diff --git a/debian/changelog b/debian/changelog index 0b19e6d..a2d34a1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +linux (6.15.3-1) sid; urgency=medium + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.15.3 + + -- Konstantin Demin Thu, 19 Jun 2025 17:46:46 +0300 + linux (6.15.2-1) sid; urgency=medium * New upstream stable update: diff --git a/debian/patches/debian/tools-perf-install-python-bindings.patch b/debian/patches/debian/tools-perf-install-python-bindings.patch index f6d1ea6..4bbfe3f 100644 --- a/debian/patches/debian/tools-perf-install-python-bindings.patch +++ b/debian/patches/debian/tools-perf-install-python-bindings.patch @@ -10,7 +10,7 @@ Forwarded: not-needed --- a/tools/perf/Makefile.perf +++ b/tools/perf/Makefile.perf -@@ -1157,7 +1157,7 @@ install-bin: install-tools install-tests +@@ -1158,7 +1158,7 @@ install-bin: install-tools install-tests install: install-bin try-install-man install-python_ext: diff --git a/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch b/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch index 35df3e2..5827b1d 100644 --- a/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch +++ b/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch @@ -50,7 +50,7 @@ Signed-off-by: Ben Hutchings /* Minimum for 512 kiB + 1 user control page. 'free' kiB per user. */ static int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); -@@ -13084,6 +13089,9 @@ SYSCALL_DEFINE5(perf_event_open, +@@ -13110,6 +13115,9 @@ SYSCALL_DEFINE5(perf_event_open, if (err) return err; diff --git a/debian/patches/patchset-pf/fixes/0001-mm-fix-ratelimit_pages-update-error-in-dirty_ratio_h.patch b/debian/patches/patchset-pf/fixes/0001-mm-fix-ratelimit_pages-update-error-in-dirty_ratio_h.patch index a1ccdca..b32f7c2 100644 --- a/debian/patches/patchset-pf/fixes/0001-mm-fix-ratelimit_pages-update-error-in-dirty_ratio_h.patch +++ b/debian/patches/patchset-pf/fixes/0001-mm-fix-ratelimit_pages-update-error-in-dirty_ratio_h.patch @@ -1,4 +1,4 @@ -From cda8b1022f32bb7a917148f75f4641e7a5b3e729 Mon Sep 17 00:00:00 2001 +From 1616d0edbdf3b36a8f4694d35bcf88fa1242c7e8 Mon Sep 17 00:00:00 2001 From: Jinliang Zheng Date: Tue, 15 Apr 2025 17:02:32 +0800 Subject: mm: fix ratelimit_pages update error in dirty_ratio_handler() diff --git a/debian/patches/patchset-pf/fixes/0002-vgacon-Add-check-for-vc_origin-address-range-in-vgac.patch b/debian/patches/patchset-pf/fixes/0002-vgacon-Add-check-for-vc_origin-address-range-in-vgac.patch index 23085db..327c670 100644 --- a/debian/patches/patchset-pf/fixes/0002-vgacon-Add-check-for-vc_origin-address-range-in-vgac.patch +++ b/debian/patches/patchset-pf/fixes/0002-vgacon-Add-check-for-vc_origin-address-range-in-vgac.patch @@ -1,4 +1,4 @@ -From 30a724581b5037176f6492359c189ebb180ccf1f Mon Sep 17 00:00:00 2001 +From 87f7435508fde20e21c6b744723a3203e2045f46 Mon Sep 17 00:00:00 2001 From: GONG Ruiqi Date: Sun, 27 Apr 2025 10:53:03 +0800 Subject: vgacon: Add check for vc_origin address range in vgacon_scroll() diff --git a/debian/patches/patchset-pf/fixes/0003-fbdev-Fix-do_register_framebuffer-to-prevent-null-pt.patch b/debian/patches/patchset-pf/fixes/0003-fbdev-Fix-do_register_framebuffer-to-prevent-null-pt.patch index b55ba65..28fa6e9 100644 --- a/debian/patches/patchset-pf/fixes/0003-fbdev-Fix-do_register_framebuffer-to-prevent-null-pt.patch +++ b/debian/patches/patchset-pf/fixes/0003-fbdev-Fix-do_register_framebuffer-to-prevent-null-pt.patch @@ -1,4 +1,4 @@ -From 5cf26cf9fd9c11cb1543aac026f8928829895663 Mon Sep 17 00:00:00 2001 +From 4aed4d2a911e165342a339c886101dbe3acad5e2 Mon Sep 17 00:00:00 2001 From: Murad Masimov Date: Mon, 28 Apr 2025 18:34:06 +0300 Subject: fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in diff --git a/debian/patches/patchset-pf/fixes/0004-fbdev-Fix-fb_set_var-to-prevent-null-ptr-deref-in-fb.patch b/debian/patches/patchset-pf/fixes/0004-fbdev-Fix-fb_set_var-to-prevent-null-ptr-deref-in-fb.patch index 4d1505f..a05b608 100644 --- a/debian/patches/patchset-pf/fixes/0004-fbdev-Fix-fb_set_var-to-prevent-null-ptr-deref-in-fb.patch +++ b/debian/patches/patchset-pf/fixes/0004-fbdev-Fix-fb_set_var-to-prevent-null-ptr-deref-in-fb.patch @@ -1,4 +1,4 @@ -From 54c7f478f1a9d58f5609a48d461c7d495bb8301a Mon Sep 17 00:00:00 2001 +From 10c7fce24a1ad9197a8eabbba454a9a872f03d5c Mon Sep 17 00:00:00 2001 From: Murad Masimov Date: Mon, 28 Apr 2025 18:34:07 +0300 Subject: fbdev: Fix fb_set_var to prevent null-ptr-deref in diff --git a/debian/patches/patchset-pf/fixes/0005-anon_inode-use-a-proper-mode-internally.patch b/debian/patches/patchset-pf/fixes/0005-anon_inode-use-a-proper-mode-internally.patch index 403fbdf..daa40c5 100644 --- a/debian/patches/patchset-pf/fixes/0005-anon_inode-use-a-proper-mode-internally.patch +++ b/debian/patches/patchset-pf/fixes/0005-anon_inode-use-a-proper-mode-internally.patch @@ -1,4 +1,4 @@ -From 9cb2f9d210f915aabe54c5061d84f3fbe93c71ea Mon Sep 17 00:00:00 2001 +From 13ccad7713b89e7693feb5346e7893dc8edce7a8 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Mon, 7 Apr 2025 11:54:15 +0200 Subject: anon_inode: use a proper mode internally diff --git a/debian/patches/patchset-pf/fixes/0006-anon_inode-explicitly-block-setattr.patch b/debian/patches/patchset-pf/fixes/0006-anon_inode-explicitly-block-setattr.patch index 9ec70fe..840ba93 100644 --- a/debian/patches/patchset-pf/fixes/0006-anon_inode-explicitly-block-setattr.patch +++ b/debian/patches/patchset-pf/fixes/0006-anon_inode-explicitly-block-setattr.patch @@ -1,4 +1,4 @@ -From ea4199112ae6d8da866417f50e035be01488c502 Mon Sep 17 00:00:00 2001 +From 5a3eea2c3e9675a8b713eef0d52b7c437f1f613b Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Mon, 7 Apr 2025 11:54:17 +0200 Subject: anon_inode: explicitly block ->setattr() diff --git a/debian/patches/patchset-pf/fixes/0007-anon_inode-raise-SB_I_NODEV-and-SB_I_NOEXEC.patch b/debian/patches/patchset-pf/fixes/0007-anon_inode-raise-SB_I_NODEV-and-SB_I_NOEXEC.patch index e9139cc..b305b31 100644 --- a/debian/patches/patchset-pf/fixes/0007-anon_inode-raise-SB_I_NODEV-and-SB_I_NOEXEC.patch +++ b/debian/patches/patchset-pf/fixes/0007-anon_inode-raise-SB_I_NODEV-and-SB_I_NOEXEC.patch @@ -1,4 +1,4 @@ -From 79f54c5bc7c6097a379c83e9ed56bee27cf1218a Mon Sep 17 00:00:00 2001 +From 8c9775d285f9755477a8b1f8b215102dce014ed2 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Mon, 7 Apr 2025 11:54:19 +0200 Subject: anon_inode: raise SB_I_NODEV and SB_I_NOEXEC diff --git a/debian/patches/patchset-pf/fixes/0008-fs-add-S_ANON_INODE.patch b/debian/patches/patchset-pf/fixes/0008-fs-add-S_ANON_INODE.patch index 048c3ba..f844b1c 100644 --- a/debian/patches/patchset-pf/fixes/0008-fs-add-S_ANON_INODE.patch +++ b/debian/patches/patchset-pf/fixes/0008-fs-add-S_ANON_INODE.patch @@ -1,4 +1,4 @@ -From edaacbee0f33b7371ec460723d1042a6c5a4bb9d Mon Sep 17 00:00:00 2001 +From d90681a50098e204f2e111b9433f6fc73a939854 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Mon, 21 Apr 2025 10:27:40 +0200 Subject: fs: add S_ANON_INODE diff --git a/debian/patches/patchset-pf/fixes/0009-configfs-Do-not-override-creating-attribute-file-fai.patch b/debian/patches/patchset-pf/fixes/0009-configfs-Do-not-override-creating-attribute-file-fai.patch index 7267733..57b3fda 100644 --- a/debian/patches/patchset-pf/fixes/0009-configfs-Do-not-override-creating-attribute-file-fai.patch +++ b/debian/patches/patchset-pf/fixes/0009-configfs-Do-not-override-creating-attribute-file-fai.patch @@ -1,4 +1,4 @@ -From ab287d709809b6dfe4d3c42016a543d976533d51 Mon Sep 17 00:00:00 2001 +From c161e0ffb55a12b9b26819fa0ecf8217ab781e97 Mon Sep 17 00:00:00 2001 From: Zijun Hu Date: Wed, 7 May 2025 19:50:26 +0800 Subject: configfs: Do not override creating attribute file failure in diff --git a/debian/patches/patchset-pf/fixes/0010-Don-t-propagate-mounts-into-detached-trees.patch b/debian/patches/patchset-pf/fixes/0010-Don-t-propagate-mounts-into-detached-trees.patch deleted file mode 100644 index 9912527..0000000 --- a/debian/patches/patchset-pf/fixes/0010-Don-t-propagate-mounts-into-detached-trees.patch +++ /dev/null @@ -1,104 +0,0 @@ -From 896b7b0d6ed53a7fe159c4b76f25407c816aa619 Mon Sep 17 00:00:00 2001 -From: Al Viro -Date: Fri, 23 May 2025 19:20:36 -0400 -Subject: Don't propagate mounts into detached trees - -All versions up to 6.14 did not propagate mount events into detached -tree. Shortly after 6.14 a merge of vfs-6.15-rc1.mount.namespace -(130e696aa68b) has changed that. - -Unfortunately, that has caused userland regressions (reported in -https://lore.kernel.org/all/CAOYeF9WQhFDe+BGW=Dp5fK8oRy5AgZ6zokVyTj1Wp4EUiYgt4w@mail.gmail.com/) - -Straight revert wouldn't be an option - in particular, the variant in 6.14 -had a bug that got fixed in d1ddc6f1d9f0 ("fix IS_MNT_PROPAGATING uses") -and we don't want to bring the bug back. - -This is a modification of manual revert posted by Christian, with changes -needed to avoid reintroducing the breakage in scenario described in -d1ddc6f1d9f0. - -Cc: stable@vger.kernel.org -Reported-by: Allison Karlitskaya -Tested-by: Allison Karlitskaya -Acked-by: Christian Brauner -Co-developed-by: Christian Brauner -Signed-off-by: Al Viro ---- - fs/mount.h | 5 ----- - fs/namespace.c | 15 ++------------- - fs/pnode.c | 4 ++-- - 3 files changed, 4 insertions(+), 20 deletions(-) - ---- a/fs/mount.h -+++ b/fs/mount.h -@@ -7,10 +7,6 @@ - - extern struct list_head notify_list; - --typedef __u32 __bitwise mntns_flags_t; -- --#define MNTNS_PROPAGATING ((__force mntns_flags_t)(1 << 0)) -- - struct mnt_namespace { - struct ns_common ns; - struct mount * root; -@@ -37,7 +33,6 @@ struct mnt_namespace { - struct rb_node mnt_ns_tree_node; /* node in the mnt_ns_tree */ - struct list_head mnt_ns_list; /* entry in the sequential list of mounts namespace */ - refcount_t passive; /* number references not pinning @mounts */ -- mntns_flags_t mntns_flags; - } __randomize_layout; - - struct mnt_pcp { ---- a/fs/namespace.c -+++ b/fs/namespace.c -@@ -3648,7 +3648,7 @@ static int do_move_mount(struct path *ol - if (!(attached ? check_mnt(old) : is_anon_ns(ns))) - goto out; - -- if (is_anon_ns(ns)) { -+ if (is_anon_ns(ns) && ns == p->mnt_ns) { - /* - * Ending up with two files referring to the root of the - * same anonymous mount namespace would cause an error -@@ -3656,16 +3656,7 @@ static int do_move_mount(struct path *ol - * twice into the mount tree which would be rejected - * later. But be explicit about it right here. - */ -- if ((is_anon_ns(p->mnt_ns) && ns == p->mnt_ns)) -- goto out; -- -- /* -- * If this is an anonymous mount tree ensure that mount -- * propagation can detect mounts that were just -- * propagated to the target mount tree so we don't -- * propagate onto them. -- */ -- ns->mntns_flags |= MNTNS_PROPAGATING; -+ goto out; - } else if (is_anon_ns(p->mnt_ns)) { - /* - * Don't allow moving an attached mount tree to an -@@ -3722,8 +3713,6 @@ static int do_move_mount(struct path *ol - if (attached) - put_mountpoint(old_mp); - out: -- if (is_anon_ns(ns)) -- ns->mntns_flags &= ~MNTNS_PROPAGATING; - unlock_mount(mp); - if (!err) { - if (attached) { ---- a/fs/pnode.c -+++ b/fs/pnode.c -@@ -231,8 +231,8 @@ static int propagate_one(struct mount *m - /* skip if mountpoint isn't visible in m */ - if (!is_subdir(dest_mp->m_dentry, m->mnt.mnt_root)) - return 0; -- /* skip if m is in the anon_ns we are emptying */ -- if (m->mnt_ns->mntns_flags & MNTNS_PROPAGATING) -+ /* skip if m is in the anon_ns */ -+ if (is_anon_ns(m->mnt_ns)) - return 0; - - if (peers(m, last_dest)) { diff --git a/debian/patches/patchset-pf/fixes/0013-Revert-Disable-FOP_DONTCACHE-for-now-due-to-bugs.patch b/debian/patches/patchset-pf/fixes/0010-Revert-Disable-FOP_DONTCACHE-for-now-due-to-bugs.patch similarity index 94% rename from debian/patches/patchset-pf/fixes/0013-Revert-Disable-FOP_DONTCACHE-for-now-due-to-bugs.patch rename to debian/patches/patchset-pf/fixes/0010-Revert-Disable-FOP_DONTCACHE-for-now-due-to-bugs.patch index 3579f44..ebb46b8 100644 --- a/debian/patches/patchset-pf/fixes/0013-Revert-Disable-FOP_DONTCACHE-for-now-due-to-bugs.patch +++ b/debian/patches/patchset-pf/fixes/0010-Revert-Disable-FOP_DONTCACHE-for-now-due-to-bugs.patch @@ -1,4 +1,4 @@ -From f0579d45f2e03fa3ba0d9466e79a31ea37acb487 Mon Sep 17 00:00:00 2001 +From 9c2fdcdf9d8963a6fa30005a859816639d0bbf95 Mon Sep 17 00:00:00 2001 From: Jens Axboe Date: Tue, 27 May 2025 07:28:54 -0600 Subject: Revert "Disable FOP_DONTCACHE for now due to bugs" diff --git a/debian/patches/patchset-pf/fixes/0011-mm-filemap-gate-dropbehind-invalidate-on-folio-dirty.patch b/debian/patches/patchset-pf/fixes/0011-mm-filemap-gate-dropbehind-invalidate-on-folio-dirty.patch deleted file mode 100644 index ea59300..0000000 --- a/debian/patches/patchset-pf/fixes/0011-mm-filemap-gate-dropbehind-invalidate-on-folio-dirty.patch +++ /dev/null @@ -1,51 +0,0 @@ -From bc86aaf0e0256220ca787fdbb57a73429ade1129 Mon Sep 17 00:00:00 2001 -From: Jens Axboe -Date: Tue, 27 May 2025 07:28:52 -0600 -Subject: mm/filemap: gate dropbehind invalidate on folio !dirty && !writeback - -It's possible for the folio to either get marked for writeback or -redirtied. Add a helper, filemap_end_dropbehind(), which guards the -folio_unmap_invalidate() call behind check for the folio being both -non-dirty and not under writeback AFTER the folio lock has been -acquired. Use this helper folio_end_dropbehind_write(). - -Cc: stable@vger.kernel.org -Reported-by: Al Viro -Fixes: fb7d3bc41493 ("mm/filemap: drop streaming/uncached pages when writeback completes") -Link: https://lore.kernel.org/linux-fsdevel/20250525083209.GS2023217@ZenIV/ -Signed-off-by: Jens Axboe -Link: https://lore.kernel.org/20250527133255.452431-2-axboe@kernel.dk -Signed-off-by: Christian Brauner ---- - mm/filemap.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - ---- a/mm/filemap.c -+++ b/mm/filemap.c -@@ -1589,6 +1589,16 @@ int folio_wait_private_2_killable(struct - } - EXPORT_SYMBOL(folio_wait_private_2_killable); - -+static void filemap_end_dropbehind(struct folio *folio) -+{ -+ struct address_space *mapping = folio->mapping; -+ -+ VM_BUG_ON_FOLIO(!folio_test_locked(folio), folio); -+ -+ if (mapping && !folio_test_writeback(folio) && !folio_test_dirty(folio)) -+ folio_unmap_invalidate(mapping, folio, 0); -+} -+ - /* - * If folio was marked as dropbehind, then pages should be dropped when writeback - * completes. Do that now. If we fail, it's likely because of a big folio - -@@ -1604,8 +1614,7 @@ static void folio_end_dropbehind_write(s - * invalidation in that case. - */ - if (in_task() && folio_trylock(folio)) { -- if (folio->mapping) -- folio_unmap_invalidate(folio->mapping, folio, 0); -+ filemap_end_dropbehind(folio); - folio_unlock(folio); - } - } diff --git a/debian/patches/patchset-pf/fixes/0014-mm-filemap-unify-read-write-dropbehind-naming.patch b/debian/patches/patchset-pf/fixes/0011-mm-filemap-unify-read-write-dropbehind-naming.patch similarity index 95% rename from debian/patches/patchset-pf/fixes/0014-mm-filemap-unify-read-write-dropbehind-naming.patch rename to debian/patches/patchset-pf/fixes/0011-mm-filemap-unify-read-write-dropbehind-naming.patch index 2410a52..74bad54 100644 --- a/debian/patches/patchset-pf/fixes/0014-mm-filemap-unify-read-write-dropbehind-naming.patch +++ b/debian/patches/patchset-pf/fixes/0011-mm-filemap-unify-read-write-dropbehind-naming.patch @@ -1,4 +1,4 @@ -From 3b4614564770691cf3a6eb88127268ef6a84180c Mon Sep 17 00:00:00 2001 +From 0274339dc053815d099e9c336f11c1e9e5641792 Mon Sep 17 00:00:00 2001 From: Jens Axboe Date: Tue, 27 May 2025 07:28:55 -0600 Subject: mm/filemap: unify read/write dropbehind naming diff --git a/debian/patches/patchset-pf/fixes/0015-mm-filemap-unify-dropbehind-flag-testing-and-clearin.patch b/debian/patches/patchset-pf/fixes/0012-mm-filemap-unify-dropbehind-flag-testing-and-clearin.patch similarity index 97% rename from debian/patches/patchset-pf/fixes/0015-mm-filemap-unify-dropbehind-flag-testing-and-clearin.patch rename to debian/patches/patchset-pf/fixes/0012-mm-filemap-unify-dropbehind-flag-testing-and-clearin.patch index de06ef7..f952381 100644 --- a/debian/patches/patchset-pf/fixes/0015-mm-filemap-unify-dropbehind-flag-testing-and-clearin.patch +++ b/debian/patches/patchset-pf/fixes/0012-mm-filemap-unify-dropbehind-flag-testing-and-clearin.patch @@ -1,4 +1,4 @@ -From 6003153e1bc4ad4952773081d7b89aa1ab2274c3 Mon Sep 17 00:00:00 2001 +From de09560d2e6fbb14ea586063217277e5ebc1bc71 Mon Sep 17 00:00:00 2001 From: Jens Axboe Date: Tue, 27 May 2025 07:28:56 -0600 Subject: mm/filemap: unify dropbehind flag testing and clearing diff --git a/debian/patches/patchset-pf/fixes/0012-mm-filemap-use-filemap_end_dropbehind-for-read-inval.patch b/debian/patches/patchset-pf/fixes/0012-mm-filemap-use-filemap_end_dropbehind-for-read-inval.patch deleted file mode 100644 index 2306297..0000000 --- a/debian/patches/patchset-pf/fixes/0012-mm-filemap-use-filemap_end_dropbehind-for-read-inval.patch +++ /dev/null @@ -1,51 +0,0 @@ -From fad76185ca91983990c660642151083eb05cbfc0 Mon Sep 17 00:00:00 2001 -From: Jens Axboe -Date: Tue, 27 May 2025 07:28:53 -0600 -Subject: mm/filemap: use filemap_end_dropbehind() for read invalidation - -Use the filemap_end_dropbehind() helper rather than calling -folio_unmap_invalidate() directly, as we need to check if the folio has -been redirtied or marked for writeback once the folio lock has been -re-acquired. - -Cc: stable@vger.kernel.org -Reported-by: Trond Myklebust -Fixes: 8026e49bff9b ("mm/filemap: add read support for RWF_DONTCACHE") -Link: https://lore.kernel.org/linux-fsdevel/ba8a9805331ce258a622feaca266b163db681a10.camel@hammerspace.com/ -Signed-off-by: Jens Axboe -Link: https://lore.kernel.org/20250527133255.452431-3-axboe@kernel.dk -Signed-off-by: Christian Brauner ---- - mm/filemap.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - ---- a/mm/filemap.c -+++ b/mm/filemap.c -@@ -2644,8 +2644,7 @@ static inline bool pos_same_folio(loff_t - return (pos1 >> shift == pos2 >> shift); - } - --static void filemap_end_dropbehind_read(struct address_space *mapping, -- struct folio *folio) -+static void filemap_end_dropbehind_read(struct folio *folio) - { - if (!folio_test_dropbehind(folio)) - return; -@@ -2653,7 +2652,7 @@ static void filemap_end_dropbehind_read( - return; - if (folio_trylock(folio)) { - if (folio_test_clear_dropbehind(folio)) -- folio_unmap_invalidate(mapping, folio, 0); -+ filemap_end_dropbehind(folio); - folio_unlock(folio); - } - } -@@ -2774,7 +2773,7 @@ put_folios: - for (i = 0; i < folio_batch_count(&fbatch); i++) { - struct folio *folio = fbatch.folios[i]; - -- filemap_end_dropbehind_read(mapping, folio); -+ filemap_end_dropbehind_read(folio); - folio_put(folio); - } - folio_batch_init(&fbatch); diff --git a/debian/patches/patchset-pf/fixes/0016-mm-khugepaged-fix-race-with-folio-split-free-using-t.patch b/debian/patches/patchset-pf/fixes/0013-mm-khugepaged-fix-race-with-folio-split-free-using-t.patch similarity index 97% rename from debian/patches/patchset-pf/fixes/0016-mm-khugepaged-fix-race-with-folio-split-free-using-t.patch rename to debian/patches/patchset-pf/fixes/0013-mm-khugepaged-fix-race-with-folio-split-free-using-t.patch index f600beb..5f39c40 100644 --- a/debian/patches/patchset-pf/fixes/0016-mm-khugepaged-fix-race-with-folio-split-free-using-t.patch +++ b/debian/patches/patchset-pf/fixes/0013-mm-khugepaged-fix-race-with-folio-split-free-using-t.patch @@ -1,4 +1,4 @@ -From 61c0b2450f2b85c5053fa4f71d9c619b34d3af6c Mon Sep 17 00:00:00 2001 +From c041325f222c774573ad73d35939451a4e221e52 Mon Sep 17 00:00:00 2001 From: Shivank Garg Date: Mon, 26 May 2025 18:28:18 +0000 Subject: mm/khugepaged: fix race with folio split/free using temporary diff --git a/debian/patches/patchset-pf/fixes/0017-mm-add-folio_expected_ref_count-for-reference-count-.patch b/debian/patches/patchset-pf/fixes/0014-mm-add-folio_expected_ref_count-for-reference-count-.patch similarity index 99% rename from debian/patches/patchset-pf/fixes/0017-mm-add-folio_expected_ref_count-for-reference-count-.patch rename to debian/patches/patchset-pf/fixes/0014-mm-add-folio_expected_ref_count-for-reference-count-.patch index eb9fdc1..97b15e9 100644 --- a/debian/patches/patchset-pf/fixes/0017-mm-add-folio_expected_ref_count-for-reference-count-.patch +++ b/debian/patches/patchset-pf/fixes/0014-mm-add-folio_expected_ref_count-for-reference-count-.patch @@ -1,4 +1,4 @@ -From 214092002cbd9945b7cc6314e76ec42b3f588c01 Mon Sep 17 00:00:00 2001 +From 76653593bdf5fda03717991681b5d60e2af015e9 Mon Sep 17 00:00:00 2001 From: Shivank Garg Date: Wed, 30 Apr 2025 10:01:51 +0000 Subject: mm: add folio_expected_ref_count() for reference count calculation diff --git a/debian/patches/patchset-pf/fixes/0018-mm-fix-uprobe-pte-be-overwritten-when-expanding-vma.patch b/debian/patches/patchset-pf/fixes/0015-mm-fix-uprobe-pte-be-overwritten-when-expanding-vma.patch similarity index 98% rename from debian/patches/patchset-pf/fixes/0018-mm-fix-uprobe-pte-be-overwritten-when-expanding-vma.patch rename to debian/patches/patchset-pf/fixes/0015-mm-fix-uprobe-pte-be-overwritten-when-expanding-vma.patch index 0783b91..82bc2ce 100644 --- a/debian/patches/patchset-pf/fixes/0018-mm-fix-uprobe-pte-be-overwritten-when-expanding-vma.patch +++ b/debian/patches/patchset-pf/fixes/0015-mm-fix-uprobe-pte-be-overwritten-when-expanding-vma.patch @@ -1,4 +1,4 @@ -From 0f52f05148589fe4115322a9cc8ffab760091a0a Mon Sep 17 00:00:00 2001 +From 1e9a258def978a9388a50ae43c85557b0598a7d3 Mon Sep 17 00:00:00 2001 From: Pu Lehui Date: Thu, 29 May 2025 15:56:47 +0000 Subject: mm: fix uprobe pte be overwritten when expanding vma diff --git a/debian/patches/patchset-pf/fixes/0019-mm-hugetlb-unshare-page-tables-during-VMA-split-not-.patch b/debian/patches/patchset-pf/fixes/0016-mm-hugetlb-unshare-page-tables-during-VMA-split-not-.patch similarity index 99% rename from debian/patches/patchset-pf/fixes/0019-mm-hugetlb-unshare-page-tables-during-VMA-split-not-.patch rename to debian/patches/patchset-pf/fixes/0016-mm-hugetlb-unshare-page-tables-during-VMA-split-not-.patch index 0ec9477..0aae85c 100644 --- a/debian/patches/patchset-pf/fixes/0019-mm-hugetlb-unshare-page-tables-during-VMA-split-not-.patch +++ b/debian/patches/patchset-pf/fixes/0016-mm-hugetlb-unshare-page-tables-during-VMA-split-not-.patch @@ -1,4 +1,4 @@ -From 6f1e03b94f7777323aaefd9286d992a1cbd0adf7 Mon Sep 17 00:00:00 2001 +From 2d8c79ec421253aab9560a47a7e73d678c84585c Mon Sep 17 00:00:00 2001 From: Jann Horn Date: Tue, 27 May 2025 23:23:53 +0200 Subject: mm/hugetlb: unshare page tables during VMA split, not before diff --git a/debian/patches/patchset-pf/fixes/0020-mm-hugetlb-fix-huge_pmd_unshare-vs-GUP-fast-race.patch b/debian/patches/patchset-pf/fixes/0017-mm-hugetlb-fix-huge_pmd_unshare-vs-GUP-fast-race.patch similarity index 96% rename from debian/patches/patchset-pf/fixes/0020-mm-hugetlb-fix-huge_pmd_unshare-vs-GUP-fast-race.patch rename to debian/patches/patchset-pf/fixes/0017-mm-hugetlb-fix-huge_pmd_unshare-vs-GUP-fast-race.patch index 11bf0bc..fad6de6 100644 --- a/debian/patches/patchset-pf/fixes/0020-mm-hugetlb-fix-huge_pmd_unshare-vs-GUP-fast-race.patch +++ b/debian/patches/patchset-pf/fixes/0017-mm-hugetlb-fix-huge_pmd_unshare-vs-GUP-fast-race.patch @@ -1,4 +1,4 @@ -From cbd0e47470ea4db11acf3612edf91b5047a90d24 Mon Sep 17 00:00:00 2001 +From e1280358284feaf844db5c6a76078b2c1738c5ae Mon Sep 17 00:00:00 2001 From: Jann Horn Date: Tue, 27 May 2025 23:23:54 +0200 Subject: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race diff --git a/debian/patches/patchset-pf/fixes/0021-mm-madvise-handle-madvise_lock-failure-during-race-u.patch b/debian/patches/patchset-pf/fixes/0018-mm-madvise-handle-madvise_lock-failure-during-race-u.patch similarity index 96% rename from debian/patches/patchset-pf/fixes/0021-mm-madvise-handle-madvise_lock-failure-during-race-u.patch rename to debian/patches/patchset-pf/fixes/0018-mm-madvise-handle-madvise_lock-failure-during-race-u.patch index 6f88d08..d3f9746 100644 --- a/debian/patches/patchset-pf/fixes/0021-mm-madvise-handle-madvise_lock-failure-during-race-u.patch +++ b/debian/patches/patchset-pf/fixes/0018-mm-madvise-handle-madvise_lock-failure-during-race-u.patch @@ -1,4 +1,4 @@ -From cb42e10062f07934d60ce2a9bc154ea7ac0bab5a Mon Sep 17 00:00:00 2001 +From b36611870ea72c82eb78d90a017658394bdb9690 Mon Sep 17 00:00:00 2001 From: SeongJae Park Date: Mon, 2 Jun 2025 10:49:26 -0700 Subject: mm/madvise: handle madvise_lock() failure during race unwinding diff --git a/debian/patches/patchset-pf/fixes/0022-video-screen_info-Relocate-framebuffers-behind-PCI-b.patch b/debian/patches/patchset-pf/fixes/0019-video-screen_info-Relocate-framebuffers-behind-PCI-b.patch similarity index 98% rename from debian/patches/patchset-pf/fixes/0022-video-screen_info-Relocate-framebuffers-behind-PCI-b.patch rename to debian/patches/patchset-pf/fixes/0019-video-screen_info-Relocate-framebuffers-behind-PCI-b.patch index 6b9ba1b..7c07d45 100644 --- a/debian/patches/patchset-pf/fixes/0022-video-screen_info-Relocate-framebuffers-behind-PCI-b.patch +++ b/debian/patches/patchset-pf/fixes/0019-video-screen_info-Relocate-framebuffers-behind-PCI-b.patch @@ -1,4 +1,4 @@ -From 0aeb6f83ff11709bb4b6fc9afa2f742681ca36e1 Mon Sep 17 00:00:00 2001 +From f0ab226d0eae3aa7e26524efc040026a65ead640 Mon Sep 17 00:00:00 2001 From: Thomas Zimmermann Date: Wed, 28 May 2025 10:02:08 +0200 Subject: video: screen_info: Relocate framebuffers behind PCI bridges diff --git a/debian/patches/patchset-pf/fixes/0023-sysfb-Fix-screen_info-type-check-for-VGA.patch b/debian/patches/patchset-pf/fixes/0020-sysfb-Fix-screen_info-type-check-for-VGA.patch similarity index 97% rename from debian/patches/patchset-pf/fixes/0023-sysfb-Fix-screen_info-type-check-for-VGA.patch rename to debian/patches/patchset-pf/fixes/0020-sysfb-Fix-screen_info-type-check-for-VGA.patch index d577131..1c16ea3 100644 --- a/debian/patches/patchset-pf/fixes/0023-sysfb-Fix-screen_info-type-check-for-VGA.patch +++ b/debian/patches/patchset-pf/fixes/0020-sysfb-Fix-screen_info-type-check-for-VGA.patch @@ -1,4 +1,4 @@ -From 06ff725d11ea8713876187973c834fb595cb26f1 Mon Sep 17 00:00:00 2001 +From 717bcb42b8cd4119c88249fbfc26d08e25a2ca24 Mon Sep 17 00:00:00 2001 From: Thomas Zimmermann Date: Tue, 3 Jun 2025 17:48:20 +0200 Subject: sysfb: Fix screen_info type check for VGA diff --git a/debian/patches/patchset-pf/fixes/0025-watchdog-fix-watchdog-may-detect-false-positive-of-s.patch b/debian/patches/patchset-pf/fixes/0021-watchdog-fix-watchdog-may-detect-false-positive-of-s.patch similarity index 99% rename from debian/patches/patchset-pf/fixes/0025-watchdog-fix-watchdog-may-detect-false-positive-of-s.patch rename to debian/patches/patchset-pf/fixes/0021-watchdog-fix-watchdog-may-detect-false-positive-of-s.patch index 0242410..d1ef618 100644 --- a/debian/patches/patchset-pf/fixes/0025-watchdog-fix-watchdog-may-detect-false-positive-of-s.patch +++ b/debian/patches/patchset-pf/fixes/0021-watchdog-fix-watchdog-may-detect-false-positive-of-s.patch @@ -1,4 +1,4 @@ -From 7856e6900a09ed537366a5e0c774be8926ee022e Mon Sep 17 00:00:00 2001 +From 08b1e02fc44abc04d813dbc827812db9ebca0dad Mon Sep 17 00:00:00 2001 From: Luo Gengkun Date: Mon, 21 Apr 2025 03:50:21 +0000 Subject: watchdog: fix watchdog may detect false positive of softlockup diff --git a/debian/patches/patchset-pf/fixes/0026-sched-rt-Fix-race-in-push_rt_task.patch b/debian/patches/patchset-pf/fixes/0022-sched-rt-Fix-race-in-push_rt_task.patch similarity index 99% rename from debian/patches/patchset-pf/fixes/0026-sched-rt-Fix-race-in-push_rt_task.patch rename to debian/patches/patchset-pf/fixes/0022-sched-rt-Fix-race-in-push_rt_task.patch index 9a8d90f..e4a7a71 100644 --- a/debian/patches/patchset-pf/fixes/0026-sched-rt-Fix-race-in-push_rt_task.patch +++ b/debian/patches/patchset-pf/fixes/0022-sched-rt-Fix-race-in-push_rt_task.patch @@ -1,4 +1,4 @@ -From 45c6602b7fa2a9dfd05a1f9289504c2437205ce4 Mon Sep 17 00:00:00 2001 +From ff8503c4997332bb5708c3b77f8a19f334e947a9 Mon Sep 17 00:00:00 2001 From: Harshit Agarwal Date: Tue, 25 Feb 2025 18:05:53 +0000 Subject: sched/rt: Fix race in push_rt_task diff --git a/debian/patches/patchset-pf/fixes/0027-sched-fair-Adhere-to-place_entity-constraints.patch b/debian/patches/patchset-pf/fixes/0023-sched-fair-Adhere-to-place_entity-constraints.patch similarity index 97% rename from debian/patches/patchset-pf/fixes/0027-sched-fair-Adhere-to-place_entity-constraints.patch rename to debian/patches/patchset-pf/fixes/0023-sched-fair-Adhere-to-place_entity-constraints.patch index 62d3e4d..37360d5 100644 --- a/debian/patches/patchset-pf/fixes/0027-sched-fair-Adhere-to-place_entity-constraints.patch +++ b/debian/patches/patchset-pf/fixes/0023-sched-fair-Adhere-to-place_entity-constraints.patch @@ -1,4 +1,4 @@ -From 14b4658d3fa78b169f36e62e722a076a7c50afd8 Mon Sep 17 00:00:00 2001 +From e02cbdc12bf63da363d7e3391376819241d67fbe Mon Sep 17 00:00:00 2001 From: Peter Zijlstra Date: Tue, 28 Jan 2025 15:39:49 +0100 Subject: sched/fair: Adhere to place_entity() constraints diff --git a/debian/patches/patchset-pf/fixes/0028-alloc_tag-handle-module-codetag-load-errors-as-modul.patch b/debian/patches/patchset-pf/fixes/0024-alloc_tag-handle-module-codetag-load-errors-as-modul.patch similarity index 98% rename from debian/patches/patchset-pf/fixes/0028-alloc_tag-handle-module-codetag-load-errors-as-modul.patch rename to debian/patches/patchset-pf/fixes/0024-alloc_tag-handle-module-codetag-load-errors-as-modul.patch index 462a882..87eb717 100644 --- a/debian/patches/patchset-pf/fixes/0028-alloc_tag-handle-module-codetag-load-errors-as-modul.patch +++ b/debian/patches/patchset-pf/fixes/0024-alloc_tag-handle-module-codetag-load-errors-as-modul.patch @@ -1,4 +1,4 @@ -From 65419a1e04de111460c4f38c47f1db39e71c3357 Mon Sep 17 00:00:00 2001 +From 7257e4f8df6b5783978ab06063fc8529ee2631d5 Mon Sep 17 00:00:00 2001 From: Suren Baghdasaryan Date: Wed, 21 May 2025 09:06:02 -0700 Subject: alloc_tag: handle module codetag load errors as module load failures diff --git a/debian/patches/patchset-pf/fixes/0024-x86-iopl-Cure-TIF_IO_BITMAP-inconsistencies.patch b/debian/patches/patchset-pf/fixes/0024-x86-iopl-Cure-TIF_IO_BITMAP-inconsistencies.patch deleted file mode 100644 index 1d29025..0000000 --- a/debian/patches/patchset-pf/fixes/0024-x86-iopl-Cure-TIF_IO_BITMAP-inconsistencies.patch +++ /dev/null @@ -1,113 +0,0 @@ -From ba4c83076943b477c90015581cc88e262a7d772f Mon Sep 17 00:00:00 2001 -From: Thomas Gleixner -Date: Wed, 26 Feb 2025 16:01:57 +0100 -Subject: x86/iopl: Cure TIF_IO_BITMAP inconsistencies - -io_bitmap_exit() is invoked from exit_thread() when a task exists or -when a fork fails. In the latter case the exit_thread() cleans up -resources which were allocated during fork(). - -io_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up -in tss_update_io_bitmap(). tss_update_io_bitmap() operates on the -current task. If current has TIF_IO_BITMAP set, but no bitmap installed, -tss_update_io_bitmap() crashes with a NULL pointer dereference. - -There are two issues, which lead to that problem: - - 1) io_bitmap_exit() should not invoke task_update_io_bitmap() when - the task, which is cleaned up, is not the current task. That's a - clear indicator for a cleanup after a failed fork(). - - 2) A task should not have TIF_IO_BITMAP set and neither a bitmap - installed nor IOPL emulation level 3 activated. - - This happens when a kernel thread is created in the context of - a user space thread, which has TIF_IO_BITMAP set as the thread - flags are copied and the IO bitmap pointer is cleared. - - Other than in the failed fork() case this has no impact because - kernel threads including IO workers never return to user space and - therefore never invoke tss_update_io_bitmap(). - -Cure this by adding the missing cleanups and checks: - - 1) Prevent io_bitmap_exit() to invoke task_update_io_bitmap() if - the to be cleaned up task is not the current task. - - 2) Clear TIF_IO_BITMAP in copy_thread() unconditionally. For user - space forks it is set later, when the IO bitmap is inherited in - io_bitmap_share(). - -For paranoia sake, add a warning into tss_update_io_bitmap() to catch -the case, when that code is invoked with inconsistent state. - -Fixes: ea5f1cd7ab49 ("x86/ioperm: Remove bitmap if all permissions dropped") -Reported-by: syzbot+e2b1803445d236442e54@syzkaller.appspotmail.com -Signed-off-by: Thomas Gleixner -Signed-off-by: Borislav Petkov (AMD) -Cc: stable@vger.kernel.org -Link: https://lore.kernel.org/87wmdceom2.ffs@tglx ---- - arch/x86/kernel/ioport.c | 13 +++++++++---- - arch/x86/kernel/process.c | 6 ++++++ - 2 files changed, 15 insertions(+), 4 deletions(-) - ---- a/arch/x86/kernel/ioport.c -+++ b/arch/x86/kernel/ioport.c -@@ -33,8 +33,9 @@ void io_bitmap_share(struct task_struct - set_tsk_thread_flag(tsk, TIF_IO_BITMAP); - } - --static void task_update_io_bitmap(struct task_struct *tsk) -+static void task_update_io_bitmap(void) - { -+ struct task_struct *tsk = current; - struct thread_struct *t = &tsk->thread; - - if (t->iopl_emul == 3 || t->io_bitmap) { -@@ -54,7 +55,12 @@ void io_bitmap_exit(struct task_struct * - struct io_bitmap *iobm = tsk->thread.io_bitmap; - - tsk->thread.io_bitmap = NULL; -- task_update_io_bitmap(tsk); -+ /* -+ * Don't touch the TSS when invoked on a failed fork(). TSS -+ * reflects the state of @current and not the state of @tsk. -+ */ -+ if (tsk == current) -+ task_update_io_bitmap(); - if (iobm && refcount_dec_and_test(&iobm->refcnt)) - kfree(iobm); - } -@@ -192,8 +198,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, leve - } - - t->iopl_emul = level; -- task_update_io_bitmap(current); -- -+ task_update_io_bitmap(); - return 0; - } - ---- a/arch/x86/kernel/process.c -+++ b/arch/x86/kernel/process.c -@@ -181,6 +181,7 @@ int copy_thread(struct task_struct *p, c - frame->ret_addr = (unsigned long) ret_from_fork_asm; - p->thread.sp = (unsigned long) fork_frame; - p->thread.io_bitmap = NULL; -+ clear_tsk_thread_flag(p, TIF_IO_BITMAP); - p->thread.iopl_warn = 0; - memset(p->thread.ptrace_bps, 0, sizeof(p->thread.ptrace_bps)); - -@@ -469,6 +470,11 @@ void native_tss_update_io_bitmap(void) - } else { - struct io_bitmap *iobm = t->io_bitmap; - -+ if (WARN_ON_ONCE(!iobm)) { -+ clear_thread_flag(TIF_IO_BITMAP); -+ native_tss_invalidate_io_bitmap(); -+ } -+ - /* - * Only copy bitmap data when the sequence number differs. The - * update time is accounted to the incoming task. diff --git a/debian/patches/patchset-pf/fixes/0029-svcrdma-Unregister-the-device-if-svc_rdma_accept-fai.patch b/debian/patches/patchset-pf/fixes/0025-svcrdma-Unregister-the-device-if-svc_rdma_accept-fai.patch similarity index 89% rename from debian/patches/patchset-pf/fixes/0029-svcrdma-Unregister-the-device-if-svc_rdma_accept-fai.patch rename to debian/patches/patchset-pf/fixes/0025-svcrdma-Unregister-the-device-if-svc_rdma_accept-fai.patch index 7d8cb5d..7432543 100644 --- a/debian/patches/patchset-pf/fixes/0029-svcrdma-Unregister-the-device-if-svc_rdma_accept-fai.patch +++ b/debian/patches/patchset-pf/fixes/0025-svcrdma-Unregister-the-device-if-svc_rdma_accept-fai.patch @@ -1,4 +1,4 @@ -From 3848ddd6068c425b732da6e8c78b047ed28c6114 Mon Sep 17 00:00:00 2001 +From 57fdc30dcdad60e3b868682cc1e77083c091aef5 Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Sun, 27 Apr 2025 12:39:59 -0400 Subject: svcrdma: Unregister the device if svc_rdma_accept() fails @@ -19,7 +19,7 @@ Signed-off-by: Chuck Lever --- a/net/sunrpc/xprtrdma/svc_rdma_transport.c +++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c -@@ -575,6 +575,7 @@ static struct svc_xprt *svc_rdma_accept( +@@ -577,6 +577,7 @@ static struct svc_xprt *svc_rdma_accept( if (newxprt->sc_qp && !IS_ERR(newxprt->sc_qp)) ib_destroy_qp(newxprt->sc_qp); rdma_destroy_id(newxprt->sc_cm_id); diff --git a/debian/patches/patchset-pf/fixes/0030-SUNRPC-Prevent-hang-on-NFS-mount-with-xprtsec-m-tls.patch b/debian/patches/patchset-pf/fixes/0026-SUNRPC-Prevent-hang-on-NFS-mount-with-xprtsec-m-tls.patch similarity index 96% rename from debian/patches/patchset-pf/fixes/0030-SUNRPC-Prevent-hang-on-NFS-mount-with-xprtsec-m-tls.patch rename to debian/patches/patchset-pf/fixes/0026-SUNRPC-Prevent-hang-on-NFS-mount-with-xprtsec-m-tls.patch index 089a7bf..cacfc0b 100644 --- a/debian/patches/patchset-pf/fixes/0030-SUNRPC-Prevent-hang-on-NFS-mount-with-xprtsec-m-tls.patch +++ b/debian/patches/patchset-pf/fixes/0026-SUNRPC-Prevent-hang-on-NFS-mount-with-xprtsec-m-tls.patch @@ -1,4 +1,4 @@ -From 38b409dd5c2fd9496fde05db4fb538a7e3593922 Mon Sep 17 00:00:00 2001 +From 92e99ba55ff0ce68ea7567331beda21861da2028 Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Wed, 21 May 2025 16:34:13 -0400 Subject: SUNRPC: Prevent hang on NFS mount with xprtsec=[m]tls diff --git a/debian/patches/patchset-pf/fixes/0031-hv_netvsc-fix-potential-deadlock-in-netvsc_vf_setxdp.patch b/debian/patches/patchset-pf/fixes/0027-hv_netvsc-fix-potential-deadlock-in-netvsc_vf_setxdp.patch similarity index 97% rename from debian/patches/patchset-pf/fixes/0031-hv_netvsc-fix-potential-deadlock-in-netvsc_vf_setxdp.patch rename to debian/patches/patchset-pf/fixes/0027-hv_netvsc-fix-potential-deadlock-in-netvsc_vf_setxdp.patch index e0af3fe..de03a05 100644 --- a/debian/patches/patchset-pf/fixes/0031-hv_netvsc-fix-potential-deadlock-in-netvsc_vf_setxdp.patch +++ b/debian/patches/patchset-pf/fixes/0027-hv_netvsc-fix-potential-deadlock-in-netvsc_vf_setxdp.patch @@ -1,4 +1,4 @@ -From c3e0e5bd29d97f8e5663026e8c2f25e08f1c4544 Mon Sep 17 00:00:00 2001 +From ac0c5ac5efecec7f731a1d80ec40ef3d34adc5ee Mon Sep 17 00:00:00 2001 From: Saurabh Sengar Date: Thu, 29 May 2025 03:18:30 -0700 Subject: hv_netvsc: fix potential deadlock in netvsc_vf_setxdp() diff --git a/debian/patches/patchset-pf/fixes/0032-net-clear-the-dst-when-changing-skb-protocol.patch b/debian/patches/patchset-pf/fixes/0028-net-clear-the-dst-when-changing-skb-protocol.patch similarity index 90% rename from debian/patches/patchset-pf/fixes/0032-net-clear-the-dst-when-changing-skb-protocol.patch rename to debian/patches/patchset-pf/fixes/0028-net-clear-the-dst-when-changing-skb-protocol.patch index 370069a..f780308 100644 --- a/debian/patches/patchset-pf/fixes/0032-net-clear-the-dst-when-changing-skb-protocol.patch +++ b/debian/patches/patchset-pf/fixes/0028-net-clear-the-dst-when-changing-skb-protocol.patch @@ -1,4 +1,4 @@ -From 0f48fca427618cecf6683fa8e46cb8d0b66bb93d Mon Sep 17 00:00:00 2001 +From 485c82a86fb97fb86cac303348c85b6cf71fd787 Mon Sep 17 00:00:00 2001 From: Jakub Kicinski Date: Mon, 9 Jun 2025 17:12:44 -0700 Subject: net: clear the dst when changing skb protocol @@ -53,7 +53,7 @@ Signed-off-by: Jakub Kicinski --- a/net/core/filter.c +++ b/net/core/filter.c -@@ -3232,6 +3232,13 @@ static const struct bpf_func_proto bpf_s +@@ -3233,6 +3233,13 @@ static const struct bpf_func_proto bpf_s .arg1_type = ARG_PTR_TO_CTX, }; @@ -67,7 +67,7 @@ Signed-off-by: Jakub Kicinski static int bpf_skb_generic_push(struct sk_buff *skb, u32 off, u32 len) { /* Caller already did skb_cow() with len as headroom, -@@ -3328,7 +3335,7 @@ static int bpf_skb_proto_4_to_6(struct s +@@ -3329,7 +3336,7 @@ static int bpf_skb_proto_4_to_6(struct s } } @@ -76,7 +76,7 @@ Signed-off-by: Jakub Kicinski skb_clear_hash(skb); return 0; -@@ -3358,7 +3365,7 @@ static int bpf_skb_proto_6_to_4(struct s +@@ -3359,7 +3366,7 @@ static int bpf_skb_proto_6_to_4(struct s } } @@ -85,7 +85,7 @@ Signed-off-by: Jakub Kicinski skb_clear_hash(skb); return 0; -@@ -3549,10 +3556,10 @@ static int bpf_skb_net_grow(struct sk_bu +@@ -3550,10 +3557,10 @@ static int bpf_skb_net_grow(struct sk_bu /* Match skb->protocol to new outer l3 protocol */ if (skb->protocol == htons(ETH_P_IP) && flags & BPF_F_ADJ_ROOM_ENCAP_L3_IPV6) @@ -98,7 +98,7 @@ Signed-off-by: Jakub Kicinski } if (skb_is_gso(skb)) { -@@ -3605,10 +3612,10 @@ static int bpf_skb_net_shrink(struct sk_ +@@ -3606,10 +3613,10 @@ static int bpf_skb_net_shrink(struct sk_ /* Match skb->protocol to new outer l3 protocol */ if (skb->protocol == htons(ETH_P_IP) && flags & BPF_F_ADJ_ROOM_DECAP_L3_IPV6) diff --git a/debian/patches/patchset-pf/fixes/0033-net_sched-sch_sfq-reject-invalid-perturb-period.patch b/debian/patches/patchset-pf/fixes/0029-net_sched-sch_sfq-reject-invalid-perturb-period.patch similarity index 91% rename from debian/patches/patchset-pf/fixes/0033-net_sched-sch_sfq-reject-invalid-perturb-period.patch rename to debian/patches/patchset-pf/fixes/0029-net_sched-sch_sfq-reject-invalid-perturb-period.patch index 0951490..1b1bb76 100644 --- a/debian/patches/patchset-pf/fixes/0033-net_sched-sch_sfq-reject-invalid-perturb-period.patch +++ b/debian/patches/patchset-pf/fixes/0029-net_sched-sch_sfq-reject-invalid-perturb-period.patch @@ -1,4 +1,4 @@ -From 59765af017c206b162b2ceb8d56a171e40a17719 Mon Sep 17 00:00:00 2001 +From 2bf1f4a3adcecc53c1012e460d1412cece3747ce Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Wed, 11 Jun 2025 08:35:01 +0000 Subject: net_sched: sch_sfq: reject invalid perturb period @@ -35,7 +35,7 @@ Signed-off-by: Jakub Kicinski --- a/net/sched/sch_sfq.c +++ b/net/sched/sch_sfq.c -@@ -653,6 +653,14 @@ static int sfq_change(struct Qdisc *sch, +@@ -656,6 +656,14 @@ static int sfq_change(struct Qdisc *sch, NL_SET_ERR_MSG_MOD(extack, "invalid quantum"); return -EINVAL; } @@ -50,7 +50,7 @@ Signed-off-by: Jakub Kicinski if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max, ctl_v1->Wlog, ctl_v1->Scell_log, NULL)) return -EINVAL; -@@ -669,14 +677,12 @@ static int sfq_change(struct Qdisc *sch, +@@ -672,14 +680,12 @@ static int sfq_change(struct Qdisc *sch, headdrop = q->headdrop; maxdepth = q->maxdepth; maxflows = q->maxflows; diff --git a/debian/patches/patchset-pf/fixes/0035-mm-vma-reset-VMA-iterator-on-commit_merge-OOM-failur.patch b/debian/patches/patchset-pf/fixes/0030-mm-vma-reset-VMA-iterator-on-commit_merge-OOM-failur.patch similarity index 98% rename from debian/patches/patchset-pf/fixes/0035-mm-vma-reset-VMA-iterator-on-commit_merge-OOM-failur.patch rename to debian/patches/patchset-pf/fixes/0030-mm-vma-reset-VMA-iterator-on-commit_merge-OOM-failur.patch index f8be3f5..31f60a2 100644 --- a/debian/patches/patchset-pf/fixes/0035-mm-vma-reset-VMA-iterator-on-commit_merge-OOM-failur.patch +++ b/debian/patches/patchset-pf/fixes/0030-mm-vma-reset-VMA-iterator-on-commit_merge-OOM-failur.patch @@ -1,4 +1,4 @@ -From d7b5f2aa34c56bd2a2d3cda2a7eb7aeb24df6179 Mon Sep 17 00:00:00 2001 +From 90a5248443f925040b46e32fcf6715615c73e396 Mon Sep 17 00:00:00 2001 From: Lorenzo Stoakes Date: Fri, 6 Jun 2025 13:50:32 +0100 Subject: mm/vma: reset VMA iterator on commit_merge() OOM failure diff --git a/debian/patches/patchset-pf/fixes/0036-mm-close-theoretical-race-where-stale-TLB-entries-co.patch b/debian/patches/patchset-pf/fixes/0031-mm-close-theoretical-race-where-stale-TLB-entries-co.patch similarity index 97% rename from debian/patches/patchset-pf/fixes/0036-mm-close-theoretical-race-where-stale-TLB-entries-co.patch rename to debian/patches/patchset-pf/fixes/0031-mm-close-theoretical-race-where-stale-TLB-entries-co.patch index 1b23c40..07677c4 100644 --- a/debian/patches/patchset-pf/fixes/0036-mm-close-theoretical-race-where-stale-TLB-entries-co.patch +++ b/debian/patches/patchset-pf/fixes/0031-mm-close-theoretical-race-where-stale-TLB-entries-co.patch @@ -1,4 +1,4 @@ -From db96fe27668a3bb56fa5d745d1c2eed49a95a56f Mon Sep 17 00:00:00 2001 +From 7c9d5350d8acfe1b876a8acabdf247b44a803d58 Mon Sep 17 00:00:00 2001 From: Ryan Roberts Date: Fri, 6 Jun 2025 10:28:07 +0100 Subject: mm: close theoretical race where stale TLB entries could linger diff --git a/debian/patches/patchset-pf/fixes/0037-io_uring-kbuf-don-t-truncate-end-buffer-for-multiple.patch b/debian/patches/patchset-pf/fixes/0032-io_uring-kbuf-don-t-truncate-end-buffer-for-multiple.patch similarity index 94% rename from debian/patches/patchset-pf/fixes/0037-io_uring-kbuf-don-t-truncate-end-buffer-for-multiple.patch rename to debian/patches/patchset-pf/fixes/0032-io_uring-kbuf-don-t-truncate-end-buffer-for-multiple.patch index d652c23..a384a40 100644 --- a/debian/patches/patchset-pf/fixes/0037-io_uring-kbuf-don-t-truncate-end-buffer-for-multiple.patch +++ b/debian/patches/patchset-pf/fixes/0032-io_uring-kbuf-don-t-truncate-end-buffer-for-multiple.patch @@ -1,4 +1,4 @@ -From f8c6b0801edd6f50057610c67120ffb42027f2c2 Mon Sep 17 00:00:00 2001 +From 862a81c79f0bea8ede0352b637b44716f02f71b9 Mon Sep 17 00:00:00 2001 From: Jens Axboe Date: Fri, 13 Jun 2025 11:01:49 -0600 Subject: io_uring/kbuf: don't truncate end buffer for multiple buffer peeks diff --git a/debian/patches/patchset-pf/fixes/0038-nvme-always-punt-polled-uring_cmd-end_io-work-to-tas.patch b/debian/patches/patchset-pf/fixes/0033-nvme-always-punt-polled-uring_cmd-end_io-work-to-tas.patch similarity index 97% rename from debian/patches/patchset-pf/fixes/0038-nvme-always-punt-polled-uring_cmd-end_io-work-to-tas.patch rename to debian/patches/patchset-pf/fixes/0033-nvme-always-punt-polled-uring_cmd-end_io-work-to-tas.patch index 853e609..e635d0a 100644 --- a/debian/patches/patchset-pf/fixes/0038-nvme-always-punt-polled-uring_cmd-end_io-work-to-tas.patch +++ b/debian/patches/patchset-pf/fixes/0033-nvme-always-punt-polled-uring_cmd-end_io-work-to-tas.patch @@ -1,4 +1,4 @@ -From a2ef8773db38d0c3a41761dbed6fc57afa440161 Mon Sep 17 00:00:00 2001 +From bb3d761325a1707c8064a3d7dd556ed6a501a2e7 Mon Sep 17 00:00:00 2001 From: Jens Axboe Date: Fri, 13 Jun 2025 13:37:41 -0600 Subject: nvme: always punt polled uring_cmd end_io work to task_work diff --git a/debian/patches/patchset-pf/fixes/0039-block-Clear-BIO_EMULATES_ZONE_APPEND-flag-on-BIO-com.patch b/debian/patches/patchset-pf/fixes/0034-block-Clear-BIO_EMULATES_ZONE_APPEND-flag-on-BIO-com.patch similarity index 95% rename from debian/patches/patchset-pf/fixes/0039-block-Clear-BIO_EMULATES_ZONE_APPEND-flag-on-BIO-com.patch rename to debian/patches/patchset-pf/fixes/0034-block-Clear-BIO_EMULATES_ZONE_APPEND-flag-on-BIO-com.patch index b7c44a6..cea29d8 100644 --- a/debian/patches/patchset-pf/fixes/0039-block-Clear-BIO_EMULATES_ZONE_APPEND-flag-on-BIO-com.patch +++ b/debian/patches/patchset-pf/fixes/0034-block-Clear-BIO_EMULATES_ZONE_APPEND-flag-on-BIO-com.patch @@ -1,4 +1,4 @@ -From bb51adf56b5adc7075252cd17136c2288c116602 Mon Sep 17 00:00:00 2001 +From a57621608b2cbcbd0c7da184e9012b9b111a8577 Mon Sep 17 00:00:00 2001 From: Damien Le Moal Date: Wed, 11 Jun 2025 09:59:15 +0900 Subject: block: Clear BIO_EMULATES_ZONE_APPEND flag on BIO completion diff --git a/debian/patches/patchset-pf/fixes/0034-posix-cpu-timers-fix-race-between-handle_posix_cpu_t.patch b/debian/patches/patchset-pf/fixes/0034-posix-cpu-timers-fix-race-between-handle_posix_cpu_t.patch deleted file mode 100644 index f3b3a02..0000000 --- a/debian/patches/patchset-pf/fixes/0034-posix-cpu-timers-fix-race-between-handle_posix_cpu_t.patch +++ /dev/null @@ -1,51 +0,0 @@ -From b504e1cd491c55390370059280d5fbaa045d5543 Mon Sep 17 00:00:00 2001 -From: Oleg Nesterov -Date: Fri, 13 Jun 2025 19:26:50 +0200 -Subject: posix-cpu-timers: fix race between handle_posix_cpu_timers() and - posix_cpu_timer_del() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If an exiting non-autoreaping task has already passed exit_notify() and -calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent -or debugger right after unlock_task_sighand(). - -If a concurrent posix_cpu_timer_del() runs at that moment, it won't be -able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or -lock_task_sighand() will fail. - -Add the tsk->exit_state check into run_posix_cpu_timers() to fix this. - -This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because -exit_task_work() is called before exit_notify(). But the check still -makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail -anyway in this case. - -Cc: stable@vger.kernel.org -Reported-by: Benoît Sevens -Fixes: 0bdd2ed4138e ("sched: run_posix_cpu_timers: Don't check ->exit_state, use lock_task_sighand()") -Signed-off-by: Oleg Nesterov -Signed-off-by: Linus Torvalds ---- - kernel/time/posix-cpu-timers.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - ---- a/kernel/time/posix-cpu-timers.c -+++ b/kernel/time/posix-cpu-timers.c -@@ -1406,6 +1406,15 @@ void run_posix_cpu_timers(void) - lockdep_assert_irqs_disabled(); - - /* -+ * Ensure that release_task(tsk) can't happen while -+ * handle_posix_cpu_timers() is running. Otherwise, a concurrent -+ * posix_cpu_timer_del() may fail to lock_task_sighand(tsk) and -+ * miss timer->it.cpu.firing != 0. -+ */ -+ if (tsk->exit_state) -+ return; -+ -+ /* - * If the actual expiry is deferred to task work context and the - * work is already scheduled there is no point to do anything here. - */ diff --git a/debian/patches/patchset-pf/fixes/0040-block-use-plug-request-list-tail-for-one-shot-backme.patch b/debian/patches/patchset-pf/fixes/0035-block-use-plug-request-list-tail-for-one-shot-backme.patch similarity index 97% rename from debian/patches/patchset-pf/fixes/0040-block-use-plug-request-list-tail-for-one-shot-backme.patch rename to debian/patches/patchset-pf/fixes/0035-block-use-plug-request-list-tail-for-one-shot-backme.patch index ba0cd26..2f42dd9 100644 --- a/debian/patches/patchset-pf/fixes/0040-block-use-plug-request-list-tail-for-one-shot-backme.patch +++ b/debian/patches/patchset-pf/fixes/0035-block-use-plug-request-list-tail-for-one-shot-backme.patch @@ -1,4 +1,4 @@ -From 56ae62470a95ac8249c43f5c0d50da2a83c350e0 Mon Sep 17 00:00:00 2001 +From 7fc5a2cbcc8459cab6ae8c5dd1220768027ccb70 Mon Sep 17 00:00:00 2001 From: Jens Axboe Date: Wed, 11 Jun 2025 08:48:46 -0600 Subject: block: use plug request list tail for one-shot backmerge attempt diff --git a/debian/patches/patchset-pf/fixes/0036-Revert-mm-execmem-Unify-early-execmem_cache-behaviou.patch b/debian/patches/patchset-pf/fixes/0036-Revert-mm-execmem-Unify-early-execmem_cache-behaviou.patch new file mode 100644 index 0000000..a915c91 --- /dev/null +++ b/debian/patches/patchset-pf/fixes/0036-Revert-mm-execmem-Unify-early-execmem_cache-behaviou.patch @@ -0,0 +1,149 @@ +From 8ad4520fc849262ab23adbabebd366d4755035bc Mon Sep 17 00:00:00 2001 +From: "Mike Rapoport (Microsoft)" +Date: Tue, 3 Jun 2025 14:14:45 +0300 +Subject: Revert "mm/execmem: Unify early execmem_cache behaviour" + +The commit d6d1e3e6580c ("mm/execmem: Unify early execmem_cache +behaviour") changed early behaviour of execemem ROX cache to allow its +usage in early x86 code that allocates text pages when +CONFIG_MITGATION_ITS is enabled. + +The permission management of the pages allocated from execmem for ITS +mitigation is now completely contained in arch/x86/kernel/alternatives.c +and therefore there is no need to special case early allocations in +execmem. + +This reverts commit d6d1e3e6580ca35071ad474381f053cbf1fb6414. + +Signed-off-by: Mike Rapoport (Microsoft) +Signed-off-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20250603111446.2609381-6-rppt@kernel.org +--- + arch/x86/mm/init_32.c | 3 --- + arch/x86/mm/init_64.c | 3 --- + include/linux/execmem.h | 8 +------- + mm/execmem.c | 40 +++------------------------------------- + 4 files changed, 4 insertions(+), 50 deletions(-) + +--- a/arch/x86/mm/init_32.c ++++ b/arch/x86/mm/init_32.c +@@ -30,7 +30,6 @@ + #include + #include + #include +-#include + + #include + #include +@@ -756,8 +755,6 @@ void mark_rodata_ro(void) + pr_info("Write protecting kernel text and read-only data: %luk\n", + size >> 10); + +- execmem_cache_make_ro(); +- + kernel_set_to_readonly = 1; + + #ifdef CONFIG_CPA_DEBUG +--- a/arch/x86/mm/init_64.c ++++ b/arch/x86/mm/init_64.c +@@ -34,7 +34,6 @@ + #include + #include + #include +-#include + + #include + #include +@@ -1392,8 +1391,6 @@ void mark_rodata_ro(void) + (end - start) >> 10); + set_memory_ro(start, (end - start) >> PAGE_SHIFT); + +- execmem_cache_make_ro(); +- + kernel_set_to_readonly = 1; + + /* +--- a/include/linux/execmem.h ++++ b/include/linux/execmem.h +@@ -54,7 +54,7 @@ enum execmem_range_flags { + EXECMEM_ROX_CACHE = (1 << 1), + }; + +-#if defined(CONFIG_ARCH_HAS_EXECMEM_ROX) && defined(CONFIG_EXECMEM) ++#ifdef CONFIG_ARCH_HAS_EXECMEM_ROX + /** + * execmem_fill_trapping_insns - set memory to contain instructions that + * will trap +@@ -94,15 +94,9 @@ int execmem_make_temp_rw(void *ptr, size + * Return: 0 on success or negative error code on failure. + */ + int execmem_restore_rox(void *ptr, size_t size); +- +-/* +- * Called from mark_readonly(), where the system transitions to ROX. +- */ +-void execmem_cache_make_ro(void); + #else + static inline int execmem_make_temp_rw(void *ptr, size_t size) { return 0; } + static inline int execmem_restore_rox(void *ptr, size_t size) { return 0; } +-static inline void execmem_cache_make_ro(void) { } + #endif + + /** +--- a/mm/execmem.c ++++ b/mm/execmem.c +@@ -254,34 +254,6 @@ out_unlock: + return ptr; + } + +-static bool execmem_cache_rox = false; +- +-void execmem_cache_make_ro(void) +-{ +- struct maple_tree *free_areas = &execmem_cache.free_areas; +- struct maple_tree *busy_areas = &execmem_cache.busy_areas; +- MA_STATE(mas_free, free_areas, 0, ULONG_MAX); +- MA_STATE(mas_busy, busy_areas, 0, ULONG_MAX); +- struct mutex *mutex = &execmem_cache.mutex; +- void *area; +- +- execmem_cache_rox = true; +- +- mutex_lock(mutex); +- +- mas_for_each(&mas_free, area, ULONG_MAX) { +- unsigned long pages = mas_range_len(&mas_free) >> PAGE_SHIFT; +- set_memory_ro(mas_free.index, pages); +- } +- +- mas_for_each(&mas_busy, area, ULONG_MAX) { +- unsigned long pages = mas_range_len(&mas_busy) >> PAGE_SHIFT; +- set_memory_ro(mas_busy.index, pages); +- } +- +- mutex_unlock(mutex); +-} +- + static int execmem_cache_populate(struct execmem_range *range, size_t size) + { + unsigned long vm_flags = VM_ALLOW_HUGE_VMAP; +@@ -302,15 +274,9 @@ static int execmem_cache_populate(struct + /* fill memory with instructions that will trap */ + execmem_fill_trapping_insns(p, alloc_size, /* writable = */ true); + +- if (execmem_cache_rox) { +- err = set_memory_rox((unsigned long)p, vm->nr_pages); +- if (err) +- goto err_free_mem; +- } else { +- err = set_memory_x((unsigned long)p, vm->nr_pages); +- if (err) +- goto err_free_mem; +- } ++ err = set_memory_rox((unsigned long)p, vm->nr_pages); ++ if (err) ++ goto err_free_mem; + + err = execmem_cache_add(p, alloc_size); + if (err) diff --git a/debian/patches/patchset-pf/fixes/0037-x86-virt-tdx-Avoid-indirect-calls-to-TDX-assembly-fu.patch b/debian/patches/patchset-pf/fixes/0037-x86-virt-tdx-Avoid-indirect-calls-to-TDX-assembly-fu.patch new file mode 100644 index 0000000..c716808 --- /dev/null +++ b/debian/patches/patchset-pf/fixes/0037-x86-virt-tdx-Avoid-indirect-calls-to-TDX-assembly-fu.patch @@ -0,0 +1,63 @@ +From 85bfdd784bd61df94fd42daca141ed173f647e8c Mon Sep 17 00:00:00 2001 +From: Kai Huang +Date: Sat, 7 Jun 2025 01:07:37 +1200 +Subject: x86/virt/tdx: Avoid indirect calls to TDX assembly functions + +Two 'static inline' TDX helper functions (sc_retry() and +sc_retry_prerr()) take function pointer arguments which refer to +assembly functions. Normally, the compiler inlines the TDX helper, +realizes that the function pointer targets are completely static -- +thus can be resolved at compile time -- and generates direct call +instructions. + +But, other times (like when CONFIG_CC_OPTIMIZE_FOR_SIZE=y), the +compiler declines to inline the helpers and will instead generate +indirect call instructions. + +Indirect calls to assembly functions require special annotation (for +various Control Flow Integrity mechanisms). But TDX assembly +functions lack the special annotations and can only be called +directly. + +Annotate both the helpers as '__always_inline' to prod the compiler +into maintaining the direct calls. There is no guarantee here, but +Peter has volunteered to report the compiler bug if this assumption +ever breaks[1]. + +Fixes: 1e66a7e27539 ("x86/virt/tdx: Handle SEAMCALL no entropy error in common code") +Fixes: df01f5ae07dd ("x86/virt/tdx: Add SEAMCALL error printing for module initialization") +Signed-off-by: Kai Huang +Signed-off-by: Dave Hansen +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/lkml/20250605145914.GW39944@noisy.programming.kicks-ass.net/ [1] +Link: https://lore.kernel.org/all/20250606130737.30713-1-kai.huang%40intel.com +--- + arch/x86/include/asm/tdx.h | 2 +- + arch/x86/virt/vmx/tdx/tdx.c | 5 +++-- + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/arch/x86/include/asm/tdx.h ++++ b/arch/x86/include/asm/tdx.h +@@ -100,7 +100,7 @@ void tdx_init(void); + + typedef u64 (*sc_func_t)(u64 fn, struct tdx_module_args *args); + +-static inline u64 sc_retry(sc_func_t func, u64 fn, ++static __always_inline u64 sc_retry(sc_func_t func, u64 fn, + struct tdx_module_args *args) + { + int retry = RDRAND_RETRY_LOOPS; +--- a/arch/x86/virt/vmx/tdx/tdx.c ++++ b/arch/x86/virt/vmx/tdx/tdx.c +@@ -69,8 +69,9 @@ static inline void seamcall_err_ret(u64 + args->r9, args->r10, args->r11); + } + +-static inline int sc_retry_prerr(sc_func_t func, sc_err_func_t err_func, +- u64 fn, struct tdx_module_args *args) ++static __always_inline int sc_retry_prerr(sc_func_t func, ++ sc_err_func_t err_func, ++ u64 fn, struct tdx_module_args *args) + { + u64 sret = sc_retry(func, fn, args); + diff --git a/debian/patches/patchset-pf/fixes/0038-x86-mm-pat-don-t-collapse-pages-without-PSE-set.patch b/debian/patches/patchset-pf/fixes/0038-x86-mm-pat-don-t-collapse-pages-without-PSE-set.patch new file mode 100644 index 0000000..c36e705 --- /dev/null +++ b/debian/patches/patchset-pf/fixes/0038-x86-mm-pat-don-t-collapse-pages-without-PSE-set.patch @@ -0,0 +1,31 @@ +From a94cf5c6e7e31be9d4788916ce847adb15735d81 Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Tue, 3 Jun 2025 14:14:41 +0300 +Subject: x86/mm/pat: don't collapse pages without PSE set + +Collapsing pages to a leaf PMD or PUD should be done only if +X86_FEATURE_PSE is available, which is not the case when running e.g. +as a Xen PV guest. + +Fixes: 41d88484c71c ("x86/mm/pat: restore large ROX pages after fragmentation") +Signed-off-by: Juergen Gross +Signed-off-by: Mike Rapoport (Microsoft) +Signed-off-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250528123557.12847-3-jgross@suse.com +--- + arch/x86/mm/pat/set_memory.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/x86/mm/pat/set_memory.c ++++ b/arch/x86/mm/pat/set_memory.c +@@ -1257,6 +1257,9 @@ static int collapse_pmd_page(pmd_t *pmd, + pgprot_t pgprot; + int i = 0; + ++ if (!cpu_feature_enabled(X86_FEATURE_PSE)) ++ return 0; ++ + addr &= PMD_MASK; + pte = pte_offset_kernel(pmd, addr); + first = *pte; diff --git a/debian/patches/patchset-pf/fixes/0039-x86-Kconfig-only-enable-ROX-cache-in-execmem-when-ST.patch b/debian/patches/patchset-pf/fixes/0039-x86-Kconfig-only-enable-ROX-cache-in-execmem-when-ST.patch new file mode 100644 index 0000000..eebe58a --- /dev/null +++ b/debian/patches/patchset-pf/fixes/0039-x86-Kconfig-only-enable-ROX-cache-in-execmem-when-ST.patch @@ -0,0 +1,34 @@ +From 8f28d595d167316469bb33b701e27b4b79c1aab1 Mon Sep 17 00:00:00 2001 +From: "Mike Rapoport (Microsoft)" +Date: Tue, 3 Jun 2025 14:14:42 +0300 +Subject: x86/Kconfig: only enable ROX cache in execmem when STRICT_MODULE_RWX + is set + +Currently ROX cache in execmem is enabled regardless of +STRICT_MODULE_RWX setting. This breaks an assumption that module memory +is writable when STRICT_MODULE_RWX is disabled, for instance for kernel +debuggin. + +Only enable ROX cache in execmem when STRICT_MODULE_RWX is set to +restore the original behaviour of module text permissions. + +Fixes: 64f6a4e10c05 ("x86: re-enable EXECMEM_ROX support") +Signed-off-by: Mike Rapoport (Microsoft) +Signed-off-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20250603111446.2609381-3-rppt@kernel.org +--- + arch/x86/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -88,7 +88,7 @@ config X86 + select ARCH_HAS_DMA_OPS if GART_IOMMU || XEN + select ARCH_HAS_EARLY_DEBUG if KGDB + select ARCH_HAS_ELF_RANDOMIZE +- select ARCH_HAS_EXECMEM_ROX if X86_64 ++ select ARCH_HAS_EXECMEM_ROX if X86_64 && STRICT_MODULE_RWX + select ARCH_HAS_FAST_MULTIPLIER + select ARCH_HAS_FORTIFY_SOURCE + select ARCH_HAS_GCOV_PROFILE_ALL diff --git a/debian/patches/patchset-pf/fixes/0040-x86-its-move-its_pages-array-to-struct-mod_arch_spec.patch b/debian/patches/patchset-pf/fixes/0040-x86-its-move-its_pages-array-to-struct-mod_arch_spec.patch new file mode 100644 index 0000000..c24e6b7 --- /dev/null +++ b/debian/patches/patchset-pf/fixes/0040-x86-its-move-its_pages-array-to-struct-mod_arch_spec.patch @@ -0,0 +1,110 @@ +From 24fd2e3cef1b98f4417b8015ba24a8a4dcaae0c1 Mon Sep 17 00:00:00 2001 +From: "Mike Rapoport (Microsoft)" +Date: Tue, 3 Jun 2025 14:14:43 +0300 +Subject: x86/its: move its_pages array to struct mod_arch_specific + +The of pages with ITS thunks allocated for modules are tracked by an +array in 'struct module'. + +Since this is very architecture specific data structure, move it to +'struct mod_arch_specific'. + +No functional changes. + +Fixes: 872df34d7c51 ("x86/its: Use dynamic thunks for indirect branches") +Suggested-by: Peter Zijlstra (Intel) +Signed-off-by: Mike Rapoport (Microsoft) +Signed-off-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20250603111446.2609381-4-rppt@kernel.org +--- + arch/x86/include/asm/module.h | 8 ++++++++ + arch/x86/kernel/alternative.c | 19 ++++++++++--------- + include/linux/module.h | 5 ----- + 3 files changed, 18 insertions(+), 14 deletions(-) + +--- a/arch/x86/include/asm/module.h ++++ b/arch/x86/include/asm/module.h +@@ -5,12 +5,20 @@ + #include + #include + ++struct its_array { ++#ifdef CONFIG_MITIGATION_ITS ++ void **pages; ++ int num; ++#endif ++}; ++ + struct mod_arch_specific { + #ifdef CONFIG_UNWINDER_ORC + unsigned int num_orcs; + int *orc_unwind_ip; + struct orc_entry *orc_unwind; + #endif ++ struct its_array its_pages; + }; + + #endif /* _ASM_X86_MODULE_H */ +--- a/arch/x86/kernel/alternative.c ++++ b/arch/x86/kernel/alternative.c +@@ -195,8 +195,8 @@ void its_fini_mod(struct module *mod) + its_page = NULL; + mutex_unlock(&text_mutex); + +- for (int i = 0; i < mod->its_num_pages; i++) { +- void *page = mod->its_page_array[i]; ++ for (int i = 0; i < mod->arch.its_pages.num; i++) { ++ void *page = mod->arch.its_pages.pages[i]; + execmem_restore_rox(page, PAGE_SIZE); + } + } +@@ -206,11 +206,11 @@ void its_free_mod(struct module *mod) + if (!cpu_feature_enabled(X86_FEATURE_INDIRECT_THUNK_ITS)) + return; + +- for (int i = 0; i < mod->its_num_pages; i++) { +- void *page = mod->its_page_array[i]; ++ for (int i = 0; i < mod->arch.its_pages.num; i++) { ++ void *page = mod->arch.its_pages.pages[i]; + execmem_free(page); + } +- kfree(mod->its_page_array); ++ kfree(mod->arch.its_pages.pages); + } + #endif /* CONFIG_MODULES */ + +@@ -223,14 +223,15 @@ static void *its_alloc(void) + + #ifdef CONFIG_MODULES + if (its_mod) { +- void *tmp = krealloc(its_mod->its_page_array, +- (its_mod->its_num_pages+1) * sizeof(void *), ++ struct its_array *pages = &its_mod->arch.its_pages; ++ void *tmp = krealloc(pages->pages, ++ (pages->num+1) * sizeof(void *), + GFP_KERNEL); + if (!tmp) + return NULL; + +- its_mod->its_page_array = tmp; +- its_mod->its_page_array[its_mod->its_num_pages++] = page; ++ pages->pages = tmp; ++ pages->pages[pages->num++] = page; + + execmem_make_temp_rw(page, PAGE_SIZE); + } +--- a/include/linux/module.h ++++ b/include/linux/module.h +@@ -586,11 +586,6 @@ struct module { + atomic_t refcnt; + #endif + +-#ifdef CONFIG_MITIGATION_ITS +- int its_num_pages; +- void **its_page_array; +-#endif +- + #ifdef CONFIG_CONSTRUCTORS + /* Constructor functions. */ + ctor_fn_t *ctors; diff --git a/debian/patches/patchset-pf/fixes/0041-x86-its-explicitly-manage-permissions-for-ITS-pages.patch b/debian/patches/patchset-pf/fixes/0041-x86-its-explicitly-manage-permissions-for-ITS-pages.patch new file mode 100644 index 0000000..c93a534 --- /dev/null +++ b/debian/patches/patchset-pf/fixes/0041-x86-its-explicitly-manage-permissions-for-ITS-pages.patch @@ -0,0 +1,148 @@ +From 48d82c4dd03de376a6f673bda0f4f2b97138d855 Mon Sep 17 00:00:00 2001 +From: "Peter Zijlstra (Intel)" +Date: Tue, 3 Jun 2025 14:14:44 +0300 +Subject: x86/its: explicitly manage permissions for ITS pages + +execmem_alloc() sets permissions differently depending on the kernel +configuration, CPU support for PSE and whether a page is allocated +before or after mark_rodata_ro(). + +Add tracking for pages allocated for ITS when patching the core kernel +and make sure the permissions for ITS pages are explicitly managed for +both kernel and module allocations. + +Fixes: 872df34d7c51 ("x86/its: Use dynamic thunks for indirect branches") +Signed-off-by: Peter Zijlstra (Intel) +Co-developed-by: Mike Rapoport (Microsoft) +Signed-off-by: Mike Rapoport (Microsoft) +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Nikolay Borisov +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20250603111446.2609381-5-rppt@kernel.org +--- + arch/x86/kernel/alternative.c | 74 ++++++++++++++++++++++++----------- + 1 file changed, 52 insertions(+), 22 deletions(-) + +--- a/arch/x86/kernel/alternative.c ++++ b/arch/x86/kernel/alternative.c +@@ -138,6 +138,24 @@ static struct module *its_mod; + #endif + static void *its_page; + static unsigned int its_offset; ++struct its_array its_pages; ++ ++static void *__its_alloc(struct its_array *pages) ++{ ++ void *page __free(execmem) = execmem_alloc(EXECMEM_MODULE_TEXT, PAGE_SIZE); ++ if (!page) ++ return NULL; ++ ++ void *tmp = krealloc(pages->pages, (pages->num+1) * sizeof(void *), ++ GFP_KERNEL); ++ if (!tmp) ++ return NULL; ++ ++ pages->pages = tmp; ++ pages->pages[pages->num++] = page; ++ ++ return no_free_ptr(page); ++} + + /* Initialize a thunk with the "jmp *reg; int3" instructions. */ + static void *its_init_thunk(void *thunk, int reg) +@@ -173,6 +191,21 @@ static void *its_init_thunk(void *thunk, + return thunk + offset; + } + ++static void its_pages_protect(struct its_array *pages) ++{ ++ for (int i = 0; i < pages->num; i++) { ++ void *page = pages->pages[i]; ++ execmem_restore_rox(page, PAGE_SIZE); ++ } ++} ++ ++static void its_fini_core(void) ++{ ++ if (IS_ENABLED(CONFIG_STRICT_KERNEL_RWX)) ++ its_pages_protect(&its_pages); ++ kfree(its_pages.pages); ++} ++ + #ifdef CONFIG_MODULES + void its_init_mod(struct module *mod) + { +@@ -195,10 +228,8 @@ void its_fini_mod(struct module *mod) + its_page = NULL; + mutex_unlock(&text_mutex); + +- for (int i = 0; i < mod->arch.its_pages.num; i++) { +- void *page = mod->arch.its_pages.pages[i]; +- execmem_restore_rox(page, PAGE_SIZE); +- } ++ if (IS_ENABLED(CONFIG_STRICT_MODULE_RWX)) ++ its_pages_protect(&mod->arch.its_pages); + } + + void its_free_mod(struct module *mod) +@@ -216,28 +247,23 @@ void its_free_mod(struct module *mod) + + static void *its_alloc(void) + { +- void *page __free(execmem) = execmem_alloc(EXECMEM_MODULE_TEXT, PAGE_SIZE); ++ struct its_array *pages = &its_pages; ++ void *page; + ++#ifdef CONFIG_MODULE ++ if (its_mod) ++ pages = &its_mod->arch.its_pages; ++#endif ++ ++ page = __its_alloc(pages); + if (!page) + return NULL; + +-#ifdef CONFIG_MODULES +- if (its_mod) { +- struct its_array *pages = &its_mod->arch.its_pages; +- void *tmp = krealloc(pages->pages, +- (pages->num+1) * sizeof(void *), +- GFP_KERNEL); +- if (!tmp) +- return NULL; +- +- pages->pages = tmp; +- pages->pages[pages->num++] = page; ++ execmem_make_temp_rw(page, PAGE_SIZE); ++ if (pages == &its_pages) ++ set_memory_x((unsigned long)page, 1); + +- execmem_make_temp_rw(page, PAGE_SIZE); +- } +-#endif /* CONFIG_MODULES */ +- +- return no_free_ptr(page); ++ return page; + } + + static void *its_allocate_thunk(int reg) +@@ -291,7 +317,9 @@ u8 *its_static_thunk(int reg) + return thunk; + } + +-#endif ++#else ++static inline void its_fini_core(void) {} ++#endif /* CONFIG_MITIGATION_ITS */ + + /* + * Nomenclature for variable names to simplify and clarify this code and ease +@@ -2368,6 +2396,8 @@ void __init alternative_instructions(voi + apply_retpolines(__retpoline_sites, __retpoline_sites_end); + apply_returns(__return_sites, __return_sites_end); + ++ its_fini_core(); ++ + /* + * Adjust all CALL instructions to point to func()-10, including + * those in .altinstr_replacement. diff --git a/debian/patches/patchset-pf/fixes/0042-KVM-SVM-Clear-current_vmcb-during-vCPU-free-for-all-.patch b/debian/patches/patchset-pf/fixes/0042-KVM-SVM-Clear-current_vmcb-during-vCPU-free-for-all-.patch new file mode 100644 index 0000000..f9bf3d4 --- /dev/null +++ b/debian/patches/patchset-pf/fixes/0042-KVM-SVM-Clear-current_vmcb-during-vCPU-free-for-all-.patch @@ -0,0 +1,32 @@ +From 9bed8caa4c73f2d524d9600c74e6cbcff71c2456 Mon Sep 17 00:00:00 2001 +From: Yosry Ahmed +Date: Tue, 29 Apr 2025 08:32:15 -0700 +Subject: KVM: SVM: Clear current_vmcb during vCPU free for all *possible* CPUs + +When freeing a vCPU and thus its VMCB, clear current_vmcb for all possible +CPUs, not just online CPUs, as it's theoretically possible a CPU could go +offline and come back online in conjunction with KVM reusing the page for +a new VMCB. + +Link: https://lore.kernel.org/all/20250320013759.3965869-1-yosry.ahmed@linux.dev +Fixes: fd65d3142f73 ("kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb") +Cc: stable@vger.kernel.org +Cc: Jim Mattson +Signed-off-by: Yosry Ahmed +[sean: split to separate patch, write changelog] +Signed-off-by: Sean Christopherson +--- + arch/x86/kvm/svm/svm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/svm/svm.c ++++ b/arch/x86/kvm/svm/svm.c +@@ -1488,7 +1488,7 @@ static void svm_clear_current_vmcb(struc + { + int i; + +- for_each_online_cpu(i) ++ for_each_possible_cpu(i) + cmpxchg(per_cpu_ptr(&svm_data.current_vmcb, i), vmcb, NULL); + } + diff --git a/debian/patches/patchset-pf/fixes/0043-KVM-VMX-Flush-shadow-VMCS-on-emergency-reboot.patch b/debian/patches/patchset-pf/fixes/0043-KVM-VMX-Flush-shadow-VMCS-on-emergency-reboot.patch new file mode 100644 index 0000000..a031fa1 --- /dev/null +++ b/debian/patches/patchset-pf/fixes/0043-KVM-VMX-Flush-shadow-VMCS-on-emergency-reboot.patch @@ -0,0 +1,43 @@ +From d74cb6c8b70d9b5ad8482f4821679b83bad9de63 Mon Sep 17 00:00:00 2001 +From: Chao Gao +Date: Mon, 24 Mar 2025 22:08:48 +0800 +Subject: KVM: VMX: Flush shadow VMCS on emergency reboot + +Ensure the shadow VMCS cache is evicted during an emergency reboot to +prevent potential memory corruption if the cache is evicted after reboot. + +This issue was identified through code inspection, as __loaded_vmcs_clear() +flushes both the normal VMCS and the shadow VMCS. + +Avoid checking the "launched" state during an emergency reboot, unlike the +behavior in __loaded_vmcs_clear(). This is important because reboot NMIs +can interfere with operations like copy_shadow_to_vmcs12(), where shadow +VMCSes are loaded directly using VMPTRLD. In such cases, if NMIs occur +right after the VMCS load, the shadow VMCSes will be active but the +"launched" state may not be set. + +Fixes: 16f5b9034b69 ("KVM: nVMX: Copy processor-specific shadow-vmcs to VMCS12") +Cc: stable@vger.kernel.org +Signed-off-by: Chao Gao +Reviewed-by: Kai Huang +Link: https://lore.kernel.org/r/20250324140849.2099723-1-chao.gao@intel.com +Signed-off-by: Sean Christopherson +--- + arch/x86/kvm/vmx/vmx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -769,8 +769,11 @@ void vmx_emergency_disable_virtualizatio + return; + + list_for_each_entry(v, &per_cpu(loaded_vmcss_on_cpu, cpu), +- loaded_vmcss_on_cpu_link) ++ loaded_vmcss_on_cpu_link) { + vmcs_clear(v->vmcs); ++ if (v->shadow_vmcs) ++ vmcs_clear(v->shadow_vmcs); ++ } + + kvm_cpu_vmxoff(); + } diff --git a/debian/patches/patchset-pf/fixes/0044-cgroup-freezer-fix-incomplete-freezing-when-attachin.patch b/debian/patches/patchset-pf/fixes/0044-cgroup-freezer-fix-incomplete-freezing-when-attachin.patch new file mode 100644 index 0000000..3cfd6eb --- /dev/null +++ b/debian/patches/patchset-pf/fixes/0044-cgroup-freezer-fix-incomplete-freezing-when-attachin.patch @@ -0,0 +1,64 @@ +From 6e492900893c011cbe13fbb881cf1e11df08982b Mon Sep 17 00:00:00 2001 +From: Chen Ridong +Date: Wed, 18 Jun 2025 07:32:17 +0000 +Subject: cgroup,freezer: fix incomplete freezing when attaching tasks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +An issue was found: + + # cd /sys/fs/cgroup/freezer/ + # mkdir test + # echo FROZEN > test/freezer.state + # cat test/freezer.state + FROZEN + # sleep 1000 & + [1] 863 + # echo 863 > test/cgroup.procs + # cat test/freezer.state + FREEZING + +When tasks are migrated to a frozen cgroup, the freezer fails to +immediately freeze the tasks, causing the cgroup to remain in the +"FREEZING". + +The freeze_task() function is called before clearing the CGROUP_FROZEN +flag. This causes the freezing() check to incorrectly return false, +preventing __freeze_task() from being invoked for the migrated task. + +To fix this issue, clear the CGROUP_FROZEN state before calling +freeze_task(). + +Fixes: f5d39b020809 ("freezer,sched: Rewrite core freezer logic") +Cc: stable@vger.kernel.org # v6.1+ +Reported-by: Zhong Jiawei +Signed-off-by: Chen Ridong +Acked-by: Michal Koutný +Signed-off-by: Tejun Heo +--- + kernel/cgroup/legacy_freezer.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/kernel/cgroup/legacy_freezer.c b/kernel/cgroup/legacy_freezer.c +index 039d1eb2f215..507b8f19a262 100644 +--- a/kernel/cgroup/legacy_freezer.c ++++ b/kernel/cgroup/legacy_freezer.c +@@ -188,13 +188,12 @@ static void freezer_attach(struct cgroup_taskset *tset) + if (!(freezer->state & CGROUP_FREEZING)) { + __thaw_task(task); + } else { +- freeze_task(task); +- + /* clear FROZEN and propagate upwards */ + while (freezer && (freezer->state & CGROUP_FROZEN)) { + freezer->state &= ~CGROUP_FROZEN; + freezer = parent_freezer(freezer); + } ++ freeze_task(task); + } + } + +-- +2.50.0 + diff --git a/debian/patches/patchset-pf/nfs/0001-NFSD-unregister-filesystem-in-case-genl_register_fam.patch b/debian/patches/patchset-pf/nfs/0001-NFSD-unregister-filesystem-in-case-genl_register_fam.patch index febf497..71bb98b 100644 --- a/debian/patches/patchset-pf/nfs/0001-NFSD-unregister-filesystem-in-case-genl_register_fam.patch +++ b/debian/patches/patchset-pf/nfs/0001-NFSD-unregister-filesystem-in-case-genl_register_fam.patch @@ -1,4 +1,4 @@ -From c207229d3f7b851d246f1904bc4cab7ae9ada58b Mon Sep 17 00:00:00 2001 +From ef4d2ebb50f1bd0d5b2e3f1aa2280d7d31e4a3c9 Mon Sep 17 00:00:00 2001 From: Maninder Singh Date: Thu, 6 Mar 2025 14:50:06 +0530 Subject: NFSD: unregister filesystem in case genl_register_family() fails diff --git a/debian/patches/patchset-pf/nfs/0002-NFSD-fix-race-between-nfsd-registration-and-exports_.patch b/debian/patches/patchset-pf/nfs/0002-NFSD-fix-race-between-nfsd-registration-and-exports_.patch index 88d4282..a43962f 100644 --- a/debian/patches/patchset-pf/nfs/0002-NFSD-fix-race-between-nfsd-registration-and-exports_.patch +++ b/debian/patches/patchset-pf/nfs/0002-NFSD-fix-race-between-nfsd-registration-and-exports_.patch @@ -1,4 +1,4 @@ -From bda3cf19bcf44807c401b807dee83aadda959287 Mon Sep 17 00:00:00 2001 +From 6c2a6b3e27a3a02fd9f3f92458d4995014dfe69f Mon Sep 17 00:00:00 2001 From: Maninder Singh Date: Thu, 6 Mar 2025 14:50:07 +0530 Subject: NFSD: fix race between nfsd registration and exports_proc diff --git a/debian/patches/patchset-pf/nfs/0003-nfsd-fix-access-checking-for-NLM-under-XPRTSEC-polic.patch b/debian/patches/patchset-pf/nfs/0003-nfsd-fix-access-checking-for-NLM-under-XPRTSEC-polic.patch index 789b1f7..1c2312f 100644 --- a/debian/patches/patchset-pf/nfs/0003-nfsd-fix-access-checking-for-NLM-under-XPRTSEC-polic.patch +++ b/debian/patches/patchset-pf/nfs/0003-nfsd-fix-access-checking-for-NLM-under-XPRTSEC-polic.patch @@ -1,4 +1,4 @@ -From b9293b51ea6182618e474edfbeb5cd34f5e875e8 Mon Sep 17 00:00:00 2001 +From 0d4fc17cb5da09d14dbff91da7e28e50d3f54af2 Mon Sep 17 00:00:00 2001 From: Olga Kornievskaia Date: Fri, 21 Mar 2025 20:13:04 -0400 Subject: nfsd: fix access checking for NLM under XPRTSEC policies diff --git a/debian/patches/patchset-pf/nfs/0004-nfsd-nfsd4_spo_must_allow-must-check-this-is-a-v4-co.patch b/debian/patches/patchset-pf/nfs/0004-nfsd-nfsd4_spo_must_allow-must-check-this-is-a-v4-co.patch index 120ebf2..db09dbc 100644 --- a/debian/patches/patchset-pf/nfs/0004-nfsd-nfsd4_spo_must_allow-must-check-this-is-a-v4-co.patch +++ b/debian/patches/patchset-pf/nfs/0004-nfsd-nfsd4_spo_must_allow-must-check-this-is-a-v4-co.patch @@ -1,4 +1,4 @@ -From 778e820deed49a0dee6115c0aa903e626ab635f6 Mon Sep 17 00:00:00 2001 +From 2fa924062a9494772cd997cb8b1ec572cfe6490f Mon Sep 17 00:00:00 2001 From: NeilBrown Date: Fri, 28 Mar 2025 11:05:59 +1100 Subject: nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request diff --git a/debian/patches/patchset-pf/nfs/0005-nfsd-Initialize-ssc-before-laundromat_work-to-preven.patch b/debian/patches/patchset-pf/nfs/0005-nfsd-Initialize-ssc-before-laundromat_work-to-preven.patch index 0b9447f..0a494d1 100644 --- a/debian/patches/patchset-pf/nfs/0005-nfsd-Initialize-ssc-before-laundromat_work-to-preven.patch +++ b/debian/patches/patchset-pf/nfs/0005-nfsd-Initialize-ssc-before-laundromat_work-to-preven.patch @@ -1,4 +1,4 @@ -From 8a7faf80fbb9ecdea403cb4f882354e8a5201acb Mon Sep 17 00:00:00 2001 +From c860b8340bf921de66aa7871f40507dd5628926f Mon Sep 17 00:00:00 2001 From: Li Lingfeng Date: Mon, 14 Apr 2025 22:38:52 +0800 Subject: nfsd: Initialize ssc before laundromat_work to prevent NULL diff --git a/debian/patches/patchset-pf/nfs/0006-NFSD-Implement-FATTR4_CLONE_BLKSIZE-attribute.patch b/debian/patches/patchset-pf/nfs/0006-NFSD-Implement-FATTR4_CLONE_BLKSIZE-attribute.patch index 4a8f0b2..17b3b56 100644 --- a/debian/patches/patchset-pf/nfs/0006-NFSD-Implement-FATTR4_CLONE_BLKSIZE-attribute.patch +++ b/debian/patches/patchset-pf/nfs/0006-NFSD-Implement-FATTR4_CLONE_BLKSIZE-attribute.patch @@ -1,4 +1,4 @@ -From 12e39177848d11c6ac5ad70ce530364fac7f36d3 Mon Sep 17 00:00:00 2001 +From 01089ae8fff5bcc6e9949d50d76b70f2a16abe89 Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Wed, 7 May 2025 10:45:15 -0400 Subject: NFSD: Implement FATTR4_CLONE_BLKSIZE attribute diff --git a/debian/patches/patchset-pf/nfs/0007-fs-nfs-read-fix-double-unlock-bug-in-nfs_return_empt.patch b/debian/patches/patchset-pf/nfs/0007-fs-nfs-read-fix-double-unlock-bug-in-nfs_return_empt.patch index f7f17d2..002eeb2 100644 --- a/debian/patches/patchset-pf/nfs/0007-fs-nfs-read-fix-double-unlock-bug-in-nfs_return_empt.patch +++ b/debian/patches/patchset-pf/nfs/0007-fs-nfs-read-fix-double-unlock-bug-in-nfs_return_empt.patch @@ -1,4 +1,4 @@ -From 2623f0468759aba585c7ae86adc1cf1cb11e1b63 Mon Sep 17 00:00:00 2001 +From e0246422dfc08dec0fc3c96f3201bab6ceec6774 Mon Sep 17 00:00:00 2001 From: Max Kellermann Date: Wed, 23 Apr 2025 15:22:50 +0200 Subject: fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio() diff --git a/debian/patches/patchset-pf/nfs/0008-NFSv4-Don-t-check-for-OPEN-feature-support-in-v4.1.patch b/debian/patches/patchset-pf/nfs/0008-NFSv4-Don-t-check-for-OPEN-feature-support-in-v4.1.patch index ec9ddff..bb70674 100644 --- a/debian/patches/patchset-pf/nfs/0008-NFSv4-Don-t-check-for-OPEN-feature-support-in-v4.1.patch +++ b/debian/patches/patchset-pf/nfs/0008-NFSv4-Don-t-check-for-OPEN-feature-support-in-v4.1.patch @@ -1,4 +1,4 @@ -From d87e5957afccde6cc0719ab0a554757dcafa85ce Mon Sep 17 00:00:00 2001 +From d9f4762296075cc67d9974d093a87064075853e1 Mon Sep 17 00:00:00 2001 From: Scott Mayhew Date: Wed, 30 Apr 2025 07:12:29 -0400 Subject: NFSv4: Don't check for OPEN feature support in v4.1 diff --git a/debian/patches/patchset-pf/nfs/0009-NFS-always-probe-for-LOCALIO-support-asynchronously.patch b/debian/patches/patchset-pf/nfs/0009-NFS-always-probe-for-LOCALIO-support-asynchronously.patch index aa21220..2c75969 100644 --- a/debian/patches/patchset-pf/nfs/0009-NFS-always-probe-for-LOCALIO-support-asynchronously.patch +++ b/debian/patches/patchset-pf/nfs/0009-NFS-always-probe-for-LOCALIO-support-asynchronously.patch @@ -1,4 +1,4 @@ -From 9e7464ef730cfe5bbab845ff12b295575d874216 Mon Sep 17 00:00:00 2001 +From 7147868788966e9032cdeb0cf33bd1ae47785088 Mon Sep 17 00:00:00 2001 From: Mike Snitzer Date: Tue, 13 May 2025 12:08:31 -0400 Subject: NFS: always probe for LOCALIO support asynchronously diff --git a/debian/patches/patchset-pf/smb/0009-ksmbd-fix-null-pointer-dereference-in-destroy_previo.patch b/debian/patches/patchset-pf/smb/0009-ksmbd-fix-null-pointer-dereference-in-destroy_previo.patch new file mode 100644 index 0000000..1a7b7f0 --- /dev/null +++ b/debian/patches/patchset-pf/smb/0009-ksmbd-fix-null-pointer-dereference-in-destroy_previo.patch @@ -0,0 +1,45 @@ +From 9d330e139e9993f2489fcfe3048c8e737085646d Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Fri, 13 Jun 2025 10:12:43 +0900 +Subject: ksmbd: fix null pointer dereference in destroy_previous_session + +If client set ->PreviousSessionId on kerberos session setup stage, +NULL pointer dereference error will happen. Since sess->user is not +set yet, It can pass the user argument as NULL to destroy_previous_session. +sess->user will be set in ksmbd_krb5_authenticate(). So this patch move +calling destroy_previous_session() after ksmbd_krb5_authenticate(). + +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-27391 +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +--- + fs/smb/server/smb2pdu.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -1607,17 +1607,18 @@ static int krb5_authenticate(struct ksmb + out_len = work->response_sz - + (le16_to_cpu(rsp->SecurityBufferOffset) + 4); + +- /* Check previous session */ +- prev_sess_id = le64_to_cpu(req->PreviousSessionId); +- if (prev_sess_id && prev_sess_id != sess->id) +- destroy_previous_session(conn, sess->user, prev_sess_id); +- + retval = ksmbd_krb5_authenticate(sess, in_blob, in_len, + out_blob, &out_len); + if (retval) { + ksmbd_debug(SMB, "krb5 authentication failed\n"); + return -EINVAL; + } ++ ++ /* Check previous session */ ++ prev_sess_id = le64_to_cpu(req->PreviousSessionId); ++ if (prev_sess_id && prev_sess_id != sess->id) ++ destroy_previous_session(conn, sess->user, prev_sess_id); ++ + rsp->SecurityBufferLength = cpu_to_le16(out_len); + + if ((conn->sign || server_conf.enforced_signing) || diff --git a/debian/patches/patchset-pf/xfs/0001-xfs-don-t-assume-perags-are-initialised-when-trimmin.patch b/debian/patches/patchset-pf/xfs/0001-xfs-don-t-assume-perags-are-initialised-when-trimmin.patch deleted file mode 100644 index 96e8f4f..0000000 --- a/debian/patches/patchset-pf/xfs/0001-xfs-don-t-assume-perags-are-initialised-when-trimmin.patch +++ /dev/null @@ -1,81 +0,0 @@ -From c63d4a0865e8e7549e1305cc67b88a355a4a9a02 Mon Sep 17 00:00:00 2001 -From: Dave Chinner -Date: Thu, 1 May 2025 09:27:24 +1000 -Subject: xfs: don't assume perags are initialised when trimming AGs - -When running fstrim immediately after mounting a V4 filesystem, -the fstrim fails to trim all the free space in the filesystem. It -only trims the first extent in the by-size free space tree in each -AG and then returns. If a second fstrim is then run, it runs -correctly and the entire free space in the filesystem is iterated -and discarded correctly. - -The problem lies in the setup of the trim cursor - it assumes that -pag->pagf_longest is valid without either reading the AGF first or -checking if xfs_perag_initialised_agf(pag) is true or not. - -As a result, when a filesystem is mounted without reading the AGF -(e.g. a clean mount on a v4 filesystem) and the first operation is a -fstrim call, pag->pagf_longest is zero and so the free extent search -starts at the wrong end of the by-size btree and exits after -discarding the first record in the tree. - -Fix this by deferring the initialisation of tcur->count to after -we have locked the AGF and guaranteed that the perag is properly -initialised. We trigger this on tcur->count == 0 after locking the -AGF, as this will only occur on the first call to -xfs_trim_gather_extents() for each AG. If we need to iterate, -tcur->count will be set to the length of the record we need to -restart at, so we can use this to ensure we only sample a valid -pag->pagf_longest value for the iteration. - -Signed-off-by: Dave Chinner -Reviewed-by: Bill O'Donnell -Reviewed-by: Darrick J. Wong -Fixes: 89cfa899608f ("xfs: reduce AGF hold times during fstrim operations") -Cc: # v6.6 -Signed-off-by: Carlos Maiolino ---- - fs/xfs/xfs_discard.c | 17 ++++++++++++++++- - 1 file changed, 16 insertions(+), 1 deletion(-) - ---- a/fs/xfs/xfs_discard.c -+++ b/fs/xfs/xfs_discard.c -@@ -167,6 +167,14 @@ xfs_discard_extents( - return error; - } - -+/* -+ * Care must be taken setting up the trim cursor as the perags may not have been -+ * initialised when the cursor is initialised. e.g. a clean mount which hasn't -+ * read in AGFs and the first operation run on the mounted fs is a trim. This -+ * can result in perag fields that aren't initialised until -+ * xfs_trim_gather_extents() calls xfs_alloc_read_agf() to lock down the AG for -+ * the free space search. -+ */ - struct xfs_trim_cur { - xfs_agblock_t start; - xfs_extlen_t count; -@@ -204,6 +212,14 @@ xfs_trim_gather_extents( - if (error) - goto out_trans_cancel; - -+ /* -+ * First time through tcur->count will not have been initialised as -+ * pag->pagf_longest is not guaranteed to be valid before we read -+ * the AGF buffer above. -+ */ -+ if (!tcur->count) -+ tcur->count = pag->pagf_longest; -+ - if (tcur->by_bno) { - /* sub-AG discard request always starts at tcur->start */ - cur = xfs_bnobt_init_cursor(mp, tp, agbp, pag); -@@ -350,7 +366,6 @@ xfs_trim_perag_extents( - { - struct xfs_trim_cur tcur = { - .start = start, -- .count = pag->pagf_longest, - .end = end, - .minlen = minlen, - }; diff --git a/debian/patches/patchset-zen/fixes/0002-x86-cpu-Help-users-notice-when-running-old-Intel-mic.patch b/debian/patches/patchset-zen/fixes/0002-x86-cpu-Help-users-notice-when-running-old-Intel-mic.patch index 4c08530..71e33f0 100644 --- a/debian/patches/patchset-zen/fixes/0002-x86-cpu-Help-users-notice-when-running-old-Intel-mic.patch +++ b/debian/patches/patchset-zen/fixes/0002-x86-cpu-Help-users-notice-when-running-old-Intel-mic.patch @@ -226,7 +226,7 @@ Link: https://lore.kernel.org/all/20250421195659.CF426C07%40davehans-spike.ostc. return cpu_show_common(dev, attr, buf, X86_BUG_ITS); --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c -@@ -1351,10 +1351,52 @@ static bool __init vulnerable_to_its(u64 +@@ -1352,10 +1352,52 @@ static bool __init vulnerable_to_its(u64 return false; } diff --git a/debian/patches/patchset-zen/fixes/0003-drm-i915-snps_hdmi_pll-Fix-64-bit-divisor-truncation.patch b/debian/patches/patchset-zen/fixes/0003-drm-i915-snps_hdmi_pll-Fix-64-bit-divisor-truncation.patch new file mode 100644 index 0000000..e0186da --- /dev/null +++ b/debian/patches/patchset-zen/fixes/0003-drm-i915-snps_hdmi_pll-Fix-64-bit-divisor-truncation.patch @@ -0,0 +1,40 @@ +From 96e19aa45a528ce5c722f1925d750f74efe22a8b Mon Sep 17 00:00:00 2001 +From: Ankit Nautiyal +Date: Fri, 13 Jun 2025 11:42:46 +0530 +Subject: drm/i915/snps_hdmi_pll: Fix 64-bit divisor truncation by using + div64_u64 + +DIV_ROUND_CLOSEST_ULL uses do_div(), which expects a 32-bit divisor. +When passing a 64-bit constant like CURVE2_MULTIPLIER, the value is +silently truncated to u32, potentially leading to incorrect results +on large divisors. + +Replace DIV_ROUND_CLOSEST_ULL with div64_u64(), which correctly +handles full 64-bit division. Since the result is clamped between +1 and 127, rounding is unnecessary and truncating division +is sufficient. + +Fixes: 5947642004bf ("drm/i915/display: Add support for SNPS PHY HDMI PLL algorithm for DG2") +Cc: Ankit Nautiyal +Cc: Suraj Kandpal +Cc: Jani Nikula +Cc: # v6.15+ +Signed-off-by: Ankit Nautiyal +Cherry-picked-for: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/issues/145 +--- + drivers/gpu/drm/i915/display/intel_snps_hdmi_pll.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/display/intel_snps_hdmi_pll.c ++++ b/drivers/gpu/drm/i915/display/intel_snps_hdmi_pll.c +@@ -103,8 +103,8 @@ static void get_ana_cp_int_prop(u64 vco_ + DIV_ROUND_DOWN_ULL(curve_1_interpolated, CURVE0_MULTIPLIER))); + + ana_cp_int_temp = +- DIV_ROUND_CLOSEST_ULL(DIV_ROUND_DOWN_ULL(adjusted_vco_clk1, curve_2_scaled1), +- CURVE2_MULTIPLIER); ++ div64_u64(DIV_ROUND_DOWN_ULL(adjusted_vco_clk1, curve_2_scaled1), ++ CURVE2_MULTIPLIER); + + *ana_cp_int = max(1, min(ana_cp_int_temp, 127)); + diff --git a/debian/patches/patchset-zen/sauce/0008-ZEN-mm-Stop-kswapd-early-when-nothing-s-waiting-for-.patch b/debian/patches/patchset-zen/sauce/0008-ZEN-mm-Stop-kswapd-early-when-nothing-s-waiting-for-.patch index b556673..0682194 100644 --- a/debian/patches/patchset-zen/sauce/0008-ZEN-mm-Stop-kswapd-early-when-nothing-s-waiting-for-.patch +++ b/debian/patches/patchset-zen/sauce/0008-ZEN-mm-Stop-kswapd-early-when-nothing-s-waiting-for-.patch @@ -62,7 +62,7 @@ Contains: /* prevent >1 _updater_ of zone percpu pageset ->high and ->batch fields */ static DEFINE_MUTEX(pcp_batch_high_lock); #define MIN_PERCPU_PAGELIST_HIGH_FRACTION (8) -@@ -4436,6 +4438,7 @@ __alloc_pages_slowpath(gfp_t gfp_mask, u +@@ -4432,6 +4434,7 @@ __alloc_pages_slowpath(gfp_t gfp_mask, u unsigned int cpuset_mems_cookie; unsigned int zonelist_iter_cookie; int reserve_flags; @@ -70,7 +70,7 @@ Contains: if (unlikely(nofail)) { /* -@@ -4495,8 +4498,13 @@ restart: +@@ -4491,8 +4494,13 @@ restart: goto nopage; } @@ -85,7 +85,7 @@ Contains: /* * The adjusted alloc_flags might result in immediate success, so try -@@ -4711,9 +4719,12 @@ nopage: +@@ -4707,9 +4715,12 @@ nopage: goto retry; } fail: diff --git a/debian/patches/series b/debian/patches/series index ea92a6e..9fce1a7 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -158,8 +158,7 @@ patchset-pf/smb/0005-cifs-deal-with-the-channel-loading-lag-while-picking.patch patchset-pf/smb/0006-cifs-serialize-other-channels-when-query-server-inte.patch patchset-pf/smb/0007-cifs-do-not-disable-interface-polling-on-failure.patch patchset-pf/smb/0008-smb-improve-directory-cache-reuse-for-readdir-operat.patch - -patchset-pf/xfs/0001-xfs-don-t-assume-perags-are-initialised-when-trimmin.patch +patchset-pf/smb/0009-ksmbd-fix-null-pointer-dereference-in-destroy_previo.patch patchset-xanmod/binder/0001-binder-turn-into-module.patch @@ -251,37 +250,41 @@ patchset-pf/fixes/0006-anon_inode-explicitly-block-setattr.patch patchset-pf/fixes/0007-anon_inode-raise-SB_I_NODEV-and-SB_I_NOEXEC.patch patchset-pf/fixes/0008-fs-add-S_ANON_INODE.patch patchset-pf/fixes/0009-configfs-Do-not-override-creating-attribute-file-fai.patch -patchset-pf/fixes/0010-Don-t-propagate-mounts-into-detached-trees.patch -patchset-pf/fixes/0011-mm-filemap-gate-dropbehind-invalidate-on-folio-dirty.patch -patchset-pf/fixes/0012-mm-filemap-use-filemap_end_dropbehind-for-read-inval.patch -patchset-pf/fixes/0013-Revert-Disable-FOP_DONTCACHE-for-now-due-to-bugs.patch -patchset-pf/fixes/0014-mm-filemap-unify-read-write-dropbehind-naming.patch -patchset-pf/fixes/0015-mm-filemap-unify-dropbehind-flag-testing-and-clearin.patch -patchset-pf/fixes/0016-mm-khugepaged-fix-race-with-folio-split-free-using-t.patch -patchset-pf/fixes/0017-mm-add-folio_expected_ref_count-for-reference-count-.patch -patchset-pf/fixes/0018-mm-fix-uprobe-pte-be-overwritten-when-expanding-vma.patch -patchset-pf/fixes/0019-mm-hugetlb-unshare-page-tables-during-VMA-split-not-.patch -patchset-pf/fixes/0020-mm-hugetlb-fix-huge_pmd_unshare-vs-GUP-fast-race.patch -patchset-pf/fixes/0021-mm-madvise-handle-madvise_lock-failure-during-race-u.patch -patchset-pf/fixes/0022-video-screen_info-Relocate-framebuffers-behind-PCI-b.patch -patchset-pf/fixes/0023-sysfb-Fix-screen_info-type-check-for-VGA.patch -patchset-pf/fixes/0024-x86-iopl-Cure-TIF_IO_BITMAP-inconsistencies.patch -patchset-pf/fixes/0025-watchdog-fix-watchdog-may-detect-false-positive-of-s.patch -patchset-pf/fixes/0026-sched-rt-Fix-race-in-push_rt_task.patch -patchset-pf/fixes/0027-sched-fair-Adhere-to-place_entity-constraints.patch -patchset-pf/fixes/0028-alloc_tag-handle-module-codetag-load-errors-as-modul.patch -patchset-pf/fixes/0029-svcrdma-Unregister-the-device-if-svc_rdma_accept-fai.patch -patchset-pf/fixes/0030-SUNRPC-Prevent-hang-on-NFS-mount-with-xprtsec-m-tls.patch -patchset-pf/fixes/0031-hv_netvsc-fix-potential-deadlock-in-netvsc_vf_setxdp.patch -patchset-pf/fixes/0032-net-clear-the-dst-when-changing-skb-protocol.patch -patchset-pf/fixes/0033-net_sched-sch_sfq-reject-invalid-perturb-period.patch -patchset-pf/fixes/0034-posix-cpu-timers-fix-race-between-handle_posix_cpu_t.patch -patchset-pf/fixes/0035-mm-vma-reset-VMA-iterator-on-commit_merge-OOM-failur.patch -patchset-pf/fixes/0036-mm-close-theoretical-race-where-stale-TLB-entries-co.patch -patchset-pf/fixes/0037-io_uring-kbuf-don-t-truncate-end-buffer-for-multiple.patch -patchset-pf/fixes/0038-nvme-always-punt-polled-uring_cmd-end_io-work-to-tas.patch -patchset-pf/fixes/0039-block-Clear-BIO_EMULATES_ZONE_APPEND-flag-on-BIO-com.patch -patchset-pf/fixes/0040-block-use-plug-request-list-tail-for-one-shot-backme.patch +patchset-pf/fixes/0010-Revert-Disable-FOP_DONTCACHE-for-now-due-to-bugs.patch +patchset-pf/fixes/0011-mm-filemap-unify-read-write-dropbehind-naming.patch +patchset-pf/fixes/0012-mm-filemap-unify-dropbehind-flag-testing-and-clearin.patch +patchset-pf/fixes/0013-mm-khugepaged-fix-race-with-folio-split-free-using-t.patch +patchset-pf/fixes/0014-mm-add-folio_expected_ref_count-for-reference-count-.patch +patchset-pf/fixes/0015-mm-fix-uprobe-pte-be-overwritten-when-expanding-vma.patch +patchset-pf/fixes/0016-mm-hugetlb-unshare-page-tables-during-VMA-split-not-.patch +patchset-pf/fixes/0017-mm-hugetlb-fix-huge_pmd_unshare-vs-GUP-fast-race.patch +patchset-pf/fixes/0018-mm-madvise-handle-madvise_lock-failure-during-race-u.patch +patchset-pf/fixes/0019-video-screen_info-Relocate-framebuffers-behind-PCI-b.patch +patchset-pf/fixes/0020-sysfb-Fix-screen_info-type-check-for-VGA.patch +patchset-pf/fixes/0021-watchdog-fix-watchdog-may-detect-false-positive-of-s.patch +patchset-pf/fixes/0022-sched-rt-Fix-race-in-push_rt_task.patch +patchset-pf/fixes/0023-sched-fair-Adhere-to-place_entity-constraints.patch +patchset-pf/fixes/0024-alloc_tag-handle-module-codetag-load-errors-as-modul.patch +patchset-pf/fixes/0025-svcrdma-Unregister-the-device-if-svc_rdma_accept-fai.patch +patchset-pf/fixes/0026-SUNRPC-Prevent-hang-on-NFS-mount-with-xprtsec-m-tls.patch +patchset-pf/fixes/0027-hv_netvsc-fix-potential-deadlock-in-netvsc_vf_setxdp.patch +patchset-pf/fixes/0028-net-clear-the-dst-when-changing-skb-protocol.patch +patchset-pf/fixes/0029-net_sched-sch_sfq-reject-invalid-perturb-period.patch +patchset-pf/fixes/0030-mm-vma-reset-VMA-iterator-on-commit_merge-OOM-failur.patch +patchset-pf/fixes/0031-mm-close-theoretical-race-where-stale-TLB-entries-co.patch +patchset-pf/fixes/0032-io_uring-kbuf-don-t-truncate-end-buffer-for-multiple.patch +patchset-pf/fixes/0033-nvme-always-punt-polled-uring_cmd-end_io-work-to-tas.patch +patchset-pf/fixes/0034-block-Clear-BIO_EMULATES_ZONE_APPEND-flag-on-BIO-com.patch +patchset-pf/fixes/0035-block-use-plug-request-list-tail-for-one-shot-backme.patch +patchset-pf/fixes/0036-Revert-mm-execmem-Unify-early-execmem_cache-behaviou.patch +patchset-pf/fixes/0037-x86-virt-tdx-Avoid-indirect-calls-to-TDX-assembly-fu.patch +patchset-pf/fixes/0038-x86-mm-pat-don-t-collapse-pages-without-PSE-set.patch +patchset-pf/fixes/0039-x86-Kconfig-only-enable-ROX-cache-in-execmem-when-ST.patch +patchset-pf/fixes/0040-x86-its-move-its_pages-array-to-struct-mod_arch_spec.patch +patchset-pf/fixes/0041-x86-its-explicitly-manage-permissions-for-ITS-pages.patch +patchset-pf/fixes/0042-KVM-SVM-Clear-current_vmcb-during-vCPU-free-for-all-.patch +patchset-pf/fixes/0043-KVM-VMX-Flush-shadow-VMCS-on-emergency-reboot.patch patchset-zen/fixes/0001-drivers-firmware-skip-simpledrm-if-nvidia-drm.modese.patch patchset-zen/fixes/0002-x86-cpu-Help-users-notice-when-running-old-Intel-mic.patch +patchset-zen/fixes/0003-drm-i915-snps_hdmi_pll-Fix-64-bit-divisor-truncation.patch