From 12ad6316bec56c66f829f3ba034b2cd632ac4ac6 Mon Sep 17 00:00:00 2001 
From: Konstantin Demin <rockdrilla@gmail.com> Date: Mon, 7 Apr 2025 13:34:51 +0300 Subject: [PATCH] release 6.14.1 --- debian/bin/genpatch-pfkernel | 2 +- debian/changelog | 7 + debian/config/config | 1 + ...-Fix-built-in-mic-on-another-ASUS-Vi.patch | 7 +- ...te-Modify-the-min_perf-calculation-i.patch | 2 +- ...te-Remove-the-redundant-des_perf-cla.patch | 2 +- ...te-Pass-min-max_limit_perf-as-min-ma.patch | 2 +- ...pstate-Convert-all-perf-values-to-u8.patch | 2 +- ...tate-Modularize-perf-freq-conversion.patch | 2 +- ...te-Remove-the-unnecessary-cpufreq_up.patch | 2 +- ...te-Add-missing-NULL-ptr-check-in-amd.patch | 2 +- ...te-Use-scope-based-cleanup-for-cpufr.patch | 2 +- ...te-Remove-the-unncecessary-driver_lo.patch | 2 +- ...tate-Fix-the-clamping-of-perf-values.patch | 2 +- ...te-Invalidate-cppc_req_cached-during.patch | 2 +- ...te-Show-a-warning-when-a-CPU-fails-t.patch | 2 +- ...te-Drop-min-and-max-cached-frequenci.patch | 2 +- ...pstate-Move-perf-values-into-a-union.patch | 2 +- ...-cpufreq-amd-pstate-Overhaul-locking.patch | 2 +- ...req-amd-pstate-Drop-cppc_cap1_cached.patch | 2 +- ...te-ut-Use-_free-macro-to-free-put-po.patch | 2 +- ...te-ut-Allow-lowest-nonlinear-and-low.patch | 2 +- ...state-ut-Drop-SUCCESS-and-FAIL-enums.patch | 2 +- ...te-ut-Run-on-all-of-the-correct-CPUs.patch | 2 +- ...-amd-pstate-ut-Adjust-variable-scope.patch | 2 +- ...te-Replace-all-AMD_CPPC_-macros-with.patch | 2 +- ...te-Cache-CPPC-request-in-shared-mem-.patch | 2 +- ...te-Move-all-EPP-tracing-into-_update.patch | 2 +- ...te-Update-cppc_req_cached-for-shared.patch | 2 +- ...te-Drop-debug-statements-for-policy-.patch | 2 +- ...freq-amd-pstate-Rework-CPPC-enabling.patch | 2 +- ...-cpufreq-amd-pstate-Stop-caching-EPP.patch | 2 +- ...te-Drop-actions-in-amd_pstate_epp_cp.patch | 2 +- ...te-fix-warning-noticed-by-kernel-tes.patch | 2 +- ...pty-delayed-iputs-list-on-unmount-du.patch | 76 +++++++ ...chunk-map-leak-after-failure-to-add-.patch | 30 +++ 
...zone-activation-with-missing-devices.patch | 36 +++ ...-zone-finishing-with-missing-devices.patch | 36 +++ ...puidle-Prefer-teo-over-menu-governor.patch | 2 +- ...ts-make-the-fast-path-64-bit-specifi.patch | 2 +- ...tr-rewrite-AESNI-AVX-optimized-CTR-a.patch | 2 +- ...dom-stack-corruption-after-get_block.patch | 122 +++++++++++ ...ial-wrong-error-return-from-get_bloc.patch | 30 +++ ...pm-do-not-start-chip-while-suspended.patch | 2 +- ...x-the-flood-of-invalid-error-reports.patch | 2 +- ...uplicate-unlikely-definition-in-insn.patch | 36 +++ ...timeout-handling-when-waiting-for-TP.patch | 44 ++++ ..._tlb_range-when-used-for-zapping-nor.patch | 50 +++++ ...ave-restore-TSC-sched_clock-on-suspe.patch | 68 ++++++ ...en-uretprobe-syscall-trampoline-chec.patch | 87 ++++++++ ...nr_integrity_segments-is-cloned-in-b.patch | 32 +++ ...PCI-Fix-wrong-length-of-devres-array.patch | 40 ++++ ...-the-racy-usage-of-fs_struct-in_exec.patch | 84 +++++++ ...Fix-a-possible-req-cancellation-race.patch | 207 ++++++++++++++++++ ...ix-management-of-listener-transports.patch | 128 +++++++++++ ...g-CB_RECALL_ANY-when-the-backchannel.patch | 55 +++++ ...-clobbers-non-zero-status-returned-f.patch | 35 +++ ...n-NFS4ERR_FILE_OPEN-when-removing-a-.patch | 68 ++++++ ...e-the-return-code-of-svc_proc_regist.patch | 88 ++++++++ ...ATUS_FREEABLE-when-searching-via-nfs.patch | 54 +++++ ...t-dl_stid-if-fail-to-queue-dl_recall.patch | 97 ++++++++ ...ig-setting-to-enable-delegated-times.patch | 74 +++++++ ...NULL-pointer-dereference-in-dbg-call.patch | 37 ++++ ...nds-check-for-durable-handle-context.patch | 60 +++++ ...in-offload-along-with-other-paramete.patch | 59 +++++ ...ounds-check-for-create-lease-context.patch | 41 ++++ ...ter-free-in-ksmbd_sessions_deregiste.patch | 31 +++ ...fix-integer-overflow-in-match_server.patch | 36 +++ ...n-use-after-free-in-multichannel-con.patch | 105 +++++++++ ...-overflow-in-dacloffset-bounds-check.patch | 70 ++++++ ...ero-num_subauth-before-sub_auth-is-a.patch | 32 
+++ ...ointer-dereference-in-alloc_preauth_.patch | 125 +++++++++++ .../0001-zstd-import-upstream-v1.5.7.patch | 2 +- ...efactor-intentional-wrap-around-test.patch | 2 +- .../sauce/0001-ZEN-Add-VHBA-driver.patch | 2 +- debian/patches/series | 40 +++- 76 files changed, 2260 insertions(+), 46 deletions(-) create mode 100644 debian/patches/patchset-pf/btrfs/0001-btrfs-fix-non-empty-delayed-iputs-list-on-unmount-du.patch create mode 100644 debian/patches/patchset-pf/btrfs/0002-btrfs-tests-fix-chunk-map-leak-after-failure-to-add-.patch create mode 100644 debian/patches/patchset-pf/btrfs/0003-btrfs-zoned-fix-zone-activation-with-missing-devices.patch create mode 100644 debian/patches/patchset-pf/btrfs/0004-btrfs-zoned-fix-zone-finishing-with-missing-devices.patch create mode 100644 debian/patches/patchset-pf/exfat/0001-exfat-fix-random-stack-corruption-after-get_block.patch create mode 100644 debian/patches/patchset-pf/exfat/0002-exfat-fix-potential-wrong-error-return-from-get_bloc.patch rename debian/patches/{patchset-zen => patchset-pf}/fixes/0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.patch (96%) create mode 100644 debian/patches/patchset-pf/fixes/0004-x86-tools-Drop-duplicate-unlikely-definition-in-insn.patch create mode 100644 debian/patches/patchset-pf/fixes/0005-tpm-tpm_tis-Fix-timeout-handling-when-waiting-for-TP.patch create mode 100644 debian/patches/patchset-pf/fixes/0006-x86-mm-Fix-flush_tlb_range-when-used-for-zapping-nor.patch create mode 100644 debian/patches/patchset-pf/fixes/0007-x86-tsc-Always-save-restore-TSC-sched_clock-on-suspe.patch create mode 100644 debian/patches/patchset-pf/fixes/0008-uprobes-x86-Harden-uretprobe-syscall-trampoline-chec.patch create mode 100644 debian/patches/patchset-pf/fixes/0009-block-make-sure-nr_integrity_segments-is-cloned-in-b.patch create mode 100644 debian/patches/patchset-pf/fixes/0010-PCI-Fix-wrong-length-of-devres-array.patch create mode 100644 
debian/patches/patchset-pf/fixes/0011-exec-fix-the-racy-usage-of-fs_struct-in_exec.patch create mode 100644 debian/patches/patchset-pf/fuse/0001-fuse-io-uring-Fix-a-possible-req-cancellation-race.patch create mode 100644 debian/patches/patchset-pf/nfs/0001-nfsd-fix-management-of-listener-transports.patch create mode 100644 debian/patches/patchset-pf/nfs/0002-NFSD-Skip-sending-CB_RECALL_ANY-when-the-backchannel.patch create mode 100644 debian/patches/patchset-pf/nfs/0003-NFSD-nfsd_unlink-clobbers-non-zero-status-returned-f.patch create mode 100644 debian/patches/patchset-pf/nfs/0004-NFSD-Never-return-NFS4ERR_FILE_OPEN-when-removing-a-.patch create mode 100644 debian/patches/patchset-pf/nfs/0005-nfsd-don-t-ignore-the-return-code-of-svc_proc_regist.patch create mode 100644 debian/patches/patchset-pf/nfs/0006-nfsd-allow-SC_STATUS_FREEABLE-when-searching-via-nfs.patch create mode 100644 debian/patches/patchset-pf/nfs/0007-nfsd-put-dl_stid-if-fail-to-queue-dl_recall.patch create mode 100644 debian/patches/patchset-pf/nfs/0008-NFSD-Add-a-Kconfig-setting-to-enable-delegated-times.patch create mode 100644 debian/patches/patchset-pf/smb/0001-cifs-avoid-NULL-pointer-dereference-in-dbg-call.patch create mode 100644 debian/patches/patchset-pf/smb/0002-ksmbd-add-bounds-check-for-durable-handle-context.patch create mode 100644 debian/patches/patchset-pf/smb/0003-CIFS-Propagate-min-offload-along-with-other-paramete.patch create mode 100644 debian/patches/patchset-pf/smb/0004-ksmbd-add-bounds-check-for-create-lease-context.patch create mode 100644 debian/patches/patchset-pf/smb/0005-ksmbd-fix-use-after-free-in-ksmbd_sessions_deregiste.patch create mode 100644 debian/patches/patchset-pf/smb/0006-cifs-fix-integer-overflow-in-match_server.patch create mode 100644 debian/patches/patchset-pf/smb/0007-ksmbd-fix-session-use-after-free-in-multichannel-con.patch create mode 100644 debian/patches/patchset-pf/smb/0008-ksmbd-fix-overflow-in-dacloffset-bounds-check.patch create mode 100644 
debian/patches/patchset-pf/smb/0009-ksmbd-validate-zero-num_subauth-before-sub_auth-is-a.patch create mode 100644 debian/patches/patchset-pf/smb/0010-ksmbd-fix-null-pointer-dereference-in-alloc_preauth_.patch diff --git a/debian/bin/genpatch-pfkernel b/debian/bin/genpatch-pfkernel index 7e959bd..5613a06 100755 --- a/debian/bin/genpatch-pfkernel +++ b/debian/bin/genpatch-pfkernel @@ -7,7 +7,7 @@ w=$(git rev-parse --path-format=absolute --show-toplevel) ; : "${w:?}" ; cd "$w" dst='debian/patches/pf-tmp' src='../linux-extras' -branches='amd-pstate cpuidle crypto fixes kbuild zstd' +branches='amd-pstate btrfs cpuidle crypto exfat fixes fuse kbuild nfs smb zstd' if [ -d "${dst}" ] ; then rm -rf "${dst}" ; fi mkdir -p "${dst}" diff --git a/debian/changelog b/debian/changelog index 5ce8c06..e594d22 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +linux (6.14.1-1) sid; urgency=medium + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.14.1 + + -- Konstantin Demin <rockdrilla@gmail.com> Mon, 07 Apr 2025 12:41:44 +0300 + linux (6.14-1) sid; urgency=medium * Sync with Debian. diff --git a/debian/config/config b/debian/config/config index d59c3b0..94d944b 100644 --- a/debian/config/config +++ b/debian/config/config @@ -1854,6 +1854,7 @@ CONFIG_NFSD_BLOCKLAYOUT=y # CONFIG_NFSD_V4_2_INTER_SSC is not set CONFIG_NFSD_V4_SECURITY_LABEL=y # CONFIG_NFSD_LEGACY_CLIENT_TRACKING is not set +# CONFIG_NFSD_V4_DELEG_TIMESTAMPS is not set ## ## file: fs/nls/Kconfig diff --git a/debian/patches/bugfix/all/ALSA-hda-realtek-Fix-built-in-mic-on-another-ASUS-Vi.patch b/debian/patches/bugfix/all/ALSA-hda-realtek-Fix-built-in-mic-on-another-ASUS-Vi.patch index d6a1d60..c035a60 100644 --- a/debian/patches/bugfix/all/ALSA-hda-realtek-Fix-built-in-mic-on-another-ASUS-Vi.patch +++ b/debian/patches/bugfix/all/ALSA-hda-realtek-Fix-built-in-mic-on-another-ASUS-Vi.patch @@ -17,11 +17,9 @@ 
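Review bot: The widened `branches=` assignment pulls five more series (btrfs, exfat, fuse, nfs, smb) from the sibling checkout `src='../linux-extras'`, and nothing in the visible lines records which revision of each branch was exported. The rewritten `From <hash>` lines throughout patchset-pf/amd-pstate suggest those branches were rebased, so the imported patches cannot be traced to a fixed commit from this tree alone. I would add a comment above the assignment, for example `# branch names in ${src}; keep in sync with the patchset-pf/<name>/ entries in debian/patches/series`, and record the exported branch heads in the commit message. The rest of the script is outside the hunk, so a pin or a check may already exist there.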
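Review bot: The added `# CONFIG_NFSD_V4_DELEG_TIMESTAMPS is not set` line pins a new option off, but the commit does not say why. Judging by the diffstat, the symbol appears to come from the newly imported patchset-pf/nfs/0008 patch ("Add a Kconfig setting to enable delegated times…"), so the line would go stale if that patch were ever dropped from debian/patches/series. The changelog entry names only the upstream stable update; a bullet such as `* [config] Explicitly disable NFSD_V4_DELEG_TIMESTAMPS (symbol added by patchset-pf/nfs).` would make the decision traceable.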
Signed-off-by: Takashi Iwai <tiwai@suse.de> sound/pci/hda/patch_realtek.c | 1 + 1 file changed, 1 insertion(+) -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index eec3ea1a7e08..79004bc8107b 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c -@@ -10889,6 +10889,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { +@@ -10772,6 +10772,7 @@ static const struct hda_quirk alc269_fix SND_PCI_QUIRK(0x1043, 0x1c43, "ASUS UX8406MA", ALC245_FIXUP_CS35L41_SPI_2), SND_PCI_QUIRK(0x1043, 0x1c62, "ASUS GU603", ALC289_FIXUP_ASUS_GA401), SND_PCI_QUIRK(0x1043, 0x1c63, "ASUS GU605M", ALC285_FIXUP_ASUS_GU605_SPI_SPEAKER2_TO_DAC1), @@ -29,6 +27,3 @@ index eec3ea1a7e08..79004bc8107b 100644 SND_PCI_QUIRK(0x1043, 0x1c92, "ASUS ROG Strix G15", ALC285_FIXUP_ASUS_G533Z_PINS), SND_PCI_QUIRK(0x1043, 0x1c9f, "ASUS G614JU/JV/JI", ALC285_FIXUP_ASUS_HEADSET_MIC), SND_PCI_QUIRK(0x1043, 0x1caf, "ASUS G634JY/JZ/JI/JG", ALC285_FIXUP_ASUS_SPI_REAR_SPEAKERS), --- -2.49.0 - diff --git a/debian/patches/patchset-pf/amd-pstate/0001-cpufreq-amd-pstate-Modify-the-min_perf-calculation-i.patch b/debian/patches/patchset-pf/amd-pstate/0001-cpufreq-amd-pstate-Modify-the-min_perf-calculation-i.patch index 8a2ca33..d2e0495 100644 --- a/debian/patches/patchset-pf/amd-pstate/0001-cpufreq-amd-pstate-Modify-the-min_perf-calculation-i.patch +++ b/debian/patches/patchset-pf/amd-pstate/0001-cpufreq-amd-pstate-Modify-the-min_perf-calculation-i.patch @@ -1,4 +1,4 @@ -From b6c0305214154bc26d20b130266fc1ba8341b58c Mon Sep 17 00:00:00 2001 +From c8c9ab8ff5cc5c0809cd958679614ade200a6ab3 Mon Sep 17 00:00:00 2001 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com> Date: Wed, 5 Feb 2025 11:25:14 +0000 Subject: cpufreq/amd-pstate: Modify the min_perf calculation in adjust_perf 
diff --git a/debian/patches/patchset-pf/amd-pstate/0002-cpufreq-amd-pstate-Remove-the-redundant-des_perf-cla.patch b/debian/patches/patchset-pf/amd-pstate/0002-cpufreq-amd-pstate-Remove-the-redundant-des_perf-cla.patch
index a448bdb..873bff7 100644
--- a/debian/patches/patchset-pf/amd-pstate/0002-cpufreq-amd-pstate-Remove-the-redundant-des_perf-cla.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0002-cpufreq-amd-pstate-Remove-the-redundant-des_perf-cla.patch
@@ -1,4 +1,4 @@
-From 6e51c53b5e940312c71ce5ea68cf94a000beab01 Mon Sep 17 00:00:00 2001
+From 16466d169a187b4c650771234de119279346f523 Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Wed, 5 Feb 2025 11:25:15 +0000
 Subject: cpufreq/amd-pstate: Remove the redundant des_perf clamping in
diff --git a/debian/patches/patchset-pf/amd-pstate/0003-cpufreq-amd-pstate-Pass-min-max_limit_perf-as-min-ma.patch b/debian/patches/patchset-pf/amd-pstate/0003-cpufreq-amd-pstate-Pass-min-max_limit_perf-as-min-ma.patch
index fa4d3cb..b402e45 100644
--- a/debian/patches/patchset-pf/amd-pstate/0003-cpufreq-amd-pstate-Pass-min-max_limit_perf-as-min-ma.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0003-cpufreq-amd-pstate-Pass-min-max_limit_perf-as-min-ma.patch
@@ -1,4 +1,4 @@
-From ad3fffe8ff1f18ad437d8b0d0bb602ba3c24adf7 Mon Sep 17 00:00:00 2001
+From 0dfebf0094ea7c512cf3db1013cf82124d4bbc3a Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Wed, 5 Feb 2025 11:25:16 +0000
 Subject: cpufreq/amd-pstate: Pass min/max_limit_perf as min/max_perf to
diff --git a/debian/patches/patchset-pf/amd-pstate/0004-cpufreq-amd-pstate-Convert-all-perf-values-to-u8.patch b/debian/patches/patchset-pf/amd-pstate/0004-cpufreq-amd-pstate-Convert-all-perf-values-to-u8.patch
index 948010b..df80491 100644
--- a/debian/patches/patchset-pf/amd-pstate/0004-cpufreq-amd-pstate-Convert-all-perf-values-to-u8.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0004-cpufreq-amd-pstate-Convert-all-perf-values-to-u8.patch
@@ -1,4 +1,4 @@
-From 300686c32b77583f45c6763535da85f2242bf820 Mon Sep 17 00:00:00 2001
+From 3daf64b383bc41feb0bf23790939b4512ba9170d Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Wed, 5 Feb 2025 11:25:17 +0000
 Subject: cpufreq/amd-pstate: Convert all perf values to u8
diff --git a/debian/patches/patchset-pf/amd-pstate/0005-cpufreq-amd-pstate-Modularize-perf-freq-conversion.patch b/debian/patches/patchset-pf/amd-pstate/0005-cpufreq-amd-pstate-Modularize-perf-freq-conversion.patch
index 38fe48a..7989ea1 100644
--- a/debian/patches/patchset-pf/amd-pstate/0005-cpufreq-amd-pstate-Modularize-perf-freq-conversion.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0005-cpufreq-amd-pstate-Modularize-perf-freq-conversion.patch
@@ -1,4 +1,4 @@
-From 8b87350a2e336e54b4d2638ac042bb2f7416312a Mon Sep 17 00:00:00 2001
+From b132b889dc7aa398a789e02dd6fbd5a512b4a9e0 Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Wed, 5 Feb 2025 11:25:18 +0000
 Subject: cpufreq/amd-pstate: Modularize perf<->freq conversion
diff --git a/debian/patches/patchset-pf/amd-pstate/0006-cpufreq-amd-pstate-Remove-the-unnecessary-cpufreq_up.patch b/debian/patches/patchset-pf/amd-pstate/0006-cpufreq-amd-pstate-Remove-the-unnecessary-cpufreq_up.patch
index 61df8f8..4765162 100644
--- a/debian/patches/patchset-pf/amd-pstate/0006-cpufreq-amd-pstate-Remove-the-unnecessary-cpufreq_up.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0006-cpufreq-amd-pstate-Remove-the-unnecessary-cpufreq_up.patch
@@ -1,4 +1,4 @@
-From b638a74c3b16e0781bb25478c135726862c9271d Mon Sep 17 00:00:00 2001
+From 6c284985cc268da10f0e38f1f3b9af62ecfc3998 Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Wed, 5 Feb 2025 11:25:19 +0000
 Subject: cpufreq/amd-pstate: Remove the unnecessary cpufreq_update_policy call
diff --git a/debian/patches/patchset-pf/amd-pstate/0007-cpufreq-amd-pstate-Add-missing-NULL-ptr-check-in-amd.patch b/debian/patches/patchset-pf/amd-pstate/0007-cpufreq-amd-pstate-Add-missing-NULL-ptr-check-in-amd.patch
index 08bfbc6..a789ced 100644
--- a/debian/patches/patchset-pf/amd-pstate/0007-cpufreq-amd-pstate-Add-missing-NULL-ptr-check-in-amd.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0007-cpufreq-amd-pstate-Add-missing-NULL-ptr-check-in-amd.patch
@@ -1,4 +1,4 @@
-From 156278367fd2c0863dc06f9a7df0a654ae336726 Mon Sep 17 00:00:00 2001
+From f50ac94149bc07092ecf5b68558f02920436f77c Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Wed, 5 Feb 2025 11:25:21 +0000
 Subject: cpufreq/amd-pstate: Add missing NULL ptr check in amd_pstate_update
diff --git a/debian/patches/patchset-pf/amd-pstate/0008-cpufreq-amd-pstate-Use-scope-based-cleanup-for-cpufr.patch b/debian/patches/patchset-pf/amd-pstate/0008-cpufreq-amd-pstate-Use-scope-based-cleanup-for-cpufr.patch
index a3311ce..9252012 100644
--- a/debian/patches/patchset-pf/amd-pstate/0008-cpufreq-amd-pstate-Use-scope-based-cleanup-for-cpufr.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0008-cpufreq-amd-pstate-Use-scope-based-cleanup-for-cpufr.patch
@@ -1,4 +1,4 @@
-From e36868a11daa43eff94abd32f19b1783e89298d4 Mon Sep 17 00:00:00 2001
+From b5b334f66595052e69ecaa501b8a6ebdb0fd6eed Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Wed, 5 Feb 2025 11:25:22 +0000
 Subject: cpufreq/amd-pstate: Use scope based cleanup for cpufreq_policy refs
diff --git a/debian/patches/patchset-pf/amd-pstate/0009-cpufreq-amd-pstate-Remove-the-unncecessary-driver_lo.patch b/debian/patches/patchset-pf/amd-pstate/0009-cpufreq-amd-pstate-Remove-the-unncecessary-driver_lo.patch
index 9480fd8..61beb6b 100644
--- a/debian/patches/patchset-pf/amd-pstate/0009-cpufreq-amd-pstate-Remove-the-unncecessary-driver_lo.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0009-cpufreq-amd-pstate-Remove-the-unncecessary-driver_lo.patch
@@ -1,4 +1,4 @@
-From 9b7b7d59c5425246ffda281e761ef3ec3b0e4fbc Mon Sep 17 00:00:00 2001
+From eff2c5a3f292e822968919a9792010de65b417b5 Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Wed, 5 Feb 2025 11:25:23 +0000
 Subject: cpufreq/amd-pstate: Remove the unncecessary driver_lock in
diff --git a/debian/patches/patchset-pf/amd-pstate/0010-cpufreq-amd-pstate-Fix-the-clamping-of-perf-values.patch b/debian/patches/patchset-pf/amd-pstate/0010-cpufreq-amd-pstate-Fix-the-clamping-of-perf-values.patch
index 181ed72..7aaa81e 100644
--- a/debian/patches/patchset-pf/amd-pstate/0010-cpufreq-amd-pstate-Fix-the-clamping-of-perf-values.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0010-cpufreq-amd-pstate-Fix-the-clamping-of-perf-values.patch
@@ -1,4 +1,4 @@
-From f09ef5b8aacd5b16ac1ea93103b41a7e88b174ed Mon Sep 17 00:00:00 2001
+From e836285ca35390d656adffee520d48cd7bedd5b3 Mon Sep 17 00:00:00 2001
 From: Dhananjay Ugwekar <dhananjay.ugwekar@amd.com>
 Date: Sat, 22 Feb 2025 03:32:22 +0000
 Subject: cpufreq/amd-pstate: Fix the clamping of perf values
diff --git a/debian/patches/patchset-pf/amd-pstate/0011-cpufreq-amd-pstate-Invalidate-cppc_req_cached-during.patch b/debian/patches/patchset-pf/amd-pstate/0011-cpufreq-amd-pstate-Invalidate-cppc_req_cached-during.patch
index a301e9c..2ccdadb 100644
--- a/debian/patches/patchset-pf/amd-pstate/0011-cpufreq-amd-pstate-Invalidate-cppc_req_cached-during.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0011-cpufreq-amd-pstate-Invalidate-cppc_req_cached-during.patch
@@ -1,4 +1,4 @@
-From 210d043d7b244588c911e355f2d5339bda9c8209 Mon Sep 17 00:00:00 2001
+From 0a417434299b27aebbb444e7545a7d668c40d288 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:16 -0600
 Subject: cpufreq/amd-pstate: Invalidate cppc_req_cached during suspend
diff --git a/debian/patches/patchset-pf/amd-pstate/0012-cpufreq-amd-pstate-Show-a-warning-when-a-CPU-fails-t.patch b/debian/patches/patchset-pf/amd-pstate/0012-cpufreq-amd-pstate-Show-a-warning-when-a-CPU-fails-t.patch
index c6f5e36..f9204fe 100644
--- a/debian/patches/patchset-pf/amd-pstate/0012-cpufreq-amd-pstate-Show-a-warning-when-a-CPU-fails-t.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0012-cpufreq-amd-pstate-Show-a-warning-when-a-CPU-fails-t.patch
@@ -1,4 +1,4 @@
-From a0233b8c2c01e98ddeb2e80768d4c7172311b200 Mon Sep 17 00:00:00 2001
+From ea1821eae465dfff9a9ef90662c2ce79e5abfe6e Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:17 -0600
 Subject: cpufreq/amd-pstate: Show a warning when a CPU fails to setup
diff --git a/debian/patches/patchset-pf/amd-pstate/0013-cpufreq-amd-pstate-Drop-min-and-max-cached-frequenci.patch b/debian/patches/patchset-pf/amd-pstate/0013-cpufreq-amd-pstate-Drop-min-and-max-cached-frequenci.patch
index dbb540e..3fcbe23 100644
--- a/debian/patches/patchset-pf/amd-pstate/0013-cpufreq-amd-pstate-Drop-min-and-max-cached-frequenci.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0013-cpufreq-amd-pstate-Drop-min-and-max-cached-frequenci.patch
@@ -1,4 +1,4 @@
-From ad672c3336331cab028c27e4a73153f517bb1844 Mon Sep 17 00:00:00 2001
+From 72016df62985637e59f075e25233d8ca942eb391 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:18 -0600
 Subject: cpufreq/amd-pstate: Drop min and max cached frequencies
diff --git a/debian/patches/patchset-pf/amd-pstate/0014-cpufreq-amd-pstate-Move-perf-values-into-a-union.patch b/debian/patches/patchset-pf/amd-pstate/0014-cpufreq-amd-pstate-Move-perf-values-into-a-union.patch
index f925f90..f7bddbb 100644
--- a/debian/patches/patchset-pf/amd-pstate/0014-cpufreq-amd-pstate-Move-perf-values-into-a-union.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0014-cpufreq-amd-pstate-Move-perf-values-into-a-union.patch
@@ -1,4 +1,4 @@
-From b96076ada115f25a4944f6f111b22c44a5d1a3cf Mon Sep 17 00:00:00 2001
+From 289c4432443c54497bfe75410a516ca24475504d Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:19 -0600
 Subject: cpufreq/amd-pstate: Move perf values into a union
diff --git a/debian/patches/patchset-pf/amd-pstate/0015-cpufreq-amd-pstate-Overhaul-locking.patch b/debian/patches/patchset-pf/amd-pstate/0015-cpufreq-amd-pstate-Overhaul-locking.patch
index 9fcd898..d647dd7 100644
--- a/debian/patches/patchset-pf/amd-pstate/0015-cpufreq-amd-pstate-Overhaul-locking.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0015-cpufreq-amd-pstate-Overhaul-locking.patch
@@ -1,4 +1,4 @@
-From 6c0b59640cce68d7574078d7d1e549bdb8f0128d Mon Sep 17 00:00:00 2001
+From 34925ac1038d19197f0a2ac8574496e77645fdf5 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:20 -0600
 Subject: cpufreq/amd-pstate: Overhaul locking
diff --git a/debian/patches/patchset-pf/amd-pstate/0016-cpufreq-amd-pstate-Drop-cppc_cap1_cached.patch b/debian/patches/patchset-pf/amd-pstate/0016-cpufreq-amd-pstate-Drop-cppc_cap1_cached.patch
index b41b670..e5421b3 100644
--- a/debian/patches/patchset-pf/amd-pstate/0016-cpufreq-amd-pstate-Drop-cppc_cap1_cached.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0016-cpufreq-amd-pstate-Drop-cppc_cap1_cached.patch
@@ -1,4 +1,4 @@
-From 7c9409faeb921c76988b4cd2294ca0a959775f35 Mon Sep 17 00:00:00 2001
+From 33c2b6f10f140e35f44d2be9bd8dc9eb459fb29a Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:21 -0600
 Subject: cpufreq/amd-pstate: Drop `cppc_cap1_cached`
diff --git a/debian/patches/patchset-pf/amd-pstate/0017-cpufreq-amd-pstate-ut-Use-_free-macro-to-free-put-po.patch b/debian/patches/patchset-pf/amd-pstate/0017-cpufreq-amd-pstate-ut-Use-_free-macro-to-free-put-po.patch
index 4af0d8e..31a9c57 100644
--- a/debian/patches/patchset-pf/amd-pstate/0017-cpufreq-amd-pstate-ut-Use-_free-macro-to-free-put-po.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0017-cpufreq-amd-pstate-ut-Use-_free-macro-to-free-put-po.patch
@@ -1,4 +1,4 @@
-From 346b2824b742a8f5943db8c8200ba4a7492bb3cf Mon Sep 17 00:00:00 2001
+From 22a3d411de53a42057ab0dc45bb00306fd855807 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:22 -0600
 Subject: cpufreq/amd-pstate-ut: Use _free macro to free put policy
diff --git a/debian/patches/patchset-pf/amd-pstate/0018-cpufreq-amd-pstate-ut-Allow-lowest-nonlinear-and-low.patch b/debian/patches/patchset-pf/amd-pstate/0018-cpufreq-amd-pstate-ut-Allow-lowest-nonlinear-and-low.patch
index e3f4afb..a8304ab 100644
--- a/debian/patches/patchset-pf/amd-pstate/0018-cpufreq-amd-pstate-ut-Allow-lowest-nonlinear-and-low.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0018-cpufreq-amd-pstate-ut-Allow-lowest-nonlinear-and-low.patch
@@ -1,4 +1,4 @@
-From 310f8a994f55561902e5a75ff8623988921e3908 Mon Sep 17 00:00:00 2001
+From e42e4d9ee2e953137488e531be82c4d2d1c10d1c Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:23 -0600
 Subject: cpufreq/amd-pstate-ut: Allow lowest nonlinear and lowest to be the
diff --git a/debian/patches/patchset-pf/amd-pstate/0019-cpufreq-amd-pstate-ut-Drop-SUCCESS-and-FAIL-enums.patch b/debian/patches/patchset-pf/amd-pstate/0019-cpufreq-amd-pstate-ut-Drop-SUCCESS-and-FAIL-enums.patch
index 264b38d..70ccd12 100644
--- a/debian/patches/patchset-pf/amd-pstate/0019-cpufreq-amd-pstate-ut-Drop-SUCCESS-and-FAIL-enums.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0019-cpufreq-amd-pstate-ut-Drop-SUCCESS-and-FAIL-enums.patch
@@ -1,4 +1,4 @@
-From bc4a683dbfcc306851bbfec33f9c857c523d4848 Mon Sep 17 00:00:00 2001
+From 141c02d0bbbca11a1fceae703a6b7dbfe6315b18 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:24 -0600
 Subject: cpufreq/amd-pstate-ut: Drop SUCCESS and FAIL enums
diff --git a/debian/patches/patchset-pf/amd-pstate/0020-cpufreq-amd-pstate-ut-Run-on-all-of-the-correct-CPUs.patch b/debian/patches/patchset-pf/amd-pstate/0020-cpufreq-amd-pstate-ut-Run-on-all-of-the-correct-CPUs.patch
index 37eaa37..c5c5b44 100644
--- a/debian/patches/patchset-pf/amd-pstate/0020-cpufreq-amd-pstate-ut-Run-on-all-of-the-correct-CPUs.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0020-cpufreq-amd-pstate-ut-Run-on-all-of-the-correct-CPUs.patch
@@ -1,4 +1,4 @@
-From 3651a3bd2d07f627d5382ec9e9b980c689d0eb98 Mon Sep 17 00:00:00 2001
+From 2fe00ce7f79ef57185bdd84e736d8bf47286eb8f Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:25 -0600
 Subject: cpufreq/amd-pstate-ut: Run on all of the correct CPUs
diff --git a/debian/patches/patchset-pf/amd-pstate/0021-cpufreq-amd-pstate-ut-Adjust-variable-scope.patch b/debian/patches/patchset-pf/amd-pstate/0021-cpufreq-amd-pstate-ut-Adjust-variable-scope.patch
index 4c5f051..7340b8c 100644
--- a/debian/patches/patchset-pf/amd-pstate/0021-cpufreq-amd-pstate-ut-Adjust-variable-scope.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0021-cpufreq-amd-pstate-ut-Adjust-variable-scope.patch
@@ -1,4 +1,4 @@
-From 4ec612c9d5de9620b8f0ad4463db5d08c2d68222 Mon Sep 17 00:00:00 2001
+From 95bbcd16b467dceea295dbd97c7347e7dd15dabc Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:26 -0600
 Subject: cpufreq/amd-pstate-ut: Adjust variable scope
diff --git a/debian/patches/patchset-pf/amd-pstate/0022-cpufreq-amd-pstate-Replace-all-AMD_CPPC_-macros-with.patch b/debian/patches/patchset-pf/amd-pstate/0022-cpufreq-amd-pstate-Replace-all-AMD_CPPC_-macros-with.patch
index 7af21f6..936fd4e 100644
--- a/debian/patches/patchset-pf/amd-pstate/0022-cpufreq-amd-pstate-Replace-all-AMD_CPPC_-macros-with.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0022-cpufreq-amd-pstate-Replace-all-AMD_CPPC_-macros-with.patch
@@ -1,4 +1,4 @@
-From 1512ed2a741a0df98972679da6177df4998fd8ce Mon Sep 17 00:00:00 2001
+From 98519671cd3691a45f23a7de4862ec0642b5921e Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:27 -0600
 Subject: cpufreq/amd-pstate: Replace all AMD_CPPC_* macros with masks
diff --git a/debian/patches/patchset-pf/amd-pstate/0023-cpufreq-amd-pstate-Cache-CPPC-request-in-shared-mem-.patch b/debian/patches/patchset-pf/amd-pstate/0023-cpufreq-amd-pstate-Cache-CPPC-request-in-shared-mem-.patch
index 505d80a..87aa49c 100644
--- a/debian/patches/patchset-pf/amd-pstate/0023-cpufreq-amd-pstate-Cache-CPPC-request-in-shared-mem-.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0023-cpufreq-amd-pstate-Cache-CPPC-request-in-shared-mem-.patch
@@ -1,4 +1,4 @@
-From bf6e8073cc7f17d6be40e16a04b5a277d7217f39 Mon Sep 17 00:00:00 2001
+From fc5fe86b4f63ed2ff8230c48e737185451e9c3a4 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:28 -0600
 Subject: cpufreq/amd-pstate: Cache CPPC request in shared mem case too
diff --git a/debian/patches/patchset-pf/amd-pstate/0024-cpufreq-amd-pstate-Move-all-EPP-tracing-into-_update.patch b/debian/patches/patchset-pf/amd-pstate/0024-cpufreq-amd-pstate-Move-all-EPP-tracing-into-_update.patch
index 24a45aa..1f70768 100644
--- a/debian/patches/patchset-pf/amd-pstate/0024-cpufreq-amd-pstate-Move-all-EPP-tracing-into-_update.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0024-cpufreq-amd-pstate-Move-all-EPP-tracing-into-_update.patch
@@ -1,4 +1,4 @@
-From 1a3ff33ff2fbe3ecc2d86addd115329fddb28ea1 Mon Sep 17 00:00:00 2001
+From e1b5c43aa7bf8d75d2043809ff38fee0b7d26259 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:29 -0600
 Subject: cpufreq/amd-pstate: Move all EPP tracing into *_update_perf and
diff --git a/debian/patches/patchset-pf/amd-pstate/0025-cpufreq-amd-pstate-Update-cppc_req_cached-for-shared.patch b/debian/patches/patchset-pf/amd-pstate/0025-cpufreq-amd-pstate-Update-cppc_req_cached-for-shared.patch
index efb3248..c8667d6 100644
--- a/debian/patches/patchset-pf/amd-pstate/0025-cpufreq-amd-pstate-Update-cppc_req_cached-for-shared.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0025-cpufreq-amd-pstate-Update-cppc_req_cached-for-shared.patch
@@ -1,4 +1,4 @@
-From eaf7b28995ee0346be8ac59869645e975eb6a91c Mon Sep 17 00:00:00 2001
+From d53216c4c9f67163c9dec656862f1135d6f4af63 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:30 -0600
 Subject: cpufreq/amd-pstate: Update cppc_req_cached for shared mem EPP writes
diff --git a/debian/patches/patchset-pf/amd-pstate/0026-cpufreq-amd-pstate-Drop-debug-statements-for-policy-.patch b/debian/patches/patchset-pf/amd-pstate/0026-cpufreq-amd-pstate-Drop-debug-statements-for-policy-.patch
index c10b4af..330a8ec 100644
--- a/debian/patches/patchset-pf/amd-pstate/0026-cpufreq-amd-pstate-Drop-debug-statements-for-policy-.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0026-cpufreq-amd-pstate-Drop-debug-statements-for-policy-.patch
@@ -1,4 +1,4 @@
-From a2ec1d51a050afc3a6d3ce35412d082e916e7eef Mon Sep 17 00:00:00 2001
+From cecd79d237f4b5d19adac7fb9d57c59c77e40547 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:31 -0600
 Subject: cpufreq/amd-pstate: Drop debug statements for policy setting
diff --git a/debian/patches/patchset-pf/amd-pstate/0027-cpufreq-amd-pstate-Rework-CPPC-enabling.patch b/debian/patches/patchset-pf/amd-pstate/0027-cpufreq-amd-pstate-Rework-CPPC-enabling.patch
index d8a4cfe..a402911 100644
--- a/debian/patches/patchset-pf/amd-pstate/0027-cpufreq-amd-pstate-Rework-CPPC-enabling.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0027-cpufreq-amd-pstate-Rework-CPPC-enabling.patch
@@ -1,4 +1,4 @@
-From 3a840f6d42aba96e1974857c157cab2f9c220045 Mon Sep 17 00:00:00 2001
+From bbb0d5ec2d1d757fc7b71086f505113845cc2aab Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:32 -0600
 Subject: cpufreq/amd-pstate: Rework CPPC enabling
diff --git a/debian/patches/patchset-pf/amd-pstate/0028-cpufreq-amd-pstate-Stop-caching-EPP.patch b/debian/patches/patchset-pf/amd-pstate/0028-cpufreq-amd-pstate-Stop-caching-EPP.patch
index 075bb79..b511149 100644
--- a/debian/patches/patchset-pf/amd-pstate/0028-cpufreq-amd-pstate-Stop-caching-EPP.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0028-cpufreq-amd-pstate-Stop-caching-EPP.patch
@@ -1,4 +1,4 @@
-From 5fda2a5a547244c99bce9327e77e2ff253f77add Mon Sep 17 00:00:00 2001
+From f11b0be50d2c87af1a401397f8918015e15199c6 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:33 -0600
 Subject: cpufreq/amd-pstate: Stop caching EPP
diff --git a/debian/patches/patchset-pf/amd-pstate/0029-cpufreq-amd-pstate-Drop-actions-in-amd_pstate_epp_cp.patch b/debian/patches/patchset-pf/amd-pstate/0029-cpufreq-amd-pstate-Drop-actions-in-amd_pstate_epp_cp.patch
index 6fe1cd5..2ec986b 100644
--- a/debian/patches/patchset-pf/amd-pstate/0029-cpufreq-amd-pstate-Drop-actions-in-amd_pstate_epp_cp.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0029-cpufreq-amd-pstate-Drop-actions-in-amd_pstate_epp_cp.patch
@@ -1,4 +1,4 @@
-From 7757237a6ee08403e9a0e58eebf53ae2203f65ae Mon Sep 17 00:00:00 2001
+From 509a6a82d6558983a84407e77aa398501b5c814a Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <mario.limonciello@amd.com>
 Date: Wed, 26 Feb 2025 01:49:34 -0600
 Subject: cpufreq/amd-pstate: Drop actions in amd_pstate_epp_cpu_offline()
diff --git a/debian/patches/patchset-pf/amd-pstate/0030-cpufreq-amd-pstate-fix-warning-noticed-by-kernel-tes.patch b/debian/patches/patchset-pf/amd-pstate/0030-cpufreq-amd-pstate-fix-warning-noticed-by-kernel-tes.patch
index e9adf6d..ed73130 100644
--- a/debian/patches/patchset-pf/amd-pstate/0030-cpufreq-amd-pstate-fix-warning-noticed-by-kernel-tes.patch
+++ b/debian/patches/patchset-pf/amd-pstate/0030-cpufreq-amd-pstate-fix-warning-noticed-by-kernel-tes.patch
@@ -1,4 +1,4 @@
-From f25d506d1e54b7d0a5fe42284cd5f2ca5c21cef7 Mon Sep 17 00:00:00 2001
+From 476817b414eddbf798161c3b33ef1209098bdf50 Mon Sep 17 00:00:00 2001
 From: Mario Limonciello <superm1@kernel.org>
 Date: Thu, 27 Feb 2025 14:09:08 -0600
 Subject: cpufreq/amd-pstate: fix warning noticed by kernel test robot
diff --git a/debian/patches/patchset-pf/btrfs/0001-btrfs-fix-non-empty-delayed-iputs-list-on-unmount-du.patch b/debian/patches/patchset-pf/btrfs/0001-btrfs-fix-non-empty-delayed-iputs-list-on-unmount-du.patch
new file mode 100644
index 0000000..771c1ce
--- /dev/null
+++ b/debian/patches/patchset-pf/btrfs/0001-btrfs-fix-non-empty-delayed-iputs-list-on-unmount-du.patch
@@ -0,0 +1,76 @@ +From 361b73ca6606d8bace6fe78b63d508d747c6689a Mon Sep 17 00:00:00 2001 +From: Filipe Manana <fdmanana@suse.com> +Date: Wed, 5 Mar 2025 16:52:26 +0000 +Subject: btrfs: fix non-empty delayed iputs list on unmount due to compressed + write workers + +At close_ctree() after we have ran delayed iputs either through explicitly +calling btrfs_run_delayed_iputs() or later during the call to +btrfs_commit_super() or btrfs_error_commit_super(), we assert that the +delayed iputs list is empty. + +When we have compressed writes this assertion may fail because delayed +iputs may have been added to the list after we last ran delayed iputs. +This happens like this: + +1) We have a compressed write bio executing; + +2) We enter close_ctree() and flush the fs_info->endio_write_workers + queue which is the queue used for running ordered extent completion; + +3) The compressed write bio finishes and enters + btrfs_finish_compressed_write_work(), where it calls + btrfs_finish_ordered_extent() which in turn calls + btrfs_queue_ordered_fn(), which queues a work item in the + fs_info->endio_write_workers queue that we have flushed before; + +4) At close_ctree() we proceed, run all existing delayed iputs and + call btrfs_commit_super() (which also runs delayed iputs), but before + we run the following assertion below: + + ASSERT(list_empty(&fs_info->delayed_iputs)) + + A delayed iput is added by the step below... + +5) The ordered extent completion job queued in step 3 runs and results in + creating a delayed iput when dropping the last reference of the ordered + extent (a call to btrfs_put_ordered_extent() made from + btrfs_finish_one_ordered()); + +6) At this point the delayed iputs list is not empty, so the assertion at + close_ctree() fails. 
+ +Fix this by flushing the fs_info->compressed_write_workers queue at +close_ctree() before flushing the fs_info->endio_write_workers queue, +respecting the queue dependency as the later is responsible for the +execution of ordered extent completion. + +CC: stable@vger.kernel.org # 5.15+ +Reviewed-by: Qu Wenruo <wqu@suse.com> +Signed-off-by: Filipe Manana <fdmanana@suse.com> +Signed-off-by: David Sterba <dsterba@suse.com> +--- + fs/btrfs/disk-io.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -4346,6 +4346,18 @@ void __cold close_ctree(struct btrfs_fs_ + btrfs_flush_workqueue(fs_info->delalloc_workers); + + /* ++ * When finishing a compressed write bio we schedule a work queue item ++ * to finish an ordered extent - btrfs_finish_compressed_write_work() ++ * calls btrfs_finish_ordered_extent() which in turns does a call to ++ * btrfs_queue_ordered_fn(), and that queues the ordered extent ++ * completion either in the endio_write_workers work queue or in the ++ * fs_info->endio_freespace_worker work queue. We flush those queues ++ * below, so before we flush them we must flush this queue for the ++ * workers of compressed writes. ++ */ ++ flush_workqueue(fs_info->compressed_write_workers); ++ ++ /* + * After we parked the cleaner kthread, ordered extents may have + * completed and created new delayed iputs. If one of the async reclaim + * tasks is running and in the RUN_DELAYED_IPUTS flush state, then we diff --git a/debian/patches/patchset-pf/btrfs/0002-btrfs-tests-fix-chunk-map-leak-after-failure-to-add-.patch b/debian/patches/patchset-pf/btrfs/0002-btrfs-tests-fix-chunk-map-leak-after-failure-to-add-.patch new file mode 100644 index 0000000..d14a716 --- /dev/null +++ b/debian/patches/patchset-pf/btrfs/0002-btrfs-tests-fix-chunk-map-leak-after-failure-to-add-.patch 
@@ -0,0 +1,30 @@ +From 9ac804f2001675a05f01a2f74af0c85861801e59 Mon Sep 17 00:00:00 2001 +From: Filipe Manana <fdmanana@suse.com> +Date: Tue, 11 Mar 2025 15:50:50 +0000 +Subject: btrfs: tests: fix chunk map leak after failure to add it to the tree + +If we fail to add the chunk map to the fs mapping tree we exit +test_rmap_block() without freeing the chunk map. Fix this by adding a +call to btrfs_free_chunk_map() before exiting the test function if the +call to btrfs_add_chunk_map() failed. + +Fixes: 7dc66abb5a47 ("btrfs: use a dedicated data structure for chunk maps") +CC: stable@vger.kernel.org # 6.12+ +Reviewed-by: Boris Burkov <boris@bur.io> +Signed-off-by: Filipe Manana <fdmanana@suse.com> +Reviewed-by: David Sterba <dsterba@suse.com> +Signed-off-by: David Sterba <dsterba@suse.com> +--- + fs/btrfs/tests/extent-map-tests.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/tests/extent-map-tests.c ++++ b/fs/btrfs/tests/extent-map-tests.c +@@ -1045,6 +1045,7 @@ static int test_rmap_block(struct btrfs_ + ret = btrfs_add_chunk_map(fs_info, map); + if (ret) { + test_err("error adding chunk map to mapping tree"); ++ btrfs_free_chunk_map(map); + goto out_free; + } + diff --git a/debian/patches/patchset-pf/btrfs/0003-btrfs-zoned-fix-zone-activation-with-missing-devices.patch b/debian/patches/patchset-pf/btrfs/0003-btrfs-zoned-fix-zone-activation-with-missing-devices.patch new file mode 100644 index 0000000..a41a7ac --- /dev/null +++ b/debian/patches/patchset-pf/btrfs/0003-btrfs-zoned-fix-zone-activation-with-missing-devices.patch 
@@ -0,0 +1,36 @@ +From 2d168cd506ec0b7a7619433aa0299b0be05ce655 Mon Sep 17 00:00:00 2001 +From: Johannes Thumshirn <johannes.thumshirn@wdc.com> +Date: Mon, 17 Mar 2025 12:24:58 +0100 +Subject: btrfs: zoned: fix zone activation with missing devices + +If btrfs_zone_activate() is called with a filesystem that has missing +devices (e.g. a RAID file system mounted in degraded mode) it is accessing +the btrfs_device::zone_info pointer, which will not be set if the device in +question is missing. + +Check if the device is present (by checking if it has a valid block +device pointer associated) and if not, skip zone activation for it. + +Fixes: f9a912a3c45f ("btrfs: zoned: make zone activation multi stripe capable") +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Naohiro Aota <naohiro.aota@wdc.com> +Reviewed-by: Anand Jain <anand.jain@oracle.com> +Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com> +Reviewed-by: David Sterba <dsterba@suse.com> +Signed-off-by: David Sterba <dsterba@suse.com> +--- + fs/btrfs/zoned.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/btrfs/zoned.c ++++ b/fs/btrfs/zoned.c +@@ -2111,6 +2111,9 @@ bool btrfs_zone_activate(struct btrfs_bl + physical = map->stripes[i].physical; + zinfo = device->zone_info; + ++ if (!device->bdev) ++ continue; ++ + if (zinfo->max_active_zones == 0) + continue; + diff --git a/debian/patches/patchset-pf/btrfs/0004-btrfs-zoned-fix-zone-finishing-with-missing-devices.patch b/debian/patches/patchset-pf/btrfs/0004-btrfs-zoned-fix-zone-finishing-with-missing-devices.patch new file mode 100644 index 0000000..16a73ed --- /dev/null +++ b/debian/patches/patchset-pf/btrfs/0004-btrfs-zoned-fix-zone-finishing-with-missing-devices.patch 
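Review bot: The new `if (!device->bdev) continue;` guard in btrfs_zone_activate() carries no comment, so the reason a NULL bdev is skipped (a missing device in a degraded mount never gets zone_info set) lives only in the commit message. I would add `/* Missing device (degraded mount): zone_info is not set, skip it. */` above the check. The same applies to the identical guard added to do_zone_finish() by patch 0004. Both loops start and end outside the hunks, so whether a skipped stripe needs any accounting later in the loop body cannot be judged from here.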
@@ -0,0 +1,36 @@ +From 5d05bf549f00ac4b04476b749847a7fcb019a73f Mon Sep 17 00:00:00 2001 +From: Johannes Thumshirn <johannes.thumshirn@wdc.com> +Date: Mon, 17 Mar 2025 12:24:59 +0100 +Subject: btrfs: zoned: fix zone finishing with missing devices + +If do_zone_finish() is called with a filesystem that has missing devices +(e.g. a RAID file system mounted in degraded mode) it is accessing the +btrfs_device::zone_info pointer, which will not be set if the device +in question is missing. + +Check if the device is present (by checking if it has a valid block device +pointer associated) and if not, skip zone finishing for it. + +Fixes: 4dcbb8ab31c1 ("btrfs: zoned: make zone finishing multi stripe capable") +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Naohiro Aota <naohiro.aota@wdc.com> +Reviewed-by: Anand Jain <anand.jain@oracle.com> +Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com> +Reviewed-by: David Sterba <dsterba@suse.com> +Signed-off-by: David Sterba <dsterba@suse.com> +--- + fs/btrfs/zoned.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/btrfs/zoned.c ++++ b/fs/btrfs/zoned.c +@@ -2275,6 +2275,9 @@ static int do_zone_finish(struct btrfs_b + struct btrfs_zoned_device_info *zinfo = device->zone_info; + unsigned int nofs_flags; + ++ if (!device->bdev) ++ continue; ++ + if (zinfo->max_active_zones == 0) + continue; + diff --git a/debian/patches/patchset-pf/cpuidle/0001-cpuidle-Prefer-teo-over-menu-governor.patch b/debian/patches/patchset-pf/cpuidle/0001-cpuidle-Prefer-teo-over-menu-governor.patch index ca9b0c7..99b21f6 100644 --- a/debian/patches/patchset-pf/cpuidle/0001-cpuidle-Prefer-teo-over-menu-governor.patch +++ b/debian/patches/patchset-pf/cpuidle/0001-cpuidle-Prefer-teo-over-menu-governor.patch @@ -1,4 +1,4 @@ -From 7a0fbf076914b2b0e55feddd839212af92bdffb3 Mon Sep 17 00:00:00 2001 +From 247749c27f92a789d4f1727aa870167c25ca3c5e Mon Sep 17 00:00:00 2001 
From: Christian Loehle <christian.loehle@arm.com>
 Date: Thu, 5 Sep 2024 10:26:39 +0100
 Subject: cpuidle: Prefer teo over menu governor
diff --git a/debian/patches/patchset-pf/crypto/0001-crypto-x86-aes-xts-make-the-fast-path-64-bit-specifi.patch b/debian/patches/patchset-pf/crypto/0001-crypto-x86-aes-xts-make-the-fast-path-64-bit-specifi.patch
index 6cd4781..cdaf353 100644
--- a/debian/patches/patchset-pf/crypto/0001-crypto-x86-aes-xts-make-the-fast-path-64-bit-specifi.patch
+++ b/debian/patches/patchset-pf/crypto/0001-crypto-x86-aes-xts-make-the-fast-path-64-bit-specifi.patch
@@ -1,4 +1,4 @@
-From 594316efc465f1408482e0d1dd379f4e3a6a5c7c Mon Sep 17 00:00:00 2001
+From 5e5a835c50afc3b9bb2b8b9175d0924abb5a7f3c Mon Sep 17 00:00:00 2001
 From: Eric Biggers <ebiggers@google.com>
 Date: Mon, 27 Jan 2025 13:16:09 -0800
 Subject: crypto: x86/aes-xts - make the fast path 64-bit specific
diff --git a/debian/patches/patchset-pf/crypto/0002-crypto-x86-aes-ctr-rewrite-AESNI-AVX-optimized-CTR-a.patch b/debian/patches/patchset-pf/crypto/0002-crypto-x86-aes-ctr-rewrite-AESNI-AVX-optimized-CTR-a.patch
index 2e2a475..0300cae 100644
--- a/debian/patches/patchset-pf/crypto/0002-crypto-x86-aes-ctr-rewrite-AESNI-AVX-optimized-CTR-a.patch
+++ b/debian/patches/patchset-pf/crypto/0002-crypto-x86-aes-ctr-rewrite-AESNI-AVX-optimized-CTR-a.patch
@@ -1,4 +1,4 @@
-From b988178e5a6498eea32891a711f065cfbe4cedf4 Mon Sep 17 00:00:00 2001
+From 9564bcf085acd0bdea688cb6165302a6871a7c08 Mon Sep 17 00:00:00 2001
 From: Eric Biggers <ebiggers@google.com>
 Date: Mon, 10 Feb 2025 08:50:20 -0800
 Subject: crypto: x86/aes-ctr - rewrite AESNI+AVX optimized CTR and add VAES
diff --git a/debian/patches/patchset-pf/exfat/0001-exfat-fix-random-stack-corruption-after-get_block.patch b/debian/patches/patchset-pf/exfat/0001-exfat-fix-random-stack-corruption-after-get_block.patch
new file mode 100644
index 0000000..7726eb4
--- /dev/null
+++ b/debian/patches/patchset-pf/exfat/0001-exfat-fix-random-stack-corruption-after-get_block.patch 
@@ -0,0 +1,122 @@ +From 99d63b3e3be79190d3bb4759bfb3a47fd00cfdbe Mon Sep 17 00:00:00 2001 +From: Sungjong Seo <sj1557.seo@samsung.com> +Date: Fri, 21 Mar 2025 15:34:42 +0900 +Subject: exfat: fix random stack corruption after get_block + +When get_block is called with a buffer_head allocated on the stack, such +as do_mpage_readpage, stack corruption due to buffer_head UAF may occur in +the following race condition situation. + + <CPU 0> <CPU 1> +mpage_read_folio + <<bh on stack>> + do_mpage_readpage + exfat_get_block + bh_read + __bh_read + get_bh(bh) + submit_bh + wait_on_buffer + ... + end_buffer_read_sync + __end_buffer_read_notouch + unlock_buffer + <<keep going>> + ... + ... + ... + ... +<<bh is not valid out of mpage_read_folio>> + . + . +another_function + <<variable A on stack>> + put_bh(bh) + atomic_dec(bh->b_count) + * stack corruption here * + +This patch returns -EAGAIN if a folio does not have buffers when bh_read +needs to be called. By doing this, the caller can fallback to functions +like block_read_full_folio(), create a buffer_head in the folio, and then +call get_block again. + +Let's do not call bh_read() with on-stack buffer_head. + +Fixes: 11a347fb6cef ("exfat: change to get file size from DataLength") +Cc: stable@vger.kernel.org +Tested-by: Yeongjin Gil <youngjin.gil@samsung.com> +Signed-off-by: Sungjong Seo <sj1557.seo@samsung.com> +Reviewed-by: Yuezhang Mo <Yuezhang.Mo@sony.com> +Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> +--- + fs/exfat/inode.c | 39 +++++++++++++++++++++++++++++++++------ + 1 file changed, 33 insertions(+), 6 deletions(-) + +--- a/fs/exfat/inode.c ++++ b/fs/exfat/inode.c +@@ -344,7 +344,8 @@ static int exfat_get_block(struct inode + * The block has been partially written, + * zero the unwritten part and map the block. 
+ */ +- loff_t size, off, pos; ++ loff_t size, pos; ++ void *addr; + + max_blocks = 1; + +@@ -355,17 +356,41 @@ static int exfat_get_block(struct inode + if (!bh_result->b_folio) + goto done; + ++ /* ++ * No buffer_head is allocated. ++ * (1) bmap: It's enough to fill bh_result without I/O. ++ * (2) read: The unwritten part should be filled with 0 ++ * If a folio does not have any buffers, ++ * let's returns -EAGAIN to fallback to ++ * per-bh IO like block_read_full_folio(). ++ */ ++ if (!folio_buffers(bh_result->b_folio)) { ++ err = -EAGAIN; ++ goto done; ++ } ++ + pos = EXFAT_BLK_TO_B(iblock, sb); + size = ei->valid_size - pos; +- off = pos & (PAGE_SIZE - 1); ++ addr = folio_address(bh_result->b_folio) + ++ offset_in_folio(bh_result->b_folio, pos); + +- folio_set_bh(bh_result, bh_result->b_folio, off); ++ /* Check if bh->b_data points to proper addr in folio */ ++ if (bh_result->b_data != addr) { ++ exfat_fs_error_ratelimit(sb, ++ "b_data(%p) != folio_addr(%p)", ++ bh_result->b_data, addr); ++ err = -EINVAL; ++ goto done; ++ } ++ ++ /* Read a block */ + err = bh_read(bh_result, 0); + if (err < 0) +- goto unlock_ret; ++ goto done; + +- folio_zero_segment(bh_result->b_folio, off + size, +- off + sb->s_blocksize); ++ /* Zero unwritten part of a block */ ++ memset(bh_result->b_data + size, 0, ++ bh_result->b_size - size); + } else { + /* + * The range has not been written, clear the mapped flag +@@ -376,6 +401,8 @@ static int exfat_get_block(struct inode + } + done: + bh_result->b_size = EXFAT_BLK_TO_B(max_blocks, sb); ++ if (err < 0) ++ clear_buffer_mapped(bh_result); + unlock_ret: + mutex_unlock(&sbi->s_lock); + return err; diff --git a/debian/patches/patchset-pf/exfat/0002-exfat-fix-potential-wrong-error-return-from-get_bloc.patch b/debian/patches/patchset-pf/exfat/0002-exfat-fix-potential-wrong-error-return-from-get_bloc.patch new file mode 100644 index 0000000..6868d0b --- /dev/null 
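Review bot: The new zeroing step `memset(bh_result->b_data + size, 0, bh_result->b_size - size);` depends on `size` lying between 0 and `bh_result->b_size`, and nothing inside the hunk states or checks that. `size` is computed as `ei->valid_size - pos` (a loff_t), the end of the zeroed range moved from `sb->s_blocksize` in the removed code to `bh_result->b_size`, and the branch condition that would bound `size` is outside the hunk. If that condition does guarantee a partially written block, I would record it next to the memset, e.g. `/* 0 < size < b_size: only the partially written block reaches here */`, so a later change to the condition does not turn this into an out-of-bounds write on the folio.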
+++ b/debian/patches/patchset-pf/exfat/0002-exfat-fix-potential-wrong-error-return-from-get_bloc.patch @@ -0,0 +1,30 @@ +From 8a19bb487633ff4dcf9c247cd3913ea4db26abca Mon Sep 17 00:00:00 2001 +From: Sungjong Seo <sj1557.seo@samsung.com> +Date: Wed, 26 Mar 2025 23:48:48 +0900 +Subject: exfat: fix potential wrong error return from get_block + +If there is no error, get_block() should return 0. However, when bh_read() +returns 1, get_block() also returns 1 in the same manner. + +Let's set err to 0, if there is no error from bh_read() + +Fixes: 11a347fb6cef ("exfat: change to get file size from DataLength") +Cc: stable@vger.kernel.org +Signed-off-by: Sungjong Seo <sj1557.seo@samsung.com> +Reviewed-by: Yuezhang Mo <Yuezhang.Mo@sony.com> +Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> +--- + fs/exfat/inode.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/exfat/inode.c ++++ b/fs/exfat/inode.c +@@ -391,6 +391,8 @@ static int exfat_get_block(struct inode + /* Zero unwritten part of a block */ + memset(bh_result->b_data + size, 0, + bh_result->b_size - size); ++ ++ err = 0; + } else { + /* + * The range has not been written, clear the mapped flag diff --git a/debian/patches/patchset-pf/fixes/0001-tpm-do-not-start-chip-while-suspended.patch b/debian/patches/patchset-pf/fixes/0001-tpm-do-not-start-chip-while-suspended.patch index 4277af3..c442e1c 100644 --- a/debian/patches/patchset-pf/fixes/0001-tpm-do-not-start-chip-while-suspended.patch +++ b/debian/patches/patchset-pf/fixes/0001-tpm-do-not-start-chip-while-suspended.patch @@ -1,4 +1,4 @@ -From 52af8f543922b47a31ddbb6ffb81f40ad9993309 Mon Sep 17 00:00:00 2001 +From 9efac88375330a6f29f091e9dd5fd6154670ba56 Mon Sep 17 00:00:00 2001 From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com> Date: Fri, 7 Feb 2025 15:07:46 -0300 Subject: tpm: do not start chip while suspended 
diff --git a/debian/patches/patchset-zen/fixes/0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.patch b/debian/patches/patchset-pf/fixes/0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.patch
similarity index 96%
rename from debian/patches/patchset-zen/fixes/0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.patch
rename to debian/patches/patchset-pf/fixes/0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.patch
index 6328b9b..26ccacf 100644
--- a/debian/patches/patchset-zen/fixes/0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.patch
+++ b/debian/patches/patchset-pf/fixes/0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.patch
@@ -1,4 +1,4 @@
-From 69907adec3041a6a89d192441a61481d80ee5806 Mon Sep 17 00:00:00 2001
+From 8886788eed16c79124bc530950f09c3f2fa881a8 Mon Sep 17 00:00:00 2001
 From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
 Date: Wed, 12 Feb 2025 16:33:54 +0800
 Subject: EDAC/igen6: Fix the flood of invalid error reports
diff --git a/debian/patches/patchset-pf/fixes/0004-x86-tools-Drop-duplicate-unlikely-definition-in-insn.patch b/debian/patches/patchset-pf/fixes/0004-x86-tools-Drop-duplicate-unlikely-definition-in-insn.patch
new file mode 100644
index 0000000..06e47e1
--- /dev/null
+++ b/debian/patches/patchset-pf/fixes/0004-x86-tools-Drop-duplicate-unlikely-definition-in-insn.patch
@@ -0,0 +1,36 @@ +From b40bdfdcffa333ad169327c5b8fe1b93542c7e0a Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor <nathan@kernel.org> +Date: Tue, 18 Mar 2025 15:32:30 -0700 +Subject: x86/tools: Drop duplicate unlikely() definition in + insn_decoder_test.c + +After commit c104c16073b7 ("Kunit to check the longest symbol length"), +there is a warning when building with clang because there is now a +definition of unlikely from compiler.h in tools/include/linux, which +conflicts with the one in the instruction decoder selftest: + + arch/x86/tools/insn_decoder_test.c:15:9: warning: 'unlikely' macro redefined [-Wmacro-redefined] + +Remove the second unlikely() definition, as it is no longer necessary, +clearing up the warning. + +Fixes: c104c16073b7 ("Kunit to check the longest symbol length") +Signed-off-by: Nathan Chancellor <nathan@kernel.org> +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Acked-by: Shuah Khan <skhan@linuxfoundation.org> +Link: https://lore.kernel.org/r/20250318-x86-decoder-test-fix-unlikely-redef-v1-1-74c84a7bf05b@kernel.org +--- + arch/x86/tools/insn_decoder_test.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/arch/x86/tools/insn_decoder_test.c ++++ b/arch/x86/tools/insn_decoder_test.c +@@ -11,8 +11,6 @@ + #include <unistd.h> + #include <stdarg.h> + +-#define unlikely(cond) (cond) +- + #include <asm/insn.h> + #include <inat.c> + #include <insn.c> diff --git a/debian/patches/patchset-pf/fixes/0005-tpm-tpm_tis-Fix-timeout-handling-when-waiting-for-TP.patch b/debian/patches/patchset-pf/fixes/0005-tpm-tpm_tis-Fix-timeout-handling-when-waiting-for-TP.patch new file mode 100644 index 0000000..0fc1ef4 --- /dev/null +++ b/debian/patches/patchset-pf/fixes/0005-tpm-tpm_tis-Fix-timeout-handling-when-waiting-for-TP.patch 
@@ -0,0 +1,44 @@ +From 073fb5ff9a001882fa884a0a8efddc88860ad791 Mon Sep 17 00:00:00 2001 +From: Jonathan McDowell <noodles@meta.com> +Date: Wed, 12 Mar 2025 07:31:57 +0200 +Subject: tpm, tpm_tis: Fix timeout handling when waiting for TPM status +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The change to only use interrupts to handle supported status changes +introduced an issue when it is necessary to poll for the status. Rather +than checking for the status after sleeping the code now sleeps after +the check. This means a correct, but slower, status change on the part +of the TPM can be missed, resulting in a spurious timeout error, +especially on a more loaded system. Switch back to sleeping *then* +checking. An up front check of the status has been done at the start of +the function, so this does not cause an additional delay when the status +is already what we're looking for. + +Cc: stable@vger.kernel.org # v6.4+ +Fixes: e87fcf0dc2b4 ("tpm, tpm_tis: Only handle supported interrupts") +Signed-off-by: Jonathan McDowell <noodles@meta.com> +Reviewed-by: Michal Suchánek <msuchanek@suse.de> +Reviewed-by: Lino Sanfilippo <l.sanfilippo@kunbus.com> +Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> +Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> +--- + drivers/char/tpm/tpm_tis_core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/char/tpm/tpm_tis_core.c ++++ b/drivers/char/tpm/tpm_tis_core.c +@@ -114,11 +114,10 @@ again: + return 0; + /* process status changes without irq support */ + do { ++ usleep_range(priv->timeout_min, priv->timeout_max); + status = chip->ops->status(chip); + if ((status & mask) == mask) + return 0; +- usleep_range(priv->timeout_min, +- priv->timeout_max); + } while (time_before(jiffies, stop)); + return -ETIME; + } 
diff --git a/debian/patches/patchset-pf/fixes/0006-x86-mm-Fix-flush_tlb_range-when-used-for-zapping-nor.patch b/debian/patches/patchset-pf/fixes/0006-x86-mm-Fix-flush_tlb_range-when-used-for-zapping-nor.patch new file mode 100644 index 0000000..850a43d --- /dev/null +++ b/debian/patches/patchset-pf/fixes/0006-x86-mm-Fix-flush_tlb_range-when-used-for-zapping-nor.patch 
@@ -0,0 +1,50 @@ +From e24882a961e2d85cc4c8319a56734a0d7c7867fc Mon Sep 17 00:00:00 2001 +From: Jann Horn <jannh@google.com> +Date: Fri, 3 Jan 2025 19:39:38 +0100 +Subject: x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs + +On the following path, flush_tlb_range() can be used for zapping normal +PMD entries (PMD entries that point to page tables) together with the PTE +entries in the pointed-to page table: + + collapse_pte_mapped_thp + pmdp_collapse_flush + flush_tlb_range + +The arm64 version of flush_tlb_range() has a comment describing that it can +be used for page table removal, and does not use any last-level +invalidation optimizations. Fix the X86 version by making it behave the +same way. + +Currently, X86 only uses this information for the following two purposes, +which I think means the issue doesn't have much impact: + + - In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be + IPI'd to avoid issues with speculative page table walks. + - In Hyper-V TLB paravirtualization, again for lazy TLB stuff. + +The patch "x86/mm: only invalidate final translations with INVLPGB" which +is currently under review (see +<https://lore.kernel.org/all/20241230175550.4046587-13-riel@surriel.com/>) +would probably be making the impact of this a lot worse. + +Fixes: 016c4d92cd16 ("x86/mm/tlb: Add freed_tables argument to flush_tlb_mm_range") +Signed-off-by: Jann Horn <jannh@google.com> +Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20250103-x86-collapse-flush-fix-v1-1-3c521856cfa6@google.com +--- + arch/x86/include/asm/tlbflush.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/include/asm/tlbflush.h ++++ b/arch/x86/include/asm/tlbflush.h +@@ -311,7 +311,7 @@ static inline bool mm_in_asid_transition + flush_tlb_mm_range((vma)->vm_mm, start, end, \ + ((vma)->vm_flags & VM_HUGETLB) \ + ? 
huge_page_shift(hstate_vma(vma)) \ +- : PAGE_SHIFT, false) ++ : PAGE_SHIFT, true) + + extern void flush_tlb_all(void); + extern void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start, diff --git a/debian/patches/patchset-pf/fixes/0007-x86-tsc-Always-save-restore-TSC-sched_clock-on-suspe.patch b/debian/patches/patchset-pf/fixes/0007-x86-tsc-Always-save-restore-TSC-sched_clock-on-suspe.patch new file mode 100644 index 0000000..e06a8fb --- /dev/null +++ b/debian/patches/patchset-pf/fixes/0007-x86-tsc-Always-save-restore-TSC-sched_clock-on-suspe.patch 
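Review bot: The switch of the last flush_tlb_mm_range() argument from `false` to `true` inside the flush_tlb_range() macro is left uncommented in tlbflush.h, although the commit message points out that the arm64 version documents exactly this use. I would add above the macro `/* May be used to zap normal PMDs together with their page tables (pmdp_collapse_flush), so pass freed_tables = true. */`. Without it the bare `true` reads like an arbitrary flag and is easy to revert when someone later optimises for last-level-only invalidation. The macro's #define line is outside the hunk.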
@@ -0,0 +1,68 @@ +From 7a0abf17cceb511425b7af34291243b4a270e770 Mon Sep 17 00:00:00 2001 +From: "Guilherme G. Piccoli" <gpiccoli@igalia.com> +Date: Sat, 15 Feb 2025 17:58:16 -0300 +Subject: x86/tsc: Always save/restore TSC sched_clock() on suspend/resume + +TSC could be reset in deep ACPI sleep states, even with invariant TSC. + +That's the reason we have sched_clock() save/restore functions, to deal +with this situation. But what happens is that such functions are guarded +with a check for the stability of sched_clock - if not considered stable, +the save/restore routines aren't executed. + +On top of that, we have a clear comment in native_sched_clock() saying +that *even* with TSC unstable, we continue using TSC for sched_clock due +to its speed. + +In other words, if we have a situation of TSC getting detected as unstable, +it marks the sched_clock as unstable as well, so subsequent S3 sleep cycles +could bring bogus sched_clock values due to the lack of the save/restore +mechanism, causing warnings like this: + + [22.954918] ------------[ cut here ]------------ + [22.954923] Delta way too big! 18446743750843854390 ts=18446744072977390405 before=322133536015 after=322133536015 write stamp=18446744072977390405 + [22.954923] If you just came from a suspend/resume, + [22.954923] please switch to the trace global clock: + [22.954923] echo global > /sys/kernel/tracing/trace_clock + [22.954923] or add trace_clock=global to the kernel command line + [22.954937] WARNING: CPU: 2 PID: 5728 at kernel/trace/ring_buffer.c:2890 rb_add_timestamp+0x193/0x1c0 + +Notice that the above was reproduced even with "trace_clock=global". + +The fix for that is to _always_ save/restore the sched_clock on suspend +cycle _if TSC is used_ as sched_clock - only if we fallback to jiffies +the sched_clock_stable() check becomes relevant to save/restore the +sched_clock. + +Debugged-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com> +Signed-off-by: Guilherme G. 
Piccoli <gpiccoli@igalia.com> +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Cc: stable@vger.kernel.org +Cc: Thomas Gleixner <tglx@linutronix.de> +Cc: Peter Zijlstra <peterz@infradead.org> +Cc: Linus Torvalds <torvalds@linux-foundation.org> +Link: https://lore.kernel.org/r/20250215210314.351480-1-gpiccoli@igalia.com +--- + arch/x86/kernel/tsc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/tsc.c ++++ b/arch/x86/kernel/tsc.c +@@ -959,7 +959,7 @@ static unsigned long long cyc2ns_suspend + + void tsc_save_sched_clock_state(void) + { +- if (!sched_clock_stable()) ++ if (!static_branch_likely(&__use_tsc) && !sched_clock_stable()) + return; + + cyc2ns_suspend = sched_clock(); +@@ -979,7 +979,7 @@ void tsc_restore_sched_clock_state(void) + unsigned long flags; + int cpu; + +- if (!sched_clock_stable()) ++ if (!static_branch_likely(&__use_tsc) && !sched_clock_stable()) + return; + + local_irq_save(flags); diff --git a/debian/patches/patchset-pf/fixes/0008-uprobes-x86-Harden-uretprobe-syscall-trampoline-chec.patch b/debian/patches/patchset-pf/fixes/0008-uprobes-x86-Harden-uretprobe-syscall-trampoline-chec.patch new file mode 100644 index 0000000..0484bfb --- /dev/null +++ b/debian/patches/patchset-pf/fixes/0008-uprobes-x86-Harden-uretprobe-syscall-trampoline-chec.patch 
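Review bot: The guard `!static_branch_likely(&__use_tsc) && !sched_clock_stable()` is now written out twice, in tsc_save_sched_clock_state() and in tsc_restore_sched_clock_state(), and the two copies have to stay identical or a save could be skipped while the matching restore still runs (or the reverse). A one-line comment at each site, e.g. `/* Always save/restore when TSC backs sched_clock(), even if it is marked unstable. */`, or a small shared static helper would keep the pair together. Both function bodies continue outside the hunks.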
@@ -0,0 +1,87 @@ +From bbbc88e65bb8036be1fe3386c0061d9be4c5a442 Mon Sep 17 00:00:00 2001 +From: Jiri Olsa <jolsa@kernel.org> +Date: Wed, 12 Feb 2025 23:04:33 +0100 +Subject: uprobes/x86: Harden uretprobe syscall trampoline check + +Jann reported a possible issue when trampoline_check_ip returns +address near the bottom of the address space that is allowed to +call into the syscall if uretprobes are not set up: + + https://lore.kernel.org/bpf/202502081235.5A6F352985@keescook/T/#m9d416df341b8fbc11737dacbcd29f0054413cbbf + +Though the mmap minimum address restrictions will typically prevent +creating mappings there, let's make sure uretprobe syscall checks +for that. + +Fixes: ff474a78cef5 ("uprobe: Add uretprobe syscall to speed up return probe") +Reported-by: Jann Horn <jannh@google.com> +Signed-off-by: Jiri Olsa <jolsa@kernel.org> +Signed-off-by: Ingo Molnar <mingo@kernel.org> +Reviewed-by: Oleg Nesterov <oleg@redhat.com> +Reviewed-by: Kees Cook <kees@kernel.org> +Acked-by: Andrii Nakryiko <andrii@kernel.org> +Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org> +Acked-by: Alexei Starovoitov <alexei.starovoitov@gmail.com> +Cc: Andy Lutomirski <luto@kernel.org> +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250212220433.3624297-1-jolsa@kernel.org +--- + arch/x86/kernel/uprobes.c | 14 +++++++++----- + include/linux/uprobes.h | 2 ++ + kernel/events/uprobes.c | 2 +- + 3 files changed, 12 insertions(+), 6 deletions(-) + +--- a/arch/x86/kernel/uprobes.c ++++ b/arch/x86/kernel/uprobes.c +@@ -357,19 +357,23 @@ void *arch_uprobe_trampoline(unsigned lo + return &insn; + } + +-static unsigned long trampoline_check_ip(void) ++static unsigned long trampoline_check_ip(unsigned long tramp) + { +- unsigned long tramp = uprobe_get_trampoline_vaddr(); +- + return tramp + (uretprobe_syscall_check - uretprobe_trampoline_entry); + } + + SYSCALL_DEFINE0(uretprobe) + { + struct pt_regs *regs = task_pt_regs(current); +- unsigned long err, ip, sp, r11_cx_ax[3]; ++ 
unsigned long err, ip, sp, r11_cx_ax[3], tramp; ++ ++ /* If there's no trampoline, we are called from wrong place. */ ++ tramp = uprobe_get_trampoline_vaddr(); ++ if (unlikely(tramp == UPROBE_NO_TRAMPOLINE_VADDR)) ++ goto sigill; + +- if (regs->ip != trampoline_check_ip()) ++ /* Make sure the ip matches the only allowed sys_uretprobe caller. */ ++ if (unlikely(regs->ip != trampoline_check_ip(tramp))) + goto sigill; + + err = copy_from_user(r11_cx_ax, (void __user *)regs->sp, sizeof(r11_cx_ax)); +--- a/include/linux/uprobes.h ++++ b/include/linux/uprobes.h +@@ -39,6 +39,8 @@ struct page; + + #define MAX_URETPROBE_DEPTH 64 + ++#define UPROBE_NO_TRAMPOLINE_VADDR (~0UL) ++ + struct uprobe_consumer { + /* + * handler() can return UPROBE_HANDLER_REMOVE to signal the need to +--- a/kernel/events/uprobes.c ++++ b/kernel/events/uprobes.c +@@ -2169,8 +2169,8 @@ void uprobe_copy_process(struct task_str + */ + unsigned long uprobe_get_trampoline_vaddr(void) + { ++ unsigned long trampoline_vaddr = UPROBE_NO_TRAMPOLINE_VADDR; + struct xol_area *area; +- unsigned long trampoline_vaddr = -1; + + /* Pairs with xol_add_vma() smp_store_release() */ + area = READ_ONCE(current->mm->uprobes_state.xol_area); /* ^^^ */ diff --git a/debian/patches/patchset-pf/fixes/0009-block-make-sure-nr_integrity_segments-is-cloned-in-b.patch b/debian/patches/patchset-pf/fixes/0009-block-make-sure-nr_integrity_segments-is-cloned-in-b.patch new file mode 100644 index 0000000..9bca027 --- /dev/null +++ b/debian/patches/patchset-pf/fixes/0009-block-make-sure-nr_integrity_segments-is-cloned-in-b.patch 
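Review bot: `#define UPROBE_NO_TRAMPOLINE_VADDR (~0UL)` is added to include/linux/uprobes.h without a comment, although sys_uretprobe now relies on it as the "no trampoline" sentinel. A line such as `/* Initial value of uprobe_get_trampoline_vaddr(): the task has no uretprobe trampoline. */` would tell arch code to compare against it before doing arithmetic on the address, which is the mistake this patch fixes in trampoline_check_ip(). The rest of uprobe_get_trampoline_vaddr() is outside the hunk, so the exact conditions under which the sentinel is returned should be confirmed against the full function when wording the comment.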
@@ -0,0 +1,32 @@ +From f4511f63677bd3e7831561b1407a69a71cb519bc Mon Sep 17 00:00:00 2001 +From: Ming Lei <ming.lei@redhat.com> +Date: Mon, 10 Mar 2025 19:54:53 +0800 +Subject: block: make sure ->nr_integrity_segments is cloned in + blk_rq_prep_clone + +Make sure ->nr_integrity_segments is cloned in blk_rq_prep_clone(), +otherwise requests cloned by device-mapper multipath will not have the +proper nr_integrity_segments values set, then BUG() is hit from +sg_alloc_table_chained(). + +Fixes: b0fd271d5fba ("block: add request clone interface (v2)") +Cc: stable@vger.kernel.org +Cc: Christoph Hellwig <hch@infradead.org> +Signed-off-by: Ming Lei <ming.lei@redhat.com> +Reviewed-by: Christoph Hellwig <hch@lst.de> +Link: https://lore.kernel.org/r/20250310115453.2271109-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe <axboe@kernel.dk> +--- + block/blk-mq.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -3314,6 +3314,7 @@ int blk_rq_prep_clone(struct request *rq + rq->special_vec = rq_src->special_vec; + } + rq->nr_phys_segments = rq_src->nr_phys_segments; ++ rq->nr_integrity_segments = rq_src->nr_integrity_segments; + + if (rq->bio && blk_crypto_rq_bio_prep(rq, rq->bio, gfp_mask) < 0) + goto free_and_out; diff --git a/debian/patches/patchset-pf/fixes/0010-PCI-Fix-wrong-length-of-devres-array.patch b/debian/patches/patchset-pf/fixes/0010-PCI-Fix-wrong-length-of-devres-array.patch new file mode 100644 index 0000000..dc281bc --- /dev/null +++ b/debian/patches/patchset-pf/fixes/0010-PCI-Fix-wrong-length-of-devres-array.patch 
@@ -0,0 +1,40 @@
+From 46b8c87f1aa08a0794b45b394c5462f33bec54b0 Mon Sep 17 00:00:00 2001
+From: Philipp Stanner <phasta@kernel.org>
+Date: Wed, 12 Mar 2025 09:06:34 +0100
+Subject: PCI: Fix wrong length of devres array
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The array for the iomapping cookie addresses has a length of
+PCI_STD_NUM_BARS. This constant, however, only describes standard BARs;
+while PCI can allow for additional, special BARs.
+
+The total number of PCI resources is described by constant
+PCI_NUM_RESOURCES, which is also used in, e.g., pci_select_bars().
+
+Thus, the devres array has so far been too small.
+
+Change the length of the devres array to PCI_NUM_RESOURCES.
+
+Link: https://lore.kernel.org/r/20250312080634.13731-3-phasta@kernel.org
+Fixes: bbaff68bf4a4 ("PCI: Add managed partial-BAR request and map infrastructure")
+Signed-off-by: Philipp Stanner <phasta@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Cc: stable@vger.kernel.org # v6.11+
+---
+ drivers/pci/devres.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/devres.c
++++ b/drivers/pci/devres.c
+@@ -40,7 +40,7 @@
+ * Legacy struct storing addresses to whole mapped BARs.
+ */
+ struct pcim_iomap_devres {
+- void __iomem *table[PCI_STD_NUM_BARS];
++ void __iomem *table[PCI_NUM_RESOURCES];
+ };
+
+ /* Used to restore the old INTx state on driver detach. */
diff --git a/debian/patches/patchset-pf/fixes/0011-exec-fix-the-racy-usage-of-fs_struct-in_exec.patch b/debian/patches/patchset-pf/fixes/0011-exec-fix-the-racy-usage-of-fs_struct-in_exec.patch
new file mode 100644
index 0000000..3093924
--- /dev/null
+++ b/debian/patches/patchset-pf/fixes/0011-exec-fix-the-racy-usage-of-fs_struct-in_exec.patch
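Review bot: The comment above `struct pcim_iomap_devres` still says only "whole mapped BARs", which does not explain why the table is now sized by `PCI_NUM_RESOURCES`. Since an undersized array is exactly what this patch corrects, the sizing rule belongs next to the field, for example `/* Sized by PCI_NUM_RESOURCES, not PCI_STD_NUM_BARS: PCI allows BARs beyond the standard ones. */`. The code that indexes `table` is outside this hunk, so it is worth confirming that any bound it checks against uses the same constant.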
@@ -0,0 +1,84 @@
+From 9741b8592433f51ed477c9dba6d304562aa7de18 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Mon, 24 Mar 2025 17:00:03 +0100
+Subject: exec: fix the racy usage of fs_struct->in_exec
+
+check_unsafe_exec() sets fs->in_exec under cred_guard_mutex, then execve()
+paths clear fs->in_exec lockless. This is fine if exec succeeds, but if it
+fails we have the following race:
+
+ T1 sets fs->in_exec = 1, fails, drops cred_guard_mutex
+
+ T2 sets fs->in_exec = 1
+
+ T1 clears fs->in_exec
+
+ T2 continues with fs->in_exec == 0
+
+Change fs/exec.c to clear fs->in_exec with cred_guard_mutex held.
+
+Reported-by: syzbot+1c486d0b62032c82a968@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67dc67f0.050a0220.25ae54.001f.GAE@google.com/
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Link: https://lore.kernel.org/r/20250324160003.GA8878@redhat.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+---
+ fs/exec.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1229,13 +1229,12 @@ int begin_new_exec(struct linux_binprm *
+ */
+ bprm->point_of_no_return = true;
+
+- /*
+- * Make this the only thread in the thread group.
+- */
++ /* Make this the only thread in the thread group */
+ retval = de_thread(me);
+ if (retval)
+ goto out;
+-
++ /* see the comment in check_unsafe_exec() */
++ current->fs->in_exec = 0;
+ /*
+ * Cancel any io_uring activity across execve
+ */
+@@ -1497,6 +1496,8 @@ static void free_bprm(struct linux_binpr
+ }
+ free_arg_pages(bprm);
+ if (bprm->cred) {
++ /* in case exec fails before de_thread() succeeds */
++ current->fs->in_exec = 0;
+ mutex_unlock(¤t->signal->cred_guard_mutex);
+ abort_creds(bprm->cred);
+ }
+@@ -1618,6 +1619,10 @@ static void check_unsafe_exec(struct lin
+ * suid exec because the differently privileged task
+ * will be able to manipulate the current directory, etc.
+ * It would be nice to force an unshare instead...
++ *
++ * Otherwise we set fs->in_exec = 1 to deny clone(CLONE_FS)
++ * from another sub-thread until de_thread() succeeds, this
++ * state is protected by cred_guard_mutex we hold.
+ */
+ n_fs = 1;
+ spin_lock(&p->fs->lock);
+@@ -1862,7 +1867,6 @@ static int bprm_execve(struct linux_binp
+
+ sched_mm_cid_after_execve(current);
+ /* execve succeeded */
+- current->fs->in_exec = 0;
+ current->in_execve = 0;
+ rseq_execve(current);
+ user_events_execve(current);
+@@ -1881,7 +1885,6 @@ out:
+ force_fatal_sig(SIGSEGV);
+
+ sched_mm_cid_after_execve(current);
+- current->fs->in_exec = 0;
+ current->in_execve = 0;
+
+ return retval;
diff --git a/debian/patches/patchset-pf/fuse/0001-fuse-io-uring-Fix-a-possible-req-cancellation-race.patch b/debian/patches/patchset-pf/fuse/0001-fuse-io-uring-Fix-a-possible-req-cancellation-race.patch
new file mode 100644
index 0000000..db3e513
--- /dev/null
+++ b/debian/patches/patchset-pf/fuse/0001-fuse-io-uring-Fix-a-possible-req-cancellation-race.patch
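Review bot: The new `current->fs->in_exec = 0;` in begin_new_exec() is only correct while cred_guard_mutex is still held, but nothing at that site states or checks this; the comment merely points to check_unsafe_exec(). Because in_exec is what denies clone(CLONE_FS) from a sub-thread during the exec, I would make the requirement checkable by placing `lockdep_assert_held(&current->signal->cred_guard_mutex);` directly before the store. In free_bprm() the store sits under `if (bprm->cred)`, which presumably stands in for "the mutex is held"; a short comment saying so would save the next reader from having to work it out. Both functions start and end outside the hunks shown, so the lock state on entry could not be verified here.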
@@ -0,0 +1,207 @@ +From 6e7ac63c4c4a8fe7c66f856f4091d9b20899f167 Mon Sep 17 00:00:00 2001 +From: Bernd Schubert <bschubert@ddn.com> +Date: Tue, 25 Mar 2025 18:29:31 +0100 +Subject: fuse: {io-uring} Fix a possible req cancellation race + +task-A (application) might be in request_wait_answer and +try to remove the request when it has FR_PENDING set. + +task-B (a fuse-server io-uring task) might handle this +request with FUSE_IO_URING_CMD_COMMIT_AND_FETCH, when +fetching the next request and accessed the req from +the pending list in fuse_uring_ent_assign_req(). +That code path was not protected by fiq->lock and so +might race with task-A. + +For scaling reasons we better don't use fiq->lock, but +add a handler to remove canceled requests from the queue. + +This also removes usage of fiq->lock from +fuse_uring_add_req_to_ring_ent() altogether, as it was +there just to protect against this race and incomplete. + +Also added is a comment why FR_PENDING is not cleared. + +Fixes: c090c8abae4b ("fuse: Add io-uring sqe commit and fetch support") +Cc: <stable@vger.kernel.org> # v6.14 +Reported-by: Joanne Koong <joannelkoong@gmail.com> +Closes: https://lore.kernel.org/all/CAJnrk1ZgHNb78dz-yfNTpxmW7wtT88A=m-zF0ZoLXKLUHRjNTw@mail.gmail.com/ +Signed-off-by: Bernd Schubert <bschubert@ddn.com> +Reviewed-by: Joanne Koong <joannelkoong@gmail.com> +Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> +--- + fs/fuse/dev.c | 34 +++++++++++++++++++++++++--------- + fs/fuse/dev_uring.c | 15 +++++++++++---- + fs/fuse/dev_uring_i.h | 6 ++++++ + fs/fuse/fuse_dev_i.h | 1 + + fs/fuse/fuse_i.h | 3 +++ + 5 files changed, 46 insertions(+), 13 deletions(-) + +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -407,6 +407,24 @@ static int queue_interrupt(struct fuse_r + return 0; + } + ++bool fuse_remove_pending_req(struct fuse_req *req, spinlock_t *lock) ++{ ++ spin_lock(lock); ++ if (test_bit(FR_PENDING, &req->flags)) { ++ /* ++ * FR_PENDING does not get cleared as the request will end ++ * up in 
destruction anyway. ++ */ ++ list_del(&req->list); ++ spin_unlock(lock); ++ __fuse_put_request(req); ++ req->out.h.error = -EINTR; ++ return true; ++ } ++ spin_unlock(lock); ++ return false; ++} ++ + static void request_wait_answer(struct fuse_req *req) + { + struct fuse_conn *fc = req->fm->fc; +@@ -428,22 +446,20 @@ static void request_wait_answer(struct f + } + + if (!test_bit(FR_FORCE, &req->flags)) { ++ bool removed; ++ + /* Only fatal signals may interrupt this */ + err = wait_event_killable(req->waitq, + test_bit(FR_FINISHED, &req->flags)); + if (!err) + return; + +- spin_lock(&fiq->lock); +- /* Request is not yet in userspace, bail out */ +- if (test_bit(FR_PENDING, &req->flags)) { +- list_del(&req->list); +- spin_unlock(&fiq->lock); +- __fuse_put_request(req); +- req->out.h.error = -EINTR; ++ if (test_bit(FR_URING, &req->flags)) ++ removed = fuse_uring_remove_pending_req(req); ++ else ++ removed = fuse_remove_pending_req(req, &fiq->lock); ++ if (removed) + return; +- } +- spin_unlock(&fiq->lock); + } + + /* +--- a/fs/fuse/dev_uring.c ++++ b/fs/fuse/dev_uring.c +@@ -726,8 +726,6 @@ static void fuse_uring_add_req_to_ring_e + struct fuse_req *req) + { + struct fuse_ring_queue *queue = ent->queue; +- struct fuse_conn *fc = req->fm->fc; +- struct fuse_iqueue *fiq = &fc->iq; + + lockdep_assert_held(&queue->lock); + +@@ -737,9 +735,7 @@ static void fuse_uring_add_req_to_ring_e + ent->state); + } + +- spin_lock(&fiq->lock); + clear_bit(FR_PENDING, &req->flags); +- spin_unlock(&fiq->lock); + ent->fuse_req = req; + ent->state = FRRS_FUSE_REQ; + list_move(&ent->list, &queue->ent_w_req_queue); +@@ -1238,6 +1234,8 @@ void fuse_uring_queue_fuse_req(struct fu + if (unlikely(queue->stopped)) + goto err_unlock; + ++ set_bit(FR_URING, &req->flags); ++ req->ring_queue = queue; + ent = list_first_entry_or_null(&queue->ent_avail_queue, + struct fuse_ring_ent, list); + if (ent) +@@ -1276,6 +1274,8 @@ bool fuse_uring_queue_bq_req(struct fuse + return false; + } + ++ 
set_bit(FR_URING, &req->flags); ++ req->ring_queue = queue; + list_add_tail(&req->list, &queue->fuse_req_bg_queue); + + ent = list_first_entry_or_null(&queue->ent_avail_queue, +@@ -1306,6 +1306,13 @@ bool fuse_uring_queue_bq_req(struct fuse + return true; + } + ++bool fuse_uring_remove_pending_req(struct fuse_req *req) ++{ ++ struct fuse_ring_queue *queue = req->ring_queue; ++ ++ return fuse_remove_pending_req(req, &queue->lock); ++} ++ + static const struct fuse_iqueue_ops fuse_io_uring_ops = { + /* should be send over io-uring as enhancement */ + .send_forget = fuse_dev_queue_forget, +--- a/fs/fuse/dev_uring_i.h ++++ b/fs/fuse/dev_uring_i.h +@@ -142,6 +142,7 @@ void fuse_uring_abort_end_requests(struc + int fuse_uring_cmd(struct io_uring_cmd *cmd, unsigned int issue_flags); + void fuse_uring_queue_fuse_req(struct fuse_iqueue *fiq, struct fuse_req *req); + bool fuse_uring_queue_bq_req(struct fuse_req *req); ++bool fuse_uring_remove_pending_req(struct fuse_req *req); + + static inline void fuse_uring_abort(struct fuse_conn *fc) + { +@@ -199,6 +200,11 @@ static inline bool fuse_uring_ready(stru + { + return false; + } ++ ++static inline bool fuse_uring_remove_pending_req(struct fuse_req *req) ++{ ++ return false; ++} + + #endif /* CONFIG_FUSE_IO_URING */ + +--- a/fs/fuse/fuse_dev_i.h ++++ b/fs/fuse/fuse_dev_i.h +@@ -61,6 +61,7 @@ int fuse_copy_out_args(struct fuse_copy_ + void fuse_dev_queue_forget(struct fuse_iqueue *fiq, + struct fuse_forget_link *forget); + void fuse_dev_queue_interrupt(struct fuse_iqueue *fiq, struct fuse_req *req); ++bool fuse_remove_pending_req(struct fuse_req *req, spinlock_t *lock); + + #endif + +--- a/fs/fuse/fuse_i.h ++++ b/fs/fuse/fuse_i.h +@@ -378,6 +378,7 @@ struct fuse_io_priv { + * FR_FINISHED: request is finished + * FR_PRIVATE: request is on private list + * FR_ASYNC: request is asynchronous ++ * FR_URING: request is handled through fuse-io-uring + */ + enum fuse_req_flag { + FR_ISREPLY, +@@ -392,6 +393,7 @@ enum fuse_req_flag { + 
FR_FINISHED, + FR_PRIVATE, + FR_ASYNC, ++ FR_URING, + }; + + /** +@@ -441,6 +443,7 @@ struct fuse_req { + + #ifdef CONFIG_FUSE_IO_URING + void *ring_entry; ++ void *ring_queue; + #endif + }; + diff --git a/debian/patches/patchset-pf/nfs/0001-nfsd-fix-management-of-listener-transports.patch b/debian/patches/patchset-pf/nfs/0001-nfsd-fix-management-of-listener-transports.patch new file mode 100644 index 0000000..e064754 --- /dev/null +++ b/debian/patches/patchset-pf/nfs/0001-nfsd-fix-management-of-listener-transports.patch 
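Review bot: `fuse_remove_pending_req()` takes a bare `spinlock_t *lock` with no statement of which lock is valid for a given request, and a lock that does not protect the list the request is on would leave the `list_del()` unprotected. The two visible callers pass `&fiq->lock` on the classic path and `&queue->lock` for FR_URING requests, so a kernel-doc line such as `@lock: lock protecting the list @req is queued on (fiq->lock, or the ring queue's lock when FR_URING is set)` would record the contract. Relatedly, `ring_queue` is added to struct fuse_req as `void *` and converted implicitly in `fuse_uring_remove_pending_req()`; this follows the existing `void *ring_entry`, but a forward-declared `struct fuse_ring_queue *` would let the compiler reject a wrong assignment.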
@@ -0,0 +1,128 @@ +From ae5d3e4f701948dd6241451d41d9dfa0f0f703cd Mon Sep 17 00:00:00 2001 +From: Olga Kornievskaia <okorniev@redhat.com> +Date: Fri, 17 Jan 2025 11:32:58 -0500 +Subject: nfsd: fix management of listener transports + +Currently, when no active threads are running, a root user using nfsdctl +command can try to remove a particular listener from the list of previously +added ones, then start the server by increasing the number of threads, +it leads to the following problem: + +[ 158.835354] refcount_t: addition on 0; use-after-free. +[ 158.835603] WARNING: CPU: 2 PID: 9145 at lib/refcount.c:25 refcount_warn_saturate+0x160/0x1a0 +[ 158.836017] Modules linked in: rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd auth_rpcgss nfs_acl lockd grace overlay isofs uinput snd_seq_dummy snd_hrtimer nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill ip_set nf_tables qrtr sunrpc vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops uvc videobuf2_v4l2 videodev videobuf2_common snd_hda_codec_generic mc e1000e snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore sg loop dm_multipath dm_mod nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs libcrc32c crct10dif_ce ghash_ce vmwgfx sha2_ce sha256_arm64 sr_mod sha1_ce cdrom nvme drm_client_lib drm_ttm_helper ttm nvme_core drm_kms_helper nvme_auth drm fuse +[ 158.840093] CPU: 2 UID: 0 PID: 9145 Comm: nfsd Kdump: loaded Tainted: G B W 6.13.0-rc6+ #7 +[ 158.840624] Tainted: [B]=BAD_PAGE, [W]=WARN +[ 158.840802] Hardware name: VMware, Inc. 
VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024 +[ 158.841220] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) +[ 158.841563] pc : refcount_warn_saturate+0x160/0x1a0 +[ 158.841780] lr : refcount_warn_saturate+0x160/0x1a0 +[ 158.842000] sp : ffff800089be7d80 +[ 158.842147] x29: ffff800089be7d80 x28: ffff00008e68c148 x27: ffff00008e68c148 +[ 158.842492] x26: ffff0002e3b5c000 x25: ffff600011cd1829 x24: ffff00008653c010 +[ 158.842832] x23: ffff00008653c000 x22: 1fffe00011cd1829 x21: ffff00008653c028 +[ 158.843175] x20: 0000000000000002 x19: ffff00008653c010 x18: 0000000000000000 +[ 158.843505] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 +[ 158.843836] x14: 0000000000000000 x13: 0000000000000001 x12: ffff600050a26493 +[ 158.844143] x11: 1fffe00050a26492 x10: ffff600050a26492 x9 : dfff800000000000 +[ 158.844475] x8 : 00009fffaf5d9b6e x7 : ffff000285132493 x6 : 0000000000000001 +[ 158.844823] x5 : ffff000285132490 x4 : ffff600050a26493 x3 : ffff8000805e72bc +[ 158.845174] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000098588000 +[ 158.845528] Call trace: +[ 158.845658] refcount_warn_saturate+0x160/0x1a0 (P) +[ 158.845894] svc_recv+0x58c/0x680 [sunrpc] +[ 158.846183] nfsd+0x1fc/0x348 [nfsd] +[ 158.846390] kthread+0x274/0x2f8 +[ 158.846546] ret_from_fork+0x10/0x20 +[ 158.846714] ---[ end trace 0000000000000000 ]--- + +nfsd_nl_listener_set_doit() would manipulate the list of transports of +server's sv_permsocks and close the specified listener but the other +list of transports (server's sp_xprts list) would not be changed leading +to the problem above. + +Instead, determined if the nfsdctl is trying to remove a listener, in +which case, delete all the existing listener transports and re-create +all-but-the-removed ones. 
+ +Fixes: 16a471177496 ("NFSD: add listener-{set,get} netlink command") +Signed-off-by: Olga Kornievskaia <okorniev@redhat.com> +Reviewed-by: Jeff Layton <jlayton@kernel.org> +Cc: stable@vger.kernel.org +Signed-off-by: Chuck Lever <chuck.lever@oracle.com> +--- + fs/nfsd/nfsctl.c | 44 +++++++++++++++++++++----------------------- + 1 file changed, 21 insertions(+), 23 deletions(-) + +--- a/fs/nfsd/nfsctl.c ++++ b/fs/nfsd/nfsctl.c +@@ -1917,6 +1917,7 @@ int nfsd_nl_listener_set_doit(struct sk_ + struct svc_serv *serv; + LIST_HEAD(permsocks); + struct nfsd_net *nn; ++ bool delete = false; + int err, rem; + + mutex_lock(&nfsd_mutex); +@@ -1977,34 +1978,28 @@ int nfsd_nl_listener_set_doit(struct sk_ + } + } + +- /* For now, no removing old sockets while server is running */ +- if (serv->sv_nrthreads && !list_empty(&permsocks)) { ++ /* ++ * If there are listener transports remaining on the permsocks list, ++ * it means we were asked to remove a listener. ++ */ ++ if (!list_empty(&permsocks)) { + list_splice_init(&permsocks, &serv->sv_permsocks); +- spin_unlock_bh(&serv->sv_lock); +- err = -EBUSY; +- goto out_unlock_mtx; ++ delete = true; + } ++ spin_unlock_bh(&serv->sv_lock); + +- /* Close the remaining sockets on the permsocks list */ +- while (!list_empty(&permsocks)) { +- xprt = list_first_entry(&permsocks, struct svc_xprt, xpt_list); +- list_move(&xprt->xpt_list, &serv->sv_permsocks); +- +- /* +- * Newly-created sockets are born with the BUSY bit set. Clear +- * it if there are no threads, since nothing can pick it up +- * in that case. +- */ +- if (!serv->sv_nrthreads) +- clear_bit(XPT_BUSY, &xprt->xpt_flags); +- +- set_bit(XPT_CLOSE, &xprt->xpt_flags); +- spin_unlock_bh(&serv->sv_lock); +- svc_xprt_close(xprt); +- spin_lock_bh(&serv->sv_lock); ++ /* Do not remove listeners while there are active threads. 
*/ ++ if (serv->sv_nrthreads) { ++ err = -EBUSY; ++ goto out_unlock_mtx; + } + +- spin_unlock_bh(&serv->sv_lock); ++ /* ++ * Since we can't delete an arbitrary llist entry, destroy the ++ * remaining listeners and recreate the list. ++ */ ++ if (delete) ++ svc_xprt_destroy_all(serv, net); + + /* walk list of addrs again, open any that still don't exist */ + nlmsg_for_each_attr(attr, info->nlhdr, GENL_HDRLEN, rem) { +@@ -2031,6 +2026,9 @@ int nfsd_nl_listener_set_doit(struct sk_ + + xprt = svc_find_listener(serv, xcl_name, net, sa); + if (xprt) { ++ if (delete) ++ WARN_ONCE(1, "Transport type=%s already exists\n", ++ xcl_name); + svc_xprt_put(xprt); + continue; + } diff --git a/debian/patches/patchset-pf/nfs/0002-NFSD-Skip-sending-CB_RECALL_ANY-when-the-backchannel.patch b/debian/patches/patchset-pf/nfs/0002-NFSD-Skip-sending-CB_RECALL_ANY-when-the-backchannel.patch new file mode 100644 index 0000000..b4edbdd --- /dev/null +++ b/debian/patches/patchset-pf/nfs/0002-NFSD-Skip-sending-CB_RECALL_ANY-when-the-backchannel.patch 
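Review bot: The `if (serv->sv_nrthreads)` test that returns -EBUSY is not conditional on `delete`, although its comment says it exists to stop listeners from being removed while threads are active. As written, a request that only adds listeners to a running server also gets -EBUSY, whereas the removed code returned it only when `!list_empty(&permsocks)` as well. If that narrowing is not intended, the test should read `if (delete && serv->sv_nrthreads) {`. nfsd_nl_listener_set_doit() begins and ends outside these hunks, so the rest of its error path could not be checked.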
@@ -0,0 +1,55 @@
+From 71e2b1f41ebbead746c5b99384ebb9fb7c73a079 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Tue, 14 Jan 2025 17:09:24 -0500
+Subject: NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up
+
+NFSD sends CB_RECALL_ANY to clients when the server is low on
+memory or that client has a large number of delegations outstanding.
+
+We've seen cases where NFSD attempts to send CB_RECALL_ANY requests
+to disconnected clients, and gets confused. These calls never go
+anywhere if a backchannel transport to the target client isn't
+available. Before the server can send any backchannel operation, the
+client has to connect first and then do a BIND_CONN_TO_SESSION.
+
+This patch doesn't address the root cause of the confusion, but
+there's no need to queue up these optional operations if they can't
+go anywhere.
+
+Fixes: 44df6f439a17 ("NFSD: add delegation reaper to react to low memory condition")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+---
+ fs/nfsd/nfs4state.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -6860,14 +6860,19 @@ deleg_reaper(struct nfsd_net *nn)
+ spin_lock(&nn->client_lock);
+ list_for_each_safe(pos, next, &nn->client_lru) {
+ clp = list_entry(pos, struct nfs4_client, cl_lru);
+- if (clp->cl_state != NFSD4_ACTIVE ||
+- list_empty(&clp->cl_delegations) ||
+- atomic_read(&clp->cl_delegs_in_recall) ||
+- test_bit(NFSD4_CLIENT_CB_RECALL_ANY, &clp->cl_flags) ||
+- (ktime_get_boottime_seconds() -
+- clp->cl_ra_time < 5)) {
++
++ if (clp->cl_state != NFSD4_ACTIVE)
++ continue;
++ if (list_empty(&clp->cl_delegations))
++ continue;
++ if (atomic_read(&clp->cl_delegs_in_recall))
++ continue;
++ if (test_bit(NFSD4_CLIENT_CB_RECALL_ANY, &clp->cl_flags))
++ continue;
++ if (ktime_get_boottime_seconds() - clp->cl_ra_time < 5)
++ continue;
++ if (clp->cl_cb_state != NFSD4_CB_UP)
+ continue;
+- }
+ list_add(&clp->cl_ra_cblist, &cblist);
+
+ /* release in nfsd4_cb_recall_any_release */
diff --git a/debian/patches/patchset-pf/nfs/0003-NFSD-nfsd_unlink-clobbers-non-zero-status-returned-f.patch b/debian/patches/patchset-pf/nfs/0003-NFSD-nfsd_unlink-clobbers-non-zero-status-returned-f.patch
new file mode 100644
index 0000000..cefb06e
--- /dev/null
+++ b/debian/patches/patchset-pf/nfs/0003-NFSD-nfsd_unlink-clobbers-non-zero-status-returned-f.patch
@@ -0,0 +1,35 @@
+From e9976f5c50b6513c156c4f5a1d9fde96efb50d29 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Sun, 26 Jan 2025 16:50:17 -0500
+Subject: NFSD: nfsd_unlink() clobbers non-zero status returned from
+ fh_fill_pre_attrs()
+
+If fh_fill_pre_attrs() returns a non-zero status, the error flow
+takes it through out_unlock, which then overwrites the returned
+status code with
+
+ err = nfserrno(host_err);
+
+Fixes: a332018a91c4 ("nfsd: handle failure to collect pre/post-op attrs more sanely")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+---
+ fs/nfsd/vfs.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -2011,11 +2011,9 @@ out_nfserr:
+ * error status.
+ */
+ err = nfserr_file_open;
+- } else {
+- err = nfserrno(host_err);
+ }
+ out:
+- return err;
++ return err != nfs_ok ? err : nfserrno(host_err);
+ out_unlock:
+ inode_unlock(dirp);
+ goto out_drop_write;
diff --git a/debian/patches/patchset-pf/nfs/0004-NFSD-Never-return-NFS4ERR_FILE_OPEN-when-removing-a-.patch b/debian/patches/patchset-pf/nfs/0004-NFSD-Never-return-NFS4ERR_FILE_OPEN-when-removing-a-.patch
new file mode 100644
index 0000000..dddd545
--- /dev/null
+++ b/debian/patches/patchset-pf/nfs/0004-NFSD-Never-return-NFS4ERR_FILE_OPEN-when-removing-a-.patch
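Review bot: In the nfsd_unlink() patch, moving the status selection into `return err != nfs_ok ? err : nfserrno(host_err);` at the shared `out:` label makes every exit read `host_err`, including any path that jumps straight to `out` before `host_err` has been assigned. Those early exits and the declaration of `host_err` are outside the hunk, so whether one of them can arrive with `err == nfs_ok` could not be checked here. Keeping the conversion under `out_nfserr:` as `else if (err == nfs_ok) err = nfserrno(host_err);` and leaving `out:` as `return err;` would preserve the fix without widening what `out:` depends on.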
@@ -0,0 +1,68 @@
+From c6e51270335aa72d7f255051119792629ed2ad2d Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Sun, 26 Jan 2025 16:50:18 -0500
+Subject: NFSD: Never return NFS4ERR_FILE_OPEN when removing a directory
+
+RFC 8881 Section 18.25.4 paragraph 5 tells us that the server
+should return NFS4ERR_FILE_OPEN only if the target object is an
+opened file. This suggests that returning this status when removing
+a directory will confuse NFS clients.
+
+This is a version-specific issue; nfsd_proc_remove/rmdir() and
+nfsd3_proc_remove/rmdir() already return nfserr_access as
+appropriate.
+
+Unfortunately there is no quick way for nfsd4_remove() to determine
+whether the target object is a file or not, so the check is done in
+in nfsd_unlink() for now.
+
+Reported-by: Trond Myklebust <trondmy@hammerspace.com>
+Fixes: 466e16f0920f ("nfsd: check for EBUSY from vfs_rmdir/vfs_unink.")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+---
+ fs/nfsd/vfs.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -1931,9 +1931,17 @@ out:
+ return err;
+ }
+
+-/*
+- * Unlink a file or directory
+- * N.B. After this call fhp needs an fh_put
++/**
++ * nfsd_unlink - remove a directory entry
++ * @rqstp: RPC transaction context
++ * @fhp: the file handle of the parent directory to be modified
++ * @type: enforced file type of the object to be removed
++ * @fname: the name of directory entry to be removed
++ * @flen: length of @fname in octets
++ *
++ * After this call fhp needs an fh_put.
++ *
++ * Returns a generic NFS status code in network byte-order.
+ */
+ __be32
+ nfsd_unlink(struct svc_rqst *rqstp, struct svc_fh *fhp, int type,
+@@ -2007,10 +2015,14 @@ out_drop_write:
+ fh_drop_write(fhp);
+ out_nfserr:
+ if (host_err == -EBUSY) {
+- /* name is mounted-on. There is no perfect
+- * error status.
++ /*
++ * See RFC 8881 Section 18.25.4 para 4: NFSv4 REMOVE
++ * wants a status unique to the object type.
+ */
+- err = nfserr_file_open;
++ if (type != S_IFDIR)
++ err = nfserr_file_open;
++ else
++ err = nfserr_acces;
+ }
+ out:
+ return err != nfs_ok ? err : nfserrno(host_err);
diff --git a/debian/patches/patchset-pf/nfs/0005-nfsd-don-t-ignore-the-return-code-of-svc_proc_regist.patch b/debian/patches/patchset-pf/nfs/0005-nfsd-don-t-ignore-the-return-code-of-svc_proc_regist.patch
new file mode 100644
index 0000000..a8b6946
--- /dev/null
+++ b/debian/patches/patchset-pf/nfs/0005-nfsd-don-t-ignore-the-return-code-of-svc_proc_regist.patch
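Review bot: The new comment in nfsd_unlink() cites "RFC 8881 Section 18.25.4 para 4", while the patch description cites paragraph 5 of the same section for the same rule. One of the two is wrong, and the in-code reference is the one that will outlive the commit message, so it should be checked against the RFC and the two aligned. Separately, `if (type != S_IFDIR)` only distinguishes directories if `type` has been resolved from the target object by this point. The description says nfsd4_remove() cannot supply it and the code that would fill it in is outside the hunk, so that is worth confirming before relying on the `else` branch.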
@@ -0,0 +1,88 @@
+From be9eb38c29f63437120c1b4c5d1e7df98851e05e Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@kernel.org>
+Date: Thu, 6 Feb 2025 13:12:13 -0500
+Subject: nfsd: don't ignore the return code of svc_proc_register()
+
+Currently, nfsd_proc_stat_init() ignores the return value of
+svc_proc_register(). If the procfile creation fails, then the kernel
+will WARN when it tries to remove the entry later.
+
+Fix nfsd_proc_stat_init() to return the same type of pointer as
+svc_proc_register(), and fix up nfsd_net_init() to check that and fail
+the nfsd_net construction if it occurs.
+
+svc_proc_register() can fail if the dentry can't be allocated, or if an
+identical dentry already exists. The second case is pretty unlikely in
+the nfsd_net construction codepath, so if this happens, return -ENOMEM.
+
+Reported-by: syzbot+e34ad04f27991521104c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-nfs/67a47501.050a0220.19061f.05f9.GAE@google.com/
+Cc: stable@vger.kernel.org # v6.9
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+---
+ fs/nfsd/nfsctl.c | 9 ++++++++-
+ fs/nfsd/stats.c | 4 ++--
+ fs/nfsd/stats.h | 2 +-
+ 3 files changed, 11 insertions(+), 4 deletions(-)
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -2202,8 +2202,14 @@ static __net_init int nfsd_net_init(stru
+ NFSD_STATS_COUNTERS_NUM);
+ if (retval)
+ goto out_repcache_error;
++
+ memset(&nn->nfsd_svcstats, 0, sizeof(nn->nfsd_svcstats));
+ nn->nfsd_svcstats.program = &nfsd_programs[0];
++ if (!nfsd_proc_stat_init(net)) {
++ retval = -ENOMEM;
++ goto out_proc_error;
++ }
++
+ for (i = 0; i < sizeof(nn->nfsd_versions); i++)
+ nn->nfsd_versions[i] = nfsd_support_version(i);
+ for (i = 0; i < sizeof(nn->nfsd4_minorversions); i++)
+@@ -2213,13 +2219,14 @@ static __net_init int nfsd_net_init(stru
+ nfsd4_init_leases_net(nn);
+ get_random_bytes(&nn->siphash_key, sizeof(nn->siphash_key));
+ seqlock_init(&nn->writeverf_lock);
+- nfsd_proc_stat_init(net);
+ #if IS_ENABLED(CONFIG_NFS_LOCALIO)
+ spin_lock_init(&nn->local_clients_lock);
+ INIT_LIST_HEAD(&nn->local_clients);
+ #endif
+ return 0;
+
++out_proc_error:
++ percpu_counter_destroy_many(nn->counter, NFSD_STATS_COUNTERS_NUM);
+ out_repcache_error:
+ nfsd_idmap_shutdown(net);
+ out_idmap_error:
+--- a/fs/nfsd/stats.c
++++ b/fs/nfsd/stats.c
+@@ -73,11 +73,11 @@ static int nfsd_show(struct seq_file *se
+
+ DEFINE_PROC_SHOW_ATTRIBUTE(nfsd);
+
+-void nfsd_proc_stat_init(struct net *net)
++struct proc_dir_entry *nfsd_proc_stat_init(struct net *net)
+ {
+ struct nfsd_net *nn = net_generic(net, nfsd_net_id);
+
+- svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
++ return svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
+ }
+
+ void nfsd_proc_stat_shutdown(struct net *net)
+--- a/fs/nfsd/stats.h
++++ b/fs/nfsd/stats.h
+@@ -10,7 +10,7 @@
+ #include <uapi/linux/nfsd/stats.h>
+ #include <linux/percpu_counter.h>
+
+-void nfsd_proc_stat_init(struct net *net);
++struct proc_dir_entry *nfsd_proc_stat_init(struct net *net);
+ void nfsd_proc_stat_shutdown(struct net *net);
+
+ static inline void nfsd_stats_rc_hits_inc(struct nfsd_net *nn)
diff --git a/debian/patches/patchset-pf/nfs/0006-nfsd-allow-SC_STATUS_FREEABLE-when-searching-via-nfs.patch b/debian/patches/patchset-pf/nfs/0006-nfsd-allow-SC_STATUS_FREEABLE-when-searching-via-nfs.patch
new file mode 100644
index 0000000..6393e17
--- /dev/null
+++ b/debian/patches/patchset-pf/nfs/0006-nfsd-allow-SC_STATUS_FREEABLE-when-searching-via-nfs.patch
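Review bot: `if (!nfsd_proc_stat_init(net))` in nfsd_net_init() treats every NULL from svc_proc_register() as fatal for the whole nfsd_net. If svc_proc_register() has a variant that returns NULL when procfs is not built in (its definition is not part of this patch), every nfsd_net construction on such a kernel would fail with -ENOMEM, so that configuration should be checked before this lands. A comment at the check, e.g. `/* NULL means the proc entry could not be created; reported as -ENOMEM in both failure cases */`, would also record why one errno covers the two causes the description lists.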
@@ -0,0 +1,54 @@
+From 8ae7239f6e86e8eaf9b2d95164b9d88b0af1c9c7 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@kernel.org>
+Date: Thu, 13 Feb 2025 09:08:29 -0500
+Subject: nfsd: allow SC_STATUS_FREEABLE when searching via
+ nfs4_lookup_stateid()
+
+The pynfs DELEG8 test fails when run against nfsd. It acquires a
+delegation and then lets the lease time out. It then tries to use the
+deleg stateid and expects to see NFS4ERR_DELEG_REVOKED, but it gets
+bad NFS4ERR_BAD_STATEID instead.
+
+When a delegation is revoked, it's initially marked with
+SC_STATUS_REVOKED, or SC_STATUS_ADMIN_REVOKED and later, it's marked
+with the SC_STATUS_FREEABLE flag, which denotes that it is waiting for
+s FREE_STATEID call.
+
+nfs4_lookup_stateid() accepts a statusmask that includes the status
+flags that a found stateid is allowed to have. Currently, that mask
+never includes SC_STATUS_FREEABLE, which means that revoked delegations
+are (almost) never found.
+
+Add SC_STATUS_FREEABLE to the always-allowed status flags, and remove it
+from nfsd4_delegreturn() since it's now always implied.
+
+Fixes: 8dd91e8d31fe ("nfsd: fix race between laundromat and free_stateid")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+---
+ fs/nfsd/nfs4state.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -7056,7 +7056,7 @@ nfsd4_lookup_stateid(struct nfsd4_compou
+ */
+ statusmask |= SC_STATUS_REVOKED;
+
+- statusmask |= SC_STATUS_ADMIN_REVOKED;
++ statusmask |= SC_STATUS_ADMIN_REVOKED | SC_STATUS_FREEABLE;
+
+ if (ZERO_STATEID(stateid) || ONE_STATEID(stateid) ||
+ CLOSE_STATEID(stateid))
+@@ -7711,9 +7711,7 @@ nfsd4_delegreturn(struct svc_rqst *rqstp
+ if ((status = fh_verify(rqstp, &cstate->current_fh, S_IFREG, 0)))
+ return status;
+
+- status = nfsd4_lookup_stateid(cstate, stateid, SC_TYPE_DELEG,
+- SC_STATUS_REVOKED | SC_STATUS_FREEABLE,
+- &s, nn);
++ status = nfsd4_lookup_stateid(cstate, stateid, SC_TYPE_DELEG, SC_STATUS_REVOKED, &s, nn);
+ if (status)
+ goto out;
+ dp = delegstateid(s);
diff --git a/debian/patches/patchset-pf/nfs/0007-nfsd-put-dl_stid-if-fail-to-queue-dl_recall.patch b/debian/patches/patchset-pf/nfs/0007-nfsd-put-dl_stid-if-fail-to-queue-dl_recall.patch
new file mode 100644
index 0000000..15aadaa
--- /dev/null
+++ b/debian/patches/patchset-pf/nfs/0007-nfsd-put-dl_stid-if-fail-to-queue-dl_recall.patch
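Review bot: Adding `SC_STATUS_FREEABLE` to the unconditional part of `statusmask` in nfsd4_lookup_stateid() widens what every caller can get back, not only the delegation path the description discusses, and the statement carries no comment saying so. I would document it in place, e.g. `/* Revoked stateids awaiting FREE_STATEID must stay findable so the revocation can be reported */`, and have each caller that previously never saw a FREEABLE stateid checked for how it handles one; those callers are outside the hunk. The rewritten call in nfsd4_delegreturn() also now runs well past 80 columns and could keep a wrapped form.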
@@ -0,0 +1,97 @@ +From e5747c32073db3e624d454b80c94f5cb9b362370 Mon Sep 17 00:00:00 2001 +From: Li Lingfeng <lilingfeng3@huawei.com> +Date: Thu, 13 Feb 2025 22:42:20 +0800 +Subject: nfsd: put dl_stid if fail to queue dl_recall + +Before calling nfsd4_run_cb to queue dl_recall to the callback_wq, we +increment the reference count of dl_stid. +We expect that after the corresponding work_struct is processed, the +reference count of dl_stid will be decremented through the callback +function nfsd4_cb_recall_release. +However, if the call to nfsd4_run_cb fails, the incremented reference +count of dl_stid will not be decremented correspondingly, leading to the +following nfs4_stid leak: +unreferenced object 0xffff88812067b578 (size 344): + comm "nfsd", pid 2761, jiffies 4295044002 (age 5541.241s) + hex dump (first 32 bytes): + 01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff ....kkkk........ + 00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de .kkkkkkk.....N.. + backtrace: + kmem_cache_alloc+0x4b9/0x700 + nfsd4_process_open1+0x34/0x300 + nfsd4_open+0x2d1/0x9d0 + nfsd4_proc_compound+0x7a2/0xe30 + nfsd_dispatch+0x241/0x3e0 + svc_process_common+0x5d3/0xcc0 + svc_process+0x2a3/0x320 + nfsd+0x180/0x2e0 + kthread+0x199/0x1d0 + ret_from_fork+0x30/0x50 + ret_from_fork_asm+0x1b/0x30 +unreferenced object 0xffff8881499f4d28 (size 368): + comm "nfsd", pid 2761, jiffies 4295044005 (age 5541.239s) + hex dump (first 32 bytes): + 01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff ........0M.I.... + 30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00 0M.I.... ....... 
+ backtrace: + kmem_cache_alloc+0x4b9/0x700 + nfs4_alloc_stid+0x29/0x210 + alloc_init_deleg+0x92/0x2e0 + nfs4_set_delegation+0x284/0xc00 + nfs4_open_delegation+0x216/0x3f0 + nfsd4_process_open2+0x2b3/0xee0 + nfsd4_open+0x770/0x9d0 + nfsd4_proc_compound+0x7a2/0xe30 + nfsd_dispatch+0x241/0x3e0 + svc_process_common+0x5d3/0xcc0 + svc_process+0x2a3/0x320 + nfsd+0x180/0x2e0 + kthread+0x199/0x1d0 + ret_from_fork+0x30/0x50 + ret_from_fork_asm+0x1b/0x30 +Fix it by checking the result of nfsd4_run_cb and call nfs4_put_stid if +fail to queue dl_recall. + +Cc: stable@vger.kernel.org +Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com> +Reviewed-by: Jeff Layton <jlayton@kernel.org> +Signed-off-by: Chuck Lever <chuck.lever@oracle.com> +--- + fs/nfsd/nfs4state.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -1050,6 +1050,12 @@ static struct nfs4_ol_stateid * nfs4_all + return openlockstateid(stid); + } + ++/* ++ * As the sc_free callback of deleg, this may be called by nfs4_put_stid ++ * in nfsd_break_one_deleg. ++ * Considering nfsd_break_one_deleg is called with the flc->flc_lock held, ++ * this function mustn't ever sleep. ++ */ + static void nfs4_free_deleg(struct nfs4_stid *stid) + { + struct nfs4_delegation *dp = delegstateid(stid); +@@ -5414,6 +5420,7 @@ static const struct nfsd4_callback_ops n + + static void nfsd_break_one_deleg(struct nfs4_delegation *dp) + { ++ bool queued; + /* + * We're assuming the state code never drops its reference + * without first removing the lease. Since we're in this lease +@@ -5422,7 +5429,10 @@ static void nfsd_break_one_deleg(struct + * we know it's safe to take a reference. + */ + refcount_inc(&dp->dl_stid.sc_count); +- WARN_ON_ONCE(!nfsd4_run_cb(&dp->dl_recall)); ++ queued = nfsd4_run_cb(&dp->dl_recall); ++ WARN_ON_ONCE(!queued); ++ if (!queued) ++ nfs4_put_stid(&dp->dl_stid); + } + + /* Called from break_lease() with flc_lock held. */ 
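Review bot: In nfsd_break_one_deleg() the failure condition is tested twice, once for the warning and once for the put. WARN_ON_ONCE() evaluates to its condition, so `if (WARN_ON_ONCE(!nfsd4_run_cb(&dp->dl_recall))) nfs4_put_stid(&dp->dl_stid);` does the same without the `queued` local. The comment added on nfs4_free_deleg() says it must never sleep because this put can run with flc_lock held. nfs4_put_stid() itself is not part of the patch, so it is worth confirming that the rest of its release path meets the same constraint.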
diff --git a/debian/patches/patchset-pf/nfs/0008-NFSD-Add-a-Kconfig-setting-to-enable-delegated-times.patch b/debian/patches/patchset-pf/nfs/0008-NFSD-Add-a-Kconfig-setting-to-enable-delegated-times.patch
new file mode 100644
index 0000000..6fa4f8d
--- /dev/null
+++ b/debian/patches/patchset-pf/nfs/0008-NFSD-Add-a-Kconfig-setting-to-enable-delegated-times.patch
@@ -0,0 +1,74 @@
+From 26d356ebfcd275f01c22349404676755dd36a4c4 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Tue, 11 Mar 2025 23:06:38 -0400
+Subject: NFSD: Add a Kconfig setting to enable delegated timestamps
+
+After three tries, we still see test failures with delegated
+timestamps. Disable them by default, but leave the implementation
+intact so that development can continue.
+
+Cc: stable@vger.kernel.org # v6.14
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+---
+ fs/nfsd/Kconfig | 12 +++++++++++-
+ fs/nfsd/nfs4state.c | 16 ++++++++++++++--
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+--- a/fs/nfsd/Kconfig
++++ b/fs/nfsd/Kconfig
+@@ -172,6 +172,16 @@ config NFSD_LEGACY_CLIENT_TRACKING
+ recoverydir, or spawn a process directly using a usermodehelper
+ upcall.
+
+- These legacy client tracking methods have proven to be probelmatic
++ These legacy client tracking methods have proven to be problematic
+ and will be removed in the future. Say Y here if you need support
+ for them in the interim.
++
++config NFSD_V4_DELEG_TIMESTAMPS
++ bool "Support delegated timestamps"
++ depends on NFSD_V4
++ default n
++ help
++ NFSD implements delegated timestamps according to
++ draft-ietf-nfsv4-delstid-08 "Extending the Opening of Files". This
++ is currently an experimental feature and is therefore left disabled
++ by default.
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -5958,11 +5958,23 @@ nfsd4_verify_setuid_write(struct nfsd4_o
+ return 0;
+ }
+
++#ifdef CONFIG_NFSD_V4_DELEG_TIMESTAMPS
++static bool nfsd4_want_deleg_timestamps(const struct nfsd4_open *open)
++{
++ return open->op_deleg_want & OPEN4_SHARE_ACCESS_WANT_DELEG_TIMESTAMPS;
++}
++#else /* CONFIG_NFSD_V4_DELEG_TIMESTAMPS */
++static bool nfsd4_want_deleg_timestamps(const struct nfsd4_open *open)
++{
++ return false;
++}
++#endif /* CONFIG NFSD_V4_DELEG_TIMESTAMPS */
++
+ static struct nfs4_delegation *
+ nfs4_set_delegation(struct nfsd4_open *open, struct nfs4_ol_stateid *stp,
+ struct svc_fh *parent)
+ {
+- bool deleg_ts = open->op_deleg_want & OPEN4_SHARE_ACCESS_WANT_DELEG_TIMESTAMPS;
++ bool deleg_ts = nfsd4_want_deleg_timestamps(open);
+ struct nfs4_client *clp = stp->st_stid.sc_client;
+ struct nfs4_file *fp = stp->st_stid.sc_file;
+ struct nfs4_clnt_odstate *odstate = stp->st_clnt_odstate;
+@@ -6161,8 +6173,8 @@ static void
+ nfs4_open_delegation(struct nfsd4_open *open, struct nfs4_ol_stateid *stp,
+ struct svc_fh *currentfh)
+ {
+- bool deleg_ts = open->op_deleg_want & OPEN4_SHARE_ACCESS_WANT_DELEG_TIMESTAMPS;
+ struct nfs4_openowner *oo = openowner(stp->st_stateowner);
++ bool deleg_ts = nfsd4_want_deleg_timestamps(open);
+ struct nfs4_client *clp = stp->st_stid.sc_client;
+ struct svc_fh *parent = NULL;
+ struct nfs4_delegation *dp;
diff --git a/debian/patches/patchset-pf/smb/0001-cifs-avoid-NULL-pointer-dereference-in-dbg-call.patch b/debian/patches/patchset-pf/smb/0001-cifs-avoid-NULL-pointer-dereference-in-dbg-call.patch
new file mode 100644
index 0000000..0fe7503
--- /dev/null
+++ b/debian/patches/patchset-pf/smb/0001-cifs-avoid-NULL-pointer-dereference-in-dbg-call.patch
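Review bot: The closing `#endif /* CONFIG NFSD_V4_DELEG_TIMESTAMPS */` in the nfs4state.c part drops the underscore after CONFIG, so a search for the symbol misses it; it should read `#endif /* CONFIG_NFSD_V4_DELEG_TIMESTAMPS */`. With the option off, the stub returns false and both call sites ignore the client's OPEN4_SHARE_ACCESS_WANT_DELEG_TIMESTAMPS bit, which deserves a one-line comment above the stub such as `/* Delegated timestamps compiled out: the client's request is ignored. */`. In the Kconfig entry, `default n` restates the implicit default and can be dropped. The bodies of nfs4_set_delegation() and nfs4_open_delegation() continue outside the hunks.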
@@ -0,0 +1,37 @@
+From c1a019d5fef8266e444159bc2bdaf9a5c9c7ef76 Mon Sep 17 00:00:00 2001
+From: Alexandra Diupina <adiupina@astralinux.ru>
+Date: Wed, 19 Mar 2025 17:28:58 +0300
+Subject: cifs: avoid NULL pointer dereference in dbg call
+
+cifs_server_dbg() implies server to be non-NULL so
+move call under condition to avoid NULL pointer dereference.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: e79b0332ae06 ("cifs: ignore cached share root handle closing errors")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/client/smb2misc.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/smb/client/smb2misc.c
++++ b/fs/smb/client/smb2misc.c
+@@ -816,11 +816,12 @@ smb2_handle_cancelled_close(struct cifs_
+ WARN_ONCE(tcon->tc_count < 0, "tcon refcount is negative");
+ spin_unlock(&cifs_tcp_ses_lock);
+
+- if (tcon->ses)
++ if (tcon->ses) {
+ server = tcon->ses->server;
+-
+- cifs_server_dbg(FYI, "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n",
+- tcon->tid, persistent_fid, volatile_fid);
++ cifs_server_dbg(FYI,
++ "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n",
++ tcon->tid, persistent_fid, volatile_fid);
++ }
+
+ return 0;
+ }
diff --git a/debian/patches/patchset-pf/smb/0002-ksmbd-add-bounds-check-for-durable-handle-context.patch b/debian/patches/patchset-pf/smb/0002-ksmbd-add-bounds-check-for-durable-handle-context.patch
new file mode 100644
index 0000000..eb0ffc8
--- /dev/null
+++ b/debian/patches/patchset-pf/smb/0002-ksmbd-add-bounds-check-for-durable-handle-context.patch
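Review bot: With the debug call moved inside `if (tcon->ses)`, a tcon that has no session now returns without any log line, so that state can no longer be seen when debugging a skipped close retry. If it is worth diagnosing, an `else` branch using `cifs_dbg(FYI, "tid=0x%x: tcon is closing, no session\n", tcon->tid);` would keep it visible without touching `server`. `tcon->ses` is also read after `spin_unlock(&cifs_tcp_ses_lock)`; whether a reference taken earlier in smb2_handle_cancelled_close() keeps it stable is not visible here, since the function starts outside the hunk.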
@@ -0,0 +1,60 @@
+From 750b72183e7f3d9dc775540cee41c0c06d2c1da4 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 14 Mar 2025 18:21:47 +0900
+Subject: ksmbd: add bounds check for durable handle context
+
+Add missing bounds check for durable handle context.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/server/smb2pdu.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -2708,6 +2708,13 @@ static int parse_durable_handle_context(
+ goto out;
+ }
+
++ if (le16_to_cpu(context->DataOffset) +
++ le32_to_cpu(context->DataLength) <
++ sizeof(struct create_durable_reconn_v2_req)) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ recon_v2 = (struct create_durable_reconn_v2_req *)context;
+ persistent_id = recon_v2->Fid.PersistentFileId;
+ dh_info->fp = ksmbd_lookup_durable_fd(persistent_id);
+@@ -2741,6 +2748,13 @@ static int parse_durable_handle_context(
+ goto out;
+ }
+
++ if (le16_to_cpu(context->DataOffset) +
++ le32_to_cpu(context->DataLength) <
++ sizeof(struct create_durable_reconn_req)) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ recon = (struct create_durable_reconn_req *)context;
+ persistent_id = recon->Data.Fid.PersistentFileId;
+ dh_info->fp = ksmbd_lookup_durable_fd(persistent_id);
+@@ -2765,6 +2779,13 @@ static int parse_durable_handle_context(
+ err = -EINVAL;
+ goto out;
+ }
++
++ if (le16_to_cpu(context->DataOffset) +
++ le32_to_cpu(context->DataLength) <
++ sizeof(struct create_durable_req_v2)) {
++ err = -EINVAL;
++ goto out;
++ }
+
+ durable_v2_blob =
+ (struct create_durable_req_v2 *)context;
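Review bot: The same three-line size test is pasted into three branches of parse_durable_handle_context() with no comment on what the sum means, and it is only a lower bound: it shows the context declares enough bytes for the structure, not that those bytes lie inside the received request. That upper bound presumably comes from the code that locates the context, which is outside these hunks, and the new check should say so. A small helper would state the rule once and widen the sum so that a 32-bit wrap cannot cause a spurious reject. The create-lease checks in patch 0004 of this series use the same expression and could share it.

```c
/*
 * True when the context's declared data extent covers a structure of
 * @need bytes. The caller must already have checked that the context
 * itself lies inside the request buffer.
 */
static bool create_ctx_covers(const struct create_context *cc, size_t need)
{
	return (u64)le16_to_cpu(cc->DataOffset) +
	       le32_to_cpu(cc->DataLength) >= need;
}

/* … unchanged: durable reconnect v2 lookup and duplicate-context check … */
	if (!create_ctx_covers(context,
			       sizeof(struct create_durable_reconn_v2_req))) {
		err = -EINVAL;
		goto out;
	}
```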
diff --git a/debian/patches/patchset-pf/smb/0003-CIFS-Propagate-min-offload-along-with-other-paramete.patch b/debian/patches/patchset-pf/smb/0003-CIFS-Propagate-min-offload-along-with-other-paramete.patch
new file mode 100644
index 0000000..a106750
--- /dev/null
+++ b/debian/patches/patchset-pf/smb/0003-CIFS-Propagate-min-offload-along-with-other-paramete.patch
@@ -0,0 +1,59 @@ +From 419b06f0ca7662c17a026ab0117ba9887dbd0477 Mon Sep 17 00:00:00 2001 +From: Aman <aman1@microsoft.com> +Date: Thu, 6 Mar 2025 17:46:43 +0000 +Subject: CIFS: Propagate min offload along with other parameters from primary + to secondary channels. + +In a multichannel setup, it was observed that a few fields were not being +copied over to the secondary channels, which impacted performance in cases +where these options were relevant but not properly synchronized. To address +this, this patch introduces copying the following parameters from the +primary channel to the secondary channels: + +- min_offload +- compression.requested +- dfs_conn +- ignore_signature +- leaf_fullpath +- noblockcnt +- retrans +- sign + +By copying these parameters, we ensure consistency across channels and +prevent performance degradation due to missing or outdated settings. + +Cc: stable@vger.kernel.org +Signed-off-by: Aman <aman1@microsoft.com> +Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com> +Signed-off-by: Steve French <stfrench@microsoft.com> +--- + fs/smb/client/connect.c | 1 + + fs/smb/client/sess.c | 7 +++++++ + 2 files changed, 8 insertions(+) + +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -1676,6 +1676,7 @@ cifs_get_tcp_session(struct smb3_fs_cont + /* Grab netns reference for this server. 
*/ + cifs_set_net_ns(tcp_ses, get_net(current->nsproxy->net_ns)); + ++ tcp_ses->sign = ctx->sign; + tcp_ses->conn_id = atomic_inc_return(&tcpSesNextId); + tcp_ses->noblockcnt = ctx->rootfs; + tcp_ses->noblocksnd = ctx->noblocksnd || ctx->rootfs; +--- a/fs/smb/client/sess.c ++++ b/fs/smb/client/sess.c +@@ -522,6 +522,13 @@ cifs_ses_add_channel(struct cifs_ses *se + ctx->sockopt_tcp_nodelay = ses->server->tcp_nodelay; + ctx->echo_interval = ses->server->echo_interval / HZ; + ctx->max_credits = ses->server->max_credits; ++ ctx->min_offload = ses->server->min_offload; ++ ctx->compress = ses->server->compression.requested; ++ ctx->dfs_conn = ses->server->dfs_conn; ++ ctx->ignore_signature = ses->server->ignore_signature; ++ ctx->leaf_fullpath = ses->server->leaf_fullpath; ++ ctx->rootfs = ses->server->noblockcnt; ++ ctx->retrans = ses->server->retrans; + + /* + * This will be used for encoding/decoding user/domain/pw diff --git a/debian/patches/patchset-pf/smb/0004-ksmbd-add-bounds-check-for-create-lease-context.patch b/debian/patches/patchset-pf/smb/0004-ksmbd-add-bounds-check-for-create-lease-context.patch new file mode 100644 index 0000000..5461fcb --- /dev/null +++ b/debian/patches/patchset-pf/smb/0004-ksmbd-add-bounds-check-for-create-lease-context.patch 
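Review bot: `ctx->leaf_fullpath = ses->server->leaf_fullpath;` in the sess.c hunk copies the pointer rather than the string, so the temporary context and the primary server alias one buffer. That is safe only if nothing on the channel-setup or cleanup path frees or replaces `ctx->leaf_fullpath`; the release of `ctx` is outside the hunk, so a comment such as `/* borrowed from the primary server, not freed with ctx */` should record the ownership. The description frames the change as a performance fix, but `sign` and `ignore_signature` decide whether secondary channels require and verify signing, which is worth stating for anyone triaging the backport. The body of cifs_ses_add_channel() continues outside the hunk.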
@@ -0,0 +1,41 @@
+From df179d4868b57eb8bcd7587559164178f17f0747 Mon Sep 17 00:00:00 2001
+From: Norbert Szetei <norbert@doyensec.com>
+Date: Sat, 15 Mar 2025 12:19:28 +0900
+Subject: ksmbd: add bounds check for create lease context
+
+Add missing bounds check for create lease context.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/server/oplock.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/smb/server/oplock.c
++++ b/fs/smb/server/oplock.c
+@@ -1505,6 +1505,10 @@ struct lease_ctx_info *parse_lease_state
+ if (sizeof(struct lease_context_v2) == le32_to_cpu(cc->DataLength)) {
+ struct create_lease_v2 *lc = (struct create_lease_v2 *)cc;
+
++ if (le16_to_cpu(cc->DataOffset) + le32_to_cpu(cc->DataLength) <
++ sizeof(struct create_lease_v2) - 4)
++ return NULL;
++
+ memcpy(lreq->lease_key, lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
+ lreq->req_state = lc->lcontext.LeaseState;
+ lreq->flags = lc->lcontext.LeaseFlags;
+@@ -1517,6 +1521,10 @@ struct lease_ctx_info *parse_lease_state
+ } else {
+ struct create_lease *lc = (struct create_lease *)cc;
+
++ if (le16_to_cpu(cc->DataOffset) + le32_to_cpu(cc->DataLength) <
++ sizeof(struct create_lease))
++ return NULL;
++
+ memcpy(lreq->lease_key, lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
+ lreq->req_state = lc->lcontext.LeaseState;
+ lreq->flags = lc->lcontext.LeaseFlags;
diff --git a/debian/patches/patchset-pf/smb/0005-ksmbd-fix-use-after-free-in-ksmbd_sessions_deregiste.patch b/debian/patches/patchset-pf/smb/0005-ksmbd-fix-use-after-free-in-ksmbd_sessions_deregiste.patch
new file mode 100644
index 0000000..325e6df
--- /dev/null
+++ b/debian/patches/patchset-pf/smb/0005-ksmbd-fix-use-after-free-in-ksmbd_sessions_deregiste.patch
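Review bot: Both new `return NULL;` exits sit immediately before code that writes through `lreq`, so `lreq` is already a live object at that point. If it was allocated earlier in parse_lease_state() (the allocation is outside the hunks), these early returns leak it on every rejected request, which a remote client can trigger repeatedly. Assuming a kmalloc-family allocation, the exits should release it first, e.g. `kfree(lreq); return NULL;`, or jump to a shared error label. Separately, the v2 branch compares against `sizeof(struct create_lease_v2) - 4` with no explanation of the 4, while the v1 branch uses the plain sizeof; a comment or named constant would make that reviewable.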
@@ -0,0 +1,31 @@
+From d72853120541d47779616db780a15a42afe4ad9b Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Sat, 22 Mar 2025 09:20:19 +0900
+Subject: ksmbd: fix use-after-free in ksmbd_sessions_deregister()
+
+In multichannel mode, UAF issue can occur in session_deregister
+when the second channel sets up a session through the connection of
+the first channel. session that is freed through the global session
+table can be accessed again through ->sessions of connection.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/server/mgmt/user_session.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/smb/server/mgmt/user_session.c
++++ b/fs/smb/server/mgmt/user_session.c
+@@ -230,6 +230,9 @@ void ksmbd_sessions_deregister(struct ks
+ if (!ksmbd_chann_del(conn, sess) &&
+ xa_empty(&sess->ksmbd_chann_list)) {
+ hash_del(&sess->hlist);
++ down_write(&conn->session_lock);
++ xa_erase(&conn->sessions, sess->id);
++ up_write(&conn->session_lock);
+ ksmbd_session_destroy(sess);
+ }
+ }
diff --git a/debian/patches/patchset-pf/smb/0006-cifs-fix-integer-overflow-in-match_server.patch b/debian/patches/patchset-pf/smb/0006-cifs-fix-integer-overflow-in-match_server.patch
new file mode 100644
index 0000000..615abb7
--- /dev/null
+++ b/debian/patches/patchset-pf/smb/0006-cifs-fix-integer-overflow-in-match_server.patch
@@ -0,0 +1,36 @@
+From 87a17042db9d288d1c5bf3eac2a31bd3315a8cd0 Mon Sep 17 00:00:00 2001
+From: Roman Smirnov <r.smirnov@omp.ru>
+Date: Mon, 31 Mar 2025 11:22:49 +0300
+Subject: cifs: fix integer overflow in match_server()
+
+The echo_interval is not limited in any way during mounting,
+which makes it possible to write a large number to it. This can
+cause an overflow when multiplying ctx->echo_interval by HZ in
+match_server().
+
+Add constraints for echo_interval to smb3_fs_context_parse_param().
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+Fixes: adfeb3e00e8e1 ("cifs: Make echo interval tunable")
+Cc: stable@vger.kernel.org
+Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/client/fs_context.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -1377,6 +1377,11 @@ static int smb3_fs_context_parse_param(s
+ ctx->closetimeo = HZ * result.uint_32;
+ break;
+ case Opt_echo_interval:
++ if (result.uint_32 < SMB_ECHO_INTERVAL_MIN ||
++ result.uint_32 > SMB_ECHO_INTERVAL_MAX) {
++ cifs_errorf(fc, "echo interval is out of bounds\n");
++ goto cifs_parse_mount_err;
++ }
+ ctx->echo_interval = result.uint_32;
+ break;
+ case Opt_snapshot:
diff --git a/debian/patches/patchset-pf/smb/0007-ksmbd-fix-session-use-after-free-in-multichannel-con.patch b/debian/patches/patchset-pf/smb/0007-ksmbd-fix-session-use-after-free-in-multichannel-con.patch
new file mode 100644
index 0000000..cf8d0fb
--- /dev/null
+++ b/debian/patches/patchset-pf/smb/0007-ksmbd-fix-session-use-after-free-in-multichannel-con.patch
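Review bot: `cifs_errorf(fc, "echo interval is out of bounds\n")` rejects the mount without saying what the bounds are, and mounts that previously succeeded with an out-of-range `echo_interval` will now fail. Printing the limits tells the administrator what to change, e.g. `cifs_errorf(fc, "echo interval must be between %d and %d\n", SMB_ECHO_INTERVAL_MIN, SMB_ECHO_INTERVAL_MAX);` (format specifiers to be matched to how the two constants are defined). The context line `ctx->closetimeo = HZ * result.uint_32;` has the same multiply-by-HZ shape; whether it is bounded just above is not visible in this hunk and is worth confirming. smb3_fs_context_parse_param() continues outside the hunk.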
@@ -0,0 +1,105 @@ +From 13cf611fba8e4bcb60b66abb0c2a2456d7863c18 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon <linkinjeon@kernel.org> +Date: Thu, 27 Mar 2025 21:22:51 +0900 +Subject: ksmbd: fix session use-after-free in multichannel connection + +There is a race condition between session setup and +ksmbd_sessions_deregister. The session can be freed before the connection +is added to channel list of session. +This patch check reference count of session before freeing it. + +Cc: stable@vger.kernel.org +Reported-by: Sean Heelan <seanheelan@gmail.com> +Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> +Signed-off-by: Steve French <stfrench@microsoft.com> +--- + fs/smb/server/auth.c | 4 ++-- + fs/smb/server/mgmt/user_session.c | 14 ++++++++------ + fs/smb/server/smb2pdu.c | 7 ++++--- + 3 files changed, 14 insertions(+), 11 deletions(-) + +--- a/fs/smb/server/auth.c ++++ b/fs/smb/server/auth.c +@@ -1016,9 +1016,9 @@ static int ksmbd_get_encryption_key(stru + + ses_enc_key = enc ? sess->smb3encryptionkey : + sess->smb3decryptionkey; +- if (enc) +- ksmbd_user_session_get(sess); + memcpy(key, ses_enc_key, SMB3_ENC_DEC_KEY_SIZE); ++ if (!enc) ++ ksmbd_user_session_put(sess); + + return 0; + } +--- a/fs/smb/server/mgmt/user_session.c ++++ b/fs/smb/server/mgmt/user_session.c +@@ -181,7 +181,7 @@ static void ksmbd_expire_session(struct + down_write(&sessions_table_lock); + down_write(&conn->session_lock); + xa_for_each(&conn->sessions, id, sess) { +- if (atomic_read(&sess->refcnt) == 0 && ++ if (atomic_read(&sess->refcnt) <= 1 && + (sess->state != SMB2_SESSION_VALID || + time_after(jiffies, + sess->last_active + SMB2_SESSION_TIMEOUT))) { +@@ -233,7 +233,8 @@ void ksmbd_sessions_deregister(struct ks + down_write(&conn->session_lock); + xa_erase(&conn->sessions, sess->id); + up_write(&conn->session_lock); +- ksmbd_session_destroy(sess); ++ if (atomic_dec_and_test(&sess->refcnt)) ++ ksmbd_session_destroy(sess); + } + } + } +@@ -252,7 +253,8 @@ void 
ksmbd_sessions_deregister(struct ks + if (xa_empty(&sess->ksmbd_chann_list)) { + xa_erase(&conn->sessions, sess->id); + hash_del(&sess->hlist); +- ksmbd_session_destroy(sess); ++ if (atomic_dec_and_test(&sess->refcnt)) ++ ksmbd_session_destroy(sess); + } + } + up_write(&conn->session_lock); +@@ -312,8 +314,8 @@ void ksmbd_user_session_put(struct ksmbd + + if (atomic_read(&sess->refcnt) <= 0) + WARN_ON(1); +- else +- atomic_dec(&sess->refcnt); ++ else if (atomic_dec_and_test(&sess->refcnt)) ++ ksmbd_session_destroy(sess); + } + + struct preauth_session *ksmbd_preauth_session_alloc(struct ksmbd_conn *conn, +@@ -420,7 +422,7 @@ static struct ksmbd_session *__session_c + xa_init(&sess->rpc_handle_list); + sess->sequence_number = 1; + rwlock_init(&sess->tree_conns_lock); +- atomic_set(&sess->refcnt, 1); ++ atomic_set(&sess->refcnt, 2); + + ret = __init_smb2_session(sess); + if (ret) +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -2239,13 +2239,14 @@ int smb2_session_logoff(struct ksmbd_wor + return -ENOENT; + } + +- ksmbd_destroy_file_table(&sess->file_table); + down_write(&conn->session_lock); + sess->state = SMB2_SESSION_EXPIRED; + up_write(&conn->session_lock); + +- ksmbd_free_user(sess->user); +- sess->user = NULL; ++ if (sess->user) { ++ ksmbd_free_user(sess->user); ++ sess->user = NULL; ++ } + ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_NEGOTIATE); + + rsp->StructureSize = cpu_to_le16(4); diff --git a/debian/patches/patchset-pf/smb/0008-ksmbd-fix-overflow-in-dacloffset-bounds-check.patch b/debian/patches/patchset-pf/smb/0008-ksmbd-fix-overflow-in-dacloffset-bounds-check.patch new file mode 100644 index 0000000..34fdcbc --- /dev/null +++ b/debian/patches/patchset-pf/smb/0008-ksmbd-fix-overflow-in-dacloffset-bounds-check.patch 
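Review bot: In the smb2_session_logoff hunk, `ksmbd_free_user(sess->user)` still runs after `conn->session_lock` has been released, and the added `if (sess->user)` test only guards against a NULL pointer, not against another connection bound to the same session that is still reading `sess->user`. With the reference counting this patch introduces, the session now outlives logoff until the last put, so the user object can be released at that point instead. If session teardown already frees it (not visible here), the logoff path should leave `sess->user` alone. Separately, `atomic_set(&sess->refcnt, 2)` and the `<= 1` test in ksmbd_expire_session() encode an ownership rule that is not written down; a comment at the initialisation, for example `/* one reference for the session table, one for the caller */` if that is the intended split, would make later changes safer.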
@@ -0,0 +1,70 @@ +From 3fe0cc7e4d24b0a152798ec17ceed4156fe96033 Mon Sep 17 00:00:00 2001 +From: Norbert Szetei <norbert@doyensec.com> +Date: Sat, 29 Mar 2025 06:58:15 +0000 +Subject: ksmbd: fix overflow in dacloffset bounds check + +The dacloffset field was originally typed as int and used in an +unchecked addition, which could overflow and bypass the existing +bounds check in both smb_check_perm_dacl() and smb_inherit_dacl(). + +This could result in out-of-bounds memory access and a kernel crash +when dereferencing the DACL pointer. + +This patch converts dacloffset to unsigned int and uses +check_add_overflow() to validate access to the DACL. + +Cc: stable@vger.kernel.org +Signed-off-by: Norbert Szetei <norbert@doyensec.com> +Acked-by: Namjae Jeon <linkinjeon@kernel.org> +Signed-off-by: Steve French <stfrench@microsoft.com> +--- + fs/smb/server/smbacl.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/fs/smb/server/smbacl.c ++++ b/fs/smb/server/smbacl.c +@@ -1026,7 +1026,9 @@ int smb_inherit_dacl(struct ksmbd_conn * + struct dentry *parent = path->dentry->d_parent; + struct mnt_idmap *idmap = mnt_idmap(path->mnt); + int inherited_flags = 0, flags = 0, i, nt_size = 0, pdacl_size; +- int rc = 0, dacloffset, pntsd_type, pntsd_size, acl_len, aces_size; ++ int rc = 0, pntsd_type, pntsd_size, acl_len, aces_size; ++ unsigned int dacloffset; ++ size_t dacl_struct_end; + u16 num_aces, ace_cnt = 0; + char *aces_base; + bool is_dir = S_ISDIR(d_inode(path->dentry)->i_mode); +@@ -1035,8 +1037,11 @@ int smb_inherit_dacl(struct ksmbd_conn * + parent, &parent_pntsd); + if (pntsd_size <= 0) + return -ENOENT; ++ + dacloffset = le32_to_cpu(parent_pntsd->dacloffset); +- if (!dacloffset || (dacloffset + sizeof(struct smb_acl) > pntsd_size)) { ++ if (!dacloffset || ++ check_add_overflow(dacloffset, sizeof(struct smb_acl), &dacl_struct_end) || ++ dacl_struct_end > (size_t)pntsd_size) { + rc = -EINVAL; + goto free_parent_pntsd; + } +@@ -1240,7 +1245,9 @@ 
int smb_check_perm_dacl(struct ksmbd_con + struct smb_ntsd *pntsd = NULL; + struct smb_acl *pdacl; + struct posix_acl *posix_acls; +- int rc = 0, pntsd_size, acl_size, aces_size, pdacl_size, dacl_offset; ++ int rc = 0, pntsd_size, acl_size, aces_size, pdacl_size; ++ unsigned int dacl_offset; ++ size_t dacl_struct_end; + struct smb_sid sid; + int granted = le32_to_cpu(*pdaccess & ~FILE_MAXIMAL_ACCESS_LE); + struct smb_ace *ace; +@@ -1259,7 +1266,8 @@ int smb_check_perm_dacl(struct ksmbd_con + + dacl_offset = le32_to_cpu(pntsd->dacloffset); + if (!dacl_offset || +- (dacl_offset + sizeof(struct smb_acl) > pntsd_size)) ++ check_add_overflow(dacl_offset, sizeof(struct smb_acl), &dacl_struct_end) || ++ dacl_struct_end > (size_t)pntsd_size) + goto err_out; + + pdacl = (struct smb_acl *)((char *)pntsd + le32_to_cpu(pntsd->dacloffset)); diff --git a/debian/patches/patchset-pf/smb/0009-ksmbd-validate-zero-num_subauth-before-sub_auth-is-a.patch b/debian/patches/patchset-pf/smb/0009-ksmbd-validate-zero-num_subauth-before-sub_auth-is-a.patch new file mode 100644 index 0000000..5c9f3b2 --- /dev/null +++ b/debian/patches/patchset-pf/smb/0009-ksmbd-validate-zero-num_subauth-before-sub_auth-is-a.patch 
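Review bot: In smb_check_perm_dacl() the pointer is still built as `(char *)pntsd + le32_to_cpu(pntsd->dacloffset)`, re-reading the field instead of using the `dacl_offset` value that was just validated. `pdacl = (struct smb_acl *)((char *)pntsd + dacl_offset);` ties the check and the use to the same value. The new comparison also casts `pntsd_size` to size_t, which turns a negative size into a very large bound. smb_inherit_dacl() rejects `pntsd_size <= 0` first, but the equivalent guard in smb_check_perm_dacl() is not visible in this hunk and should be confirmed. Both function bodies continue outside the hunks.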
@@ -0,0 +1,32 @@
+From 0cf6aa54e0b5dbd9b1835a3b9f13a154216a7422 Mon Sep 17 00:00:00 2001
+From: Norbert Szetei <norbert@doyensec.com>
+Date: Sat, 29 Mar 2025 16:06:01 +0000
+Subject: ksmbd: validate zero num_subauth before sub_auth is accessed
+
+Access psid->sub_auth[psid->num_subauth - 1] without checking
+if num_subauth is non-zero leads to an out-of-bounds read.
+This patch adds a validation step to ensure num_subauth != 0
+before sub_auth is accessed.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Norbert Szetei <norbert@doyensec.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+---
+ fs/smb/server/smbacl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/smb/server/smbacl.c
++++ b/fs/smb/server/smbacl.c
+@@ -270,6 +270,11 @@ static int sid_to_id(struct mnt_idmap *i
+ return -EIO;
+ }
+
++ if (psid->num_subauth == 0) {
++ pr_err("%s: zero subauthorities!\n", __func__);
++ return -EIO;
++ }
++
+ if (sidtype == SIDOWNER) {
+ kuid_t uid;
+ uid_t id;
diff --git a/debian/patches/patchset-pf/smb/0010-ksmbd-fix-null-pointer-dereference-in-alloc_preauth_.patch b/debian/patches/patchset-pf/smb/0010-ksmbd-fix-null-pointer-dereference-in-alloc_preauth_.patch
new file mode 100644
index 0000000..5879134
--- /dev/null
+++ b/debian/patches/patchset-pf/smb/0010-ksmbd-fix-null-pointer-dereference-in-alloc_preauth_.patch
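Review bot: The new `pr_err("%s: zero subauthorities!\n", __func__)` fires on a field of the SID being parsed, which presumably comes from a client-supplied security descriptor, so a peer that repeats the request can fill the kernel log at will. `pr_err_ratelimited("%s: zero subauthorities!\n", __func__);` keeps the diagnostic while bounding its volume. A short comment above the check noting that `sub_auth[num_subauth - 1]` is read further down would explain why zero has to be rejected here. sid_to_id() starts and ends outside the hunk.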
@@ -0,0 +1,125 @@ +From 21715f2a6462476a4196725e436c4b0d968390ce Mon Sep 17 00:00:00 2001 +From: Namjae Jeon <linkinjeon@kernel.org> +Date: Wed, 2 Apr 2025 09:11:23 +0900 +Subject: ksmbd: fix null pointer dereference in alloc_preauth_hash() + +The Client send malformed smb2 negotiate request. ksmbd return error +response. Subsequently, the client can send smb2 session setup even +thought conn->preauth_info is not allocated. +This patch add KSMBD_SESS_NEED_SETUP status of connection to ignore +session setup request if smb2 negotiate phase is not complete. + +Cc: stable@vger.kernel.org +Tested-by: Steve French <stfrench@microsoft.com> +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-26505 +Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> +Signed-off-by: Steve French <stfrench@microsoft.com> +--- + fs/smb/server/connection.h | 11 +++++++++++ + fs/smb/server/mgmt/user_session.c | 4 ++-- + fs/smb/server/smb2pdu.c | 14 +++++++++++--- + 3 files changed, 24 insertions(+), 5 deletions(-) + +--- a/fs/smb/server/connection.h ++++ b/fs/smb/server/connection.h +@@ -27,6 +27,7 @@ enum { + KSMBD_SESS_EXITING, + KSMBD_SESS_NEED_RECONNECT, + KSMBD_SESS_NEED_NEGOTIATE, ++ KSMBD_SESS_NEED_SETUP, + KSMBD_SESS_RELEASING + }; + +@@ -187,6 +188,11 @@ static inline bool ksmbd_conn_need_negot + return READ_ONCE(conn->status) == KSMBD_SESS_NEED_NEGOTIATE; + } + ++static inline bool ksmbd_conn_need_setup(struct ksmbd_conn *conn) ++{ ++ return READ_ONCE(conn->status) == KSMBD_SESS_NEED_SETUP; ++} ++ + static inline bool ksmbd_conn_need_reconnect(struct ksmbd_conn *conn) + { + return READ_ONCE(conn->status) == KSMBD_SESS_NEED_RECONNECT; +@@ -217,6 +223,11 @@ static inline void ksmbd_conn_set_need_n + WRITE_ONCE(conn->status, KSMBD_SESS_NEED_NEGOTIATE); + } + ++static inline void ksmbd_conn_set_need_setup(struct ksmbd_conn *conn) ++{ ++ WRITE_ONCE(conn->status, KSMBD_SESS_NEED_SETUP); ++} ++ + static inline void ksmbd_conn_set_need_reconnect(struct ksmbd_conn *conn) + { + 
WRITE_ONCE(conn->status, KSMBD_SESS_NEED_RECONNECT); +--- a/fs/smb/server/mgmt/user_session.c ++++ b/fs/smb/server/mgmt/user_session.c +@@ -358,13 +358,13 @@ void destroy_previous_session(struct ksm + ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_RECONNECT); + err = ksmbd_conn_wait_idle_sess_id(conn, id); + if (err) { +- ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE); ++ ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_SETUP); + goto out; + } + + ksmbd_destroy_file_table(&prev_sess->file_table); + prev_sess->state = SMB2_SESSION_EXPIRED; +- ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE); ++ ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_SETUP); + ksmbd_launch_ksmbd_durable_scavenger(); + out: + up_write(&conn->session_lock); +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -1249,7 +1249,7 @@ int smb2_handle_negotiate(struct ksmbd_w + } + + conn->srv_sec_mode = le16_to_cpu(rsp->SecurityMode); +- ksmbd_conn_set_need_negotiate(conn); ++ ksmbd_conn_set_need_setup(conn); + + err_out: + ksmbd_conn_unlock(conn); +@@ -1271,6 +1271,9 @@ static int alloc_preauth_hash(struct ksm + if (sess->Preauth_HashValue) + return 0; + ++ if (!conn->preauth_info) ++ return -ENOMEM; ++ + sess->Preauth_HashValue = kmemdup(conn->preauth_info->Preauth_HashValue, + PREAUTH_HASHVALUE_SIZE, KSMBD_DEFAULT_GFP); + if (!sess->Preauth_HashValue) +@@ -1674,6 +1677,11 @@ int smb2_sess_setup(struct ksmbd_work *w + + ksmbd_debug(SMB, "Received smb2 session setup request\n"); + ++ if (!ksmbd_conn_need_setup(conn) && !ksmbd_conn_good(conn)) { ++ work->send_no_response = 1; ++ return rc; ++ } ++ + WORK_BUFFERS(work, req, rsp); + + rsp->StructureSize = cpu_to_le16(9); +@@ -1913,7 +1921,7 @@ out_err: + if (try_delay) { + ksmbd_conn_set_need_reconnect(conn); + ssleep(5); +- ksmbd_conn_set_need_negotiate(conn); ++ ksmbd_conn_set_need_setup(conn); + } + } + smb2_set_err_rsp(work); +@@ -2247,7 +2255,7 @@ int smb2_session_logoff(struct ksmbd_wor + ksmbd_free_user(sess->user); + 
sess->user = NULL; + } +- ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_NEGOTIATE); ++ ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_SETUP); + + rsp->StructureSize = cpu_to_le16(4); + err = ksmbd_iov_pin_rsp(work, rsp, sizeof(struct smb2_logoff_rsp)); diff --git a/debian/patches/patchset-pf/zstd/0001-zstd-import-upstream-v1.5.7.patch b/debian/patches/patchset-pf/zstd/0001-zstd-import-upstream-v1.5.7.patch index 25aab08..d0b5315 100644 --- a/debian/patches/patchset-pf/zstd/0001-zstd-import-upstream-v1.5.7.patch +++ b/debian/patches/patchset-pf/zstd/0001-zstd-import-upstream-v1.5.7.patch @@ -1,4 +1,4 @@ -From ce390f13283adf62f17365d2f55e65e442e2edd8 Mon Sep 17 00:00:00 2001 +From 7aa936e7a4feef1256c1bae5caf02db3074766af Mon Sep 17 00:00:00 2001 From: Oleksandr Natalenko <oleksandr@natalenko.name> Date: Thu, 20 Feb 2025 09:03:32 +0100 Subject: zstd: import upstream v1.5.7 diff --git a/debian/patches/patchset-pf/zstd/0002-lib-zstd-Refactor-intentional-wrap-around-test.patch b/debian/patches/patchset-pf/zstd/0002-lib-zstd-Refactor-intentional-wrap-around-test.patch index b6e7bb3..588453d 100644 --- a/debian/patches/patchset-pf/zstd/0002-lib-zstd-Refactor-intentional-wrap-around-test.patch +++ b/debian/patches/patchset-pf/zstd/0002-lib-zstd-Refactor-intentional-wrap-around-test.patch @@ -1,4 +1,4 @@ -From 0df7cc91ac0a3e84f2e0aeec1a71cd737de41b8a Mon Sep 17 00:00:00 2001 +From 70dad0dd41069fbb2c4a85b548e7adc79121a020 Mon Sep 17 00:00:00 2001 From: Kees Cook <keescook@chromium.org> Date: Mon, 22 Jan 2024 16:27:56 -0800 Subject: lib: zstd: Refactor intentional wrap-around test diff --git a/debian/patches/patchset-zen/sauce/0001-ZEN-Add-VHBA-driver.patch b/debian/patches/patchset-zen/sauce/0001-ZEN-Add-VHBA-driver.patch index e873db2..59c1730 100644 --- a/debian/patches/patchset-zen/sauce/0001-ZEN-Add-VHBA-driver.patch +++ b/debian/patches/patchset-zen/sauce/0001-ZEN-Add-VHBA-driver.patch @@ -50,7 +50,7 @@ tag vhba-module-20240917 --- /dev/null 
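Review bot: `if (!conn->preauth_info) return -ENOMEM;` in alloc_preauth_hash() reports a protocol-ordering violation as an allocation failure, which will mislead anyone reading the resulting error. `return -EINVAL;` describes it correctly, provided the caller, which is outside the hunk, does not depend on the specific code. In smb2_sess_setup() the new early exit returns `rc` before anything in the hunk assigns it, so the result depends on an initialiser that is not visible; an explicit return value would make the intent clear. KSMBD_SESS_NEED_SETUP is also added to the enum without a comment saying it means negotiate has completed and session setup is pending, which would help keep the state machine auditable.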
+++ b/drivers/scsi/vhba/Makefile @@ -0,0 +1,4 @@ -+VHBA_VERSION := 20240917 ++VHBA_VERSION := 20250329 + +obj-$(CONFIG_VHBA) += vhba.o +ccflags-y := -DVHBA_VERSION=\"$(VHBA_VERSION)\" -Werror diff --git a/debian/patches/series b/debian/patches/series index 5e5d9fa..05e9bd3 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -151,11 +151,41 @@ patchset-pf/amd-pstate/0028-cpufreq-amd-pstate-Stop-caching-EPP.patch patchset-pf/amd-pstate/0029-cpufreq-amd-pstate-Drop-actions-in-amd_pstate_epp_cp.patch patchset-pf/amd-pstate/0030-cpufreq-amd-pstate-fix-warning-noticed-by-kernel-tes.patch +patchset-pf/btrfs/0001-btrfs-fix-non-empty-delayed-iputs-list-on-unmount-du.patch +patchset-pf/btrfs/0002-btrfs-tests-fix-chunk-map-leak-after-failure-to-add-.patch +patchset-pf/btrfs/0003-btrfs-zoned-fix-zone-activation-with-missing-devices.patch +patchset-pf/btrfs/0004-btrfs-zoned-fix-zone-finishing-with-missing-devices.patch + patchset-pf/cpuidle/0001-cpuidle-Prefer-teo-over-menu-governor.patch patchset-pf/crypto/0001-crypto-x86-aes-xts-make-the-fast-path-64-bit-specifi.patch patchset-pf/crypto/0002-crypto-x86-aes-ctr-rewrite-AESNI-AVX-optimized-CTR-a.patch +patchset-pf/exfat/0001-exfat-fix-random-stack-corruption-after-get_block.patch +patchset-pf/exfat/0002-exfat-fix-potential-wrong-error-return-from-get_bloc.patch + +patchset-pf/fuse/0001-fuse-io-uring-Fix-a-possible-req-cancellation-race.patch + +patchset-pf/nfs/0001-nfsd-fix-management-of-listener-transports.patch +patchset-pf/nfs/0002-NFSD-Skip-sending-CB_RECALL_ANY-when-the-backchannel.patch +patchset-pf/nfs/0003-NFSD-nfsd_unlink-clobbers-non-zero-status-returned-f.patch +patchset-pf/nfs/0004-NFSD-Never-return-NFS4ERR_FILE_OPEN-when-removing-a-.patch +patchset-pf/nfs/0005-nfsd-don-t-ignore-the-return-code-of-svc_proc_regist.patch +patchset-pf/nfs/0006-nfsd-allow-SC_STATUS_FREEABLE-when-searching-via-nfs.patch +patchset-pf/nfs/0007-nfsd-put-dl_stid-if-fail-to-queue-dl_recall.patch +patchset-pf/nfs/0008-NFSD-Add-a-Kconfig-setting-to-enable-delegated-times.patch + +patchset-pf/smb/0001-cifs-avoid-NULL-pointer-dereference-in-dbg-call.patch +patchset-pf/smb/0002-ksmbd-add-bounds-check-for-durable-handle-context.patch +patchset-pf/smb/0003-CIFS-Propagate-min-offload-along-with-other-paramete.patch 
+patchset-pf/smb/0004-ksmbd-add-bounds-check-for-create-lease-context.patch +patchset-pf/smb/0005-ksmbd-fix-use-after-free-in-ksmbd_sessions_deregiste.patch +patchset-pf/smb/0006-cifs-fix-integer-overflow-in-match_server.patch +patchset-pf/smb/0007-ksmbd-fix-session-use-after-free-in-multichannel-con.patch +patchset-pf/smb/0008-ksmbd-fix-overflow-in-dacloffset-bounds-check.patch +patchset-pf/smb/0009-ksmbd-validate-zero-num_subauth-before-sub_auth-is-a.patch +patchset-pf/smb/0010-ksmbd-fix-null-pointer-dereference-in-alloc_preauth_.patch + patchset-pf/zstd/0001-zstd-import-upstream-v1.5.7.patch patchset-pf/zstd/0002-lib-zstd-Refactor-intentional-wrap-around-test.patch @@ -262,7 +292,15 @@ patchset-zen/sauce/0023-ZEN-INTERACTIVE-Document-PDS-BMQ-configuration.patch patchset-pf/fixes/0001-tpm-do-not-start-chip-while-suspended.patch patchset-pf/fixes/0002-x86-insn_decoder_test-allow-longer-symbol-names.patch +patchset-pf/fixes/0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.patch +patchset-pf/fixes/0004-x86-tools-Drop-duplicate-unlikely-definition-in-insn.patch +patchset-pf/fixes/0005-tpm-tpm_tis-Fix-timeout-handling-when-waiting-for-TP.patch +patchset-pf/fixes/0006-x86-mm-Fix-flush_tlb_range-when-used-for-zapping-nor.patch +patchset-pf/fixes/0007-x86-tsc-Always-save-restore-TSC-sched_clock-on-suspe.patch +patchset-pf/fixes/0008-uprobes-x86-Harden-uretprobe-syscall-trampoline-chec.patch +patchset-pf/fixes/0009-block-make-sure-nr_integrity_segments-is-cloned-in-b.patch +patchset-pf/fixes/0010-PCI-Fix-wrong-length-of-devres-array.patch +patchset-pf/fixes/0011-exec-fix-the-racy-usage-of-fs_struct-in_exec.patch patchset-zen/fixes/0001-arch-Kconfig-Default-to-maximum-amount-of-ASLR-bits.patch patchset-zen/fixes/0002-drivers-firmware-skip-simpledrm-if-nvidia-drm.modese.patch -patchset-zen/fixes/0003-EDAC-igen6-Fix-the-flood-of-invalid-error-reports.patch