From: Sasha Levin Date: Sun, 27 Apr 2025 23:06:50 +0000 (-0400) Subject: Fixes for 6.1 X-Git-Tag: v5.4.293~77 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cbd4a340743a7e33660bdc2072ee9ac5543c25f4;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/btrfs-avoid-page_lockend-underflow-in-btrfs_punch_ho.patch b/queue-6.1/btrfs-avoid-page_lockend-underflow-in-btrfs_punch_ho.patch new file mode 100644 index 0000000000..99544b3ab7 --- /dev/null +++ b/queue-6.1/btrfs-avoid-page_lockend-underflow-in-btrfs_punch_ho.patch 
@@ -0,0 +1,95 @@ +From c50dcbb2d1ae49da15ddfaaa0648f8a41340c587 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Mar 2025 17:46:35 +1030 +Subject: btrfs: avoid page_lockend underflow in btrfs_punch_hole_lock_range() + +From: Qu Wenruo + +[ Upstream commit bc2dbc4983afedd198490cca043798f57c93e9bf ] + +[BUG] +When running btrfs/004 with 4K fs block size and 64K page size, +sometimes fsstress workload can take 100% CPU for a while, but not long +enough to trigger a 120s hang warning. + +[CAUSE] +When such 100% CPU usage happens, btrfs_punch_hole_lock_range() is +always in the call trace. + +One example when this problem happens, the function +btrfs_punch_hole_lock_range() got the following parameters: + + lock_start = 4096, lockend = 20469 + +Then we calculate @page_lockstart by rounding up lock_start to page +boundary, which is 64K (page size is 64K). + +For @page_lockend, we round down the value towards page boundary, which +result 0. Then since we need to pass an inclusive end to +filemap_range_has_page(), we subtract 1 from the rounded down value, +resulting in (u64)-1. + +In the above case, the range is inside the same page, and we do not even +need to call filemap_range_has_page(), not to mention to call it with +(u64)-1 at the end. + +This behavior will cause btrfs_punch_hole_lock_range() to busy loop +waiting for irrelevant range to have its pages dropped. + +[FIX] +Calculate @page_lockend by just rounding down @lockend, without +decreasing the value by one. So @page_lockend will no longer overflow. + +Then exit early if @page_lockend is no larger than @page_lockstart. +As it means either the range is inside the same page, or the two pages +are adjacent already. + +Finally only decrease @page_lockend when calling filemap_range_has_page(). 
+ +Fixes: 0528476b6ac7 ("btrfs: fix the filemap_range_has_page() call in btrfs_punch_hole_lock_range()") +Reviewed-by: Filipe Manana +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/file.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c +index 9e06d1a0d373d..3814f09dc4ae0 100644 +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -2224,15 +2224,20 @@ static void btrfs_punch_hole_lock_range(struct inode *inode, + * will always return true. + * So here we need to do extra page alignment for + * filemap_range_has_page(). ++ * ++ * And do not decrease page_lockend right now, as it can be 0. + */ + const u64 page_lockstart = round_up(lockstart, PAGE_SIZE); +- const u64 page_lockend = round_down(lockend + 1, PAGE_SIZE) - 1; ++ const u64 page_lockend = round_down(lockend + 1, PAGE_SIZE); + + while (1) { + truncate_pagecache_range(inode, lockstart, lockend); + + lock_extent(&BTRFS_I(inode)->io_tree, lockstart, lockend, + cached_state); ++ /* The same page or adjacent pages. */ ++ if (page_lockend <= page_lockstart) ++ break; + /* + * We can't have ordered extents in the range, nor dirty/writeback + * pages, because we have locked the inode's VFS lock in exclusive +@@ -2244,7 +2249,7 @@ static void btrfs_punch_hole_lock_range(struct inode *inode, + * we do, unlock the range and retry. + */ + if (!filemap_range_has_page(inode->i_mapping, page_lockstart, +- page_lockend)) ++ page_lockend - 1)) + break; + + unlock_extent(&BTRFS_I(inode)->io_tree, lockstart, lockend, +-- +2.39.5 + diff --git a/queue-6.1/cpufreq-cppc-fix-invalid-return-value-in-.get-callba.patch b/queue-6.1/cpufreq-cppc-fix-invalid-return-value-in-.get-callba.patch new file mode 100644 index 0000000000..35db3ecd2d --- /dev/null +++ b/queue-6.1/cpufreq-cppc-fix-invalid-return-value-in-.get-callba.patch 
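Review bot: `round_down(lockend + 1, PAGE_SIZE)` still wraps to 0 if a caller ever passes the inclusive end as `(u64)-1`, and the new `page_lockend <= page_lockstart` test would then break out of the loop without consulting filemap_range_has_page() at all. Whether any caller of btrfs_punch_hole_lock_range() can pass such a lockend is not visible here, so this is a possible gap rather than a confirmed one; the commit message's own example (lockend = 20469) suggests ranges are sector-aligned. Recording that assumption next to the new line, `/* lockend is an inclusive sector-aligned end, so lockend + 1 cannot wrap. */`, would make the early-break safe to reason about. The enclosing function continues past the end of the hunk.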
@@ -0,0 +1,40 @@ +From 0efda3fc55fe78f8728e09d684e3273aa23be084 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Apr 2025 11:11:42 +0100 +Subject: cpufreq: cppc: Fix invalid return value in .get() callback + +From: Marc Zyngier + +[ Upstream commit 2b8e6b58889c672e1ae3601d9b2b070be4dc2fbc ] + +Returning a negative error code in a function with an unsigned +return type is a pretty bad idea. It is probably worse when the +justification for the change is "our static analisys tool found it". + +Fixes: cf7de25878a1 ("cppc_cpufreq: Fix possible null pointer dereference") +Signed-off-by: Marc Zyngier +Cc: "Rafael J. Wysocki" +Cc: Viresh Kumar +Reviewed-by: Lifeng Zheng +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cppc_cpufreq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/cpufreq/cppc_cpufreq.c b/drivers/cpufreq/cppc_cpufreq.c +index 12fc07ed3502b..cfa2e3f0e56bd 100644 +--- a/drivers/cpufreq/cppc_cpufreq.c ++++ b/drivers/cpufreq/cppc_cpufreq.c +@@ -749,7 +749,7 @@ static unsigned int cppc_cpufreq_get_rate(unsigned int cpu) + int ret; + + if (!policy) +- return -ENODEV; ++ return 0; + + cpu_data = policy->driver_data; + +-- +2.39.5 + diff --git a/queue-6.1/cpufreq-scmi-fix-null-ptr-deref-in-scmi_cpufreq_get_.patch b/queue-6.1/cpufreq-scmi-fix-null-ptr-deref-in-scmi_cpufreq_get_.patch new file mode 100644 index 0000000000..27aa3064d9 --- /dev/null +++ b/queue-6.1/cpufreq-scmi-fix-null-ptr-deref-in-scmi_cpufreq_get_.patch 
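Review bot: The new `return 0;` in cppc_cpufreq_get_rate() is undocumented, and 0 is also the value this callback uses for other failures, so a reader cannot tell from the hunk that it is the cpufreq core's "rate unknown" convention rather than a real frequency; a one-line comment such as `/* 0 means "unknown" to the cpufreq core; the return type cannot carry an errno */` would fix that. The sibling fixes for scmi (next section) and scpi (the one after) make the same `!policy` check but wrap it in `unlikely()`; presumably harmless either way, but the three .get() callbacks in this batch could be written the same way. `int ret;` in the visible context stays unused by this path, which is fine since the function continues outside the hunk.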
@@ -0,0 +1,51 @@ +From 921914b6d489a9b1e41c796a8122eedcb0dc4025 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 23:03:53 +0800 +Subject: cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() + +From: Henry Martin + +[ Upstream commit 484d3f15cc6cbaa52541d6259778e715b2c83c54 ] + +cpufreq_cpu_get_raw() can return NULL when the target CPU is not present +in the policy->cpus mask. scmi_cpufreq_get_rate() does not check for +this case, which results in a NULL pointer dereference. + +Add NULL check after cpufreq_cpu_get_raw() to prevent this issue. + +Fixes: 99d6bdf33877 ("cpufreq: add support for CPU DVFS based on SCMI message protocol") +Signed-off-by: Henry Martin +Acked-by: Sudeep Holla +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/scmi-cpufreq.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/cpufreq/scmi-cpufreq.c b/drivers/cpufreq/scmi-cpufreq.c +index 079940c69ee0b..e4989764efe2a 100644 +--- a/drivers/cpufreq/scmi-cpufreq.c ++++ b/drivers/cpufreq/scmi-cpufreq.c +@@ -33,11 +33,17 @@ static const struct scmi_perf_proto_ops *perf_ops; + + static unsigned int scmi_cpufreq_get_rate(unsigned int cpu) + { +- struct cpufreq_policy *policy = cpufreq_cpu_get_raw(cpu); +- struct scmi_data *priv = policy->driver_data; ++ struct cpufreq_policy *policy; ++ struct scmi_data *priv; + unsigned long rate; + int ret; + ++ policy = cpufreq_cpu_get_raw(cpu); ++ if (unlikely(!policy)) ++ return 0; ++ ++ priv = policy->driver_data; ++ + ret = perf_ops->freq_get(ph, priv->domain_id, &rate, false); + if (ret) + return 0; +-- +2.39.5 + diff --git a/queue-6.1/cpufreq-scpi-fix-null-ptr-deref-in-scpi_cpufreq_get_.patch b/queue-6.1/cpufreq-scpi-fix-null-ptr-deref-in-scpi_cpufreq_get_.patch new file mode 100644 index 0000000000..bf808aec53 --- /dev/null +++ b/queue-6.1/cpufreq-scpi-fix-null-ptr-deref-in-scpi_cpufreq_get_.patch 
@@ -0,0 +1,49 @@ +From 67081dfc46f5e259f6d02a4ac12ae07bf1414447 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 23:03:54 +0800 +Subject: cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() + +From: Henry Martin + +[ Upstream commit 73b24dc731731edf762f9454552cb3a5b7224949 ] + +cpufreq_cpu_get_raw() can return NULL when the target CPU is not present +in the policy->cpus mask. scpi_cpufreq_get_rate() does not check for +this case, which results in a NULL pointer dereference. + +Fixes: 343a8d17fa8d ("cpufreq: scpi: remove arm_big_little dependency") +Signed-off-by: Henry Martin +Acked-by: Sudeep Holla +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/scpi-cpufreq.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/cpufreq/scpi-cpufreq.c b/drivers/cpufreq/scpi-cpufreq.c +index 433deec4b61f8..217073faf60cf 100644 +--- a/drivers/cpufreq/scpi-cpufreq.c ++++ b/drivers/cpufreq/scpi-cpufreq.c +@@ -29,9 +29,16 @@ static struct scpi_ops *scpi_ops; + + static unsigned int scpi_cpufreq_get_rate(unsigned int cpu) + { +- struct cpufreq_policy *policy = cpufreq_cpu_get_raw(cpu); +- struct scpi_data *priv = policy->driver_data; +- unsigned long rate = clk_get_rate(priv->clk); ++ struct cpufreq_policy *policy; ++ struct scpi_data *priv; ++ unsigned long rate; ++ ++ policy = cpufreq_cpu_get_raw(cpu); ++ if (unlikely(!policy)) ++ return 0; ++ ++ priv = policy->driver_data; ++ rate = clk_get_rate(priv->clk); + + return rate / 1000; + } +-- +2.39.5 + diff --git a/queue-6.1/dma-contiguous-avoid-warning-about-unused-size_bytes.patch b/queue-6.1/dma-contiguous-avoid-warning-about-unused-size_bytes.patch new file mode 100644 index 0000000000..d50e6a73ad --- /dev/null +++ b/queue-6.1/dma-contiguous-avoid-warning-about-unused-size_bytes.patch 
@@ -0,0 +1,42 @@ +From d21cdeb6dfc89ffe0b101f72b68a2d2d0acd8146 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 17:15:42 +0200 +Subject: dma/contiguous: avoid warning about unused size_bytes + +From: Arnd Bergmann + +[ Upstream commit d7b98ae5221007d3f202746903d4c21c7caf7ea9 ] + +When building with W=1, this variable is unused for configs with +CONFIG_CMA_SIZE_SEL_PERCENTAGE=y: + +kernel/dma/contiguous.c:67:26: error: 'size_bytes' defined but not used [-Werror=unused-const-variable=] + +Change this to a macro to avoid the warning. + +Fixes: c64be2bb1c6e ("drivers: add Contiguous Memory Allocator") +Signed-off-by: Arnd Bergmann +Signed-off-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20250409151557.3890443-1-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + kernel/dma/contiguous.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/kernel/dma/contiguous.c b/kernel/dma/contiguous.c +index 6ea80ae426228..24d96a2fe0628 100644 +--- a/kernel/dma/contiguous.c ++++ b/kernel/dma/contiguous.c +@@ -69,8 +69,7 @@ struct cma *dma_contiguous_default_area; + * Users, who want to set the size of global CMA area for their system + * should use cma= kernel parameter. + */ +-static const phys_addr_t size_bytes __initconst = +- (phys_addr_t)CMA_SIZE_MBYTES * SZ_1M; ++#define size_bytes ((phys_addr_t)CMA_SIZE_MBYTES * SZ_1M) + static phys_addr_t size_cmdline __initdata = -1; + static phys_addr_t base_cmdline __initdata; + static phys_addr_t limit_cmdline __initdata; +-- +2.39.5 + diff --git a/queue-6.1/iommu-amd-return-an-error-if-vcpu-affinity-is-set-fo.patch b/queue-6.1/iommu-amd-return-an-error-if-vcpu-affinity-is-set-fo.patch new file mode 100644 index 0000000000..363792f38f --- /dev/null +++ b/queue-6.1/iommu-amd-return-an-error-if-vcpu-affinity-is-set-fo.patch 
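Review bot: `#define size_bytes ((phys_addr_t)CMA_SIZE_MBYTES * SZ_1M)` introduces a lowercase, file-scope, never-undefined object-like macro, so any later local variable, parameter or struct member named `size_bytes` in kernel/dma/contiguous.c is silently rewritten to the expression; whether the rest of the file reuses that name is not visible in the hunk. The warning the commit addresses could be silenced without the macro by keeping the typed constant and marking it `static const phys_addr_t size_bytes __initconst __maybe_unused = (phys_addr_t)CMA_SIZE_MBYTES * SZ_1M;`, which preserves type checking and scoping. If the macro is kept, an `#undef size_bytes` after its last use would bound its reach.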
@@ -0,0 +1,38 @@ +From 4de887f38663e324a5fbaa9aac84f29f251b75b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Apr 2025 12:38:20 -0700 +Subject: iommu/amd: Return an error if vCPU affinity is set for non-vCPU IRTE + +From: Sean Christopherson + +[ Upstream commit 07172206a26dcf3f0bf7c3ecaadd4242b008ea54 ] + +Return -EINVAL instead of success if amd_ir_set_vcpu_affinity() is +invoked without use_vapic; lying to KVM about whether or not the IRTE was +configured to post IRQs is all kinds of bad. + +Fixes: d98de49a53e4 ("iommu/amd: Enable vAPIC interrupt remapping mode by default") +Signed-off-by: Sean Christopherson +Message-ID: <20250404193923.1413163-6-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd/iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c +index 5d34416b3468d..4421b464947b8 100644 +--- a/drivers/iommu/amd/iommu.c ++++ b/drivers/iommu/amd/iommu.c +@@ -3589,7 +3589,7 @@ static int amd_ir_set_vcpu_affinity(struct irq_data *data, void *vcpu_info) + * we should not modify the IRTE + */ + if (!dev_data || !dev_data->use_vapic) +- return 0; ++ return -EINVAL; + + ir_data->cfg = irqd_cfg(data); + pi_data->ir_data = ir_data; +-- +2.39.5 + diff --git a/queue-6.1/loongarch-make-regs_irqs_disabled-more-clear.patch b/queue-6.1/loongarch-make-regs_irqs_disabled-more-clear.patch new file mode 100644 index 0000000000..9e7cf06bdb --- /dev/null +++ b/queue-6.1/loongarch-make-regs_irqs_disabled-more-clear.patch 
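Review bot: Changing the `!dev_data || !dev_data->use_vapic` path from `return 0` to `return -EINVAL` alters the contract seen by the caller of irq_set_vcpu_affinity(), which on this platform is KVM's posted-interrupt update path, and that caller is not part of this backport. Upstream this is one patch of a larger series, so it is worth confirming that the 6.1 KVM SVM code treats -EINVAL here as "IRTE not posted, fall back" rather than as a hard failure that logs an error or aborts the affinity update on systems without vAPIC. A short comment on the new line, `/* Tell KVM the IRTE was NOT configured for posting, rather than silently succeeding. */`, would also state the intent the commit message gives. amd_ir_set_vcpu_affinity() continues outside the hunk.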
@@ -0,0 +1,46 @@ +From 0777f8fc0abfee9e7f728d7cfbb7641bdfaaffea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 20:15:41 +0800 +Subject: LoongArch: Make regs_irqs_disabled() more clear + +From: Tiezhu Yang + +[ Upstream commit bb0511d59db9b3e40c8d51f0d151ccd0fd44071d ] + +In the current code, the definition of regs_irqs_disabled() is actually +"!(regs->csr_prmd & CSR_CRMD_IE)" because arch_irqs_disabled_flags() is +defined as "!(flags & CSR_CRMD_IE)", it looks a little strange. + +Define regs_irqs_disabled() as !(regs->csr_prmd & CSR_PRMD_PIE) directly +to make it more clear, no functional change. + +While at it, the return value of regs_irqs_disabled() is true or false, +so change its type to reflect that and also make it always inline. + +Fixes: 803b0fc5c3f2 ("LoongArch: Add process management") +Signed-off-by: Tiezhu Yang +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/include/asm/ptrace.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/loongarch/include/asm/ptrace.h b/arch/loongarch/include/asm/ptrace.h +index 59c4608de91db..f5d9096d18aa1 100644 +--- a/arch/loongarch/include/asm/ptrace.h ++++ b/arch/loongarch/include/asm/ptrace.h +@@ -32,9 +32,9 @@ struct pt_regs { + unsigned long __last[]; + } __aligned(8); + +-static inline int regs_irqs_disabled(struct pt_regs *regs) ++static __always_inline bool regs_irqs_disabled(struct pt_regs *regs) + { +- return arch_irqs_disabled_flags(regs->csr_prmd); ++ return !(regs->csr_prmd & CSR_PRMD_PIE); + } + + static inline unsigned long kernel_stack_pointer(struct pt_regs *regs) +-- +2.39.5 + diff --git a/queue-6.1/loongarch-select-arch_use_memtest.patch b/queue-6.1/loongarch-select-arch_use_memtest.patch new file mode 100644 index 0000000000..f656bc1288 --- /dev/null +++ b/queue-6.1/loongarch-select-arch_use_memtest.patch 
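Review bot: The rewritten regs_irqs_disabled() drops its only use of arch_irqs_disabled_flags() and instead depends on `bool`, `__always_inline` and `CSR_PRMD_PIE` being visible in ptrace.h; the header's include list is outside the hunk, so confirm they arrive without relying on whichever header previously pulled in irqflags.h. The "no functional change" claim holds only because PRMD.PIE is the interrupted context's saved CRMD.IE, which the code no longer says; a one-line comment, `/* PRMD.PIE holds the CRMD.IE value of the interrupted context. */`, would record why testing PRMD here is equivalent to the old flags check.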
@@ -0,0 +1,40 @@ +From 6ab591e63b6c0fd67022f1878aed6631effefddf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 20:15:22 +0800 +Subject: LoongArch: Select ARCH_USE_MEMTEST + +From: Yuli Wang + +[ Upstream commit fb8e9f59d6f292c3d9fea6c155c22ea5fc3053ab ] + +As of commit dce44566192e ("mm/memtest: add ARCH_USE_MEMTEST"), +architectures must select ARCH_USE_MEMTESET to enable CONFIG_MEMTEST. + +Commit 628c3bb40e9a ("LoongArch: Add boot and setup routines") added +support for early_memtest but did not select ARCH_USE_MEMTESET. + +Fixes: 628c3bb40e9a ("LoongArch: Add boot and setup routines") +Tested-by: Erpeng Xu +Tested-by: Yuli Wang +Signed-off-by: Yuli Wang +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/loongarch/Kconfig b/arch/loongarch/Kconfig +index 0166d357069d9..6c55d85b1c767 100644 +--- a/arch/loongarch/Kconfig ++++ b/arch/loongarch/Kconfig +@@ -51,6 +51,7 @@ config LOONGARCH + select ARCH_SUPPORTS_NUMA_BALANCING + select ARCH_USE_BUILTIN_BSWAP + select ARCH_USE_CMPXCHG_LOCKREF ++ select ARCH_USE_MEMTEST + select ARCH_USE_QUEUED_RWLOCKS + select ARCH_USE_QUEUED_SPINLOCKS + select ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT +-- +2.39.5 + diff --git a/queue-6.1/net-dsa-mt7530-sync-driver-specific-behavior-of-mt75.patch b/queue-6.1/net-dsa-mt7530-sync-driver-specific-behavior-of-mt75.patch new file mode 100644 index 0000000000..db8ad8a229 --- /dev/null +++ b/queue-6.1/net-dsa-mt7530-sync-driver-specific-behavior-of-mt75.patch 
@@ -0,0 +1,57 @@ +From c47082a8b43874c46e044fe76615b6c247164468 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Apr 2025 04:10:20 +0100 +Subject: net: dsa: mt7530: sync driver-specific behavior of MT7531 variants + +From: Daniel Golle + +[ Upstream commit 497041d763016c2e8314d2f6a329a9b77c3797ca ] + +MT7531 standalone and MMIO variants found in MT7988 and EN7581 share +most basic properties. Despite that, assisted_learning_on_cpu_port and +mtu_enforcement_ingress were only applied for MT7531 but not for MT7988 +or EN7581, causing the expected issues on MMIO devices. + +Apply both settings equally also for MT7988 and EN7581 by moving both +assignments form mt7531_setup() to mt7531_setup_common(). + +This fixes unwanted flooding of packets due to unknown unicast +during DA lookup, as well as issues with heterogenous MTU settings. + +Fixes: 7f54cc9772ce ("net: dsa: mt7530: split-off common parts from mt7531_setup") +Signed-off-by: Daniel Golle +Reviewed-by: Chester A. Unal +Link: https://patch.msgid.link/89ed7ec6d4fa0395ac53ad2809742bb1ce61ed12.1745290867.git.daniel@makrotopia.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mt7530.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c +index 1aba0cf38630f..308e56a73df01 100644 +--- a/drivers/net/dsa/mt7530.c ++++ b/drivers/net/dsa/mt7530.c +@@ -2558,6 +2558,9 @@ mt7531_setup_common(struct dsa_switch *ds) + struct mt7530_priv *priv = ds->priv; + int ret, i; + ++ ds->assisted_learning_on_cpu_port = true; ++ ds->mtu_enforcement_ingress = true; ++ + mt753x_trap_frames(priv); + + /* Enable and reset MIB counters */ +@@ -2701,9 +2704,6 @@ mt7531_setup(struct dsa_switch *ds) + if (ret) + return ret; + +- ds->assisted_learning_on_cpu_port = true; +- ds->mtu_enforcement_ingress = true; +- + return 0; + } + +-- +2.39.5 + 
diff --git a/queue-6.1/net-lwtunnel-disable-bhs-when-required.patch b/queue-6.1/net-lwtunnel-disable-bhs-when-required.patch new file mode 100644 index 0000000000..374464ae13 --- /dev/null +++ b/queue-6.1/net-lwtunnel-disable-bhs-when-required.patch 
@@ -0,0 +1,120 @@ +From 46edb6d4693b3c132a0952f88d8db9926b8465da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Apr 2025 18:07:16 +0200 +Subject: net: lwtunnel: disable BHs when required + +From: Justin Iurman + +[ Upstream commit c03a49f3093a4903c8a93c8b5c9a297b5343b169 ] + +In lwtunnel_{output|xmit}(), dev_xmit_recursion() may be called in +preemptible scope for PREEMPT kernels. This patch disables BHs before +calling dev_xmit_recursion(). BHs are re-enabled only at the end, since +we must ensure the same CPU is used for both dev_xmit_recursion_inc() +and dev_xmit_recursion_dec() (and any other recursion levels in some +cases) in order to maintain valid per-cpu counters. + +Reported-by: Alexei Starovoitov +Closes: https://lore.kernel.org/netdev/CAADnVQJFWn3dBFJtY+ci6oN1pDFL=TzCmNbRgey7MdYxt_AP2g@mail.gmail.com/ +Reported-by: Eduard Zingerman +Closes: https://lore.kernel.org/netdev/m2h62qwf34.fsf@gmail.com/ +Fixes: 986ffb3a57c5 ("net: lwtunnel: fix recursion loops") +Signed-off-by: Justin Iurman +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250416160716.8823-1-justin.iurman@uliege.be +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/lwtunnel.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/net/core/lwtunnel.c b/net/core/lwtunnel.c +index 4417a18b3e951..f63586c9ce021 100644 +--- a/net/core/lwtunnel.c ++++ b/net/core/lwtunnel.c +@@ -332,6 +332,8 @@ int lwtunnel_output(struct net *net, struct sock *sk, struct sk_buff *skb) + struct dst_entry *dst; + int ret; + ++ local_bh_disable(); ++ + if (dev_xmit_recursion()) { + net_crit_ratelimited("%s(): recursion limit reached on datapath\n", + __func__); +@@ -347,8 +349,10 @@ int lwtunnel_output(struct net *net, struct sock *sk, struct sk_buff *skb) + lwtstate = dst->lwtstate; + + if (lwtstate->type == LWTUNNEL_ENCAP_NONE || +- lwtstate->type > LWTUNNEL_ENCAP_MAX) +- return 0; ++ lwtstate->type > LWTUNNEL_ENCAP_MAX) { ++ ret 
= 0; ++ goto out; ++ } + + ret = -EOPNOTSUPP; + rcu_read_lock(); +@@ -363,11 +367,13 @@ int lwtunnel_output(struct net *net, struct sock *sk, struct sk_buff *skb) + if (ret == -EOPNOTSUPP) + goto drop; + +- return ret; ++ goto out; + + drop: + kfree_skb(skb); + ++out: ++ local_bh_enable(); + return ret; + } + EXPORT_SYMBOL_GPL(lwtunnel_output); +@@ -379,6 +385,8 @@ int lwtunnel_xmit(struct sk_buff *skb) + struct dst_entry *dst; + int ret; + ++ local_bh_disable(); ++ + if (dev_xmit_recursion()) { + net_crit_ratelimited("%s(): recursion limit reached on datapath\n", + __func__); +@@ -395,8 +403,10 @@ int lwtunnel_xmit(struct sk_buff *skb) + lwtstate = dst->lwtstate; + + if (lwtstate->type == LWTUNNEL_ENCAP_NONE || +- lwtstate->type > LWTUNNEL_ENCAP_MAX) +- return 0; ++ lwtstate->type > LWTUNNEL_ENCAP_MAX) { ++ ret = 0; ++ goto out; ++ } + + ret = -EOPNOTSUPP; + rcu_read_lock(); +@@ -411,11 +421,13 @@ int lwtunnel_xmit(struct sk_buff *skb) + if (ret == -EOPNOTSUPP) + goto drop; + +- return ret; ++ goto out; + + drop: + kfree_skb(skb); + ++out: ++ local_bh_enable(); + return ret; + } + EXPORT_SYMBOL_GPL(lwtunnel_xmit); +@@ -427,6 +439,8 @@ int lwtunnel_input(struct sk_buff *skb) + struct dst_entry *dst; + int ret; + ++ DEBUG_NET_WARN_ON_ONCE(!in_softirq()); ++ + if (dev_xmit_recursion()) { + net_crit_ratelimited("%s(): recursion limit reached on datapath\n", + __func__); +-- +2.39.5 + diff --git a/queue-6.1/net-phy-leds-fix-memory-leak.patch b/queue-6.1/net-phy-leds-fix-memory-leak.patch new file mode 100644 index 0000000000..77015a29a1 --- /dev/null +++ b/queue-6.1/net-phy-leds-fix-memory-leak.patch 
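Review bot: `local_bh_disable()` is now the first statement of lwtunnel_output(), but the lines between the first two hunks (the body of the `dev_xmit_recursion()` branch and the `skb_dst()` NULL check, roughly lines 338-348) are not shown; every exit in that stretch must reach `drop`/`out` rather than `return` directly, or BHs stay disabled on the recursion-limit and missing-dst paths. The same applies to the corresponding stretch of lwtunnel_xmit() in the later hunks of this file. If any of those exits still returns directly, the fix is to set `ret` and `goto drop;` so the new `out:` label runs `local_bh_enable()`. Both functions begin and end outside the individual hunks.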
@@ -0,0 +1,101 @@ +From 9ca50b1b2144c91face6b9b942f67feb84e5b115 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 11:25:56 +0800 +Subject: net: phy: leds: fix memory leak + +From: Qingfang Deng + +[ Upstream commit b7f0ee992adf601aa00c252418266177eb7ac2bc ] + +A network restart test on a router led to an out-of-memory condition, +which was traced to a memory leak in the PHY LED trigger code. + +The root cause is misuse of the devm API. The registration function +(phy_led_triggers_register) is called from phy_attach_direct, not +phy_probe, and the unregister function (phy_led_triggers_unregister) +is called from phy_detach, not phy_remove. This means the register and +unregister functions can be called multiple times for the same PHY +device, but devm-allocated memory is not freed until the driver is +unbound. + +This also prevents kmemleak from detecting the leak, as the devm API +internally stores the allocated pointer. + +Fix this by replacing devm_kzalloc/devm_kcalloc with standard +kzalloc/kcalloc, and add the corresponding kfree calls in the unregister +path. 
+ +Fixes: 3928ee6485a3 ("net: phy: leds: Add support for "link" trigger") +Fixes: 2e0bc452f472 ("net: phy: leds: add support for led triggers on phy link state change") +Signed-off-by: Hao Guan +Signed-off-by: Qingfang Deng +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20250417032557.2929427-1-dqfext@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy_led_triggers.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/phy/phy_led_triggers.c b/drivers/net/phy/phy_led_triggers.c +index f550576eb9dae..6f9d8da76c4df 100644 +--- a/drivers/net/phy/phy_led_triggers.c ++++ b/drivers/net/phy/phy_led_triggers.c +@@ -91,9 +91,8 @@ int phy_led_triggers_register(struct phy_device *phy) + if (!phy->phy_num_led_triggers) + return 0; + +- phy->led_link_trigger = devm_kzalloc(&phy->mdio.dev, +- sizeof(*phy->led_link_trigger), +- GFP_KERNEL); ++ phy->led_link_trigger = kzalloc(sizeof(*phy->led_link_trigger), ++ GFP_KERNEL); + if (!phy->led_link_trigger) { + err = -ENOMEM; + goto out_clear; +@@ -103,10 +102,9 @@ int phy_led_triggers_register(struct phy_device *phy) + if (err) + goto out_free_link; + +- phy->phy_led_triggers = devm_kcalloc(&phy->mdio.dev, +- phy->phy_num_led_triggers, +- sizeof(struct phy_led_trigger), +- GFP_KERNEL); ++ phy->phy_led_triggers = kcalloc(phy->phy_num_led_triggers, ++ sizeof(struct phy_led_trigger), ++ GFP_KERNEL); + if (!phy->phy_led_triggers) { + err = -ENOMEM; + goto out_unreg_link; +@@ -127,11 +125,11 @@ int phy_led_triggers_register(struct phy_device *phy) + out_unreg: + while (i--) + phy_led_trigger_unregister(&phy->phy_led_triggers[i]); +- devm_kfree(&phy->mdio.dev, phy->phy_led_triggers); ++ kfree(phy->phy_led_triggers); + out_unreg_link: + phy_led_trigger_unregister(phy->led_link_trigger); + out_free_link: +- devm_kfree(&phy->mdio.dev, phy->led_link_trigger); ++ kfree(phy->led_link_trigger); + phy->led_link_trigger = NULL; + out_clear: 
+ phy->phy_num_led_triggers = 0; +@@ -145,8 +143,13 @@ void phy_led_triggers_unregister(struct phy_device *phy) + + for (i = 0; i < phy->phy_num_led_triggers; i++) + phy_led_trigger_unregister(&phy->phy_led_triggers[i]); ++ kfree(phy->phy_led_triggers); ++ phy->phy_led_triggers = NULL; + +- if (phy->led_link_trigger) ++ if (phy->led_link_trigger) { + phy_led_trigger_unregister(phy->led_link_trigger); ++ kfree(phy->led_link_trigger); ++ phy->led_link_trigger = NULL; ++ } + } + EXPORT_SYMBOL_GPL(phy_led_triggers_unregister); +-- +2.39.5 + diff --git a/queue-6.1/net_sched-hfsc-fix-a-potential-uaf-in-hfsc_dequeue-t.patch b/queue-6.1/net_sched-hfsc-fix-a-potential-uaf-in-hfsc_dequeue-t.patch new file mode 100644 index 0000000000..9d27fd4f88 --- /dev/null +++ b/queue-6.1/net_sched-hfsc-fix-a-potential-uaf-in-hfsc_dequeue-t.patch 
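Review bot: On the `out_unreg:` error path phy_led_triggers_register() now does `kfree(phy->phy_led_triggers);` but leaves the dangling pointer in `phy->phy_led_triggers`, while phy_led_triggers_unregister() in the next hunk now calls `kfree(phy->phy_led_triggers)` unconditionally (`phy_num_led_triggers` being 0 only skips the loop). The commit message says register runs from phy_attach_direct and unregister from phy_detach; if phy_attach_direct does not unwind on a register failure, as the visible code does not show, a later detach frees the same buffer twice. The fix is to clear the pointer where the link trigger path already does, i.e. `kfree(phy->phy_led_triggers);` followed by `phy->phy_led_triggers = NULL;` under `out_unreg:`.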
@@ -0,0 +1,51 @@ +From e56741247fae7e6d219ca94fcc765d6876765688 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 11:47:31 -0700 +Subject: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too + +From: Cong Wang + +[ Upstream commit 6ccbda44e2cc3d26fd22af54c650d6d5d801addf ] + +Similarly to the previous patch, we need to safe guard hfsc_dequeue() +too. But for this one, we don't have a reliable reproducer. + +Fixes: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 ("Linux-2.6.12-rc2") +Reported-by: Gerrard Tai +Signed-off-by: Cong Wang +Reviewed-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20250417184732.943057-3-xiyou.wangcong@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_hfsc.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c +index 901bc93ece5aa..dbed490aafd3d 100644 +--- a/net/sched/sch_hfsc.c ++++ b/net/sched/sch_hfsc.c +@@ -1636,10 +1636,16 @@ hfsc_dequeue(struct Qdisc *sch) + if (cl->qdisc->q.qlen != 0) { + /* update ed */ + next_len = qdisc_peek_len(cl->qdisc); +- if (realtime) +- update_ed(cl, next_len); +- else +- update_d(cl, next_len); ++ /* Check queue length again since some qdisc implementations ++ * (e.g., netem/codel) might empty the queue during the peek ++ * operation. ++ */ ++ if (cl->qdisc->q.qlen != 0) { ++ if (realtime) ++ update_ed(cl, next_len); ++ else ++ update_d(cl, next_len); ++ } + } else { + /* the class becomes passive */ + eltree_remove(cl); +-- +2.39.5 + diff --git a/queue-6.1/net_sched-hfsc-fix-a-uaf-vulnerability-in-class-hand.patch b/queue-6.1/net_sched-hfsc-fix-a-uaf-vulnerability-in-class-hand.patch new file mode 100644 index 0000000000..0690b4c71f --- /dev/null +++ b/queue-6.1/net_sched-hfsc-fix-a-uaf-vulnerability-in-class-hand.patch 
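Review bot: When the second `cl->qdisc->q.qlen != 0` check in hfsc_dequeue() fails, neither update_ed()/update_d() nor the `else` branch's `eltree_remove(cl)`/passive handling runs, so a class whose queue was emptied by the peek is left active with a stale deadline; presumably the next dequeue pass tolerates that via its empty-peek handling, but nothing in the hunk says so. A comment on the new inner `if` such as `/* If the peek emptied the queue the class stays in the tree; the next dequeue sees the empty queue and drops it. */` would record the expectation, or the emptied case could fall through to the same passive handling as the `else` branch. The companion hfsc_change_class() fix in the next section carries the same re-check comment verbatim; a shared helper or a single cross-reference would avoid the duplication.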
@@ -0,0 +1,70 @@ +From 67b7e5252a9a970974edc3ee86df46a65aef7c51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 11:47:30 -0700 +Subject: net_sched: hfsc: Fix a UAF vulnerability in class handling + +From: Cong Wang + +[ Upstream commit 3df275ef0a6ae181e8428a6589ef5d5231e58b5c ] + +This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class +handling. The issue occurs due to a time-of-check/time-of-use condition +in hfsc_change_class() when working with certain child qdiscs like netem +or codel. + +The vulnerability works as follows: +1. hfsc_change_class() checks if a class has packets (q.qlen != 0) +2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g., + codel, netem) might drop packets and empty the queue +3. The code continues assuming the queue is still non-empty, adding + the class to vttree +4. This breaks HFSC scheduler assumptions that only non-empty classes + are in vttree +5. Later, when the class is destroyed, this can lead to a Use-After-Free + +The fix adds a second queue length check after qdisc_peek_len() to verify +the queue wasn't emptied. 
+ +Fixes: 21f4d5cc25ec ("net_sched/hfsc: fix curve activation in hfsc_change_class()") +Reported-by: Gerrard Tai +Reviewed-by: Konstantin Khlebnikov +Signed-off-by: Cong Wang +Reviewed-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20250417184732.943057-2-xiyou.wangcong@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_hfsc.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c +index 54dddc2ff5025..901bc93ece5aa 100644 +--- a/net/sched/sch_hfsc.c ++++ b/net/sched/sch_hfsc.c +@@ -959,6 +959,7 @@ hfsc_change_class(struct Qdisc *sch, u32 classid, u32 parentid, + + if (cl != NULL) { + int old_flags; ++ int len = 0; + + if (parentid) { + if (cl->cl_parent && +@@ -989,9 +990,13 @@ hfsc_change_class(struct Qdisc *sch, u32 classid, u32 parentid, + if (usc != NULL) + hfsc_change_usc(cl, usc, cur_time); + ++ if (cl->qdisc->q.qlen != 0) ++ len = qdisc_peek_len(cl->qdisc); ++ /* Check queue length again since some qdisc implementations ++ * (e.g., netem/codel) might empty the queue during the peek ++ * operation. ++ */ + if (cl->qdisc->q.qlen != 0) { +- int len = qdisc_peek_len(cl->qdisc); +- + if (cl->cl_flags & HFSC_RSC) { + if (old_flags & HFSC_RSC) + update_ed(cl, len); +-- +2.39.5 + diff --git a/queue-6.1/perf-x86-fix-non-sampling-counting-events-on-certain.patch b/queue-6.1/perf-x86-fix-non-sampling-counting-events-on-certain.patch new file mode 100644 index 0000000000..2c325a4d86 --- /dev/null +++ b/queue-6.1/perf-x86-fix-non-sampling-counting-events-on-certain.patch 
@@ -0,0 +1,62 @@
+From 61b2208399467bbe166125c55e713978261003cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Apr 2025 06:47:24 +0000
+Subject: perf/x86: Fix non-sampling (counting) events on certain x86 platforms
+
+From: Luo Gengkun
+
+[ Upstream commit 1a97fea9db9e9b9c4839d4232dde9f505ff5b4cc ]
+
+Perf doesn't work at perf stat for hardware events on certain x86 platforms:
+
+ $perf stat -- sleep 1
+ Performance counter stats for 'sleep 1':
+ 16.44 msec task-clock # 0.016 CPUs utilized
+ 2 context-switches # 121.691 /sec
+ 0 cpu-migrations # 0.000 /sec
+ 54 page-faults # 3.286 K/sec
+ cycles
+ instructions
+ branches
+ branch-misses
+
+The reason is that the check in x86_pmu_hw_config() for sampling events is
+unexpectedly applied to counting events as well.
+
+It should only impact x86 platforms with limit_period used for non-PEBS
+events. For Intel platforms, it should only impact some older platforms,
+e.g., HSW, BDW and NHM.
+
+Fixes: 88ec7eedbbd2 ("perf/x86: Fix low freqency setting issue")
+Signed-off-by: Luo Gengkun
+Signed-off-by: Ingo Molnar
+Reviewed-by: Kan Liang
+Cc: Alexander Shishkin
+Cc: Arnaldo Carvalho de Melo
+Cc: Jiri Olsa
+Cc: Mark Rutland
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: Ravi Bangoria
+Link: https://lore.kernel.org/r/20250423064724.3716211-1-luogengkun@huaweicloud.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/events/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
+index fa07447324445..a8732dd9fedb9 100644
+--- a/arch/x86/events/core.c
++++ b/arch/x86/events/core.c
+@@ -623,7 +623,7 @@ int x86_pmu_hw_config(struct perf_event *event)
+ if (event->attr.type == event->pmu->type)
+ event->hw.config |= event->attr.config & X86_RAW_EVENT_MASK;
+
+- if (!event->attr.freq && x86_pmu.limit_period) {
++ if (is_sampling_event(event) && !event->attr.freq && x86_pmu.limit_period) {
+ s64 left = event->attr.sample_period;
+ x86_pmu.limit_period(event,
&left);
+ if (left > event->attr.sample_period)
+--
+2.39.5
+
diff --git a/queue-6.1/riscv-uprobes-add-missing-fence.i-after-building-the.patch b/queue-6.1/riscv-uprobes-add-missing-fence.i-after-building-the.patch
new file mode 100644
index 0000000000..815eca59c7
--- /dev/null
+++ b/queue-6.1/riscv-uprobes-add-missing-fence.i-after-building-the.patch
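Review bot: The new guard gates the period clamp on is_sampling_event() with no comment saying why, and a reader of the 6.1 tree will not have the commit message at hand. I would add above the condition: `/* Counting events carry no sample_period to validate; running limit_period() on a zero period would raise it and the check below would then reject the event. */` — the rejection itself is inferred from the `left > sample_period` test the hunk cuts off, so verify it against the rest of the body. Keeping `!event->attr.freq` alongside is_sampling_event() is still needed because a frequency event also has a non-zero period field, which a comment could say explicitly. x86_pmu_hw_config() continues outside the hunk in both directions.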
@@ -0,0 +1,61 @@
+From ccd18ae73bffa825652610b0f927a8087ba88d7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 19 Apr 2025 13:14:00 +0200
+Subject: riscv: uprobes: Add missing fence.i after building the XOL buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Björn Töpel
+
+[ Upstream commit 7d1d19a11cfbfd8bae1d89cc010b2cc397cd0c48 ]
+
+The XOL (execute out-of-line) buffer is used to single-step the
+replaced instruction(s) for uprobes. The RISC-V port was missing a
+proper fence.i (i$ flushing) after constructing the XOL buffer, which
+can result in incorrect execution of stale/broken instructions.
+
+This was found running the BPF selftests "test_progs:
+uprobe_autoattach, attach_probe" on the Spacemit K1/X60, where the
+uprobes tests randomly blew up.
+
+Reviewed-by: Guo Ren
+Fixes: 74784081aac8 ("riscv: Add uprobes supported")
+Signed-off-by: Björn Töpel
+Link: https://lore.kernel.org/r/20250419111402.1660267-2-bjorn@kernel.org
+Signed-off-by: Palmer Dabbelt
+Signed-off-by: Sasha Levin
+---
+ arch/riscv/kernel/probes/uprobes.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/arch/riscv/kernel/probes/uprobes.c b/arch/riscv/kernel/probes/uprobes.c
+index 194f166b2cc40..0d18ee53fd649 100644
+--- a/arch/riscv/kernel/probes/uprobes.c
++++ b/arch/riscv/kernel/probes/uprobes.c
+@@ -161,6 +161,7 @@ void arch_uprobe_copy_ixol(struct page *page, unsigned long vaddr,
+ /* Initialize the slot */
+ void *kaddr = kmap_atomic(page);
+ void *dst = kaddr + (vaddr & ~PAGE_MASK);
++ unsigned long start = (unsigned long)dst;
+
+ memcpy(dst, src, len);
+
+@@ -170,13 +171,6 @@ void arch_uprobe_copy_ixol(struct page *page, unsigned long vaddr,
+ *(uprobe_opcode_t *)dst = __BUG_INSN_32;
+ }
+
++ flush_icache_range(start, start + len);
+ kunmap_atomic(kaddr);
+-
+- /*
+- * We probably need flush_icache_user_page() but it needs vma.
+- * This should work on most of architectures by default.
If
+- * architecture needs to do something different it can define
+- * its own version of the function.
+- */
+- flush_dcache_page(page);
+ }
+--
+2.39.5
+
diff --git a/queue-6.1/scsi-core-clear-flags-for-scsi_cmnd-that-did-not-com.patch b/queue-6.1/scsi-core-clear-flags-for-scsi_cmnd-that-did-not-com.patch
new file mode 100644
index 0000000000..a64a8d39ce
--- /dev/null
+++ b/queue-6.1/scsi-core-clear-flags-for-scsi_cmnd-that-did-not-com.patch
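Review bot: The flushed range is `[start, start + len)`, but the trailing `__BUG_INSN_32` is stored through `dst` after the memcpy, and the lines that may advance dst past the copied instruction fall between the two hunks; if that store can land at an offset at or beyond `len`, the ebreak stays outside the flush and a stale instruction can still execute in the XOL slot, which is exactly what this patch is meant to rule out. Either flush through the last byte actually written, `flush_icache_range(start, max(start + len, (unsigned long)dst + sizeof(uprobe_opcode_t)));`, or add a comment at the call stating that `len` is sized to cover the instruction plus the appended ebreak. The flush is also issued while the kmap_atomic() mapping is still held, which is fine only if flush_icache_range() cannot sleep on this architecture; I cannot confirm that from the hunk. arch_uprobe_copy_ixol() starts outside the hunk.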
@@ -0,0 +1,50 @@
+From f6065d4385894131a0797a2fbac356df9692ad45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 24 Mar 2025 11:49:33 +0300
+Subject: scsi: core: Clear flags for scsi_cmnd that did not complete
+
+From: Anastasia Kovaleva
+
+[ Upstream commit 54bebe46871d4e56e05fcf55c1a37e7efa24e0a8 ]
+
+Commands that have not been completed with scsi_done() do not clear the
+SCMD_INITIALIZED flag and therefore will not be properly reinitialized.
+Thus, the next time the scsi_cmnd structure is used, the command may
+fail in scsi_cmd_runtime_exceeded() due to the old jiffies_at_alloc
+value:
+
+ kernel: sd 16:0:1:84: [sdts] tag#405 timing out command, waited 720s
+ kernel: sd 16:0:1:84: [sdts] tag#405 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=66636s
+
+Clear flags for commands that have not been completed by SCSI.
+
+Fixes: 4abafdc4360d ("block: remove the initialize_rq_fn blk_mq_ops method")
+Signed-off-by: Anastasia Kovaleva
+Link: https://lore.kernel.org/r/20250324084933.15932-2-a.kovaleva@yadro.com
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/scsi_lib.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
+index 8e75eb1b6eab8..df61d7b906653 100644
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -1158,8 +1158,12 @@ EXPORT_SYMBOL_GPL(scsi_alloc_request);
+ */
+ static void scsi_cleanup_rq(struct request *rq)
+ {
++ struct scsi_cmnd *cmd = blk_mq_rq_to_pdu(rq);
++
++ cmd->flags = 0;
++
+ if (rq->rq_flags & RQF_DONTPREP) {
+- scsi_mq_uninit_cmd(blk_mq_rq_to_pdu(rq));
++ scsi_mq_uninit_cmd(cmd);
+ rq->rq_flags &= ~RQF_DONTPREP;
+ }
+ }
+--
+2.39.5
+
diff --git a/queue-6.1/series b/queue-6.1/series
index a95b12b29f..70c60949c3 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
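Review bot: `cmd->flags = 0;` runs before scsi_mq_uninit_cmd() in the RQF_DONTPREP branch, so the uninit path sees a command whose flags are already wiped; unless that path is known not to consult cmd->flags (not visible here), clearing after the branch is the safer order. The clear is also undocumented and its reason lives only in the commit message, so I would add `/* The command never reached scsi_done(), so SCMD_INITIALIZED is still set; clear it (and any other state flags) so the next use of this scsi_cmnd re-initializes jiffies_at_alloc. */` above it. Whether wiping every flag, as opposed to `cmd->flags &= ~SCMD_INITIALIZED;`, matches what the normal completion path leaves behind is worth checking against scsi_done() before this goes into 6.1.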
@@ -40,3 +40,20 @@ s390-pci-support-mmap-of-pci-resources-except-for-is.patch
 asoc-qcom-q6dsp-add-support-to-more-display-ports.patch
 asoc-qcom-fix-sc7280-lpass-potential-buffer-overflow.patch
 selftests-mm-generate-a-temporary-mountpoint-for-cgr.patch
+dma-contiguous-avoid-warning-about-unused-size_bytes.patch
+cpufreq-scmi-fix-null-ptr-deref-in-scmi_cpufreq_get_.patch
+cpufreq-scpi-fix-null-ptr-deref-in-scpi_cpufreq_get_.patch
+cpufreq-cppc-fix-invalid-return-value-in-.get-callba.patch
+btrfs-avoid-page_lockend-underflow-in-btrfs_punch_ho.patch
+scsi-core-clear-flags-for-scsi_cmnd-that-did-not-com.patch
+net-lwtunnel-disable-bhs-when-required.patch
+net-phy-leds-fix-memory-leak.patch
+tipc-fix-null-pointer-dereference-in-tipc_mon_reinit.patch
+net_sched-hfsc-fix-a-uaf-vulnerability-in-class-hand.patch
+net_sched-hfsc-fix-a-potential-uaf-in-hfsc_dequeue-t.patch
+net-dsa-mt7530-sync-driver-specific-behavior-of-mt75.patch
+iommu-amd-return-an-error-if-vcpu-affinity-is-set-fo.patch
+riscv-uprobes-add-missing-fence.i-after-building-the.patch
+perf-x86-fix-non-sampling-counting-events-on-certain.patch
+loongarch-select-arch_use_memtest.patch
+loongarch-make-regs_irqs_disabled-more-clear.patch
diff --git a/queue-6.1/tipc-fix-null-pointer-dereference-in-tipc_mon_reinit.patch b/queue-6.1/tipc-fix-null-pointer-dereference-in-tipc_mon_reinit.patch
new file mode 100644
index 0000000000..ff160210c7
--- /dev/null
+++ b/queue-6.1/tipc-fix-null-pointer-dereference-in-tipc_mon_reinit.patch
@@ -0,0 +1,125 @@
+From 2d8bd372535ebce2dfbb9203d121212c4dd4ecb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 17 Apr 2025 14:47:15 +0700
+Subject: tipc: fix NULL pointer dereference in tipc_mon_reinit_self()
+
+From: Tung Nguyen
+
+[ Upstream commit d63527e109e811ef11abb1c2985048fdb528b4cb ]
+
+syzbot reported:
+
+tipc: Node number set to 1055423674
+Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+CPU: 3 UID: 0 PID: 6017 Comm: kworker/3:5 Not tainted 6.15.0-rc1-syzkaller-00246-g900241a5cc15 #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+Workqueue: events tipc_net_finalize_work
+RIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719
+...
+RSP: 0018:ffffc9000356fb68 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba
+RDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010
+RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007
+R13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010
+FS: 0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+
+ tipc_net_finalize+0x10b/0x180 net/tipc/net.c:140
+ process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
+ process_scheduled_works kernel/workqueue.c:3319 [inline]
+ worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
+ kthread+0x3c2/0x780 kernel/kthread.c:464
+ ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+
+...
+RIP: 0010:tipc_mon_reinit_self+0x11c/0x210 net/tipc/monitor.c:719
+...
+RSP: 0018:ffffc9000356fb68 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003ee87cba
+RDX: 0000000000000000 RSI: ffffffff8dbc56a7 RDI: ffff88804c2cc010
+RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000007
+R13: fffffbfff2111097 R14: ffff88804ead8000 R15: ffff88804ead9010
+FS: 0000000000000000(0000) GS:ffff888097ab9000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000f720eb00 CR3: 000000000e182000 CR4: 0000000000352ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+There is a racing condition between workqueue created when enabling
+bearer and another thread created when disabling bearer right after
+that as follow:
+
+enabling_bearer | disabling_bearer
+--------------- | ----------------
+tipc_disc_timeout() |
+{ | bearer_disable()
+... | {
+ schedule_work(&tn->work); | tipc_mon_delete()
+ ... | {
+} | ...
+ | write_lock_bh(&mon->lock);
+ | mon->self = NULL;
+ | write_unlock_bh(&mon->lock);
+ | ...
+ | }
+tipc_net_finalize_work() | }
+{ |
+ ... |
+ tipc_net_finalize() |
+ { |
+ ... |
+ tipc_mon_reinit_self() |
+ { |
+ ... |
+ write_lock_bh(&mon->lock); |
+ mon->self->addr = tipc_own_addr(net); |
+ write_unlock_bh(&mon->lock); |
+ ... |
+ } |
+ ... |
+ } |
+ ... |
+} |
+
+'mon->self' is set to NULL in disabling_bearer thread and dereferenced
+later in enabling_bearer thread.
+
+This commit fixes this issue by validating 'mon->self' before assigning
+node address to it.
+
+Reported-by: syzbot+ed60da8d686dc709164c@syzkaller.appspotmail.com
+Fixes: 46cb01eeeb86 ("tipc: update mon's self addr when node addr generated")
+Signed-off-by: Tung Nguyen
+Reviewed-by: Simon Horman
+Link: https://patch.msgid.link/20250417074826.578115-1-tung.quang.nguyen@est.tech
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/tipc/monitor.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/monitor.c b/net/tipc/monitor.c
+index 9618e4429f0fe..23efd35adaa35 100644
+--- a/net/tipc/monitor.c
++++ b/net/tipc/monitor.c
+@@ -716,7 +716,8 @@ void tipc_mon_reinit_self(struct net *net)
+ if (!mon)
+ continue;
+ write_lock_bh(&mon->lock);
+- mon->self->addr = tipc_own_addr(net);
++ if (mon->self)
++ mon->self->addr = tipc_own_addr(net);
+ write_unlock_bh(&mon->lock);
+ }
+ }
+--
+2.39.5
+
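Review bot: The `if (mon->self)` test is taken under mon->lock and, per the description, tipc_mon_delete() clears mon->self under the same lock, so the self pointer is now handled; what the hunk leaves open is the lifetime of `mon` itself, which is looked up on the line just above the hunk without that lock held, and if tipc_mon_delete() can free the monitor after that lookup the `write_lock_bh(&mon->lock)` on the next line becomes a use-after-free rather than the NULL dereference being fixed. I cannot see the lookup or the teardown path from here, so this is a point to confirm rather than a found bug; if it holds, the loop needs whatever serialization keeps mon alive, and in any case a comment such as `/* mon->self is cleared by tipc_mon_delete() under mon->lock; the monitor itself must outlive this loop. */` would record the contract next to the check. tipc_mon_reinit_self() starts outside the hunk.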