From: Greg Kroah-Hartman Date: Tue, 20 May 2025 10:57:01 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v5.15.184~17 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=970d9249b3b00086afc32047e12ca0f9a37bf2ab;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: bpf-arm64-fix-address-emission-with-tag-based-kasan-enabled.patch bpf-arm64-fix-trampoline-for-bpf_tramp_f_call_orig.patch btrfs-don-t-bug_on-when-0-reference-count-at-btrfs_lookup_extent_info.patch hwpoison-memory_hotplug-lock-folio-before-unmap-hwpoisoned-folio.patch loongarch-explicitly-specify-code-model-in-makefile.patch mm-vmscan-fix-a-bug-calling-wakeup_kswapd-with-a-wrong-zone-index.patch riscv-mm-fix-the-out-of-bound-issue-of-vmemmap-address.patch sctp-add-mutual-exclusion-in-proc_sctp_do_udp_port.patch selftests-mm-compaction_test-support-platform-with-huge-mount-of-memory.patch --- diff --git a/queue-6.1/bpf-arm64-fix-address-emission-with-tag-based-kasan-enabled.patch b/queue-6.1/bpf-arm64-fix-address-emission-with-tag-based-kasan-enabled.patch new file mode 100644 index 0000000000..aba0a3bfb5 --- /dev/null +++ b/queue-6.1/bpf-arm64-fix-address-emission-with-tag-based-kasan-enabled.patch @@ -0,0 +1,62 @@ +From a552e2ef5fd1a6c78267cd4ec5a9b49aa11bbb1c Mon Sep 17 00:00:00 2001 +From: Peter Collingbourne +Date: Fri, 18 Oct 2024 15:16:43 -0700 +Subject: bpf, arm64: Fix address emission with tag-based KASAN enabled + +From: Peter Collingbourne + +commit a552e2ef5fd1a6c78267cd4ec5a9b49aa11bbb1c upstream. + +When BPF_TRAMP_F_CALL_ORIG is enabled, the address of a bpf_tramp_image +struct on the stack is passed during the size calculation pass and +an address on the heap is passed during code generation. This may +cause a heap buffer overflow if the heap address is tagged because +emit_a64_mov_i64() will emit longer code than it did during the size +calculation pass. The same problem could occur without tag-based +KASAN if one of the 16-bit words of the stack address happened to +be all-ones during the size calculation pass. Fix the problem by +assuming the worst case (4 instructions) when calculating the size +of the bpf_tramp_image address emission. + +Fixes: 19d3c179a377 ("bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG") +Signed-off-by: Peter Collingbourne +Signed-off-by: Daniel Borkmann +Acked-by: Xu Kuohai +Link: https://linux-review.googlesource.com/id/I1496f2bc24fba7a1d492e16e2b94cf43714f2d3c +Link: https://lore.kernel.org/bpf/20241018221644.3240898-1-pcc@google.com +[Minor context change fixed.] 
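To see the sizing hazard concretely, here is a minimal standalone C sketch. It is not the kernel's JIT: emit_mov_i64() is a simplified stand-in for emit_a64_mov_i64() and the sample values are made up, but struct jit_ctx with its image/idx fields mirrors the arm64 JIT convention the hunks below rely on (image is NULL during the size-calculation pass). Because a movz/movk-style emitter needs one to four instructions depending on the value, sizing with an untagged stack address and emitting with a tagged heap address under-counts; charging the worst case of four slots whenever ctx->image is NULL keeps the two passes in agreement, which is what the fix does.

/*
 * Standalone sketch of the two-pass sizing hazard -- illustrative only,
 * not the arm64 BPF JIT. Values are made up.
 */
#include <stdint.h>
#include <stdio.h>

struct jit_ctx {
	uint32_t *image;	/* NULL during the sizing pass */
	int idx;		/* instruction slots consumed  */
};

/* Emit (or just count) one instruction per leading/non-zero 16-bit chunk. */
static void emit_mov_i64(struct jit_ctx *ctx, uint64_t val)
{
	int emitted = 0;

	for (int shift = 0; shift < 64; shift += 16) {
		uint16_t chunk = (uint16_t)(val >> shift);

		if (chunk || !emitted) {
			if (ctx->image)
				ctx->image[ctx->idx] = 0xd2800000u; /* stand-in opcode */
			ctx->idx++;
			emitted++;
		}
	}
}

int main(void)
{
	uint32_t buf[8];
	struct jit_ctx size_pass = { .image = NULL };
	struct jit_ctx emit_pass = { .image = buf };

	/* Sizing sees a plain address (2 insns); emission sees a tag-based
	 * KASAN address with a non-zero top chunk (3 insns). In the real
	 * JIT this mismatch overflows the allocated image buffer. */
	emit_mov_i64(&size_pass, 0x0000000012340000ull);
	emit_mov_i64(&emit_pass, 0xf2cc000012340000ull);

	printf("sizing pass reserved %d slots, emission pass needed %d\n",
	       size_pass.idx, emit_pass.idx);
	/* The fix: if (!ctx->image) ctx->idx += 4; else emit the mov. */
	return 0;
}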
+Signed-off-by: Bin Lan +Signed-off-by: He Zhe +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/net/bpf_jit_comp.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/arch/arm64/net/bpf_jit_comp.c ++++ b/arch/arm64/net/bpf_jit_comp.c +@@ -1942,7 +1942,11 @@ static int prepare_trampoline(struct jit + emit(A64_STR64I(A64_R(20), A64_SP, regs_off + 8), ctx); + + if (flags & BPF_TRAMP_F_CALL_ORIG) { +- emit_a64_mov_i64(A64_R(0), (const u64)im, ctx); ++ /* for the first pass, assume the worst case */ ++ if (!ctx->image) ++ ctx->idx += 4; ++ else ++ emit_a64_mov_i64(A64_R(0), (const u64)im, ctx); + emit_call((const u64)__bpf_tramp_enter, ctx); + } + +@@ -1986,7 +1990,11 @@ static int prepare_trampoline(struct jit + + if (flags & BPF_TRAMP_F_CALL_ORIG) { + im->ip_epilogue = ctx->image + ctx->idx; +- emit_a64_mov_i64(A64_R(0), (const u64)im, ctx); ++ /* for the first pass, assume the worst case */ ++ if (!ctx->image) ++ ctx->idx += 4; ++ else ++ emit_a64_mov_i64(A64_R(0), (const u64)im, ctx); + emit_call((const u64)__bpf_tramp_exit, ctx); + } + diff --git a/queue-6.1/bpf-arm64-fix-trampoline-for-bpf_tramp_f_call_orig.patch b/queue-6.1/bpf-arm64-fix-trampoline-for-bpf_tramp_f_call_orig.patch new file mode 100644 index 0000000000..41e6f4c8a8 --- /dev/null +++ b/queue-6.1/bpf-arm64-fix-trampoline-for-bpf_tramp_f_call_orig.patch @@ -0,0 +1,57 @@ +From 19d3c179a37730caf600a97fed3794feac2b197b Mon Sep 17 00:00:00 2001 +From: Puranjay Mohan +Date: Thu, 11 Jul 2024 15:18:38 +0000 +Subject: bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG + +From: Puranjay Mohan + +commit 19d3c179a37730caf600a97fed3794feac2b197b upstream. + +When BPF_TRAMP_F_CALL_ORIG is set, the trampoline calls +__bpf_tramp_enter() and __bpf_tramp_exit() functions, passing them +the struct bpf_tramp_image *im pointer as an argument in R0. + +The trampoline generation code uses emit_addr_mov_i64() to emit +instructions for moving the bpf_tramp_image address into R0, but +emit_addr_mov_i64() assumes the address to be in the vmalloc() space +and uses only 48 bits. Because bpf_tramp_image is allocated using +kzalloc(), its address can use more than 48-bits, in this case the +trampoline will pass an invalid address to __bpf_tramp_enter/exit() +causing a kernel crash. + +Fix this by using emit_a64_mov_i64() in place of emit_addr_mov_i64() +as it can work with addresses that are greater than 48-bits. + +Fixes: efc9909fdce0 ("bpf, arm64: Add bpf trampoline for arm64") +Signed-off-by: Puranjay Mohan +Signed-off-by: Daniel Borkmann +Closes: https://lore.kernel.org/all/SJ0PR15MB461564D3F7E7A763498CA6A8CBDB2@SJ0PR15MB4615.namprd15.prod.outlook.com/ +Link: https://lore.kernel.org/bpf/20240711151838.43469-1-puranjay@kernel.org +[Minor context change fixed.] 
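The 48-bit assumption can be modeled in isolation. The toy below is not the JIT's actual instruction encoding: mov_addr_48() paraphrases what a movn-plus-two-movk sequence like emit_addr_mov_i64() produces (low 48 bits of the value, top 16 bits hard-wired to all-ones, which is only valid for vmalloc-range addresses), while mov_full_64() decomposes all four 16-bit chunks the way emit_a64_mov_i64() does. The sample pointer is made up, chosen so its top 16 bits are not all-ones.

/* Toy model of 48-bit vs full 64-bit address emission -- illustrative only. */
#include <stdint.h>
#include <stdio.h>

/* Paraphrase of emit_addr_mov_i64(): bits 0-47 from the value, bits
 * 48-63 forced to all-ones by the initial movn. */
static uint64_t mov_addr_48(uint64_t addr)
{
	return (addr & 0x0000ffffffffffffull) | 0xffff000000000000ull;
}

/* Paraphrase of emit_a64_mov_i64(): every 16-bit chunk is emitted, so
 * any 64-bit value round-trips. */
static uint64_t mov_full_64(uint64_t addr)
{
	uint64_t out = 0;

	for (int shift = 0; shift < 64; shift += 16)
		out |= ((addr >> shift) & 0xffffull) << shift;
	return out;
}

int main(void)
{
	/* Made-up kzalloc()-style pointer whose top 16 bits are 0xfff0,
	 * not 0xffff -- e.g. a linear-map address on a large-VA config. */
	uint64_t im = 0xfff0000012345678ull;

	printf("48-bit emission: %#llx\n", (unsigned long long)mov_addr_48(im));
	printf("64-bit emission: %#llx\n", (unsigned long long)mov_full_64(im));
	/* Only the second equals im; the first is the corrupt pointer the
	 * trampoline would hand to __bpf_tramp_enter/exit(). */
	return 0;
}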
+Signed-off-by: Bin Lan +Signed-off-by: He Zhe +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/net/bpf_jit_comp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/net/bpf_jit_comp.c ++++ b/arch/arm64/net/bpf_jit_comp.c +@@ -1942,7 +1942,7 @@ static int prepare_trampoline(struct jit + emit(A64_STR64I(A64_R(20), A64_SP, regs_off + 8), ctx); + + if (flags & BPF_TRAMP_F_CALL_ORIG) { +- emit_addr_mov_i64(A64_R(0), (const u64)im, ctx); ++ emit_a64_mov_i64(A64_R(0), (const u64)im, ctx); + emit_call((const u64)__bpf_tramp_enter, ctx); + } + +@@ -1986,7 +1986,7 @@ static int prepare_trampoline(struct jit + + if (flags & BPF_TRAMP_F_CALL_ORIG) { + im->ip_epilogue = ctx->image + ctx->idx; +- emit_addr_mov_i64(A64_R(0), (const u64)im, ctx); ++ emit_a64_mov_i64(A64_R(0), (const u64)im, ctx); + emit_call((const u64)__bpf_tramp_exit, ctx); + } + diff --git a/queue-6.1/btrfs-don-t-bug_on-when-0-reference-count-at-btrfs_lookup_extent_info.patch b/queue-6.1/btrfs-don-t-bug_on-when-0-reference-count-at-btrfs_lookup_extent_info.patch new file mode 100644 index 0000000000..a178a90c97 --- /dev/null +++ b/queue-6.1/btrfs-don-t-bug_on-when-0-reference-count-at-btrfs_lookup_extent_info.patch @@ -0,0 +1,72 @@ +From 28cb13f29faf6290597b24b728dc3100c019356f Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Tue, 18 Jun 2024 12:15:01 +0100 +Subject: btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info() + +From: Filipe Manana + +commit 28cb13f29faf6290597b24b728dc3100c019356f upstream. + +Instead of doing a BUG_ON() handle the error by returning -EUCLEAN, +aborting the transaction and logging an error message. + +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +[Minor conflict resolved due to code context change.] +Signed-off-by: Jianqi Ren +Signed-off-by: He Zhe +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent-tree.c | 25 ++++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -179,6 +179,14 @@ search_again: + ei = btrfs_item_ptr(leaf, path->slots[0], + struct btrfs_extent_item); + num_refs = btrfs_extent_refs(leaf, ei); ++ if (unlikely(num_refs == 0)) { ++ ret = -EUCLEAN; ++ btrfs_err(fs_info, ++ "unexpected zero reference count for extent item (%llu %u %llu)", ++ key.objectid, key.type, key.offset); ++ btrfs_abort_transaction(trans, ret); ++ goto out_free; ++ } + extent_flags = btrfs_extent_flags(leaf, ei); + } else { + ret = -EINVAL; +@@ -190,8 +198,6 @@ search_again: + + goto out_free; + } +- +- BUG_ON(num_refs == 0); + } else { + num_refs = 0; + extent_flags = 0; +@@ -221,10 +227,19 @@ search_again: + goto search_again; + } + spin_lock(&head->lock); +- if (head->extent_op && head->extent_op->update_flags) ++ if (head->extent_op && head->extent_op->update_flags) { + extent_flags |= head->extent_op->flags_to_set; +- else +- BUG_ON(num_refs == 0); ++ } else if (unlikely(num_refs == 0)) { ++ spin_unlock(&head->lock); ++ mutex_unlock(&head->mutex); ++ spin_unlock(&delayed_refs->lock); ++ ret = -EUCLEAN; ++ btrfs_err(fs_info, ++ "unexpected zero reference count for extent %llu (%s)", ++ bytenr, metadata ? 
"metadata" : "data"); ++ btrfs_abort_transaction(trans, ret); ++ goto out_free; ++ } + + num_refs += head->ref_mod; + spin_unlock(&head->lock); diff --git a/queue-6.1/hwpoison-memory_hotplug-lock-folio-before-unmap-hwpoisoned-folio.patch b/queue-6.1/hwpoison-memory_hotplug-lock-folio-before-unmap-hwpoisoned-folio.patch new file mode 100644 index 0000000000..ce07013157 --- /dev/null +++ b/queue-6.1/hwpoison-memory_hotplug-lock-folio-before-unmap-hwpoisoned-folio.patch @@ -0,0 +1,88 @@ +From af288a426c3e3552b62595c6138ec6371a17dbba Mon Sep 17 00:00:00 2001 +From: Ma Wupeng +Date: Mon, 17 Feb 2025 09:43:29 +0800 +Subject: hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio + +From: Ma Wupeng + +commit af288a426c3e3552b62595c6138ec6371a17dbba upstream. + +Commit b15c87263a69 ("hwpoison, memory_hotplug: allow hwpoisoned pages to +be offlined) add page poison checks in do_migrate_range in order to make +offline hwpoisoned page possible by introducing isolate_lru_page and +try_to_unmap for hwpoisoned page. However folio lock must be held before +calling try_to_unmap. Add it to fix this problem. + +Warning will be produced if folio is not locked during unmap: + + ------------[ cut here ]------------ + kernel BUG at ./include/linux/swapops.h:400! + Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP + Modules linked in: + CPU: 4 UID: 0 PID: 411 Comm: bash Tainted: G W 6.13.0-rc1-00016-g3c434c7ee82a-dirty #41 + Tainted: [W]=WARN + Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015 + pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : try_to_unmap_one+0xb08/0xd3c + lr : try_to_unmap_one+0x3dc/0xd3c + Call trace: + try_to_unmap_one+0xb08/0xd3c (P) + try_to_unmap_one+0x3dc/0xd3c (L) + rmap_walk_anon+0xdc/0x1f8 + rmap_walk+0x3c/0x58 + try_to_unmap+0x88/0x90 + unmap_poisoned_folio+0x30/0xa8 + do_migrate_range+0x4a0/0x568 + offline_pages+0x5a4/0x670 + memory_block_action+0x17c/0x374 + memory_subsys_offline+0x3c/0x78 + device_offline+0xa4/0xd0 + state_store+0x8c/0xf0 + dev_attr_store+0x18/0x2c + sysfs_kf_write+0x44/0x54 + kernfs_fop_write_iter+0x118/0x1a8 + vfs_write+0x3a8/0x4bc + ksys_write+0x6c/0xf8 + __arm64_sys_write+0x1c/0x28 + invoke_syscall+0x44/0x100 + el0_svc_common.constprop.0+0x40/0xe0 + do_el0_svc+0x1c/0x28 + el0_svc+0x30/0xd0 + el0t_64_sync_handler+0xc8/0xcc + el0t_64_sync+0x198/0x19c + Code: f9407be0 b5fff320 d4210000 17ffff97 (d4210000) + ---[ end trace 0000000000000000 ]--- + +Link: https://lkml.kernel.org/r/20250217014329.3610326-4-mawupeng1@huawei.com +Fixes: b15c87263a69 ("hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined") +Signed-off-by: Ma Wupeng +Acked-by: David Hildenbrand +Acked-by: Miaohe Lin +Cc: Michal Hocko +Cc: Naoya Horiguchi +Cc: Oscar Salvador +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Xiangyu Chen +Signed-off-by: He Zhe +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory_hotplug.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/mm/memory_hotplug.c ++++ b/mm/memory_hotplug.c +@@ -1656,8 +1656,12 @@ do_migrate_range(unsigned long start_pfn + if (PageHWPoison(page)) { + if (WARN_ON(folio_test_lru(folio))) + folio_isolate_lru(folio); +- if (folio_mapped(folio)) ++ if (folio_mapped(folio)) { ++ folio_lock(folio); + try_to_unmap(folio, TTU_IGNORE_MLOCK); ++ folio_unlock(folio); ++ } ++ + continue; + } + diff --git a/queue-6.1/loongarch-explicitly-specify-code-model-in-makefile.patch b/queue-6.1/loongarch-explicitly-specify-code-model-in-makefile.patch new file mode 100644 index 
0000000000..1375034907 --- /dev/null +++ b/queue-6.1/loongarch-explicitly-specify-code-model-in-makefile.patch @@ -0,0 +1,33 @@ +From e67e0eb6a98b261caf45048f9eb95fd7609289c0 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Fri, 22 Nov 2024 15:47:47 +0800 +Subject: LoongArch: Explicitly specify code model in Makefile + +From: Huacai Chen + +commit e67e0eb6a98b261caf45048f9eb95fd7609289c0 upstream. + +LoongArch's toolchain may change the default code model from normal to +medium. This is unnecessary for kernel, and generates some relocations +which cannot be handled by the module loader. So explicitly specify the +code model to normal in Makefile (for Rust 'normal' is 'small'). + +Cc: stable@vger.kernel.org +Tested-by: Haiyong Sun +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/loongarch/Makefile ++++ b/arch/loongarch/Makefile +@@ -38,7 +38,7 @@ endif + + ifdef CONFIG_64BIT + ld-emul = $(64bit-emul) +-cflags-y += -mabi=lp64s ++cflags-y += -mabi=lp64s -mcmodel=normal + endif + + cflags-y += -pipe -msoft-float diff --git a/queue-6.1/mm-vmscan-fix-a-bug-calling-wakeup_kswapd-with-a-wrong-zone-index.patch b/queue-6.1/mm-vmscan-fix-a-bug-calling-wakeup_kswapd-with-a-wrong-zone-index.patch new file mode 100644 index 0000000000..1811456415 --- /dev/null +++ b/queue-6.1/mm-vmscan-fix-a-bug-calling-wakeup_kswapd-with-a-wrong-zone-index.patch @@ -0,0 +1,95 @@ +From 2774f256e7c0219e2b0a0894af1c76bdabc4f974 Mon Sep 17 00:00:00 2001 +From: Byungchul Park +Date: Fri, 16 Feb 2024 20:15:02 +0900 +Subject: mm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index + +From: Byungchul Park + +commit 2774f256e7c0219e2b0a0894af1c76bdabc4f974 upstream. + +With numa balancing on, when a numa system is running where a numa node +doesn't have its local memory so it has no managed zones, the following +oops has been observed. It's because wakeup_kswapd() is called with a +wrong zone index, -1. Fixed it by checking the index before calling +wakeup_kswapd(). + +> BUG: unable to handle page fault for address: 00000000000033f3 +> #PF: supervisor read access in kernel mode +> #PF: error_code(0x0000) - not-present page +> PGD 0 P4D 0 +> Oops: 0000 [#1] PREEMPT SMP NOPTI +> CPU: 2 PID: 895 Comm: masim Not tainted 6.6.0-dirty #255 +> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +> rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +> RIP: 0010:wakeup_kswapd (./linux/mm/vmscan.c:7812) +> Code: (omitted) +> RSP: 0000:ffffc90004257d58 EFLAGS: 00010286 +> RAX: ffffffffffffffff RBX: ffff88883fff0480 RCX: 0000000000000003 +> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88883fff0480 +> RBP: ffffffffffffffff R08: ff0003ffffffffff R09: ffffffffffffffff +> R10: ffff888106c95540 R11: 0000000055555554 R12: 0000000000000003 +> R13: 0000000000000000 R14: 0000000000000000 R15: ffff88883fff0940 +> FS: 00007fc4b8124740(0000) GS:ffff888827c00000(0000) knlGS:0000000000000000 +> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +> CR2: 00000000000033f3 CR3: 000000026cc08004 CR4: 0000000000770ee0 +> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +> PKRU: 55555554 +> Call Trace: +> +> ? __die +> ? page_fault_oops +> ? __pte_offset_map_lock +> ? exc_page_fault +> ? asm_exc_page_fault +> ? 
wakeup_kswapd +> migrate_misplaced_page +> __handle_mm_fault +> handle_mm_fault +> do_user_addr_fault +> exc_page_fault +> asm_exc_page_fault +> RIP: 0033:0x55b897ba0808 +> Code: (omitted) +> RSP: 002b:00007ffeefa821a0 EFLAGS: 00010287 +> RAX: 000055b89983acd0 RBX: 00007ffeefa823f8 RCX: 000055b89983acd0 +> RDX: 00007fc2f8122010 RSI: 0000000000020000 RDI: 000055b89983acd0 +> RBP: 00007ffeefa821a0 R08: 0000000000000037 R09: 0000000000000075 +> R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 +> R13: 00007ffeefa82410 R14: 000055b897ba5dd8 R15: 00007fc4b8340000 +> + +Link: https://lkml.kernel.org/r/20240216111502.79759-1-byungchul@sk.com +Signed-off-by: Byungchul Park +Reported-by: Hyeongtak Ji +Fixes: c574bbe917036 ("NUMA balancing: optimize page placement for memory tiering system") +Reviewed-by: Oscar Salvador +Cc: Baolin Wang +Cc: "Huang, Ying" +Cc: Johannes Weiner +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Jianqi Ren +Signed-off-by: He Zhe +Signed-off-by: Greg Kroah-Hartman +--- + mm/migrate.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/mm/migrate.c ++++ b/mm/migrate.c +@@ -2422,6 +2422,14 @@ static int numamigrate_isolate_page(pg_d + if (managed_zone(pgdat->node_zones + z)) + break; + } ++ ++ /* ++ * If there are no managed zones, it should not proceed ++ * further. ++ */ ++ if (z < 0) ++ return 0; ++ + wakeup_kswapd(pgdat->node_zones + z, 0, order, ZONE_MOVABLE); + return 0; + } diff --git a/queue-6.1/riscv-mm-fix-the-out-of-bound-issue-of-vmemmap-address.patch b/queue-6.1/riscv-mm-fix-the-out-of-bound-issue-of-vmemmap-address.patch new file mode 100644 index 0000000000..d8f99b0344 --- /dev/null +++ b/queue-6.1/riscv-mm-fix-the-out-of-bound-issue-of-vmemmap-address.patch @@ -0,0 +1,116 @@ +From f754f27e98f88428aaf6be6e00f5cbce97f62d4b Mon Sep 17 00:00:00 2001 +From: Xu Lu +Date: Mon, 9 Dec 2024 20:26:17 +0800 +Subject: riscv: mm: Fix the out of bound issue of vmemmap address +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xu Lu + +commit f754f27e98f88428aaf6be6e00f5cbce97f62d4b upstream. + +In sparse vmemmap model, the virtual address of vmemmap is calculated as: +((struct page *)VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT)). +And the struct page's va can be calculated with an offset: +(vmemmap + (pfn)). + +However, when initializing struct pages, kernel actually starts from the +first page from the same section that phys_ram_base belongs to. If the +first page's physical address is not (phys_ram_base >> PAGE_SHIFT), then +we get an va below VMEMMAP_START when calculating va for it's struct page. + +For example, if phys_ram_base starts from 0x82000000 with pfn 0x82000, the +first page in the same section is actually pfn 0x80000. During +init_unavailable_range(), we will initialize struct page for pfn 0x80000 +with virtual address ((struct page *)VMEMMAP_START - 0x2000), which is +below VMEMMAP_START as well as PCI_IO_END. + +This commit fixes this bug by introducing a new variable +'vmemmap_start_pfn' which is aligned with memory section size and using +it to calculate vmemmap address instead of phys_ram_base. 
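The vmemmap arithmetic is easy to check in isolation. The standalone sketch below plugs in the commit message's own example numbers (phys_ram_base 0x82000000, first pfn of its section 0x80000); VMEMMAP_START is a placeholder rather than the real layout, the 128 MiB section size and the 64-byte struct page are assumed typical values. It shows the old formula landing 0x2000 struct pages (0x80000 bytes) below VMEMMAP_START, while the section-aligned vmemmap_start_pfn lands exactly on it.

/* Sketch of the vmemmap address arithmetic -- illustrative values only. */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT        12
#define SECTION_SIZE_BITS 27			/* assumed 128 MiB sections */
#define SECTION_ALIGN     (1ull << SECTION_SIZE_BITS)
#define VMEMMAP_START     0xffffffff00000000ull	/* placeholder base */

int main(void)
{
	uint64_t phys_ram_base = 0x82000000ull;	/* pfn 0x82000 */
	uint64_t first_pfn     = 0x80000ull;	/* section start pfn */
	uint64_t page_sz       = 64;		/* typical sizeof(struct page) */

	/* Old: vmemmap biased by phys_ram_base's pfn. */
	uint64_t old_va = VMEMMAP_START
			  + (first_pfn - (phys_ram_base >> PAGE_SHIFT)) * page_sz;

	/* New: bias by round_down(phys_ram_base, VMEMMAP_ADDR_ALIGN) >> PAGE_SHIFT. */
	uint64_t vmemmap_start_pfn = (phys_ram_base & ~(SECTION_ALIGN - 1))
				     >> PAGE_SHIFT;
	uint64_t new_va = VMEMMAP_START
			  + (first_pfn - vmemmap_start_pfn) * page_sz;

	printf("old &vmemmap[0x%llx] = %#llx (%#llx bytes below VMEMMAP_START)\n",
	       (unsigned long long)first_pfn, (unsigned long long)old_va,
	       (unsigned long long)(VMEMMAP_START - old_va));
	printf("new &vmemmap[0x%llx] = %#llx\n",
	       (unsigned long long)first_pfn, (unsigned long long)new_va);
	return 0;
}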
+ +Fixes: a11dd49dcb93 ("riscv: Sparse-Memory/vmemmap out-of-bounds fix") +Signed-off-by: Xu Lu +Reviewed-by: Alexandre Ghiti +Tested-by: Björn Töpel +Reviewed-by: Björn Töpel +Link: https://lore.kernel.org/r/20241209122617.53341-1-luxu.kernel@bytedance.com +Signed-off-by: Palmer Dabbelt +Signed-off-by: Zhaoyang Li +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/include/asm/page.h | 1 + + arch/riscv/include/asm/pgtable.h | 2 +- + arch/riscv/mm/init.c | 17 ++++++++++++++++- + 3 files changed, 18 insertions(+), 2 deletions(-) + +--- a/arch/riscv/include/asm/page.h ++++ b/arch/riscv/include/asm/page.h +@@ -115,6 +115,7 @@ struct kernel_mapping { + + extern struct kernel_mapping kernel_map; + extern phys_addr_t phys_ram_base; ++extern unsigned long vmemmap_start_pfn; + + #define is_kernel_mapping(x) \ + ((x) >= kernel_map.virt_addr && (x) < (kernel_map.virt_addr + kernel_map.size)) +--- a/arch/riscv/include/asm/pgtable.h ++++ b/arch/riscv/include/asm/pgtable.h +@@ -79,7 +79,7 @@ + * Define vmemmap for pfn_to_page & page_to_pfn calls. Needed if kernel + * is configured with CONFIG_SPARSEMEM_VMEMMAP enabled. + */ +-#define vmemmap ((struct page *)VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT)) ++#define vmemmap ((struct page *)VMEMMAP_START - vmemmap_start_pfn) + + #define PCI_IO_SIZE SZ_16M + #define PCI_IO_END VMEMMAP_START +--- a/arch/riscv/mm/init.c ++++ b/arch/riscv/mm/init.c +@@ -22,6 +22,7 @@ + #include + + #include ++#include + #include + #include + #include +@@ -52,6 +53,13 @@ EXPORT_SYMBOL(pgtable_l5_enabled); + phys_addr_t phys_ram_base __ro_after_init; + EXPORT_SYMBOL(phys_ram_base); + ++#ifdef CONFIG_SPARSEMEM_VMEMMAP ++#define VMEMMAP_ADDR_ALIGN (1ULL << SECTION_SIZE_BITS) ++ ++unsigned long vmemmap_start_pfn __ro_after_init; ++EXPORT_SYMBOL(vmemmap_start_pfn); ++#endif ++ + unsigned long empty_zero_page[PAGE_SIZE / sizeof(unsigned long)] + __page_aligned_bss; + EXPORT_SYMBOL(empty_zero_page); +@@ -210,8 +218,12 @@ static void __init setup_bootmem(void) + memblock_reserve(vmlinux_start, vmlinux_end - vmlinux_start); + + phys_ram_end = memblock_end_of_DRAM(); +- if (!IS_ENABLED(CONFIG_XIP_KERNEL)) ++ if (!IS_ENABLED(CONFIG_XIP_KERNEL)) { + phys_ram_base = memblock_start_of_DRAM(); ++#ifdef CONFIG_SPARSEMEM_VMEMMAP ++ vmemmap_start_pfn = round_down(phys_ram_base, VMEMMAP_ADDR_ALIGN) >> PAGE_SHIFT; ++#endif ++} + /* + * Reserve physical address space that would be mapped to virtual + * addresses greater than (void *)(-PAGE_SIZE) because: +@@ -946,6 +958,9 @@ asmlinkage void __init setup_vm(uintptr_ + kernel_map.xiprom_sz = (uintptr_t)(&_exiprom) - (uintptr_t)(&_xiprom); + + phys_ram_base = CONFIG_PHYS_RAM_BASE; ++#ifdef CONFIG_SPARSEMEM_VMEMMAP ++ vmemmap_start_pfn = round_down(phys_ram_base, VMEMMAP_ADDR_ALIGN) >> PAGE_SHIFT; ++#endif + kernel_map.phys_addr = (uintptr_t)CONFIG_PHYS_RAM_BASE; + kernel_map.size = (uintptr_t)(&_end) - (uintptr_t)(&_start); + diff --git a/queue-6.1/sctp-add-mutual-exclusion-in-proc_sctp_do_udp_port.patch b/queue-6.1/sctp-add-mutual-exclusion-in-proc_sctp_do_udp_port.patch new file mode 100644 index 0000000000..e27354a4c1 --- /dev/null +++ b/queue-6.1/sctp-add-mutual-exclusion-in-proc_sctp_do_udp_port.patch @@ -0,0 +1,78 @@ +From 10206302af856791fbcc27a33ed3c3eb09b2793d Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 31 Mar 2025 09:15:32 +0000 +Subject: sctp: add mutual exclusion in proc_sctp_do_udp_port() + +From: Eric Dumazet + +commit 10206302af856791fbcc27a33ed3c3eb09b2793d upstream. 
+ +We must serialize calls to sctp_udp_sock_stop() and sctp_udp_sock_start() +or risk a crash as syzbot reported: + +Oops: general protection fault, probably for non-canonical address 0xdffffc000000000d: 0000 [#1] SMP KASAN PTI +KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f] +CPU: 1 UID: 0 PID: 6551 Comm: syz.1.44 Not tainted 6.14.0-syzkaller-g7f2ff7b62617 #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 + RIP: 0010:kernel_sock_shutdown+0x47/0x70 net/socket.c:3653 +Call Trace: + + udp_tunnel_sock_release+0x68/0x80 net/ipv4/udp_tunnel_core.c:181 + sctp_udp_sock_stop+0x71/0x160 net/sctp/protocol.c:930 + proc_sctp_do_udp_port+0x264/0x450 net/sctp/sysctl.c:553 + proc_sys_call_handler+0x3d0/0x5b0 fs/proc/proc_sysctl.c:601 + iter_file_splice_write+0x91c/0x1150 fs/splice.c:738 + do_splice_from fs/splice.c:935 [inline] + direct_splice_actor+0x18f/0x6c0 fs/splice.c:1158 + splice_direct_to_actor+0x342/0xa30 fs/splice.c:1102 + do_splice_direct_actor fs/splice.c:1201 [inline] + do_splice_direct+0x174/0x240 fs/splice.c:1227 + do_sendfile+0xafd/0xe50 fs/read_write.c:1368 + __do_sys_sendfile64 fs/read_write.c:1429 [inline] + __se_sys_sendfile64 fs/read_write.c:1415 [inline] + __x64_sys_sendfile64+0x1d8/0x220 fs/read_write.c:1415 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + +Fixes: 046c052b475e ("sctp: enable udp tunneling socks") +Reported-by: syzbot+fae49d997eb56fa7c74d@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/67ea5c01.050a0220.1547ec.012b.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Marcelo Ricardo Leitner +Acked-by: Xin Long +Link: https://patch.msgid.link/20250331091532.224982-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +[Minor conflict resolved due to code context change.] +Signed-off-by: Jianqi Ren +Signed-off-by: He Zhe +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sysctl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -518,6 +518,8 @@ static int proc_sctp_do_auth(struct ctl_ + return ret; + } + ++static DEFINE_MUTEX(sctp_sysctl_mutex); ++ + static int proc_sctp_do_udp_port(struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +@@ -542,6 +544,7 @@ static int proc_sctp_do_udp_port(struct + if (new_value > max || new_value < min) + return -EINVAL; + ++ mutex_lock(&sctp_sysctl_mutex); + net->sctp.udp_port = new_value; + sctp_udp_sock_stop(net); + if (new_value) { +@@ -554,6 +557,7 @@ static int proc_sctp_do_udp_port(struct + lock_sock(sk); + sctp_sk(sk)->udp_port = htons(net->sctp.udp_port); + release_sock(sk); ++ mutex_unlock(&sctp_sysctl_mutex); + } + + return ret; diff --git a/queue-6.1/selftests-mm-compaction_test-support-platform-with-huge-mount-of-memory.patch b/queue-6.1/selftests-mm-compaction_test-support-platform-with-huge-mount-of-memory.patch new file mode 100644 index 0000000000..22d31e2902 --- /dev/null +++ b/queue-6.1/selftests-mm-compaction_test-support-platform-with-huge-mount-of-memory.patch @@ -0,0 +1,72 @@ +From ab00ddd802f80e31fc9639c652d736fe3913feae Mon Sep 17 00:00:00 2001 +From: Feng Tang +Date: Wed, 23 Apr 2025 18:36:45 +0800 +Subject: selftests/mm: compaction_test: support platform with huge mount of memory + +From: Feng Tang + +commit ab00ddd802f80e31fc9639c652d736fe3913feae upstream. + +When running mm selftest to verify mm patches, 'compaction_test' case +failed on an x86 server with 1TB memory. 
And the root cause is that it +has too much free memory than what the test supports. + +The test case tries to allocate 100000 huge pages, which is about 200 GB +for that x86 server, and when it succeeds, it expects it's large than 1/3 +of 80% of the free memory in system. This logic only works for platform +with 750 GB ( 200 / (1/3) / 80% ) or less free memory, and may raise false +alarm for others. + +Fix it by changing the fixed page number to self-adjustable number +according to the real number of free memory. + +Link: https://lkml.kernel.org/r/20250423103645.2758-1-feng.tang@linux.alibaba.com +Fixes: bd67d5c15cc1 ("Test compaction of mlocked memory") +Signed-off-by: Feng Tang +Acked-by: Dev Jain +Reviewed-by: Baolin Wang +Tested-by: Baolin Wang +Cc: Shuah Khan +Cc: Sri Jayaramappa +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/vm/compaction_test.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/tools/testing/selftests/vm/compaction_test.c ++++ b/tools/testing/selftests/vm/compaction_test.c +@@ -89,6 +89,8 @@ int check_compaction(unsigned long mem_f + int compaction_index = 0; + char initial_nr_hugepages[20] = {0}; + char nr_hugepages[20] = {0}; ++ char target_nr_hugepages[24] = {0}; ++ int slen; + + /* We want to test with 80% of available memory. Else, OOM killer comes + in to play */ +@@ -119,11 +121,18 @@ int check_compaction(unsigned long mem_f + + lseek(fd, 0, SEEK_SET); + +- /* Request a large number of huge pages. The Kernel will allocate +- as much as it can */ +- if (write(fd, "100000", (6*sizeof(char))) != (6*sizeof(char))) { +- ksft_print_msg("Failed to write 100000 to /proc/sys/vm/nr_hugepages: %s\n", +- strerror(errno)); ++ /* ++ * Request huge pages for about half of the free memory. The Kernel ++ * will allocate as much as it can, and we expect it will get at least 1/3 ++ */ ++ nr_hugepages_ul = mem_free / hugepage_size / 2; ++ snprintf(target_nr_hugepages, sizeof(target_nr_hugepages), ++ "%lu", nr_hugepages_ul); ++ ++ slen = strlen(target_nr_hugepages); ++ if (write(fd, target_nr_hugepages, slen) != slen) { ++ ksft_print_msg("Failed to write %lu to /proc/sys/vm/nr_hugepages: %s\n", ++ nr_hugepages_ul, strerror(errno)); + goto close_fd; + } + diff --git a/queue-6.1/series b/queue-6.1/series index 63726bb2ac..edea07bce4 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -76,3 +76,12 @@ usb-typec-ucsi-displayport-fix-deadlock.patch usb-typec-altmodes-displayport-create-sysfs-nodes-as-driver-s-default-device-attribute-group.patch usb-typec-fix-potential-array-underflow-in-ucsi_ccg_sync_control.patch usb-typec-fix-pm-usage-counter-imbalance-in-ucsi_ccg_sync_control.patch +selftests-mm-compaction_test-support-platform-with-huge-mount-of-memory.patch +mm-vmscan-fix-a-bug-calling-wakeup_kswapd-with-a-wrong-zone-index.patch +riscv-mm-fix-the-out-of-bound-issue-of-vmemmap-address.patch +bpf-arm64-fix-trampoline-for-bpf_tramp_f_call_orig.patch +bpf-arm64-fix-address-emission-with-tag-based-kasan-enabled.patch +loongarch-explicitly-specify-code-model-in-makefile.patch +hwpoison-memory_hotplug-lock-folio-before-unmap-hwpoisoned-folio.patch +sctp-add-mutual-exclusion-in-proc_sctp_do_udp_port.patch +btrfs-don-t-bug_on-when-0-reference-count-at-btrfs_lookup_extent_info.patch
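Returning to the compaction_test fix queued above, the sizing arithmetic it replaces can be sketched standalone. All figures below are illustrative (a machine like the reported 1 TB box with ~80% of memory free and 2 MiB huge pages, 64-bit arithmetic assumed); mem_free and hugepage_size stand in for the values the test reads from the system.

/* Sketch of compaction_test's fixed vs scaled request -- made-up figures. */
#include <stdio.h>

int main(void)
{
	unsigned long long mem_free      = 800ULL * 1024 * 1024; /* ~800 GiB, in KiB */
	unsigned long long hugepage_size = 2048;                 /* 2 MiB, in KiB */

	/* Old scheme: a fixed request of 100000 pages (~200 GiB here)... */
	unsigned long long fixed_request = 100000;
	/* ...which must exceed 1/3 of 80% of free memory to pass, capping
	 * supported machines at roughly 750 GiB free (200 / (1/3) / 0.8). */
	unsigned long long pass_threshold = mem_free * 8 / 10 / 3 / hugepage_size;

	/* New scheme: scale the request to half of free memory and expect
	 * the kernel to satisfy at least a third of it. */
	unsigned long long nr_hugepages = mem_free / hugepage_size / 2;

	printf("fixed request : %llu pages, pass threshold %llu -> %s\n",
	       fixed_request, pass_threshold,
	       fixed_request > pass_threshold ? "ok" : "false alarm");
	printf("scaled request: %llu pages\n", nr_hugepages);
	return 0;
}

On the example machine the fixed request of 100000 pages falls below the ~109000-page pass threshold, reproducing the false alarm the commit message describes, while the scaled request (~204800 pages) tracks free memory on any platform.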