August 2024 - Linux-stable-mirror

FAILED: patch "[PATCH] exec: Fix ToCToU between perm check and set-uid/gid usage" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x f50733b45d865f91db90919f8311e2127ce5a0cb # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024081412-caddie-manhandle-397e@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: f50733b45d86 ("exec: Fix ToCToU between perm check and set-uid/gid usage") e67fe63341b8 ("fs: port i_{g,u}id_into_vfs{g,u}id() to mnt_idmap") 9452e93e6dae ("fs: port privilege checking helpers to mnt_idmap") f2d40141d5d9 ("fs: port inode_init_owner() to mnt_idmap") 4609e1f18e19 ("fs: port ->permission() to pass mnt_idmap") 13e83a4923be ("fs: port ->set_acl() to pass mnt_idmap") 77435322777d ("fs: port ->get_acl() to pass mnt_idmap") 011e2b717b1b ("fs: port ->tmpfile() to pass mnt_idmap") 5ebb29bee8d5 ("fs: port ->mknod() to pass mnt_idmap") c54bd91e9eab ("fs: port ->mkdir() to pass mnt_idmap") 7a77db95511c ("fs: port ->symlink() to pass mnt_idmap") 6c960e68aaed ("fs: port ->create() to pass mnt_idmap") b74d24f7a74f ("fs: port ->getattr() to pass mnt_idmap") c1632a0f1120 ("fs: port ->setattr() to pass mnt_idmap") abf08576afe3 ("fs: port vfs_*() helpers to struct mnt_idmap") 6022ec6ee2c3 ("Merge tag 'ntfs3_for_6.2' of https://github.com/Paragon-Software-Group/linux-ntfs3") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f50733b45d865f91db90919f8311e2127ce5a0cb Mon Sep 17 00:00:00 2001 From: Kees Cook <kees(a)kernel.org> Date: Thu, 8 Aug 2024 11:39:08 -0700 Subject: [PATCH] exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, "chmod o-x,u+s target" makes "target" executable only by uid "root" and gid "cdrom", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group "cdrom" membership can get the permission to execute "target" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of "only cdrom group members can setuid to root". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal. Reported-by: Marco Vanotti <mvanotti(a)google.com> Tested-by: Marco Vanotti <mvanotti(a)google.com> Suggested-by: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: stable(a)vger.kernel.org Cc: Eric Biederman <ebiederm(a)xmission.com> Cc: Alexander Viro <viro(a)zeniv.linux.org.uk> Cc: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Kees Cook <kees(a)kernel.org> diff --git a/fs/exec.c b/fs/exec.c index a126e3d1cacb..50e76cc633c4 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1692,6 +1692,7 @@ static void bprm_fill_uid(struct linux_binprm *bprm, struct file *file) unsigned int mode; vfsuid_t vfsuid; vfsgid_t vfsgid; + int err; if (!mnt_may_suid(file->f_path.mnt)) return; @@ -1708,12 +1709,17 @@ static void bprm_fill_uid(struct linux_binprm *bprm, struct file *file) /* Be careful if suid/sgid is set */ inode_lock(inode); - /* reload atomically mode/uid/gid now that lock held */ + /* Atomically reload and check mode/uid/gid now that lock held. */ mode = inode->i_mode; vfsuid = i_uid_into_vfsuid(idmap, inode); vfsgid = i_gid_into_vfsgid(idmap, inode); + err = inode_permission(idmap, inode, MAY_EXEC); inode_unlock(inode); + /* Did the exec bit vanish out from under us? Give up. */ + if (err) + return; + /* We ignore suid/sgid if there are no mappings for them in the ns */ if (!vfsuid_has_mapping(bprm->cred->user_ns, vfsuid) || !vfsgid_has_mapping(bprm->cred->user_ns, vfsgid))

10 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] exec: Fix ToCToU between perm check and set-uid/gid usage" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x f50733b45d865f91db90919f8311e2127ce5a0cb # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024081405-fender-shortcut-a18f@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: f50733b45d86 ("exec: Fix ToCToU between perm check and set-uid/gid usage") e67fe63341b8 ("fs: port i_{g,u}id_into_vfs{g,u}id() to mnt_idmap") 9452e93e6dae ("fs: port privilege checking helpers to mnt_idmap") f2d40141d5d9 ("fs: port inode_init_owner() to mnt_idmap") 4609e1f18e19 ("fs: port ->permission() to pass mnt_idmap") 13e83a4923be ("fs: port ->set_acl() to pass mnt_idmap") 77435322777d ("fs: port ->get_acl() to pass mnt_idmap") 011e2b717b1b ("fs: port ->tmpfile() to pass mnt_idmap") 5ebb29bee8d5 ("fs: port ->mknod() to pass mnt_idmap") c54bd91e9eab ("fs: port ->mkdir() to pass mnt_idmap") 7a77db95511c ("fs: port ->symlink() to pass mnt_idmap") 6c960e68aaed ("fs: port ->create() to pass mnt_idmap") b74d24f7a74f ("fs: port ->getattr() to pass mnt_idmap") c1632a0f1120 ("fs: port ->setattr() to pass mnt_idmap") abf08576afe3 ("fs: port vfs_*() helpers to struct mnt_idmap") 6022ec6ee2c3 ("Merge tag 'ntfs3_for_6.2' of https://github.com/Paragon-Software-Group/linux-ntfs3") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f50733b45d865f91db90919f8311e2127ce5a0cb Mon Sep 17 00:00:00 2001 From: Kees Cook <kees(a)kernel.org> Date: Thu, 8 Aug 2024 11:39:08 -0700 Subject: [PATCH] exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, "chmod o-x,u+s target" makes "target" executable only by uid "root" and gid "cdrom", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group "cdrom" membership can get the permission to execute "target" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of "only cdrom group members can setuid to root". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal. Reported-by: Marco Vanotti <mvanotti(a)google.com> Tested-by: Marco Vanotti <mvanotti(a)google.com> Suggested-by: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: stable(a)vger.kernel.org Cc: Eric Biederman <ebiederm(a)xmission.com> Cc: Alexander Viro <viro(a)zeniv.linux.org.uk> Cc: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Kees Cook <kees(a)kernel.org> diff --git a/fs/exec.c b/fs/exec.c index a126e3d1cacb..50e76cc633c4 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1692,6 +1692,7 @@ static void bprm_fill_uid(struct linux_binprm *bprm, struct file *file) unsigned int mode; vfsuid_t vfsuid; vfsgid_t vfsgid; + int err; if (!mnt_may_suid(file->f_path.mnt)) return; @@ -1708,12 +1709,17 @@ static void bprm_fill_uid(struct linux_binprm *bprm, struct file *file) /* Be careful if suid/sgid is set */ inode_lock(inode); - /* reload atomically mode/uid/gid now that lock held */ + /* Atomically reload and check mode/uid/gid now that lock held. */ mode = inode->i_mode; vfsuid = i_uid_into_vfsuid(idmap, inode); vfsgid = i_gid_into_vfsgid(idmap, inode); + err = inode_permission(idmap, inode, MAY_EXEC); inode_unlock(inode); + /* Did the exec bit vanish out from under us? Give up. */ + if (err) + return; + /* We ignore suid/sgid if there are no mappings for them in the ns */ if (!vfsuid_has_mapping(bprm->cred->user_ns, vfsuid) || !vfsgid_has_mapping(bprm->cred->user_ns, vfsgid))

10 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] exec: Fix ToCToU between perm check and set-uid/gid usage" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x f50733b45d865f91db90919f8311e2127ce5a0cb # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024081458-grumbly-glance-dff9@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: f50733b45d86 ("exec: Fix ToCToU between perm check and set-uid/gid usage") e67fe63341b8 ("fs: port i_{g,u}id_into_vfs{g,u}id() to mnt_idmap") 9452e93e6dae ("fs: port privilege checking helpers to mnt_idmap") f2d40141d5d9 ("fs: port inode_init_owner() to mnt_idmap") 4609e1f18e19 ("fs: port ->permission() to pass mnt_idmap") 13e83a4923be ("fs: port ->set_acl() to pass mnt_idmap") 77435322777d ("fs: port ->get_acl() to pass mnt_idmap") 011e2b717b1b ("fs: port ->tmpfile() to pass mnt_idmap") 5ebb29bee8d5 ("fs: port ->mknod() to pass mnt_idmap") c54bd91e9eab ("fs: port ->mkdir() to pass mnt_idmap") 7a77db95511c ("fs: port ->symlink() to pass mnt_idmap") 6c960e68aaed ("fs: port ->create() to pass mnt_idmap") b74d24f7a74f ("fs: port ->getattr() to pass mnt_idmap") c1632a0f1120 ("fs: port ->setattr() to pass mnt_idmap") abf08576afe3 ("fs: port vfs_*() helpers to struct mnt_idmap") 6022ec6ee2c3 ("Merge tag 'ntfs3_for_6.2' of https://github.com/Paragon-Software-Group/linux-ntfs3") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f50733b45d865f91db90919f8311e2127ce5a0cb Mon Sep 17 00:00:00 2001 From: Kees Cook <kees(a)kernel.org> Date: Thu, 8 Aug 2024 11:39:08 -0700 Subject: [PATCH] exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, "chmod o-x,u+s target" makes "target" executable only by uid "root" and gid "cdrom", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group "cdrom" membership can get the permission to execute "target" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of "only cdrom group members can setuid to root". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal. Reported-by: Marco Vanotti <mvanotti(a)google.com> Tested-by: Marco Vanotti <mvanotti(a)google.com> Suggested-by: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: stable(a)vger.kernel.org Cc: Eric Biederman <ebiederm(a)xmission.com> Cc: Alexander Viro <viro(a)zeniv.linux.org.uk> Cc: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Kees Cook <kees(a)kernel.org> diff --git a/fs/exec.c b/fs/exec.c index a126e3d1cacb..50e76cc633c4 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1692,6 +1692,7 @@ static void bprm_fill_uid(struct linux_binprm *bprm, struct file *file) unsigned int mode; vfsuid_t vfsuid; vfsgid_t vfsgid; + int err; if (!mnt_may_suid(file->f_path.mnt)) return; @@ -1708,12 +1709,17 @@ static void bprm_fill_uid(struct linux_binprm *bprm, struct file *file) /* Be careful if suid/sgid is set */ inode_lock(inode); - /* reload atomically mode/uid/gid now that lock held */ + /* Atomically reload and check mode/uid/gid now that lock held. */ mode = inode->i_mode; vfsuid = i_uid_into_vfsuid(idmap, inode); vfsgid = i_gid_into_vfsgid(idmap, inode); + err = inode_permission(idmap, inode, MAY_EXEC); inode_unlock(inode); + /* Did the exec bit vanish out from under us? Give up. */ + if (err) + return; + /* We ignore suid/sgid if there are no mappings for them in the ns */ if (!vfsuid_has_mapping(bprm->cred->user_ns, vfsuid) || !vfsgid_has_mapping(bprm->cred->user_ns, vfsgid))

10 months, 3 weeks

1
0
0 0

[PATCH net-next 7/9] idpf: fix netdev Tx queue stop/wake

by Tony Nguyen

From: Michal Kubiak <michal.kubiak(a)intel.com> netif_txq_maybe_stop() returns -1, 0, or 1, while idpf_tx_maybe_stop_common() says it returns 0 or -EBUSY. As a result, there sometimes are Tx queue timeout warnings despite that the queue is empty or there is at least enough space to restart it. Make idpf_tx_maybe_stop_common() inline and returning true or false, handling the return of netif_txq_maybe_stop() properly. Use a correct goto in idpf_tx_maybe_stop_splitq() to avoid stopping the queue or incrementing the stops counter twice. Fixes: 6818c4d5b3c2 ("idpf: add splitq start_xmit") Fixes: a5ab9ee0df0b ("idpf: add singleq start_xmit and napi poll") Cc: stable(a)vger.kernel.org # 6.7+ Signed-off-by: Michal Kubiak <michal.kubiak(a)intel.com> Reviewed-by: Przemek Kitszel <przemyslaw.kitszel(a)intel.com> Signed-off-by: Alexander Lobakin <aleksander.lobakin(a)intel.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com> --- .../ethernet/intel/idpf/idpf_singleq_txrx.c | 4 +++ drivers/net/ethernet/intel/idpf/idpf_txrx.c | 35 +++++-------------- drivers/net/ethernet/intel/idpf/idpf_txrx.h | 9 ++++- 3 files changed, 21 insertions(+), 27 deletions(-) diff --git a/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c index 947d3ff9677c..5ba360abbe66 100644 --- a/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c +++ b/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c @@ -375,6 +375,10 @@ netdev_tx_t idpf_tx_singleq_frame(struct sk_buff *skb, IDPF_TX_DESCS_FOR_CTX)) { idpf_tx_buf_hw_update(tx_q, tx_q->next_to_use, false); + u64_stats_update_begin(&tx_q->stats_sync); + u64_stats_inc(&tx_q->q_stats.q_busy); + u64_stats_update_end(&tx_q->stats_sync); + return NETDEV_TX_BUSY; } diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c index c1df4341e9ab..60f875decd8a 100644 --- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c +++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c @@ -2128,29 +2128,6 @@ void idpf_tx_splitq_build_flow_desc(union idpf_tx_flex_desc *desc, desc->flow.qw1.compl_tag = cpu_to_le16(params->compl_tag); } -/** - * idpf_tx_maybe_stop_common - 1st level check for common Tx stop conditions - * @tx_q: the queue to be checked - * @size: number of descriptors we want to assure is available - * - * Returns 0 if stop is not needed - */ -int idpf_tx_maybe_stop_common(struct idpf_tx_queue *tx_q, unsigned int size) -{ - struct netdev_queue *nq; - - if (likely(IDPF_DESC_UNUSED(tx_q) >= size)) - return 0; - - u64_stats_update_begin(&tx_q->stats_sync); - u64_stats_inc(&tx_q->q_stats.q_busy); - u64_stats_update_end(&tx_q->stats_sync); - - nq = netdev_get_tx_queue(tx_q->netdev, tx_q->idx); - - return netif_txq_maybe_stop(nq, IDPF_DESC_UNUSED(tx_q), size, size); -} - /** * idpf_tx_maybe_stop_splitq - 1st level check for Tx splitq stop conditions * @tx_q: the queue to be checked @@ -2162,7 +2139,7 @@ static int idpf_tx_maybe_stop_splitq(struct idpf_tx_queue *tx_q, unsigned int descs_needed) { if (idpf_tx_maybe_stop_common(tx_q, descs_needed)) - goto splitq_stop; + goto out; /* If there are too many outstanding completions expected on the * completion queue, stop the TX queue to give the device some time to @@ -2181,10 +2158,12 @@ static int idpf_tx_maybe_stop_splitq(struct idpf_tx_queue *tx_q, return 0; splitq_stop: + netif_stop_subqueue(tx_q->netdev, tx_q->idx); + +out: u64_stats_update_begin(&tx_q->stats_sync); u64_stats_inc(&tx_q->q_stats.q_busy); u64_stats_update_end(&tx_q->stats_sync); - netif_stop_subqueue(tx_q->netdev, tx_q->idx); return -EBUSY; } @@ -2207,7 +2186,11 @@ void idpf_tx_buf_hw_update(struct idpf_tx_queue *tx_q, u32 val, nq = netdev_get_tx_queue(tx_q->netdev, tx_q->idx); tx_q->next_to_use = val; - idpf_tx_maybe_stop_common(tx_q, IDPF_TX_DESC_NEEDED); + if (idpf_tx_maybe_stop_common(tx_q, IDPF_TX_DESC_NEEDED)) { + u64_stats_update_begin(&tx_q->stats_sync); + u64_stats_inc(&tx_q->q_stats.q_busy); + u64_stats_update_end(&tx_q->stats_sync); + } /* Force memory writes to complete before letting h/w * know there are new descriptors to fetch. (Only diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.h b/drivers/net/ethernet/intel/idpf/idpf_txrx.h index 2478f71adb95..df3574ac58c2 100644 --- a/drivers/net/ethernet/intel/idpf/idpf_txrx.h +++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.h @@ -1020,7 +1020,6 @@ void idpf_tx_dma_map_error(struct idpf_tx_queue *txq, struct sk_buff *skb, struct idpf_tx_buf *first, u16 ring_idx); unsigned int idpf_tx_desc_count_required(struct idpf_tx_queue *txq, struct sk_buff *skb); -int idpf_tx_maybe_stop_common(struct idpf_tx_queue *tx_q, unsigned int size); void idpf_tx_timeout(struct net_device *netdev, unsigned int txqueue); netdev_tx_t idpf_tx_singleq_frame(struct sk_buff *skb, struct idpf_tx_queue *tx_q); @@ -1029,4 +1028,12 @@ bool idpf_rx_singleq_buf_hw_alloc_all(struct idpf_rx_queue *rxq, u16 cleaned_count); int idpf_tso(struct sk_buff *skb, struct idpf_tx_offload_params *off); +static inline bool idpf_tx_maybe_stop_common(struct idpf_tx_queue *tx_q, + u32 needed) +{ + return !netif_subqueue_maybe_stop(tx_q->netdev, tx_q->idx, + IDPF_DESC_UNUSED(tx_q), + needed, needed); +} + #endif /* !_IDPF_TXRX_H_ */ -- 2.42.0

10 months, 3 weeks

1
0
0 0

[PATCH v3] mm/hugetlb: fix hugetlb vs. core-mm PT locking

by David Hildenbrand

We recently made GUP's common page table walking code to also walk hugetlb VMAs without most hugetlb special-casing, preparing for the future of having less hugetlb-specific page table walking code in the codebase. Turns out that we missed one page table locking detail: page table locking for hugetlb folios that are not mapped using a single PMD/PUD. Assume we have hugetlb folio that spans multiple PTEs (e.g., 64 KiB hugetlb folios on arm64 with 4 KiB base page size). GUP, as it walks the page tables, will perform a pte_offset_map_lock() to grab the PTE table lock. However, hugetlb that concurrently modifies these page tables would actually grab the mm->page_table_lock: with USE_SPLIT_PTE_PTLOCKS, the locks would differ. Something similar can happen right now with hugetlb folios that span multiple PMDs when USE_SPLIT_PMD_PTLOCKS. This issue can be reproduced [1], for example triggering: [ 3105.936100] ------------[ cut here ]------------ [ 3105.939323] WARNING: CPU: 31 PID: 2732 at mm/gup.c:142 try_grab_folio+0x11c/0x188 [ 3105.944634] Modules linked in: [...] [ 3105.974841] CPU: 31 PID: 2732 Comm: reproducer Not tainted 6.10.0-64.eln141.aarch64 #1 [ 3105.980406] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-4.fc40 05/24/2024 [ 3105.986185] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 3105.991108] pc : try_grab_folio+0x11c/0x188 [ 3105.994013] lr : follow_page_pte+0xd8/0x430 [ 3105.996986] sp : ffff80008eafb8f0 [ 3105.999346] x29: ffff80008eafb900 x28: ffffffe8d481f380 x27: 00f80001207cff43 [ 3106.004414] x26: 0000000000000001 x25: 0000000000000000 x24: ffff80008eafba48 [ 3106.009520] x23: 0000ffff9372f000 x22: ffff7a54459e2000 x21: ffff7a546c1aa978 [ 3106.014529] x20: ffffffe8d481f3c0 x19: 0000000000610041 x18: 0000000000000001 [ 3106.019506] x17: 0000000000000001 x16: ffffffffffffffff x15: 0000000000000000 [ 3106.024494] x14: ffffb85477fdfe08 x13: 0000ffff9372ffff x12: 0000000000000000 [ 3106.029469] x11: 1fffef4a88a96be1 x10: ffff7a54454b5f0c x9 : ffffb854771b12f0 [ 3106.034324] x8 : 0008000000000000 x7 : ffff7a546c1aa980 x6 : 0008000000000080 [ 3106.038902] x5 : 00000000001207cf x4 : 0000ffff9372f000 x3 : ffffffe8d481f000 [ 3106.043420] x2 : 0000000000610041 x1 : 0000000000000001 x0 : 0000000000000000 [ 3106.047957] Call trace: [ 3106.049522] try_grab_folio+0x11c/0x188 [ 3106.051996] follow_pmd_mask.constprop.0.isra.0+0x150/0x2e0 [ 3106.055527] follow_page_mask+0x1a0/0x2b8 [ 3106.058118] __get_user_pages+0xf0/0x348 [ 3106.060647] faultin_page_range+0xb0/0x360 [ 3106.063651] do_madvise+0x340/0x598 Let's make huge_pte_lockptr() effectively use the same PT locks as any core-mm page table walker would. Add ptep_lockptr() to obtain the PTE page table lock using a pte pointer -- unfortunately we cannot convert pte_lockptr() because virt_to_page() doesn't work with kmap'ed page tables we can have with CONFIG_HIGHPTE. Take care of PTE tables possibly spanning multiple pages, and take care of CONFIG_PGTABLE_LEVELS complexity when e.g., PMD_SIZE == PUD_SIZE. For example, with CONFIG_PGTABLE_LEVELS == 2, core-mm would detect with hugepagesize==PMD_SIZE pmd_leaf() and use the pmd_lockptr(), which would end up just mapping to the per-MM PT lock. There is one ugly case: powerpc 8xx, whereby we have an 8 MiB hugetlb folio being mapped using two PTE page tables. While hugetlb wants to take the PMD table lock, core-mm would grab the PTE table lock of one of both PTE page tables. In such corner cases, we have to make sure that both locks match, which is (fortunately!) currently guaranteed for 8xx as it does not support SMP and consequently doesn't use split PT locks. [1] https://lore.kernel.org/all/1bbfcc7f-f222-45a5-ac44-c5a1381c596d@redhat.com/ Fixes: 9cb28da54643 ("mm/gup: handle hugetlb in the generic follow_page_mask code") Reviewed-by: James Houghton <jthoughton(a)google.com> Cc: <stable(a)vger.kernel.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Signed-off-by: David Hildenbrand <david(a)redhat.com> --- Third time is the charm? Retested on arm64 and x86-64. Cross-compiled on a bunch of others. v2 -> v3: * Handle CONFIG_PGTABLE_LEVELS oddities as good as possible. It's a mess. Remove the size >= P4D_SIZE check and simply default to the &mm->page_table_lock. * Align the PTE pointer to the start of the page table to handle PTE page tables bigger than a single page (unclear if this could currently trigger). * Extend patch description v1 -> 2: * Extend patch description * Drop "mm: let pte_lockptr() consume a pte_t pointer" * Introduce ptep_lockptr() in this patch --- include/linux/hugetlb.h | 27 +++++++++++++++++++++++++-- include/linux/mm.h | 22 ++++++++++++++++++++++ 2 files changed, 47 insertions(+), 2 deletions(-) diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h index c9bf68c239a01..e6437a06e2346 100644 --- a/include/linux/hugetlb.h +++ b/include/linux/hugetlb.h @@ -944,9 +944,32 @@ static inline bool htlb_allow_alloc_fallback(int reason) static inline spinlock_t *huge_pte_lockptr(struct hstate *h, struct mm_struct *mm, pte_t *pte) { - if (huge_page_size(h) == PMD_SIZE) + unsigned long size = huge_page_size(h); + + VM_WARN_ON(size == PAGE_SIZE); + + /* + * hugetlb must use the exact same PT locks as core-mm page table + * walkers would. When modifying a PTE table, hugetlb must take the + * PTE PT lock, when modifying a PMD table, hugetlb must take the PMD + * PT lock etc. + * + * The expectation is that any hugetlb folio smaller than a PMD is + * always mapped into a single PTE table and that any hugetlb folio + * smaller than a PUD (but at least as big as a PMD) is always mapped + * into a single PMD table. + * + * If that does not hold for an architecture, then that architecture + * must disable split PT locks such that all *_lockptr() functions + * will give us the same result: the per-MM PT lock. + */ + if (size < PMD_SIZE && !IS_ENABLED(CONFIG_HIGHPTE)) + /* pte_alloc_huge() only applies with !CONFIG_HIGHPTE */ + return ptep_lockptr(mm, pte); + else if (size < PUD_SIZE || CONFIG_PGTABLE_LEVELS == 2) return pmd_lockptr(mm, (pmd_t *) pte); - VM_BUG_ON(huge_page_size(h) == PAGE_SIZE); + else if (size < P4D_SIZE || CONFIG_PGTABLE_LEVELS == 3) + return pud_lockptr(mm, (pud_t *) pte); return &mm->page_table_lock; } diff --git a/include/linux/mm.h b/include/linux/mm.h index b100df8cb5857..f6c7fe8f5746f 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -2926,6 +2926,24 @@ static inline spinlock_t *pte_lockptr(struct mm_struct *mm, pmd_t *pmd) return ptlock_ptr(page_ptdesc(pmd_page(*pmd))); } +static inline struct page *ptep_pgtable_page(pte_t *pte) +{ + unsigned long mask = ~(PTRS_PER_PTE * sizeof(pte_t) - 1); + + BUILD_BUG_ON(IS_ENABLED(CONFIG_HIGHPTE)); + return virt_to_page((void *)((unsigned long)pte & mask)); +} + +static inline struct ptdesc *ptep_ptdesc(pte_t *pte) +{ + return page_ptdesc(ptep_pgtable_page(pte)); +} + +static inline spinlock_t *ptep_lockptr(struct mm_struct *mm, pte_t *pte) +{ + return ptlock_ptr(ptep_ptdesc(pte)); +} + static inline bool ptlock_init(struct ptdesc *ptdesc) { /* @@ -2950,6 +2968,10 @@ static inline spinlock_t *pte_lockptr(struct mm_struct *mm, pmd_t *pmd) { return &mm->page_table_lock; } +static inline spinlock_t *ptep_lockptr(struct mm_struct *mm, pte_t *pte) +{ + return &mm->page_table_lock; +} static inline void ptlock_cache_init(void) {} static inline bool ptlock_init(struct ptdesc *ptdesc) { return true; } static inline void ptlock_free(struct ptdesc *ptdesc) {} -- 2.45.2

10 months, 3 weeks

4
10
0 0

[PATCH v5 bpf-next 01/10] lib/buildid: harden build ID parsing logic

by Andrii Nakryiko

Harden build ID parsing logic, adding explicit READ_ONCE() where it's important to have a consistent value read and validated just once. Also, as pointed out by Andi Kleen, we need to make sure that entire ELF note is within a page bounds, so move the overflow check up and add an extra note_size boundaries validation. Fixes tag below points to the code that moved this code into lib/buildid.c, and then subsequently was used in perf subsystem, making this code exposed to perf_event_open() users in v5.12+. Cc: stable(a)vger.kernel.org Cc: Jann Horn <jannh(a)google.com> Suggested-by: Andi Kleen <ak(a)linux.intel.com> Fixes: bd7525dacd7e ("bpf: Move stack_map_get_build_id into lib") Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> --- lib/buildid.c | 74 ++++++++++++++++++++++++++++++--------------------- 1 file changed, 43 insertions(+), 31 deletions(-) diff --git a/lib/buildid.c b/lib/buildid.c index e02b5507418b..61bc5b767064 100644 --- a/lib/buildid.c +++ b/lib/buildid.c @@ -18,31 +18,37 @@ static int parse_build_id_buf(unsigned char *build_id, const void *note_start, Elf32_Word note_size) { - Elf32_Word note_offs = 0, new_offs; - - while (note_offs + sizeof(Elf32_Nhdr) < note_size) { - Elf32_Nhdr *nhdr = (Elf32_Nhdr *)(note_start + note_offs); + const char note_name[] = "GNU"; + const size_t note_name_sz = sizeof(note_name); + u64 note_off = 0, new_off, name_sz, desc_sz; + const char *data; + + while (note_off + sizeof(Elf32_Nhdr) < note_size && + note_off + sizeof(Elf32_Nhdr) > note_off /* overflow */) { + Elf32_Nhdr *nhdr = (Elf32_Nhdr *)(note_start + note_off); + + name_sz = READ_ONCE(nhdr->n_namesz); + desc_sz = READ_ONCE(nhdr->n_descsz); + + new_off = note_off + sizeof(Elf32_Nhdr); + if (check_add_overflow(new_off, ALIGN(name_sz, 4), &new_off) || + check_add_overflow(new_off, ALIGN(desc_sz, 4), &new_off) || + new_off > note_size) + break; if (nhdr->n_type == BUILD_ID && - nhdr->n_namesz == sizeof("GNU") && - !strcmp((char *)(nhdr + 1), "GNU") && - nhdr->n_descsz > 0 && - nhdr->n_descsz <= BUILD_ID_SIZE_MAX) { - memcpy(build_id, - note_start + note_offs + - ALIGN(sizeof("GNU"), 4) + sizeof(Elf32_Nhdr), - nhdr->n_descsz); - memset(build_id + nhdr->n_descsz, 0, - BUILD_ID_SIZE_MAX - nhdr->n_descsz); + name_sz == note_name_sz && + strcmp((char *)(nhdr + 1), note_name) == 0 && + desc_sz > 0 && desc_sz <= BUILD_ID_SIZE_MAX) { + data = note_start + note_off + ALIGN(note_name_sz, 4); + memcpy(build_id, data, desc_sz); + memset(build_id + desc_sz, 0, BUILD_ID_SIZE_MAX - desc_sz); if (size) - *size = nhdr->n_descsz; + *size = desc_sz; return 0; } - new_offs = note_offs + sizeof(Elf32_Nhdr) + - ALIGN(nhdr->n_namesz, 4) + ALIGN(nhdr->n_descsz, 4); - if (new_offs <= note_offs) /* overflow */ - break; - note_offs = new_offs; + + note_off = new_off; } return -EINVAL; @@ -71,7 +77,7 @@ static int get_build_id_32(const void *page_addr, unsigned char *build_id, { Elf32_Ehdr *ehdr = (Elf32_Ehdr *)page_addr; Elf32_Phdr *phdr; - int i; + __u32 i, phnum; /* * FIXME @@ -80,9 +86,10 @@ static int get_build_id_32(const void *page_addr, unsigned char *build_id, */ if (ehdr->e_phoff != sizeof(Elf32_Ehdr)) return -EINVAL; + + phnum = READ_ONCE(ehdr->e_phnum); /* only supports phdr that fits in one page */ - if (ehdr->e_phnum > - (PAGE_SIZE - sizeof(Elf32_Ehdr)) / sizeof(Elf32_Phdr)) + if (phnum > (PAGE_SIZE - sizeof(Elf32_Ehdr)) / sizeof(Elf32_Phdr)) return -EINVAL; phdr = (Elf32_Phdr *)(page_addr + sizeof(Elf32_Ehdr)); @@ -90,8 +97,8 @@ static int get_build_id_32(const void *page_addr, unsigned char *build_id, for (i = 0; i < ehdr->e_phnum; ++i) { if (phdr[i].p_type == PT_NOTE && !parse_build_id(page_addr, build_id, size, - page_addr + phdr[i].p_offset, - phdr[i].p_filesz)) + page_addr + READ_ONCE(phdr[i].p_offset), + READ_ONCE(phdr[i].p_filesz))) return 0; } return -EINVAL; @@ -103,7 +110,7 @@ static int get_build_id_64(const void *page_addr, unsigned char *build_id, { Elf64_Ehdr *ehdr = (Elf64_Ehdr *)page_addr; Elf64_Phdr *phdr; - int i; + __u32 i, phnum; /* * FIXME @@ -112,18 +119,19 @@ static int get_build_id_64(const void *page_addr, unsigned char *build_id, */ if (ehdr->e_phoff != sizeof(Elf64_Ehdr)) return -EINVAL; + + phnum = READ_ONCE(ehdr->e_phnum); /* only supports phdr that fits in one page */ - if (ehdr->e_phnum > - (PAGE_SIZE - sizeof(Elf64_Ehdr)) / sizeof(Elf64_Phdr)) + if (phnum > (PAGE_SIZE - sizeof(Elf64_Ehdr)) / sizeof(Elf64_Phdr)) return -EINVAL; phdr = (Elf64_Phdr *)(page_addr + sizeof(Elf64_Ehdr)); - for (i = 0; i < ehdr->e_phnum; ++i) { + for (i = 0; i < phnum; ++i) { if (phdr[i].p_type == PT_NOTE && !parse_build_id(page_addr, build_id, size, - page_addr + phdr[i].p_offset, - phdr[i].p_filesz)) + page_addr + READ_ONCE(phdr[i].p_offset), + READ_ONCE(phdr[i].p_filesz))) return 0; } return -EINVAL; @@ -152,6 +160,10 @@ int build_id_parse(struct vm_area_struct *vma, unsigned char *build_id, page = find_get_page(vma->vm_file->f_mapping, 0); if (!page) return -EFAULT; /* page not mapped */ + if (!PageUptodate(page)) { + put_page(page); + return -EFAULT; + } ret = -EINVAL; page_addr = kmap_local_page(page); -- 2.43.5

10 months, 3 weeks

4
6
0 0

[PATCH] drm/xe: prevent UAF around preempt fence

by Matthew Auld

The fence lock is part of the queue, therefore in the current design anything locking the fence should then also hold a ref to the queue to prevent the queue from being freed. However, currently it looks like we signal the fence and then drop the queue ref, but if something is waiting on the fence, the waiter is kicked to wake up at some later point, where upon waking up it first grabs the lock before checking the fence state. But if we have already dropped the queue ref, then the lock might already be freed as part of the queue, leading to uaf. To prevent this, move the fence lock into the fence itself so we don't run into lifetime issues. Alternative might be to have device level lock, or only release the queue in the fence release callback, however that might require pushing to another worker to avoid locking issues. Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2454 References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2342 References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2020 Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/xe/xe_exec_queue.c | 1 - drivers/gpu/drm/xe/xe_exec_queue_types.h | 2 -- drivers/gpu/drm/xe/xe_preempt_fence.c | 3 ++- drivers/gpu/drm/xe/xe_preempt_fence_types.h | 2 ++ 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_exec_queue.c b/drivers/gpu/drm/xe/xe_exec_queue.c index 971e1234b8ea..0f610d273fb6 100644 --- a/drivers/gpu/drm/xe/xe_exec_queue.c +++ b/drivers/gpu/drm/xe/xe_exec_queue.c @@ -614,7 +614,6 @@ int xe_exec_queue_create_ioctl(struct drm_device *dev, void *data, if (xe_vm_in_preempt_fence_mode(vm)) { q->lr.context = dma_fence_context_alloc(1); - spin_lock_init(&q->lr.lock); err = xe_vm_add_compute_exec_queue(vm, q); if (XE_IOCTL_DBG(xe, err)) diff --git a/drivers/gpu/drm/xe/xe_exec_queue_types.h b/drivers/gpu/drm/xe/xe_exec_queue_types.h index 1408b02eea53..fc2a1a20b7e4 100644 --- a/drivers/gpu/drm/xe/xe_exec_queue_types.h +++ b/drivers/gpu/drm/xe/xe_exec_queue_types.h @@ -126,8 +126,6 @@ struct xe_exec_queue { u32 seqno; /** @lr.link: link into VM's list of exec queues */ struct list_head link; - /** @lr.lock: preemption fences lock */ - spinlock_t lock; } lr; /** @ops: submission backend exec queue operations */ diff --git a/drivers/gpu/drm/xe/xe_preempt_fence.c b/drivers/gpu/drm/xe/xe_preempt_fence.c index 56e709d2fb30..83fbeea5aa20 100644 --- a/drivers/gpu/drm/xe/xe_preempt_fence.c +++ b/drivers/gpu/drm/xe/xe_preempt_fence.c @@ -134,8 +134,9 @@ xe_preempt_fence_arm(struct xe_preempt_fence *pfence, struct xe_exec_queue *q, { list_del_init(&pfence->link); pfence->q = xe_exec_queue_get(q); + spin_lock_init(&pfence->lock); dma_fence_init(&pfence->base, &preempt_fence_ops, - &q->lr.lock, context, seqno); + &pfence->lock, context, seqno); return &pfence->base; } diff --git a/drivers/gpu/drm/xe/xe_preempt_fence_types.h b/drivers/gpu/drm/xe/xe_preempt_fence_types.h index b54b5c29b533..312c3372a49f 100644 --- a/drivers/gpu/drm/xe/xe_preempt_fence_types.h +++ b/drivers/gpu/drm/xe/xe_preempt_fence_types.h @@ -25,6 +25,8 @@ struct xe_preempt_fence { struct xe_exec_queue *q; /** @preempt_work: work struct which issues preemption */ struct work_struct preempt_work; + /** @lock: dma-fence fence lock */ + spinlock_t lock; /** @error: preempt fence is in error state */ int error; }; -- 2.46.0

10 months, 3 weeks

2
1
0 0

[PATCH] phy: qualcomm: Check NULL ptr on data

by Ma Ke

Check NULL ptr on data, verify that data is not NULL before using it. Cc: stable(a)vger.kernel.org Fixes: ef19b117b834 ("phy: qualcomm: add qcom ipq806x dwc usb phy driver") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/phy/qualcomm/phy-qcom-ipq806x-usb.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/phy/qualcomm/phy-qcom-ipq806x-usb.c b/drivers/phy/qualcomm/phy-qcom-ipq806x-usb.c index 06392ed7c91b..9b9fd9c1b1f7 100644 --- a/drivers/phy/qualcomm/phy-qcom-ipq806x-usb.c +++ b/drivers/phy/qualcomm/phy-qcom-ipq806x-usb.c @@ -492,6 +492,8 @@ static int qcom_ipq806x_usb_phy_probe(struct platform_device *pdev) return -ENOMEM; data = of_device_get_match_data(&pdev->dev); + if (!data) + return -ENODEV; phy_dwc3->dev = &pdev->dev; -- 2.25.1

10 months, 3 weeks

2
1
0 0

[PATCH] memory: tegra186-emc: drop unused to_tegra186_emc()

by Krzysztof Kozlowski

to_tegra186_emc() is not used, W=1 builds: tegra186-emc.c:38:36: error: unused function 'to_tegra186_emc' [-Werror,-Wunused-function] Fixes: 9a38cb27668e ("memory: tegra: Add interconnect support for DRAM scaling in Tegra234") Cc: <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- drivers/memory/tegra/tegra186-emc.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/drivers/memory/tegra/tegra186-emc.c b/drivers/memory/tegra/tegra186-emc.c index 57d9ae12fcfe..33d67d251719 100644 --- a/drivers/memory/tegra/tegra186-emc.c +++ b/drivers/memory/tegra/tegra186-emc.c @@ -35,11 +35,6 @@ struct tegra186_emc { struct icc_provider provider; }; -static inline struct tegra186_emc *to_tegra186_emc(struct icc_provider *provider) -{ - return container_of(provider, struct tegra186_emc, provider); -} - /* * debugfs interface * -- 2.43.0

10 months, 3 weeks

1
1
0 0

Linux 6.10.5

by Greg Kroah-Hartman

I'm announcing the release of the 6.10.5 kernel. All users of the 6.10 kernel series must upgrade. The updated 6.10.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.10.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/admin-guide/cifs/usage.rst | 2 Documentation/admin-guide/kernel-parameters.txt | 4 Documentation/arch/arm64/silicon-errata.rst | 34 + Documentation/hwmon/corsair-psu.rst | 6 Documentation/userspace-api/media/v4l/pixfmt-yuv-luma.rst | 4 Makefile | 2 arch/arm64/Kconfig | 62 +- arch/arm64/boot/dts/ti/k3-am62-verdin-dahlia.dtsi | 22 arch/arm64/boot/dts/ti/k3-am62-verdin.dtsi | 6 arch/arm64/include/asm/cpucaps.h | 2 arch/arm64/include/asm/cputype.h | 10 arch/arm64/kernel/cpu_errata.c | 26 - arch/arm64/kernel/proton-pack.c | 2 arch/loongarch/kernel/efi.c | 6 arch/parisc/Kconfig | 1 arch/parisc/include/asm/cache.h | 11 arch/parisc/net/bpf_jit_core.c | 2 arch/x86/events/amd/core.c | 28 - arch/x86/events/amd/uncore.c | 8 arch/x86/events/core.c | 116 ++-- arch/x86/events/intel/core.c | 164 +++--- arch/x86/events/intel/cstate.c | 35 + arch/x86/events/intel/ds.c | 34 - arch/x86/events/intel/knc.c | 2 arch/x86/events/intel/p4.c | 10 arch/x86/events/intel/p6.c | 2 arch/x86/events/perf_event.h | 62 ++ arch/x86/events/zhaoxin/core.c | 12 arch/x86/include/asm/intel_ds.h | 1 arch/x86/include/asm/qspinlock.h | 12 arch/x86/kernel/cpu/mtrr/mtrr.c | 2 arch/x86/kernel/paravirt.c | 7 arch/x86/mm/pti.c | 8 drivers/acpi/battery.c | 16 drivers/acpi/resource.c | 14 drivers/acpi/sbs.c | 23 drivers/base/core.c | 13 drivers/base/module.c | 4 drivers/base/regmap/regmap-kunit.c | 72 +- drivers/bluetooth/btnxpuart.c | 2 drivers/clocksource/sh_cmt.c | 13 drivers/cpufreq/amd-pstate.c | 32 - drivers/cpufreq/amd-pstate.h | 1 drivers/gpio/gpiolib.c | 3 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 1 drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 3 drivers/gpu/drm/amd/amdgpu/amdgpu_psp_ta.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 7 drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 6 drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_vm_sdma.c | 5 drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 9 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 9 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 247 ++++++---- drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 58 +- drivers/gpu/drm/amd/display/dc/core/dc_state.c | 67 +- drivers/gpu/drm/amd/display/dc/dce/dmub_replay.c | 9 drivers/gpu/drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c | 49 + drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c | 3 drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_hpo_fixed_vs_pe_retimer_dp.c | 5 drivers/gpu/drm/amd/display/dc/link/link_dpms.c | 3 drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_irq_handler.c | 3 drivers/gpu/drm/amd/display/dc/resource/dcn20/dcn20_resource.c | 9 drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 8 drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c | 8 drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 57 +- drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c | 14 drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c | 36 + drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 16 drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c | 5 drivers/gpu/drm/display/drm_dp_mst_topology.c | 11 drivers/gpu/drm/drm_atomic_uapi.c | 15 drivers/gpu/drm/drm_client_modeset.c | 5 drivers/gpu/drm/i915/display/intel_backlight.c | 3 drivers/gpu/drm/i915/display/intel_pps.c | 3 drivers/gpu/drm/i915/gem/i915_gem_mman.c | 55 +- drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 13 drivers/gpu/drm/lima/lima_drv.c | 1 drivers/gpu/drm/mgag200/mgag200_i2c.c | 8 drivers/gpu/drm/radeon/pptable.h | 2 drivers/gpu/drm/tests/drm_gem_shmem_test.c | 11 drivers/gpu/drm/xe/regs/xe_engine_regs.h | 4 drivers/gpu/drm/xe/xe_guc_submit.c | 2 drivers/gpu/drm/xe/xe_hwmon.c | 3 drivers/gpu/drm/xe/xe_lrc.c | 17 drivers/gpu/drm/xe/xe_preempt_fence.c | 14 drivers/gpu/drm/xe/xe_rtp.c | 2 drivers/gpu/drm/xe/xe_sync.c | 2 drivers/hwmon/corsair-psu.c | 7 drivers/i2c/busses/i2c-qcom-geni.c | 5 drivers/i2c/i2c-smbus.c | 64 ++ drivers/irqchip/irq-loongarch-cpu.c | 6 drivers/irqchip/irq-mbigen.c | 20 drivers/irqchip/irq-meson-gpio.c | 14 drivers/irqchip/irq-riscv-aplic-msi.c | 32 + drivers/irqchip/irq-xilinx-intc.c | 2 drivers/md/md.c | 15 drivers/md/md.h | 2 drivers/md/raid1.c | 3 drivers/md/raid10.c | 3 drivers/md/raid5.c | 23 drivers/media/i2c/ov5647.c | 11 drivers/media/pci/intel/ipu6/Kconfig | 3 drivers/media/platform/amphion/vdec.c | 2 drivers/media/platform/amphion/venc.c | 2 drivers/media/tuners/xc2028.c | 9 drivers/media/usb/uvc/uvc_video.c | 37 + drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c | 2 drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 125 ++--- drivers/net/can/spi/mcp251xfd/mcp251xfd.h | 13 drivers/net/dsa/bcm_sf2.c | 4 drivers/net/dsa/microchip/ksz_common.c | 16 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 13 drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 14 drivers/net/ethernet/freescale/fec_ptp.c | 3 drivers/net/ethernet/google/gve/gve_ethtool.c | 2 drivers/net/ethernet/google/gve/gve_main.c | 12 drivers/net/ethernet/intel/ice/ice_main.c | 2 drivers/net/ethernet/intel/idpf/idpf_lib.c | 48 - drivers/net/ethernet/intel/idpf/idpf_txrx.c | 43 - drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 3 drivers/net/ethernet/mellanox/mlxsw/pci.c | 6 drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c | 23 drivers/net/pse-pd/tps23881.c | 5 drivers/net/usb/qmi_wwan.c | 1 drivers/net/virtio_net.c | 8 drivers/net/wireless/ath/ath12k/dp_rx.c | 1 drivers/net/wireless/ath/ath12k/pci.c | 4 drivers/net/wireless/realtek/rtlwifi/usb.c | 34 + drivers/net/wireless/realtek/rtw89/pci.c | 13 drivers/nvme/host/apple.c | 27 - drivers/nvme/host/pci.c | 6 drivers/platform/chrome/cros_ec_lpc.c | 50 +- drivers/platform/x86/intel/ifs/runtest.c | 2 drivers/platform/x86/intel/vbtn.c | 9 drivers/power/supply/axp288_charger.c | 22 drivers/power/supply/qcom_battmgr.c | 8 drivers/power/supply/rt5033_battery.c | 1 drivers/s390/char/sclp_sd.c | 10 drivers/scsi/mpi3mr/mpi3mr_os.c | 11 drivers/scsi/mpt3sas/mpt3sas_base.c | 20 drivers/scsi/sd.c | 5 drivers/soc/qcom/icc-bwmon.c | 12 drivers/spi/spi-fsl-lpspi.c | 6 drivers/spi/spidev.c | 1 drivers/spmi/spmi-pmic-arb.c | 11 drivers/thermal/intel/intel_hfi.c | 30 - drivers/tty/serial/sc16is7xx.c | 25 - drivers/tty/serial/serial_core.c | 8 drivers/tty/vt/conmakehash.c | 20 drivers/ufs/core/ufshcd-priv.h | 5 drivers/ufs/core/ufshcd.c | 19 drivers/usb/gadget/function/f_fs.c | 6 drivers/usb/gadget/function/f_midi2.c | 21 drivers/usb/gadget/function/u_audio.c | 42 + drivers/usb/gadget/function/u_serial.c | 1 drivers/usb/gadget/udc/core.c | 10 drivers/usb/serial/usb_debug.c | 7 drivers/usb/typec/mux/fsa4480.c | 14 drivers/usb/usbip/vhci_hcd.c | 9 drivers/vhost/vdpa.c | 8 drivers/xen/privcmd.c | 25 - fs/btrfs/ctree.c | 57 +- fs/btrfs/ctree.h | 11 fs/btrfs/defrag.c | 2 fs/btrfs/disk-io.c | 4 fs/btrfs/extent-tree.c | 46 - fs/btrfs/extent-tree.h | 8 fs/btrfs/extent_io.c | 4 fs/btrfs/file.c | 60 +- fs/btrfs/free-space-cache.c | 1 fs/btrfs/free-space-tree.c | 10 fs/btrfs/ioctl.c | 6 fs/btrfs/print-tree.c | 2 fs/btrfs/qgroup.c | 6 fs/btrfs/relocation.c | 8 fs/btrfs/transaction.c | 8 fs/buffer.c | 2 fs/ext4/inline.c | 6 fs/ext4/inode.c | 5 fs/jbd2/journal.c | 1 fs/nfsd/nfsctl.c | 3 fs/smb/client/cifs_debug.c | 2 fs/smb/client/cifsglob.h | 8 fs/smb/client/inode.c | 17 fs/smb/client/misc.c | 9 fs/smb/client/reparse.c | 4 fs/smb/client/reparse.h | 19 fs/smb/client/smb2inode.c | 2 fs/smb/client/smb2pdu.c | 3 fs/tracefs/event_inode.c | 4 fs/tracefs/inode.c | 12 fs/tracefs/internal.h | 5 fs/udf/balloc.c | 36 - include/linux/blk-integrity.h | 16 include/linux/fs.h | 2 include/linux/pci_ids.h | 2 include/linux/profile.h | 1 include/linux/rcupdate.h | 2 include/linux/trace_events.h | 1 include/linux/virtio_net.h | 16 include/sound/cs35l56.h | 14 io_uring/net.c | 7 kernel/bpf/verifier.c | 17 kernel/irq/irqdesc.c | 1 kernel/jump_label.c | 4 kernel/kcov.c | 15 kernel/kprobes.c | 4 kernel/locking/qspinlock_paravirt.h | 2 kernel/module/main.c | 41 + kernel/padata.c | 7 kernel/pid_namespace.c | 17 kernel/profile.c | 11 kernel/rcu/rcutorture.c | 2 kernel/rcu/tasks.h | 16 kernel/rcu/tree.c | 10 kernel/sched/core.c | 68 +- kernel/sched/cputime.c | 6 kernel/sched/stats.c | 10 kernel/time/clocksource.c | 2 kernel/time/ntp.c | 9 kernel/time/tick-broadcast.c | 3 kernel/time/timekeeping.c | 2 kernel/trace/trace.h | 23 kernel/trace/trace_events.c | 33 - kernel/trace/trace_events_hist.c | 4 kernel/trace/trace_events_inject.c | 2 kernel/trace/trace_events_trigger.c | 6 kernel/trace/tracing_map.c | 6 lib/debugobjects.c | 21 mm/list_lru.c | 28 - mm/memcontrol.c | 22 mm/slub.c | 3 net/bluetooth/hci_sync.c | 14 net/bluetooth/l2cap_core.c | 1 net/bridge/br_multicast.c | 4 net/core/link_watch.c | 4 net/ipv4/tcp_ao.c | 43 + net/ipv4/tcp_offload.c | 3 net/ipv4/udp_offload.c | 4 net/l2tp/l2tp_core.c | 15 net/mac80211/agg-tx.c | 4 net/mptcp/options.c | 3 net/mptcp/pm_netlink.c | 47 + net/sctp/input.c | 19 net/smc/smc_stats.h | 2 net/sunrpc/sched.c | 4 net/unix/af_unix.c | 34 - net/wireless/nl80211.c | 37 + sound/pci/hda/patch_hdmi.c | 2 sound/pci/hda/patch_realtek.c | 1 sound/soc/amd/yc/acp6x-mach.c | 7 sound/soc/codecs/cs-amp-lib.c | 2 sound/soc/codecs/cs35l56-sdw.c | 77 +++ sound/soc/codecs/cs35l56-shared.c | 101 ---- sound/soc/codecs/cs35l56.c | 205 -------- sound/soc/codecs/cs35l56.h | 1 sound/soc/codecs/wcd938x-sdw.c | 4 sound/soc/codecs/wcd939x-sdw.c | 4 sound/soc/codecs/wsa881x.c | 2 sound/soc/codecs/wsa883x.c | 10 sound/soc/codecs/wsa884x.c | 10 sound/soc/meson/axg-fifo.c | 26 - sound/soc/sof/mediatek/mt8195/mt8195.c | 2 sound/soc/sti/sti_uniperif.c | 2 sound/soc/sti/uniperif.h | 1 sound/soc/sti/uniperif_player.c | 1 sound/soc/sti/uniperif_reader.c | 1 sound/usb/line6/driver.c | 5 sound/usb/quirks-table.h | 4 tools/testing/selftests/bpf/prog_tests/send_signal.c | 3 tools/testing/selftests/devices/ksft.py | 2 tools/testing/selftests/mm/Makefile | 2 tools/testing/selftests/net/mptcp/mptcp_join.sh | 55 +- 274 files changed, 2688 insertions(+), 1723 deletions(-) Abdulrasaq Lawani (1): media: i2c: ov5647: replacing of_node_put with __free(device_node) Alex Hung (1): drm/amd/display: Add null checker before passing variables Alexander Lobakin (2): idpf: fix memory leaks and crashes while performing a soft reset idpf: fix UAFs when destroying the queues Andi Kleen (1): x86/mtrr: Check if fixed MTRRs exist before saving them Andi Shyti (2): drm/i915/gem: Fix Virtual Memory mapping boundaries calculation drm/i915/gem: Adjust vma offset for framebuffer mmap offset Andrey Konovalov (1): kcov: properly check for softirq context Anton Khirnov (1): Bluetooth: hci_sync: avoid dup filtering when passive scanning with adv monitor Arnd Bergmann (2): net: pse-pd: tps23881: include missing bitfield.h header media: ipu-bridge: fix ipu6 Kconfig dependencies Arseniy Krasnov (1): irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to 'raw_spinlock_t' Aurabindo Pillai (1): drm/amd/display: Fix null pointer deref in dcn20_resource.c Baochen Qiang (2): wifi: ath12k: fix race due to setting ATH12K_FLAG_EXT_IRQ_ENABLED too early wifi: ath12k: fix memory leak in ath12k_dp_rx_peer_frag_setup() Bartosz Golaszewski (1): net: stmmac: qcom-ethqos: enable SGMII loopback during DMA reset on sa8775p-ride-r3 Ben Walsh (1): platform/chrome: cros_ec_lpc: Add a new quirk for ACPI id Benjamin Coddington (1): SUNRPC: Fix a race to wake a sync task Bill Wendling (1): drm/radeon: Remove __counted_by from StateArray.states[] Bingbu Cao (1): media: intel/ipu6: select AUXILIARY_BUS in Kconfig Bob Zhou (1): drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr Breno Leitao (1): debugobjects: Annotate racy debug variables Chen Yu (1): x86/paravirt: Fix incorrect virt spinlock setting on bare metal Chi Zhiling (1): media: xc2028: avoid use-after-free in load_firmware_cb() Chris Wulff (2): usb: gadget: core: Check for unset descriptor usb: gadget: u_audio: Check return codes from usb_ep_enable and config_ep_by_speed. Csókás, Bence (1): net: fec: Stop PPS on driver remove Curtis Malainey (1): ASoC: SOF: Remove libraries from topology lookups Damien Le Moal (2): scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES Dan Williams (1): driver core: Fix uevent_show() vs driver detach race Daniele Palmas (1): net: usb: qmi_wwan: fix memory leak for not ip packets Dave Airlie (1): drm/test: fix the gem shmem test to map the sg table. David Collins (1): spmi: pmic-arb: add missing newline in dev_err format strings David Gow (2): drm/i915: Allow evicting to use the requested placement drm/i915: Attempt to get pages without eviction first Dmitry Antipov (1): Bluetooth: l2cap: always unlock channel in l2cap_conless_channel() Dmitry Safonov (1): net/tcp: Disable TCP-AO static key after RCU grace period Dnyaneshwar Bhadane (1): drm/i915/display: correct dual pps handling for MTL_PCH+ Dragan Simic (1): drm/lima: Mark simple_ondemand governor as softdep Dragos Tatulea (1): net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink Dustin L. Howett (1): ALSA: hda/realtek: Add Framework Laptop 13 (Intel Core Ultra) to quirks Eric Dumazet (1): net: linkwatch: use system_unbound_wq FUJITA Tomonori (1): PCI: Add Edimax Vendor ID to pci_ids.h Fangzhi Zuo (1): drm/amd/display: Skip Recompute DSC Params if no Stream on Link Filipe Manana (6): btrfs: do not BUG_ON() when freeing tree block after error btrfs: reduce nesting for extent processing at btrfs_lookup_extent_info() btrfs: fix data race when accessing the last_trans field of a root btrfs: fix bitmap leak when loading free space cache on duplicate entry btrfs: fix corruption after buffer fault in during direct IO append write btrfs: fix double inode unlock for direct IO sync writes Florian Fainelli (1): net: bcmgenet: Properly overlay PHY and MAC Wake-on-LAN capabilities Francesco Dolcini (1): arm64: dts: ti: k3-am62-verdin-dahlia: Keep CTRL_SLEEP_MOCI# regulator on Frederic Weisbecker (2): Revert "rcu-tasks: Fix synchronize_rcu_tasks() VS zap_pid_ns_processes()" rcu: Fix rcu_barrier() VS post CPUHP_TEARDOWN_CPU invocation Gaosheng Cui (2): i2c: qcom-geni: Add missing clk_disable_unprepare in geni_i2c_runtime_resume i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume Geert Uytterhoeven (1): spi: spidev: Add missing spi_device_id for bh2228fv George Kennedy (1): serial: core: check uartclk for zero to avoid divide by zero Gleb Korobeynikov (1): cifs: cifs_inval_name_dfs_link_error: correct the check for fullpath Greg Kroah-Hartman (1): Linux 6.10.5 Grzegorz Nitka (1): ice: Fix reset handler Guenter Roeck (2): i2c: smbus: Improve handling of stuck alerts i2c: smbus: Send alert notifications to all devices if source not found Hagar Hemdan (1): gpio: prevent potential speculation leaks in gpio_device_get_desc() Hans de Goede (3): platform/x86: intel-vbtn: Protect ACPI notify handler against recursion power: supply: axp288_charger: Fix constant_charge_voltage writes power: supply: axp288_charger: Round constant_charge_voltage writes down Heng Qi (1): virtio-net: unbreak vq resizing when coalescing is not negotiated Huacai Chen (1): irqchip/loongarch-cpu: Fix return value of lpic_gsi_to_irq() Hugo Villeneuve (2): serial: sc16is7xx: fix TX fifo corruption serial: sc16is7xx: fix invalid FIFO access with special register set Ido Schimmel (1): mlxsw: pci: Lock configuration space of upstream bridge during reset Ivan Lipski (1): Revert "drm/amd/display: Add NULL check for 'afb' before dereferencing in amdgpu_dm_plane_handle_cursor_update" James Chapman (1): l2tp: fix lockdep splat Jason Wang (1): vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler Jean-Michel Hautbois (1): media: v4l: Fix missing tabular column hint for Y14P format Jeff Layton (1): nfsd: don't set SVC_SOCK_ANONYMOUS when creating nfsd sockets Jens Axboe (4): io_uring/net: ensure expanded bundle recv gets marked for cleanup io_uring/net: ensure expanded bundle send gets marked for cleanup io_uring/net: don't pick multiple buffers for non-bundle send block: use the right type for stub rq_integrity_vec() Jerome Audu (1): ASoC: sti: add missing probe entry for player and reader Jerome Brunet (1): ASoC: meson: axg-fifo: fix irq scheduling issue with PREEMPT_RT Jesse Zhang (1): drm/admgpu: fix dereferencing null pointer context Joe Hattori (1): net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register() Johan Hovold (1): scsi: Revert "scsi: sd: Do not repeat the starting disk message" Johannes Berg (2): wifi: nl80211: disallow setting special AP channel widths wifi: nl80211: don't give key data to userspace Jonathan Cavitt (1): drm/xe/xe_guc_submit: Fix exec queue stop race condition Joshua Ashton (1): drm/amdgpu: Forward soft recovery errors to userspace Justin Stitt (2): ntp: Clamp maxerror and esterror to operating range ntp: Safeguard against time_constant overflow Kan Liang (2): perf/x86/intel: Support the PEBS event mask perf/x86: Support counter mask Karthik Poosa (1): drm/xe/hwmon: Fix PL1 disable flow in xe_hwmon_power_max_write Keith Busch (1): nvme: apple: fix device reference counting Kemeng Shi (1): jbd2: avoid memleak in jbd2_journal_write_metadata_buffer Konrad Dybcio (2): usb: typec: fsa4480: Check if the chip is really there spmi: pmic-arb: Pass the correct of_node to irq_domain_add_tree Krzysztof Kozlowski (5): ASoC: codecs: wcd938x-sdw: Correct Soundwire ports mask ASoC: codecs: wcd939x-sdw: Correct Soundwire ports mask ASoC: codecs: wsa881x: Correct Soundwire ports mask ASoC: codecs: wsa883x: Correct Soundwire ports mask ASoC: codecs: wsa884x: Correct Soundwire ports mask Kuniyuki Iwashima (2): sctp: Fix null-ptr-deref in reuseport_add_sock(). af_unix: Don't retry after unix_state_lock_nested() in unix_stream_connect(). Kuppuswamy Sathyanarayanan (1): platform/x86/intel/ifs: Initialize union ifs_status to zero Kyle Swenson (1): net: pse-pd: tps23881: Fix the device ID check Laura Nao (1): selftests: ksft: Fix finished() helper exit code on skipped tests Li Huafei (1): perf/x86: Fix smp_processor_id()-in-preemptible warnings Li Nan (2): md: do not delete safemode_timer in mddev_suspend md: change the return value type of md_write_start to void Linus Torvalds (2): module: warn about excessively long module waits module: make waiting for a concurrent module loader interruptible Lucas De Marchi (1): drm/xe/rtp: Fix off-by-one when processing rules Lucas Stach (1): drm/bridge: analogix_dp: properly handle zero sized AUX transactions Luke Wang (1): Bluetooth: btnxpuart: Shutdown timer and prevent rearming when driver unloading Ma Jun (4): drm/amdgpu/pm: Fix the param type of set_power_profile_mode drm/amdgpu/pm: Fix the null pointer dereference for smu7 drm/amdgpu: Fix the null pointer dereference to ras_manager drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules Ma Ke (1): drm/client: fix null pointer dereference in drm_client_modeset_probe Manivannan Sadhasivam (1): scsi: ufs: core: Do not set link to OFF state while waking up from hibernation Marc Kleine-Budde (2): can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum can: mcp251xfd: tef: update workaround for erratum DS80000789E 6 of mcp2518fd Marek Marczykowski-Górecki (1): USB: serial: debug: do not echo input by default Mario Limonciello (1): cpufreq: amd-pstate: Allow users to write 'default' EPP string Mark Rutland (8): arm64: cputype: Add Cortex-X3 definitions arm64: cputype: Add Cortex-A720 definitions arm64: cputype: Add Cortex-X925 definitions arm64: errata: Unify speculative SSBS errata logic arm64: errata: Expand speculative SSBS workaround arm64: cputype: Add Cortex-X1C definitions arm64: cputype: Add Cortex-A725 definitions arm64: errata: Expand speculative SSBS workaround (again) Martin Whitaker (1): net: dsa: microchip: disable EEE for KSZ8567/KSZ9567/KSZ9896/KSZ9897. Masami Hiramatsu (Google) (1): kprobes: Fix to check symbol prefixes correctly Mathias Krause (3): tracefs: Fix inode allocation eventfs: Don't return NULL in eventfs_create_dir() eventfs: Use SRCU for freeing eventfs_inodes Matt Bobrowski (1): bpf: add missing check_func_arg_reg_off() to prevent out-of-bounds memory accesses Matthew Auld (1): drm/xe/preempt_fence: enlarge the fence critical section Matthew Brost (2): drm/xe: Use dma_fence_chain_free in chain fence unused as a sync drm/xe: Take ref to VM in delayed snapshot Matthieu Baerts (NGI0) (7): mptcp: fully established after ADD_ADDR echo on MPJ mptcp: pm: deny endp with signal + subflow + port mptcp: pm: reduce indentation blocks mptcp: pm: don't try to create sf if alloc failed mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set selftests: mptcp: join: ability to invert ADD_ADDR check selftests: mptcp: join: test both signal & subflow Max Krummenacher (1): tty: vt: conmakehash: cope with abs_srctree no longer in env Menglong Dong (1): bpf: kprobe: remove unused declaring of bpf_kprobe_override Miao Wang (1): LoongArch: Enable general EFI poweroff method Michael Chan (1): bnxt_en : Fix memory out-of-bounds in bnxt_fill_hw_rss_tbl() Michael Strauss (1): drm/amd/display: Add delay to improve LTTPR UHBR interop Michal Kubiak (1): idpf: fix memleak in vport interrupt configuration Michal Pecio (1): media: uvcvideo: Fix the bandwdith quirk on USB 3.x Mikulas Patocka (3): block: change rq_integrity_vec to respect the iterator parisc: fix unaligned accesses in BPF parisc: fix a possible DMA corruption Ming Qian (1): media: amphion: Remove lock in s_ctrl callback Muchun Song (1): mm: list_lru: fix UAF for memory cgroup Natanel Roizenman (1): drm/amd/display: Add null check in resource_log_pipe_topology_update Neil Armstrong (1): power: supply: qcom_battmgr: return EAGAIN when firmware service is not up Nicholas Kazlauskas (1): drm/amd/display: Wake DMCUB before sending a command for replay feature Nico Pache (1): selftests: mm: add s390 to ARCH check Nikita Travkin (1): power: supply: rt5033: Bring back i2c_set_clientdata Niklas Söderlund (1): clocksource/drivers/sh_cmt: Address race condition for clock events Nikolay Aleksandrov (1): net: bridge: mcast: wait for previous gc cycles when removing port Niranjana Vishwanathapura (1): drm/xe: Minor cleanup in LRC handling Oliver Neukum (1): usb: vhci-hcd: Do not drop references before new references are gained Paul E. McKenney (2): rcutorture: Fix rcu_torture_fwd_cb_cr() data race clocksource: Fix brown-bag boolean thinko in cs_watchdog_read() Paulo Alcantara (1): smb: client: handle lack of FSCTL_GET_REPARSE_POINT support Perry Yuan (1): cpufreq: amd-pstate: auto-load pstate driver by default Peter Oberparleiter (1): s390/sclp: Prevent release of buffer in I/O Peter Wang (1): scsi: ufs: core: Fix deadlock during RTC update Peter Zijlstra (3): jump_label: Fix the fix, brown paper bags galore x86/mm: Fix pti_clone_pgtable() alignment assumption x86/mm: Fix pti_clone_entry_text() for i386 Ping-Ke Shih (2): wifi: rtlwifi: handle return value of usb init TX/RX wifi: rtw89: pci: fix RX tag race condition resulting in wrong RX length Prashanth K (1): usb: gadget: u_serial: Set start_delayed during suspend Praveen Kaligineedi (1): gve: Fix use of netif_carrier_ok() Qu Wenruo (2): btrfs: do not clear page dirty inside extent_write_locked_range() btrfs: avoid using fixed char array size for tree names Radhey Shyam Pandey (1): irqchip/xilinx: Fix shift out of bounds Ramesh Errabolu (1): drm/amd/amdkfd: Fix a resource leak in svm_range_validate_and_map() Ricardo Ribalda (1): media: uvcvideo: Ignore empty TS packets Richard Fitzgerald (4): regmap: kunit: Fix memory leaks in gen_regmap() and gen_raw_regmap() ASoC: cs-amp-lib: Fix NULL pointer crash if efi.get_variable is NULL ASoC: cs35l56: Revert support for dual-ownership of ASP registers ASoC: cs35l56: Handle OTP read latency over SoundWire Rik van Riel (1): mm, slub: do not call do_slab_free for kfence object Rodrigo Siqueira (2): drm/amd/display: Fix NULL pointer dereference for DTN log in DCN401 drm/amd/display: Replace dm_execute_dmub_cmd with dc_wake_and_execute_dmub_cmd Roman Smirnov (1): udf: prevent integer overflow in udf_bitmap_free_blocks() Shakeel Butt (1): memcg: protect concurrent access to mem_cgroup_idr Shay Drory (1): genirq/irqdesc: Honor caller provided affinity in alloc_desc() Sibi Sankar (1): soc: qcom: icc-bwmon: Allow for interrupts to be shared across instances Simon Ser (1): drm/atomic: allow no-op FB_ID updates for async flips Srinivas Kandagatla (2): ASoC: codecs: wsa883x: parse port-mapping information ASoC: codecs: wsa884x: parse port-mapping information Srinivasan Shanmugam (2): drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing drm/amd/display: Add NULL check for 'afb' before dereferencing in amdgpu_dm_plane_handle_cursor_update Stefan Wahren (1): spi: spi-fsl-lpspi: Fix scldiv calculation Steve French (1): smb3: fix setting SecurityFlags when encryption is required Steven 'Steve' Kendall (1): ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list Steven Rostedt (2): tracefs: Use generic inode RCU for synchronizing freeing tracing: Have format file honor EVENT_FILE_FL_FREED Sung-huai Wang (2): drm/amd/display: Handle HPD_IRQ for internal link Revert "drm/amd/display: Handle HPD_IRQ for internal link" Swapnil Patel (1): drm/amd/display: Change ASSR disable sequence Takashi Iwai (5): ALSA: usb-audio: Re-add ScratchAmp quirk entries ALSA: line6: Fix racy access to midibuf ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4 usb: gadget: midi2: Fix the response for FB info with block 0xff ASoC: amd: yc: Add quirk entry for OMEN by HP Gaming Laptop 16-n0xxx Tamim Khan (2): ACPI: resource: Skip IRQ override on Asus Vivobook Pro N6506MU ACPI: resource: Skip IRQ override on Asus Vivobook Pro N6506MJ Tetsuo Handa (1): profiling: remove profile=sleep support Thomas Gleixner (2): tick/broadcast: Move per CPU pointer access into the atomic section timekeeping: Fix bogus clock_was_set() invocation in do_adjtimex() Thomas Weißschuh (2): ACPI: battery: create alarm sysfs attribute atomically ACPI: SBS: manage alarm sysfs attribute through psy core Thomas Zimmermann (2): drm/mgag200: Set DDC timeout in milliseconds drm/mgag200: Bind I2C lifetime to DRM device Tim Huang (1): drm/amdgpu: fix potential resource leak warning Tristram Ha (1): net: dsa: microchip: Fix Wake-on-LAN check to not return an error Tudor Ambarus (1): usb: gadget: f_fs: restore ffs_func_disable() functionality Tze-nan Wu (1): tracing: Fix overflow in get_free_elt() Uros Bizjak (2): locking/pvqspinlock: Correct the type of "old" variable in pv_kick_node() perf/x86/amd: Use try_cmpxchg() in events/amd/{un,}core.c Vamshi Gajjela (1): scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic Victor Skvortsov (1): drm/amdgpu: Add lock around VF RLCG interface Viresh Kumar (1): xen: privcmd: Switch from mutex to spinlock for irqfds Waiman Long (1): padata: Fix possible divide-by-0 panic in padata_mt_helper() Wayne Lin (3): drm/amd/display: Refactor function dm_dp_mst_is_port_support_mode() drm/amd/display: Don't refer to dc_sink in is_dsc_need_re_compute drm/dp_mst: Skip CSN if topology probing is not done yet Wenjing Liu (2): drm/amd/display: reduce ODM slice count to initial new dc state only when needed drm/amd/display: remove dpp pipes on failure to update pipe params Wilken Gottwalt (1): hwmon: corsair-psu: add USB id of HX1200i Series 2023 psu Willem de Bruijn (1): net: drop bad gso csum_start and offset in virtio_net_hdr Wojciech Gładysz (1): ext4: sanity check for NULL pointer after ext4_force_shutdown Xiaxi Shen (1): ext4: fix uninitialized variable in ext4_inlinedir_to_tree Yang Yingliang (4): sched/smt: Introduce sched_smt_present_inc/dec() helper sched/smt: Fix unbalance sched_smt_present dec/inc sched/core: Introduce sched_set_rq_on/offline() helper sched/core: Fix unbalance set_rq_online/offline() in sched_cpu_deactivate() Yipeng Zou (1): irqchip/mbigen: Fix mbigen node address layout Yong-Xuan Wang (1): irqchip/riscv-aplic: Retrigger MSI interrupt on source configuration Yonghong Song (1): selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT Yu Kuai (1): md/raid5: avoid BUG_ON() while continue reshape after reassembling Zhang Rui (3): perf/x86/intel/cstate: Add Arrowlake support perf/x86/intel/cstate: Add Lunarlake support thermal: intel: hfi: Give HFI instances package scope Zheng Zucheng (1): sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime Zhengchao Shao (1): net/smc: add the max value of fallback reason count Zhenyu Wang (1): perf/x86/intel/cstate: Add pkg C2 residency counter for Sierra Forest Zong-Zhe Yang (1): wifi: mac80211: fix NULL dereference at band check in starting tx ba session

10 months, 3 weeks

1
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror August 2024