December 2025 - Linux-stable-mirror

[PATCH v2 0/2] hfsplus: avoid re-allocating header node 0 and stop on already-hashed nodes

by Shardul Bankar

Hi, syzbot reported a warning and crash when mounting a corrupted HFS+ image where the on-disk B-tree bitmap has node 0 (header node) marked free. In that case hfs_bmap_alloc() can try to allocate node 0 and reach hfs_bnode_create() with an already-hashed node number. Patch 1 prevents allocating the reserved header node (node 0) even if the bitmap is corrupted. Patch 2 follows Slava's review suggestion and changes the "already hashed" path in hfs_bnode_create() to return ERR_PTR(-EEXIST) instead of returning the existing node pointer, so we don't continue in a non-"business as usual" situation. v2 changes: - Implement Slava's suggestion: return ERR_PTR(-EEXIST) for already-hashed nodes. - Keep the node-0 allocation guard as a minimal, targeted hardening measure. Reported-by: syzbot+1c8ff72d0cd8a50dfeaa(a)syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=1c8ff72d0cd8a50dfeaa Link: https://lore.kernel.org/all/20251213233215.368558-1-shardul.b@mpiricsoftwar… Shardul Bankar (2): hfsplus: skip node 0 in hfs_bmap_alloc hfsplus: return error when node already exists in hfs_bnode_create fs/hfsplus/bnode.c | 2 +- fs/hfsplus/btree.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) -- 2.34.1

20 minutes

1
2
0 0

[report] Performance regressions introduced via "cpuidle: menu: Remove iowait influence" on 6.12.y

by ALOK TIWARI

Hi, I’m reporting a performance regression of up to 6% sequential I/O vdbench regression observed on 6.12.y kernel. While running performance benchmarks on v6.12.60 kernel the sequential I/O vdbench metrics are showing a 5-6% performance regression when compared to v6.12.48 Bisect root cause commit ======================== - commit b39b62075ab4 ("cpuidle: menu: Remove iowait influence") Things work fine again when the previously removed performance-multiplier code is added back. Test details ============ The system is connected to a number of disks in disk array using multipathing and directio configuration in the vdbench profile. wd=wd1,sd=sd*,rdpct=0,seekpct=sequential,xfersize=128k rd=128k64T,wd=wd1,iorate=max,elapsed=600,interval=1,warmup=300,threads=64 Thanks, Alok

2 hours, 8 minutes

2
2
0 0

[PATCH v3] virtio: console: fix lost wakeup when device is written and polled

by Lorenz Bauer

A process issuing blocking writes to a virtio console may get stuck indefinitely if another thread polls the device. Here is how to trigger the bug: - Thread A writes to the port until the virtqueue is full. - Thread A calls wait_port_writable() and goes to sleep, waiting on port->waitqueue. - The host processes some of the write, marks buffers as used and raises an interrupt. - Before the interrupt is serviced, thread B executes port_fops_poll(). This calls reclaim_consumed_buffers() via will_write_block() and consumes all used buffers. - The interrupt is serviced. vring_interrupt() finds no used buffers via more_used() and returns without waking port->waitqueue. - Thread A is still in wait_event(port->waitqueue), waiting for a wakeup that never arrives. The crux is that invoking reclaim_consumed_buffers() may cause vring_interrupt() to omit wakeups. Fix this by calling reclaim_consumed_buffers() in out_int() before waking. This is similar to the call to discard_port_data() in in_intr() which also frees buffer from a non-sleepable context. This in turn guarantees that port->outvq_full is up to date when handling polling. Since in_intr() already populates port->inbuf we use that to avoid changing reader state. Cc: stable(a)vger.kernel.org Signed-off-by: Lorenz Bauer <lmb(a)isovalent.com> --- As far as I can tell all currently maintained stable series kernels need this commit. Applies and builds cleanly on 5.10.247, verified to fix the issue. --- Changes in v3: - Use spin_lock_irq in port_fops_poll (Arnd) - Use spin_lock in out_intr (Arnd) - Link to v2: https://lore.kernel.org/r/20251222-virtio-console-lost-wakeup-v2-1-5de93cb3… Changes in v2: - Call reclaim_consumed_buffers() in out_intr instead of issuing another wake. - Link to v1: https://lore.kernel.org/r/20251215-virtio-console-lost-wakeup-v1-1-79a5c578… --- drivers/char/virtio_console.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c index 088182e54debd6029ea2c2a5542d7a28500e67b8..e6048e04c3b23d008caa2a1d31d4ac6b2841045f 100644 --- a/drivers/char/virtio_console.c +++ b/drivers/char/virtio_console.c @@ -971,10 +971,17 @@ static __poll_t port_fops_poll(struct file *filp, poll_table *wait) return EPOLLHUP; } ret = 0; - if (!will_read_block(port)) + + spin_lock_irq(&port->inbuf_lock); + if (port->inbuf) ret |= EPOLLIN | EPOLLRDNORM; - if (!will_write_block(port)) + spin_unlock_irq(&port->inbuf_lock); + + spin_lock_irq(&port->outvq_lock); + if (!port->outvq_full) ret |= EPOLLOUT; + spin_unlock_irq(&port->outvq_lock); + if (!port->host_connected) ret |= EPOLLHUP; @@ -1705,6 +1712,10 @@ static void out_intr(struct virtqueue *vq) return; } + spin_lock(&port->outvq_lock); + reclaim_consumed_buffers(port); + spin_unlock(&port->outvq_lock); + wake_up_interruptible(&port->waitqueue); } --- base-commit: d358e5254674b70f34c847715ca509e46eb81e6f change-id: 20251215-virtio-console-lost-wakeup-0f566c5cd35f Best regards, -- Lorenz Bauer <lmb(a)isovalent.com>

4 hours, 39 minutes

1
0
0 0

[PATCH RESEND v5 0/3] phy: qcom: edp: Add missing ref clock to x1e80100

by Abel Vesa

According to documentation, the DP PHY on x1e80100 has another clock called ref. The current X Elite devices supported upstream work fine without this clock, because the boot firmware leaves this clock enabled. But we should not rely on that. Also, when it comes to power management, this clock needs to be also disabled on suspend. So even though this change breaks the ABI, it is needed in order to make we disable this clock on runtime PM, when that is going to be enabled in the driver. So rework the driver to allow different number of clocks, fix the dt-bindings schema and add the clock to the DT node as well. Signed-off-by: Abel Vesa <abel.vesa(a)linaro.org> --- Changes in v5: - Picked-up Bjorn's R-b tags. - Replaced "parse" with "get" on clocks acquiring failure. - Link to v4: https://lore.kernel.org/r/20251029-phy-qcom-edp-add-missing-refclk-v4-0-adb… Changes in v4: - Picked Dmitry's R-b tag for the driver patch - Added x1e80100 substring to subject of dts patch - Link to v3 (resend): https://lore.kernel.org/r/20251014-phy-qcom-edp-add-missing-refclk-v3-0-078… Changes in v3 (resend) - picked-up Krzysztof's R-b tag for bindings patch - Link to v3: https://lore.kernel.org/r/20250909-phy-qcom-edp-add-missing-refclk-v3-0-4ec… Changes in v3: - Use dev_err_probe() on clocks parsing failure. - Explain why the ABI break is necessary. - Drop the extra 'clk' suffix from the clock name. So ref instead of refclk. - Link to v2: https://lore.kernel.org/r/20250903-phy-qcom-edp-add-missing-refclk-v2-0-d88… Changes in v2: - Fix schema by adding the minItems, as suggested by Krzysztof. - Use devm_clk_bulk_get_all, as suggested by Konrad. - Rephrase the commit messages to reflect the flexible number of clocks. - Link to v1: https://lore.kernel.org/r/20250730-phy-qcom-edp-add-missing-refclk-v1-0-6f7… --- Abel Vesa (3): dt-bindings: phy: qcom-edp: Add missing clock for X Elite phy: qcom: edp: Make the number of clocks flexible arm64: dts: qcom: x1e80100: Add missing TCSR ref clock to the DP PHYs .../devicetree/bindings/phy/qcom,edp-phy.yaml | 28 +++++++++++++++++++++- arch/arm64/boot/dts/qcom/hamoa.dtsi | 12 ++++++---- drivers/phy/qualcomm/phy-qcom-edp.c | 16 ++++++------- 3 files changed, 43 insertions(+), 13 deletions(-) --- base-commit: 131f3d9446a6075192cdd91f197989d98302faa6 change-id: 20250730-phy-qcom-edp-add-missing-refclk-5ab82828f8e7 Best regards, -- Abel Vesa <abel.vesa(a)oss.qualcomm.com>

4 hours, 41 minutes

1
3
0 0

[PATCH v6.1 0/2] x86/mm/pat: fix VM_PAT handling

by Ajay Kaher

[PATCH v6.1 1/2]: required to backport [PATCH v6.1 2/2]. [PATCH v6.1 2/2]: backport to fix VM_PAT handling when fork() fails in copy_page_range(). arch/x86/mm/pat/memtype.c | 50 +++++++++++++++++++++++---------------- include/linux/pgtable.h | 31 ++++++++++++++++++------ kernel/fork.c | 4 ++++ mm/memory.c | 10 ++++---- mm/mremap.c | 2 +- 5 files changed, 62 insertions(+), 35 deletions(-) -- 2.40.4

5 hours, 9 minutes

1
2
0 0

[PATCH] usb: cdns3: fix a null pointer dereference in cdns3_gadget_ep_queue()

by Haoxiang Li

If cdns3_gadget_ep_alloc_request() fails, a null pointer dereference occurs. Add a check to prevent it. Found by code review and compiled on ubuntu 20.04. Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <lihaoxiang(a)isrc.iscas.ac.cn> --- drivers/usb/cdns3/cdns3-gadget.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/cdns3/cdns3-gadget.c b/drivers/usb/cdns3/cdns3-gadget.c index 168707213ed9..cc2421a34588 100644 --- a/drivers/usb/cdns3/cdns3-gadget.c +++ b/drivers/usb/cdns3/cdns3-gadget.c @@ -2659,6 +2659,8 @@ static int cdns3_gadget_ep_queue(struct usb_ep *ep, struct usb_request *request, struct cdns3_request *priv_req; zlp_request = cdns3_gadget_ep_alloc_request(ep, GFP_ATOMIC); + if (!zlp_request) + return -ENOMEM; zlp_request->buf = priv_dev->zlp_buf; zlp_request->length = 0; -- 2.25.1

5 hours, 48 minutes

2
1
0 0

[PATCH] usb: cdns2: fix a null pointer dereference in cdns2_gadget_ep_queue()

by Haoxiang Li

If cdns2_gadget_ep_alloc_request() fails, a null pointer dereference occurs. Add a check to prevent it. Fixes: 3eb1f1efe204 ("usb: cdns2: Add main part of Cadence USBHS driver") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <lihaoxiang(a)isrc.iscas.ac.cn> --- drivers/usb/gadget/udc/cdns2/cdns2-gadget.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/gadget/udc/cdns2/cdns2-gadget.c b/drivers/usb/gadget/udc/cdns2/cdns2-gadget.c index 9b53daf76583..c5b9dae743d8 100644 --- a/drivers/usb/gadget/udc/cdns2/cdns2-gadget.c +++ b/drivers/usb/gadget/udc/cdns2/cdns2-gadget.c @@ -1725,6 +1725,8 @@ static int cdns2_gadget_ep_queue(struct usb_ep *ep, struct usb_request *request, struct cdns2_request *preq; zlp_request = cdns2_gadget_ep_alloc_request(ep, GFP_ATOMIC); + if (!zlp_request) + return -ENOMEM; zlp_request->buf = pdev->zlp_buf; zlp_request->length = 0; -- 2.25.1

5 hours, 49 minutes

2
1
0 0

[PATCH] drm/msm/dpu: Add missing NULL pointer check for pingpong interface

by Nikolay Kuratov

It is checked almost always in dpu_encoder_phys_wb_setup_ctl(), but in a single place the check is missing. Also use convenient locals instead of phys_enc->* where available. Cc: stable(a)vger.kernel.org Fixes: d7d0e73f7de33 ("drm/msm/dpu: introduce the dpu_encoder_phys_* for writeback") Signed-off-by: Nikolay Kuratov <kniv(a)yandex-team.ru> --- drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c index 46f348972a97..6d28f2281c76 100644 --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c @@ -247,14 +247,12 @@ static void dpu_encoder_phys_wb_setup_ctl(struct dpu_encoder_phys *phys_enc) if (hw_cdm) intf_cfg.cdm = hw_cdm->idx; - if (phys_enc->hw_pp->merge_3d && phys_enc->hw_pp->merge_3d->ops.setup_3d_mode) - phys_enc->hw_pp->merge_3d->ops.setup_3d_mode(phys_enc->hw_pp->merge_3d, - mode_3d); + if (hw_pp && hw_pp->merge_3d && hw_pp->merge_3d->ops.setup_3d_mode) + hw_pp->merge_3d->ops.setup_3d_mode(hw_pp->merge_3d, mode_3d); /* setup which pp blk will connect to this wb */ - if (hw_pp && phys_enc->hw_wb->ops.bind_pingpong_blk) - phys_enc->hw_wb->ops.bind_pingpong_blk(phys_enc->hw_wb, - phys_enc->hw_pp->idx); + if (hw_pp && hw_wb->ops.bind_pingpong_blk) + hw_wb->ops.bind_pingpong_blk(hw_wb, hw_pp->idx); phys_enc->hw_ctl->ops.setup_intf_cfg(phys_enc->hw_ctl, &intf_cfg); } else if (phys_enc->hw_ctl && phys_enc->hw_ctl->ops.setup_intf_cfg) { -- 2.34.1

6 hours, 6 minutes

2
3
0 0

[PATCH V2 0/2] LoongArch: KVM: fix "unreliable stack" issue

by Xianglai Li

When starting multi-core loongarch virtualization on loongarch physical machine, loading livepatch on the physical machine will cause an error similar to the following: [ 411.686289] livepatch: klp_try_switch_task: CPU 31/KVM:3116 has an unreliable stack The specific test steps are as follows: 1.Start a multi-core virtual machine on a physical machine 2.Enter the following command on the physical machine to turn on the debug switch: echo "file kernel/livepatch/transition.c +p" > /sys/kernel/debug/\ dynamic_debug/control 3.Load livepatch: modprobe livepatch-sample Through the above steps, similar prints can be viewed in dmesg. The reason for this issue is that the code of the kvm_exc_entry function was copied in the function kvm_loongarch_env_init. When the cpu needs to execute kvm_exc_entry, it will switch to the copied address for execution. The new address of the kvm_exc_entry function cannot be recognized in ORC, which eventually leads to the arch_stack_walk_reliable function returning an error and printing an exception message. To solve the above problems, we directly compile the switch.S file into the kernel instead of the module. In this way, the function kvm_exc_entry will no longer need to be copied. changlog: V2<-V1: 1.Rollback the modification of function parameter types such as kvm_save_fpu. In the asm-prototypes.h header file, only the parameter types it depends on are included Cc: Huacai Chen <chenhuacai(a)kernel.org> Cc: WANG Xuerui <kernel(a)xen0n.name> Cc: Tianrui Zhao <zhaotianrui(a)loongson.cn> Cc: Bibo Mao <maobibo(a)loongson.cn> Cc: Charlie Jenkins <charlie(a)rivosinc.com> Cc: Xianglai Li <lixianglai(a)loongson.cn> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: stable(a)vger.kernel.org Xianglai Li (2): LoongArch: KVM: Compile the switch.S file directly into the kernel LoongArch: KVM: fix "unreliable stack" issue arch/loongarch/Kbuild | 2 +- arch/loongarch/include/asm/asm-prototypes.h | 21 +++++++++++++ arch/loongarch/include/asm/kvm_host.h | 3 -- arch/loongarch/kvm/Makefile | 2 +- arch/loongarch/kvm/main.c | 35 ++------------------- arch/loongarch/kvm/switch.S | 24 +++++++++++--- 6 files changed, 45 insertions(+), 42 deletions(-) base-commit: 8f0b4cce4481fb22653697cced8d0d04027cb1e8 -- 2.39.1

6 hours, 21 minutes

4
12
0 0

[PATCH] drm/vmwgfx: Fix an error return check in vmw_compat_shader_add()

by Haoxiang Li

In vmw_compat_shader_add(), the return value check of vmw_shader_alloc() is not proper. Modify the check for the return pointer 'res'. Found by code review and compiled on ubuntu 20.04. Fixes: 18e4a4669c50 ("drm/vmwgfx: Fix compat shader namespace") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <lihaoxiang(a)isrc.iscas.ac.cn> --- drivers/gpu/drm/vmwgfx/vmwgfx_shader.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c b/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c index 69dfe69ce0f8..7ed938710342 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c @@ -923,8 +923,10 @@ int vmw_compat_shader_add(struct vmw_private *dev_priv, ttm_bo_unreserve(&buf->tbo); res = vmw_shader_alloc(dev_priv, buf, size, 0, shader_type); - if (unlikely(ret != 0)) + if (IS_ERR(res)) { + ret = PTR_ERR(res); goto no_reserve; + } ret = vmw_cmdbuf_res_add(man, vmw_cmdbuf_res_shader, vmw_shader_key(user_key, shader_type), -- 2.25.1

6 hours, 23 minutes

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror December 2025