From 2fd70adfb647f426640c83b04759f354a9b6ac99 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 21 Oct 2025 20:15:01 +0200 Subject: [PATCH] 6.6-stable patches added patches: ksmbd-browse-interfaces-list-on-fsctl_query_interface_info-ioctl.patch mm-ksm-fix-flag-dropping-behavior-in-ksm_madvise.patch nfsd-decouple-the-xprtsec-policy-check-from-check_nfsd_access.patch pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch --- ...-on-fsctl_query_interface_info-ioctl.patch | 193 ++++++++++++++++++ ...lag-dropping-behavior-in-ksm_madvise.patch | 124 +++++++++++ ...-policy-check-from-check_nfsd_access.patch | 177 ++++++++++++++++ ...-are-powered-for-config-reads-part-2.patch | 66 ++++++ queue-6.6/series | 4 + 5 files changed, 564 insertions(+) create mode 100644 queue-6.6/ksmbd-browse-interfaces-list-on-fsctl_query_interface_info-ioctl.patch create mode 100644 queue-6.6/mm-ksm-fix-flag-dropping-behavior-in-ksm_madvise.patch create mode 100644 queue-6.6/nfsd-decouple-the-xprtsec-policy-check-from-check_nfsd_access.patch create mode 100644 queue-6.6/pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch diff --git a/queue-6.6/ksmbd-browse-interfaces-list-on-fsctl_query_interface_info-ioctl.patch b/queue-6.6/ksmbd-browse-interfaces-list-on-fsctl_query_interface_info-ioctl.patch new file mode 100644 index 0000000000..8886904f00 --- /dev/null +++ b/queue-6.6/ksmbd-browse-interfaces-list-on-fsctl_query_interface_info-ioctl.patch @@ -0,0 +1,193 @@ +From b2d99376c5d61eb60ffdb6c503e4b6c8f9712ddd Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Fri, 10 Jan 2025 13:37:05 +0900 +Subject: ksmbd: browse interfaces list on FSCTL_QUERY_INTERFACE_INFO IOCTL + +From: Namjae Jeon + +commit b2d99376c5d61eb60ffdb6c503e4b6c8f9712ddd upstream. + +ksmbd.mount will give each interfaces list and bind_interfaces_only flags +to ksmbd server. Previously, the interfaces list was sent only +when bind_interfaces_only was enabled. +ksmbd server browse only interfaces list given from ksmbd.conf on +FSCTL_QUERY_INTERFACE_INFO IOCTL. + +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/ksmbd_netlink.h | 3 + + fs/smb/server/server.h | 1 + fs/smb/server/smb2pdu.c | 4 ++ + fs/smb/server/transport_ipc.c | 1 + fs/smb/server/transport_tcp.c | 67 +++++++++++++++++++----------------------- + fs/smb/server/transport_tcp.h | 1 + 6 files changed, 40 insertions(+), 37 deletions(-) + +--- a/fs/smb/server/ksmbd_netlink.h ++++ b/fs/smb/server/ksmbd_netlink.h +@@ -108,8 +108,9 @@ struct ksmbd_startup_request { + __u32 smb2_max_credits; /* MAX credits */ + __u32 smbd_max_io_size; /* smbd read write size */ + __u32 max_connections; /* Number of maximum simultaneous connections */ ++ __s8 bind_interfaces_only; + __u32 max_ip_connections; /* Number of maximum connection per ip address */ +- __u32 reserved[125]; /* Reserved room */ ++ __s8 reserved[499]; /* Reserved room */ + __u32 ifc_list_sz; /* interfaces list size */ + __s8 ____payload[]; + } __packed; +--- a/fs/smb/server/server.h ++++ b/fs/smb/server/server.h +@@ -46,6 +46,7 @@ struct ksmbd_server_config { + unsigned int max_ip_connections; + + char *conf[SERVER_CONF_WORK_GROUP + 1]; ++ bool bind_interfaces_only; + }; + + extern struct ksmbd_server_config server_conf; +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -38,6 +38,7 @@ + #include "mgmt/user_session.h" + #include "mgmt/ksmbd_ida.h" + #include "ndr.h" ++#include "transport_tcp.h" + + static void __wbuf(struct ksmbd_work *work, void **req, void **rsp) + { +@@ -7790,6 +7791,9 @@ static int fsctl_query_iface_info_ioctl( + if (netdev->type == ARPHRD_LOOPBACK) + continue; + ++ if (!ksmbd_find_netdev_name_iface_list(netdev->name)) ++ continue; ++ + flags = dev_get_flags(netdev); + if (!(flags & IFF_RUNNING)) + continue; +--- a/fs/smb/server/transport_ipc.c ++++ b/fs/smb/server/transport_ipc.c +@@ -327,6 +327,7 @@ static int ipc_server_config_on_startup( + ret = ksmbd_set_netbios_name(req->netbios_name); + ret |= ksmbd_set_server_string(req->server_string); + ret |= ksmbd_set_work_group(req->work_group); ++ server_conf.bind_interfaces_only = req->bind_interfaces_only; + ret |= ksmbd_tcp_set_interfaces(KSMBD_STARTUP_CONFIG_INTERFACES(req), + req->ifc_list_sz); + out: +--- a/fs/smb/server/transport_tcp.c ++++ b/fs/smb/server/transport_tcp.c +@@ -551,30 +551,37 @@ out_clear: + return ret; + } + ++struct interface *ksmbd_find_netdev_name_iface_list(char *netdev_name) ++{ ++ struct interface *iface; ++ ++ list_for_each_entry(iface, &iface_list, entry) ++ if (!strcmp(iface->name, netdev_name)) ++ return iface; ++ return NULL; ++} ++ + static int ksmbd_netdev_event(struct notifier_block *nb, unsigned long event, + void *ptr) + { + struct net_device *netdev = netdev_notifier_info_to_dev(ptr); + struct interface *iface; +- int ret, found = 0; ++ int ret; + + switch (event) { + case NETDEV_UP: + if (netif_is_bridge_port(netdev)) + return NOTIFY_OK; + +- list_for_each_entry(iface, &iface_list, entry) { +- if (!strcmp(iface->name, netdev->name)) { +- found = 1; +- if (iface->state != IFACE_STATE_DOWN) +- break; +- ret = create_socket(iface); +- if (ret) +- return NOTIFY_OK; +- break; +- } ++ iface = ksmbd_find_netdev_name_iface_list(netdev->name); ++ if (iface && iface->state == IFACE_STATE_DOWN) { ++ ksmbd_debug(CONN, "netdev-up event: netdev(%s) is going up\n", ++ iface->name); ++ ret = create_socket(iface); ++ if (ret) ++ return NOTIFY_OK; + } +- if (!found && bind_additional_ifaces) { ++ if (!iface && bind_additional_ifaces) { + iface = alloc_iface(kstrdup(netdev->name, GFP_KERNEL)); + if (!iface) + return NOTIFY_OK; +@@ -584,19 +591,19 @@ static int ksmbd_netdev_event(struct not + } + break; + case NETDEV_DOWN: +- list_for_each_entry(iface, &iface_list, entry) { +- if (!strcmp(iface->name, netdev->name) && +- iface->state == IFACE_STATE_CONFIGURED) { +- tcp_stop_kthread(iface->ksmbd_kthread); +- iface->ksmbd_kthread = NULL; +- mutex_lock(&iface->sock_release_lock); +- tcp_destroy_socket(iface->ksmbd_socket); +- iface->ksmbd_socket = NULL; +- mutex_unlock(&iface->sock_release_lock); ++ iface = ksmbd_find_netdev_name_iface_list(netdev->name); ++ if (iface && iface->state == IFACE_STATE_CONFIGURED) { ++ ksmbd_debug(CONN, "netdev-down event: netdev(%s) is going down\n", ++ iface->name); ++ tcp_stop_kthread(iface->ksmbd_kthread); ++ iface->ksmbd_kthread = NULL; ++ mutex_lock(&iface->sock_release_lock); ++ tcp_destroy_socket(iface->ksmbd_socket); ++ iface->ksmbd_socket = NULL; ++ mutex_unlock(&iface->sock_release_lock); + +- iface->state = IFACE_STATE_DOWN; +- break; +- } ++ iface->state = IFACE_STATE_DOWN; ++ break; + } + break; + } +@@ -665,18 +672,6 @@ int ksmbd_tcp_set_interfaces(char *ifc_l + int sz = 0; + + if (!ifc_list_sz) { +- struct net_device *netdev; +- +- rtnl_lock(); +- for_each_netdev(&init_net, netdev) { +- if (netif_is_bridge_port(netdev)) +- continue; +- if (!alloc_iface(kstrdup(netdev->name, GFP_KERNEL))) { +- rtnl_unlock(); +- return -ENOMEM; +- } +- } +- rtnl_unlock(); + bind_additional_ifaces = 1; + return 0; + } +--- a/fs/smb/server/transport_tcp.h ++++ b/fs/smb/server/transport_tcp.h +@@ -8,6 +8,7 @@ + + int ksmbd_tcp_set_interfaces(char *ifc_list, int ifc_list_sz); + void ksmbd_free_transport(struct ksmbd_transport *kt); ++struct interface *ksmbd_find_netdev_name_iface_list(char *netdev_name); + int ksmbd_tcp_init(void); + void ksmbd_tcp_destroy(void); + diff --git a/queue-6.6/mm-ksm-fix-flag-dropping-behavior-in-ksm_madvise.patch b/queue-6.6/mm-ksm-fix-flag-dropping-behavior-in-ksm_madvise.patch new file mode 100644 index 0000000000..70a1616854 --- /dev/null +++ b/queue-6.6/mm-ksm-fix-flag-dropping-behavior-in-ksm_madvise.patch @@ -0,0 +1,124 @@ +From f04aad36a07cc17b7a5d5b9a2d386ce6fae63e93 Mon Sep 17 00:00:00 2001 +From: Jakub Acs +Date: Wed, 1 Oct 2025 09:03:52 +0000 +Subject: mm/ksm: fix flag-dropping behavior in ksm_madvise + +From: Jakub Acs + +commit f04aad36a07cc17b7a5d5b9a2d386ce6fae63e93 upstream. + +syzkaller discovered the following crash: (kernel BUG) + +[ 44.607039] ------------[ cut here ]------------ +[ 44.607422] kernel BUG at mm/userfaultfd.c:2067! +[ 44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI +[ 44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none) +[ 44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +[ 44.610695] RIP: 0010:userfaultfd_release_all+0x3a8/0x460 + + + +[ 44.617726] Call Trace: +[ 44.617926] +[ 44.619284] userfaultfd_release+0xef/0x1b0 +[ 44.620976] __fput+0x3f9/0xb60 +[ 44.621240] fput_close_sync+0x110/0x210 +[ 44.622222] __x64_sys_close+0x8f/0x120 +[ 44.622530] do_syscall_64+0x5b/0x2f0 +[ 44.622840] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 44.623244] RIP: 0033:0x7f365bb3f227 + +Kernel panics because it detects UFFD inconsistency during +userfaultfd_release_all(). Specifically, a VMA which has a valid pointer +to vma->vm_userfaultfd_ctx, but no UFFD flags in vma->vm_flags. + +The inconsistency is caused in ksm_madvise(): when user calls madvise() +with MADV_UNMEARGEABLE on a VMA that is registered for UFFD in MINOR mode, +it accidentally clears all flags stored in the upper 32 bits of +vma->vm_flags. + +Assuming x86_64 kernel build, unsigned long is 64-bit and unsigned int and +int are 32-bit wide. This setup causes the following mishap during the &= +~VM_MERGEABLE assignment. + +VM_MERGEABLE is a 32-bit constant of type unsigned int, 0x8000'0000. +After ~ is applied, it becomes 0x7fff'ffff unsigned int, which is then +promoted to unsigned long before the & operation. This promotion fills +upper 32 bits with leading 0s, as we're doing unsigned conversion (and +even for a signed conversion, this wouldn't help as the leading bit is 0). +& operation thus ends up AND-ing vm_flags with 0x0000'0000'7fff'ffff +instead of intended 0xffff'ffff'7fff'ffff and hence accidentally clears +the upper 32-bits of its value. + +Fix it by changing `VM_MERGEABLE` constant to unsigned long, using the +BIT() macro. + +Note: other VM_* flags are not affected: This only happens to the +VM_MERGEABLE flag, as the other VM_* flags are all constants of type int +and after ~ operation, they end up with leading 1 and are thus converted +to unsigned long with leading 1s. + +Note 2: +After commit 31defc3b01d9 ("userfaultfd: remove (VM_)BUG_ON()s"), this is +no longer a kernel BUG, but a WARNING at the same place: + +[ 45.595973] WARNING: CPU: 1 PID: 2474 at mm/userfaultfd.c:2067 + +but the root-cause (flag-drop) remains the same. + +[akpm@linux-foundation.org: rust bindgen wasn't able to handle BIT(), from Miguel] + Link: https://lore.kernel.org/oe-kbuild-all/202510030449.VfSaAjvd-lkp@intel.com/ +Link: https://lkml.kernel.org/r/20251001090353.57523-2-acsjakub@amazon.de +Fixes: 7677f7fd8be7 ("userfaultfd: add minor fault registration mode") +Signed-off-by: Jakub Acs +Signed-off-by: Miguel Ojeda +Acked-by: David Hildenbrand +Acked-by: SeongJae Park +Tested-by: Alice Ryhl +Tested-by: Miguel Ojeda +Cc: Xu Xin +Cc: Chengming Zhou +Cc: Peter Xu +Cc: Axel Rasmussen +Cc: +Signed-off-by: Andrew Morton +[acsjakub@amazon.de: adapt rust bindgen const to older versions] +Signed-off-by: Jakub Acs +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/mm.h | 2 +- + rust/bindings/bindings_helper.h | 2 ++ + rust/bindings/lib.rs | 1 + + 3 files changed, 4 insertions(+), 1 deletion(-) + +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -315,7 +315,7 @@ extern unsigned int kobjsize(const void + #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */ + #define VM_HUGEPAGE 0x20000000 /* MADV_HUGEPAGE marked this vma */ + #define VM_NOHUGEPAGE 0x40000000 /* MADV_NOHUGEPAGE marked this vma */ +-#define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */ ++#define VM_MERGEABLE BIT(31) /* KSM may merge identical pages */ + + #ifdef CONFIG_ARCH_USES_HIGH_VMA_FLAGS + #define VM_HIGH_ARCH_BIT_0 32 /* bit only usable on 64-bit architectures */ +--- a/rust/bindings/bindings_helper.h ++++ b/rust/bindings/bindings_helper.h +@@ -12,8 +12,10 @@ + #include + #include + #include ++#include + + /* `bindgen` gets confused at certain things. */ + const size_t BINDINGS_ARCH_SLAB_MINALIGN = ARCH_SLAB_MINALIGN; + const gfp_t BINDINGS_GFP_KERNEL = GFP_KERNEL; + const gfp_t BINDINGS___GFP_ZERO = __GFP_ZERO; ++const vm_flags_t BINDINGS_VM_MERGEABLE = VM_MERGEABLE; +--- a/rust/bindings/lib.rs ++++ b/rust/bindings/lib.rs +@@ -51,3 +51,4 @@ pub use bindings_raw::*; + + pub const GFP_KERNEL: gfp_t = BINDINGS_GFP_KERNEL; + pub const __GFP_ZERO: gfp_t = BINDINGS___GFP_ZERO; ++pub const VM_MERGEABLE: vm_flags_t = BINDINGS_VM_MERGEABLE; diff --git a/queue-6.6/nfsd-decouple-the-xprtsec-policy-check-from-check_nfsd_access.patch b/queue-6.6/nfsd-decouple-the-xprtsec-policy-check-from-check_nfsd_access.patch new file mode 100644 index 0000000000..08d4b99c56 --- /dev/null +++ b/queue-6.6/nfsd-decouple-the-xprtsec-policy-check-from-check_nfsd_access.patch @@ -0,0 +1,177 @@ +From smayhew@redhat.com Tue Oct 21 20:11:20 2025 +From: Scott Mayhew +Date: Mon, 20 Oct 2025 16:50:04 -0400 +Subject: nfsd: decouple the xprtsec policy check from check_nfsd_access() +To: stable@vger.kernel.org +Cc: chuck.lever@oracle.com +Message-ID: <20251020205004.1034718-1-smayhew@redhat.com> + +From: Scott Mayhew + +[ Upstream commit e4f574ca9c6dfa66695bb054ff5df43ecea873ec ] + +This is a backport of e4f574ca9c6d specifically for the 6.6-stable +kernel. It differs from the upstream version mainly in that it's +working around the absence of some 6.12-era commits: +- 1459ad57673b nfsd: Move error code mapping to per-version proc code. +- 0a183f24a7ae NFSD: Handle @rqstp == NULL in check_nfsd_access() +- 5e66d2d92a1c nfsd: factor out __fh_verify to allow NULL rqstp to be + passed + +A while back I had reported that an NFSv3 client could successfully +mount using '-o xprtsec=none' an export that had been exported with +'xprtsec=tls:mtls'. By "successfully" I mean that the mount command +would succeed and the mount would show up in /proc/mount. Attempting +to do anything futher with the mount would be met with NFS3ERR_ACCES. + +Transport Layer Security isn't an RPC security flavor or pseudo-flavor, +so we shouldn't be conflating them when determining whether the access +checks can be bypassed. Split check_nfsd_access() into two helpers, and +have fh_verify() call the helpers directly since fh_verify() has +logic that allows one or both of the checks to be skipped. All other +sites will continue to call check_nfsd_access(). + +Link: https://lore.kernel.org/linux-nfs/ZjO3Qwf_G87yNXb2@aion/ +Fixes: 9280c5774314 ("NFSD: Handle new xprtsec= export option") +Signed-off-by: Scott Mayhew +Acked-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/export.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++-------- + fs/nfsd/export.h | 2 + + fs/nfsd/nfsfh.c | 12 ++++++++++- + 3 files changed, 65 insertions(+), 9 deletions(-) + +--- a/fs/nfsd/export.c ++++ b/fs/nfsd/export.c +@@ -1071,28 +1071,62 @@ static struct svc_export *exp_find(struc + return exp; + } + +-__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp) ++/** ++ * check_xprtsec_policy - check if access to export is allowed by the ++ * xprtsec policy ++ * @exp: svc_export that is being accessed. ++ * @rqstp: svc_rqst attempting to access @exp. ++ * ++ * Helper function for check_nfsd_access(). Note that callers should be ++ * using check_nfsd_access() instead of calling this function directly. The ++ * one exception is fh_verify() since it has logic that may result in one ++ * or both of the helpers being skipped. ++ * ++ * Return values: ++ * %nfs_ok if access is granted, or ++ * %nfserr_acces or %nfserr_wrongsec if access is denied ++ */ ++__be32 check_xprtsec_policy(struct svc_export *exp, struct svc_rqst *rqstp) + { +- struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors; + struct svc_xprt *xprt = rqstp->rq_xprt; + + if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_NONE) { + if (!test_bit(XPT_TLS_SESSION, &xprt->xpt_flags)) +- goto ok; ++ return nfs_ok; + } + if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_TLS) { + if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) && + !test_bit(XPT_PEER_AUTH, &xprt->xpt_flags)) +- goto ok; ++ return nfs_ok; + } + if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_MTLS) { + if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) && + test_bit(XPT_PEER_AUTH, &xprt->xpt_flags)) +- goto ok; ++ return nfs_ok; + } +- goto denied; + +-ok: ++ return rqstp->rq_vers < 4 ? nfserr_acces : nfserr_wrongsec; ++} ++ ++/** ++ * check_security_flavor - check if access to export is allowed by the ++ * xprtsec policy ++ * @exp: svc_export that is being accessed. ++ * @rqstp: svc_rqst attempting to access @exp. ++ * ++ * Helper function for check_nfsd_access(). Note that callers should be ++ * using check_nfsd_access() instead of calling this function directly. The ++ * one exception is fh_verify() since it has logic that may result in one ++ * or both of the helpers being skipped. ++ * ++ * Return values: ++ * %nfs_ok if access is granted, or ++ * %nfserr_acces or %nfserr_wrongsec if access is denied ++ */ ++__be32 check_security_flavor(struct svc_export *exp, struct svc_rqst *rqstp) ++{ ++ struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors; ++ + /* legacy gss-only clients are always OK: */ + if (exp->ex_client == rqstp->rq_gssclient) + return 0; +@@ -1117,10 +1151,20 @@ ok: + if (nfsd4_spo_must_allow(rqstp)) + return 0; + +-denied: + return rqstp->rq_vers < 4 ? nfserr_acces : nfserr_wrongsec; + } + ++__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp) ++{ ++ __be32 status; ++ ++ status = check_xprtsec_policy(exp, rqstp); ++ if (status != nfs_ok) ++ return status; ++ ++ return check_security_flavor(exp, rqstp); ++} ++ + /* + * Uses rq_client and rq_gssclient to find an export; uses rq_client (an + * auth_unix client) if it's available and has secinfo information; +--- a/fs/nfsd/export.h ++++ b/fs/nfsd/export.h +@@ -100,6 +100,8 @@ struct svc_expkey { + #define EX_WGATHER(exp) ((exp)->ex_flags & NFSEXP_GATHERED_WRITES) + + int nfsexp_flags(struct svc_rqst *rqstp, struct svc_export *exp); ++__be32 check_xprtsec_policy(struct svc_export *exp, struct svc_rqst *rqstp); ++__be32 check_security_flavor(struct svc_export *exp, struct svc_rqst *rqstp); + __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp); + + /* +--- a/fs/nfsd/nfsfh.c ++++ b/fs/nfsd/nfsfh.c +@@ -371,6 +371,16 @@ fh_verify(struct svc_rqst *rqstp, struct + goto out; + + /* ++ * NLM is allowed to bypass the xprtsec policy check because lockd ++ * doesn't support xprtsec. ++ */ ++ if (!(access & NFSD_MAY_LOCK)) { ++ error = check_xprtsec_policy(exp, rqstp); ++ if (error) ++ goto out; ++ } ++ ++ /* + * pseudoflavor restrictions are not enforced on NLM, + * which clients virtually always use auth_sys for, + * even while using RPCSEC_GSS for NFS. +@@ -386,7 +396,7 @@ fh_verify(struct svc_rqst *rqstp, struct + && exp->ex_path.dentry == dentry) + goto skip_pseudoflavor_check; + +- error = check_nfsd_access(exp, rqstp); ++ error = check_security_flavor(exp, rqstp); + if (error) + goto out; + diff --git a/queue-6.6/pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch b/queue-6.6/pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch new file mode 100644 index 0000000000..0041ca06e9 --- /dev/null +++ b/queue-6.6/pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch @@ -0,0 +1,66 @@ +From briannorris@chromium.org Tue Oct 21 20:12:10 2025 +From: Brian Norris +Date: Mon, 20 Oct 2025 13:41:36 -0700 +Subject: PCI/sysfs: Ensure devices are powered for config reads (part 2) +To: stable@vger.kernel.org +Cc: bhelgaas@google.com, Brian Norris , Brian Norris +Message-ID: <20251020204146.3193844-1-briannorris@chromium.org> + +From: Brian Norris + +Commit 48991e493507 ("PCI/sysfs: Ensure devices are powered for config +reads") was applied to various linux-stable trees. However, prior to +6.12.y, we do not have commit d2bd39c0456b ("PCI: Store all PCIe +Supported Link Speeds"). Therefore, we also need to apply the change to +max_link_speed_show(). + +This was pointed out here: + + Re: Patch "PCI/sysfs: Ensure devices are powered for config reads" has been added to the 6.6-stable tree + https://lore.kernel.org/all/aPEMIreBYZ7yk3cm@google.com/ + +Original change description follows: + + The "max_link_width", "current_link_speed", "current_link_width", + "secondary_bus_number", and "subordinate_bus_number" sysfs files all access + config registers, but they don't check the runtime PM state. If the device + is in D3cold or a parent bridge is suspended, we may see -EINVAL, bogus + values, or worse, depending on implementation details. + + Wrap these access in pci_config_pm_runtime_{get,put}() like most of the + rest of the similar sysfs attributes. + + Notably, "max_link_speed" does not access config registers; it returns a + cached value since d2bd39c0456b ("PCI: Store all PCIe Supported Link + Speeds"). + +Fixes: 56c1af4606f0 ("PCI: Add sysfs max_link_speed/width, current_link_speed/width, etc") +Link: https://lore.kernel.org/all/aPEMIreBYZ7yk3cm@google.com/ +Signed-off-by: Brian Norris +Signed-off-by: Brian Norris +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci-sysfs.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -186,9 +186,15 @@ static ssize_t max_link_speed_show(struc + struct device_attribute *attr, char *buf) + { + struct pci_dev *pdev = to_pci_dev(dev); ++ ssize_t ret; + +- return sysfs_emit(buf, "%s\n", +- pci_speed_string(pcie_get_speed_cap(pdev))); ++ /* We read PCI_EXP_LNKCAP, so we need the device to be accessible. */ ++ pci_config_pm_runtime_get(pdev); ++ ret = sysfs_emit(buf, "%s\n", ++ pci_speed_string(pcie_get_speed_cap(pdev))); ++ pci_config_pm_runtime_put(pdev); ++ ++ return ret; + } + static DEVICE_ATTR_RO(max_link_speed); + diff --git a/queue-6.6/series b/queue-6.6/series index d2b748354a..bd412702c5 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -96,3 +96,7 @@ pci-add-pci_vdevice_sub-helper-macro.patch ixgbevf-add-support-for-intel-r-e610-device.patch ixgbevf-fix-getting-link-speed-data-for-e610-devices.patch ixgbevf-fix-mailbox-api-compatibility-by-negotiating-supported-features.patch +nfsd-decouple-the-xprtsec-policy-check-from-check_nfsd_access.patch +pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch +ksmbd-browse-interfaces-list-on-fsctl_query_interface_info-ioctl.patch +mm-ksm-fix-flag-dropping-behavior-in-ksm_madvise.patch -- 2.47.3