From 3121c5b160979c05744c4e728cc414c088ab3ebb Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 11 Jan 2025 17:39:34 +0100 Subject: [PATCH] 6.12-stable patches added patches: btrfs-zlib-fix-avail_in-bytes-for-s390-zlib-hw-compression-path.patch dm-ebs-don-t-set-the-flag-dm_target_passes_integrity.patch dm-thin-make-get_first_thin-use-rcu-safe-list-first-function.patch dm-verity-fec-fix-rs-fec-repair-for-roots-unaligned-to-block-size-take-2.patch drm-amd-display-add-check-for-granularity-in-dml-ceil-floor-helpers.patch drm-amd-display-remove-unnecessary-amdgpu_irq_get-put.patch fs-fix-is_mnt_ns_file.patch fs-relax-assertions-on-failure-to-encode-file-handles.patch ksmbd-implement-new-smb3-posix-type.patch mptcp-sysctl-avail-sched-remove-write-access.patch mptcp-sysctl-blackhole-timeout-avoid-using-current-nsproxy.patch mptcp-sysctl-sched-avoid-using-current-nsproxy.patch rds-sysctl-rds_tcp_-rcv-snd-buf-avoid-using-current-nsproxy.patch revert-drm-mediatek-dsi-correct-calculation-formula-of-phy-timing.patch scsi-ufs-qcom-power-off-the-phy-if-it-was-already-powered-on-in-ufs_qcom_power_up_sequence.patch sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch sctp-sysctl-plpmtud_probe_interval-avoid-using-current-nsproxy.patch sctp-sysctl-rto_min-max-avoid-using-current-nsproxy.patch sctp-sysctl-udp_port-avoid-using-current-nsproxy.patch vfio-pci-fallback-huge-faults-for-unaligned-pfn.patch --- ...es-for-s390-zlib-hw-compression-path.patch | 82 +++++++++ ...-the-flag-dm_target_passes_integrity.patch | 33 ++++ ...hin-use-rcu-safe-list-first-function.patch | 64 +++++++ ...roots-unaligned-to-block-size-take-2.patch | 160 +++++++++++++++++ ...ranularity-in-dml-ceil-floor-helpers.patch | 63 +++++++ ...emove-unnecessary-amdgpu_irq_get-put.patch | 75 ++++++++ queue-6.12/fs-fix-is_mnt_ns_file.patch | 47 +++++ ...ns-on-failure-to-encode-file-handles.patch | 80 +++++++++ .../ksmbd-implement-new-smb3-posix-type.patch | 96 ++++++++++ ...sctl-avail-sched-remove-write-access.patch | 45 +++++ ...-timeout-avoid-using-current-nsproxy.patch | 53 ++++++ ...tl-sched-avoid-using-current-nsproxy.patch | 169 ++++++++++++++++++ ...-snd-buf-avoid-using-current-nsproxy.patch | 117 ++++++++++++ ...ct-calculation-formula-of-phy-timing.patch | 67 +++++++ ...red-on-in-ufs_qcom_power_up_sequence.patch | 147 +++++++++++++++ ...h_enable-avoid-using-current-nsproxy.patch | 49 +++++ ...hmac_alg-avoid-using-current-nsproxy.patch | 51 ++++++ ...interval-avoid-using-current-nsproxy.patch | 51 ++++++ ..._min-max-avoid-using-current-nsproxy.patch | 58 ++++++ ...udp_port-avoid-using-current-nsproxy.patch | 49 +++++ queue-6.12/series | 21 +++ ...llback-huge-faults-for-unaligned-pfn.patch | 71 ++++++++ 22 files changed, 1648 insertions(+) create mode 100644 queue-6.12/btrfs-zlib-fix-avail_in-bytes-for-s390-zlib-hw-compression-path.patch create mode 100644 queue-6.12/dm-ebs-don-t-set-the-flag-dm_target_passes_integrity.patch create mode 100644 queue-6.12/dm-thin-make-get_first_thin-use-rcu-safe-list-first-function.patch create mode 100644 queue-6.12/dm-verity-fec-fix-rs-fec-repair-for-roots-unaligned-to-block-size-take-2.patch create mode 100644 queue-6.12/drm-amd-display-add-check-for-granularity-in-dml-ceil-floor-helpers.patch create mode 100644 queue-6.12/drm-amd-display-remove-unnecessary-amdgpu_irq_get-put.patch create mode 100644 queue-6.12/fs-fix-is_mnt_ns_file.patch create mode 100644 queue-6.12/fs-relax-assertions-on-failure-to-encode-file-handles.patch create mode 100644 queue-6.12/ksmbd-implement-new-smb3-posix-type.patch create mode 100644 queue-6.12/mptcp-sysctl-avail-sched-remove-write-access.patch create mode 100644 queue-6.12/mptcp-sysctl-blackhole-timeout-avoid-using-current-nsproxy.patch create mode 100644 queue-6.12/mptcp-sysctl-sched-avoid-using-current-nsproxy.patch create mode 100644 queue-6.12/rds-sysctl-rds_tcp_-rcv-snd-buf-avoid-using-current-nsproxy.patch create mode 100644 queue-6.12/revert-drm-mediatek-dsi-correct-calculation-formula-of-phy-timing.patch create mode 100644 queue-6.12/scsi-ufs-qcom-power-off-the-phy-if-it-was-already-powered-on-in-ufs_qcom_power_up_sequence.patch create mode 100644 queue-6.12/sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch create mode 100644 queue-6.12/sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch create mode 100644 queue-6.12/sctp-sysctl-plpmtud_probe_interval-avoid-using-current-nsproxy.patch create mode 100644 queue-6.12/sctp-sysctl-rto_min-max-avoid-using-current-nsproxy.patch create mode 100644 queue-6.12/sctp-sysctl-udp_port-avoid-using-current-nsproxy.patch create mode 100644 queue-6.12/vfio-pci-fallback-huge-faults-for-unaligned-pfn.patch diff --git a/queue-6.12/btrfs-zlib-fix-avail_in-bytes-for-s390-zlib-hw-compression-path.patch b/queue-6.12/btrfs-zlib-fix-avail_in-bytes-for-s390-zlib-hw-compression-path.patch new file mode 100644 index 00000000000..affde1ab07d --- /dev/null +++ b/queue-6.12/btrfs-zlib-fix-avail_in-bytes-for-s390-zlib-hw-compression-path.patch @@ -0,0 +1,82 @@ +From 0ee4736c003daded513de0ff112d4a1e9c85bbab Mon Sep 17 00:00:00 2001 +From: Mikhail Zaslonko +Date: Wed, 18 Dec 2024 11:32:51 +0100 +Subject: btrfs: zlib: fix avail_in bytes for s390 zlib HW compression path + +From: Mikhail Zaslonko + +commit 0ee4736c003daded513de0ff112d4a1e9c85bbab upstream. + +Since the input data length passed to zlib_compress_folios() can be +arbitrary, always setting strm.avail_in to a multiple of PAGE_SIZE may +cause read-in bytes to exceed the input range. Currently this triggers +an assert in btrfs_compress_folios() on the debug kernel (see below). +Fix strm.avail_in calculation for S390 hardware acceleration path. + + assertion failed: *total_in <= orig_len, in fs/btrfs/compression.c:1041 + ------------[ cut here ]------------ + kernel BUG at fs/btrfs/compression.c:1041! + monitor event: 0040 ilc:2 [#1] PREEMPT SMP + CPU: 16 UID: 0 PID: 325 Comm: kworker/u273:3 Not tainted 6.13.0-20241204.rc1.git6.fae3b21430ca.300.fc41.s390x+debug #1 + Hardware name: IBM 3931 A01 703 (z/VM 7.4.0) + Workqueue: btrfs-delalloc btrfs_work_helper + Krnl PSW : 0704d00180000000 0000021761df6538 (btrfs_compress_folios+0x198/0x1a0) + R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3 + Krnl GPRS: 0000000080000000 0000000000000001 0000000000000047 0000000000000000 + 0000000000000006 ffffff01757bb000 000001976232fcc0 000000000000130c + 000001976232fcd0 000001976232fcc8 00000118ff4a0e30 0000000000000001 + 00000111821ab400 0000011100000000 0000021761df6534 000001976232fb58 + Krnl Code: 0000021761df6528: c020006f5ef4 larl %r2,0000021762be2310 + 0000021761df652e: c0e5ffbd09d5 brasl %r14,00000217615978d8 + #0000021761df6534: af000000 mc 0,0 + >0000021761df6538: 0707 bcr 0,%r7 + 0000021761df653a: 0707 bcr 0,%r7 + 0000021761df653c: 0707 bcr 0,%r7 + 0000021761df653e: 0707 bcr 0,%r7 + 0000021761df6540: c004004bb7ec brcl 0,000002176276d518 + Call Trace: + [<0000021761df6538>] btrfs_compress_folios+0x198/0x1a0 + ([<0000021761df6534>] btrfs_compress_folios+0x194/0x1a0) + [<0000021761d97788>] compress_file_range+0x3b8/0x6d0 + [<0000021761dcee7c>] btrfs_work_helper+0x10c/0x160 + [<0000021761645760>] process_one_work+0x2b0/0x5d0 + [<000002176164637e>] worker_thread+0x20e/0x3e0 + [<000002176165221a>] kthread+0x15a/0x170 + [<00000217615b859c>] __ret_from_fork+0x3c/0x60 + [<00000217626e72d2>] ret_from_fork+0xa/0x38 + INFO: lockdep is turned off. + Last Breaking-Event-Address: + [<0000021761597924>] _printk+0x4c/0x58 + Kernel panic - not syncing: Fatal exception: panic_on_oops + +Fixes: fd1e75d0105d ("btrfs: make compression path to be subpage compatible") +CC: stable@vger.kernel.org # 6.12+ +Acked-by: Ilya Leoshkevich +Reviewed-by: Qu Wenruo +Signed-off-by: Mikhail Zaslonko +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/zlib.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/zlib.c b/fs/btrfs/zlib.c +index ddf0d5a448a7..c9e92c6941ec 100644 +--- a/fs/btrfs/zlib.c ++++ b/fs/btrfs/zlib.c +@@ -174,10 +174,10 @@ int zlib_compress_folios(struct list_head *ws, struct address_space *mapping, + copy_page(workspace->buf + i * PAGE_SIZE, + data_in); + start += PAGE_SIZE; +- workspace->strm.avail_in = +- (in_buf_folios << PAGE_SHIFT); + } + workspace->strm.next_in = workspace->buf; ++ workspace->strm.avail_in = min(bytes_left, ++ in_buf_folios << PAGE_SHIFT); + } else { + unsigned int pg_off; + unsigned int cur_len; +-- +2.48.0 + diff --git a/queue-6.12/dm-ebs-don-t-set-the-flag-dm_target_passes_integrity.patch b/queue-6.12/dm-ebs-don-t-set-the-flag-dm_target_passes_integrity.patch new file mode 100644 index 00000000000..fccd894f101 --- /dev/null +++ b/queue-6.12/dm-ebs-don-t-set-the-flag-dm_target_passes_integrity.patch @@ -0,0 +1,33 @@ +From 47f33c27fc9565fb0bc7dfb76be08d445cd3d236 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 7 Jan 2025 17:47:01 +0100 +Subject: dm-ebs: don't set the flag DM_TARGET_PASSES_INTEGRITY + +From: Mikulas Patocka + +commit 47f33c27fc9565fb0bc7dfb76be08d445cd3d236 upstream. + +dm-ebs uses dm-bufio to process requests that are not aligned on logical +sector size. dm-bufio doesn't support passing integrity data (and it is +unclear how should it do it), so we shouldn't set the +DM_TARGET_PASSES_INTEGRITY flag. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Fixes: d3c7b35c20d6 ("dm: add emulated block size target") +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-ebs-target.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-ebs-target.c ++++ b/drivers/md/dm-ebs-target.c +@@ -442,7 +442,7 @@ static int ebs_iterate_devices(struct dm + static struct target_type ebs_target = { + .name = "ebs", + .version = {1, 0, 1}, +- .features = DM_TARGET_PASSES_INTEGRITY, ++ .features = 0, + .module = THIS_MODULE, + .ctr = ebs_ctr, + .dtr = ebs_dtr, diff --git a/queue-6.12/dm-thin-make-get_first_thin-use-rcu-safe-list-first-function.patch b/queue-6.12/dm-thin-make-get_first_thin-use-rcu-safe-list-first-function.patch new file mode 100644 index 00000000000..6f4687fb26c --- /dev/null +++ b/queue-6.12/dm-thin-make-get_first_thin-use-rcu-safe-list-first-function.patch @@ -0,0 +1,64 @@ +From 80f130bfad1dab93b95683fc39b87235682b8f72 Mon Sep 17 00:00:00 2001 +From: Krister Johansen +Date: Tue, 7 Jan 2025 15:24:58 -0800 +Subject: dm thin: make get_first_thin use rcu-safe list first function + +From: Krister Johansen + +commit 80f130bfad1dab93b95683fc39b87235682b8f72 upstream. + +The documentation in rculist.h explains the absence of list_empty_rcu() +and cautions programmers against relying on a list_empty() -> +list_first() sequence in RCU safe code. This is because each of these +functions performs its own READ_ONCE() of the list head. This can lead +to a situation where the list_empty() sees a valid list entry, but the +subsequent list_first() sees a different view of list head state after a +modification. + +In the case of dm-thin, this author had a production box crash from a GP +fault in the process_deferred_bios path. This function saw a valid list +head in get_first_thin() but when it subsequently dereferenced that and +turned it into a thin_c, it got the inside of the struct pool, since the +list was now empty and referring to itself. The kernel on which this +occurred printed both a warning about a refcount_t being saturated, and +a UBSAN error for an out-of-bounds cpuid access in the queued spinlock, +prior to the fault itself. When the resulting kdump was examined, it +was possible to see another thread patiently waiting in thin_dtr's +synchronize_rcu. + +The thin_dtr call managed to pull the thin_c out of the active thins +list (and have it be the last entry in the active_thins list) at just +the wrong moment which lead to this crash. + +Fortunately, the fix here is straight forward. Switch get_first_thin() +function to use list_first_or_null_rcu() which performs just a single +READ_ONCE() and returns NULL if the list is already empty. + +This was run against the devicemapper test suite's thin-provisioning +suites for delete and suspend and no regressions were observed. + +Signed-off-by: Krister Johansen +Fixes: b10ebd34ccca ("dm thin: fix rcu_read_lock being held in code that can sleep") +Cc: stable@vger.kernel.org +Acked-by: Ming-Hung Tsai +Signed-off-by: Mikulas Patocka +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-thin.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -2332,10 +2332,9 @@ static struct thin_c *get_first_thin(str + struct thin_c *tc = NULL; + + rcu_read_lock(); +- if (!list_empty(&pool->active_thins)) { +- tc = list_entry_rcu(pool->active_thins.next, struct thin_c, list); ++ tc = list_first_or_null_rcu(&pool->active_thins, struct thin_c, list); ++ if (tc) + thin_get(tc); +- } + rcu_read_unlock(); + + return tc; diff --git a/queue-6.12/dm-verity-fec-fix-rs-fec-repair-for-roots-unaligned-to-block-size-take-2.patch b/queue-6.12/dm-verity-fec-fix-rs-fec-repair-for-roots-unaligned-to-block-size-take-2.patch new file mode 100644 index 00000000000..418e6e88308 --- /dev/null +++ b/queue-6.12/dm-verity-fec-fix-rs-fec-repair-for-roots-unaligned-to-block-size-take-2.patch @@ -0,0 +1,160 @@ +From 6df90c02bae468a3a6110bafbc659884d0c4966c Mon Sep 17 00:00:00 2001 +From: Milan Broz +Date: Wed, 18 Dec 2024 13:56:58 +0100 +Subject: dm-verity FEC: Fix RS FEC repair for roots unaligned to block size (take 2) + +From: Milan Broz + +commit 6df90c02bae468a3a6110bafbc659884d0c4966c upstream. + +This patch fixes an issue that was fixed in the commit + df7b59ba9245 ("dm verity: fix FEC for RS roots unaligned to block size") +but later broken again in the commit + 8ca7cab82bda ("dm verity fec: fix misaligned RS roots IO") + +If the Reed-Solomon roots setting spans multiple blocks, the code does not +use proper parity bytes and randomly fails to repair even trivial errors. + +This bug cannot happen if the sector size is multiple of RS roots +setting (Android case with roots 2). + +The previous solution was to find a dm-bufio block size that is multiple +of the device sector size and roots size. Unfortunately, the optimization +in commit 8ca7cab82bda ("dm verity fec: fix misaligned RS roots IO") +is incorrect and uses data block size for some roots (for example, it uses +4096 block size for roots = 20). + +This patch uses a different approach: + + - It always uses a configured data block size for dm-bufio to avoid + possible misaligned IOs. + + - and it caches the processed parity bytes, so it can join it + if it spans two blocks. + +As the RS calculation is called only if an error is detected and +the process is computationally intensive, copying a few more bytes +should not introduce performance issues. + +The issue was reported to cryptsetup with trivial reproducer + https://gitlab.com/cryptsetup/cryptsetup/-/issues/923 + +Reproducer (with roots=20): + + # create verity device with RS FEC + dd if=/dev/urandom of=data.img bs=4096 count=8 status=none + veritysetup format data.img hash.img --fec-device=fec.img --fec-roots=20 | \ + awk '/^Root hash/{ print $3 }' >roothash + + # create an erasure that should always be repairable with this roots setting + dd if=/dev/zero of=data.img conv=notrunc bs=1 count=4 seek=4 status=none + + # try to read it through dm-verity + veritysetup open data.img test hash.img --fec-device=fec.img --fec-roots=20 $(cat roothash) + dd if=/dev/mapper/test of=/dev/null bs=4096 status=noxfer + + Even now the log says it cannot repair it: + : verity-fec: 7:1: FEC 0: failed to correct: -74 + : device-mapper: verity: 7:1: data block 0 is corrupted + ... + +With this fix, errors are properly repaired. + : verity-fec: 7:1: FEC 0: corrected 4 errors + +Signed-off-by: Milan Broz +Fixes: 8ca7cab82bda ("dm verity fec: fix misaligned RS roots IO") +Cc: stable@vger.kernel.org +Signed-off-by: Mikulas Patocka +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-verity-fec.c | 40 ++++++++++++++++++++++++++-------------- + 1 file changed, 26 insertions(+), 14 deletions(-) + +--- a/drivers/md/dm-verity-fec.c ++++ b/drivers/md/dm-verity-fec.c +@@ -60,15 +60,19 @@ static int fec_decode_rs8(struct dm_veri + * to the data block. Caller is responsible for releasing buf. + */ + static u8 *fec_read_parity(struct dm_verity *v, u64 rsb, int index, +- unsigned int *offset, struct dm_buffer **buf, +- unsigned short ioprio) ++ unsigned int *offset, unsigned int par_buf_offset, ++ struct dm_buffer **buf, unsigned short ioprio) + { + u64 position, block, rem; + u8 *res; + ++ /* We have already part of parity bytes read, skip to the next block */ ++ if (par_buf_offset) ++ index++; ++ + position = (index + rsb) * v->fec->roots; + block = div64_u64_rem(position, v->fec->io_size, &rem); +- *offset = (unsigned int)rem; ++ *offset = par_buf_offset ? 0 : (unsigned int)rem; + + res = dm_bufio_read_with_ioprio(v->fec->bufio, block, buf, ioprio); + if (IS_ERR(res)) { +@@ -128,11 +132,12 @@ static int fec_decode_bufs(struct dm_ver + { + int r, corrected = 0, res; + struct dm_buffer *buf; +- unsigned int n, i, offset; +- u8 *par, *block; ++ unsigned int n, i, offset, par_buf_offset = 0; ++ u8 *par, *block, par_buf[DM_VERITY_FEC_RSM - DM_VERITY_FEC_MIN_RSN]; + struct bio *bio = dm_bio_from_per_bio_data(io, v->ti->per_io_data_size); + +- par = fec_read_parity(v, rsb, block_offset, &offset, &buf, bio_prio(bio)); ++ par = fec_read_parity(v, rsb, block_offset, &offset, ++ par_buf_offset, &buf, bio_prio(bio)); + if (IS_ERR(par)) + return PTR_ERR(par); + +@@ -142,7 +147,8 @@ static int fec_decode_bufs(struct dm_ver + */ + fec_for_each_buffer_rs_block(fio, n, i) { + block = fec_buffer_rs_block(v, fio, n, i); +- res = fec_decode_rs8(v, fio, block, &par[offset], neras); ++ memcpy(&par_buf[par_buf_offset], &par[offset], v->fec->roots - par_buf_offset); ++ res = fec_decode_rs8(v, fio, block, par_buf, neras); + if (res < 0) { + r = res; + goto error; +@@ -155,12 +161,21 @@ static int fec_decode_bufs(struct dm_ver + if (block_offset >= 1 << v->data_dev_block_bits) + goto done; + +- /* read the next block when we run out of parity bytes */ +- offset += v->fec->roots; ++ /* Read the next block when we run out of parity bytes */ ++ offset += (v->fec->roots - par_buf_offset); ++ /* Check if parity bytes are split between blocks */ ++ if (offset < v->fec->io_size && (offset + v->fec->roots) > v->fec->io_size) { ++ par_buf_offset = v->fec->io_size - offset; ++ memcpy(par_buf, &par[offset], par_buf_offset); ++ offset += par_buf_offset; ++ } else ++ par_buf_offset = 0; ++ + if (offset >= v->fec->io_size) { + dm_bufio_release(buf); + +- par = fec_read_parity(v, rsb, block_offset, &offset, &buf, bio_prio(bio)); ++ par = fec_read_parity(v, rsb, block_offset, &offset, ++ par_buf_offset, &buf, bio_prio(bio)); + if (IS_ERR(par)) + return PTR_ERR(par); + } +@@ -724,10 +739,7 @@ int verity_fec_ctr(struct dm_verity *v) + return -E2BIG; + } + +- if ((f->roots << SECTOR_SHIFT) & ((1 << v->data_dev_block_bits) - 1)) +- f->io_size = 1 << v->data_dev_block_bits; +- else +- f->io_size = v->fec->roots << SECTOR_SHIFT; ++ f->io_size = 1 << v->data_dev_block_bits; + + f->bufio = dm_bufio_client_create(f->dev->bdev, + f->io_size, diff --git a/queue-6.12/drm-amd-display-add-check-for-granularity-in-dml-ceil-floor-helpers.patch b/queue-6.12/drm-amd-display-add-check-for-granularity-in-dml-ceil-floor-helpers.patch new file mode 100644 index 00000000000..3c4690f0901 --- /dev/null +++ b/queue-6.12/drm-amd-display-add-check-for-granularity-in-dml-ceil-floor-helpers.patch @@ -0,0 +1,63 @@ +From 0881fbc4fd62e00a2b8e102725f76d10351b2ea8 Mon Sep 17 00:00:00 2001 +From: Roman Li +Date: Fri, 13 Dec 2024 13:51:07 -0500 +Subject: drm/amd/display: Add check for granularity in dml ceil/floor helpers + +From: Roman Li + +commit 0881fbc4fd62e00a2b8e102725f76d10351b2ea8 upstream. + +[Why] +Wrapper functions for dcn_bw_ceil2() and dcn_bw_floor2() +should check for granularity is non zero to avoid assert and +divide-by-zero error in dcn_bw_ functions. + +[How] +Add check for granularity 0. + +Cc: Mario Limonciello +Reviewed-by: Alvin Lee +Signed-off-by: Roman Li +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +(cherry picked from commit f6e09701c3eb2ccb8cb0518e0b67f1c69742a4ec) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dml/dml_inline_defs.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/gpu/drm/amd/display/dc/dml/dml_inline_defs.h ++++ b/drivers/gpu/drm/amd/display/dc/dml/dml_inline_defs.h +@@ -66,11 +66,15 @@ static inline double dml_max5(double a, + + static inline double dml_ceil(double a, double granularity) + { ++ if (granularity == 0) ++ return 0; + return (double) dcn_bw_ceil2(a, granularity); + } + + static inline double dml_floor(double a, double granularity) + { ++ if (granularity == 0) ++ return 0; + return (double) dcn_bw_floor2(a, granularity); + } + +@@ -114,11 +118,15 @@ static inline double dml_ceil_2(double f + + static inline double dml_ceil_ex(double x, double granularity) + { ++ if (granularity == 0) ++ return 0; + return (double) dcn_bw_ceil2(x, granularity); + } + + static inline double dml_floor_ex(double x, double granularity) + { ++ if (granularity == 0) ++ return 0; + return (double) dcn_bw_floor2(x, granularity); + } + diff --git a/queue-6.12/drm-amd-display-remove-unnecessary-amdgpu_irq_get-put.patch b/queue-6.12/drm-amd-display-remove-unnecessary-amdgpu_irq_get-put.patch new file mode 100644 index 00000000000..7e50183e8e1 --- /dev/null +++ b/queue-6.12/drm-amd-display-remove-unnecessary-amdgpu_irq_get-put.patch @@ -0,0 +1,75 @@ +From 5009628d8509dbb90e1b88e01eda00430fa24b4b Mon Sep 17 00:00:00 2001 +From: Alex Hung +Date: Tue, 17 Dec 2024 14:03:50 -0700 +Subject: drm/amd/display: Remove unnecessary amdgpu_irq_get/put + +From: Alex Hung + +commit 5009628d8509dbb90e1b88e01eda00430fa24b4b upstream. + +[WHY & HOW] +commit 7fb363c57522 ("drm/amd/display: Let drm_crtc_vblank_on/off manage interrupts") +lets drm_crtc_vblank_* to manage interrupts in amdgpu_dm_crtc_set_vblank, +and amdgpu_irq_get/put do not need to be called here. Part of that +patch got lost somehow, so fix it up. + +Fixes: 7fb363c57522 ("drm/amd/display: Let drm_crtc_vblank_on/off manage interrupts") +Reviewed-by: Alex Deucher +Reviewed-by: Leo Li +Signed-off-by: Alex Hung +Signed-off-by: Alex Deucher +(cherry picked from commit 3782305ce5807c18fbf092124b9e8303cf1723ae) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 31 ---------------------- + 1 file changed, 31 deletions(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -8393,16 +8393,6 @@ static void manage_dm_interrupts(struct + struct amdgpu_crtc *acrtc, + struct dm_crtc_state *acrtc_state) + { +- /* +- * We have no guarantee that the frontend index maps to the same +- * backend index - some even map to more than one. +- * +- * TODO: Use a different interrupt or check DC itself for the mapping. +- */ +- int irq_type = +- amdgpu_display_crtc_idx_to_irq_type( +- adev, +- acrtc->crtc_id); + struct drm_vblank_crtc_config config = {0}; + struct dc_crtc_timing *timing; + int offdelay; +@@ -8428,28 +8418,7 @@ static void manage_dm_interrupts(struct + + drm_crtc_vblank_on_config(&acrtc->base, + &config); +- +- amdgpu_irq_get( +- adev, +- &adev->pageflip_irq, +- irq_type); +-#if defined(CONFIG_DRM_AMD_SECURE_DISPLAY) +- amdgpu_irq_get( +- adev, +- &adev->vline0_irq, +- irq_type); +-#endif + } else { +-#if defined(CONFIG_DRM_AMD_SECURE_DISPLAY) +- amdgpu_irq_put( +- adev, +- &adev->vline0_irq, +- irq_type); +-#endif +- amdgpu_irq_put( +- adev, +- &adev->pageflip_irq, +- irq_type); + drm_crtc_vblank_off(&acrtc->base); + } + } diff --git a/queue-6.12/fs-fix-is_mnt_ns_file.patch b/queue-6.12/fs-fix-is_mnt_ns_file.patch new file mode 100644 index 00000000000..fd30b34b61e --- /dev/null +++ b/queue-6.12/fs-fix-is_mnt_ns_file.patch @@ -0,0 +1,47 @@ +From aa21f333c86c8a09d39189de87abb0153d338190 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 11 Dec 2024 13:11:17 +0100 +Subject: fs: fix is_mnt_ns_file() + +From: Miklos Szeredi + +commit aa21f333c86c8a09d39189de87abb0153d338190 upstream. + +Commit 1fa08aece425 ("nsfs: convert to path_from_stashed() helper") reused +nsfs dentry's d_fsdata, which no longer contains a pointer to +proc_ns_operations. + +Fix the remaining use in is_mnt_ns_file(). + +Fixes: 1fa08aece425 ("nsfs: convert to path_from_stashed() helper") +Cc: stable@vger.kernel.org # v6.9 +Signed-off-by: Miklos Szeredi +Link: https://lore.kernel.org/r/20241211121118.85268-1-mszeredi@redhat.com +Acked-by: Al Viro +Reviewed-by: Jeff Layton +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/namespace.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -2055,9 +2055,15 @@ SYSCALL_DEFINE1(oldumount, char __user * + + static bool is_mnt_ns_file(struct dentry *dentry) + { ++ struct ns_common *ns; ++ + /* Is this a proxy for a mount namespace? */ +- return dentry->d_op == &ns_dentry_operations && +- dentry->d_fsdata == &mntns_operations; ++ if (dentry->d_op != &ns_dentry_operations) ++ return false; ++ ++ ns = d_inode(dentry)->i_private; ++ ++ return ns->ops == &mntns_operations; + } + + struct ns_common *from_mnt_ns(struct mnt_namespace *mnt) diff --git a/queue-6.12/fs-relax-assertions-on-failure-to-encode-file-handles.patch b/queue-6.12/fs-relax-assertions-on-failure-to-encode-file-handles.patch new file mode 100644 index 00000000000..2989b3892be --- /dev/null +++ b/queue-6.12/fs-relax-assertions-on-failure-to-encode-file-handles.patch @@ -0,0 +1,80 @@ +From 974e3fe0ac61de85015bbe5a4990cf4127b304b2 Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Thu, 19 Dec 2024 12:53:01 +0100 +Subject: fs: relax assertions on failure to encode file handles + +From: Amir Goldstein + +commit 974e3fe0ac61de85015bbe5a4990cf4127b304b2 upstream. + +Encoding file handles is usually performed by a filesystem >encode_fh() +method that may fail for various reasons. + +The legacy users of exportfs_encode_fh(), namely, nfsd and +name_to_handle_at(2) syscall are ready to cope with the possibility +of failure to encode a file handle. + +There are a few other users of exportfs_encode_{fh,fid}() that +currently have a WARN_ON() assertion when ->encode_fh() fails. +Relax those assertions because they are wrong. + +The second linked bug report states commit 16aac5ad1fa9 ("ovl: support +encoding non-decodable file handles") in v6.6 as the regressing commit, +but this is not accurate. + +The aforementioned commit only increases the chances of the assertion +and allows triggering the assertion with the reproducer using overlayfs, +inotify and drop_caches. + +Triggering this assertion was always possible with other filesystems and +other reasons of ->encode_fh() failures and more particularly, it was +also possible with the exact same reproducer using overlayfs that is +mounted with options index=on,nfs_export=on also on kernels < v6.6. +Therefore, I am not listing the aforementioned commit as a Fixes commit. + +Backport hint: this patch will have a trivial conflict applying to +v6.6.y, and other trivial conflicts applying to stable kernels < v6.6. + +Reported-by: syzbot+ec07f6f5ce62b858579f@syzkaller.appspotmail.com +Tested-by: syzbot+ec07f6f5ce62b858579f@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-unionfs/671fd40c.050a0220.4735a.024f.GAE@google.com/ +Reported-by: Dmitry Safonov +Closes: https://lore.kernel.org/linux-fsdevel/CAGrbwDTLt6drB9eaUagnQVgdPBmhLfqqxAf3F+Juqy_o6oP8uw@mail.gmail.com/ +Cc: stable@vger.kernel.org +Signed-off-by: Amir Goldstein +Link: https://lore.kernel.org/r/20241219115301.465396-1-amir73il@gmail.com +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/notify/fdinfo.c | 4 +--- + fs/overlayfs/copy_up.c | 5 ++--- + 2 files changed, 3 insertions(+), 6 deletions(-) + +--- a/fs/notify/fdinfo.c ++++ b/fs/notify/fdinfo.c +@@ -47,10 +47,8 @@ static void show_mark_fhandle(struct seq + size = f->handle_bytes >> 2; + + ret = exportfs_encode_fid(inode, (struct fid *)f->f_handle, &size); +- if ((ret == FILEID_INVALID) || (ret < 0)) { +- WARN_ONCE(1, "Can't encode file handler for inotify: %d\n", ret); ++ if ((ret == FILEID_INVALID) || (ret < 0)) + return; +- } + + f->handle_type = ret; + f->handle_bytes = size * sizeof(u32); +--- a/fs/overlayfs/copy_up.c ++++ b/fs/overlayfs/copy_up.c +@@ -444,9 +444,8 @@ struct ovl_fh *ovl_encode_real_fh(struct + buflen = (dwords << 2); + + err = -EIO; +- if (WARN_ON(fh_type < 0) || +- WARN_ON(buflen > MAX_HANDLE_SZ) || +- WARN_ON(fh_type == FILEID_INVALID)) ++ if (fh_type < 0 || fh_type == FILEID_INVALID || ++ WARN_ON(buflen > MAX_HANDLE_SZ)) + goto out_err; + + fh->fb.version = OVL_FH_VERSION; diff --git a/queue-6.12/ksmbd-implement-new-smb3-posix-type.patch b/queue-6.12/ksmbd-implement-new-smb3-posix-type.patch new file mode 100644 index 00000000000..534a1594609 --- /dev/null +++ b/queue-6.12/ksmbd-implement-new-smb3-posix-type.patch @@ -0,0 +1,96 @@ +From e8580b4c600e085b3c8e6404392de2f822d4c132 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Tue, 7 Jan 2025 17:41:21 +0900 +Subject: ksmbd: Implement new SMB3 POSIX type + +From: Namjae Jeon + +commit e8580b4c600e085b3c8e6404392de2f822d4c132 upstream. + +As SMB3 posix extension specification, Give posix file type to posix +mode. + +https://www.samba.org/~slow/SMB3_POSIX/fscc_posix_extensions.html#posix-file-type-definition + +Cc: stable@vger.kernel.org +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 40 ++++++++++++++++++++++++++++++++++++++++ + fs/smb/server/smb2pdu.h | 10 ++++++++++ + 2 files changed, 50 insertions(+) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -3988,6 +3988,26 @@ static int smb2_populate_readdir_entry(s + posix_info->DeviceId = cpu_to_le32(ksmbd_kstat->kstat->rdev); + posix_info->HardLinks = cpu_to_le32(ksmbd_kstat->kstat->nlink); + posix_info->Mode = cpu_to_le32(ksmbd_kstat->kstat->mode & 0777); ++ switch (ksmbd_kstat->kstat->mode & S_IFMT) { ++ case S_IFDIR: ++ posix_info->Mode |= cpu_to_le32(POSIX_TYPE_DIR << POSIX_FILETYPE_SHIFT); ++ break; ++ case S_IFLNK: ++ posix_info->Mode |= cpu_to_le32(POSIX_TYPE_SYMLINK << POSIX_FILETYPE_SHIFT); ++ break; ++ case S_IFCHR: ++ posix_info->Mode |= cpu_to_le32(POSIX_TYPE_CHARDEV << POSIX_FILETYPE_SHIFT); ++ break; ++ case S_IFBLK: ++ posix_info->Mode |= cpu_to_le32(POSIX_TYPE_BLKDEV << POSIX_FILETYPE_SHIFT); ++ break; ++ case S_IFIFO: ++ posix_info->Mode |= cpu_to_le32(POSIX_TYPE_FIFO << POSIX_FILETYPE_SHIFT); ++ break; ++ case S_IFSOCK: ++ posix_info->Mode |= cpu_to_le32(POSIX_TYPE_SOCKET << POSIX_FILETYPE_SHIFT); ++ } ++ + posix_info->Inode = cpu_to_le64(ksmbd_kstat->kstat->ino); + posix_info->DosAttributes = + S_ISDIR(ksmbd_kstat->kstat->mode) ? +@@ -5176,6 +5196,26 @@ static int find_file_posix_info(struct s + file_info->AllocationSize = cpu_to_le64(stat.blocks << 9); + file_info->HardLinks = cpu_to_le32(stat.nlink); + file_info->Mode = cpu_to_le32(stat.mode & 0777); ++ switch (stat.mode & S_IFMT) { ++ case S_IFDIR: ++ file_info->Mode |= cpu_to_le32(POSIX_TYPE_DIR << POSIX_FILETYPE_SHIFT); ++ break; ++ case S_IFLNK: ++ file_info->Mode |= cpu_to_le32(POSIX_TYPE_SYMLINK << POSIX_FILETYPE_SHIFT); ++ break; ++ case S_IFCHR: ++ file_info->Mode |= cpu_to_le32(POSIX_TYPE_CHARDEV << POSIX_FILETYPE_SHIFT); ++ break; ++ case S_IFBLK: ++ file_info->Mode |= cpu_to_le32(POSIX_TYPE_BLKDEV << POSIX_FILETYPE_SHIFT); ++ break; ++ case S_IFIFO: ++ file_info->Mode |= cpu_to_le32(POSIX_TYPE_FIFO << POSIX_FILETYPE_SHIFT); ++ break; ++ case S_IFSOCK: ++ file_info->Mode |= cpu_to_le32(POSIX_TYPE_SOCKET << POSIX_FILETYPE_SHIFT); ++ } ++ + file_info->DeviceId = cpu_to_le32(stat.rdev); + + /* +--- a/fs/smb/server/smb2pdu.h ++++ b/fs/smb/server/smb2pdu.h +@@ -502,4 +502,14 @@ static inline void *smb2_get_msg(void *b + return buf + 4; + } + ++#define POSIX_TYPE_FILE 0 ++#define POSIX_TYPE_DIR 1 ++#define POSIX_TYPE_SYMLINK 2 ++#define POSIX_TYPE_CHARDEV 3 ++#define POSIX_TYPE_BLKDEV 4 ++#define POSIX_TYPE_FIFO 5 ++#define POSIX_TYPE_SOCKET 6 ++ ++#define POSIX_FILETYPE_SHIFT 12 ++ + #endif /* _SMB2PDU_H */ diff --git a/queue-6.12/mptcp-sysctl-avail-sched-remove-write-access.patch b/queue-6.12/mptcp-sysctl-avail-sched-remove-write-access.patch new file mode 100644 index 00000000000..8696037b488 --- /dev/null +++ b/queue-6.12/mptcp-sysctl-avail-sched-remove-write-access.patch @@ -0,0 +1,45 @@ +From 771ec78dc8b48d562e6015bb535ed3cd37043d78 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 8 Jan 2025 16:34:29 +0100 +Subject: mptcp: sysctl: avail sched: remove write access + +From: Matthieu Baerts (NGI0) + +commit 771ec78dc8b48d562e6015bb535ed3cd37043d78 upstream. + +'net.mptcp.available_schedulers' sysctl knob is there to list available +schedulers, not to modify this list. + +There are then no reasons to give write access to it. + +Nothing would have been written anyway, but no errors would have been +returned, which is unexpected. + +Fixes: 73c900aa3660 ("mptcp: add net.mptcp.available_schedulers") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-1-5df34b2083e8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/ctrl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mptcp/ctrl.c b/net/mptcp/ctrl.c +index 38d8121331d4..d9b57fab2a13 100644 +--- a/net/mptcp/ctrl.c ++++ b/net/mptcp/ctrl.c +@@ -228,7 +228,7 @@ static struct ctl_table mptcp_sysctl_table[] = { + { + .procname = "available_schedulers", + .maxlen = MPTCP_SCHED_BUF_MAX, +- .mode = 0644, ++ .mode = 0444, + .proc_handler = proc_available_schedulers, + }, + { +-- +2.48.0 + diff --git a/queue-6.12/mptcp-sysctl-blackhole-timeout-avoid-using-current-nsproxy.patch b/queue-6.12/mptcp-sysctl-blackhole-timeout-avoid-using-current-nsproxy.patch new file mode 100644 index 00000000000..7886e18631f --- /dev/null +++ b/queue-6.12/mptcp-sysctl-blackhole-timeout-avoid-using-current-nsproxy.patch @@ -0,0 +1,53 @@ +From 92cf7a51bdae24a32c592adcdd59a773ae149289 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 8 Jan 2025 16:34:31 +0100 +Subject: mptcp: sysctl: blackhole timeout: avoid using current->nsproxy + +From: Matthieu Baerts (NGI0) + +commit 92cf7a51bdae24a32c592adcdd59a773ae149289 upstream. + +As mentioned in the previous commit, using the 'net' structure via +'current' is not recommended for different reasons: + +- Inconsistency: getting info from the reader's/writer's netns vs only + from the opener's netns. + +- current->nsproxy can be NULL in some cases, resulting in an 'Oops' + (null-ptr-deref), e.g. when the current task is exiting, as spotted by + syzbot [1] using acct(2). + +The 'pernet' structure can be obtained from the table->data using +container_of(). + +Fixes: 27069e7cb3d1 ("mptcp: disable active MPTCP in case of blackhole") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] +Suggested-by: Al Viro +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-3-5df34b2083e8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/ctrl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/mptcp/ctrl.c b/net/mptcp/ctrl.c +index 81c30aa02196..b0dd008e2114 100644 +--- a/net/mptcp/ctrl.c ++++ b/net/mptcp/ctrl.c +@@ -160,7 +160,9 @@ static int proc_blackhole_detect_timeout(const struct ctl_table *table, + int write, void *buffer, size_t *lenp, + loff_t *ppos) + { +- struct mptcp_pernet *pernet = mptcp_get_pernet(current->nsproxy->net_ns); ++ struct mptcp_pernet *pernet = container_of(table->data, ++ struct mptcp_pernet, ++ blackhole_timeout); + int ret; + + ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); +-- +2.48.0 + diff --git a/queue-6.12/mptcp-sysctl-sched-avoid-using-current-nsproxy.patch b/queue-6.12/mptcp-sysctl-sched-avoid-using-current-nsproxy.patch new file mode 100644 index 00000000000..7f24e89912d --- /dev/null +++ b/queue-6.12/mptcp-sysctl-sched-avoid-using-current-nsproxy.patch @@ -0,0 +1,169 @@ +From d38e26e36206ae3d544d496513212ae931d1da0a Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 8 Jan 2025 16:34:30 +0100 +Subject: mptcp: sysctl: sched: avoid using current->nsproxy + +From: Matthieu Baerts (NGI0) + +commit d38e26e36206ae3d544d496513212ae931d1da0a upstream. + +Using the 'net' structure via 'current' is not recommended for different +reasons. + +First, if the goal is to use it to read or write per-netns data, this is +inconsistent with how the "generic" sysctl entries are doing: directly +by only using pointers set to the table entry, e.g. table->data. Linked +to that, the per-netns data should always be obtained from the table +linked to the netns it had been created for, which may not coincide with +the reader's or writer's netns. + +Another reason is that access to current->nsproxy->netns can oops if +attempted when current->nsproxy had been dropped when the current task +is exiting. This is what syzbot found, when using acct(2): + + Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI + KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] + CPU: 1 UID: 0 PID: 5924 Comm: syz-executor Not tainted 6.13.0-rc5-syzkaller-00004-gccb98ccef0e5 #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 + RIP: 0010:proc_scheduler+0xc6/0x3c0 net/mptcp/ctrl.c:125 + Code: 03 42 80 3c 38 00 0f 85 fe 02 00 00 4d 8b a4 24 08 09 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 cc 02 00 00 4d 8b 7c 24 28 48 8d 84 24 c8 00 00 + RSP: 0018:ffffc900034774e8 EFLAGS: 00010206 + + RAX: dffffc0000000000 RBX: 1ffff9200068ee9e RCX: ffffc90003477620 + RDX: 0000000000000005 RSI: ffffffff8b08f91e RDI: 0000000000000028 + RBP: 0000000000000001 R08: ffffc90003477710 R09: 0000000000000040 + R10: 0000000000000040 R11: 00000000726f7475 R12: 0000000000000000 + R13: ffffc90003477620 R14: ffffc90003477710 R15: dffffc0000000000 + FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fee3cd452d8 CR3: 000000007d116000 CR4: 00000000003526f0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + + proc_sys_call_handler+0x403/0x5d0 fs/proc/proc_sysctl.c:601 + __kernel_write_iter+0x318/0xa80 fs/read_write.c:612 + __kernel_write+0xf6/0x140 fs/read_write.c:632 + do_acct_process+0xcb0/0x14a0 kernel/acct.c:539 + acct_pin_kill+0x2d/0x100 kernel/acct.c:192 + pin_kill+0x194/0x7c0 fs/fs_pin.c:44 + mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81 + cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366 + task_work_run+0x14e/0x250 kernel/task_work.c:239 + exit_task_work include/linux/task_work.h:43 [inline] + do_exit+0xad8/0x2d70 kernel/exit.c:938 + do_group_exit+0xd3/0x2a0 kernel/exit.c:1087 + get_signal+0x2576/0x2610 kernel/signal.c:3017 + arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337 + exit_to_user_mode_loop kernel/entry/common.c:111 [inline] + exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] + __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] + syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218 + do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + RIP: 0033:0x7fee3cb87a6a + Code: Unable to access opcode bytes at 0x7fee3cb87a40. + RSP: 002b:00007fffcccac688 EFLAGS: 00000202 ORIG_RAX: 0000000000000037 + RAX: 0000000000000000 RBX: 00007fffcccac710 RCX: 00007fee3cb87a6a + RDX: 0000000000000041 RSI: 0000000000000000 RDI: 0000000000000003 + RBP: 0000000000000003 R08: 00007fffcccac6ac R09: 00007fffcccacac7 + R10: 00007fffcccac710 R11: 0000000000000202 R12: 00007fee3cd49500 + R13: 00007fffcccac6ac R14: 0000000000000000 R15: 00007fee3cd4b000 + + Modules linked in: + ---[ end trace 0000000000000000 ]--- + RIP: 0010:proc_scheduler+0xc6/0x3c0 net/mptcp/ctrl.c:125 + Code: 03 42 80 3c 38 00 0f 85 fe 02 00 00 4d 8b a4 24 08 09 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 28 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 cc 02 00 00 4d 8b 7c 24 28 48 8d 84 24 c8 00 00 + RSP: 0018:ffffc900034774e8 EFLAGS: 00010206 + RAX: dffffc0000000000 RBX: 1ffff9200068ee9e RCX: ffffc90003477620 + RDX: 0000000000000005 RSI: ffffffff8b08f91e RDI: 0000000000000028 + RBP: 0000000000000001 R08: ffffc90003477710 R09: 0000000000000040 + R10: 0000000000000040 R11: 00000000726f7475 R12: 0000000000000000 + R13: ffffc90003477620 R14: ffffc90003477710 R15: dffffc0000000000 + FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fee3cd452d8 CR3: 000000007d116000 CR4: 00000000003526f0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + ---------------- + Code disassembly (best guess), 1 bytes skipped: + 0: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) + 5: 0f 85 fe 02 00 00 jne 0x309 + b: 4d 8b a4 24 08 09 00 mov 0x908(%r12),%r12 + 12: 00 + 13: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax + 1a: fc ff df + 1d: 49 8d 7c 24 28 lea 0x28(%r12),%rdi + 22: 48 89 fa mov %rdi,%rdx + 25: 48 c1 ea 03 shr $0x3,%rdx + * 29: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction + 2d: 0f 85 cc 02 00 00 jne 0x2ff + 33: 4d 8b 7c 24 28 mov 0x28(%r12),%r15 + 38: 48 rex.W + 39: 8d .byte 0x8d + 3a: 84 24 c8 test %ah,(%rax,%rcx,8) + +Here with 'net.mptcp.scheduler', the 'net' structure is not really +needed, because the table->data already has a pointer to the current +scheduler, the only thing needed from the per-netns data. +Simply use 'data', instead of getting (most of the time) the same thing, +but from a longer and indirect way. + +Fixes: 6963c508fd7a ("mptcp: only allow set existing scheduler for net.mptcp.scheduler") +Cc: stable@vger.kernel.org +Reported-by: syzbot+e364f774c6f57f2c86d1@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com +Suggested-by: Al Viro +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-2-5df34b2083e8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/ctrl.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/net/mptcp/ctrl.c ++++ b/net/mptcp/ctrl.c +@@ -102,16 +102,15 @@ static void mptcp_pernet_set_defaults(st + } + + #ifdef CONFIG_SYSCTL +-static int mptcp_set_scheduler(const struct net *net, const char *name) ++static int mptcp_set_scheduler(char *scheduler, const char *name) + { +- struct mptcp_pernet *pernet = mptcp_get_pernet(net); + struct mptcp_sched_ops *sched; + int ret = 0; + + rcu_read_lock(); + sched = mptcp_sched_find(name); + if (sched) +- strscpy(pernet->scheduler, name, MPTCP_SCHED_NAME_MAX); ++ strscpy(scheduler, name, MPTCP_SCHED_NAME_MAX); + else + ret = -ENOENT; + rcu_read_unlock(); +@@ -122,7 +121,7 @@ static int mptcp_set_scheduler(const str + static int proc_scheduler(const struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +- const struct net *net = current->nsproxy->net_ns; ++ char (*scheduler)[MPTCP_SCHED_NAME_MAX] = ctl->data; + char val[MPTCP_SCHED_NAME_MAX]; + struct ctl_table tbl = { + .data = val, +@@ -130,11 +129,11 @@ static int proc_scheduler(const struct c + }; + int ret; + +- strscpy(val, mptcp_get_scheduler(net), MPTCP_SCHED_NAME_MAX); ++ strscpy(val, *scheduler, MPTCP_SCHED_NAME_MAX); + + ret = proc_dostring(&tbl, write, buffer, lenp, ppos); + if (write && ret == 0) +- ret = mptcp_set_scheduler(net, val); ++ ret = mptcp_set_scheduler(*scheduler, val); + + return ret; + } diff --git a/queue-6.12/rds-sysctl-rds_tcp_-rcv-snd-buf-avoid-using-current-nsproxy.patch b/queue-6.12/rds-sysctl-rds_tcp_-rcv-snd-buf-avoid-using-current-nsproxy.patch new file mode 100644 index 00000000000..0af524e8c37 --- /dev/null +++ b/queue-6.12/rds-sysctl-rds_tcp_-rcv-snd-buf-avoid-using-current-nsproxy.patch @@ -0,0 +1,117 @@ +From 7f5611cbc4871c7fb1ad36c2e5a9edad63dca95c Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 8 Jan 2025 16:34:37 +0100 +Subject: rds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current->nsproxy + +From: Matthieu Baerts (NGI0) + +commit 7f5611cbc4871c7fb1ad36c2e5a9edad63dca95c upstream. + +As mentioned in a previous commit of this series, using the 'net' +structure via 'current' is not recommended for different reasons: + +- Inconsistency: getting info from the reader's/writer's netns vs only + from the opener's netns. + +- current->nsproxy can be NULL in some cases, resulting in an 'Oops' + (null-ptr-deref), e.g. when the current task is exiting, as spotted by + syzbot [1] using acct(2). + +The per-netns structure can be obtained from the table->data using +container_of(), then the 'net' one can be retrieved from the listen +socket (if available). + +Fixes: c6a58ffed536 ("RDS: TCP: Add sysctl tunables for sndbuf/rcvbuf on rds-tcp socket") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] +Suggested-by: Al Viro +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-9-5df34b2083e8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/tcp.c | 39 ++++++++++++++++++++++++++++++++------- + 1 file changed, 32 insertions(+), 7 deletions(-) + +--- a/net/rds/tcp.c ++++ b/net/rds/tcp.c +@@ -61,8 +61,10 @@ static atomic_t rds_tcp_unloading = ATOM + + static struct kmem_cache *rds_tcp_conn_slab; + +-static int rds_tcp_skbuf_handler(const struct ctl_table *ctl, int write, +- void *buffer, size_t *lenp, loff_t *fpos); ++static int rds_tcp_sndbuf_handler(const struct ctl_table *ctl, int write, ++ void *buffer, size_t *lenp, loff_t *fpos); ++static int rds_tcp_rcvbuf_handler(const struct ctl_table *ctl, int write, ++ void *buffer, size_t *lenp, loff_t *fpos); + + static int rds_tcp_min_sndbuf = SOCK_MIN_SNDBUF; + static int rds_tcp_min_rcvbuf = SOCK_MIN_RCVBUF; +@@ -74,7 +76,7 @@ static struct ctl_table rds_tcp_sysctl_t + /* data is per-net pointer */ + .maxlen = sizeof(int), + .mode = 0644, +- .proc_handler = rds_tcp_skbuf_handler, ++ .proc_handler = rds_tcp_sndbuf_handler, + .extra1 = &rds_tcp_min_sndbuf, + }, + #define RDS_TCP_RCVBUF 1 +@@ -83,7 +85,7 @@ static struct ctl_table rds_tcp_sysctl_t + /* data is per-net pointer */ + .maxlen = sizeof(int), + .mode = 0644, +- .proc_handler = rds_tcp_skbuf_handler, ++ .proc_handler = rds_tcp_rcvbuf_handler, + .extra1 = &rds_tcp_min_rcvbuf, + }, + }; +@@ -682,10 +684,10 @@ static void rds_tcp_sysctl_reset(struct + spin_unlock_irq(&rds_tcp_conn_lock); + } + +-static int rds_tcp_skbuf_handler(const struct ctl_table *ctl, int write, ++static int rds_tcp_skbuf_handler(struct rds_tcp_net *rtn, ++ const struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *fpos) + { +- struct net *net = current->nsproxy->net_ns; + int err; + + err = proc_dointvec_minmax(ctl, write, buffer, lenp, fpos); +@@ -694,11 +696,34 @@ static int rds_tcp_skbuf_handler(const s + *(int *)(ctl->extra1)); + return err; + } +- if (write) ++ ++ if (write && rtn->rds_tcp_listen_sock && rtn->rds_tcp_listen_sock->sk) { ++ struct net *net = sock_net(rtn->rds_tcp_listen_sock->sk); ++ + rds_tcp_sysctl_reset(net); ++ } ++ + return 0; + } + ++static int rds_tcp_sndbuf_handler(const struct ctl_table *ctl, int write, ++ void *buffer, size_t *lenp, loff_t *fpos) ++{ ++ struct rds_tcp_net *rtn = container_of(ctl->data, struct rds_tcp_net, ++ sndbuf_size); ++ ++ return rds_tcp_skbuf_handler(rtn, ctl, write, buffer, lenp, fpos); ++} ++ ++static int rds_tcp_rcvbuf_handler(const struct ctl_table *ctl, int write, ++ void *buffer, size_t *lenp, loff_t *fpos) ++{ ++ struct rds_tcp_net *rtn = container_of(ctl->data, struct rds_tcp_net, ++ rcvbuf_size); ++ ++ return rds_tcp_skbuf_handler(rtn, ctl, write, buffer, lenp, fpos); ++} ++ + static void rds_tcp_exit(void) + { + rds_tcp_set_unloading(); diff --git a/queue-6.12/revert-drm-mediatek-dsi-correct-calculation-formula-of-phy-timing.patch b/queue-6.12/revert-drm-mediatek-dsi-correct-calculation-formula-of-phy-timing.patch new file mode 100644 index 00000000000..663b74d310d --- /dev/null +++ b/queue-6.12/revert-drm-mediatek-dsi-correct-calculation-formula-of-phy-timing.patch @@ -0,0 +1,67 @@ +From d08555758fb1dbfb48f0cb58176fdc98009e6070 Mon Sep 17 00:00:00 2001 +From: Chun-Kuang Hu +Date: Thu, 12 Dec 2024 00:19:08 +0000 +Subject: Revert "drm/mediatek: dsi: Correct calculation formula of PHY Timing" + +From: Chun-Kuang Hu + +commit d08555758fb1dbfb48f0cb58176fdc98009e6070 upstream. + +This reverts commit 417d8c47271d5cf1a705e997065873b2a9a36fd4. + +With that patch the panel in the Tentacruel ASUS Chromebook CM14 +(CM1402F) flickers. There are 1 or 2 times per second a black panel. +Stable Kernel 6.11.5 and mainline 6.12-rc4 works only when reverse +that patch. + +Fixes: 417d8c47271d ("drm/mediatek: dsi: Correct calculation formula of PHY Timing") +Cc: stable@vger.kernel.org +Cc: Shuijing Li +Reported-by: Jens Ziller +Closes: https://patchwork.kernel.org/project/dri-devel/patch/20240412031208.30688-1-shuijing.li@mediatek.com/ +Link: https://patchwork.kernel.org/project/dri-devel/patch/20241212001908.6056-1-chunkuang.hu@kernel.org/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/mediatek/mtk_dsi.c | 27 +++++++++++++-------------- + 1 file changed, 13 insertions(+), 14 deletions(-) + +--- a/drivers/gpu/drm/mediatek/mtk_dsi.c ++++ b/drivers/gpu/drm/mediatek/mtk_dsi.c +@@ -248,23 +248,22 @@ static void mtk_dsi_phy_timconfig(struct + u32 data_rate_mhz = DIV_ROUND_UP(dsi->data_rate, HZ_PER_MHZ); + struct mtk_phy_timing *timing = &dsi->phy_timing; + +- timing->lpx = (80 * data_rate_mhz / (8 * 1000)) + 1; +- timing->da_hs_prepare = (59 * data_rate_mhz + 4 * 1000) / 8000 + 1; +- timing->da_hs_zero = (163 * data_rate_mhz + 11 * 1000) / 8000 + 1 - ++ timing->lpx = (60 * data_rate_mhz / (8 * 1000)) + 1; ++ timing->da_hs_prepare = (80 * data_rate_mhz + 4 * 1000) / 8000; ++ timing->da_hs_zero = (170 * data_rate_mhz + 10 * 1000) / 8000 + 1 - + timing->da_hs_prepare; +- timing->da_hs_trail = (78 * data_rate_mhz + 7 * 1000) / 8000 + 1; ++ timing->da_hs_trail = timing->da_hs_prepare + 1; + +- timing->ta_go = 4 * timing->lpx; +- timing->ta_sure = 3 * timing->lpx / 2; +- timing->ta_get = 5 * timing->lpx; +- timing->da_hs_exit = (118 * data_rate_mhz / (8 * 1000)) + 1; ++ timing->ta_go = 4 * timing->lpx - 2; ++ timing->ta_sure = timing->lpx + 2; ++ timing->ta_get = 4 * timing->lpx; ++ timing->da_hs_exit = 2 * timing->lpx + 1; + +- timing->clk_hs_prepare = (57 * data_rate_mhz / (8 * 1000)) + 1; +- timing->clk_hs_post = (65 * data_rate_mhz + 53 * 1000) / 8000 + 1; +- timing->clk_hs_trail = (78 * data_rate_mhz + 7 * 1000) / 8000 + 1; +- timing->clk_hs_zero = (330 * data_rate_mhz / (8 * 1000)) + 1 - +- timing->clk_hs_prepare; +- timing->clk_hs_exit = (118 * data_rate_mhz / (8 * 1000)) + 1; ++ timing->clk_hs_prepare = 70 * data_rate_mhz / (8 * 1000); ++ timing->clk_hs_post = timing->clk_hs_prepare + 8; ++ timing->clk_hs_trail = timing->clk_hs_prepare; ++ timing->clk_hs_zero = timing->clk_hs_trail * 4; ++ timing->clk_hs_exit = 2 * timing->clk_hs_trail; + + timcon0 = FIELD_PREP(LPX, timing->lpx) | + FIELD_PREP(HS_PREP, timing->da_hs_prepare) | diff --git a/queue-6.12/scsi-ufs-qcom-power-off-the-phy-if-it-was-already-powered-on-in-ufs_qcom_power_up_sequence.patch b/queue-6.12/scsi-ufs-qcom-power-off-the-phy-if-it-was-already-powered-on-in-ufs_qcom_power_up_sequence.patch new file mode 100644 index 00000000000..25ff591068e --- /dev/null +++ b/queue-6.12/scsi-ufs-qcom-power-off-the-phy-if-it-was-already-powered-on-in-ufs_qcom_power_up_sequence.patch @@ -0,0 +1,147 @@ +From 7bac65687510038390a0a54cbe14fba08d037e46 Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Thu, 19 Dec 2024 22:20:41 +0530 +Subject: scsi: ufs: qcom: Power off the PHY if it was already powered on in ufs_qcom_power_up_sequence() + +From: Manivannan Sadhasivam + +commit 7bac65687510038390a0a54cbe14fba08d037e46 upstream. + +PHY might already be powered on during ufs_qcom_power_up_sequence() in a +couple of cases: + + 1. During UFSHCD_QUIRK_REINIT_AFTER_MAX_GEAR_SWITCH quirk + + 2. Resuming from spm_lvl = 5 suspend + +In those cases, it is necessary to call phy_power_off() and phy_exit() in +ufs_qcom_power_up_sequence() function to power off the PHY before calling +phy_init() and phy_power_on(). + +Case (1) is doing it via ufs_qcom_reinit_notify() callback, but case (2) is +not handled. So to satisfy both cases, call phy_power_off() and phy_exit() +if the phy_count is non-zero. And with this change, the reinit_notify() +callback is no longer needed. + +This fixes the below UFS resume failure with spm_lvl = 5: + +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: ufshcd_host_reset_and_restore: Host init failed -5 +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: ufshcd_host_reset_and_restore: Host init failed -5 +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: ufshcd_host_reset_and_restore: Host init failed -5 +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: ufshcd_host_reset_and_restore: Host init failed -5 +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: Enabling the controller failed +ufshcd-qcom 1d84000.ufshc: ufshcd_host_reset_and_restore: Host init failed -5 +ufs_device_wlun 0:0:0:49488: ufshcd_wl_resume failed: -5 +ufs_device_wlun 0:0:0:49488: PM: dpm_run_callback(): scsi_bus_resume returns -5 +ufs_device_wlun 0:0:0:49488: PM: failed to resume async: error -5 + +Cc: stable@vger.kernel.org # 6.3 +Fixes: baf5ddac90dc ("scsi: ufs: ufs-qcom: Add support for reinitializing the UFS device") +Reported-by: Ram Kumar Dwivedi +Tested-by: Amit Pundir # on SM8550-HDK +Reviewed-by: Bart Van Assche +Tested-by: Neil Armstrong # on SM8550-QRD +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20241219-ufs-qcom-suspend-fix-v3-1-63c4b95a70b9@linaro.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/core/ufshcd-priv.h | 6 ------ + drivers/ufs/core/ufshcd.c | 1 - + drivers/ufs/host/ufs-qcom.c | 13 +++++-------- + include/ufs/ufshcd.h | 2 -- + 4 files changed, 5 insertions(+), 17 deletions(-) + +--- a/drivers/ufs/core/ufshcd-priv.h ++++ b/drivers/ufs/core/ufshcd-priv.h +@@ -237,12 +237,6 @@ static inline void ufshcd_vops_config_sc + hba->vops->config_scaling_param(hba, p, data); + } + +-static inline void ufshcd_vops_reinit_notify(struct ufs_hba *hba) +-{ +- if (hba->vops && hba->vops->reinit_notify) +- hba->vops->reinit_notify(hba); +-} +- + static inline int ufshcd_vops_mcq_config_resource(struct ufs_hba *hba) + { + if (hba->vops && hba->vops->mcq_config_resource) +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -8881,7 +8881,6 @@ static int ufshcd_probe_hba(struct ufs_h + ufshcd_device_reset(hba); + ufs_put_device_desc(hba); + ufshcd_hba_stop(hba); +- ufshcd_vops_reinit_notify(hba); + ret = ufshcd_hba_enable(hba); + if (ret) { + dev_err(hba->dev, "Host controller enable failed\n"); +--- a/drivers/ufs/host/ufs-qcom.c ++++ b/drivers/ufs/host/ufs-qcom.c +@@ -368,6 +368,11 @@ static int ufs_qcom_power_up_sequence(st + if (ret) + return ret; + ++ if (phy->power_count) { ++ phy_power_off(phy); ++ phy_exit(phy); ++ } ++ + /* phy initialization - calibrate the phy */ + ret = phy_init(phy); + if (ret) { +@@ -1562,13 +1567,6 @@ static void ufs_qcom_config_scaling_para + } + #endif + +-static void ufs_qcom_reinit_notify(struct ufs_hba *hba) +-{ +- struct ufs_qcom_host *host = ufshcd_get_variant(hba); +- +- phy_power_off(host->generic_phy); +-} +- + /* Resources */ + static const struct ufshcd_res_info ufs_res_info[RES_MAX] = { + {.name = "ufs_mem",}, +@@ -1807,7 +1805,6 @@ static const struct ufs_hba_variant_ops + .device_reset = ufs_qcom_device_reset, + .config_scaling_param = ufs_qcom_config_scaling_param, + .program_key = ufs_qcom_ice_program_key, +- .reinit_notify = ufs_qcom_reinit_notify, + .mcq_config_resource = ufs_qcom_mcq_config_resource, + .get_hba_mac = ufs_qcom_get_hba_mac, + .op_runtime_config = ufs_qcom_op_runtime_config, +--- a/include/ufs/ufshcd.h ++++ b/include/ufs/ufshcd.h +@@ -329,7 +329,6 @@ struct ufs_pwr_mode_info { + * @program_key: program or evict an inline encryption key + * @fill_crypto_prdt: initialize crypto-related fields in the PRDT + * @event_notify: called to notify important events +- * @reinit_notify: called to notify reinit of UFSHCD during max gear switch + * @mcq_config_resource: called to configure MCQ platform resources + * @get_hba_mac: reports maximum number of outstanding commands supported by + * the controller. Should be implemented for UFSHCI 4.0 or later +@@ -381,7 +380,6 @@ struct ufs_hba_variant_ops { + void *prdt, unsigned int num_segments); + void (*event_notify)(struct ufs_hba *hba, + enum ufs_event_type evt, void *data); +- void (*reinit_notify)(struct ufs_hba *); + int (*mcq_config_resource)(struct ufs_hba *hba); + int (*get_hba_mac)(struct ufs_hba *hba); + int (*op_runtime_config)(struct ufs_hba *hba); diff --git a/queue-6.12/sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch b/queue-6.12/sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch new file mode 100644 index 00000000000..b93a4a1af3f --- /dev/null +++ b/queue-6.12/sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch @@ -0,0 +1,49 @@ +From 15649fd5415eda664ef35780c2013adeb5d9c695 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 8 Jan 2025 16:34:34 +0100 +Subject: sctp: sysctl: auth_enable: avoid using current->nsproxy + +From: Matthieu Baerts (NGI0) + +commit 15649fd5415eda664ef35780c2013adeb5d9c695 upstream. + +As mentioned in a previous commit of this series, using the 'net' +structure via 'current' is not recommended for different reasons: + +- Inconsistency: getting info from the reader's/writer's netns vs only + from the opener's netns. + +- current->nsproxy can be NULL in some cases, resulting in an 'Oops' + (null-ptr-deref), e.g. when the current task is exiting, as spotted by + syzbot [1] using acct(2). + +The 'net' structure can be obtained from the table->data using +container_of(). + +Note that table->data could also be used directly, but that would +increase the size of this fix, while 'sctp.ctl_sock' still needs to be +retrieved from 'net' structure. + +Fixes: b14878ccb7fa ("net: sctp: cache auth_enable per endpoint") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] +Suggested-by: Al Viro +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-6-5df34b2083e8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sysctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -499,7 +499,7 @@ static int proc_sctp_do_alpha_beta(const + static int proc_sctp_do_auth(const struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +- struct net *net = current->nsproxy->net_ns; ++ struct net *net = container_of(ctl->data, struct net, sctp.auth_enable); + struct ctl_table tbl; + int new_value, ret; + diff --git a/queue-6.12/sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch b/queue-6.12/sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch new file mode 100644 index 00000000000..4c589cc175a --- /dev/null +++ b/queue-6.12/sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch @@ -0,0 +1,51 @@ +From ea62dd1383913b5999f3d16ae99d411f41b528d4 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 8 Jan 2025 16:34:32 +0100 +Subject: sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy + +From: Matthieu Baerts (NGI0) + +commit ea62dd1383913b5999f3d16ae99d411f41b528d4 upstream. + +As mentioned in a previous commit of this series, using the 'net' +structure via 'current' is not recommended for different reasons: + +- Inconsistency: getting info from the reader's/writer's netns vs only + from the opener's netns. + +- current->nsproxy can be NULL in some cases, resulting in an 'Oops' + (null-ptr-deref), e.g. when the current task is exiting, as spotted by + syzbot [1] using acct(2). + +The 'net' structure can be obtained from the table->data using +container_of(). + +Note that table->data could also be used directly, as this is the only +member needed from the 'net' structure, but that would increase the size +of this fix, to use '*data' everywhere 'net->sctp.sctp_hmac_alg' is +used. + +Fixes: 3c68198e7511 ("sctp: Make hmac algorithm selection for cookie generation dynamic") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] +Suggested-by: Al Viro +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-4-5df34b2083e8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sysctl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -387,7 +387,8 @@ static struct ctl_table sctp_net_table[] + static int proc_sctp_do_hmac_alg(const struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +- struct net *net = current->nsproxy->net_ns; ++ struct net *net = container_of(ctl->data, struct net, ++ sctp.sctp_hmac_alg); + struct ctl_table tbl; + bool changed = false; + char *none = "none"; diff --git a/queue-6.12/sctp-sysctl-plpmtud_probe_interval-avoid-using-current-nsproxy.patch b/queue-6.12/sctp-sysctl-plpmtud_probe_interval-avoid-using-current-nsproxy.patch new file mode 100644 index 00000000000..e5058f1533a --- /dev/null +++ b/queue-6.12/sctp-sysctl-plpmtud_probe_interval-avoid-using-current-nsproxy.patch @@ -0,0 +1,51 @@ +From 6259d2484d0ceff42245d1f09cc8cb6ee72d847a Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 8 Jan 2025 16:34:36 +0100 +Subject: sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy + +From: Matthieu Baerts (NGI0) + +commit 6259d2484d0ceff42245d1f09cc8cb6ee72d847a upstream. + +As mentioned in a previous commit of this series, using the 'net' +structure via 'current' is not recommended for different reasons: + +- Inconsistency: getting info from the reader's/writer's netns vs only + from the opener's netns. + +- current->nsproxy can be NULL in some cases, resulting in an 'Oops' + (null-ptr-deref), e.g. when the current task is exiting, as spotted by + syzbot [1] using acct(2). + +The 'net' structure can be obtained from the table->data using +container_of(). + +Note that table->data could also be used directly, as this is the only +member needed from the 'net' structure, but that would increase the size +of this fix, to use '*data' everywhere 'net->sctp.probe_interval' is +used. + +Fixes: d1e462a7a5f3 ("sctp: add probe_interval in sysctl and sock/asoc/transport") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] +Suggested-by: Al Viro +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-8-5df34b2083e8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sysctl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -569,7 +569,8 @@ static int proc_sctp_do_udp_port(const s + static int proc_sctp_do_probe_interval(const struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +- struct net *net = current->nsproxy->net_ns; ++ struct net *net = container_of(ctl->data, struct net, ++ sctp.probe_interval); + struct ctl_table tbl; + int ret, new_value; + diff --git a/queue-6.12/sctp-sysctl-rto_min-max-avoid-using-current-nsproxy.patch b/queue-6.12/sctp-sysctl-rto_min-max-avoid-using-current-nsproxy.patch new file mode 100644 index 00000000000..5a06cb79f5f --- /dev/null +++ b/queue-6.12/sctp-sysctl-rto_min-max-avoid-using-current-nsproxy.patch @@ -0,0 +1,58 @@ +From 9fc17b76fc70763780aa78b38fcf4742384044a5 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 8 Jan 2025 16:34:33 +0100 +Subject: sctp: sysctl: rto_min/max: avoid using current->nsproxy + +From: Matthieu Baerts (NGI0) + +commit 9fc17b76fc70763780aa78b38fcf4742384044a5 upstream. + +As mentioned in a previous commit of this series, using the 'net' +structure via 'current' is not recommended for different reasons: + +- Inconsistency: getting info from the reader's/writer's netns vs only + from the opener's netns. + +- current->nsproxy can be NULL in some cases, resulting in an 'Oops' + (null-ptr-deref), e.g. when the current task is exiting, as spotted by + syzbot [1] using acct(2). + +The 'net' structure can be obtained from the table->data using +container_of(). + +Note that table->data could also be used directly, as this is the only +member needed from the 'net' structure, but that would increase the size +of this fix, to use '*data' everywhere 'net->sctp.rto_min/max' is used. + +Fixes: 4f3fdf3bc59c ("sctp: add check rto_min and rto_max in sysctl") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] +Suggested-by: Al Viro +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-5-5df34b2083e8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sysctl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -433,7 +433,7 @@ static int proc_sctp_do_hmac_alg(const s + static int proc_sctp_do_rto_min(const struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +- struct net *net = current->nsproxy->net_ns; ++ struct net *net = container_of(ctl->data, struct net, sctp.rto_min); + unsigned int min = *(unsigned int *) ctl->extra1; + unsigned int max = *(unsigned int *) ctl->extra2; + struct ctl_table tbl; +@@ -461,7 +461,7 @@ static int proc_sctp_do_rto_min(const st + static int proc_sctp_do_rto_max(const struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +- struct net *net = current->nsproxy->net_ns; ++ struct net *net = container_of(ctl->data, struct net, sctp.rto_max); + unsigned int min = *(unsigned int *) ctl->extra1; + unsigned int max = *(unsigned int *) ctl->extra2; + struct ctl_table tbl; diff --git a/queue-6.12/sctp-sysctl-udp_port-avoid-using-current-nsproxy.patch b/queue-6.12/sctp-sysctl-udp_port-avoid-using-current-nsproxy.patch new file mode 100644 index 00000000000..b610e3c4a51 --- /dev/null +++ b/queue-6.12/sctp-sysctl-udp_port-avoid-using-current-nsproxy.patch @@ -0,0 +1,49 @@ +From c10377bbc1972d858eaf0ab366a311b39f8ef1b6 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Wed, 8 Jan 2025 16:34:35 +0100 +Subject: sctp: sysctl: udp_port: avoid using current->nsproxy + +From: Matthieu Baerts (NGI0) + +commit c10377bbc1972d858eaf0ab366a311b39f8ef1b6 upstream. + +As mentioned in a previous commit of this series, using the 'net' +structure via 'current' is not recommended for different reasons: + +- Inconsistency: getting info from the reader's/writer's netns vs only + from the opener's netns. + +- current->nsproxy can be NULL in some cases, resulting in an 'Oops' + (null-ptr-deref), e.g. when the current task is exiting, as spotted by + syzbot [1] using acct(2). + +The 'net' structure can be obtained from the table->data using +container_of(). + +Note that table->data could also be used directly, but that would +increase the size of this fix, while 'sctp.ctl_sock' still needs to be +retrieved from 'net' structure. + +Fixes: 046c052b475e ("sctp: enable udp tunneling socks") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1] +Suggested-by: Al Viro +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-7-5df34b2083e8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sysctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -528,7 +528,7 @@ static int proc_sctp_do_auth(const struc + static int proc_sctp_do_udp_port(const struct ctl_table *ctl, int write, + void *buffer, size_t *lenp, loff_t *ppos) + { +- struct net *net = current->nsproxy->net_ns; ++ struct net *net = container_of(ctl->data, struct net, sctp.udp_port); + unsigned int min = *(unsigned int *)ctl->extra1; + unsigned int max = *(unsigned int *)ctl->extra2; + struct ctl_table tbl; diff --git a/queue-6.12/series b/queue-6.12/series index a9f0e05995f..c3e2712d796 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -82,3 +82,24 @@ netfs-fix-kernel-async-dio.patch netfs-fix-read-retry-for-fs-with-no-prepare_read.patch drivers-perf-riscv-fix-platform-firmware-event-data.patch drivers-perf-riscv-return-error-for-default-case.patch +dm-thin-make-get_first_thin-use-rcu-safe-list-first-function.patch +scsi-ufs-qcom-power-off-the-phy-if-it-was-already-powered-on-in-ufs_qcom_power_up_sequence.patch +vfio-pci-fallback-huge-faults-for-unaligned-pfn.patch +fs-relax-assertions-on-failure-to-encode-file-handles.patch +fs-fix-is_mnt_ns_file.patch +dm-ebs-don-t-set-the-flag-dm_target_passes_integrity.patch +dm-verity-fec-fix-rs-fec-repair-for-roots-unaligned-to-block-size-take-2.patch +mptcp-sysctl-avail-sched-remove-write-access.patch +mptcp-sysctl-sched-avoid-using-current-nsproxy.patch +mptcp-sysctl-blackhole-timeout-avoid-using-current-nsproxy.patch +sctp-sysctl-cookie_hmac_alg-avoid-using-current-nsproxy.patch +sctp-sysctl-rto_min-max-avoid-using-current-nsproxy.patch +sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch +sctp-sysctl-udp_port-avoid-using-current-nsproxy.patch +sctp-sysctl-plpmtud_probe_interval-avoid-using-current-nsproxy.patch +rds-sysctl-rds_tcp_-rcv-snd-buf-avoid-using-current-nsproxy.patch +ksmbd-implement-new-smb3-posix-type.patch +btrfs-zlib-fix-avail_in-bytes-for-s390-zlib-hw-compression-path.patch +revert-drm-mediatek-dsi-correct-calculation-formula-of-phy-timing.patch +drm-amd-display-remove-unnecessary-amdgpu_irq_get-put.patch +drm-amd-display-add-check-for-granularity-in-dml-ceil-floor-helpers.patch diff --git a/queue-6.12/vfio-pci-fallback-huge-faults-for-unaligned-pfn.patch b/queue-6.12/vfio-pci-fallback-huge-faults-for-unaligned-pfn.patch new file mode 100644 index 00000000000..a8ca628e9e2 --- /dev/null +++ b/queue-6.12/vfio-pci-fallback-huge-faults-for-unaligned-pfn.patch @@ -0,0 +1,71 @@ +From 09dfc8a5f2ce897005a94bf66cca4f91e4e03700 Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Thu, 2 Jan 2025 11:32:54 -0700 +Subject: vfio/pci: Fallback huge faults for unaligned pfn + +From: Alex Williamson + +commit 09dfc8a5f2ce897005a94bf66cca4f91e4e03700 upstream. + +The PFN must also be aligned to the fault order to insert a huge +pfnmap. Test the alignment and fallback when unaligned. + +Fixes: f9e54c3a2f5b ("vfio/pci: implement huge_fault support") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219619 +Reported-by: Athul Krishna +Reported-by: Precific +Reviewed-by: Peter Xu +Tested-by: Precific +Link: https://lore.kernel.org/r/20250102183416.1841878-1-alex.williamson@redhat.com +Cc: stable@vger.kernel.org +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vfio/pci/vfio_pci_core.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/drivers/vfio/pci/vfio_pci_core.c ++++ b/drivers/vfio/pci/vfio_pci_core.c +@@ -1661,14 +1661,15 @@ static vm_fault_t vfio_pci_mmap_huge_fau + unsigned long pfn, pgoff = vmf->pgoff - vma->vm_pgoff; + vm_fault_t ret = VM_FAULT_SIGBUS; + +- if (order && (vmf->address & ((PAGE_SIZE << order) - 1) || ++ pfn = vma_to_pfn(vma) + pgoff; ++ ++ if (order && (pfn & ((1 << order) - 1) || ++ vmf->address & ((PAGE_SIZE << order) - 1) || + vmf->address + (PAGE_SIZE << order) > vma->vm_end)) { + ret = VM_FAULT_FALLBACK; + goto out; + } + +- pfn = vma_to_pfn(vma); +- + down_read(&vdev->memory_lock); + + if (vdev->pm_runtime_engaged || !__vfio_pci_memory_enabled(vdev)) +@@ -1676,18 +1677,18 @@ static vm_fault_t vfio_pci_mmap_huge_fau + + switch (order) { + case 0: +- ret = vmf_insert_pfn(vma, vmf->address, pfn + pgoff); ++ ret = vmf_insert_pfn(vma, vmf->address, pfn); + break; + #ifdef CONFIG_ARCH_SUPPORTS_PMD_PFNMAP + case PMD_ORDER: +- ret = vmf_insert_pfn_pmd(vmf, __pfn_to_pfn_t(pfn + pgoff, +- PFN_DEV), false); ++ ret = vmf_insert_pfn_pmd(vmf, ++ __pfn_to_pfn_t(pfn, PFN_DEV), false); + break; + #endif + #ifdef CONFIG_ARCH_SUPPORTS_PUD_PFNMAP + case PUD_ORDER: +- ret = vmf_insert_pfn_pud(vmf, __pfn_to_pfn_t(pfn + pgoff, +- PFN_DEV), false); ++ ret = vmf_insert_pfn_pud(vmf, ++ __pfn_to_pfn_t(pfn, PFN_DEV), false); + break; + #endif + default: -- 2.47.3