From: Greg Kroah-Hartman Date: Mon, 28 Apr 2025 12:08:26 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v5.4.293~65 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9da36ee226d529baa5a35780f0a66fb3a1f24b61;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch drm-amd-display-fix-gpu-reset-in-multidisplay-config.patch drm-amd-display-force-full-update-in-gpu-reset.patch kvm-svm-allocate-ir-data-using-atomic-allocation.patch loongarch-remove-a-bogus-reference-to-zone_dma.patch loongarch-return-null-from-huge_pte_offset-for-invalid-pmd.patch mcb-fix-a-double-free-bug-in-chameleon_parse_gdd.patch mei-me-add-panther-lake-h-did.patch net-phy-microchip-force-irq-polling-mode-for-lan88xx.patch net-selftests-initialize-tcp-header-and-skb-payload-with-zero.patch usb-storage-quirk-for-adata-portable-hdd-ch94.patch virtio_console-fix-missing-byte-order-handling-for-cols-and-rows.patch xen-netfront-handle-null-returned-by-xdp_convert_buff_to_frame.patch --- diff --git a/queue-6.1/crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch b/queue-6.1/crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch new file mode 100644 index 0000000000..c6ad2e5b57 --- /dev/null +++ b/queue-6.1/crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch @@ -0,0 +1,45 @@ +From 8006aff15516a170640239c5a8e6696c0ba18d8e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marek=20Beh=C3=BAn?= +Date: Tue, 22 Apr 2025 11:57:18 +0200 +Subject: crypto: atmel-sha204a - Set hwrng quality to lowest possible +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +commit 8006aff15516a170640239c5a8e6696c0ba18d8e upstream. + +According to the review by Bill Cox [1], the Atmel SHA204A random number +generator produces random numbers with very low entropy. + +Set the lowest possible entropy for this chip just to be safe. + +[1] https://www.metzdowd.com/pipermail/cryptography/2014-December/023858.html + +Fixes: da001fb651b00e1d ("crypto: atmel-i2c - add support for SHA204A random number generator") +Cc: +Signed-off-by: Marek Behún +Acked-by: Ard Biesheuvel +Reviewed-by: Linus Walleij +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/atmel-sha204a.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/crypto/atmel-sha204a.c ++++ b/drivers/crypto/atmel-sha204a.c +@@ -109,6 +109,12 @@ static int atmel_sha204a_probe(struct i2 + i2c_priv->hwrng.read = atmel_sha204a_rng_read; + i2c_priv->hwrng.quality = 1024; + ++ /* ++ * According to review by Bill Cox [1], this HWRNG has very low entropy. ++ * [1] https://www.metzdowd.com/pipermail/cryptography/2014-December/023858.html ++ */ ++ i2c_priv->hwrng.quality = 1; ++ + ret = devm_hwrng_register(&client->dev, &i2c_priv->hwrng); + if (ret) + dev_warn(&client->dev, "failed to register RNG (%d)\n", ret); diff --git a/queue-6.1/drm-amd-display-fix-gpu-reset-in-multidisplay-config.patch b/queue-6.1/drm-amd-display-fix-gpu-reset-in-multidisplay-config.patch new file mode 100644 index 0000000000..59cfed1870 --- /dev/null +++ b/queue-6.1/drm-amd-display-fix-gpu-reset-in-multidisplay-config.patch @@ -0,0 +1,53 @@ +From 7eb287beeb60be1e4437be2b4e4e9f0da89aab97 Mon Sep 17 00:00:00 2001 +From: Roman Li +Date: Tue, 1 Apr 2025 17:05:10 -0400 +Subject: drm/amd/display: Fix gpu reset in multidisplay config + +From: Roman Li + +commit 7eb287beeb60be1e4437be2b4e4e9f0da89aab97 upstream. + +[Why] +The indexing of stream_status in dm_gpureset_commit_state() is incorrect. +That leads to asserts in multi-display configuration after gpu reset. + +[How] +Adjust the indexing logic to align stream_status with surface_updates. + +Fixes: cdaae8371aa9 ("drm/amd/display: Handle GPU reset for DC block") +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3808 +Reviewed-by: Aurabindo Pillai +Reviewed-by: Mario Limonciello +Signed-off-by: Roman Li +Signed-off-by: Zaeem Mohamed +Tested-by: Mark Broadworth +Signed-off-by: Alex Deucher +(cherry picked from commit d91bc901398741d317d9b55c59ca949d4bc7394b) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -2795,16 +2795,16 @@ static void dm_gpureset_commit_state(str + for (k = 0; k < dc_state->stream_count; k++) { + bundle->stream_update.stream = dc_state->streams[k]; + +- for (m = 0; m < dc_state->stream_status->plane_count; m++) { ++ for (m = 0; m < dc_state->stream_status[k].plane_count; m++) { + bundle->surface_updates[m].surface = +- dc_state->stream_status->plane_states[m]; ++ dc_state->stream_status[k].plane_states[m]; + bundle->surface_updates[m].surface->force_full_update = + true; + } + + update_planes_and_stream_adapter(dm->dc, + UPDATE_TYPE_FULL, +- dc_state->stream_status->plane_count, ++ dc_state->stream_status[k].plane_count, + dc_state->streams[k], + &bundle->stream_update, + bundle->surface_updates); diff --git a/queue-6.1/drm-amd-display-force-full-update-in-gpu-reset.patch b/queue-6.1/drm-amd-display-force-full-update-in-gpu-reset.patch new file mode 100644 index 0000000000..35038d51bd --- /dev/null +++ b/queue-6.1/drm-amd-display-force-full-update-in-gpu-reset.patch @@ -0,0 +1,41 @@ +From 67fe574651c73fe5cc176e35f28f2ec1ba498d14 Mon Sep 17 00:00:00 2001 +From: Roman Li +Date: Wed, 26 Mar 2025 10:33:51 -0400 +Subject: drm/amd/display: Force full update in gpu reset + +From: Roman Li + +commit 67fe574651c73fe5cc176e35f28f2ec1ba498d14 upstream. + +[Why] +While system undergoing gpu reset always do full update +to sync the dc state before and after reset. + +[How] +Return true in should_reset_plane() if gpu reset detected + +Reviewed-by: Aurabindo Pillai +Reviewed-by: Mario Limonciello +Signed-off-by: Roman Li +Signed-off-by: Zaeem Mohamed +Tested-by: Mark Broadworth +Signed-off-by: Alex Deucher +(cherry picked from commit 2ba8619b9a378ad218ad6c2e2ccaee8f531e08de) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -9358,6 +9358,9 @@ static bool should_reset_plane(struct dr + if (adev->ip_versions[DCE_HWIP][0] < IP_VERSION(3, 2, 0) && state->allow_modeset) + return true; + ++ if (amdgpu_in_reset(adev) && state->allow_modeset) ++ return true; ++ + /* Exit early if we know that we're adding or removing the plane. */ + if (old_plane_state->crtc != new_plane_state->crtc) + return true; diff --git a/queue-6.1/kvm-svm-allocate-ir-data-using-atomic-allocation.patch b/queue-6.1/kvm-svm-allocate-ir-data-using-atomic-allocation.patch new file mode 100644 index 0000000000..338dd97783 --- /dev/null +++ b/queue-6.1/kvm-svm-allocate-ir-data-using-atomic-allocation.patch @@ -0,0 +1,34 @@ +From 7537deda36521fa8fff9133b39c46e31893606f2 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 4 Apr 2025 12:38:16 -0700 +Subject: KVM: SVM: Allocate IR data using atomic allocation + +From: Sean Christopherson + +commit 7537deda36521fa8fff9133b39c46e31893606f2 upstream. + +Allocate SVM's interrupt remapping metadata using GFP_ATOMIC as +svm_ir_list_add() is called with IRQs are disabled and irqfs.lock held +when kvm_irq_routing_update() reacts to GSI routing changes. + +Fixes: 411b44ba80ab ("svm: Implements update_pi_irte hook to setup posted interrupt") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-ID: <20250404193923.1413163-2-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm/avic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/svm/avic.c ++++ b/arch/x86/kvm/svm/avic.c +@@ -839,7 +839,7 @@ static int svm_ir_list_add(struct vcpu_s + * Allocating new amd_iommu_pi_data, which will get + * add to the per-vcpu ir_list. + */ +- ir = kzalloc(sizeof(struct amd_svm_iommu_ir), GFP_KERNEL_ACCOUNT); ++ ir = kzalloc(sizeof(struct amd_svm_iommu_ir), GFP_ATOMIC | __GFP_ACCOUNT); + if (!ir) { + ret = -ENOMEM; + goto out; diff --git a/queue-6.1/loongarch-remove-a-bogus-reference-to-zone_dma.patch b/queue-6.1/loongarch-remove-a-bogus-reference-to-zone_dma.patch new file mode 100644 index 0000000000..d2008f43d5 --- /dev/null +++ b/queue-6.1/loongarch-remove-a-bogus-reference-to-zone_dma.patch @@ -0,0 +1,33 @@ +From c37325cbd91abe3bfab280b3b09947155abe8e07 Mon Sep 17 00:00:00 2001 +From: Petr Tesarik +Date: Thu, 24 Apr 2025 20:15:41 +0800 +Subject: LoongArch: Remove a bogus reference to ZONE_DMA + +From: Petr Tesarik + +commit c37325cbd91abe3bfab280b3b09947155abe8e07 upstream. + +Remove dead code. LoongArch does not have a DMA memory zone (24bit DMA). +The architecture does not even define MAX_DMA_PFN. + +Cc: stable@vger.kernel.org +Reviewed-by: Mike Rapoport (Microsoft) +Signed-off-by: Petr Tesarik +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/mm/init.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/arch/loongarch/mm/init.c ++++ b/arch/loongarch/mm/init.c +@@ -89,9 +89,6 @@ void __init paging_init(void) + { + unsigned long max_zone_pfns[MAX_NR_ZONES]; + +-#ifdef CONFIG_ZONE_DMA +- max_zone_pfns[ZONE_DMA] = MAX_DMA_PFN; +-#endif + #ifdef CONFIG_ZONE_DMA32 + max_zone_pfns[ZONE_DMA32] = MAX_DMA32_PFN; + #endif diff --git a/queue-6.1/loongarch-return-null-from-huge_pte_offset-for-invalid-pmd.patch b/queue-6.1/loongarch-return-null-from-huge_pte_offset-for-invalid-pmd.patch new file mode 100644 index 0000000000..08ef93b737 --- /dev/null +++ b/queue-6.1/loongarch-return-null-from-huge_pte_offset-for-invalid-pmd.patch @@ -0,0 +1,47 @@ +From bd51834d1cf65a2c801295d230c220aeebf87a73 Mon Sep 17 00:00:00 2001 +From: Ming Wang +Date: Thu, 24 Apr 2025 20:15:47 +0800 +Subject: LoongArch: Return NULL from huge_pte_offset() for invalid PMD + +From: Ming Wang + +commit bd51834d1cf65a2c801295d230c220aeebf87a73 upstream. + +LoongArch's huge_pte_offset() currently returns a pointer to a PMD slot +even if the underlying entry points to invalid_pte_table (indicating no +mapping). Callers like smaps_hugetlb_range() fetch this invalid entry +value (the address of invalid_pte_table) via this pointer. + +The generic is_swap_pte() check then incorrectly identifies this address +as a swap entry on LoongArch, because it satisfies the "!pte_present() +&& !pte_none()" conditions. This misinterpretation, combined with a +coincidental match by is_migration_entry() on the address bits, leads to +kernel crashes in pfn_swap_entry_to_page(). + +Fix this at the architecture level by modifying huge_pte_offset() to +check the PMD entry's content using pmd_none() before returning. If the +entry is invalid (i.e., it points to invalid_pte_table), return NULL +instead of the pointer to the slot. + +Cc: stable@vger.kernel.org +Acked-by: Peter Xu +Co-developed-by: Hongchen Zhang +Signed-off-by: Hongchen Zhang +Signed-off-by: Ming Wang +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/mm/hugetlbpage.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/loongarch/mm/hugetlbpage.c ++++ b/arch/loongarch/mm/hugetlbpage.c +@@ -47,7 +47,7 @@ pte_t *huge_pte_offset(struct mm_struct + pmd = pmd_offset(pud, addr); + } + } +- return (pte_t *) pmd; ++ return pmd_none(pmdp_get(pmd)) ? NULL : (pte_t *) pmd; + } + + /* diff --git a/queue-6.1/mcb-fix-a-double-free-bug-in-chameleon_parse_gdd.patch b/queue-6.1/mcb-fix-a-double-free-bug-in-chameleon_parse_gdd.patch new file mode 100644 index 0000000000..91b90307b9 --- /dev/null +++ b/queue-6.1/mcb-fix-a-double-free-bug-in-chameleon_parse_gdd.patch @@ -0,0 +1,35 @@ +From 7c7f1bfdb2249f854a736d9b79778c7e5a29a150 Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Mon, 10 Mar 2025 09:46:57 +0100 +Subject: mcb: fix a double free bug in chameleon_parse_gdd() + +From: Haoxiang Li + +commit 7c7f1bfdb2249f854a736d9b79778c7e5a29a150 upstream. + +In chameleon_parse_gdd(), if mcb_device_register() fails, 'mdev' +would be released in mcb_device_register() via put_device(). +Thus, goto 'err' label and free 'mdev' again causes a double free. +Just return if mcb_device_register() fails. + +Fixes: 3764e82e5150 ("drivers: Introduce MEN Chameleon Bus") +Cc: stable +Signed-off-by: Haoxiang Li +Signed-off-by: Johannes Thumshirn +Link: https://lore.kernel.org/r/6201d09e2975ae5789879f79a6de4c38de9edd4a.1741596225.git.jth@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mcb/mcb-parse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mcb/mcb-parse.c ++++ b/drivers/mcb/mcb-parse.c +@@ -101,7 +101,7 @@ static int chameleon_parse_gdd(struct mc + + ret = mcb_device_register(bus, mdev); + if (ret < 0) +- goto err; ++ return ret; + + return 0; + diff --git a/queue-6.1/mei-me-add-panther-lake-h-did.patch b/queue-6.1/mei-me-add-panther-lake-h-did.patch new file mode 100644 index 0000000000..4046a1347b --- /dev/null +++ b/queue-6.1/mei-me-add-panther-lake-h-did.patch @@ -0,0 +1,42 @@ +From 86ce5c0a1dec02e21b4c864b2bc0cc5880a2c13c Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Tue, 8 Apr 2025 16:00:05 +0300 +Subject: mei: me: add panther lake H DID + +From: Alexander Usyskin + +commit 86ce5c0a1dec02e21b4c864b2bc0cc5880a2c13c upstream. + +Add Panther Lake H device id. + +Cc: stable +Co-developed-by: Tomas Winkler +Signed-off-by: Tomas Winkler +Signed-off-by: Alexander Usyskin +Link: https://lore.kernel.org/r/20250408130005.1358140-1-alexander.usyskin@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mei/hw-me-regs.h | 1 + + drivers/misc/mei/pci-me.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/misc/mei/hw-me-regs.h ++++ b/drivers/misc/mei/hw-me-regs.h +@@ -117,6 +117,7 @@ + + #define MEI_DEV_ID_LNL_M 0xA870 /* Lunar Lake Point M */ + ++#define MEI_DEV_ID_PTL_H 0xE370 /* Panther Lake H */ + #define MEI_DEV_ID_PTL_P 0xE470 /* Panther Lake P */ + + /* +--- a/drivers/misc/mei/pci-me.c ++++ b/drivers/misc/mei/pci-me.c +@@ -124,6 +124,7 @@ static const struct pci_device_id mei_me + + {MEI_PCI_DEVICE(MEI_DEV_ID_LNL_M, MEI_ME_PCH15_CFG)}, + ++ {MEI_PCI_DEVICE(MEI_DEV_ID_PTL_H, MEI_ME_PCH15_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_PTL_P, MEI_ME_PCH15_CFG)}, + + /* required last entry */ diff --git a/queue-6.1/net-phy-microchip-force-irq-polling-mode-for-lan88xx.patch b/queue-6.1/net-phy-microchip-force-irq-polling-mode-for-lan88xx.patch new file mode 100644 index 0000000000..0f6b9ac8c4 --- /dev/null +++ b/queue-6.1/net-phy-microchip-force-irq-polling-mode-for-lan88xx.patch @@ -0,0 +1,106 @@ +From 30a41ed32d3088cd0d682a13d7f30b23baed7e93 Mon Sep 17 00:00:00 2001 +From: Fiona Klute +Date: Wed, 16 Apr 2025 12:24:13 +0200 +Subject: net: phy: microchip: force IRQ polling mode for lan88xx + +From: Fiona Klute + +commit 30a41ed32d3088cd0d682a13d7f30b23baed7e93 upstream. + +With lan88xx based devices the lan78xx driver can get stuck in an +interrupt loop while bringing the device up, flooding the kernel log +with messages like the following: + +lan78xx 2-3:1.0 enp1s0u3: kevent 4 may have been dropped + +Removing interrupt support from the lan88xx PHY driver forces the +driver to use polling instead, which avoids the problem. + +The issue has been observed with Raspberry Pi devices at least since +4.14 (see [1], bug report for their downstream kernel), as well as +with Nvidia devices [2] in 2020, where disabling interrupts was the +vendor-suggested workaround (together with the claim that phylib +changes in 4.9 made the interrupt handling in lan78xx incompatible). + +Iperf reports well over 900Mbits/sec per direction with client in +--dualtest mode, so there does not seem to be a significant impact on +throughput (lan88xx device connected via switch to the peer). + +[1] https://github.com/raspberrypi/linux/issues/2447 +[2] https://forums.developer.nvidia.com/t/jetson-xavier-and-lan7800-problem/142134/11 + +Link: https://lore.kernel.org/0901d90d-3f20-4a10-b680-9c978e04ddda@lunn.ch +Fixes: 792aec47d59d ("add microchip LAN88xx phy driver") +Signed-off-by: Fiona Klute +Cc: kernel-list@raspberrypi.com +Cc: stable@vger.kernel.org +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20250416102413.30654-1-fiona.klute@gmx.de +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/microchip.c | 46 ++------------------------------------------ + 1 file changed, 3 insertions(+), 43 deletions(-) + +--- a/drivers/net/phy/microchip.c ++++ b/drivers/net/phy/microchip.c +@@ -31,47 +31,6 @@ static int lan88xx_write_page(struct phy + return __phy_write(phydev, LAN88XX_EXT_PAGE_ACCESS, page); + } + +-static int lan88xx_phy_config_intr(struct phy_device *phydev) +-{ +- int rc; +- +- if (phydev->interrupts == PHY_INTERRUPT_ENABLED) { +- /* unmask all source and clear them before enable */ +- rc = phy_write(phydev, LAN88XX_INT_MASK, 0x7FFF); +- rc = phy_read(phydev, LAN88XX_INT_STS); +- rc = phy_write(phydev, LAN88XX_INT_MASK, +- LAN88XX_INT_MASK_MDINTPIN_EN_ | +- LAN88XX_INT_MASK_LINK_CHANGE_); +- } else { +- rc = phy_write(phydev, LAN88XX_INT_MASK, 0); +- if (rc) +- return rc; +- +- /* Ack interrupts after they have been disabled */ +- rc = phy_read(phydev, LAN88XX_INT_STS); +- } +- +- return rc < 0 ? rc : 0; +-} +- +-static irqreturn_t lan88xx_handle_interrupt(struct phy_device *phydev) +-{ +- int irq_status; +- +- irq_status = phy_read(phydev, LAN88XX_INT_STS); +- if (irq_status < 0) { +- phy_error(phydev); +- return IRQ_NONE; +- } +- +- if (!(irq_status & LAN88XX_INT_STS_LINK_CHANGE_)) +- return IRQ_NONE; +- +- phy_trigger_machine(phydev); +- +- return IRQ_HANDLED; +-} +- + static int lan88xx_suspend(struct phy_device *phydev) + { + struct lan88xx_priv *priv = phydev->priv; +@@ -392,8 +351,9 @@ static struct phy_driver microchip_phy_d + .config_aneg = lan88xx_config_aneg, + .link_change_notify = lan88xx_link_change_notify, + +- .config_intr = lan88xx_phy_config_intr, +- .handle_interrupt = lan88xx_handle_interrupt, ++ /* Interrupt handling is broken, do not define related ++ * functions to force polling. ++ */ + + .suspend = lan88xx_suspend, + .resume = genphy_resume, diff --git a/queue-6.1/net-selftests-initialize-tcp-header-and-skb-payload-with-zero.patch b/queue-6.1/net-selftests-initialize-tcp-header-and-skb-payload-with-zero.patch new file mode 100644 index 0000000000..856c0557de --- /dev/null +++ b/queue-6.1/net-selftests-initialize-tcp-header-and-skb-payload-with-zero.patch @@ -0,0 +1,64 @@ +From 9e8d1013b0c38910cbc9e60de74dbe883878469d Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Wed, 16 Apr 2025 18:01:25 +0200 +Subject: net: selftests: initialize TCP header and skb payload with zero + +From: Oleksij Rempel + +commit 9e8d1013b0c38910cbc9e60de74dbe883878469d upstream. + +Zero-initialize TCP header via memset() to avoid garbage values that +may affect checksum or behavior during test transmission. + +Also zero-fill allocated payload and padding regions using memset() +after skb_put(), ensuring deterministic content for all outgoing +test packets. + +Fixes: 3e1e58d64c3d ("net: add generic selftest support") +Signed-off-by: Oleksij Rempel +Cc: stable@vger.kernel.org +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250416160125.2914724-1-o.rempel@pengutronix.de +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/core/selftests.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +--- a/net/core/selftests.c ++++ b/net/core/selftests.c +@@ -100,10 +100,10 @@ static struct sk_buff *net_test_get_skb( + ehdr->h_proto = htons(ETH_P_IP); + + if (attr->tcp) { ++ memset(thdr, 0, sizeof(*thdr)); + thdr->source = htons(attr->sport); + thdr->dest = htons(attr->dport); + thdr->doff = sizeof(struct tcphdr) / 4; +- thdr->check = 0; + } else { + uhdr->source = htons(attr->sport); + uhdr->dest = htons(attr->dport); +@@ -144,10 +144,18 @@ static struct sk_buff *net_test_get_skb( + attr->id = net_test_next_id; + shdr->id = net_test_next_id++; + +- if (attr->size) +- skb_put(skb, attr->size); +- if (attr->max_size && attr->max_size > skb->len) +- skb_put(skb, attr->max_size - skb->len); ++ if (attr->size) { ++ void *payload = skb_put(skb, attr->size); ++ ++ memset(payload, 0, attr->size); ++ } ++ ++ if (attr->max_size && attr->max_size > skb->len) { ++ size_t pad_len = attr->max_size - skb->len; ++ void *pad = skb_put(skb, pad_len); ++ ++ memset(pad, 0, pad_len); ++ } + + skb->csum = 0; + skb->ip_summed = CHECKSUM_PARTIAL; diff --git a/queue-6.1/series b/queue-6.1/series index 867c978634..bcc855c1c6 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -59,3 +59,16 @@ loongarch-select-arch_use_memtest.patch loongarch-make-regs_irqs_disabled-more-clear.patch wifi-mac80211-export-ieee80211_purge_tx_queue-for-drivers.patch wifi-rtw88-use-ieee80211_purge_tx_queue-to-purge-tx-skb.patch +virtio_console-fix-missing-byte-order-handling-for-cols-and-rows.patch +crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch +xen-netfront-handle-null-returned-by-xdp_convert_buff_to_frame.patch +net-selftests-initialize-tcp-header-and-skb-payload-with-zero.patch +net-phy-microchip-force-irq-polling-mode-for-lan88xx.patch +drm-amd-display-fix-gpu-reset-in-multidisplay-config.patch +drm-amd-display-force-full-update-in-gpu-reset.patch +loongarch-return-null-from-huge_pte_offset-for-invalid-pmd.patch +loongarch-remove-a-bogus-reference-to-zone_dma.patch +kvm-svm-allocate-ir-data-using-atomic-allocation.patch +mcb-fix-a-double-free-bug-in-chameleon_parse_gdd.patch +usb-storage-quirk-for-adata-portable-hdd-ch94.patch +mei-me-add-panther-lake-h-did.patch diff --git a/queue-6.1/usb-storage-quirk-for-adata-portable-hdd-ch94.patch b/queue-6.1/usb-storage-quirk-for-adata-portable-hdd-ch94.patch new file mode 100644 index 0000000000..9c76def8c6 --- /dev/null +++ b/queue-6.1/usb-storage-quirk-for-adata-portable-hdd-ch94.patch @@ -0,0 +1,36 @@ +From 9ab75eee1a056f896b87d139044dd103adc532b9 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 3 Apr 2025 19:59:45 +0200 +Subject: USB: storage: quirk for ADATA Portable HDD CH94 + +From: Oliver Neukum + +commit 9ab75eee1a056f896b87d139044dd103adc532b9 upstream. + +Version 1.60 specifically needs this quirk. +Version 2.00 is known good. + +Cc: stable +Signed-off-by: Oliver Neukum +Link: https://lore.kernel.org/r/20250403180004.343133-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/unusual_uas.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/usb/storage/unusual_uas.h ++++ b/drivers/usb/storage/unusual_uas.h +@@ -83,6 +83,13 @@ UNUSUAL_DEV(0x0bc2, 0x331a, 0x0000, 0x99 + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_NO_REPORT_LUNS), + ++/* Reported-by: Oliver Neukum */ ++UNUSUAL_DEV(0x125f, 0xa94a, 0x0160, 0x0160, ++ "ADATA", ++ "Portable HDD CH94", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_NO_ATA_1X), ++ + /* Reported-by: Benjamin Tissoires */ + UNUSUAL_DEV(0x13fd, 0x3940, 0x0000, 0x9999, + "Initio Corporation", diff --git a/queue-6.1/virtio_console-fix-missing-byte-order-handling-for-cols-and-rows.patch b/queue-6.1/virtio_console-fix-missing-byte-order-handling-for-cols-and-rows.patch new file mode 100644 index 0000000000..e268f98655 --- /dev/null +++ b/queue-6.1/virtio_console-fix-missing-byte-order-handling-for-cols-and-rows.patch @@ -0,0 +1,60 @@ +From fbd3039a64b01b769040677c4fc68badeca8e3b2 Mon Sep 17 00:00:00 2001 +From: Halil Pasic +Date: Sat, 22 Mar 2025 01:29:54 +0100 +Subject: virtio_console: fix missing byte order handling for cols and rows + +From: Halil Pasic + +commit fbd3039a64b01b769040677c4fc68badeca8e3b2 upstream. + +As per virtio spec the fields cols and rows are specified as little +endian. Although there is no legacy interface requirement that would +state that cols and rows need to be handled as native endian when legacy +interface is used, unlike for the fields of the adjacent struct +virtio_console_control, I decided to err on the side of caution based +on some non-conclusive virtio spec repo archaeology and opt for using +virtio16_to_cpu() much like for virtio_console_control.event. Strictly +by the letter of the spec virtio_le_to_cpu() would have been sufficient. +But when the legacy interface is not used, it boils down to the same. + +And when using the legacy interface, the device formatting these as +little endian when the guest is big endian would surprise me more than +it using guest native byte order (which would make it compatible with +the current implementation). Nevertheless somebody trying to implement +the spec following it to the letter could end up forcing little endian +byte order when the legacy interface is in use. So IMHO this ultimately +needs a judgement call by the maintainers. + +Fixes: 8345adbf96fc1 ("virtio: console: Accept console size along with resize control message") +Signed-off-by: Halil Pasic +Cc: stable@vger.kernel.org # v2.6.35+ +Message-Id: <20250322002954.3129282-1-pasic@linux.ibm.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/virtio_console.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -1615,8 +1615,8 @@ static void handle_control_message(struc + break; + case VIRTIO_CONSOLE_RESIZE: { + struct { +- __u16 rows; +- __u16 cols; ++ __virtio16 rows; ++ __virtio16 cols; + } size; + + if (!is_console_port(port)) +@@ -1624,7 +1624,8 @@ static void handle_control_message(struc + + memcpy(&size, buf->buf + buf->offset + sizeof(*cpkt), + sizeof(size)); +- set_console_size(port, size.rows, size.cols); ++ set_console_size(port, virtio16_to_cpu(vdev, size.rows), ++ virtio16_to_cpu(vdev, size.cols)); + + port->cons.hvc->irq_requested = 1; + resize_console(port); diff --git a/queue-6.1/xen-netfront-handle-null-returned-by-xdp_convert_buff_to_frame.patch b/queue-6.1/xen-netfront-handle-null-returned-by-xdp_convert_buff_to_frame.patch new file mode 100644 index 0000000000..a87b5f95cd --- /dev/null +++ b/queue-6.1/xen-netfront-handle-null-returned-by-xdp_convert_buff_to_frame.patch @@ -0,0 +1,65 @@ +From cc3628dcd851ddd8d418bf0c897024b4621ddc92 Mon Sep 17 00:00:00 2001 +From: Alexey Nepomnyashih +Date: Thu, 17 Apr 2025 12:21:17 +0000 +Subject: xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() + +From: Alexey Nepomnyashih + +commit cc3628dcd851ddd8d418bf0c897024b4621ddc92 upstream. + +The function xdp_convert_buff_to_frame() may return NULL if it fails +to correctly convert the XDP buffer into an XDP frame due to memory +constraints, internal errors, or invalid data. Failing to check for NULL +may lead to a NULL pointer dereference if the result is used later in +processing, potentially causing crashes, data corruption, or undefined +behavior. + +On XDP redirect failure, the associated page must be released explicitly +if it was previously retained via get_page(). Failing to do so may result +in a memory leak, as the pages reference count is not decremented. + +Cc: stable@vger.kernel.org # v5.9+ +Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront") +Signed-off-by: Alexey Nepomnyashih +Link: https://patch.msgid.link/20250417122118.1009824-1-sdl@nppct.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netfront.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -985,20 +985,27 @@ static u32 xennet_run_xdp(struct netfron + act = bpf_prog_run_xdp(prog, xdp); + switch (act) { + case XDP_TX: +- get_page(pdata); + xdpf = xdp_convert_buff_to_frame(xdp); ++ if (unlikely(!xdpf)) { ++ trace_xdp_exception(queue->info->netdev, prog, act); ++ break; ++ } ++ get_page(pdata); + err = xennet_xdp_xmit(queue->info->netdev, 1, &xdpf, 0); +- if (unlikely(!err)) ++ if (unlikely(err <= 0)) { ++ if (err < 0) ++ trace_xdp_exception(queue->info->netdev, prog, act); + xdp_return_frame_rx_napi(xdpf); +- else if (unlikely(err < 0)) +- trace_xdp_exception(queue->info->netdev, prog, act); ++ } + break; + case XDP_REDIRECT: + get_page(pdata); + err = xdp_do_redirect(queue->info->netdev, xdp, prog); + *need_xdp_flush = true; +- if (unlikely(err)) ++ if (unlikely(err)) { + trace_xdp_exception(queue->info->netdev, prog, act); ++ xdp_return_buff(xdp); ++ } + break; + case XDP_PASS: + case XDP_DROP: