June 2024 - Linux-stable-mirror

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.35 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/parisc/include/asm/cacheflush.h | 15 arch/parisc/include/asm/pgtable.h | 27 arch/parisc/kernel/cache.c | 413 ++++++---- arch/powerpc/include/asm/uaccess.h | 16 arch/riscv/kvm/aia_device.c | 7 arch/riscv/kvm/vcpu_onereg.c | 4 arch/riscv/mm/init.c | 21 arch/riscv/mm/pageattr.c | 28 arch/x86/boot/compressed/Makefile | 4 arch/x86/boot/main.c | 4 arch/x86/include/asm/alternative.h | 22 arch/x86/include/asm/atomic64_32.h | 2 arch/x86/include/asm/cpufeature.h | 2 arch/x86/include/asm/irq_stack.h | 2 arch/x86/include/asm/uaccess.h | 6 arch/x86/kernel/amd_nb.c | 9 arch/x86/kernel/machine_kexec_64.c | 11 arch/x86/kvm/svm/sev.c | 38 arch/x86/kvm/svm/svm.c | 25 arch/x86/kvm/svm/svm.h | 4 arch/x86/lib/getuser.S | 6 block/blk-flush.c | 3 block/sed-opal.c | 2 drivers/acpi/x86/utils.c | 24 drivers/base/core.c | 3 drivers/block/null_blk/zoned.c | 2 drivers/clk/clkdev.c | 2 drivers/clk/sifive/sifive-prci.c | 8 drivers/cxl/core/region.c | 18 drivers/dma-buf/st-dma-fence.c | 6 drivers/dma/dma-axi-dmac.c | 2 drivers/firmware/qcom_scm.c | 18 drivers/gpio/Kconfig | 2 drivers/gpio/gpio-tqmx86.c | 110 +- drivers/gpu/drm/arm/display/komeda/komeda_pipeline_state.c | 2 drivers/gpu/drm/bridge/panel.c | 7 drivers/gpu/drm/drm_gem_shmem_helper.c | 3 drivers/gpu/drm/exynos/exynos_drm_vidi.c | 7 drivers/gpu/drm/exynos/exynos_hdmi.c | 7 drivers/gpu/drm/i915/display/intel_audio.c | 32 drivers/gpu/drm/i915/display/intel_audio.h | 1 drivers/gpu/drm/i915/display/intel_display_driver.c | 2 drivers/gpu/drm/i915/gem/i915_gem_object.h | 4 drivers/gpu/drm/i915/gt/intel_breadcrumbs.c | 15 drivers/gpu/drm/panel/panel-sitronix-st7789v.c | 4 drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 7 drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 3 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 276 ++---- drivers/gpu/drm/vmwgfx/vmwgfx_kms.h | 6 drivers/gpu/drm/vmwgfx/vmwgfx_ldu.c | 5 drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c | 5 drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 47 + drivers/greybus/interface.c | 1 drivers/hid/hid-core.c | 1 drivers/hid/hid-logitech-dj.c | 4 drivers/hid/hid-nvidia-shield.c | 4 drivers/hwtracing/intel_th/pci.c | 25 drivers/i2c/busses/i2c-at91-slave.c | 3 drivers/i2c/busses/i2c-designware-slave.c | 2 drivers/iio/adc/ad9467.c | 4 drivers/iio/adc/adi-axi-adc.c | 5 drivers/iio/common/inv_sensors/inv_sensors_timestamp.c | 15 drivers/iio/dac/ad5592r-base.c | 2 drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c | 4 drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c | 4 drivers/iommu/amd/init.c | 9 drivers/irqchip/irq-gic-v3-its.c | 44 - drivers/irqchip/irq-riscv-intc.c | 89 +- drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gp.c | 9 drivers/misc/mei/pci-me.c | 4 drivers/misc/vmw_vmci/vmci_event.c | 6 drivers/net/dsa/qca/qca8k-leds.c | 12 drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c | 2 drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c | 11 drivers/net/ethernet/google/gve/gve_rx_dqo.c | 8 drivers/net/ethernet/google/gve/gve_tx_dqo.c | 20 drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 4 drivers/net/ethernet/hisilicon/hns3/hns3_enet.h | 2 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 21 drivers/net/ethernet/intel/ice/ice.h | 43 - drivers/net/ethernet/intel/ice/ice_lib.c | 13 drivers/net/ethernet/intel/ice/ice_main.c | 22 drivers/net/ethernet/intel/ice/ice_nvm.c | 28 drivers/net/ethernet/intel/ice/ice_xsk.c | 13 drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c | 33 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 drivers/net/ethernet/mellanox/mlx5/core/fw.c | 4 drivers/net/ethernet/mellanox/mlx5/core/health.c | 8 drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c | 8 drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c | 4 drivers/net/ethernet/mellanox/mlx5/core/main.c | 3 drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c | 4 drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 25 drivers/net/geneve.c | 10 drivers/net/phy/micrel.c | 104 ++ drivers/net/phy/sfp.c | 3 drivers/net/vmxnet3/vmxnet3_drv.c | 2 drivers/net/vxlan/vxlan_core.c | 4 drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 2 drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 10 drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c | 2 drivers/net/wireless/intel/iwlwifi/mvm/rs.h | 9 drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 5 drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 4 drivers/net/wwan/iosm/iosm_ipc_devlink.c | 2 drivers/nvme/host/pr.c | 2 drivers/nvme/target/passthru.c | 6 drivers/pci/controller/pcie-rockchip-ep.c | 6 drivers/platform/x86/dell/dell-smbios-base.c | 92 -- drivers/pmdomain/ti/ti_sci_pm_domains.c | 20 drivers/ptp/ptp_chardev.c | 3 drivers/remoteproc/ti_k3_r5_remoteproc.c | 58 + drivers/scsi/mpi3mr/mpi3mr_app.c | 62 + drivers/scsi/mpt3sas/mpt3sas_base.c | 19 drivers/scsi/mpt3sas/mpt3sas_base.h | 3 drivers/scsi/mpt3sas/mpt3sas_ctl.c | 4 drivers/scsi/mpt3sas/mpt3sas_scsih.c | 23 drivers/scsi/scsi.c | 7 drivers/scsi/scsi_transport_sas.c | 23 drivers/scsi/sd.c | 17 drivers/spmi/hisi-spmi-controller.c | 1 drivers/thunderbolt/debugfs.c | 5 drivers/tty/n_tty.c | 22 drivers/tty/serial/8250/8250_dw.c | 125 +-- drivers/tty/serial/8250/8250_dwlib.c | 3 drivers/tty/serial/8250/8250_dwlib.h | 3 drivers/tty/serial/8250/8250_pxa.c | 1 drivers/tty/serial/serial_port.c | 152 +++ drivers/ufs/core/ufs-mcq.c | 17 drivers/ufs/core/ufshcd.c | 6 drivers/usb/Makefile | 1 drivers/usb/class/cdc-wdm.c | 4 drivers/usb/host/xhci-pci.c | 7 drivers/usb/host/xhci-ring.c | 59 + drivers/usb/host/xhci.h | 1 drivers/usb/storage/alauda.c | 9 drivers/usb/typec/tcpm/tcpm.c | 5 fs/btrfs/zoned.c | 330 ++++--- fs/cachefiles/daemon.c | 4 fs/cachefiles/interface.c | 7 fs/cachefiles/internal.h | 52 + fs/cachefiles/ondemand.c | 320 +++++-- fs/jfs/xattr.c | 4 fs/nfs/dir.c | 47 - fs/nfs/nfs4proc.c | 23 fs/nfsd/nfsfh.c | 4 fs/nilfs2/dir.c | 59 - fs/nilfs2/segment.c | 3 fs/ocfs2/file.c | 2 fs/ocfs2/namei.c | 2 fs/proc/vmcore.c | 2 fs/smb/server/oplock.c | 30 fs/smb/server/smb2pdu.c | 26 fs/smb/server/smb_common.c | 4 fs/smb/server/vfs.c | 17 fs/smb/server/vfs.h | 3 fs/smb/server/vfs_cache.c | 31 fs/smb/server/vfs_cache.h | 2 fs/tracefs/event_inode.c | 51 - fs/xfs/libxfs/xfs_ag.c | 11 fs/xfs/libxfs/xfs_sb.c | 40 fs/xfs/libxfs/xfs_sb.h | 5 fs/xfs/scrub/btree.c | 7 fs/xfs/scrub/common.c | 4 fs/xfs/scrub/stats.c | 4 fs/xfs/xfs_aops.c | 7 fs/xfs/xfs_icache.c | 8 fs/xfs/xfs_inode.c | 15 fs/xfs/xfs_iomap.c | 4 fs/xfs/xfs_log_recover.c | 23 fs/xfs/xfs_trans.h | 9 include/linux/bpf.h | 2 include/linux/iommu.h | 2 include/linux/property.h | 26 include/linux/pse-pd/pse.h | 4 include/linux/serial_core.h | 3 include/linux/soc/andes/irq.h | 18 include/net/bluetooth/hci_core.h | 36 include/net/ip_tunnels.h | 5 include/scsi/scsi_transport_sas.h | 2 include/trace/events/cachefiles.h | 8 io_uring/io-wq.c | 57 - io_uring/kbuf.c | 3 io_uring/rsrc.c | 1 kernel/bpf/core.c | 4 kernel/bpf/map_in_map.c | 14 kernel/bpf/syscall.c | 19 kernel/bpf/verifier.c | 4 kernel/dma/swiotlb.c | 83 +- kernel/events/core.c | 13 kernel/fork.c | 18 kernel/gen_kheaders.sh | 2 kernel/pid_namespace.c | 1 kernel/time/tick-common.c | 42 - kernel/trace/bpf_trace.c | 22 mm/memory-failure.c | 23 net/ax25/af_ax25.c | 6 net/ax25/ax25_dev.c | 2 net/bluetooth/l2cap_core.c | 12 net/bpf/test_run.c | 6 net/bridge/br_mst.c | 13 net/core/sock_map.c | 16 net/ethtool/ioctl.c | 2 net/ipv4/tcp.c | 9 net/ipv6/ioam6_iptunnel.c | 8 net/ipv6/ip6_fib.c | 6 net/ipv6/route.c | 5 net/ipv6/seg6_iptunnel.c | 14 net/ipv6/tcp_ipv6.c | 3 net/mac80211/he.c | 10 net/mac80211/mesh_pathtbl.c | 13 net/mac80211/sta_info.c | 4 net/mptcp/pm_netlink.c | 21 net/mptcp/protocol.c | 10 net/ncsi/internal.h | 2 net/ncsi/ncsi-manage.c | 93 -- net/ncsi/ncsi-rsp.c | 4 net/netfilter/ipset/ip_set_core.c | 81 + net/netfilter/ipset/ip_set_list_set.c | 30 net/netfilter/nft_meta.c | 3 net/netfilter/nft_payload.c | 4 net/sched/sch_multiq.c | 2 net/sched/sch_taprio.c | 15 net/smc/af_smc.c | 22 net/sunrpc/auth_gss/auth_gss.c | 4 net/unix/af_unix.c | 108 +- net/unix/diag.c | 12 net/wireless/core.c | 2 net/wireless/pmsr.c | 8 net/wireless/sysfs.c | 4 net/wireless/util.c | 7 scripts/mod/modpost.c | 5 security/integrity/ima/ima_api.c | 16 security/integrity/ima/ima_template_lib.c | 17 security/landlock/fs.c | 13 tools/perf/util/auxtrace.c | 4 tools/testing/cxl/test/mem.c | 1 tools/testing/selftests/ftrace/test.d/dynevent/test_duplicates.tc | 2 tools/testing/selftests/ftrace/test.d/filter/event-filter-function.tc | 20 tools/testing/selftests/ftrace/test.d/kprobe/kprobe_eventname.tc | 3 tools/testing/selftests/mm/compaction_test.c | 106 +- tools/testing/selftests/net/Makefile | 2 tools/testing/selftests/net/forwarding/lib.sh | 52 - tools/testing/selftests/net/lib.sh | 97 ++ tools/testing/selftests/net/mptcp/mptcp_join.sh | 5 tools/tracing/rtla/src/timerlat_aa.c | 109 +- tools/tracing/rtla/src/timerlat_top.c | 17 249 files changed, 3424 insertions(+), 1932 deletions(-) Aapo Vienamo (1): thunderbolt: debugfs: Fix margin debugfs node creation condition Adam Miotk (1): drm/bridge/panel: Fix runtime warning on panel bridge release Adrian Hunter (1): perf auxtrace: Fix multiple use of --itrace option Alan Stern (1): USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages Aleksandr Mishin (4): net/mlx5: Fix tainted pointer delete is case of flow rules creation fail net: wwan: iosm: Fix tainted pointer delete is case of region creation fail liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send() Alexander Shishkin (5): intel_th: pci: Add Granite Rapids support intel_th: pci: Add Granite Rapids SOC support intel_th: pci: Add Sapphire Rapids SOC support intel_th: pci: Add Meteor Lake-S support intel_th: pci: Add Lunar Lake support Amit Sunil Dhamne (1): usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps Amjad Ouled-Ameur (1): drm/komeda: check for error-valued pointer Andrey Albershteyn (1): xfs: allow cross-linking special files without project quota Andrii Nakryiko (1): bpf: fix multi-uprobe PID filtering logic Andy Shevchenko (7): net dsa: qca8k: fix usages of device_get_named_child_node() device property: Implement device_is_big_endian() serial: core: Add UPIO_UNKNOWN constant for unknown port type serial: port: Introduce a common helper to read properties serial: 8250_dw: Switch to use uart_read_port_properties() serial: 8250_dw: Replace ACPI device check by a quirk serial: 8250_dw: Don't use struct dw8250_data outside of 8250_dw Apurva Nandan (1): remoteproc: k3-r5: Wait for core0 power-up before powering up core1 Armin Wolf (1): platform/x86: dell-smbios: Fix wrong token data in sysfs Baokun Li (9): cachefiles: add output string to cachefiles_obj_[get|put]_ondemand_fd cachefiles: remove requests from xarray during flushing requests cachefiles: add spin_lock for cachefiles_ondemand_info cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd() cachefiles: fix slab-use-after-free in cachefiles_ondemand_daemon_read() cachefiles: remove err_put_fd label in cachefiles_ondemand_daemon_read() cachefiles: never get a new anonymous fd if ondemand_id is valid cachefiles: defer exposing anon_fd until after copy_to_user() succeeds cachefiles: flush all requests after setting CACHEFILES_DEAD Beleswar Padhi (2): remoteproc: k3-r5: Do not allow core1 to power up before core0 via sysfs remoteproc: k3-r5: Jump to error handling labels in start/stop errors Benjamin Poirier (1): selftests: forwarding: Avoid failures to source net/lib.sh Benjamin Segall (1): x86/boot: Don't add the EFI stub to targets, again Breno Leitao (2): scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory io_uring/io-wq: Use set_bit() and test_bit() at worker->flags Chanwoo Lee (1): scsi: ufs: mcq: Fix error output and clean up ufshcd_mcq_abort() Chen Hanxiao (1): SUNRPC: return proper error from gss_wrap_req_priv Chen Ni (2): HID: nvidia-shield: Add missing check for input_ff_create_memless drm/panel: sitronix-st7789v: Add check for of_drm_get_panel_orientation Chengming Zhou (1): block: fix request.queuelist usage in flush Chris Wilson (1): drm/i915/gt: Disarm breadcrumbs if engines are already idle Christoph Hellwig (4): btrfs: zoned: introduce a zone_info struct in btrfs_load_block_group_zone_info btrfs: zoned: factor out per-zone logic from btrfs_load_block_group_zone_info btrfs: zoned: factor out single bg handling from btrfs_load_block_group_zone_info btrfs: zoned: factor out DUP bg handling from btrfs_load_block_group_zone_info Cong Wang (1): bpf: Fix a potential use-after-free in bpf_link_free() Csókás, Bence (1): net: sfp: Always call `sfp_sm_mod_remove()` on remove Damien Le Moal (3): scsi: core: Disable CDL by default scsi: mpi3mr: Fix ATA NCQ priority support null_blk: Print correct max open zones limit in null_init_zoned_dev() Daniel Borkmann (1): vxlan: Fix regression when dropping packets due to invalid src addresses Daniel Bristot de Oliveira (2): rtla/timerlat: Simplify "no value" printing on top rtla/auto-analysis: Replace \t with spaces Daniel Wagner (1): nvmet-passthru: propagate status from id override functions Darrick J. Wong (2): xfs: fix imprecise logic in xchk_btree_check_block_owner xfs: fix scrub stats file permissions Dave Chinner (4): xfs: fix SEEK_HOLE/DATA for regions with active COW extents xfs: shrink failure needs to hold AGI buffer xfs: allow sunit mount option to repair bad primary sb stripe values xfs: don't use current->journal_info Dave Jiang (1): cxl/test: Add missing vmalloc.h for tools/testing/cxl/test/mem.c David Howells (1): cachefiles, erofs: Fix NULL deref in when cachefiles is not doing ondemand-mode David Kaplan (1): x86/kexec: Fix bug with call depth tracking David Lechner (1): iio: adc: ad9467: fix scan type sign Davide Ornaghi (1): netfilter: nft_inner: validate mandatory meta and payload DelphineCCChiu (1): net/ncsi: Fix the multi thread manner of NCSI driver Dev Jain (1): selftests/mm: compaction_test: fix bogus test success on Aarch64 Dirk Behme (1): drivers: core: synchronize really_probe() and dev_uevent() Doug Brown (1): serial: 8250_pxa: Configure tx_loadsz to match FIFO IRQ level Douglas Anderson (1): serial: port: Don't block system suspend even if bytes are left to xmit Duoming Zhou (1): ax25: Replace kfree() in ax25_dev_free() with ax25_dev_put() Emmanuel Grumbach (1): wifi: iwlwifi: mvm: don't read past the mfuart notifcation Eric Dumazet (5): ipv6: ioam: block BH from ioam6_output() ipv6: sr: block BH in seg6_output_core() and seg6_input_core() net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP ipv6: fix possible race in __fib6_drop_pcpu_from() tcp: fix race in tcp_v6_syn_recv_sock() Fedor Pchelkin (1): dma-buf: handle testing kthreads creation failure Filipe Manana (1): btrfs: zoned: fix use-after-free due to race with dev replace Gabor Juhos (1): firmware: qcom_scm: disable clocks if qcom_scm_bw_enable() fails Gal Pressman (2): geneve: Fix incorrect inner network header offset when innerprotoinherit is set net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN) packets Greg Kroah-Hartman (2): jfs: xattr: fix buffer overflow for invalid xattr Linux 6.6.35 Gregor Herburger (1): gpio: tqmx86: fix typo in Kconfig label Hagar Gamal Halim Hemdan (1): vmci: prevent speculation leaks by sanitizing event in event_deliver() Hagar Hemdan (1): irqchip/gic-v3-its: Fix potential race condition in its_vlpi_prop_update() Haifeng Xu (1): perf/core: Fix missing wakeup when waiting for context reference Hangbin Liu (4): selftests/net: add lib.sh selftests/net: add variable NS_LIST for lib.sh selftests/net/lib: update busywait timeout value selftests/net/lib: no need to record ns name if it already exist Hangyu Hua (1): net: sched: sch_multiq: fix possible OOB write in multiq_tune() Hector Martin (1): xhci: Handle TD clearing for multiple streams case Hou Tao (1): bpf: Optimize the free of inner map Ian Forbes (4): drm/vmwgfx: Filter modes which exceed graphics memory drm/vmwgfx: 3D disabled should not effect STDU memory limits drm/vmwgfx: Remove STDU logic from generic mode_valid function drm/vmwgfx: Don't memcmp equivalent pointers Ilpo Järvinen (1): tty: n_tty: Fix buffer offsets when lookahead is used Imre Deak (1): drm/i915: Fix audio component initialization Jacob Keller (1): ice: fix iteration of TLVs in Preserved Fields Area Jakub Kicinski (1): net: tls: fix marking packets as decrypted Jani Nikula (1): drm/exynos/vidi: fix memory leak in .get_modes() Jason Xing (2): tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB mptcp: count CLOSE-WAIT sockets for MPTCP_MIB_CURRESTAB Jean Delvare (2): i2c: at91: Fix the functionality flags of the slave-only interface i2c: designware: Fix the functionality flags of the slave-only interface Jean-Baptiste Maneyrol (3): iio: invensense: fix odr switching to same value iio: imu: inv_icm42600: delete unneeded update watermark call iio: invensense: fix interrupt timestamp alignment Jens Axboe (1): io_uring: check for non-NULL file pointer in io_file_can_poll() Jia Zhu (4): cachefiles: introduce object ondemand state cachefiles: extract ondemand info field from cachefiles_object cachefiles: resend an open request if the read request's object is closed cachefiles: add restore command to recover inflight ondemand read requests Jie Wang (1): net: hns3: add cond_resched() to hns3 ring buffer init process Jiri Olsa (2): bpf: Store ref_ctr_offsets values in bpf_uprobe array bpf: Set run context for rawtp test_run callback Johannes Berg (2): wifi: cfg80211: fully move wiphy work to unbound workqueue wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64 John David Anglin (1): parisc: Try to fix random segmentation faults in package builds John Ernberg (1): USB: xen-hcd: Traverse host/ when CONFIG_USB_XEN_HCD is selected Joshua Washington (1): gve: ignore nonrelevant GSO type bits when processing TSO headers José Expósito (1): HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode() Jozsef Kadlecsik (1): netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type Karol Kolacinski (1): ptp: Fix error message on failed pin verification Kees Cook (1): x86/uaccess: Fix missed zeroing of ia32 u64 get_user() range checking Kory Maincent (1): net: pse-pd: Use EOPNOTSUPP error code instead of ENOTSUPP Kuangyi Chiang (2): xhci: Apply reset resume quirk to Etron EJ188 xHCI host xhci: Apply broken streams quirk to Etron EJ188 xHCI host Kun(llfl) (1): iommu/amd: Fix sysfs leak in iommu init Kuniyuki Iwashima (15): af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted peer. af_unix: Annodate data-races around sk->sk_state for writers. af_unix: Annotate data-race of sk->sk_state in unix_inq_len(). af_unix: Annotate data-races around sk->sk_state in unix_write_space() and poll(). af_unix: Annotate data-race of sk->sk_state in unix_stream_connect(). af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg(). af_unix: Annotate data-race of sk->sk_state in unix_stream_read_skb(). af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG. af_unix: Annotate data-races around sk->sk_sndbuf. af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen. af_unix: Use unix_recvq_full_lockless() in unix_stream_connect(). af_unix: Use skb_queue_empty_lockless() in unix_release_sock(). af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen(). af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill(). af_unix: Annotate data-race of sk->sk_state in unix_accept(). Kyle Tso (1): usb: typec: tcpm: Ignore received Hard Reset in TOGGLING state Lars Kellogg-Stedman (1): ax25: Fix refcount imbalance on inbound connections Larysa Zaremba (2): ice: remove af_xdp_zc_qps bitmap ice: add flag to distinguish reset from .ndo_bpf in XDP rings config Li Zhijian (1): cxl/region: Fix memregion leaks in devm_cxl_add_region() Lin Ma (1): wifi: cfg80211: pmsr: use correct nla_get_uX functions Lingbo Kong (1): wifi: mac80211: correctly parse Spatial Reuse Parameter Set element Long Li (1): xfs: ensure submit buffers on LSN boundaries in error handlers Lu Baolu (1): iommu: Return right value in iommu_sva_bind_device() Luiz Augusto von Dentz (1): Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ Marc Ferland (1): iio: dac: ad5592r: fix temperature channel scaling value Marek Szyprowski (1): drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found Mario Limonciello (1): ACPI: x86: Force StorageD3Enable on more products Mark Brown (1): selftests/mm: log a consistent test name for check_compaction Martin K. Petersen (1): scsi: sd: Use READ(16) when reading block zero on large capacity disks Martin Krastev (1): drm/vmwgfx: Refactor drm connector probing for display modes Masahiro Yamada (1): modpost: do not warn about missing MODULE_DESCRIPTION() for vmlinux.o Masami Hiramatsu (Google) (2): selftests/ftrace: Fix to check required event file selftests/tracing: Fix event filter test to retry up to 10 times Mathias Nyman (1): xhci: Set correct transferred length for cancelled bulk transfers Matthew Wilcox (Oracle) (2): memory-failure: use a folio in me_huge_page() nilfs2: return the mapped address from nilfs_get_page() Matthias Maennich (1): kheaders: explicitly define file modes for archived headers Matthias Schiffer (3): gpio: tqmx86: introduce shadow register for GPIO output value gpio: tqmx86: store IRQ trigger type and unmask status separately gpio: tqmx86: fix broken IRQ_TYPE_EDGE_BOTH interrupt type Matthias Stocker (1): vmxnet3: disable rx data ring on dma allocation failure Matthieu Baerts (NGI0) (2): selftests: net: lib: support errexit with busywait selftests: net: lib: avoid error removing empty netns name Miaohe Lin (2): mm/memory-failure: fix handling of dissolved but not taken off from buddy pages mm/huge_memory: don't unpoison huge_zero_folio Michael Ellerman (1): powerpc/uaccess: Fix build errors seen with GCC 13/14 Michael J. Ruhl (1): clkdev: Update clkdev id usage to allow for longer names Michael Roth (1): KVM: SEV: Do not intercept accesses to MSR_IA32_XSS for SEV-ES guests Mickaël Salaün (1): landlock: Fix d_parent walk Miri Korenblit (2): wifi: iwlwifi: mvm: don't initialize csa_work twice wifi: iwlwifi: mvm: check n_ssids before accessing the ssids Mordechay Goodstein (1): wifi: iwlwifi: mvm: set properly mac header Moshe Shemesh (1): net/mlx5: Stop waiting for PCI if pci channel is offline Muhammad Usama Anjum (1): selftests/mm: conform test to TAP format output Nam Cao (2): riscv: fix overlap of allocated page and PTR_ERR riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context Namjae Jeon (3): ksmbd: use rwsem instead of rwlock for lease break ksmbd: move leading slash check to smb2_get_name() ksmbd: fix missing use of get_write in in smb2_set_ea() NeilBrown (1): NFS: add barriers when testing for NFS_FSDATA_BLOCKED Nicolas Escande (1): wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects Nikita Zhandarovich (1): HID: core: remove unnecessary WARN_ON() in implement() Nikolay Aleksandrov (2): net: bridge: mst: pass vlan group directly to br_mst_vlan_set_state net: bridge: mst: fix suspicious rcu usage in br_mst_set_state Nuno Sa (2): dmaengine: axi-dmac: fix possible race in remove() iio: adc: axi-adc: make sure AXI clock is enabled Oleg Nesterov (2): tick/nohz_full: Don't abuse smp_call_function_single() in tick_setup_device() zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING Olga Kornievskaia (1): NFSv4.1 enforce rootpath check in fs_location query Paolo Abeni (1): mptcp: ensure snd_una is properly initialized on connect Pauli Virtanen (1): Bluetooth: fix connection setup in l2cap_connect Pavel Begunkov (1): io_uring/rsrc: don't lock while !TASK_RUNNING Peter Delevoryas (1): net/ncsi: Simplify Kconfig/dts control flow Petr Pavlu (1): net/ipv6: Fix the RT cache flush via sysctl using a previous delay Petr Tesarik (1): swiotlb: extend buffer pre-padding to alloc_align_mask if necessary Quan Zhou (1): RISC-V: KVM: Fix incorrect reg_subtype labels in kvm_riscv_vcpu_set_reg_isa_ext function Rao Shoaib (1): af_unix: Read with MSG_PEEK loops if the first unread byte is OOB Ravi Bangoria (2): KVM: SEV-ES: Disallow SEV-ES guests when X86_FEATURE_LBRV is absent KVM: SEV-ES: Delegate LBR virtualization to the processor Remi Pommarel (2): wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup() wifi: cfg80211: Lock wiphy in cfg80211_get_station Rick Wertenbroek (1): PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id Rik van Riel (1): fs/proc: fix softlockup in __read_vmcore Ryusuke Konishi (2): nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors nilfs2: fix potential kernel bug due to lack of writeback flag waiting Sagar Cheluvegowda (1): net: stmmac: dwmac-qcom-ethqos: Configure host DMA width Sam James (1): Revert "fork: defer linking file vma until vma is fully initialized" Samuel Holland (1): clk: sifive: Do not register clkdevs for PRCI clocks Shahar S Matityahu (1): wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef Shay Drory (1): net/mlx5: Always stop health timer during driver removal Shichao Lai (1): usb-storage: alauda: Check whether the media is initialized Sicong Huang (1): greybus: Fix use-after-free bug in gb_interface_release due to race condition. Stefan Berger (1): ima: Fix use-after-free on a dentry's dname.name Steven Rostedt (Google) (2): eventfs: Update all the eventfs_inodes from the events descriptor tracing/selftests: Fix kprobe event name test for .isra. functions Su Hui (3): net: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool() io_uring/io-wq: avoid garbage value of 'match' in io_wq_enqueue() block: sed-opal: avoid possible wrong address reference in read_sed_opal_key() Su Yue (2): ocfs2: use coarse time for new created files ocfs2: fix races between hole punching and AIO+DIO Subbaraya Sundeep (1): octeontx2-af: Always allocate PF entries from low prioriy zone Sunil V L (1): irqchip/riscv-intc: Prevent memory leak when riscv_intc_init_common() fails Taehee Yoo (1): ionic: fix use after netif_napi_del() Thadeu Lima de Souza Cascardo (1): sock_map: avoid race between sock_map_close and sk_psock_put Tomas Winkler (1): mei: me: release irq in mei_me_pci_resume error path Tomi Valkeinen (1): pmdomain: ti-sci: Fix duplicate PD referrals Tristram Ha (2): net: phy: micrel: fix KSZ9477 PHY issues after suspend/resume net: phy: Micrel KSZ8061: fix errata solution not taking effect problem Trond Myklebust (1): knfsd: LOOKUP can return an illegal error value Uros Bizjak (1): x86/asm: Use %c/%n instead of %P operand modifier in asm templates Vamshi Gajjela (1): spmi: hisi-spmi-controller: Do not override device identifier Vidya Srinivas (1): drm/i915/dpt: Make DPT object unshrinkable Wachowski, Karol (1): drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE) Weiwen Hu (1): nvme: fix nvme_pr_* status code parsing Wen Gu (1): net/smc: avoid overwriting when adjusting sock bufsizes Will Deacon (2): swiotlb: Enforce page alignment in swiotlb_alloc() swiotlb: Reinstate page-alignment for mappings >= PAGE_SIZE Xiaolei Wang (1): net: stmmac: replace priv->speed with the portTransmitRate from the tc-cbs parameters Yazen Ghannam (1): x86/amd_nb: Check for invalid SMN reads Yong-Xuan Wang (1): RISC-V: KVM: No need to use mask when hart-index-bit is 0 Yonglong Liu (1): net: hns3: fix kernel crash problem in concurrent scenario YonglongLi (2): mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID mptcp: pm: update add_addr counters after connect Yongzhi Liu (2): misc: microchip: pci1xxxx: fix double free in the error handling of gp_aux_bus_probe() misc: microchip: pci1xxxx: Fix a memory leak in the error handling of gp_aux_bus_probe() Yu Chien Peter Lin (2): irqchip/riscv-intc: Allow large non-standard interrupt number irqchip/riscv-intc: Introduce Andes hart-level interrupt controller Ziqi Chen (1): scsi: ufs: core: Quiesce request queues before checking pending cmds Ziwei Xiao (1): gve: Clear napi->skb before dev_kfree_skb_any()

4 months, 1 week

1
1
0 0

[PATCH 0/3] MIPS misc patches

by Jiaxun Yang

Signed-off-by: Jiaxun Yang <jiaxun.yang(a)flygoat.com> --- Jiaxun Yang (3): hw/mips/loongson3_virt: Store core_iocsr into LoongsonMachineState hw/mips/loongson3_virt: Fix condition of IPI IOCSR connection linux-user/mips64: Use MIPS64R2-generic as default CPU type hw/mips/loongson3_virt.c | 6 +++++- linux-user/mips64/target_elf.h | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) --- base-commit: 02d9c38236cf8c9826e5c5be61780c4444cb4ae0 change-id: 20240621-loongson3-ipi-follow-1f4919621882 Best regards, -- Jiaxun Yang <jiaxun.yang(a)flygoat.com>

4 months, 1 week

1
1
0 0

[PATCH net 5/5] can: mcp251xfd: fix infinite loop when xmit fails

by Marc Kleine-Budde

From: Vitor Soares <vitor.soares(a)toradex.com> When the mcp251xfd_start_xmit() function fails, the driver stops processing messages, and the interrupt routine does not return, running indefinitely even after killing the running application. Error messages: [ 441.298819] mcp251xfd spi2.0 can0: ERROR in mcp251xfd_start_xmit: -16 [ 441.306498] mcp251xfd spi2.0 can0: Transmit Event FIFO buffer not empty. (seq=0x000017c7, tef_tail=0x000017cf, tef_head=0x000017d0, tx_head=0x000017d3). ... and repeat forever. The issue can be triggered when multiple devices share the same SPI interface. And there is concurrent access to the bus. The problem occurs because tx_ring->head increments even if mcp251xfd_start_xmit() fails. Consequently, the driver skips one TX package while still expecting a response in mcp251xfd_handle_tefif_one(). Resolve the issue by starting a workqueue to write the tx obj synchronously if err = -EBUSY. In case of another error, decrement tx_ring->head, remove skb from the echo stack, and drop the message. Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN") Cc: stable(a)vger.kernel.org Signed-off-by: Vitor Soares <vitor.soares(a)toradex.com> Link: https://lore.kernel.org/all/20240517134355.770777-1-ivitro@gmail.com [mkl: use more imperative wording in patch description] Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- .../net/can/spi/mcp251xfd/mcp251xfd-core.c | 14 ++++- drivers/net/can/spi/mcp251xfd/mcp251xfd-tx.c | 55 ++++++++++++++++--- drivers/net/can/spi/mcp251xfd/mcp251xfd.h | 5 ++ 3 files changed, 65 insertions(+), 9 deletions(-) diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c index 1d9057dc44f2..bf1589aef1fc 100644 --- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c +++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c @@ -1618,11 +1618,20 @@ static int mcp251xfd_open(struct net_device *ndev) clear_bit(MCP251XFD_FLAGS_DOWN, priv->flags); can_rx_offload_enable(&priv->offload); + priv->wq = alloc_ordered_workqueue("%s-mcp251xfd_wq", + WQ_FREEZABLE | WQ_MEM_RECLAIM, + dev_name(&spi->dev)); + if (!priv->wq) { + err = -ENOMEM; + goto out_can_rx_offload_disable; + } + INIT_WORK(&priv->tx_work, mcp251xfd_tx_obj_write_sync); + err = request_threaded_irq(spi->irq, NULL, mcp251xfd_irq, IRQF_SHARED | IRQF_ONESHOT, dev_name(&spi->dev), priv); if (err) - goto out_can_rx_offload_disable; + goto out_destroy_workqueue; err = mcp251xfd_chip_interrupts_enable(priv); if (err) @@ -1634,6 +1643,8 @@ static int mcp251xfd_open(struct net_device *ndev) out_free_irq: free_irq(spi->irq, priv); + out_destroy_workqueue: + destroy_workqueue(priv->wq); out_can_rx_offload_disable: can_rx_offload_disable(&priv->offload); set_bit(MCP251XFD_FLAGS_DOWN, priv->flags); @@ -1661,6 +1672,7 @@ static int mcp251xfd_stop(struct net_device *ndev) hrtimer_cancel(&priv->tx_irq_timer); mcp251xfd_chip_interrupts_disable(priv); free_irq(ndev->irq, priv); + destroy_workqueue(priv->wq); can_rx_offload_disable(&priv->offload); mcp251xfd_timestamp_stop(priv); mcp251xfd_chip_stop(priv, CAN_STATE_STOPPED); diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tx.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tx.c index 160528d3cc26..b1de8052a45c 100644 --- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tx.c +++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tx.c @@ -131,6 +131,39 @@ mcp251xfd_tx_obj_from_skb(const struct mcp251xfd_priv *priv, tx_obj->xfer[0].len = len; } +static void mcp251xfd_tx_failure_drop(const struct mcp251xfd_priv *priv, + struct mcp251xfd_tx_ring *tx_ring, + int err) +{ + struct net_device *ndev = priv->ndev; + struct net_device_stats *stats = &ndev->stats; + unsigned int frame_len = 0; + u8 tx_head; + + tx_ring->head--; + stats->tx_dropped++; + tx_head = mcp251xfd_get_tx_head(tx_ring); + can_free_echo_skb(ndev, tx_head, &frame_len); + netdev_completed_queue(ndev, 1, frame_len); + netif_wake_queue(ndev); + + if (net_ratelimit()) + netdev_err(priv->ndev, "ERROR in %s: %d\n", __func__, err); +} + +void mcp251xfd_tx_obj_write_sync(struct work_struct *work) +{ + struct mcp251xfd_priv *priv = container_of(work, struct mcp251xfd_priv, + tx_work); + struct mcp251xfd_tx_obj *tx_obj = priv->tx_work_obj; + struct mcp251xfd_tx_ring *tx_ring = priv->tx; + int err; + + err = spi_sync(priv->spi, &tx_obj->msg); + if (err) + mcp251xfd_tx_failure_drop(priv, tx_ring, err); +} + static int mcp251xfd_tx_obj_write(const struct mcp251xfd_priv *priv, struct mcp251xfd_tx_obj *tx_obj) { @@ -162,6 +195,11 @@ static bool mcp251xfd_tx_busy(const struct mcp251xfd_priv *priv, return false; } +static bool mcp251xfd_work_busy(struct work_struct *work) +{ + return work_busy(work); +} + netdev_tx_t mcp251xfd_start_xmit(struct sk_buff *skb, struct net_device *ndev) { @@ -175,7 +213,8 @@ netdev_tx_t mcp251xfd_start_xmit(struct sk_buff *skb, if (can_dev_dropped_skb(ndev, skb)) return NETDEV_TX_OK; - if (mcp251xfd_tx_busy(priv, tx_ring)) + if (mcp251xfd_tx_busy(priv, tx_ring) || + mcp251xfd_work_busy(&priv->tx_work)) return NETDEV_TX_BUSY; tx_obj = mcp251xfd_get_tx_obj_next(tx_ring); @@ -193,13 +232,13 @@ netdev_tx_t mcp251xfd_start_xmit(struct sk_buff *skb, netdev_sent_queue(priv->ndev, frame_len); err = mcp251xfd_tx_obj_write(priv, tx_obj); - if (err) - goto out_err; - - return NETDEV_TX_OK; - - out_err: - netdev_err(priv->ndev, "ERROR in %s: %d\n", __func__, err); + if (err == -EBUSY) { + netif_stop_queue(ndev); + priv->tx_work_obj = tx_obj; + queue_work(priv->wq, &priv->tx_work); + } else if (err) { + mcp251xfd_tx_failure_drop(priv, tx_ring, err); + } return NETDEV_TX_OK; } diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd.h b/drivers/net/can/spi/mcp251xfd/mcp251xfd.h index 24510b3b8020..b35bfebd23f2 100644 --- a/drivers/net/can/spi/mcp251xfd/mcp251xfd.h +++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd.h @@ -633,6 +633,10 @@ struct mcp251xfd_priv { struct mcp251xfd_rx_ring *rx[MCP251XFD_FIFO_RX_NUM]; struct mcp251xfd_tx_ring tx[MCP251XFD_FIFO_TX_NUM]; + struct workqueue_struct *wq; + struct work_struct tx_work; + struct mcp251xfd_tx_obj *tx_work_obj; + DECLARE_BITMAP(flags, __MCP251XFD_FLAGS_SIZE__); u8 rx_ring_num; @@ -952,6 +956,7 @@ void mcp251xfd_skb_set_timestamp(const struct mcp251xfd_priv *priv, void mcp251xfd_timestamp_init(struct mcp251xfd_priv *priv); void mcp251xfd_timestamp_stop(struct mcp251xfd_priv *priv); +void mcp251xfd_tx_obj_write_sync(struct work_struct *work); netdev_tx_t mcp251xfd_start_xmit(struct sk_buff *skb, struct net_device *ndev); -- 2.43.0

4 months, 1 week

1
0
0 0

[PATCH net 3/5] net: can: j1939: recover socket queue on CAN bus error during BAM transmission

by Marc Kleine-Budde

From: Oleksij Rempel <o.rempel(a)pengutronix.de> Addresses an issue where a CAN bus error during a BAM transmission could stall the socket queue, preventing further transmissions even after the bus error is resolved. The fix activates the next queued session after the error recovery, allowing communication to continue. Fixes: 9d71dd0c70099 ("can: add support of SAE J1939 protocol") Cc: stable(a)vger.kernel.org Reported-by: Alexander Hölzl <alexander.hoelzl(a)gmx.net> Tested-by: Alexander Hölzl <alexander.hoelzl(a)gmx.net> Signed-off-by: Oleksij Rempel <o.rempel(a)pengutronix.de> Link: https://lore.kernel.org/all/20240528070648.1947203-1-o.rempel@pengutronix.de Cc: stable(a)vger.kernel.org Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- net/can/j1939/transport.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c index c6569f98d251..4be73de5033c 100644 --- a/net/can/j1939/transport.c +++ b/net/can/j1939/transport.c @@ -1696,6 +1696,8 @@ static int j1939_xtp_rx_rts_session_active(struct j1939_session *session, j1939_session_timers_cancel(session); j1939_session_cancel(session, J1939_XTP_ABORT_BUSY); + if (session->transmission) + j1939_session_deactivate_activate_next(session); return -EBUSY; } -- 2.43.0

4 months, 1 week

1
0
0 0

[PATCH net 2/5] net: can: j1939: Initialize unused data in j1939_send_one()

by Marc Kleine-Budde

From: Shigeru Yoshida <syoshida(a)redhat.com> syzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one() creates full frame including unused data, but it doesn't initialize it. This causes the kernel-infoleak issue. Fix this by initializing unused data. [1] BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline] BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 instrument_copy_to_user include/linux/instrumented.h:114 [inline] copy_to_user_iter lib/iov_iter.c:24 [inline] iterate_ubuf include/linux/iov_iter.h:29 [inline] iterate_and_advance2 include/linux/iov_iter.h:245 [inline] iterate_and_advance include/linux/iov_iter.h:271 [inline] _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 copy_to_iter include/linux/uio.h:196 [inline] memcpy_to_msg include/linux/skbuff.h:4113 [inline] raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008 sock_recvmsg_nosec net/socket.c:1046 [inline] sock_recvmsg+0x2c4/0x340 net/socket.c:1068 ____sys_recvmsg+0x18a/0x620 net/socket.c:2803 ___sys_recvmsg+0x223/0x840 net/socket.c:2845 do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939 __sys_recvmmsg net/socket.c:3018 [inline] __do_sys_recvmmsg net/socket.c:3041 [inline] __se_sys_recvmmsg net/socket.c:3034 [inline] __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034 x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:3804 [inline] slab_alloc_node mm/slub.c:3845 [inline] kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577 __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668 alloc_skb include/linux/skbuff.h:1313 [inline] alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504 sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795 sock_alloc_send_skb include/net/sock.h:1842 [inline] j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline] j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline] j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 ____sys_sendmsg+0x877/0xb60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674 x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Bytes 12-15 of 16 are uninitialized Memory access of size 16 starts at ffff888120969690 Data copied to user address 00000000200017c0 CPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") Reported-and-tested-by: syzbot+5681e40d297b30f5b513(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=5681e40d297b30f5b513 Acked-by: Oleksij Rempel <o.rempel(a)pengutronix.de> Signed-off-by: Shigeru Yoshida <syoshida(a)redhat.com> Link: https://lore.kernel.org/all/20240517035953.2617090-1-syoshida@redhat.com Cc: stable(a)vger.kernel.org Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- net/can/j1939/main.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/net/can/j1939/main.c b/net/can/j1939/main.c index a6fb89fa6278..7e8a20f2fc42 100644 --- a/net/can/j1939/main.c +++ b/net/can/j1939/main.c @@ -30,10 +30,6 @@ MODULE_ALIAS("can-proto-" __stringify(CAN_J1939)); /* CAN_HDR: #bytes before can_frame data part */ #define J1939_CAN_HDR (offsetof(struct can_frame, data)) -/* CAN_FTR: #bytes beyond data part */ -#define J1939_CAN_FTR (sizeof(struct can_frame) - J1939_CAN_HDR - \ - sizeof(((struct can_frame *)0)->data)) - /* lowest layer */ static void j1939_can_recv(struct sk_buff *iskb, void *data) { @@ -342,7 +338,7 @@ int j1939_send_one(struct j1939_priv *priv, struct sk_buff *skb) memset(cf, 0, J1939_CAN_HDR); /* make it a full can frame again */ - skb_put(skb, J1939_CAN_FTR + (8 - dlc)); + skb_put_zero(skb, 8 - dlc); canid = CAN_EFF_FLAG | (skcb->priority << 26) | -- 2.43.0

4 months, 1 week

1
0
0 0

[PATCH 0/7] dt-bindings: i2c: few fixes and cleanups

by Krzysztof Kozlowski

Few fixes for I2C controller schemas. The third patch (atmel,at91sam) depends on first, so I suggest not splitting this into fixes branch but take as is via next branch. Best regards, Krzysztof --- Krzysztof Kozlowski (7): dt-bindings: i2c: atmel,at91sam: correct path to i2c-controller schema dt-bindings: i2c: google,cros-ec-i2c-tunnel: correct path to i2c-controller schema dt-bindings: i2c: atmel,at91sam: drop unneeded address/size-cells dt-bindings: i2c: nvidia,tegra20: drop unneeded address/size-cells dt-bindings: i2c: samsung,s3c2410: drop unneeded address/size-cells dt-bindings: i2c: ti,omap4: reference i2c-controller.yaml schema dt-bindings: i2c: adjust indentation in DTS example to coding style .../devicetree/bindings/i2c/atmel,at91sam-i2c.yaml | 10 +- .../devicetree/bindings/i2c/brcm,brcmstb-i2c.yaml | 28 +++--- .../bindings/i2c/google,cros-ec-i2c-tunnel.yaml | 2 +- .../devicetree/bindings/i2c/i2c-demux-pinctrl.yaml | 106 ++++++++++----------- .../bindings/i2c/nvidia,tegra20-i2c.yaml | 6 -- .../devicetree/bindings/i2c/renesas,iic-emev2.yaml | 14 +-- .../devicetree/bindings/i2c/renesas,rcar-i2c.yaml | 20 ++-- .../devicetree/bindings/i2c/renesas,riic.yaml | 34 +++---- .../bindings/i2c/renesas,rmobile-iic.yaml | 24 ++--- .../bindings/i2c/samsung,s3c2410-i2c.yaml | 6 -- .../devicetree/bindings/i2c/st,stm32-i2c.yaml | 66 ++++++------- .../devicetree/bindings/i2c/ti,omap4-i2c.yaml | 64 +++++-------- 12 files changed, 174 insertions(+), 206 deletions(-) --- base-commit: 76db4c64526c5e8ba0f56ad3d890dce8f9b00bbc change-id: 20240620-dt-bindings-i2c-clean-b5a0b2dfdece Best regards, -- Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>

4 months, 1 week

3
7
0 0

[PATCH v6] can: mcp251xfd: fix infinite loop when xmit fails

by Vitor Soares

From: Vitor Soares <vitor.soares(a)toradex.com> When the mcp251xfd_start_xmit() function fails, the driver stops processing messages, and the interrupt routine does not return, running indefinitely even after killing the running application. Error messages: [ 441.298819] mcp251xfd spi2.0 can0: ERROR in mcp251xfd_start_xmit: -16 [ 441.306498] mcp251xfd spi2.0 can0: Transmit Event FIFO buffer not empty. (seq=0x000017c7, tef_tail=0x000017cf, tef_head=0x000017d0, tx_head=0x000017d3). ... and repeat forever. The issue can be triggered when multiple devices share the same SPI interface. And there is concurrent access to the bus. The problem occurs because tx_ring->head increments even if mcp251xfd_start_xmit() fails. Consequently, the driver skips one TX package while still expecting a response in mcp251xfd_handle_tefif_one(). This patch resolves the issue by starting a workqueue to write the tx obj synchronously if err = -EBUSY. In case of another error, it decrements tx_ring->head, removes skb from the echo stack, and drops the message. Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN") Cc: stable(a)vger.kernel.org Signed-off-by: Vitor Soares <vitor.soares(a)toradex.com> --- v5->v6 - Move alloc/destroy workqueue to open()/stop() callbacks. - Change workqueue to workqueue ordered. - Return NETDEV_TX_BUSY if the worker is busy, replacing the previouse priv->tx_work_obj = NULL. With this change, setting priv->tx_work_obj = NULL is not necessary anymore. V4->V5: - Start a workqueue to write tx obj with spi_sync() when spi_async() == -EBUSY. V3->V4: - Leave can_put_echo_skb() and stop the queue if needed, before mcp251xfd_tx_obj_write(). - Re-sync head and remove echo skb if mcp251xfd_tx_obj_write() fails. - Revert -> return NETDEV_TX_BUSY if mcp251xfd_tx_obj_write() == -EBUSY. V2->V3: - Add tx_dropped stats. - netdev_sent_queue() only if can_put_echo_skb() succeed. V1->V2: - Return NETDEV_TX_BUSY if mcp251xfd_tx_obj_write() == -EBUSY. - Rework the commit message to address the change above. - Change can_put_echo_skb() to be called after mcp251xfd_tx_obj_write() succeed. Otherwise, we get Kernel NULL pointer dereference error. .../net/can/spi/mcp251xfd/mcp251xfd-core.c | 14 ++++- drivers/net/can/spi/mcp251xfd/mcp251xfd-tx.c | 55 ++++++++++++++++--- drivers/net/can/spi/mcp251xfd/mcp251xfd.h | 5 ++ 3 files changed, 65 insertions(+), 9 deletions(-) diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c index 1d9057dc44f2..bf1589aef1fc 100644 --- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c +++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c @@ -1618,11 +1618,20 @@ static int mcp251xfd_open(struct net_device *ndev) clear_bit(MCP251XFD_FLAGS_DOWN, priv->flags); can_rx_offload_enable(&priv->offload); + priv->wq = alloc_ordered_workqueue("%s-mcp251xfd_wq", + WQ_FREEZABLE | WQ_MEM_RECLAIM, + dev_name(&spi->dev)); + if (!priv->wq) { + err = -ENOMEM; + goto out_can_rx_offload_disable; + } + INIT_WORK(&priv->tx_work, mcp251xfd_tx_obj_write_sync); + err = request_threaded_irq(spi->irq, NULL, mcp251xfd_irq, IRQF_SHARED | IRQF_ONESHOT, dev_name(&spi->dev), priv); if (err) - goto out_can_rx_offload_disable; + goto out_destroy_workqueue; err = mcp251xfd_chip_interrupts_enable(priv); if (err) @@ -1634,6 +1643,8 @@ static int mcp251xfd_open(struct net_device *ndev) out_free_irq: free_irq(spi->irq, priv); + out_destroy_workqueue: + destroy_workqueue(priv->wq); out_can_rx_offload_disable: can_rx_offload_disable(&priv->offload); set_bit(MCP251XFD_FLAGS_DOWN, priv->flags); @@ -1661,6 +1672,7 @@ static int mcp251xfd_stop(struct net_device *ndev) hrtimer_cancel(&priv->tx_irq_timer); mcp251xfd_chip_interrupts_disable(priv); free_irq(ndev->irq, priv); + destroy_workqueue(priv->wq); can_rx_offload_disable(&priv->offload); mcp251xfd_timestamp_stop(priv); mcp251xfd_chip_stop(priv, CAN_STATE_STOPPED); diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tx.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tx.c index 160528d3cc26..b1de8052a45c 100644 --- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tx.c +++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tx.c @@ -131,6 +131,39 @@ mcp251xfd_tx_obj_from_skb(const struct mcp251xfd_priv *priv, tx_obj->xfer[0].len = len; } +static void mcp251xfd_tx_failure_drop(const struct mcp251xfd_priv *priv, + struct mcp251xfd_tx_ring *tx_ring, + int err) +{ + struct net_device *ndev = priv->ndev; + struct net_device_stats *stats = &ndev->stats; + unsigned int frame_len = 0; + u8 tx_head; + + tx_ring->head--; + stats->tx_dropped++; + tx_head = mcp251xfd_get_tx_head(tx_ring); + can_free_echo_skb(ndev, tx_head, &frame_len); + netdev_completed_queue(ndev, 1, frame_len); + netif_wake_queue(ndev); + + if (net_ratelimit()) + netdev_err(priv->ndev, "ERROR in %s: %d\n", __func__, err); +} + +void mcp251xfd_tx_obj_write_sync(struct work_struct *work) +{ + struct mcp251xfd_priv *priv = container_of(work, struct mcp251xfd_priv, + tx_work); + struct mcp251xfd_tx_obj *tx_obj = priv->tx_work_obj; + struct mcp251xfd_tx_ring *tx_ring = priv->tx; + int err; + + err = spi_sync(priv->spi, &tx_obj->msg); + if (err) + mcp251xfd_tx_failure_drop(priv, tx_ring, err); +} + static int mcp251xfd_tx_obj_write(const struct mcp251xfd_priv *priv, struct mcp251xfd_tx_obj *tx_obj) { @@ -162,6 +195,11 @@ static bool mcp251xfd_tx_busy(const struct mcp251xfd_priv *priv, return false; } +static bool mcp251xfd_work_busy(struct work_struct *work) +{ + return work_busy(work); +} + netdev_tx_t mcp251xfd_start_xmit(struct sk_buff *skb, struct net_device *ndev) { @@ -175,7 +213,8 @@ netdev_tx_t mcp251xfd_start_xmit(struct sk_buff *skb, if (can_dev_dropped_skb(ndev, skb)) return NETDEV_TX_OK; - if (mcp251xfd_tx_busy(priv, tx_ring)) + if (mcp251xfd_tx_busy(priv, tx_ring) || + mcp251xfd_work_busy(&priv->tx_work)) return NETDEV_TX_BUSY; tx_obj = mcp251xfd_get_tx_obj_next(tx_ring); @@ -193,13 +232,13 @@ netdev_tx_t mcp251xfd_start_xmit(struct sk_buff *skb, netdev_sent_queue(priv->ndev, frame_len); err = mcp251xfd_tx_obj_write(priv, tx_obj); - if (err) - goto out_err; - - return NETDEV_TX_OK; - - out_err: - netdev_err(priv->ndev, "ERROR in %s: %d\n", __func__, err); + if (err == -EBUSY) { + netif_stop_queue(ndev); + priv->tx_work_obj = tx_obj; + queue_work(priv->wq, &priv->tx_work); + } else if (err) { + mcp251xfd_tx_failure_drop(priv, tx_ring, err); + } return NETDEV_TX_OK; } diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd.h b/drivers/net/can/spi/mcp251xfd/mcp251xfd.h index 24510b3b8020..b35bfebd23f2 100644 --- a/drivers/net/can/spi/mcp251xfd/mcp251xfd.h +++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd.h @@ -633,6 +633,10 @@ struct mcp251xfd_priv { struct mcp251xfd_rx_ring *rx[MCP251XFD_FIFO_RX_NUM]; struct mcp251xfd_tx_ring tx[MCP251XFD_FIFO_TX_NUM]; + struct workqueue_struct *wq; + struct work_struct tx_work; + struct mcp251xfd_tx_obj *tx_work_obj; + DECLARE_BITMAP(flags, __MCP251XFD_FLAGS_SIZE__); u8 rx_ring_num; @@ -952,6 +956,7 @@ void mcp251xfd_skb_set_timestamp(const struct mcp251xfd_priv *priv, void mcp251xfd_timestamp_init(struct mcp251xfd_priv *priv); void mcp251xfd_timestamp_stop(struct mcp251xfd_priv *priv); +void mcp251xfd_tx_obj_write_sync(struct work_struct *work); netdev_tx_t mcp251xfd_start_xmit(struct sk_buff *skb, struct net_device *ndev); -- 2.34.1

4 months, 1 week

4
3
0 0

[PATCH 00/10] MIPS: Loongson64: Loongson-2K1000 fixes

by Jiaxun Yang

Hi all, This series fixed various problems I meet when I was trying to boot kernel on my Loongson-2K PI2 system. Although most of the series are taged for stable, please apply it to mips-next tree as it has dependency to commits in next and I'm not in rush to get them into linus tree. I have some future works planed based on this series that may get into this cycle. Thanks - Jiaxun Signed-off-by: Jiaxun Yang <jiaxun.yang(a)flygoat.com> --- Jiaxun Yang (10): MIPS: Loongson64: Remove memory node for builtin-dtb MIPS: dts: loongson: Fix liointc IRQ polarity MIPS: dts: loongson: Fix ls2k1000-rtc interrupt MIPS: dts: loongson: Fix GMAC phy node MIPS: dts: loongson: Add ISA node MIPS: Loongson64: Test register availability before use platform: mips: cpu_hwmon: Disable driver on unsupported hardware MIPS: Loongson64: reset: Prioritise firmware service MIPS: Loongson64: sleeper: Pass ra and sp as arguments MIPS: Loongson64: env: Hook up Loongsson-2K arch/mips/boot/dts/loongson/loongson64-2k1000.dtsi | 65 +++++++++++----------- arch/mips/include/asm/mach-loongson64/boot_param.h | 2 + arch/mips/loongson64/env.c | 8 +++ arch/mips/loongson64/reset.c | 38 ++++++------- arch/mips/loongson64/sleeper.S | 8 ++- arch/mips/loongson64/smp.c | 23 +++++++- drivers/platform/mips/cpu_hwmon.c | 3 + 7 files changed, 89 insertions(+), 58 deletions(-) --- base-commit: 6906a84c482f098d31486df8dc98cead21cce2d0 change-id: 20240613-ls3k-mips-52eb3fb3e917 Best regards, -- Jiaxun Yang <jiaxun.yang(a)flygoat.com>

4 months, 1 week

2
10
0 0

[PATCH 01/15] ftruncate: pass a signed offset

by Arnd Bergmann

From: Arnd Bergmann <arnd(a)arndb.de> The old ftruncate() syscall, using the 32-bit off_t misses a sign extension when called in compat mode on 64-bit architectures. As a result, passing a negative length accidentally succeeds in truncating to file size between 2GiB and 4GiB. Changing the type of the compat syscall to the signed compat_off_t changes the behavior so it instead returns -EINVAL. The native entry point, the truncate() syscall and the corresponding loff_t based variants are all correct already and do not suffer from this mistake. Fixes: 3f6d078d4acc ("fix compat truncate/ftruncate") Cc: stable(a)vger.kernel.org Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> --- fs/open.c | 4 ++-- include/linux/compat.h | 2 +- include/linux/syscalls.h | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/fs/open.c b/fs/open.c index 89cafb572061..50e45bc7c4d8 100644 --- a/fs/open.c +++ b/fs/open.c @@ -202,13 +202,13 @@ long do_sys_ftruncate(unsigned int fd, loff_t length, int small) return error; } -SYSCALL_DEFINE2(ftruncate, unsigned int, fd, unsigned long, length) +SYSCALL_DEFINE2(ftruncate, unsigned int, fd, off_t, length) { return do_sys_ftruncate(fd, length, 1); } #ifdef CONFIG_COMPAT -COMPAT_SYSCALL_DEFINE2(ftruncate, unsigned int, fd, compat_ulong_t, length) +COMPAT_SYSCALL_DEFINE2(ftruncate, unsigned int, fd, compat_off_t, length) { return do_sys_ftruncate(fd, length, 1); } diff --git a/include/linux/compat.h b/include/linux/compat.h index 233f61ec8afc..56cebaff0c91 100644 --- a/include/linux/compat.h +++ b/include/linux/compat.h @@ -608,7 +608,7 @@ asmlinkage long compat_sys_fstatfs(unsigned int fd, asmlinkage long compat_sys_fstatfs64(unsigned int fd, compat_size_t sz, struct compat_statfs64 __user *buf); asmlinkage long compat_sys_truncate(const char __user *, compat_off_t); -asmlinkage long compat_sys_ftruncate(unsigned int, compat_ulong_t); +asmlinkage long compat_sys_ftruncate(unsigned int, compat_off_t); /* No generic prototype for truncate64, ftruncate64, fallocate */ asmlinkage long compat_sys_openat(int dfd, const char __user *filename, int flags, umode_t mode); diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h index 9104952d323d..ba9337709878 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h @@ -418,7 +418,7 @@ asmlinkage long sys_listmount(const struct mnt_id_req __user *req, u64 __user *mnt_ids, size_t nr_mnt_ids, unsigned int flags); asmlinkage long sys_truncate(const char __user *path, long length); -asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length); +asmlinkage long sys_ftruncate(unsigned int fd, off_t length); #if BITS_PER_LONG == 32 asmlinkage long sys_truncate64(const char __user *path, loff_t length); asmlinkage long sys_ftruncate64(unsigned int fd, loff_t length); -- 2.39.2

4 months, 1 week

2
1
0 0

[PATCH] ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14AHP9

by Pablo Caño

Lenovo Yoga Pro 7 14AHP9 (PCI SSID 17aa:3891) seems requiring a similar workaround like Yoga 9 model and Yoga 7 Pro 14APH8 for the bass speaker. Cc: <stable(a)vger.kernel.org> Link: https://lore.kernel.org/all/20231207182035.30248-1-tiwai@suse.de/ Signed-off-by: Pablo Caño <pablocpascual(a)gmail.com> --- sound/pci/hda/patch_realtek.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index aa76d1c88589..7663e715890d 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -10527,6 +10527,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x17aa, 0x3882, "Lenovo Yoga Pro 7 14APH8", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), SND_PCI_QUIRK(0x17aa, 0x3884, "Y780 YG DUAL", ALC287_FIXUP_TAS2781_I2C), SND_PCI_QUIRK(0x17aa, 0x3886, "Y780 VECO DUAL", ALC287_FIXUP_TAS2781_I2C), + SND_PCI_QUIRK(0x17aa, 0x3891, "Lenovo Yoga Pro 7 14AHP9", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), SND_PCI_QUIRK(0x17aa, 0x38a7, "Y780P AMD YG dual", ALC287_FIXUP_TAS2781_I2C), SND_PCI_QUIRK(0x17aa, 0x38a8, "Y780P AMD VECO dual", ALC287_FIXUP_TAS2781_I2C), SND_PCI_QUIRK(0x17aa, 0x38a9, "Thinkbook 16P", ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD), -- 2.45.2

4 months, 1 week

2
1
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror June 2024