, WORKER_DESC_LEN); + +>>> trace[8]["work"] +*(struct work_struct *)0xffff92577d0a21d8 = { + .data = (atomic_long_t){ + .counter = (s64)536870912, <=== Note + }, + .entry = (struct list_head){ + .next = (struct list_head *)0xffff924d075924c0, + .prev = (struct list_head *)0xffff924d075924c0, + }, + .func = (work_func_t)cma_netevent_work_handler+0x0 = 0xffffffffc2cec280, +} + +Suspicion is that pwq is NULL: +>>> trace[8]["pwq"] +(struct pool_workqueue *) + +In process_one_work(), pwq is assigned from: +struct pool_workqueue *pwq = get_work_pwq(work); + +and get_work_pwq() is: +static struct pool_workqueue *get_work_pwq(struct work_struct *work) +{ + unsigned long data = atomic_long_read(&work->data); + + if (data & WORK_STRUCT_PWQ) + return work_struct_pwq(data); + else + return NULL; +} + +WORK_STRUCT_PWQ is 0x4: +>>> print(repr(prog['WORK_STRUCT_PWQ'])) +Object(prog, 'enum work_flags', value=4) + +But work->data is 536870912 which is 0x20000000. +So, get_work_pwq() returns NULL and we crash in process_one_work(): +3168 strscpy(worker->desc, pwq->wq->name, WORKER_DESC_LEN); +============================================= + +Fixes: 925d046e7e52 ("RDMA/core: Add a netevent notifier to cma") +Cc: stable@vger.kernel.org +Co-developed-by: HÃ¥kon Bugge +Signed-off-by: HÃ¥kon Bugge +Signed-off-by: Sharath Srinivasan +Reviewed-by: Patrisious Haddad +Link: https://patch.msgid.link/bf0082f9-5b25-4593-92c6-d130aa8ba439@oracle.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/cma.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -72,6 +72,8 @@ static const char * const cma_events[] = + static void cma_iboe_set_mgid(struct sockaddr *addr, union ib_gid *mgid, + enum ib_gid_type gid_type); + ++static void cma_netevent_work_handler(struct work_struct *_work); ++ + const char *__attribute_const__ rdma_event_msg(enum rdma_cm_event_type event) + { + size_t index = event; +@@ -1017,6 +1019,7 @@ __rdma_create_id(struct net *net, rdma_c + get_random_bytes(&id_priv->seq_num, sizeof id_priv->seq_num); + id_priv->id.route.addr.dev_addr.net = get_net(net); + id_priv->seq_num &= 0x00ffffff; ++ INIT_WORK(&id_priv->id.net_work, cma_netevent_work_handler); + + rdma_restrack_new(&id_priv->res, RDMA_RESTRACK_CM_ID); + if (parent) +@@ -5211,7 +5214,6 @@ static int cma_netevent_callback(struct + if (!memcmp(current_id->id.route.addr.dev_addr.dst_dev_addr, + neigh->ha, ETH_ALEN)) + continue; +- INIT_WORK(¤t_id->id.net_work, cma_netevent_work_handler); + cma_id_get(current_id); + queue_work(cma_wq, ¤t_id->id.net_work); + } diff --git a/queue-6.6/revert-smb-client-fix-netns-refcount-imbalance-causing-leaks-and-use-after-free.patch b/queue-6.6/revert-smb-client-fix-netns-refcount-imbalance-causing-leaks-and-use-after-free.patch new file mode 100644 index 0000000000..946915f3ab --- /dev/null +++ b/queue-6.6/revert-smb-client-fix-netns-refcount-imbalance-causing-leaks-and-use-after-free.patch @@ -0,0 +1,79 @@ +From c707193a17128fae2802d10cbad7239cc57f0c95 Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Wed, 2 Apr 2025 13:26:47 -0700 +Subject: Revert "smb: client: Fix netns refcount imbalance causing leaks and use-after-free" + +From: Kuniyuki Iwashima + +commit c707193a17128fae2802d10cbad7239cc57f0c95 upstream. + +This reverts commit 4e7f1644f2ac6d01dc584f6301c3b1d5aac4eaef. + +The commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after +rmmod") is not only a bogus fix for LOCKDEP null-ptr-deref but also +introduces a real issue, TCP sockets leak, which will be explained in +detail in the next revert. + +Also, CNA assigned CVE-2024-54680 to it but is rejecting it. [0] + +Thus, we are reverting the commit and its follow-up commit 4e7f1644f2ac +("smb: client: Fix netns refcount imbalance causing leaks and +use-after-free"). + +Link: https://lore.kernel.org/all/2025040248-tummy-smilingly-4240@gregkh/ #[0] +Fixes: 4e7f1644f2ac ("smb: client: Fix netns refcount imbalance causing leaks and use-after-free") +Signed-off-by: Kuniyuki Iwashima +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/connect.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -316,7 +316,6 @@ cifs_abort_connection(struct TCP_Server_ + server->ssocket->flags); + sock_release(server->ssocket); + server->ssocket = NULL; +- put_net(cifs_net_ns(server)); + } + server->sequence_number = 0; + server->session_estab = false; +@@ -3150,12 +3149,8 @@ generic_ip_connect(struct TCP_Server_Inf + /* + * Grab netns reference for the socket. + * +- * This reference will be released in several situations: +- * - In the failure path before the cifsd thread is started. +- * - In the all place where server->socket is released, it is +- * also set to NULL. +- * - Ultimately in clean_demultiplex_info(), during the final +- * teardown. ++ * It'll be released here, on error, or in clean_demultiplex_info() upon server ++ * teardown. + */ + get_net(net); + +@@ -3171,8 +3166,10 @@ generic_ip_connect(struct TCP_Server_Inf + } + + rc = bind_socket(server); +- if (rc < 0) ++ if (rc < 0) { ++ put_net(cifs_net_ns(server)); + return rc; ++ } + + /* + * Eventually check for other socket options to change from +@@ -3218,6 +3215,9 @@ generic_ip_connect(struct TCP_Server_Inf + if (sport == htons(RFC1001_PORT)) + rc = ip_rfc1001_connect(server); + ++ if (rc < 0) ++ put_net(cifs_net_ns(server)); ++ + return rc; + } + diff --git a/queue-6.6/revert-smb-client-fix-tcp-timers-deadlock-after-rmmod.patch b/queue-6.6/revert-smb-client-fix-tcp-timers-deadlock-after-rmmod.patch new file mode 100644 index 0000000000..c474fd2eb9 --- /dev/null +++ b/queue-6.6/revert-smb-client-fix-tcp-timers-deadlock-after-rmmod.patch @@ -0,0 +1,195 @@ +From 95d2b9f693ff2a1180a23d7d59acc0c4e72f4c41 Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Wed, 2 Apr 2025 13:26:48 -0700 +Subject: Revert "smb: client: fix TCP timers deadlock after rmmod" + +From: Kuniyuki Iwashima + +commit 95d2b9f693ff2a1180a23d7d59acc0c4e72f4c41 upstream. + +This reverts commit e9f2517a3e18a54a3943c098d2226b245d488801. + +Commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after +rmmod") is intended to fix a null-ptr-deref in LOCKDEP, which is +mentioned as CVE-2024-54680, but is actually did not fix anything; +The issue can be reproduced on top of it. [0] + +Also, it reverted the change by commit ef7134c7fc48 ("smb: client: +Fix use-after-free of network namespace.") and introduced a real +issue by reviving the kernel TCP socket. + +When a reconnect happens for a CIFS connection, the socket state +transitions to FIN_WAIT_1. Then, inet_csk_clear_xmit_timers_sync() +in tcp_close() stops all timers for the socket. + +If an incoming FIN packet is lost, the socket will stay at FIN_WAIT_1 +forever, and such sockets could be leaked up to net.ipv4.tcp_max_orphans. + +Usually, FIN can be retransmitted by the peer, but if the peer aborts +the connection, the issue comes into reality. + +I warned about this privately by pointing out the exact report [1], +but the bogus fix was finally merged. + +So, we should not stop the timers to finally kill the connection on +our side in that case, meaning we must not use a kernel socket for +TCP whose sk->sk_net_refcnt is 0. + +The kernel socket does not have a reference to its netns to make it +possible to tear down netns without cleaning up every resource in it. + +For example, tunnel devices use a UDP socket internally, but we can +destroy netns without removing such devices and let it complete +during exit. Otherwise, netns would be leaked when the last application +died. + +However, this is problematic for TCP sockets because TCP has timers to +close the connection gracefully even after the socket is close()d. The +lifetime of the socket and its netns is different from the lifetime of +the underlying connection. + +If the socket user does not maintain the netns lifetime, the timer could +be fired after the socket is close()d and its netns is freed up, resulting +in use-after-free. + +Actually, we have seen so many similar issues and converted such sockets +to have a reference to netns. + +That's why I converted the CIFS client socket to have a reference to +netns (sk->sk_net_refcnt == 1), which is somehow mentioned as out-of-scope +of CIFS and technically wrong in e9f2517a3e18, but **is in-scope and right +fix**. + +Regarding the LOCKDEP issue, we can prevent the module unload by +bumping the module refcount when switching the LOCKDDEP key in +sock_lock_init_class_and_name(). [2] + +For a while, let's revert the bogus fix. + +Note that now we can use sk_net_refcnt_upgrade() for the socket +conversion, but I'll do so later separately to make backport easy. + +Link: https://lore.kernel.org/all/20250402020807.28583-1-kuniyu@amazon.com/ #[0] +Link: https://lore.kernel.org/netdev/c08bd5378da647a2a4c16698125d180a@huawei.com/ #[1] +Link: https://lore.kernel.org/lkml/20250402005841.19846-1-kuniyu@amazon.com/ #[2] +Fixes: e9f2517a3e18 ("smb: client: fix TCP timers deadlock after rmmod") +Signed-off-by: Kuniyuki Iwashima +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/connect.c | 36 ++++++++++-------------------------- + 1 file changed, 10 insertions(+), 26 deletions(-) + +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -1003,13 +1003,9 @@ clean_demultiplex_info(struct TCP_Server + msleep(125); + if (cifs_rdma_enabled(server)) + smbd_destroy(server); +- + if (server->ssocket) { + sock_release(server->ssocket); + server->ssocket = NULL; +- +- /* Release netns reference for the socket. */ +- put_net(cifs_net_ns(server)); + } + + if (!list_empty(&server->pending_mid_q)) { +@@ -1058,7 +1054,6 @@ clean_demultiplex_info(struct TCP_Server + */ + } + +- /* Release netns reference for this server. */ + put_net(cifs_net_ns(server)); + kfree(server->leaf_fullpath); + kfree(server->hostname); +@@ -1730,8 +1725,6 @@ cifs_get_tcp_session(struct smb3_fs_cont + + tcp_ses->ops = ctx->ops; + tcp_ses->vals = ctx->vals; +- +- /* Grab netns reference for this server. */ + cifs_set_net_ns(tcp_ses, get_net(current->nsproxy->net_ns)); + + tcp_ses->conn_id = atomic_inc_return(&tcpSesNextId); +@@ -1863,7 +1856,6 @@ smbd_connected: + out_err_crypto_release: + cifs_crypto_secmech_release(tcp_ses); + +- /* Release netns reference for this server. */ + put_net(cifs_net_ns(tcp_ses)); + + out_err: +@@ -1872,10 +1864,8 @@ out_err: + cifs_put_tcp_session(tcp_ses->primary_server, false); + kfree(tcp_ses->hostname); + kfree(tcp_ses->leaf_fullpath); +- if (tcp_ses->ssocket) { ++ if (tcp_ses->ssocket) + sock_release(tcp_ses->ssocket); +- put_net(cifs_net_ns(tcp_ses)); +- } + kfree(tcp_ses); + } + return ERR_PTR(rc); +@@ -3139,20 +3129,20 @@ generic_ip_connect(struct TCP_Server_Inf + socket = server->ssocket; + } else { + struct net *net = cifs_net_ns(server); ++ struct sock *sk; + +- rc = sock_create_kern(net, sfamily, SOCK_STREAM, IPPROTO_TCP, &server->ssocket); ++ rc = __sock_create(net, sfamily, SOCK_STREAM, ++ IPPROTO_TCP, &server->ssocket, 1); + if (rc < 0) { + cifs_server_dbg(VFS, "Error %d creating socket\n", rc); + return rc; + } + +- /* +- * Grab netns reference for the socket. +- * +- * It'll be released here, on error, or in clean_demultiplex_info() upon server +- * teardown. +- */ +- get_net(net); ++ sk = server->ssocket->sk; ++ __netns_tracker_free(net, &sk->ns_tracker, false); ++ sk->sk_net_refcnt = 1; ++ get_net_track(net, &sk->ns_tracker, GFP_KERNEL); ++ sock_inuse_add(net, 1); + + /* BB other socket options to set KEEPALIVE, NODELAY? */ + cifs_dbg(FYI, "Socket created\n"); +@@ -3166,10 +3156,8 @@ generic_ip_connect(struct TCP_Server_Inf + } + + rc = bind_socket(server); +- if (rc < 0) { +- put_net(cifs_net_ns(server)); ++ if (rc < 0) + return rc; +- } + + /* + * Eventually check for other socket options to change from +@@ -3206,7 +3194,6 @@ generic_ip_connect(struct TCP_Server_Inf + if (rc < 0) { + cifs_dbg(FYI, "Error %d connecting to server\n", rc); + trace_smb3_connect_err(server->hostname, server->conn_id, &server->dstaddr, rc); +- put_net(cifs_net_ns(server)); + sock_release(socket); + server->ssocket = NULL; + return rc; +@@ -3215,9 +3202,6 @@ generic_ip_connect(struct TCP_Server_Inf + if (sport == htons(RFC1001_PORT)) + rc = ip_rfc1001_connect(server); + +- if (rc < 0) +- put_net(cifs_net_ns(server)); +- + return rc; + } + diff --git a/queue-6.6/riscv-avoid-fortify-warning-in-syscall_get_arguments.patch b/queue-6.6/riscv-avoid-fortify-warning-in-syscall_get_arguments.patch new file mode 100644 index 0000000000..6f122c39bf --- /dev/null +++ b/queue-6.6/riscv-avoid-fortify-warning-in-syscall_get_arguments.patch @@ -0,0 +1,67 @@ +From adf53771a3123df99ca26e38818760fbcf5c05d0 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 9 Apr 2025 14:24:46 -0700 +Subject: riscv: Avoid fortify warning in syscall_get_arguments() + +From: Nathan Chancellor + +commit adf53771a3123df99ca26e38818760fbcf5c05d0 upstream. + +When building with CONFIG_FORTIFY_SOURCE=y and W=1, there is a warning +because of the memcpy() in syscall_get_arguments(): + + In file included from include/linux/string.h:392, + from include/linux/bitmap.h:13, + from include/linux/cpumask.h:12, + from arch/riscv/include/asm/processor.h:55, + from include/linux/sched.h:13, + from kernel/ptrace.c:13: + In function 'fortify_memcpy_chk', + inlined from 'syscall_get_arguments.isra' at arch/riscv/include/asm/syscall.h:66:2: + include/linux/fortify-string.h:580:25: error: call to '__read_overflow2_field' declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning] + 580 | __read_overflow2_field(q_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + cc1: all warnings being treated as errors + +The fortified memcpy() routine enforces that the source is not overread +and the destination is not overwritten if the size of either field and +the size of the copy are known at compile time. The memcpy() in +syscall_get_arguments() intentionally overreads from a1 to a5 in +'struct pt_regs' but this is bigger than the size of a1. + +Normally, this could be solved by wrapping a1 through a5 with +struct_group() but there was already a struct_group() applied to these +members in commit bba547810c66 ("riscv: tracing: Fix +__write_overflow_field in ftrace_partial_regs()"). + +Just avoid memcpy() altogether and write the copying of args from regs +manually, which clears up the warning at the expense of three extra +lines of code. + +Signed-off-by: Nathan Chancellor +Reviewed-by: Dmitry V. Levin +Fixes: e2c0cdfba7f6 ("RISC-V: User-facing API") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250409-riscv-avoid-fortify-warning-syscall_get_arguments-v1-1-7853436d4755@kernel.org +Signed-off-by: Palmer Dabbelt +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/syscall.h | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/arch/riscv/include/asm/syscall.h ++++ b/arch/riscv/include/asm/syscall.h +@@ -62,8 +62,11 @@ static inline void syscall_get_arguments + unsigned long *args) + { + args[0] = regs->orig_a0; +- args++; +- memcpy(args, ®s->a1, 5 * sizeof(args[0])); ++ args[1] = regs->a1; ++ args[2] = regs->a2; ++ args[3] = regs->a3; ++ args[4] = regs->a4; ++ args[5] = regs->a5; + } + + static inline int syscall_get_arch(struct task_struct *task) diff --git a/queue-6.6/scsi-megaraid_sas-block-zero-length-ata-vpd-inquiry.patch b/queue-6.6/scsi-megaraid_sas-block-zero-length-ata-vpd-inquiry.patch new file mode 100644 index 0000000000..0106f941c8 --- /dev/null +++ b/queue-6.6/scsi-megaraid_sas-block-zero-length-ata-vpd-inquiry.patch @@ -0,0 +1,69 @@ +From aad9945623ab4029ae7789609fb6166c97976c62 Mon Sep 17 00:00:00 2001 +From: Chandrakanth Patil +Date: Thu, 3 Apr 2025 01:07:34 +0530 +Subject: scsi: megaraid_sas: Block zero-length ATA VPD inquiry + +From: Chandrakanth Patil + +commit aad9945623ab4029ae7789609fb6166c97976c62 upstream. + +A firmware bug was observed where ATA VPD inquiry commands with a +zero-length data payload were not handled and failed with a non-standard +status code of 0xf0. + +Avoid sending ATA VPD inquiry commands without data payload by setting +the device no_vpd_size flag to 1. In addition, if the firmware returns a +status code of 0xf0, set scsi_cmnd->result to CHECK_CONDITION to +facilitate proper error handling. + +Suggested-by: Martin K. Petersen +Signed-off-by: Chandrakanth Patil +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250402193735.5098-1-chandrakanth.patil@broadcom.com +Tested-by: Ryan Lahfa +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/megaraid/megaraid_sas_base.c | 9 +++++++-- + drivers/scsi/megaraid/megaraid_sas_fusion.c | 5 ++++- + 2 files changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -2101,6 +2101,9 @@ static int megasas_slave_configure(struc + /* This sdev property may change post OCR */ + megasas_set_dynamic_target_properties(sdev, is_target_prop); + ++ if (!MEGASAS_IS_LOGICAL(sdev)) ++ sdev->no_vpd_size = 1; ++ + mutex_unlock(&instance->reset_mutex); + + return 0; +@@ -3660,8 +3663,10 @@ megasas_complete_cmd(struct megasas_inst + + case MFI_STAT_SCSI_IO_FAILED: + case MFI_STAT_LD_INIT_IN_PROGRESS: +- cmd->scmd->result = +- (DID_ERROR << 16) | hdr->scsi_status; ++ if (hdr->scsi_status == 0xf0) ++ cmd->scmd->result = (DID_ERROR << 16) | SAM_STAT_CHECK_CONDITION; ++ else ++ cmd->scmd->result = (DID_ERROR << 16) | hdr->scsi_status; + break; + + case MFI_STAT_SCSI_DONE_WITH_ERROR: +--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c ++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c +@@ -2043,7 +2043,10 @@ map_cmd_status(struct fusion_context *fu + + case MFI_STAT_SCSI_IO_FAILED: + case MFI_STAT_LD_INIT_IN_PROGRESS: +- scmd->result = (DID_ERROR << 16) | ext_status; ++ if (ext_status == 0xf0) ++ scmd->result = (DID_ERROR << 16) | SAM_STAT_CHECK_CONDITION; ++ else ++ scmd->result = (DID_ERROR << 16) | ext_status; + break; + + case MFI_STAT_SCSI_DONE_WITH_ERROR: diff --git a/queue-6.6/scsi-ufs-exynos-ensure-consistent-phy-reference-counts.patch b/queue-6.6/scsi-ufs-exynos-ensure-consistent-phy-reference-counts.patch new file mode 100644 index 0000000000..29cb2ea5ff --- /dev/null +++ b/queue-6.6/scsi-ufs-exynos-ensure-consistent-phy-reference-counts.patch @@ -0,0 +1,43 @@ +From 7f05fd9a3b6fb3a9abc5a748307d11831c03175f Mon Sep 17 00:00:00 2001 +From: Peter Griffin +Date: Wed, 19 Mar 2025 15:30:21 +0000 +Subject: scsi: ufs: exynos: Ensure consistent phy reference counts + +From: Peter Griffin + +commit 7f05fd9a3b6fb3a9abc5a748307d11831c03175f upstream. + +ufshcd_link_startup() can call ufshcd_vops_link_startup_notify() +multiple times when retrying. This causes the phy reference count to +keep increasing and the phy to not properly re-initialize. + +If the phy has already been previously powered on, first issue a +phy_power_off() and phy_exit(), before re-initializing and powering on +again. + +Signed-off-by: Peter Griffin +Link: https://lore.kernel.org/r/20250319-exynos-ufs-stability-fixes-v2-4-96722cc2ba1b@linaro.org +Fixes: 3d73b200f989 ("scsi: ufs: ufs-exynos: Change ufs phy control sequence") +Cc: stable@vger.kernel.org +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/host/ufs-exynos.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/ufs/host/ufs-exynos.c ++++ b/drivers/ufs/host/ufs-exynos.c +@@ -901,6 +901,12 @@ static int exynos_ufs_phy_init(struct ex + } + + phy_set_bus_width(generic_phy, ufs->avail_ln_rx); ++ ++ if (generic_phy->power_count) { ++ phy_power_off(generic_phy); ++ phy_exit(generic_phy); ++ } ++ + ret = phy_init(generic_phy); + if (ret) { + dev_err(hba->dev, "%s: phy init failed, ret = %d\n", diff --git a/queue-6.6/selftests-mm-generate-a-temporary-mountpoint-for-cgroup-filesystem.patch b/queue-6.6/selftests-mm-generate-a-temporary-mountpoint-for-cgroup-filesystem.patch new file mode 100644 index 0000000000..5e01343950 --- /dev/null +++ b/queue-6.6/selftests-mm-generate-a-temporary-mountpoint-for-cgroup-filesystem.patch @@ -0,0 +1,72 @@ +From 9c02223e2d9df5cb37c51aedb78f3960294e09b5 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Fri, 4 Apr 2025 17:42:32 +0100 +Subject: selftests/mm: generate a temporary mountpoint for cgroup filesystem + +From: Mark Brown + +commit 9c02223e2d9df5cb37c51aedb78f3960294e09b5 upstream. + +Currently if the filesystem for the cgroups version it wants to use is not +mounted charge_reserved_hugetlb.sh and hugetlb_reparenting_test.sh tests +will attempt to mount it on the hard coded path /dev/cgroup/memory, +deleting that directory when the test finishes. This will fail if there +is not a preexisting directory at that path, and since the directory is +deleted subsequent runs of the test will fail. Instead of relying on this +hard coded directory name use mktemp to generate a temporary directory to +use as a mountpoint, fixing both the assumption and the disruption caused +by deleting a preexisting directory. + +This means that if the relevant cgroup filesystem is not already mounted +then we rely on having coreutils (which provides mktemp) installed. I +suspect that many current users are relying on having things automounted +by default, and given that the script relies on bash it's probably not an +unreasonable requirement. + +Link: https://lkml.kernel.org/r/20250404-kselftest-mm-cgroup2-detection-v1-1-3dba6d32ba8c@kernel.org +Fixes: 209376ed2a84 ("selftests/vm: make charge_reserved_hugetlb.sh work with existing cgroup setting") +Signed-off-by: Mark Brown +Cc: Aishwarya TCV +Cc: Mark Brown +Cc: Mina Almasry +Cc: Shuah Khan +Cc: Waiman Long +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/mm/charge_reserved_hugetlb.sh | 4 ++-- + tools/testing/selftests/mm/hugetlb_reparenting_test.sh | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/tools/testing/selftests/mm/charge_reserved_hugetlb.sh ++++ b/tools/testing/selftests/mm/charge_reserved_hugetlb.sh +@@ -27,7 +27,7 @@ fi + if [[ $cgroup2 ]]; then + cgroup_path=$(mount -t cgroup2 | head -1 | awk '{print $3}') + if [[ -z "$cgroup_path" ]]; then +- cgroup_path=/dev/cgroup/memory ++ cgroup_path=$(mktemp -d) + mount -t cgroup2 none $cgroup_path + do_umount=1 + fi +@@ -35,7 +35,7 @@ if [[ $cgroup2 ]]; then + else + cgroup_path=$(mount -t cgroup | grep ",hugetlb" | awk '{print $3}') + if [[ -z "$cgroup_path" ]]; then +- cgroup_path=/dev/cgroup/memory ++ cgroup_path=$(mktemp -d) + mount -t cgroup memory,hugetlb $cgroup_path + do_umount=1 + fi +--- a/tools/testing/selftests/mm/hugetlb_reparenting_test.sh ++++ b/tools/testing/selftests/mm/hugetlb_reparenting_test.sh +@@ -22,7 +22,7 @@ fi + if [[ $cgroup2 ]]; then + CGROUP_ROOT=$(mount -t cgroup2 | head -1 | awk '{print $3}') + if [[ -z "$CGROUP_ROOT" ]]; then +- CGROUP_ROOT=/dev/cgroup/memory ++ CGROUP_ROOT=$(mktemp -d) + mount -t cgroup2 none $CGROUP_ROOT + do_umount=1 + fi diff --git a/queue-6.6/series b/queue-6.6/series index a5ba091c61..677ced7984 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -307,3 +307,39 @@ nfs-add-missing-selections-of-config_crc32.patch nfsd-decrease-sc_count-directly-if-fail-to-queue-dl_.patch i2c-atr-fix-wrong-include.patch ftrace-fix-incorrect-hash-size-in-register_ftrace_di.patch +bluetooth-l2cap-process-valid-commands-in-too-long-frame.patch +bluetooth-vhci-avoid-needless-snprintf-calls.patch +btrfs-correctly-escape-subvol-in-btrfs_show_options.patch +cpufreq-avoid-using-inconsistent-policy-min-and-policy-max.patch +crypto-caam-qi-fix-drv_ctx-refcount-bug.patch +hfs-hfsplus-fix-slab-out-of-bounds-in-hfs_bnode_read_key.patch +i2c-cros-ec-tunnel-defer-probe-if-parent-ec-is-not-present.patch +isofs-prevent-the-use-of-too-small-fid.patch +loop-properly-send-kobj_changed-uevent-for-disk-device.patch +loop-loop_set_fd-send-uevents-for-partitions.patch +mm-gup-fix-wrongly-calculated-returned-value-in-fault_in_safe_writeable.patch +mm-fix-filemap_get_folios_contig-returning-batches-of-identical-folios.patch +mm-fix-apply_to_existing_page_range.patch +ovl-don-t-allow-datadir-only.patch +ksmbd-fix-dangling-pointer-in-krb_authenticate.patch +ksmbd-fix-use-after-free-in-smb_break_all_levii_oplock.patch +ksmbd-prevent-integer-overflow-in-calculation-of-deadtime.patch +ksmbd-fix-the-warning-from-__kernel_write_iter.patch +revert-smb-client-fix-netns-refcount-imbalance-causing-leaks-and-use-after-free.patch +revert-smb-client-fix-tcp-timers-deadlock-after-rmmod.patch +riscv-avoid-fortify-warning-in-syscall_get_arguments.patch +selftests-mm-generate-a-temporary-mountpoint-for-cgroup-filesystem.patch +smb3-client-fix-open-hardlink-on-deferred-close-file-error.patch +string-add-load_unaligned_zeropad-code-path-to-sized_strscpy.patch +tracing-fix-filter-string-testing.patch +virtiofs-add-filesystem-context-source-name-check.patch +x86-microcode-amd-extend-the-sha-check-to-zen5-block-loading-of-any-unreleased-standalone-zen5-microcode-patches.patch +x86-cpu-amd-fix-workaround-for-erratum-1054.patch +x86-boot-sev-avoid-shared-ghcb-page-for-early-memory-acceptance.patch +scsi-megaraid_sas-block-zero-length-ata-vpd-inquiry.patch +scsi-ufs-exynos-ensure-consistent-phy-reference-counts.patch +rdma-cma-fix-workqueue-crash-in-cma_netevent_work_handler.patch +perf-x86-intel-allow-to-update-user-space-gprs-from-pebs-records.patch +perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-snr.patch +perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-icx.patch +perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-spr.patch diff --git a/queue-6.6/smb3-client-fix-open-hardlink-on-deferred-close-file-error.patch b/queue-6.6/smb3-client-fix-open-hardlink-on-deferred-close-file-error.patch new file mode 100644 index 0000000000..8a682902bc --- /dev/null +++ b/queue-6.6/smb3-client-fix-open-hardlink-on-deferred-close-file-error.patch @@ -0,0 +1,107 @@ +From 262b73ef442e68e53220b9d6fc5a0d08b557fa42 Mon Sep 17 00:00:00 2001 +From: Chunjie Zhu +Date: Sat, 12 Apr 2025 21:15:55 -0500 +Subject: smb3 client: fix open hardlink on deferred close file error + +From: Chunjie Zhu + +commit 262b73ef442e68e53220b9d6fc5a0d08b557fa42 upstream. + +The following Python script results in unexpected behaviour when run on +a CIFS filesystem against a Windows Server: + + # Create file + fd = os.open('test', os.O_WRONLY|os.O_CREAT) + os.write(fd, b'foo') + os.close(fd) + + # Open and close the file to leave a pending deferred close + fd = os.open('test', os.O_RDONLY|os.O_DIRECT) + os.close(fd) + + # Try to open the file via a hard link + os.link('test', 'new') + newfd = os.open('new', os.O_RDONLY|os.O_DIRECT) + +The final open returns EINVAL due to the server returning +STATUS_INVALID_PARAMETER. The root cause of this is that the client +caches lease keys per inode, but the spec requires them to be related to +the filename which causes problems when hard links are involved: + +From MS-SMB2 section 3.3.5.9.11: + +"The server MUST attempt to locate a Lease by performing a lookup in the +LeaseTable.LeaseList using the LeaseKey in the +SMB2_CREATE_REQUEST_LEASE_V2 as the lookup key. If a lease is found, +Lease.FileDeleteOnClose is FALSE, and Lease.Filename does not match the +file name for the incoming request, the request MUST be failed with +STATUS_INVALID_PARAMETER" + +On client side, we first check the context of file open, if it hits above +conditions, we first close all opening files which are belong to the same +inode, then we do open the hard link file. + +Cc: stable@vger.kernel.org +Signed-off-by: Chunjie Zhu +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifsproto.h | 2 ++ + fs/smb/client/file.c | 28 ++++++++++++++++++++++++++++ + 2 files changed, 30 insertions(+) + +--- a/fs/smb/client/cifsproto.h ++++ b/fs/smb/client/cifsproto.h +@@ -158,6 +158,8 @@ extern int cifs_get_writable_path(struct + extern struct cifsFileInfo *find_readable_file(struct cifsInodeInfo *, bool); + extern int cifs_get_readable_path(struct cifs_tcon *tcon, const char *name, + struct cifsFileInfo **ret_file); ++extern int cifs_get_hardlink_path(struct cifs_tcon *tcon, struct inode *inode, ++ struct file *file); + extern unsigned int smbCalcSize(void *buf); + extern int decode_negTokenInit(unsigned char *security_blob, int length, + struct TCP_Server_Info *server); +--- a/fs/smb/client/file.c ++++ b/fs/smb/client/file.c +@@ -816,6 +816,11 @@ int cifs_open(struct inode *inode, struc + } else { + _cifsFileInfo_put(cfile, true, false); + } ++ } else { ++ /* hard link on the defeered close file */ ++ rc = cifs_get_hardlink_path(tcon, inode, file); ++ if (rc) ++ cifs_close_deferred_file(CIFS_I(inode)); + } + + if (server->oplocks) +@@ -1878,6 +1883,29 @@ cifs_move_llist(struct list_head *source + list_move(li, dest); + } + ++int ++cifs_get_hardlink_path(struct cifs_tcon *tcon, struct inode *inode, ++ struct file *file) ++{ ++ struct cifsFileInfo *open_file = NULL; ++ struct cifsInodeInfo *cinode = CIFS_I(inode); ++ int rc = 0; ++ ++ spin_lock(&tcon->open_file_lock); ++ spin_lock(&cinode->open_file_lock); ++ ++ list_for_each_entry(open_file, &cinode->openFileList, flist) { ++ if (file->f_flags == open_file->f_flags) { ++ rc = -EINVAL; ++ break; ++ } ++ } ++ ++ spin_unlock(&cinode->open_file_lock); ++ spin_unlock(&tcon->open_file_lock); ++ return rc; ++} ++ + void + cifs_free_llist(struct list_head *llist) + { diff --git a/queue-6.6/string-add-load_unaligned_zeropad-code-path-to-sized_strscpy.patch b/queue-6.6/string-add-load_unaligned_zeropad-code-path-to-sized_strscpy.patch new file mode 100644 index 0000000000..d4d2c9d773 --- /dev/null +++ b/queue-6.6/string-add-load_unaligned_zeropad-code-path-to-sized_strscpy.patch @@ -0,0 +1,70 @@ +From d94c12bd97d567de342fd32599e7cd9e50bfa140 Mon Sep 17 00:00:00 2001 +From: Peter Collingbourne +Date: Wed, 2 Apr 2025 17:06:59 -0700 +Subject: string: Add load_unaligned_zeropad() code path to sized_strscpy() + +From: Peter Collingbourne + +commit d94c12bd97d567de342fd32599e7cd9e50bfa140 upstream. + +The call to read_word_at_a_time() in sized_strscpy() is problematic +with MTE because it may trigger a tag check fault when reading +across a tag granule (16 bytes) boundary. To make this code +MTE compatible, let's start using load_unaligned_zeropad() +on architectures where it is available (i.e. architectures that +define CONFIG_DCACHE_WORD_ACCESS). Because load_unaligned_zeropad() +takes care of page boundaries as well as tag granule boundaries, +also disable the code preventing crossing page boundaries when using +load_unaligned_zeropad(). + +Signed-off-by: Peter Collingbourne +Link: https://linux-review.googlesource.com/id/If4b22e43b5a4ca49726b4bf98ada827fdf755548 +Fixes: 94ab5b61ee16 ("kasan, arm64: enable CONFIG_KASAN_HW_TAGS") +Cc: stable@vger.kernel.org +Reviewed-by: Catalin Marinas +Link: https://lore.kernel.org/r/20250403000703.2584581-2-pcc@google.com +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman +--- + lib/string.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/lib/string.c ++++ b/lib/string.c +@@ -128,6 +128,7 @@ ssize_t strscpy(char *dest, const char * + if (count == 0 || WARN_ON_ONCE(count > INT_MAX)) + return -E2BIG; + ++#ifndef CONFIG_DCACHE_WORD_ACCESS + #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS + /* + * If src is unaligned, don't cross a page boundary, +@@ -143,11 +144,13 @@ ssize_t strscpy(char *dest, const char * + if (((long) dest | (long) src) & (sizeof(long) - 1)) + max = 0; + #endif ++#endif + + /* +- * read_word_at_a_time() below may read uninitialized bytes after the +- * trailing zero and use them in comparisons. Disable this optimization +- * under KMSAN to prevent false positive reports. ++ * load_unaligned_zeropad() or read_word_at_a_time() below may read ++ * uninitialized bytes after the trailing zero and use them in ++ * comparisons. Disable this optimization under KMSAN to prevent ++ * false positive reports. + */ + if (IS_ENABLED(CONFIG_KMSAN)) + max = 0; +@@ -155,7 +158,11 @@ ssize_t strscpy(char *dest, const char * + while (max >= sizeof(unsigned long)) { + unsigned long c, data; + ++#ifdef CONFIG_DCACHE_WORD_ACCESS ++ c = load_unaligned_zeropad(src+res); ++#else + c = read_word_at_a_time(src+res); ++#endif + if (has_zero(c, &data, &constants)) { + data = prep_zero_mask(c, data, &constants); + data = create_zero_mask(data); diff --git a/queue-6.6/tracing-fix-filter-string-testing.patch b/queue-6.6/tracing-fix-filter-string-testing.patch new file mode 100644 index 0000000000..cee1d42491 --- /dev/null +++ b/queue-6.6/tracing-fix-filter-string-testing.patch @@ -0,0 +1,62 @@ +From a8c5b0ed89a3f2c81c6ae0b041394e6eea0e7024 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Thu, 17 Apr 2025 18:30:03 -0400 +Subject: tracing: Fix filter string testing + +From: Steven Rostedt + +commit a8c5b0ed89a3f2c81c6ae0b041394e6eea0e7024 upstream. + +The filter string testing uses strncpy_from_kernel/user_nofault() to +retrieve the string to test the filter against. The if() statement was +incorrect as it considered 0 as a fault, when it is only negative that it +faulted. + +Running the following commands: + + # cd /sys/kernel/tracing + # echo "filename.ustring ~ \"/proc*\"" > events/syscalls/sys_enter_openat/filter + # echo 1 > events/syscalls/sys_enter_openat/enable + # ls /proc/$$/maps + # cat trace + +Would produce nothing, but with the fix it will produce something like: + + ls-1192 [007] ..... 8169.828333: sys_openat(dfd: ffffffffffffff9c, filename: 7efc18359904, flags: 80000, mode: 0) + +Link: https://lore.kernel.org/all/CAEf4BzbVPQ=BjWztmEwBPRKHUwNfKBkS3kce-Rzka6zvbQeVpg@mail.gmail.com/ + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Cc: Andrew Morton +Link: https://lore.kernel.org/20250417183003.505835fb@gandalf.local.home +Fixes: 77360f9bbc7e5 ("tracing: Add test for user space strings when filtering on string pointers") +Reported-by: Andrii Nakryiko +Reported-by: Mykyta Yatsenko +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events_filter.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/trace/trace_events_filter.c ++++ b/kernel/trace/trace_events_filter.c +@@ -808,7 +808,7 @@ static __always_inline char *test_string + kstr = ubuf->buffer; + + /* For safety, do not trust the string pointer */ +- if (!strncpy_from_kernel_nofault(kstr, str, USTRING_BUF_SIZE)) ++ if (strncpy_from_kernel_nofault(kstr, str, USTRING_BUF_SIZE) < 0) + return NULL; + return kstr; + } +@@ -827,7 +827,7 @@ static __always_inline char *test_ustrin + + /* user space address? */ + ustr = (char __user *)str; +- if (!strncpy_from_user_nofault(kstr, ustr, USTRING_BUF_SIZE)) ++ if (strncpy_from_user_nofault(kstr, ustr, USTRING_BUF_SIZE) < 0) + return NULL; + + return kstr; diff --git a/queue-6.6/virtiofs-add-filesystem-context-source-name-check.patch b/queue-6.6/virtiofs-add-filesystem-context-source-name-check.patch new file mode 100644 index 0000000000..1bed63951d --- /dev/null +++ b/queue-6.6/virtiofs-add-filesystem-context-source-name-check.patch @@ -0,0 +1,35 @@ +From a94fd938df2b1628da66b498aa0eeb89593bc7a2 Mon Sep 17 00:00:00 2001 +From: Xiangsheng Hou +Date: Mon, 7 Apr 2025 19:50:49 +0800 +Subject: virtiofs: add filesystem context source name check + +From: Xiangsheng Hou + +commit a94fd938df2b1628da66b498aa0eeb89593bc7a2 upstream. + +In certain scenarios, for example, during fuzz testing, the source +name may be NULL, which could lead to a kernel panic. Therefore, an +extra check for the source name should be added. + +Fixes: a62a8ef9d97d ("virtio-fs: add virtiofs filesystem") +Cc: # all LTS kernels +Signed-off-by: Xiangsheng Hou +Link: https://lore.kernel.org/20250407115111.25535-1-xiangsheng.hou@mediatek.com +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/virtio_fs.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/fuse/virtio_fs.c ++++ b/fs/fuse/virtio_fs.c +@@ -1430,6 +1430,9 @@ static int virtio_fs_get_tree(struct fs_ + unsigned int virtqueue_size; + int err = -EIO; + ++ if (!fsc->source) ++ return invalf(fsc, "No source specified"); ++ + /* This gets a reference on virtio_fs object. This ptr gets installed + * in fc->iq->priv. Once fuse_conn is going away, it calls ->put() + * to drop the reference to this object. diff --git a/queue-6.6/x86-boot-sev-avoid-shared-ghcb-page-for-early-memory-acceptance.patch b/queue-6.6/x86-boot-sev-avoid-shared-ghcb-page-for-early-memory-acceptance.patch new file mode 100644 index 0000000000..ba60ba2d06 --- /dev/null +++ b/queue-6.6/x86-boot-sev-avoid-shared-ghcb-page-for-early-memory-acceptance.patch @@ -0,0 +1,192 @@ +From d54d610243a4508183978871e5faff5502786cd4 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Thu, 17 Apr 2025 22:21:21 +0200 +Subject: x86/boot/sev: Avoid shared GHCB page for early memory acceptance + +From: Ard Biesheuvel + +commit d54d610243a4508183978871e5faff5502786cd4 upstream. + +Communicating with the hypervisor using the shared GHCB page requires +clearing the C bit in the mapping of that page. When executing in the +context of the EFI boot services, the page tables are owned by the +firmware, and this manipulation is not possible. + +So switch to a different API for accepting memory in SEV-SNP guests, one +which is actually supported at the point during boot where the EFI stub +may need to accept memory, but the SEV-SNP init code has not executed +yet. + +For simplicity, also switch the memory acceptance carried out by the +decompressor when not booting via EFI - this only involves the +allocation for the decompressed kernel, and is generally only called +after kexec, as normal boot will jump straight into the kernel from the +EFI stub. + +Fixes: 6c3211796326 ("x86/sev: Add SNP-specific unaccepted memory support") +Tested-by: Tom Lendacky +Co-developed-by: Tom Lendacky +Signed-off-by: Tom Lendacky +Signed-off-by: Ard Biesheuvel +Signed-off-by: Ingo Molnar +Cc: +Cc: Dionna Amalie Glaze +Cc: Kevin Loughlin +Cc: Kirill A. Shutemov +Cc: Linus Torvalds +Cc: linux-efi@vger.kernel.org +Link: https://lore.kernel.org/r/20250404082921.2767593-8-ardb+git@google.com # discussion thread #1 +Link: https://lore.kernel.org/r/20250410132850.3708703-2-ardb+git@google.com # discussion thread #2 +Link: https://lore.kernel.org/r/20250417202120.1002102-2-ardb+git@google.com # final submission +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/boot/compressed/mem.c | 5 ++- + arch/x86/boot/compressed/sev.c | 67 +++++++++-------------------------------- + arch/x86/boot/compressed/sev.h | 2 + + 3 files changed, 21 insertions(+), 53 deletions(-) + +--- a/arch/x86/boot/compressed/mem.c ++++ b/arch/x86/boot/compressed/mem.c +@@ -34,11 +34,14 @@ static bool early_is_tdx_guest(void) + + void arch_accept_memory(phys_addr_t start, phys_addr_t end) + { ++ static bool sevsnp; ++ + /* Platform-specific memory-acceptance call goes here */ + if (early_is_tdx_guest()) { + if (!tdx_accept_memory(start, end)) + panic("TDX: Failed to accept memory\n"); +- } else if (sev_snp_enabled()) { ++ } else if (sevsnp || (sev_get_status() & MSR_AMD64_SEV_SNP_ENABLED)) { ++ sevsnp = true; + snp_accept_memory(start, end); + } else { + error("Cannot accept memory: unknown platform\n"); +--- a/arch/x86/boot/compressed/sev.c ++++ b/arch/x86/boot/compressed/sev.c +@@ -135,10 +135,7 @@ bool sev_snp_enabled(void) + + static void __page_state_change(unsigned long paddr, enum psc_op op) + { +- u64 val; +- +- if (!sev_snp_enabled()) +- return; ++ u64 val, msr; + + /* + * If private -> shared then invalidate the page before requesting the +@@ -147,6 +144,9 @@ static void __page_state_change(unsigned + if (op == SNP_PAGE_STATE_SHARED && pvalidate(paddr, RMP_PG_SIZE_4K, 0)) + sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_PVALIDATE); + ++ /* Save the current GHCB MSR value */ ++ msr = sev_es_rd_ghcb_msr(); ++ + /* Issue VMGEXIT to change the page state in RMP table. */ + sev_es_wr_ghcb_msr(GHCB_MSR_PSC_REQ_GFN(paddr >> PAGE_SHIFT, op)); + VMGEXIT(); +@@ -156,6 +156,9 @@ static void __page_state_change(unsigned + if ((GHCB_RESP_CODE(val) != GHCB_MSR_PSC_RESP) || GHCB_MSR_PSC_RESP_VAL(val)) + sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_PSC); + ++ /* Restore the GHCB MSR value */ ++ sev_es_wr_ghcb_msr(msr); ++ + /* + * Now that page state is changed in the RMP table, validate it so that it is + * consistent with the RMP entry. +@@ -166,11 +169,17 @@ static void __page_state_change(unsigned + + void snp_set_page_private(unsigned long paddr) + { ++ if (!sev_snp_enabled()) ++ return; ++ + __page_state_change(paddr, SNP_PAGE_STATE_PRIVATE); + } + + void snp_set_page_shared(unsigned long paddr) + { ++ if (!sev_snp_enabled()) ++ return; ++ + __page_state_change(paddr, SNP_PAGE_STATE_SHARED); + } + +@@ -194,56 +203,10 @@ static bool early_setup_ghcb(void) + return true; + } + +-static phys_addr_t __snp_accept_memory(struct snp_psc_desc *desc, +- phys_addr_t pa, phys_addr_t pa_end) +-{ +- struct psc_hdr *hdr; +- struct psc_entry *e; +- unsigned int i; +- +- hdr = &desc->hdr; +- memset(hdr, 0, sizeof(*hdr)); +- +- e = desc->entries; +- +- i = 0; +- while (pa < pa_end && i < VMGEXIT_PSC_MAX_ENTRY) { +- hdr->end_entry = i; +- +- e->gfn = pa >> PAGE_SHIFT; +- e->operation = SNP_PAGE_STATE_PRIVATE; +- if (IS_ALIGNED(pa, PMD_SIZE) && (pa_end - pa) >= PMD_SIZE) { +- e->pagesize = RMP_PG_SIZE_2M; +- pa += PMD_SIZE; +- } else { +- e->pagesize = RMP_PG_SIZE_4K; +- pa += PAGE_SIZE; +- } +- +- e++; +- i++; +- } +- +- if (vmgexit_psc(boot_ghcb, desc)) +- sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_PSC); +- +- pvalidate_pages(desc); +- +- return pa; +-} +- + void snp_accept_memory(phys_addr_t start, phys_addr_t end) + { +- struct snp_psc_desc desc = {}; +- unsigned int i; +- phys_addr_t pa; +- +- if (!boot_ghcb && !early_setup_ghcb()) +- sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_PSC); +- +- pa = start; +- while (pa < end) +- pa = __snp_accept_memory(&desc, pa, end); ++ for (phys_addr_t pa = start; pa < end; pa += PAGE_SIZE) ++ __page_state_change(pa, SNP_PAGE_STATE_PRIVATE); + } + + void sev_es_shutdown_ghcb(void) +--- a/arch/x86/boot/compressed/sev.h ++++ b/arch/x86/boot/compressed/sev.h +@@ -12,11 +12,13 @@ + + bool sev_snp_enabled(void); + void snp_accept_memory(phys_addr_t start, phys_addr_t end); ++u64 sev_get_status(void); + + #else + + static inline bool sev_snp_enabled(void) { return false; } + static inline void snp_accept_memory(phys_addr_t start, phys_addr_t end) { } ++static inline u64 sev_get_status(void) { return 0; } + + #endif + diff --git a/queue-6.6/x86-cpu-amd-fix-workaround-for-erratum-1054.patch b/queue-6.6/x86-cpu-amd-fix-workaround-for-erratum-1054.patch new file mode 100644 index 0000000000..89b9f82bad --- /dev/null +++ b/queue-6.6/x86-cpu-amd-fix-workaround-for-erratum-1054.patch @@ -0,0 +1,67 @@ +From 263e55949d8902a6a09bdb92a1ab6a3f67231abe Mon Sep 17 00:00:00 2001 +From: Sandipan Das +Date: Fri, 18 Apr 2025 11:49:40 +0530 +Subject: x86/cpu/amd: Fix workaround for erratum 1054 + +From: Sandipan Das + +commit 263e55949d8902a6a09bdb92a1ab6a3f67231abe upstream. + +Erratum 1054 affects AMD Zen processors that are a part of Family 17h +Models 00-2Fh and the workaround is to not set HWCR[IRPerfEn]. However, +when X86_FEATURE_ZEN1 was introduced, the condition to detect unaffected +processors was incorrectly changed in a way that the IRPerfEn bit gets +set only for unaffected Zen 1 processors. + +Ensure that HWCR[IRPerfEn] is set for all unaffected processors. This +includes a subset of Zen 1 (Family 17h Models 30h and above) and all +later processors. Also clear X86_FEATURE_IRPERF on affected processors +so that the IRPerfCount register is not used by other entities like the +MSR PMU driver. + +Fixes: 232afb557835 ("x86/CPU/AMD: Add X86_FEATURE_ZEN1") +Signed-off-by: Sandipan Das +Signed-off-by: Ingo Molnar +Acked-by: Borislav Petkov +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/caa057a9d6f8ad579e2f1abaa71efbd5bd4eaf6d.1744956467.git.sandipan.das@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/amd.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -1039,6 +1039,16 @@ static void init_amd_zen1(struct cpuinfo + + pr_notice_once("AMD Zen1 DIV0 bug detected. Disable SMT for full protection.\n"); + setup_force_cpu_bug(X86_BUG_DIV0); ++ ++ /* ++ * Turn off the Instructions Retired free counter on machines that are ++ * susceptible to erratum #1054 "Instructions Retired Performance ++ * Counter May Be Inaccurate". ++ */ ++ if (c->x86_model < 0x30) { ++ msr_clear_bit(MSR_K7_HWCR, MSR_K7_HWCR_IRPERF_EN_BIT); ++ clear_cpu_cap(c, X86_FEATURE_IRPERF); ++ } + } + + static bool cpu_has_zenbleed_microcode(void) +@@ -1185,13 +1195,8 @@ static void init_amd(struct cpuinfo_x86 + if (!cpu_feature_enabled(X86_FEATURE_XENPV)) + set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS); + +- /* +- * Turn on the Instructions Retired free counter on machines not +- * susceptible to erratum #1054 "Instructions Retired Performance +- * Counter May Be Inaccurate". +- */ +- if (cpu_has(c, X86_FEATURE_IRPERF) && +- (boot_cpu_has(X86_FEATURE_ZEN1) && c->x86_model > 0x2f)) ++ /* Enable the Instructions Retired free counter */ ++ if (cpu_has(c, X86_FEATURE_IRPERF)) + msr_set_bit(MSR_K7_HWCR, MSR_K7_HWCR_IRPERF_EN_BIT); + + check_null_seg_clears_base(c); diff --git a/queue-6.6/x86-microcode-amd-extend-the-sha-check-to-zen5-block-loading-of-any-unreleased-standalone-zen5-microcode-patches.patch b/queue-6.6/x86-microcode-amd-extend-the-sha-check-to-zen5-block-loading-of-any-unreleased-standalone-zen5-microcode-patches.patch new file mode 100644 index 0000000000..c1e6a63e36 --- /dev/null +++ b/queue-6.6/x86-microcode-amd-extend-the-sha-check-to-zen5-block-loading-of-any-unreleased-standalone-zen5-microcode-patches.patch @@ -0,0 +1,56 @@ +From 805b743fc163f1abef7ce1bea8eca8dfab5b685b Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Thu, 10 Apr 2025 13:42:22 +0200 +Subject: x86/microcode/AMD: Extend the SHA check to Zen5, block loading of any unreleased standalone Zen5 microcode patches + +From: Borislav Petkov (AMD) + +commit 805b743fc163f1abef7ce1bea8eca8dfab5b685b upstream. + +All Zen5 machines out there should get BIOS updates which update to the +correct microcode patches addressing the microcode signature issue. +However, silly people carve out random microcode blobs from BIOS +packages and think are doing other people a service this way... + +Block loading of any unreleased standalone Zen5 microcode patches. + +Signed-off-by: Borislav Petkov (AMD) +Signed-off-by: Ingo Molnar +Cc: +Cc: Andrew Cooper +Cc: Boris Ostrovsky +Cc: Linus Torvalds +Cc: Maciej S. Szmigiero +Cc: Nikolay Borisov +Cc: Tom Lendacky +Link: https://lore.kernel.org/r/20250410114222.32523-1-bp@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/microcode/amd.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/cpu/microcode/amd.c ++++ b/arch/x86/kernel/cpu/microcode/amd.c +@@ -201,6 +201,12 @@ static bool need_sha_check(u32 cur_rev) + case 0xa70c0: return cur_rev <= 0xa70C009; break; + case 0xaa001: return cur_rev <= 0xaa00116; break; + case 0xaa002: return cur_rev <= 0xaa00218; break; ++ case 0xb0021: return cur_rev <= 0xb002146; break; ++ case 0xb1010: return cur_rev <= 0xb101046; break; ++ case 0xb2040: return cur_rev <= 0xb204031; break; ++ case 0xb4040: return cur_rev <= 0xb404031; break; ++ case 0xb6000: return cur_rev <= 0xb600031; break; ++ case 0xb7000: return cur_rev <= 0xb700031; break; + default: break; + } + +@@ -216,8 +222,7 @@ static bool verify_sha256_digest(u32 pat + struct sha256_state s; + int i; + +- if (x86_family(bsp_cpuid_1_eax) < 0x17 || +- x86_family(bsp_cpuid_1_eax) > 0x19) ++ if (x86_family(bsp_cpuid_1_eax) < 0x17) + return true; + + if (!need_sha_check(cur_rev))