From: Greg Kroah-Hartman Date: Sun, 26 Oct 2025 14:51:53 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v5.4.301~38 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e996b161b7012ee0d3d0587036871920d44e0da9;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: acpica-work-around-bogus-wstringop-overread-warning-since-gcc-11.patch can-netlink-can_changelink-allow-disabling-of-automatic-restart.patch mips-malta-fix-keyboard-resource-preventing-i8042-driver-from-registering.patch net-bonding-fix-possible-peer-notify-event-loss-or-dup-issue.patch net-ravb-enforce-descriptor-type-ordering.patch net-ravb-ensure-memory-write-completes-before-ringing-tx-doorbell.patch net-stmmac-dwmac-rk-fix-disabling-set_clock_selection.patch net-usb-rtl8150-fix-frame-padding.patch ocfs2-clear-extent-cache-after-moving-defragmenting-extents.patch revert-cpuidle-menu-avoid-discarding-useful-information.patch selftests-mptcp-join-mark-flush-re-add-as-skipped-if-not-supported.patch selftests-mptcp-join-mark-implicit-tests-as-skipped-if-not-supported.patch vsock-fix-lock-inversion-in-vsock_assign_transport.patch --- diff --git a/queue-6.1/acpica-work-around-bogus-wstringop-overread-warning-since-gcc-11.patch b/queue-6.1/acpica-work-around-bogus-wstringop-overread-warning-since-gcc-11.patch new file mode 100644 index 0000000000..6ba6f91379 --- /dev/null +++ b/queue-6.1/acpica-work-around-bogus-wstringop-overread-warning-since-gcc-11.patch @@ -0,0 +1,54 @@ +From 6e3a4754717a74e931a9f00b5f953be708e07acb Mon Sep 17 00:00:00 2001 +From: Xi Ruoyao +Date: Tue, 21 Oct 2025 17:28:25 +0800 +Subject: ACPICA: Work around bogus -Wstringop-overread warning since GCC 11 + +From: Xi Ruoyao + +commit 6e3a4754717a74e931a9f00b5f953be708e07acb upstream. + +When ACPI_MISALIGNMENT_NOT_SUPPORTED is set, GCC can produce a bogus +-Wstringop-overread warning, see [1]. + +To me, it's very clear that we have a compiler bug here, thus just +disable the warning. + +Fixes: a9d13433fe17 ("LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled") +Link: https://lore.kernel.org/all/899f2dec-e8b9-44f4-ab8d-001e160a2aed@roeck-us.net/ +Link: https://github.com/acpica/acpica/commit/abf5b573 +Link: https://gcc.gnu.org/PR122073 [1] +Co-developed-by: Saket Dumbre +Signed-off-by: Saket Dumbre +Signed-off-by: Xi Ruoyao +Acked-by: Huacai Chen +Cc: All applicable +[ rjw: Subject and changelog edits ] +Link: https://patch.msgid.link/20251021092825.822007-1-xry111@xry111.site +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpica/tbprint.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/acpi/acpica/tbprint.c ++++ b/drivers/acpi/acpica/tbprint.c +@@ -94,6 +94,11 @@ acpi_tb_print_table_header(acpi_physical + { + struct acpi_table_header local_header; + ++#pragma GCC diagnostic push ++#if defined(__GNUC__) && __GNUC__ >= 11 ++#pragma GCC diagnostic ignored "-Wstringop-overread" ++#endif ++ + if (ACPI_COMPARE_NAMESEG(header->signature, ACPI_SIG_FACS)) { + + /* FACS only has signature and length fields */ +@@ -134,6 +139,7 @@ acpi_tb_print_table_header(acpi_physical + local_header.asl_compiler_id, + local_header.asl_compiler_revision)); + } ++#pragma GCC diagnostic pop + } + + /******************************************************************************* diff --git a/queue-6.1/can-netlink-can_changelink-allow-disabling-of-automatic-restart.patch b/queue-6.1/can-netlink-can_changelink-allow-disabling-of-automatic-restart.patch new file mode 100644 index 0000000000..814ddfe638 --- /dev/null +++ b/queue-6.1/can-netlink-can_changelink-allow-disabling-of-automatic-restart.patch @@ -0,0 +1,62 @@ +From 8e93ac51e4c6dc399fad59ec21f55f2cfb46d27c Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Mon, 20 Oct 2025 11:51:03 +0200 +Subject: can: netlink: can_changelink(): allow disabling of automatic restart + +From: Marc Kleine-Budde + +commit 8e93ac51e4c6dc399fad59ec21f55f2cfb46d27c upstream. + +Since the commit c1f3f9797c1f ("can: netlink: can_changelink(): fix NULL +pointer deref of struct can_priv::do_set_mode"), the automatic restart +delay can only be set for devices that implement the restart handler struct +can_priv::do_set_mode. As it makes no sense to configure a automatic +restart for devices that doesn't support it. + +However, since systemd commit 13ce5d4632e3 ("network/can: properly handle +CAN.RestartSec=0") [1], systemd-networkd correctly handles a restart delay +of "0" (i.e. the restart is disabled). Which means that a disabled restart +is always configured in the kernel. + +On systems with both changes active this causes that CAN interfaces that +don't implement a restart handler cannot be brought up by systemd-networkd. + +Solve this problem by allowing a delay of "0" to be configured, even if the +device does not implement a restart handler. + +[1] https://github.com/systemd/systemd/commit/13ce5d4632e395521e6205c954493c7fc1c4c6e0 + +Cc: stable@vger.kernel.org +Cc: Andrei Lalaev +Reported-by: Marc Kleine-Budde +Closes: https://lore.kernel.org/all/20251020-certain-arrogant-vole-of-sunshine-141841-mkl@pengutronix.de +Fixes: c1f3f9797c1f ("can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode") +Link: https://patch.msgid.link/20251020-netlink-fix-restart-v1-1-3f53c7f8520b@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/dev/netlink.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/can/dev/netlink.c ++++ b/drivers/net/can/dev/netlink.c +@@ -252,7 +252,9 @@ static int can_changelink(struct net_dev + } + + if (data[IFLA_CAN_RESTART_MS]) { +- if (!priv->do_set_mode) { ++ unsigned int restart_ms = nla_get_u32(data[IFLA_CAN_RESTART_MS]); ++ ++ if (restart_ms != 0 && !priv->do_set_mode) { + NL_SET_ERR_MSG(extack, + "Device doesn't support restart from Bus Off"); + return -EOPNOTSUPP; +@@ -261,7 +263,7 @@ static int can_changelink(struct net_dev + /* Do not allow changing restart delay while running */ + if (dev->flags & IFF_UP) + return -EBUSY; +- priv->restart_ms = nla_get_u32(data[IFLA_CAN_RESTART_MS]); ++ priv->restart_ms = restart_ms; + } + + if (data[IFLA_CAN_RESTART]) { diff --git a/queue-6.1/mips-malta-fix-keyboard-resource-preventing-i8042-driver-from-registering.patch b/queue-6.1/mips-malta-fix-keyboard-resource-preventing-i8042-driver-from-registering.patch new file mode 100644 index 0000000000..1af7706c81 --- /dev/null +++ b/queue-6.1/mips-malta-fix-keyboard-resource-preventing-i8042-driver-from-registering.patch @@ -0,0 +1,65 @@ +From bf5570590a981d0659d0808d2d4bcda21b27a2a5 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Tue, 21 Oct 2025 20:38:22 +0100 +Subject: MIPS: Malta: Fix keyboard resource preventing i8042 driver from registering +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej W. Rozycki + +commit bf5570590a981d0659d0808d2d4bcda21b27a2a5 upstream. + +MIPS Malta platform code registers the PCI southbridge legacy port I/O +PS/2 keyboard range as a standard resource marked as busy. It prevents +the i8042 driver from registering as it fails to claim the resource in +a call to i8042_platform_init(). Consequently PS/2 keyboard and mouse +devices cannot be used with this platform. + +Fix the issue by removing the busy marker from the standard reservation, +making the driver register successfully: + + serio: i8042 KBD port at 0x60,0x64 irq 1 + serio: i8042 AUX port at 0x60,0x64 irq 12 + +and the resource show up as expected among the legacy devices: + + 00000000-00ffffff : MSC PCI I/O + 00000000-0000001f : dma1 + 00000020-00000021 : pic1 + 00000040-0000005f : timer + 00000060-0000006f : keyboard + 00000060-0000006f : i8042 + 00000070-00000077 : rtc0 + 00000080-0000008f : dma page reg + 000000a0-000000a1 : pic2 + 000000c0-000000df : dma2 + [...] + +If the i8042 driver has not been configured, then the standard resource +will remain there preventing any conflicting dynamic assignment of this +PCI port I/O address range. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Maciej W. Rozycki +Signed-off-by: Bjorn Helgaas +Reviewed-by: Ilpo Järvinen +Acked-by: Thomas Bogendoerfer +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/alpine.DEB.2.21.2510211919240.8377@angie.orcam.me.uk +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/mti-malta/malta-setup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/mti-malta/malta-setup.c ++++ b/arch/mips/mti-malta/malta-setup.c +@@ -47,7 +47,7 @@ static struct resource standard_io_resou + .name = "keyboard", + .start = 0x60, + .end = 0x6f, +- .flags = IORESOURCE_IO | IORESOURCE_BUSY ++ .flags = IORESOURCE_IO + }, + { + .name = "dma page reg", diff --git a/queue-6.1/net-bonding-fix-possible-peer-notify-event-loss-or-dup-issue.patch b/queue-6.1/net-bonding-fix-possible-peer-notify-event-loss-or-dup-issue.patch new file mode 100644 index 0000000000..66a95668e1 --- /dev/null +++ b/queue-6.1/net-bonding-fix-possible-peer-notify-event-loss-or-dup-issue.patch @@ -0,0 +1,113 @@ +From 10843e1492e474c02b91314963161731fa92af91 Mon Sep 17 00:00:00 2001 +From: Tonghao Zhang +Date: Tue, 21 Oct 2025 13:09:33 +0800 +Subject: net: bonding: fix possible peer notify event loss or dup issue + +From: Tonghao Zhang + +commit 10843e1492e474c02b91314963161731fa92af91 upstream. + +If the send_peer_notif counter and the peer event notify are not synchronized. +It may cause problems such as the loss or dup of peer notify event. + +Before this patch: +- If should_notify_peers is true and the lock for send_peer_notif-- fails, peer + event may be sent again in next mii_monitor loop, because should_notify_peers + is still true. +- If should_notify_peers is true and the lock for send_peer_notif-- succeeded, + but the lock for peer event fails, the peer event will be lost. + +This patch locks the RTNL for send_peer_notif, events, and commit simultaneously. + +Fixes: 07a4ddec3ce9 ("bonding: add an option to specify a delay between peer notifications") +Cc: Jay Vosburgh +Cc: Andrew Lunn +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: Hangbin Liu +Cc: Nikolay Aleksandrov +Cc: Vincent Bernat +Cc: +Signed-off-by: Tonghao Zhang +Acked-by: Jay Vosburgh +Link: https://patch.msgid.link/20251021050933.46412-1-tonghao@bamaicloud.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 40 ++++++++++++++++++---------------------- + 1 file changed, 18 insertions(+), 22 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2821,7 +2821,7 @@ static void bond_mii_monitor(struct work + { + struct bonding *bond = container_of(work, struct bonding, + mii_work.work); +- bool should_notify_peers = false; ++ bool should_notify_peers; + bool commit; + unsigned long delay; + struct slave *slave; +@@ -2833,30 +2833,33 @@ static void bond_mii_monitor(struct work + goto re_arm; + + rcu_read_lock(); ++ + should_notify_peers = bond_should_notify_peers(bond); + commit = !!bond_miimon_inspect(bond); +- if (bond->send_peer_notif) { +- rcu_read_unlock(); +- if (rtnl_trylock()) { +- bond->send_peer_notif--; +- rtnl_unlock(); +- } +- } else { +- rcu_read_unlock(); +- } + +- if (commit) { ++ rcu_read_unlock(); ++ ++ if (commit || bond->send_peer_notif) { + /* Race avoidance with bond_close cancel of workqueue */ + if (!rtnl_trylock()) { + delay = 1; +- should_notify_peers = false; + goto re_arm; + } + +- bond_for_each_slave(bond, slave, iter) { +- bond_commit_link_state(slave, BOND_SLAVE_NOTIFY_LATER); ++ if (commit) { ++ bond_for_each_slave(bond, slave, iter) { ++ bond_commit_link_state(slave, ++ BOND_SLAVE_NOTIFY_LATER); ++ } ++ bond_miimon_commit(bond); ++ } ++ ++ if (bond->send_peer_notif) { ++ bond->send_peer_notif--; ++ if (should_notify_peers) ++ call_netdevice_notifiers(NETDEV_NOTIFY_PEERS, ++ bond->dev); + } +- bond_miimon_commit(bond); + + rtnl_unlock(); /* might sleep, hold no other locks */ + } +@@ -2864,13 +2867,6 @@ static void bond_mii_monitor(struct work + re_arm: + if (bond->params.miimon) + queue_delayed_work(bond->wq, &bond->mii_work, delay); +- +- if (should_notify_peers) { +- if (!rtnl_trylock()) +- return; +- call_netdevice_notifiers(NETDEV_NOTIFY_PEERS, bond->dev); +- rtnl_unlock(); +- } + } + + static int bond_upper_dev_walk(struct net_device *upper, diff --git a/queue-6.1/net-ravb-enforce-descriptor-type-ordering.patch b/queue-6.1/net-ravb-enforce-descriptor-type-ordering.patch new file mode 100644 index 0000000000..1a68025afb --- /dev/null +++ b/queue-6.1/net-ravb-enforce-descriptor-type-ordering.patch @@ -0,0 +1,73 @@ +From 5370c31e84b0e0999c7b5ff949f4e104def35584 Mon Sep 17 00:00:00 2001 +From: Lad Prabhakar +Date: Fri, 17 Oct 2025 16:18:29 +0100 +Subject: net: ravb: Enforce descriptor type ordering +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lad Prabhakar + +commit 5370c31e84b0e0999c7b5ff949f4e104def35584 upstream. + +Ensure the TX descriptor type fields are published in a safe order so the +DMA engine never begins processing a descriptor chain before all descriptor +fields are fully initialised. + +For multi-descriptor transmits the driver writes DT_FEND into the last +descriptor and DT_FSTART into the first. The DMA engine begins processing +when it observes DT_FSTART. Move the dma_wmb() barrier so it executes +immediately after DT_FEND and immediately before writing DT_FSTART +(and before DT_FSINGLE in the single-descriptor case). This guarantees +that all prior CPU writes to the descriptor memory are visible to the +device before DT_FSTART is seen. + +This avoids a situation where compiler/CPU reordering could publish +DT_FSTART ahead of DT_FEND or other descriptor fields, allowing the DMA to +start on a partially initialised chain and causing corrupted transmissions +or TX timeouts. Such a failure was observed on RZ/G2L with an RT kernel as +transmit queue timeouts and device resets. + +Fixes: 2f45d1902acf ("ravb: minimize TX data copying") +Cc: stable@vger.kernel.org +Co-developed-by: Fabrizio Castro +Signed-off-by: Fabrizio Castro +Signed-off-by: Lad Prabhakar +Reviewed-by: Niklas Söderlund +Link: https://patch.msgid.link/20251017151830.171062-4-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/renesas/ravb_main.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -2054,13 +2054,25 @@ static netdev_tx_t ravb_start_xmit(struc + + skb_tx_timestamp(skb); + } +- /* Descriptor type must be set after all the above writes */ +- dma_wmb(); ++ + if (num_tx_desc > 1) { + desc->die_dt = DT_FEND; + desc--; ++ /* When using multi-descriptors, DT_FEND needs to get written ++ * before DT_FSTART, but the compiler may reorder the memory ++ * writes in an attempt to optimize the code. ++ * Use a dma_wmb() barrier to make sure DT_FEND and DT_FSTART ++ * are written exactly in the order shown in the code. ++ * This is particularly important for cases where the DMA engine ++ * is already running when we are running this code. If the DMA ++ * sees DT_FSTART without the corresponding DT_FEND it will enter ++ * an error condition. ++ */ ++ dma_wmb(); + desc->die_dt = DT_FSTART; + } else { ++ /* Descriptor type must be set after all the above writes */ ++ dma_wmb(); + desc->die_dt = DT_FSINGLE; + } + ravb_modify(ndev, TCCR, TCCR_TSRQ0 << q, TCCR_TSRQ0 << q); diff --git a/queue-6.1/net-ravb-ensure-memory-write-completes-before-ringing-tx-doorbell.patch b/queue-6.1/net-ravb-ensure-memory-write-completes-before-ringing-tx-doorbell.patch new file mode 100644 index 0000000000..8a0de638ad --- /dev/null +++ b/queue-6.1/net-ravb-ensure-memory-write-completes-before-ringing-tx-doorbell.patch @@ -0,0 +1,52 @@ +From 706136c5723626fcde8dd8f598a4dcd251e24927 Mon Sep 17 00:00:00 2001 +From: Lad Prabhakar +Date: Fri, 17 Oct 2025 16:18:30 +0100 +Subject: net: ravb: Ensure memory write completes before ringing TX doorbell +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lad Prabhakar + +commit 706136c5723626fcde8dd8f598a4dcd251e24927 upstream. + +Add a final dma_wmb() barrier before triggering the transmit request +(TCCR_TSRQ) to ensure all descriptor and buffer writes are visible to +the DMA engine. + +According to the hardware manual, a read-back operation is required +before writing to the doorbell register to guarantee completion of +previous writes. Instead of performing a dummy read, a dma_wmb() is +used to both enforce the same ordering semantics on the CPU side and +also to ensure completion of writes. + +Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") +Cc: stable@vger.kernel.org +Co-developed-by: Fabrizio Castro +Signed-off-by: Fabrizio Castro +Signed-off-by: Lad Prabhakar +Reviewed-by: Niklas Söderlund +Link: https://patch.msgid.link/20251017151830.171062-5-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/renesas/ravb_main.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -2075,6 +2075,14 @@ static netdev_tx_t ravb_start_xmit(struc + dma_wmb(); + desc->die_dt = DT_FSINGLE; + } ++ ++ /* Before ringing the doorbell we need to make sure that the latest ++ * writes have been committed to memory, otherwise it could delay ++ * things until the doorbell is rang again. ++ * This is in replacement of the read operation mentioned in the HW ++ * manuals. ++ */ ++ dma_wmb(); + ravb_modify(ndev, TCCR, TCCR_TSRQ0 << q, TCCR_TSRQ0 << q); + + priv->cur_tx[q] += num_tx_desc; diff --git a/queue-6.1/net-stmmac-dwmac-rk-fix-disabling-set_clock_selection.patch b/queue-6.1/net-stmmac-dwmac-rk-fix-disabling-set_clock_selection.patch new file mode 100644 index 0000000000..51eeb6fe51 --- /dev/null +++ b/queue-6.1/net-stmmac-dwmac-rk-fix-disabling-set_clock_selection.patch @@ -0,0 +1,51 @@ +From 7f864458e9a6d2000b726d14b3d3a706ac92a3b0 Mon Sep 17 00:00:00 2001 +From: Sebastian Reichel +Date: Tue, 14 Oct 2025 17:49:34 +0200 +Subject: net: stmmac: dwmac-rk: Fix disabling set_clock_selection + +From: Sebastian Reichel + +commit 7f864458e9a6d2000b726d14b3d3a706ac92a3b0 upstream. + +On all platforms set_clock_selection() writes to a GRF register. This +requires certain clocks running and thus should happen before the +clocks are disabled. + +This has been noticed on RK3576 Sige5, which hangs during system suspend +when trying to suspend the second network interface. Note, that +suspending the first interface works, because the second device ensures +that the necessary clocks for the GRF are enabled. + +Cc: stable@vger.kernel.org +Fixes: 2f2b60a0ec28 ("net: ethernet: stmmac: dwmac-rk: Add gmac support for rk3588") +Signed-off-by: Sebastian Reichel +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251014-rockchip-network-clock-fix-v1-1-c257b4afdf75@collabora.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c +@@ -1565,14 +1565,15 @@ static int gmac_clk_enable(struct rk_pri + } + } else { + if (bsp_priv->clk_enabled) { ++ if (bsp_priv->ops && bsp_priv->ops->set_clock_selection) { ++ bsp_priv->ops->set_clock_selection(bsp_priv, ++ bsp_priv->clock_input, false); ++ } ++ + clk_bulk_disable_unprepare(bsp_priv->num_clks, + bsp_priv->clks); + clk_disable_unprepare(bsp_priv->clk_phy); + +- if (bsp_priv->ops && bsp_priv->ops->set_clock_selection) +- bsp_priv->ops->set_clock_selection(bsp_priv, +- bsp_priv->clock_input, false); +- + bsp_priv->clk_enabled = false; + } + } diff --git a/queue-6.1/net-usb-rtl8150-fix-frame-padding.patch b/queue-6.1/net-usb-rtl8150-fix-frame-padding.patch new file mode 100644 index 0000000000..e70dd4d295 --- /dev/null +++ b/queue-6.1/net-usb-rtl8150-fix-frame-padding.patch @@ -0,0 +1,54 @@ +From 75cea9860aa6b2350d90a8d78fed114d27c7eca2 Mon Sep 17 00:00:00 2001 +From: Michal Pecio +Date: Tue, 14 Oct 2025 20:35:28 +0200 +Subject: net: usb: rtl8150: Fix frame padding + +From: Michal Pecio + +commit 75cea9860aa6b2350d90a8d78fed114d27c7eca2 upstream. + +TX frames aren't padded and unknown memory is sent into the ether. + +Theoretically, it isn't even guaranteed that the extra memory exists +and can be sent out, which could cause further problems. In practice, +I found that plenty of tailroom exists in the skb itself (in my test +with ping at least) and skb_padto() easily succeeds, so use it here. + +In the event of -ENOMEM drop the frame like other drivers do. + +The use of one more padding byte instead of a USB zero-length packet +is retained to avoid regression. I have a dodgy Etron xHCI controller +which doesn't seem to support sending ZLPs at all. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Michal Pecio +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251014203528.3f9783c4.michal.pecio@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/rtl8150.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/net/usb/rtl8150.c ++++ b/drivers/net/usb/rtl8150.c +@@ -685,9 +685,16 @@ static netdev_tx_t rtl8150_start_xmit(st + rtl8150_t *dev = netdev_priv(netdev); + int count, res; + ++ /* pad the frame and ensure terminating USB packet, datasheet 9.2.3 */ ++ count = max(skb->len, ETH_ZLEN); ++ if (count % 64 == 0) ++ count++; ++ if (skb_padto(skb, count)) { ++ netdev->stats.tx_dropped++; ++ return NETDEV_TX_OK; ++ } ++ + netif_stop_queue(netdev); +- count = (skb->len < 60) ? 60 : skb->len; +- count = (count & 0x3f) ? count : count + 1; + dev->tx_skb = skb; + usb_fill_bulk_urb(dev->tx_urb, dev->udev, usb_sndbulkpipe(dev->udev, 2), + skb->data, count, write_bulk_callback, dev); diff --git a/queue-6.1/ocfs2-clear-extent-cache-after-moving-defragmenting-extents.patch b/queue-6.1/ocfs2-clear-extent-cache-after-moving-defragmenting-extents.patch new file mode 100644 index 0000000000..10b603e65c --- /dev/null +++ b/queue-6.1/ocfs2-clear-extent-cache-after-moving-defragmenting-extents.patch @@ -0,0 +1,62 @@ +From 78a63493f8e352296dbc7cb7b3f4973105e8679e Mon Sep 17 00:00:00 2001 +From: Deepanshu Kartikey +Date: Thu, 9 Oct 2025 21:19:03 +0530 +Subject: ocfs2: clear extent cache after moving/defragmenting extents + +From: Deepanshu Kartikey + +commit 78a63493f8e352296dbc7cb7b3f4973105e8679e upstream. + +The extent map cache can become stale when extents are moved or +defragmented, causing subsequent operations to see outdated extent flags. +This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters(). + +The problem occurs when: +1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED +2. ioctl(FITRIM) triggers ocfs2_move_extents() +3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2) +4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent() + which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0) +5. The extent map cache is not invalidated after the move +6. Later write() operations read stale cached flags (0x2) but disk has + updated flags (0x0), causing a mismatch +7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers + +Fix by clearing the extent map cache after each extent move/defrag +operation in __ocfs2_move_extents_range(). This ensures subsequent +operations read fresh extent data from disk. + +Link: https://lore.kernel.org/all/20251009142917.517229-1-kartikey406@gmail.com/T/ +Link: https://lkml.kernel.org/r/20251009154903.522339-1-kartikey406@gmail.com +Fixes: 53069d4e7695 ("Ocfs2/move_extents: move/defrag extents within a certain range.") +Signed-off-by: Deepanshu Kartikey +Reported-by: syzbot+6fdd8fa3380730a4b22c@syzkaller.appspotmail.com +Tested-by: syzbot+6fdd8fa3380730a4b22c@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?id=2959889e1f6e216585ce522f7e8bc002b46ad9e7 +Reviewed-by: Mark Fasheh +Reviewed-by: Joseph Qi +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/move_extents.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/ocfs2/move_extents.c ++++ b/fs/ocfs2/move_extents.c +@@ -868,6 +868,11 @@ static int __ocfs2_move_extents_range(st + mlog_errno(ret); + goto out; + } ++ /* ++ * Invalidate extent cache after moving/defragging to prevent ++ * stale cached data with outdated extent flags. ++ */ ++ ocfs2_extent_map_trunc(inode, cpos); + + context->clusters_moved += alloc_size; + next: diff --git a/queue-6.1/revert-cpuidle-menu-avoid-discarding-useful-information.patch b/queue-6.1/revert-cpuidle-menu-avoid-discarding-useful-information.patch new file mode 100644 index 0000000000..3fb537ec0c --- /dev/null +++ b/queue-6.1/revert-cpuidle-menu-avoid-discarding-useful-information.patch @@ -0,0 +1,78 @@ +From 10fad4012234a7dea621ae17c0c9486824f645a0 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Sat, 18 Oct 2025 14:27:15 +0200 +Subject: Revert "cpuidle: menu: Avoid discarding useful information" + +From: Rafael J. Wysocki + +commit 10fad4012234a7dea621ae17c0c9486824f645a0 upstream. + +It is reported that commit 85975daeaa4d ("cpuidle: menu: Avoid discarding +useful information") led to a performance regression on Intel Jasper Lake +systems because it reduced the time spent by CPUs in idle state C7 which +is correlated to the maximum frequency the CPUs can get to because of an +average running power limit [1]. + +Before that commit, get_typical_interval() would have returned UINT_MAX +whenever it had been unable to make a high-confidence prediction which +had led to selecting the deepest available idle state too often and +both power and performance had been inadequate as a result of that on +some systems. However, this had not been a problem on systems with +relatively aggressive average running power limits, like the Jasper Lake +systems in question, because on those systems it was compensated by the +ability to run CPUs faster. + +It was addressed by causing get_typical_interval() to return a number +based on the recent idle duration information available to it even if it +could not make a high-confidence prediction, but that clearly did not +take the possible correlation between idle power and available CPU +capacity into account. + +For this reason, revert most of the changes made by commit 85975daeaa4d, +except for one cosmetic cleanup, and add a comment explaining the +rationale for returning UINT_MAX from get_typical_interval() when it +is unable to make a high-confidence prediction. + +Fixes: 85975daeaa4d ("cpuidle: menu: Avoid discarding useful information") +Closes: https://lore.kernel.org/linux-pm/36iykr223vmcfsoysexug6s274nq2oimcu55ybn6ww4il3g3cv@cohflgdbpnq7/ [1] +Reported-by: Sergey Senozhatsky +Cc: All applicable +Signed-off-by: Rafael J. Wysocki +Link: https://patch.msgid.link/3663603.iIbC2pHGDl@rafael.j.wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpuidle/governors/menu.c | 21 +++++++++------------ + 1 file changed, 9 insertions(+), 12 deletions(-) + +--- a/drivers/cpuidle/governors/menu.c ++++ b/drivers/cpuidle/governors/menu.c +@@ -256,20 +256,17 @@ again: + * + * This can deal with workloads that have long pauses interspersed + * with sporadic activity with a bunch of short pauses. ++ * ++ * However, if the number of remaining samples is too small to exclude ++ * any more outliers, allow the deepest available idle state to be ++ * selected because there are systems where the time spent by CPUs in ++ * deep idle states is correlated to the maximum frequency the CPUs ++ * can get to. On those systems, shallow idle states should be avoided ++ * unless there is a clear indication that the given CPU is most likley ++ * going to be woken up shortly. + */ +- if (divisor * 4 <= INTERVALS * 3) { +- /* +- * If there are sufficiently many data points still under +- * consideration after the outliers have been eliminated, +- * returning without a prediction would be a mistake because it +- * is likely that the next interval will not exceed the current +- * maximum, so return the latter in that case. +- */ +- if (divisor >= INTERVALS / 2) +- return max; +- ++ if (divisor * 4 <= INTERVALS * 3) + return UINT_MAX; +- } + + thresh = max - 1; + goto again; diff --git a/queue-6.1/selftests-mptcp-join-mark-flush-re-add-as-skipped-if-not-supported.patch b/queue-6.1/selftests-mptcp-join-mark-flush-re-add-as-skipped-if-not-supported.patch new file mode 100644 index 0000000000..ce99985194 --- /dev/null +++ b/queue-6.1/selftests-mptcp-join-mark-flush-re-add-as-skipped-if-not-supported.patch @@ -0,0 +1,36 @@ +From d68460bc31f9c8c6fc81fbb56ec952bec18409f1 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 20 Oct 2025 22:53:27 +0200 +Subject: selftests: mptcp: join: mark 'flush re-add' as skipped if not supported + +From: Matthieu Baerts (NGI0) + +commit d68460bc31f9c8c6fc81fbb56ec952bec18409f1 upstream. + +The call to 'continue_if' was missing: it properly marks a subtest as +'skipped' if the attached condition is not valid. + +Without that, the test is wrongly marked as passed on older kernels. + +Fixes: e06959e9eebd ("selftests: mptcp: join: test for flush/re-add endpoints") +Cc: stable@vger.kernel.org +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20251020-net-mptcp-c-flag-late-add-addr-v1-2-8207030cb0e8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -3457,7 +3457,7 @@ endpoint_tests() + + # flush and re-add + if reset_with_tcp_filter "flush re-add" ns2 10.0.3.2 REJECT OUTPUT && +- mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then ++ continue_if mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then + pm_nl_set_limits $ns1 0 2 + pm_nl_set_limits $ns2 1 2 + # broadcast IP: no packet for this address will be received on ns1 diff --git a/queue-6.1/selftests-mptcp-join-mark-implicit-tests-as-skipped-if-not-supported.patch b/queue-6.1/selftests-mptcp-join-mark-implicit-tests-as-skipped-if-not-supported.patch new file mode 100644 index 0000000000..0ac03165bb --- /dev/null +++ b/queue-6.1/selftests-mptcp-join-mark-implicit-tests-as-skipped-if-not-supported.patch @@ -0,0 +1,45 @@ +From 973f80d715bd2504b4db6e049f292e694145cd79 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 20 Oct 2025 22:53:28 +0200 +Subject: selftests: mptcp: join: mark implicit tests as skipped if not supported + +From: Matthieu Baerts (NGI0) + +commit 973f80d715bd2504b4db6e049f292e694145cd79 upstream. + +The call to 'continue_if' was missing: it properly marks a subtest as +'skipped' if the attached condition is not valid. + +Without that, the test is wrongly marked as passed on older kernels. + +Fixes: 36c4127ae8dd ("selftests: mptcp: join: skip implicit tests if not supported") +Cc: stable@vger.kernel.org +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20251020-net-mptcp-c-flag-late-add-addr-v1-3-8207030cb0e8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -3309,7 +3309,7 @@ endpoint_tests() + # subflow_rebuild_header is needed to support the implicit flag + # userspace pm type prevents add_addr + if reset "implicit EP" && +- mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then ++ continue_if mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then + pm_nl_set_limits $ns1 2 2 + pm_nl_set_limits $ns2 2 2 + pm_nl_add_endpoint $ns1 10.0.2.1 flags signal +@@ -3330,7 +3330,7 @@ endpoint_tests() + fi + + if reset_with_tcp_filter "delete and re-add" ns2 10.0.3.2 REJECT OUTPUT && +- mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then ++ continue_if mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then + start_events + pm_nl_set_limits $ns1 0 3 + pm_nl_set_limits $ns2 0 3 diff --git a/queue-6.1/series b/queue-6.1/series index 7f3affbbb2..3b677ca0c2 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -88,3 +88,16 @@ net-enetc-correct-the-value-of-enetc_rxb_truesize.patch dpaa2-eth-fix-the-pointer-passed-to-ptr_align-on-tx-.patch arm64-mm-avoid-always-making-pte-dirty-in-pte_mkwrit.patch sctp-avoid-null-dereference-when-chunk-data-buffer-i.patch +net-bonding-fix-possible-peer-notify-event-loss-or-dup-issue.patch +revert-cpuidle-menu-avoid-discarding-useful-information.patch +acpica-work-around-bogus-wstringop-overread-warning-since-gcc-11.patch +can-netlink-can_changelink-allow-disabling-of-automatic-restart.patch +mips-malta-fix-keyboard-resource-preventing-i8042-driver-from-registering.patch +ocfs2-clear-extent-cache-after-moving-defragmenting-extents.patch +vsock-fix-lock-inversion-in-vsock_assign_transport.patch +net-stmmac-dwmac-rk-fix-disabling-set_clock_selection.patch +net-usb-rtl8150-fix-frame-padding.patch +net-ravb-enforce-descriptor-type-ordering.patch +net-ravb-ensure-memory-write-completes-before-ringing-tx-doorbell.patch +selftests-mptcp-join-mark-flush-re-add-as-skipped-if-not-supported.patch +selftests-mptcp-join-mark-implicit-tests-as-skipped-if-not-supported.patch diff --git a/queue-6.1/vsock-fix-lock-inversion-in-vsock_assign_transport.patch b/queue-6.1/vsock-fix-lock-inversion-in-vsock_assign_transport.patch new file mode 100644 index 0000000000..421181c05e --- /dev/null +++ b/queue-6.1/vsock-fix-lock-inversion-in-vsock_assign_transport.patch @@ -0,0 +1,95 @@ +From f7c877e7535260cc7a21484c994e8ce7e8cb6780 Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Tue, 21 Oct 2025 14:17:18 +0200 +Subject: vsock: fix lock inversion in vsock_assign_transport() + +From: Stefano Garzarella + +commit f7c877e7535260cc7a21484c994e8ce7e8cb6780 upstream. + +Syzbot reported a potential lock inversion deadlock between +vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called. + +The issue was introduced by commit 687aa0c5581b ("vsock: Fix +transport_* TOCTOU") which added vsock_register_mutex locking in +vsock_assign_transport() around the transport->release() call, that can +call vsock_linger(). vsock_assign_transport() can be called with sk_lock +held. vsock_linger() calls sk_wait_event() that temporarily releases and +re-acquires sk_lock. During this window, if another thread hold +vsock_register_mutex while trying to acquire sk_lock, a circular +dependency is created. + +Fix this by releasing vsock_register_mutex before calling +transport->release() and vsock_deassign_transport(). This is safe +because we don't need to hold vsock_register_mutex while releasing the +old transport, and we ensure the new transport won't disappear by +obtaining a module reference first via try_module_get(). + +Reported-by: syzbot+10e35716f8e4929681fa@syzkaller.appspotmail.com +Tested-by: syzbot+10e35716f8e4929681fa@syzkaller.appspotmail.com +Fixes: 687aa0c5581b ("vsock: Fix transport_* TOCTOU") +Cc: mhal@rbox.co +Cc: stable@vger.kernel.org +Signed-off-by: Stefano Garzarella +Link: https://patch.msgid.link/20251021121718.137668-1-sgarzare@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/af_vsock.c | 38 +++++++++++++++++++------------------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -483,12 +483,26 @@ int vsock_assign_transport(struct vsock_ + goto err; + } + +- if (vsk->transport) { +- if (vsk->transport == new_transport) { +- ret = 0; +- goto err; +- } ++ if (vsk->transport && vsk->transport == new_transport) { ++ ret = 0; ++ goto err; ++ } ++ ++ /* We increase the module refcnt to prevent the transport unloading ++ * while there are open sockets assigned to it. ++ */ ++ if (!new_transport || !try_module_get(new_transport->module)) { ++ ret = -ENODEV; ++ goto err; ++ } ++ ++ /* It's safe to release the mutex after a successful try_module_get(). ++ * Whichever transport `new_transport` points at, it won't go away until ++ * the last module_put() below or in vsock_deassign_transport(). ++ */ ++ mutex_unlock(&vsock_register_mutex); + ++ if (vsk->transport) { + /* transport->release() must be called with sock lock acquired. + * This path can only be taken during vsock_connect(), where we + * have already held the sock lock. In the other cases, this +@@ -508,20 +522,6 @@ int vsock_assign_transport(struct vsock_ + vsk->peer_shutdown = 0; + } + +- /* We increase the module refcnt to prevent the transport unloading +- * while there are open sockets assigned to it. +- */ +- if (!new_transport || !try_module_get(new_transport->module)) { +- ret = -ENODEV; +- goto err; +- } +- +- /* It's safe to release the mutex after a successful try_module_get(). +- * Whichever transport `new_transport` points at, it won't go away until +- * the last module_put() below or in vsock_deassign_transport(). +- */ +- mutex_unlock(&vsock_register_mutex); +- + if (sk->sk_type == SOCK_SEQPACKET) { + if (!new_transport->seqpacket_allow || + !new_transport->seqpacket_allow(remote_cid)) {