May 2025 - Linux-stable-mirror

[PATCH] x86/its: Fix build errors when CONFIG_MODULES=n

by Pawan Gupta

From: Eric Biggers <ebiggers(a)google.com> commit 9f35e33144ae5377d6a8de86dd3bd4d995c6ac65 upstream. Fix several build errors when CONFIG_MODULES=n, including the following: ../arch/x86/kernel/alternative.c:195:25: error: incomplete definition of type 'struct module' 195 | for (int i = 0; i < mod->its_num_pages; i++) { Fixes: 872df34d7c51 ("x86/its: Use dynamic thunks for indirect branches") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)google.com> Acked-by: Dave Hansen <dave.hansen(a)intel.com> Tested-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> Reviewed-by: Alexandre Chartre <alexandre.chartre(a)oracle.com> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> --- This patch applies on top of patches in stable-queue with ITS mitigation. arch/x86/kernel/alternative.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c index 01aa5a73c82fd8fe33a14a73ebace6d4e3b6b169..29482c52086577757d512942147db7f8d65a34bd 100644 --- a/arch/x86/kernel/alternative.c +++ b/arch/x86/kernel/alternative.c @@ -129,7 +129,9 @@ const unsigned char * const x86_nops[ASM_NOP_MAX+1] = #ifdef CONFIG_MITIGATION_ITS +#ifdef CONFIG_MODULES static struct module *its_mod; +#endif static void *its_page; static unsigned int its_offset; @@ -150,6 +152,7 @@ static void *its_init_thunk(void *thunk, int reg) return thunk; } +#ifdef CONFIG_MODULES void its_init_mod(struct module *mod) { if (!cpu_feature_enabled(X86_FEATURE_INDIRECT_THUNK_ITS)) @@ -188,6 +191,7 @@ void its_free_mod(struct module *mod) } kfree(mod->its_page_array); } +#endif /* CONFIG_MODULES */ static void *its_alloc(void) { @@ -196,6 +200,7 @@ static void *its_alloc(void) if (!page) return NULL; +#ifdef CONFIG_MODULES if (its_mod) { void *tmp = krealloc(its_mod->its_page_array, (its_mod->its_num_pages+1) * sizeof(void *), @@ -206,6 +211,7 @@ static void *its_alloc(void) its_mod->its_page_array = tmp; its_mod->its_page_array[its_mod->its_num_pages++] = page; } +#endif /* CONFIG_MODULES */ return no_free_ptr(page); } --- change-id: 20250513-its-fixes-6-12-0a495cd71de4

1 month, 3 weeks

2
1
0 0

[PATCH] xhci: dbc: Avoid event polling busyloop if pending rx transfers are inactive.

by Mathias Nyman

[ Upstream commit cab63934c33b12c0d1e9f4da7450928057f2c142 ] Backport for linux-6.12.y stable 6.12 kernel used older poll_interval of 1ms instead of 0 as described in the original commit message below. CPU hogging is not that bad with 1ms delay, fix it anyways, but don't touch poll_interval. Event polling delay is set to 0 if there are any pending requests in either rx or tx requests lists. Checking for pending requests does not work well for "IN" transfers as the tty driver always queues requests to the list and TRBs to the ring, preparing to receive data from the host. This causes unnecessary busylooping and cpu hogging. Only set the event polling delay to 0 if there are pending tx "write" transfers, or if it was less than 10ms since last active data transfer in any direction. Cc: Łukasz Bartosik <ukaszb(a)chromium.org> Fixes: fb18e5bb9660 ("xhci: dbc: poll at different rate depending on data transfer activity") Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/host/xhci-dbgcap.c | 19 ++++++++++++++++--- drivers/usb/host/xhci-dbgcap.h | 3 +++ 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/drivers/usb/host/xhci-dbgcap.c b/drivers/usb/host/xhci-dbgcap.c index 241d7aa1fbc2..b12273f72c93 100644 --- a/drivers/usb/host/xhci-dbgcap.c +++ b/drivers/usb/host/xhci-dbgcap.c @@ -822,6 +822,7 @@ static enum evtreturn xhci_dbc_do_handle_events(struct xhci_dbc *dbc) { dma_addr_t deq; union xhci_trb *evt; + enum evtreturn ret = EVT_DONE; u32 ctrl, portsc; bool update_erdp = false; @@ -906,6 +907,7 @@ static enum evtreturn xhci_dbc_do_handle_events(struct xhci_dbc *dbc) break; case TRB_TYPE(TRB_TRANSFER): dbc_handle_xfer_event(dbc, evt); + ret = EVT_XFER_DONE; break; default: break; @@ -924,7 +926,7 @@ static enum evtreturn xhci_dbc_do_handle_events(struct xhci_dbc *dbc) lo_hi_writeq(deq, &dbc->regs->erdp); } - return EVT_DONE; + return ret; } static void xhci_dbc_handle_events(struct work_struct *work) @@ -933,6 +935,7 @@ static void xhci_dbc_handle_events(struct work_struct *work) struct xhci_dbc *dbc; unsigned long flags; unsigned int poll_interval; + unsigned long busypoll_timelimit; dbc = container_of(to_delayed_work(work), struct xhci_dbc, event_work); poll_interval = dbc->poll_interval; @@ -951,11 +954,21 @@ static void xhci_dbc_handle_events(struct work_struct *work) dbc->driver->disconnect(dbc); break; case EVT_DONE: - /* set fast poll rate if there are pending data transfers */ + /* + * Set fast poll rate if there are pending out transfers, or + * a transfer was recently processed + */ + busypoll_timelimit = dbc->xfer_timestamp + + msecs_to_jiffies(DBC_XFER_INACTIVITY_TIMEOUT); + if (!list_empty(&dbc->eps[BULK_OUT].list_pending) || - !list_empty(&dbc->eps[BULK_IN].list_pending)) + time_is_after_jiffies(busypoll_timelimit)) poll_interval = 1; break; + case EVT_XFER_DONE: + dbc->xfer_timestamp = jiffies; + poll_interval = 1; + break; default: dev_info(dbc->dev, "stop handling dbc events\n"); return; diff --git a/drivers/usb/host/xhci-dbgcap.h b/drivers/usb/host/xhci-dbgcap.h index 9dc8f4d8077c..47ac72c2286d 100644 --- a/drivers/usb/host/xhci-dbgcap.h +++ b/drivers/usb/host/xhci-dbgcap.h @@ -96,6 +96,7 @@ struct dbc_ep { #define DBC_WRITE_BUF_SIZE 8192 #define DBC_POLL_INTERVAL_DEFAULT 64 /* milliseconds */ #define DBC_POLL_INTERVAL_MAX 5000 /* milliseconds */ +#define DBC_XFER_INACTIVITY_TIMEOUT 10 /* milliseconds */ /* * Private structure for DbC hardware state: */ @@ -142,6 +143,7 @@ struct xhci_dbc { enum dbc_state state; struct delayed_work event_work; unsigned int poll_interval; /* ms */ + unsigned long xfer_timestamp; unsigned resume_required:1; struct dbc_ep eps[2]; @@ -187,6 +189,7 @@ struct dbc_request { enum evtreturn { EVT_ERR = -1, EVT_DONE, + EVT_XFER_DONE, EVT_GSER, EVT_DISC, }; -- 2.43.0

1 month, 3 weeks

2
1
0 0

[PATCH] x86/its: Fix build errors when CONFIG_MODULES=n

by Pawan Gupta

From: Eric Biggers <ebiggers(a)google.com> commit 9f35e33144ae5377d6a8de86dd3bd4d995c6ac65 upstream. Fix several build errors when CONFIG_MODULES=n, including the following: ../arch/x86/kernel/alternative.c:195:25: error: incomplete definition of type 'struct module' 195 | for (int i = 0; i < mod->its_num_pages; i++) { Fixes: 872df34d7c51 ("x86/its: Use dynamic thunks for indirect branches") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)google.com> Acked-by: Dave Hansen <dave.hansen(a)intel.com> Tested-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> Reviewed-by: Alexandre Chartre <alexandre.chartre(a)oracle.com> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> --- arch/x86/kernel/alternative.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c index 6085919d3b3ebbf57b4c6f257eb30d0781569fe4..5a0b84e21285d16b7869b59c7d9e622a99c7ad7a 100644 --- a/arch/x86/kernel/alternative.c +++ b/arch/x86/kernel/alternative.c @@ -129,7 +129,9 @@ const unsigned char * const x86_nops[ASM_NOP_MAX+1] = #ifdef CONFIG_MITIGATION_ITS +#ifdef CONFIG_MODULES static struct module *its_mod; +#endif static void *its_page; static unsigned int its_offset; @@ -150,6 +152,7 @@ static void *its_init_thunk(void *thunk, int reg) return thunk; } +#ifdef CONFIG_MODULES void its_init_mod(struct module *mod) { if (!cpu_feature_enabled(X86_FEATURE_INDIRECT_THUNK_ITS)) @@ -188,6 +191,7 @@ void its_free_mod(struct module *mod) } kfree(mod->its_page_array); } +#endif /* CONFIG_MODULES */ DEFINE_FREE(its_execmem, void *, if (_T) module_memfree(_T)); @@ -198,6 +202,7 @@ static void *its_alloc(void) if (!page) return NULL; +#ifdef CONFIG_MODULES if (its_mod) { void *tmp = krealloc(its_mod->its_page_array, (its_mod->its_num_pages+1) * sizeof(void *), @@ -208,6 +213,7 @@ static void *its_alloc(void) its_mod->its_page_array = tmp; its_mod->its_page_array[its_mod->its_num_pages++] = page; } +#endif /* CONFIG_MODULES */ return no_free_ptr(page); } --- change-id: 20250513-its-fixes-6-6-990e444d4d67

1 month, 3 weeks

3
3
0 0

[PATCH 6.1.y] platform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it

by Zhaoyang Li

From: "Maciej S. Szmigiero" <mail(a)maciej.szmigiero.name> [ Upstream commit dd410d784402c5775f66faf8b624e85e41c38aaf ] Wakeup for IRQ1 should be disabled only in cases where i8042 had actually enabled it, otherwise "wake_depth" for this IRQ will try to drop below zero and there will be an unpleasant WARN() logged: kernel: atkbd serio0: Disabling IRQ1 wakeup source to avoid platform firmware bug kernel: ------------[ cut here ]------------ kernel: Unbalanced IRQ 1 wake disable kernel: WARNING: CPU: 10 PID: 6431 at kernel/irq/manage.c:920 irq_set_irq_wake+0x147/0x1a0 The PMC driver uses DEFINE_SIMPLE_DEV_PM_OPS() to define its dev_pm_ops which sets amd_pmc_suspend_handler() to the .suspend, .freeze, and .poweroff handlers. i8042_pm_suspend(), however, is only set as the .suspend handler. Fix the issue by call PMC suspend handler only from the same set of dev_pm_ops handlers as i8042_pm_suspend(), which currently means just the .suspend handler. To reproduce this issue try hibernating (S4) the machine after a fresh boot without putting it into s2idle first. Fixes: 8e60615e8932 ("platform/x86/amd: pmc: Disable IRQ1 wakeup for RN/CZN") Reviewed-by: Mario Limonciello <mario.limonciello(a)amd.com> Signed-off-by: Maciej S. Szmigiero <mail(a)maciej.szmigiero.name> Link: https://lore.kernel.org/r/c8f28c002ca3c66fbeeb850904a1f43118e17200.17361846… [ij: edited the commit message.] Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Zhaoyang Li <lizy04(a)hust.edu.cn> --- drivers/platform/x86/amd/pmc.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/platform/x86/amd/pmc.c b/drivers/platform/x86/amd/pmc.c index f237c1ea8d35..8eaeb1e8f975 100644 --- a/drivers/platform/x86/amd/pmc.c +++ b/drivers/platform/x86/amd/pmc.c @@ -834,6 +834,10 @@ static int __maybe_unused amd_pmc_suspend_handler(struct device *dev) { struct amd_pmc_dev *pdev = dev_get_drvdata(dev); + /* + * Must be called only from the same set of dev_pm_ops handlers + * as i8042_pm_suspend() is called: currently just from .suspend. + */ if (pdev->cpu_id == AMD_CPU_ID_CZN) { int rc = amd_pmc_czn_wa_irq1(pdev); @@ -846,7 +850,9 @@ static int __maybe_unused amd_pmc_suspend_handler(struct device *dev) return 0; } -static SIMPLE_DEV_PM_OPS(amd_pmc_pm, amd_pmc_suspend_handler, NULL); +static const struct dev_pm_ops amd_pmc_pm = { + .suspend = amd_pmc_suspend_handler, +}; #endif -- 2.25.1

1 month, 3 weeks

2
1
0 0

[PATCH 5.10] bpf: Avoid overflows involving hash elem_size

by Daniil Dulov

From: Eric Dumazet <edumazet(a)google.com> commit e1868b9e36d0ca52e4e7c6c06953f191446e44df upstream. Use of bpf_map_charge_init() was making sure hash tables would not use more than 4GB of memory. Since the implicit check disappeared, we have to be more careful about overflows, to support big hash tables. syzbot triggers a panic using : bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_LRU_HASH, key_size=16384, value_size=8, max_entries=262200, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0}, 64) = ... BUG: KASAN: vmalloc-out-of-bounds in bpf_percpu_lru_populate kernel/bpf/bpf_lru_list.c:594 [inline] BUG: KASAN: vmalloc-out-of-bounds in bpf_lru_populate+0x4ef/0x5e0 kernel/bpf/bpf_lru_list.c:611 Write of size 2 at addr ffffc90017e4a020 by task syz-executor.5/19786 CPU: 0 PID: 19786 Comm: syz-executor.5 Not tainted 5.10.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:118 print_address_description.constprop.0.cold+0x5/0x4c8 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562 bpf_percpu_lru_populate kernel/bpf/bpf_lru_list.c:594 [inline] bpf_lru_populate+0x4ef/0x5e0 kernel/bpf/bpf_lru_list.c:611 prealloc_init kernel/bpf/hashtab.c:319 [inline] htab_map_alloc+0xf6e/0x1230 kernel/bpf/hashtab.c:507 find_and_alloc_map kernel/bpf/syscall.c:123 [inline] map_create kernel/bpf/syscall.c:829 [inline] __do_sys_bpf+0xa81/0x5170 kernel/bpf/syscall.c:4336 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45deb9 Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fd93fbc0c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 0000000000001a40 RCX: 000000000045deb9 RDX: 0000000000000040 RSI: 0000000020000280 RDI: 0000000000000000 RBP: 000000000119bf60 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119bf2c R13: 00007ffc08a7be8f R14: 00007fd93fbc19c0 R15: 000000000119bf2c Fixes: 755e5d55367a ("bpf: Eliminate rlimit-based memory accounting for hashtab maps") Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Acked-by: Roman Gushchin <guro(a)fb.com> Link: https://lore.kernel.org/bpf/20201207182821.3940306-1-eric.dumazet@gmail.com Signed-off-by: Daniil Dulov <d.dulov(a)aladdin.ru> --- kernel/bpf/hashtab.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c index 4c7cab79d90e..829d6d3a8495 100644 --- a/kernel/bpf/hashtab.c +++ b/kernel/bpf/hashtab.c @@ -199,7 +199,7 @@ static void *fd_htab_map_get_ptr(const struct bpf_map *map, struct htab_elem *l) static struct htab_elem *get_htab_elem(struct bpf_htab *htab, int i) { - return (struct htab_elem *) (htab->elems + i * htab->elem_size); + return (struct htab_elem *) (htab->elems + i * (u64)htab->elem_size); } static void htab_free_elems(struct bpf_htab *htab) @@ -255,7 +255,7 @@ static int prealloc_init(struct bpf_htab *htab) if (!htab_is_percpu(htab) && !htab_is_lru(htab)) num_entries += num_possible_cpus(); - htab->elems = bpf_map_area_alloc(htab->elem_size * num_entries, + htab->elems = bpf_map_area_alloc((u64)htab->elem_size * num_entries, htab->map.numa_node); if (!htab->elems) return -ENOMEM; -- 2.34.1

1 month, 3 weeks

1
0
0 0

[RFC PATCH 1/7] efi: Add missing static initializer for efi_mm::cpus_allowed_lock

by Ard Biesheuvel

From: Ard Biesheuvel <ardb(a)kernel.org> Initialize the cpus_allowed_lock struct member of efi_mm. Cc: <stable(a)vger.kernel.org> Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> --- drivers/firmware/efi/efi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 7309394b8fc9..59a56661937c 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -73,6 +73,9 @@ struct mm_struct efi_mm = { .page_table_lock = __SPIN_LOCK_UNLOCKED(efi_mm.page_table_lock), .mmlist = LIST_HEAD_INIT(efi_mm.mmlist), .cpu_bitmap = { [BITS_TO_LONGS(NR_CPUS)] = 0}, +#ifdef CONFIG_SCHED_MM_CID + .cpus_allowed_lock = __RAW_SPIN_LOCK_UNLOCKED(efi_mm.cpus_allowed_lock), +#endif }; struct workqueue_struct *efi_rts_wq; -- 2.49.0.1101.gccaa498523-goog

1 month, 3 weeks

1
0
0 0

[PATCH 5.15 00/54] 5.15.183-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.15.183 release. There are 54 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 14 May 2025 17:19:58 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.183-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.15.183-rc1 Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/bhi: Do not set BHI_DIS_S in 32-bit mode Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bpf: Add IBHF call at end of classic BPF Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bpf: Call branch history clearing sequence on exit Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "net: phy: microchip: force IRQ polling mode for lan88xx" Al Viro <viro(a)zeniv.linux.org.uk> do_umount(): add missing barrier before refcount checks in sync case Daniel Wagner <wagi(a)kernel.org> nvme: unblock ctrl state transition for firmware update Kevin Baker <kevinb(a)ventureresearch.com> drm/panel: simple: Update timings for AUO G101EVN010 Thorsten Blum <thorsten.blum(a)linux.dev> MIPS: Fix MAX_REG_OFFSET Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: dln2: Use aligned_s64 for timestamp Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> types: Complement the aligned types with signed 64-bit one Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous generic_read ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous wait_srq ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous get_stb ioctl error returns Oliver Neukum <oneukum(a)suse.com> USB: usbtmc: use interruptible sleep in usbtmc_read Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: ucsi: displayport: Fix NULL pointer access RD Babiera <rdbabiera(a)google.com> usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition Jim Lin <jilin(a)nvidia.com> usb: host: tegra: Prevent host controller crash when OTG port is used Wayne Chang <waynec(a)nvidia.com> usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix issue with resuming from L1 Jan Kara <jack(a)suse.cz> ocfs2: stop quota recovery before disabling quotas Jan Kara <jack(a)suse.cz> ocfs2: implement handshaking with ocfs2 recovery thread Jan Kara <jack(a)suse.cz> ocfs2: switch osb->disable_recovery to enum Dmitry Antipov <dmantipov(a)yandex.ru> module: ensure that kobject_put() is safe for module type kobjects Jason Andryuk <jason.andryuk(a)amd.com> xenbus: Use kref to track req lifetime Alexey Charkov <alchark(a)gmail.com> usb: uhci-platform: Make the clock really optional Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Fix wrong handling for AUX_DEFER case Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo Gabriel Shahrouzi <gshahrouzi(a)gmail.com> iio: adis16201: Correct inclinometer channel resolution Angelo Dureghello <adureghello(a)baylibre.com> iio: adc: ad7606: fix serial register access Dave Hansen <dave.hansen(a)linux.intel.com> x86/mm: Eliminate window where TLB flushes may be inadvertently skipped Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Correct handling of tx_fifo_depth for size validation Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Remove hardware resets for user errors Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: iio: adc: ad7816: Correct conditional logic for store mode Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: synaptics - enable SMBus for HP Elitebook 850 G1 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dell Precision M3800 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Manuel Fombuena <fombuena(a)outlook.com> Input: synaptics - enable InterTouch on Dynabook Portege X30-D Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix learning on VLAN unaware bridges Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: always rejoin default untagged VLAN on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix flushing old pvid VLAN on pvid change Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix clearing PVID of a port Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: allow leaky reserved multicast Jozsef Kadlecsik <kadlec(a)netfilter.org> netfilter: ipset: fix region locking in hash types Oliver Hartkopp <socketcan(a)hartkopp.net> can: gw: fix RCU/BH usage in cgw_create_job() Uladzislau Rezki (Sony) <urezki(a)gmail.com> rcu/kvfree: Add kvfree_rcu_mightsleep() and kfree_rcu_mightsleep() Eric Dumazet <edumazet(a)google.com> can: gw: use call_rcu() instead of costly synchronize_rcu() Guillaume Nault <gnault(a)redhat.com> gre: Fix again IPv6 link-local address generation. Eelco Chaudron <echaudro(a)redhat.com> openvswitch: Fix unsafe attribute parsing in output_userspace() Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcan: m_can_class_unregister(): fix order of unregistration calls ------------- Diffstat: Makefile | 4 +- arch/mips/include/asm/ptrace.h | 3 +- arch/x86/kernel/cpu/bugs.c | 5 +- arch/x86/kernel/cpu/common.c | 9 +- arch/x86/mm/tlb.c | 23 ++- arch/x86/net/bpf_jit_comp.c | 52 +++++++ .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 28 +++- drivers/gpu/drm/panel/panel-simple.c | 25 +-- drivers/iio/accel/adis16201.c | 4 +- drivers/iio/adc/ad7606_spi.c | 2 +- drivers/iio/adc/dln2-adc.c | 2 +- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 6 + drivers/input/mouse/synaptics.c | 5 + drivers/net/can/m_can/m_can.c | 2 +- drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 2 +- drivers/net/dsa/b53/b53_common.c | 36 +++-- drivers/net/phy/microchip.c | 46 +++++- drivers/nvme/host/core.c | 3 +- drivers/staging/axis-fifo/axis-fifo.c | 14 +- drivers/staging/iio/adc/ad7816.c | 2 +- drivers/usb/cdns3/cdnsp-gadget.c | 31 ++++ drivers/usb/cdns3/cdnsp-gadget.h | 6 + drivers/usb/cdns3/cdnsp-pci.c | 12 +- drivers/usb/cdns3/cdnsp-ring.c | 3 +- drivers/usb/cdns3/core.h | 3 + drivers/usb/class/usbtmc.c | 59 +++++--- drivers/usb/gadget/udc/tegra-xudc.c | 4 + drivers/usb/host/uhci-platform.c | 2 +- drivers/usb/host/xhci-tegra.c | 3 + drivers/usb/typec/tcpm/tcpm.c | 2 +- drivers/usb/typec/ucsi/displayport.c | 2 + drivers/xen/xenbus/xenbus.h | 2 + drivers/xen/xenbus/xenbus_comms.c | 9 +- drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +- drivers/xen/xenbus/xenbus_xs.c | 18 ++- fs/namespace.c | 3 +- fs/ocfs2/journal.c | 80 +++++++--- fs/ocfs2/journal.h | 1 + fs/ocfs2/ocfs2.h | 17 ++- fs/ocfs2/quota_local.c | 9 +- fs/ocfs2/super.c | 3 + include/linux/rcupdate.h | 3 + include/linux/types.h | 3 +- include/uapi/linux/types.h | 1 + kernel/params.c | 4 +- net/can/gw.c | 167 +++++++++++++-------- net/ipv6/addrconf.c | 15 +- net/netfilter/ipset/ip_set_hash_gen.h | 2 +- net/openvswitch/actions.c | 3 +- 49 files changed, 538 insertions(+), 204 deletions(-)

1 month, 3 weeks

9
62
0 0

[PATCH 6.1 00/92] 6.1.139-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.139 release. There are 92 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 14 May 2025 17:19:58 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.139-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.139-rc1 Peter Zijlstra <peterz(a)infradead.org> x86/its: Use dynamic thunks for indirect branches Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/ibt: Keep IBT disabled during alternative patching Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Align RETs in BHB clear sequence to avoid thunking Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add "vmexit" option to skip mitigation on some CPUs Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enable Indirect Target Selection mitigation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe return thunk Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe indirect thunk Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enumerate Indirect Target Selection (ITS) bug Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Documentation: x86/bugs/its: Add ITS documentation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Remove the extra #ifdef around CALL_NOSPEC Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Add a conditional CS prefix to CALL_NOSPEC Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Simplify and make CALL_NOSPEC consistent Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/bhi: Do not set BHI_DIS_S in 32-bit mode Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bpf: Add IBHF call at end of classic BPF Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bpf: Call branch history clearing sequence on exit James Morse <james.morse(a)arm.com> arm64: proton-pack: Add new CPUs 'k' values for branch mitigation James Morse <james.morse(a)arm.com> arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users James Morse <james.morse(a)arm.com> arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs James Morse <james.morse(a)arm.com> arm64: proton-pack: Expose whether the branchy loop k value James Morse <james.morse(a)arm.com> arm64: proton-pack: Expose whether the platform is mitigated by firmware James Morse <james.morse(a)arm.com> arm64: insn: Add support for encoding DSB Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "net: phy: microchip: force IRQ polling mode for lan88xx" Jens Axboe <axboe(a)kernel.dk> io_uring: ensure deferred completions are posted for multishot Jens Axboe <axboe(a)kernel.dk> io_uring: always arm linked timeouts prior to issue Al Viro <viro(a)zeniv.linux.org.uk> do_umount(): add missing barrier before refcount checks in sync case Daniel Wagner <wagi(a)kernel.org> nvme: unblock ctrl state transition for firmware update Kevin Baker <kevinb(a)ventureresearch.com> drm/panel: simple: Update timings for AUO G101EVN010 Thorsten Blum <thorsten.blum(a)linux.dev> MIPS: Fix MAX_REG_OFFSET Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: dln2: Use aligned_s64 for timestamp Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: accel: adxl355: Make timestamp 64-bit aligned using aligned_s64 Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> types: Complement the aligned types with signed 64-bit one Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer. Lothar Rubusch <l.rubusch(a)gmail.com> iio: accel: adxl367: fix setting odr for activity time update Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous generic_read ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous wait_srq ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous get_stb ioctl error returns Oliver Neukum <oneukum(a)suse.com> USB: usbtmc: use interruptible sleep in usbtmc_read Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: ucsi: displayport: Fix NULL pointer access RD Babiera <rdbabiera(a)google.com> usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition Jim Lin <jilin(a)nvidia.com> usb: host: tegra: Prevent host controller crash when OTG port is used Wayne Chang <waynec(a)nvidia.com> usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix issue with resuming from L1 Jan Kara <jack(a)suse.cz> ocfs2: stop quota recovery before disabling quotas Jan Kara <jack(a)suse.cz> ocfs2: implement handshaking with ocfs2 recovery thread Jan Kara <jack(a)suse.cz> ocfs2: switch osb->disable_recovery to enum Dmitry Antipov <dmantipov(a)yandex.ru> module: ensure that kobject_put() is safe for module type kobjects Jason Andryuk <jason.andryuk(a)amd.com> xenbus: Use kref to track req lifetime Alexey Charkov <alchark(a)gmail.com> usb: uhci-platform: Make the clock really optional Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Copy AUX read reply data whenever length > 0 Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Fix wrong handling for AUX_DEFER case Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Remove incorrect checking in dmub aux handler Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Fix the checking condition in dmub aux handling Maíra Canal <mcanal(a)igalia.com> drm/v3d: Add job to pending list if the reset was skipped Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo Gabriel Shahrouzi <gshahrouzi(a)gmail.com> iio: adis16201: Correct inclinometer channel resolution Angelo Dureghello <adureghello(a)baylibre.com> iio: adc: ad7606: fix serial register access Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Shift DMUB AUX reply command if necessary Dave Hansen <dave.hansen(a)linux.intel.com> x86/mm: Eliminate window where TLB flushes may be inadvertently skipped Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Correct handling of tx_fifo_depth for size validation Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Remove hardware resets for user errors Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: iio: adc: ad7816: Correct conditional logic for store mode Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: synaptics - enable SMBus for HP Elitebook 850 G1 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dell Precision M3800 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Manuel Fombuena <fombuena(a)outlook.com> Input: synaptics - enable InterTouch on Dynabook Portege X30-D Gary Bisson <bisson.gary(a)gmail.com> Input: mtk-pmic-keys - fix possible null pointer dereference Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix learning on VLAN unaware bridges Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: always rejoin default untagged VLAN on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix flushing old pvid VLAN on pvid change Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix clearing PVID of a port Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: allow leaky reserved multicast Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Scrub packet on bpf_redirect_peer Jozsef Kadlecsik <kadlec(a)netfilter.org> netfilter: ipset: fix region locking in hash types Julian Anastasov <ja(a)ssi.bg> ipvs: fix uninit-value for saddr in do_output_route4 Guillaume Nault <gnault(a)redhat.com> ipv4: Drop tos parameter from flowi4_update_output() Oliver Hartkopp <socketcan(a)hartkopp.net> can: gw: fix RCU/BH usage in cgw_create_job() Uladzislau Rezki (Sony) <urezki(a)gmail.com> rcu/kvfree: Add kvfree_rcu_mightsleep() and kfree_rcu_mightsleep() Kelsey Maes <kelsey(a)vpprocess.com> can: mcp251xfd: fix TDC setting for low data bit rates Guillaume Nault <gnault(a)redhat.com> gre: Fix again IPv6 link-local address generation. Cong Wang <xiyou.wangcong(a)gmail.com> sch_htb: make htb_deactivate() idempotent Wang Zhaolong <wangzhaolong1(a)huawei.com> ksmbd: fix memory leak in parse_lease_state() Eelco Chaudron <echaudro(a)redhat.com> openvswitch: Fix unsafe attribute parsing in output_userspace() Norbert Szetei <norbert(a)doyensec.com> ksmbd: prevent out-of-bounds stream writes by validating *pos Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcan: m_can_class_unregister(): fix order of unregistration calls Wojciech Dubowik <Wojciech.Dubowik(a)mt.com> arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 Dan Carpenter <dan.carpenter(a)linaro.org> dm: add missing unlock on in dm_keyslot_evict() ------------- Diffstat: Documentation/ABI/testing/sysfs-devices-system-cpu | 1 + Documentation/admin-guide/hw-vuln/index.rst | 1 + .../hw-vuln/indirect-target-selection.rst | 156 ++++++++++++++ Documentation/admin-guide/kernel-parameters.txt | 15 ++ Makefile | 4 +- arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 25 ++- arch/arm64/include/asm/cputype.h | 2 + arch/arm64/include/asm/insn.h | 1 + arch/arm64/include/asm/spectre.h | 3 + arch/arm64/kernel/proton-pack.c | 13 +- arch/arm64/lib/insn.c | 76 ++++--- arch/arm64/net/bpf_jit_comp.c | 57 +++++- arch/mips/include/asm/ptrace.h | 3 +- arch/x86/Kconfig | 11 + arch/x86/entry/entry_64.S | 20 +- arch/x86/include/asm/alternative.h | 24 +++ arch/x86/include/asm/cpufeatures.h | 3 + arch/x86/include/asm/msr-index.h | 8 + arch/x86/include/asm/nospec-branch.h | 38 ++-- arch/x86/kernel/alternative.c | 226 ++++++++++++++++++++- arch/x86/kernel/cpu/bugs.c | 144 ++++++++++++- arch/x86/kernel/cpu/common.c | 72 +++++-- arch/x86/kernel/ftrace.c | 2 +- arch/x86/kernel/module.c | 7 + arch/x86/kernel/static_call.c | 2 +- arch/x86/kernel/vmlinux.lds.S | 10 + arch/x86/kvm/x86.c | 4 +- arch/x86/lib/retpoline.S | 39 ++++ arch/x86/mm/tlb.c | 23 ++- arch/x86/net/bpf_jit_comp.c | 60 +++++- drivers/base/cpu.c | 8 + drivers/gpu/drm/amd/amdgpu/hdp_v5_2.c | 12 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 20 +- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 28 ++- drivers/gpu/drm/panel/panel-simple.c | 25 +-- drivers/gpu/drm/v3d/v3d_sched.c | 28 ++- drivers/iio/accel/adis16201.c | 4 +- drivers/iio/accel/adxl355_core.c | 2 +- drivers/iio/accel/adxl367.c | 10 +- drivers/iio/adc/ad7606_spi.c | 2 +- drivers/iio/adc/dln2-adc.c | 2 +- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 6 + drivers/iio/temperature/maxim_thermocouple.c | 2 +- drivers/input/keyboard/mtk-pmic-keys.c | 4 +- drivers/input/mouse/synaptics.c | 5 + drivers/md/dm-table.c | 3 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 42 +++- drivers/net/dsa/b53/b53_common.c | 36 ++-- drivers/net/phy/microchip.c | 46 ++++- drivers/nvme/host/core.c | 3 +- drivers/staging/axis-fifo/axis-fifo.c | 14 +- drivers/staging/iio/adc/ad7816.c | 2 +- drivers/usb/cdns3/cdnsp-gadget.c | 31 +++ drivers/usb/cdns3/cdnsp-gadget.h | 6 + drivers/usb/cdns3/cdnsp-pci.c | 12 +- drivers/usb/cdns3/cdnsp-ring.c | 3 +- drivers/usb/cdns3/core.h | 3 + drivers/usb/class/usbtmc.c | 59 +++--- drivers/usb/gadget/udc/tegra-xudc.c | 4 + drivers/usb/host/uhci-platform.c | 2 +- drivers/usb/host/xhci-tegra.c | 3 + drivers/usb/typec/tcpm/tcpm.c | 2 +- drivers/usb/typec/ucsi/displayport.c | 2 + drivers/xen/xenbus/xenbus.h | 2 + drivers/xen/xenbus/xenbus_comms.c | 9 +- drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +- drivers/xen/xenbus/xenbus_xs.c | 18 +- fs/namespace.c | 3 +- fs/ocfs2/journal.c | 80 ++++++-- fs/ocfs2/journal.h | 1 + fs/ocfs2/ocfs2.h | 17 +- fs/ocfs2/quota_local.c | 9 +- fs/ocfs2/super.c | 3 + fs/smb/server/oplock.c | 7 +- fs/smb/server/vfs.c | 7 + include/linux/cpu.h | 2 + include/linux/module.h | 5 + include/linux/rcupdate.h | 3 + include/linux/types.h | 3 +- include/net/flow.h | 3 +- include/net/route.h | 6 +- include/uapi/linux/types.h | 1 + io_uring/io_uring.c | 61 +++--- kernel/params.c | 4 +- net/can/gw.c | 151 ++++++++------ net/core/filter.c | 1 + net/ipv6/addrconf.c | 15 +- net/netfilter/ipset/ip_set_hash_gen.h | 2 +- net/netfilter/ipvs/ip_vs_xmit.c | 29 +-- net/openvswitch/actions.c | 3 +- net/sched/sch_htb.c | 15 +- net/sctp/protocol.c | 4 +- 93 files changed, 1554 insertions(+), 395 deletions(-)

1 month, 3 weeks

10
101
0 0

[PATCH 6.6 000/113] 6.6.91-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.91 release. There are 113 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 14 May 2025 17:19:58 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.91-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.91-rc1 Peter Zijlstra <peterz(a)infradead.org> x86/its: Use dynamic thunks for indirect branches Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/ibt: Keep IBT disabled during alternative patching Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Align RETs in BHB clear sequence to avoid thunking Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for RSB stuffing mitigation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add "vmexit" option to skip mitigation on some CPUs Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enable Indirect Target Selection mitigation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe return thunk Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe indirect thunk Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enumerate Indirect Target Selection (ITS) bug Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Documentation: x86/bugs/its: Add ITS documentation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Remove the extra #ifdef around CALL_NOSPEC Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Add a conditional CS prefix to CALL_NOSPEC Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Simplify and make CALL_NOSPEC consistent Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/bhi: Do not set BHI_DIS_S in 32-bit mode Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bpf: Add IBHF call at end of classic BPF Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bpf: Call branch history clearing sequence on exit James Morse <james.morse(a)arm.com> arm64: proton-pack: Add new CPUs 'k' values for branch mitigation James Morse <james.morse(a)arm.com> arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users James Morse <james.morse(a)arm.com> arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs James Morse <james.morse(a)arm.com> arm64: proton-pack: Expose whether the branchy loop k value James Morse <james.morse(a)arm.com> arm64: proton-pack: Expose whether the platform is mitigated by firmware James Morse <james.morse(a)arm.com> arm64: insn: Add support for encoding DSB Jens Axboe <axboe(a)kernel.dk> io_uring: ensure deferred completions are posted for multishot Jens Axboe <axboe(a)kernel.dk> io_uring: always arm linked timeouts prior to issue Al Viro <viro(a)zeniv.linux.org.uk> do_umount(): add missing barrier before refcount checks in sync case Daniel Wagner <wagi(a)kernel.org> nvme: unblock ctrl state transition for firmware update Kevin Baker <kevinb(a)ventureresearch.com> drm/panel: simple: Update timings for AUO G101EVN010 Thorsten Blum <thorsten.blum(a)linux.dev> MIPS: Fix MAX_REG_OFFSET Marco Crivellari <marco.crivellari(a)suse.com> MIPS: Move r4k_wait() to .cpuidle.text section Marco Crivellari <marco.crivellari(a)suse.com> MIPS: Fix idle VS timer enqueue Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: dln2: Use aligned_s64 for timestamp Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: accel: adxl355: Make timestamp 64-bit aligned using aligned_s64 Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> types: Complement the aligned types with signed 64-bit one Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer. Lothar Rubusch <l.rubusch(a)gmail.com> iio: accel: adxl367: fix setting odr for activity time update Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous generic_read ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous wait_srq ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous get_stb ioctl error returns Oliver Neukum <oneukum(a)suse.com> USB: usbtmc: use interruptible sleep in usbtmc_read Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: ucsi: displayport: Fix NULL pointer access RD Babiera <rdbabiera(a)google.com> usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition Jim Lin <jilin(a)nvidia.com> usb: host: tegra: Prevent host controller crash when OTG port is used Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: gadget: Use get_status callback to set remote wakeup capability Wayne Chang <waynec(a)nvidia.com> usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: gadget: f_ecm: Add get_status callback Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix issue with resuming from L1 Jan Kara <jack(a)suse.cz> ocfs2: stop quota recovery before disabling quotas Jan Kara <jack(a)suse.cz> ocfs2: implement handshaking with ocfs2 recovery thread Jan Kara <jack(a)suse.cz> ocfs2: switch osb->disable_recovery to enum Borislav Petkov (AMD) <bp(a)alien8.de> x86/microcode: Consolidate the loader enablement checking Dmitry Antipov <dmantipov(a)yandex.ru> module: ensure that kobject_put() is safe for module type kobjects Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> clocksource/i8253: Use raw_spinlock_irqsave() in clockevent_i8253_disable() Jason Andryuk <jason.andryuk(a)amd.com> xenbus: Use kref to track req lifetime John Ernberg <john.ernberg(a)actia.se> xen: swiotlb: Use swiotlb bouncing if kmalloc allocation demands it Paul Aurich <paul(a)darkrain42.org> smb: client: Avoid race in open_cached_dir with lease breaks Alexey Charkov <alchark(a)gmail.com> usb: uhci-platform: Make the clock really optional Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp6: use memcfg register to post the write for HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp5: use memcfg register to post the write for HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp4: use memcfg register to post the write for HDP flush Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Copy AUX read reply data whenever length > 0 Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Fix wrong handling for AUX_DEFER case Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Remove incorrect checking in dmub aux handler Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Fix the checking condition in dmub aux handling Aurabindo Pillai <aurabindo.pillai(a)amd.com> drm/amd/display: more liberal vmin/vmax update for freesync Maíra Canal <mcanal(a)igalia.com> drm/v3d: Add job to pending list if the reset was skipped Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo Gabriel Shahrouzi <gshahrouzi(a)gmail.com> iio: adis16201: Correct inclinometer channel resolution Simon Xue <xxm(a)rock-chips.com> iio: adc: rockchip: Fix clock initialization sequence Angelo Dureghello <adureghello(a)baylibre.com> iio: adc: ad7606: fix serial register access Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Shift DMUB AUX reply command if necessary Dave Hansen <dave.hansen(a)linux.intel.com> x86/mm: Eliminate window where TLB flushes may be inadvertently skipped Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Correct handling of tx_fifo_depth for size validation Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Remove hardware resets for user errors Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: iio: adc: ad7816: Correct conditional logic for store mode Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: synaptics - enable SMBus for HP Elitebook 850 G1 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dell Precision M3800 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Manuel Fombuena <fombuena(a)outlook.com> Input: synaptics - enable InterTouch on Dynabook Portege X30-D Vicki Pfau <vi(a)endrift.com> Input: xpad - fix two controller table values Lode Willems <me(a)lodewillems.com> Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller Vicki Pfau <vi(a)endrift.com> Input: xpad - fix Share button on Xbox One controllers Gary Bisson <bisson.gary(a)gmail.com> Input: mtk-pmic-keys - fix possible null pointer dereference Mikael Gonella-Bolduc <mgonellabolduc(a)dimonoff.com> Input: cyttsp5 - fix power control issue on wakeup Hugo Villeneuve <hvilleneuve(a)dimonoff.com> Input: cyttsp5 - ensure minimum reset pulse width Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix learning on VLAN unaware bridges Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: always rejoin default untagged VLAN on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix flushing old pvid VLAN on pvid change Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix clearing PVID of a port Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: allow leaky reserved multicast Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Scrub packet on bpf_redirect_peer Jozsef Kadlecsik <kadlec(a)netfilter.org> netfilter: ipset: fix region locking in hash types Julian Anastasov <ja(a)ssi.bg> ipvs: fix uninit-value for saddr in do_output_route4 Oliver Hartkopp <socketcan(a)hartkopp.net> can: gw: fix RCU/BH usage in cgw_create_job() Kelsey Maes <kelsey(a)vpprocess.com> can: mcp251xfd: fix TDC setting for low data bit rates Daniel Golle <daniel(a)makrotopia.org> net: ethernet: mtk_eth_soc: reset all TX queues on DMA free Alexander Lobakin <aleksander.lobakin(a)intel.com> netdevice: add netdev_tx_reset_subqueue() shorthand Guillaume Nault <gnault(a)redhat.com> gre: Fix again IPv6 link-local address generation. Cong Wang <xiyou.wangcong(a)gmail.com> sch_htb: make htb_deactivate() idempotent Wang Zhaolong <wangzhaolong1(a)huawei.com> ksmbd: fix memory leak in parse_lease_state() Eelco Chaudron <echaudro(a)redhat.com> openvswitch: Fix unsafe attribute parsing in output_userspace() Sean Heelan <seanheelan(a)gmail.com> ksmbd: Fix UAF in __close_file_table_ids Norbert Szetei <norbert(a)doyensec.com> ksmbd: prevent out-of-bounds stream writes by validating *pos Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: prevent rename with empty string Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls Veerendranath Jakkam <quic_vjakkam(a)quicinc.com> wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcan: m_can_class_unregister(): fix order of unregistration calls Wojciech Dubowik <Wojciech.Dubowik(a)mt.com> arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 Dan Carpenter <dan.carpenter(a)linaro.org> dm: add missing unlock on in dm_keyslot_evict() ------------- Diffstat: Documentation/ABI/testing/sysfs-devices-system-cpu | 1 + Documentation/admin-guide/hw-vuln/index.rst | 1 + .../hw-vuln/indirect-target-selection.rst | 168 +++++++++++++++++ Documentation/admin-guide/kernel-parameters.txt | 18 ++ Makefile | 4 +- arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 25 ++- arch/arm64/include/asm/cputype.h | 2 + arch/arm64/include/asm/insn.h | 1 + arch/arm64/include/asm/spectre.h | 3 + arch/arm64/kernel/proton-pack.c | 13 +- arch/arm64/lib/insn.c | 76 ++++---- arch/arm64/net/bpf_jit_comp.c | 57 +++++- arch/mips/include/asm/idle.h | 3 +- arch/mips/include/asm/ptrace.h | 3 +- arch/mips/kernel/genex.S | 63 ++++--- arch/mips/kernel/idle.c | 7 - arch/x86/Kconfig | 11 ++ arch/x86/entry/entry_64.S | 20 ++- arch/x86/include/asm/alternative.h | 24 +++ arch/x86/include/asm/cpufeatures.h | 3 + arch/x86/include/asm/microcode.h | 2 + arch/x86/include/asm/msr-index.h | 8 + arch/x86/include/asm/nospec-branch.h | 44 +++-- arch/x86/kernel/alternative.c | 198 ++++++++++++++++++++- arch/x86/kernel/cpu/bugs.c | 178 +++++++++++++++++- arch/x86/kernel/cpu/common.c | 72 ++++++-- arch/x86/kernel/cpu/microcode/amd.c | 6 +- arch/x86/kernel/cpu/microcode/core.c | 60 ++++--- arch/x86/kernel/cpu/microcode/intel.c | 2 +- arch/x86/kernel/cpu/microcode/internal.h | 1 - arch/x86/kernel/ftrace.c | 2 +- arch/x86/kernel/head32.c | 4 - arch/x86/kernel/module.c | 7 + arch/x86/kernel/static_call.c | 4 +- arch/x86/kernel/vmlinux.lds.S | 10 ++ arch/x86/kvm/x86.c | 4 +- arch/x86/lib/retpoline.S | 39 ++++ arch/x86/mm/tlb.c | 23 ++- arch/x86/net/bpf_jit_comp.c | 61 ++++++- drivers/base/cpu.c | 3 + drivers/clocksource/i8253.c | 4 +- drivers/gpu/drm/amd/amdgpu/hdp_v4_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/hdp_v5_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/hdp_v5_2.c | 12 +- drivers/gpu/drm/amd/amdgpu/hdp_v6_0.c | 7 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 36 ++-- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 28 ++- drivers/gpu/drm/panel/panel-simple.c | 25 +-- drivers/gpu/drm/v3d/v3d_sched.c | 28 ++- drivers/iio/accel/adis16201.c | 4 +- drivers/iio/accel/adxl355_core.c | 2 +- drivers/iio/accel/adxl367.c | 10 +- drivers/iio/adc/ad7606_spi.c | 2 +- drivers/iio/adc/dln2-adc.c | 2 +- drivers/iio/adc/rockchip_saradc.c | 17 +- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 6 + drivers/iio/temperature/maxim_thermocouple.c | 2 +- drivers/input/joystick/xpad.c | 40 +++-- drivers/input/keyboard/mtk-pmic-keys.c | 4 +- drivers/input/mouse/synaptics.c | 5 + drivers/input/touchscreen/cyttsp5.c | 7 +- drivers/md/dm-table.c | 3 +- drivers/net/can/m_can/m_can.c | 2 +- drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 42 ++++- drivers/net/dsa/b53/b53_common.c | 36 ++-- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 16 +- drivers/nvme/host/core.c | 3 +- drivers/staging/axis-fifo/axis-fifo.c | 14 +- drivers/staging/iio/adc/ad7816.c | 2 +- drivers/usb/cdns3/cdnsp-gadget.c | 31 ++++ drivers/usb/cdns3/cdnsp-gadget.h | 6 + drivers/usb/cdns3/cdnsp-pci.c | 12 +- drivers/usb/cdns3/cdnsp-ring.c | 3 +- drivers/usb/cdns3/core.h | 3 + drivers/usb/class/usbtmc.c | 59 +++--- drivers/usb/gadget/composite.c | 12 +- drivers/usb/gadget/function/f_ecm.c | 7 + drivers/usb/gadget/udc/tegra-xudc.c | 4 + drivers/usb/host/uhci-platform.c | 2 +- drivers/usb/host/xhci-tegra.c | 3 + drivers/usb/typec/tcpm/tcpm.c | 2 +- drivers/usb/typec/ucsi/displayport.c | 2 + drivers/xen/swiotlb-xen.c | 1 + drivers/xen/xenbus/xenbus.h | 2 + drivers/xen/xenbus/xenbus_comms.c | 9 +- drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +- drivers/xen/xenbus/xenbus_xs.c | 18 +- fs/namespace.c | 3 +- fs/ocfs2/journal.c | 80 ++++++--- fs/ocfs2/journal.h | 1 + fs/ocfs2/ocfs2.h | 17 +- fs/ocfs2/quota_local.c | 9 +- fs/ocfs2/super.c | 3 + fs/smb/client/cached_dir.c | 10 +- fs/smb/server/oplock.c | 7 +- fs/smb/server/smb2pdu.c | 5 + fs/smb/server/vfs.c | 7 + fs/smb/server/vfs_cache.c | 33 +++- include/linux/cpu.h | 2 + include/linux/module.h | 5 + include/linux/netdevice.h | 13 +- include/linux/types.h | 3 +- include/uapi/linux/types.h | 1 + io_uring/io_uring.c | 61 +++---- kernel/params.c | 4 +- net/can/gw.c | 151 +++++++++------- net/core/filter.c | 1 + net/ipv6/addrconf.c | 15 +- net/netfilter/ipset/ip_set_hash_gen.h | 2 +- net/netfilter/ipvs/ip_vs_xmit.c | 27 +-- net/openvswitch/actions.c | 3 +- net/sched/sch_htb.c | 15 +- net/wireless/scan.c | 2 +- 113 files changed, 1733 insertions(+), 529 deletions(-)

1 month, 3 weeks

10
122
0 0

[PATCH 1/3] highmem: Add folio_test_partial_kmap()

by Matthew Wilcox (Oracle)

In commit c749d9b7ebbc (iov_iter: fix copy_page_from_iter_atomic() if KMAP_LOCAL_FORCE_MAP), Hugh correctly noted that if KMAP_LOCAL_FORCE_MAP is enabled, we must limit ourselves to PAGE_SIZE bytes per call to kmap_local(). The same problem exists in memcpy_from_folio(), memcpy_to_folio(), folio_zero_tail(), folio_fill_tail() and memcpy_from_file_folio(), so add folio_test_partial_kmap() to do this more succinctly. Signed-off-by: Matthew Wilcox (Oracle) <willy(a)infradead.org> Fixes: 00cdf76012ab (mm: add memcpy_from_file_folio()) Cc: stable(a)vger.kernel.org --- include/linux/highmem.h | 10 +++++----- include/linux/page-flags.h | 7 +++++++ 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/include/linux/highmem.h b/include/linux/highmem.h index 5c6bea81a90e..c698f8415675 100644 --- a/include/linux/highmem.h +++ b/include/linux/highmem.h @@ -461,7 +461,7 @@ static inline void memcpy_from_folio(char *to, struct folio *folio, const char *from = kmap_local_folio(folio, offset); size_t chunk = len; - if (folio_test_highmem(folio) && + if (folio_test_partial_kmap(folio) && chunk > PAGE_SIZE - offset_in_page(offset)) chunk = PAGE_SIZE - offset_in_page(offset); memcpy(to, from, chunk); @@ -489,7 +489,7 @@ static inline void memcpy_to_folio(struct folio *folio, size_t offset, char *to = kmap_local_folio(folio, offset); size_t chunk = len; - if (folio_test_highmem(folio) && + if (folio_test_partial_kmap(folio) && chunk > PAGE_SIZE - offset_in_page(offset)) chunk = PAGE_SIZE - offset_in_page(offset); memcpy(to, from, chunk); @@ -522,7 +522,7 @@ static inline __must_check void *folio_zero_tail(struct folio *folio, { size_t len = folio_size(folio) - offset; - if (folio_test_highmem(folio)) { + if (folio_test_partial_kmap(folio)) { size_t max = PAGE_SIZE - offset_in_page(offset); while (len > max) { @@ -560,7 +560,7 @@ static inline void folio_fill_tail(struct folio *folio, size_t offset, VM_BUG_ON(offset + len > folio_size(folio)); - if (folio_test_highmem(folio)) { + if (folio_test_partial_kmap(folio)) { size_t max = PAGE_SIZE - offset_in_page(offset); while (len > max) { @@ -597,7 +597,7 @@ static inline size_t memcpy_from_file_folio(char *to, struct folio *folio, size_t offset = offset_in_folio(folio, pos); char *from = kmap_local_folio(folio, offset); - if (folio_test_highmem(folio)) { + if (folio_test_partial_kmap(folio)) { offset = offset_in_page(offset); len = min_t(size_t, len, PAGE_SIZE - offset); } else diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h index e6a21b62dcce..3b814ce08331 100644 --- a/include/linux/page-flags.h +++ b/include/linux/page-flags.h @@ -615,6 +615,13 @@ FOLIO_FLAG(dropbehind, FOLIO_HEAD_PAGE) PAGEFLAG_FALSE(HighMem, highmem) #endif +/* Does kmap_local_folio() only allow access to one page of the folio? */ +#ifdef CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP +#define folio_test_partial_kmap(f) true +#else +#define folio_test_partial_kmap(f) folio_test_highmem(f) +#endif + #ifdef CONFIG_SWAP static __always_inline bool folio_test_swapcache(const struct folio *folio) { -- 2.47.2

1 month, 3 weeks

1
0
0 0

[PATCH 6.12 000/184] 6.12.29-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.29 release. There are 184 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 14 May 2025 17:19:58 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.29-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.29-rc1 Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> selftest/x86/bugs: Add selftests for ITS Peter Zijlstra <peterz(a)infradead.org> x86/its: Use dynamic thunks for indirect branches Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/ibt: Keep IBT disabled during alternative patching Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Align RETs in BHB clear sequence to avoid thunking Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for RSB stuffing mitigation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add "vmexit" option to skip mitigation on some CPUs Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enable Indirect Target Selection mitigation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe return thunk Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Add support for ITS-safe indirect thunk Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/its: Enumerate Indirect Target Selection (ITS) bug Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Documentation: x86/bugs/its: Add ITS documentation Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Remove the extra #ifdef around CALL_NOSPEC Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Add a conditional CS prefix to CALL_NOSPEC Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/speculation: Simplify and make CALL_NOSPEC consistent Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/bhi: Do not set BHI_DIS_S in 32-bit mode Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bpf: Add IBHF call at end of classic BPF Daniel Sneddon <daniel.sneddon(a)linux.intel.com> x86/bpf: Call branch history clearing sequence on exit James Morse <james.morse(a)arm.com> arm64: proton-pack: Add new CPUs 'k' values for branch mitigation James Morse <james.morse(a)arm.com> arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users James Morse <james.morse(a)arm.com> arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs James Morse <james.morse(a)arm.com> arm64: proton-pack: Expose whether the branchy loop k value James Morse <james.morse(a)arm.com> arm64: proton-pack: Expose whether the platform is mitigated by firmware James Morse <james.morse(a)arm.com> arm64: insn: Add support for encoding DSB Omar Sandoval <osandov(a)fb.com> sched/eevdf: Fix se->slice being set to U64_MAX and resulting crash Johannes Weiner <hannes(a)cmpxchg.org> mm: page_alloc: speed up fallbacks in rmqueue_bulk() Johannes Weiner <hannes(a)cmpxchg.org> mm: page_alloc: don't steal single pages from biggest buddy Hao Qin <hao.qin(a)mediatek.com> Bluetooth: btmtk: Remove the resetting step before downloading the fw Hao Qin <hao.qin(a)mediatek.com> Bluetooth: btmtk: Remove resetting mt7921 before downloading the fw Jens Axboe <axboe(a)kernel.dk> io_uring: always arm linked timeouts prior to issue Miguel Ojeda <ojeda(a)kernel.org> rust: clean Rust 1.88.0's `clippy::uninlined_format_args` lint Miguel Ojeda <ojeda(a)kernel.org> rust: allow Rust 1.87.0's `clippy::ptr_eq` lint Christian Lamparter <chunkeey(a)gmail.com> Revert "um: work around sched_yield not yielding in time-travel mode" Al Viro <viro(a)zeniv.linux.org.uk> do_umount(): add missing barrier before refcount checks in sync case Gabriel Krisman Bertazi <krisman(a)suse.de> io_uring/sqpoll: Increase task_work submission batch size Tejas Upadhyay <tejas.upadhyay(a)intel.com> drm/xe/tests/mocs: Hold XE_FORCEWAKE_ALL for LNCF regs Himal Prasad Ghimiray <himal.prasad.ghimiray(a)intel.com> drm/xe/tests/mocs: Update xe_force_wake_get() return handling Clément Léger <cleger(a)rivosinc.com> riscv: misaligned: enable IRQs while handling misaligned accesses Clément Léger <cleger(a)rivosinc.com> riscv: misaligned: factorize trap handling Daniel Wagner <wagi(a)kernel.org> nvme: unblock ctrl state transition for firmware update Kevin Baker <kevinb(a)ventureresearch.com> drm/panel: simple: Update timings for AUO G101EVN010 Lizhi Xu <lizhi.xu(a)windriver.com> loop: Add sanity check for read/write_iter Christoph Hellwig <hch(a)lst.de> loop: factor out a loop_assign_backing_file helper Christoph Hellwig <hch(a)lst.de> loop: refactor queue limits updates OGAWA Hirofumi <hirofumi(a)mail.parknet.co.jp> loop: Fix ABBA locking race John Garry <john.g.garry(a)oracle.com> loop: Simplify discard granularity calc John Garry <john.g.garry(a)oracle.com> loop: Use bdev limit helpers for configuring discard Nylon Chen <nylon.chen(a)sifive.com> riscv: misaligned: Add handling for ZCB instructions Thorsten Blum <thorsten.blum(a)linux.dev> MIPS: Fix MAX_REG_OFFSET Marco Crivellari <marco.crivellari(a)suse.com> MIPS: Move r4k_wait() to .cpuidle.text section Marco Crivellari <marco.crivellari(a)suse.com> MIPS: Fix idle VS timer enqueue Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: dln2: Use aligned_s64 for timestamp Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: accel: adxl355: Make timestamp 64-bit aligned using aligned_s64 Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> types: Complement the aligned types with signed 64-bit one Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer. Lothar Rubusch <l.rubusch(a)gmail.com> iio: accel: adxl367: fix setting odr for activity time update Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous generic_read ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous wait_srq ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous get_stb ioctl error returns Oliver Neukum <oneukum(a)suse.com> USB: usbtmc: use interruptible sleep in usbtmc_read Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: ucsi: displayport: Fix NULL pointer access RD Babiera <rdbabiera(a)google.com> usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition Lukasz Czechowski <lukasz.czechowski(a)thaumatec.com> usb: misc: onboard_usb_dev: fix support for Cypress HX3 hubs Jim Lin <jilin(a)nvidia.com> usb: host: tegra: Prevent host controller crash when OTG port is used Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: gadget: Use get_status callback to set remote wakeup capability Wayne Chang <waynec(a)nvidia.com> usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: gadget: f_ecm: Add get_status callback Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fix issue with resuming from L1 Prashanth K <prashanth.k(a)oss.qualcomm.com> usb: dwc3: gadget: Make gadget_wakeup asynchronous Jan Kara <jack(a)suse.cz> ocfs2: stop quota recovery before disabling quotas Jan Kara <jack(a)suse.cz> ocfs2: implement handshaking with ocfs2 recovery thread Jan Kara <jack(a)suse.cz> ocfs2: switch osb->disable_recovery to enum Heming Zhao <heming.zhao(a)suse.com> ocfs2: fix the issue with discontiguous allocation in the global_bitmap Borislav Petkov (AMD) <bp(a)alien8.de> x86/microcode: Consolidate the loader enablement checking Dmitry Antipov <dmantipov(a)yandex.ru> module: ensure that kobject_put() is safe for module type kobjects Tom Lendacky <thomas.lendacky(a)amd.com> memblock: Accept allocated memory before use in memblock_double_array() Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> clocksource/i8253: Use raw_spinlock_irqsave() in clockevent_i8253_disable() Yeoreum Yun <yeoreum.yun(a)arm.com> arm64: cpufeature: Move arm64_use_ng_mappings to the .data section to prevent wrong idmap generation Jacek Lawrynowicz <jacek.lawrynowicz(a)linux.intel.com> accel/ivpu: Increase state dump msg timeout Jason Andryuk <jason.andryuk(a)amd.com> xenbus: Use kref to track req lifetime John Ernberg <john.ernberg(a)actia.se> xen: swiotlb: Use swiotlb bouncing if kmalloc allocation demands it Paul Aurich <paul(a)darkrain42.org> smb: client: Avoid race in open_cached_dir with lease breaks Alexey Charkov <alchark(a)gmail.com> usb: uhci-platform: Make the clock really optional Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp7: use memcfg register to post the write for HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp6: use memcfg register to post the write for HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp5: use memcfg register to post the write for HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/hdp4: use memcfg register to post the write for HDP flush Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Copy AUX read reply data whenever length > 0 Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Fix wrong handling for AUX_DEFER case Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Remove incorrect checking in dmub aux handler Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Fix the checking condition in dmub aux handling Aurabindo Pillai <aurabindo.pillai(a)amd.com> drm/amd/display: more liberal vmin/vmax update for freesync Roman Li <Roman.Li(a)amd.com> drm/amd/display: Fix invalid context error in dml helper Ruijing Dong <ruijing.dong(a)amd.com> drm/amdgpu/vcn: using separate VCN1_AON_SOC offset Matthew Brost <matthew.brost(a)intel.com> drm/xe: Add page queue multiplier Maíra Canal <mcanal(a)igalia.com> drm/v3d: Add job to pending list if the reset was skipped Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo David Lechner <dlechner(a)baylibre.com> iio: imu: inv_mpu6050: align buffer for timestamp Gabriel Shahrouzi <gshahrouzi(a)gmail.com> iio: adis16201: Correct inclinometer channel resolution Simon Xue <xxm(a)rock-chips.com> iio: adc: rockchip: Fix clock initialization sequence Angelo Dureghello <adureghello(a)baylibre.com> iio: adc: ad7606: fix serial register access Jens Axboe <axboe(a)kernel.dk> io_uring: ensure deferred completions are flushed for multishot Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Shift DMUB AUX reply command if necessary Mikhail Lobanov <m.lobanov(a)rosa.ru> KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception Nysal Jan K.A. <nysal(a)linux.ibm.com> selftests/mm: fix a build failure on powerpc Feng Tang <feng.tang(a)linux.alibaba.com> selftests/mm: compaction_test: support platform with huge mount of memory Peter Xu <peterx(a)redhat.com> mm/userfaultfd: fix uninitialized output field for -EAGAIN race Gavin Guo <gavinguo(a)igalia.com> mm/huge_memory: fix dereferencing invalid pmd migration entry Kees Cook <kees(a)kernel.org> mm: vmalloc: support more granular vrealloc() sizing Petr Vaněk <arkamar(a)atlas.cz> mm: fix folio_pte_batch() on XEN PV Dave Hansen <dave.hansen(a)linux.intel.com> x86/mm: Eliminate window where TLB flushes may be inadvertently skipped Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Correct handling of tx_fifo_depth for size validation Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Remove hardware resets for user errors Dave Stevenson <dave.stevenson(a)raspberrypi.com> staging: bcm2835-camera: Initialise dev in v4l2_dev Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: iio: adc: ad7816: Correct conditional logic for store mode Miguel Ojeda <ojeda(a)kernel.org> rust: clean Rust 1.88.0's warning about `clippy::disallowed_macros` configuration Miguel Ojeda <ojeda(a)kernel.org> objtool/rust: add one more `noreturn` Rust function for Rust 1.87.0 Miguel Ojeda <ojeda(a)kernel.org> rust: clean Rust 1.88.0's `unnecessary_transmutes` lint Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: synaptics - enable SMBus for HP Elitebook 850 G1 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dell Precision M3800 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Manuel Fombuena <fombuena(a)outlook.com> Input: synaptics - enable InterTouch on Dynabook Portege X30-D Vicki Pfau <vi(a)endrift.com> Input: xpad - fix two controller table values Lode Willems <me(a)lodewillems.com> Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller Vicki Pfau <vi(a)endrift.com> Input: xpad - fix Share button on Xbox One controllers Gary Bisson <bisson.gary(a)gmail.com> Input: mtk-pmic-keys - fix possible null pointer dereference Mikael Gonella-Bolduc <mgonellabolduc(a)dimonoff.com> Input: cyttsp5 - fix power control issue on wakeup Hugo Villeneuve <hvilleneuve(a)dimonoff.com> Input: cyttsp5 - ensure minimum reset pulse width Jakub Kicinski <kuba(a)kernel.org> virtio-net: fix total qstat values Jakub Kicinski <kuba(a)kernel.org> net: export a helper for adding up queue stats Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Do not allow mailbox to toggle to ready outside fbnic_mbx_poll_tx_ready Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Pull fbnic_fw_xmit_cap_msg use out of interrupt context Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Improve responsiveness of fbnic_mbx_poll_tx_ready Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Actually flush_tx instead of stalling out Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Gate AXI read/write enabling on FW mailbox Alexander Duyck <alexanderduyck(a)fb.com> fbnic: Fix initialization of mailbox descriptor rings Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: do not set learning and unicast/multicast on up Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix learning on VLAN unaware bridges Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix toggling vlan_filtering Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: do not program vlans when vlan filtering is off Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: do not allow to configure VLAN 0 Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: always rejoin default untagged VLAN on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix flushing old pvid VLAN on pvid change Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix clearing PVID of a port Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: keep CPU port always tagged again Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: allow leaky reserved multicast Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Scrub packet on bpf_redirect_peer Jozsef Kadlecsik <kadlec(a)netfilter.org> netfilter: ipset: fix region locking in hash types Julian Anastasov <ja(a)ssi.bg> ipvs: fix uninit-value for saddr in do_output_route4 Gao Xiang <xiang(a)kernel.org> erofs: ensure the extra temporary copy is valid for shortened bvecs Przemek Kitszel <przemyslaw.kitszel(a)intel.com> ice: use DSN instead of PCI BDF for ice_adapter index Sergey Temerkhanov <sergey.temerkhanov(a)intel.com> ice: Initial support for E825C hardware in ice_adapter Michael-CY Lee <michael-cy.lee(a)mediatek.com> wifi: mac80211: fix the type of status_code for negotiated TID to Link Mapping Oliver Hartkopp <socketcan(a)hartkopp.net> can: gw: fix RCU/BH usage in cgw_create_job() Kelsey Maes <kelsey(a)vpprocess.com> can: mcp251xfd: fix TDC setting for low data bit rates Antonios Salios <antonios(a)mwa.re> can: m_can: m_can_class_allocate_dev(): initialize spin lock on device probe Frank Wunderlich <frank-w(a)public-files.de> net: ethernet: mtk_eth_soc: do not reset PSE when setting FE Daniel Golle <daniel(a)makrotopia.org> net: ethernet: mtk_eth_soc: reset all TX queues on DMA free Guillaume Nault <gnault(a)redhat.com> gre: Fix again IPv6 link-local address generation. Jakub Kicinski <kuba(a)kernel.org> virtio-net: free xsk_buffs on error in virtnet_xsk_pool_enable() Xuan Zhuo <xuanzhuo(a)linux.alibaba.com> virtio_net: xsk: bind/unbind xsk for tx Cong Wang <xiyou.wangcong(a)gmail.com> sch_htb: make htb_deactivate() idempotent Heiko Carstens <hca(a)linux.ibm.com> s390/entry: Fix last breaking event handling in case of stack corruption Wang Zhaolong <wangzhaolong1(a)huawei.com> ksmbd: fix memory leak in parse_lease_state() Eelco Chaudron <echaudro(a)redhat.com> openvswitch: Fix unsafe attribute parsing in output_userspace() Sean Heelan <seanheelan(a)gmail.com> ksmbd: Fix UAF in __close_file_table_ids Norbert Szetei <norbert(a)doyensec.com> ksmbd: prevent out-of-bounds stream writes by validating *pos Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: prevent rename with empty string Marc Kleine-Budde <mkl(a)pengutronix.de> can: rockchip_canfd: rkcanfd_remove(): fix order of unregistration calls Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has child VFs Alex Williamson <alex.williamson(a)redhat.com> vfio/pci: Align huge faults to order Veerendranath Jakkam <quic_vjakkam(a)quicinc.com> wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Fix missing check for zpci_create_device() error return Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcan: m_can_class_unregister(): fix order of unregistration calls Cristian Marussi <cristian.marussi(a)arm.com> firmware: arm_scmi: Fix timeout checks on polling path Wojciech Dubowik <Wojciech.Dubowik(a)mt.com> arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 Qu Wenruo <wqu(a)suse.com> Revert "btrfs: canonicalize the device path before adding it" Max Kellermann <max.kellermann(a)ionos.com> fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio() Dan Carpenter <dan.carpenter(a)linaro.org> dm: add missing unlock on in dm_keyslot_evict() ------------- Diffstat: .clippy.toml | 2 +- Documentation/ABI/testing/sysfs-devices-system-cpu | 1 + Documentation/admin-guide/hw-vuln/index.rst | 1 + .../hw-vuln/indirect-target-selection.rst | 168 ++++++++++++++++ Documentation/admin-guide/kernel-parameters.txt | 18 ++ Makefile | 4 +- arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi | 25 ++- arch/arm64/include/asm/cputype.h | 2 + arch/arm64/include/asm/insn.h | 1 + arch/arm64/include/asm/spectre.h | 3 + arch/arm64/kernel/cpufeature.c | 9 +- arch/arm64/kernel/proton-pack.c | 13 +- arch/arm64/lib/insn.c | 76 +++++--- arch/arm64/net/bpf_jit_comp.c | 57 +++++- arch/mips/include/asm/idle.h | 3 +- arch/mips/include/asm/ptrace.h | 3 +- arch/mips/kernel/genex.S | 63 +++--- arch/mips/kernel/idle.c | 7 - arch/riscv/kernel/traps.c | 64 ++++--- arch/riscv/kernel/traps_misaligned.c | 17 ++ arch/s390/kernel/entry.S | 3 +- arch/s390/pci/pci_clp.c | 2 + arch/um/include/linux/time-internal.h | 2 - arch/um/kernel/skas/syscall.c | 11 -- arch/x86/Kconfig | 12 ++ arch/x86/entry/entry_64.S | 20 +- arch/x86/include/asm/alternative.h | 24 +++ arch/x86/include/asm/cpufeatures.h | 3 + arch/x86/include/asm/microcode.h | 2 + arch/x86/include/asm/msr-index.h | 8 + arch/x86/include/asm/nospec-branch.h | 38 ++-- arch/x86/kernel/alternative.c | 195 ++++++++++++++++++- arch/x86/kernel/cpu/bugs.c | 176 ++++++++++++++++- arch/x86/kernel/cpu/common.c | 72 +++++-- arch/x86/kernel/cpu/microcode/amd.c | 6 +- arch/x86/kernel/cpu/microcode/core.c | 60 +++--- arch/x86/kernel/cpu/microcode/intel.c | 2 +- arch/x86/kernel/cpu/microcode/internal.h | 1 - arch/x86/kernel/ftrace.c | 2 +- arch/x86/kernel/head32.c | 4 - arch/x86/kernel/module.c | 6 + arch/x86/kernel/static_call.c | 4 +- arch/x86/kernel/vmlinux.lds.S | 10 + arch/x86/kvm/smm.c | 1 + arch/x86/kvm/svm/svm.c | 4 + arch/x86/kvm/x86.c | 4 +- arch/x86/lib/retpoline.S | 39 ++++ arch/x86/mm/tlb.c | 23 ++- arch/x86/net/bpf_jit_comp.c | 58 +++++- drivers/accel/ivpu/ivpu_hw.c | 2 +- drivers/base/cpu.c | 3 + drivers/block/loop.c | 104 ++++++---- drivers/bluetooth/btmtk.c | 12 +- drivers/clocksource/i8253.c | 4 +- drivers/firmware/arm_scmi/driver.c | 13 +- drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h | 1 - drivers/gpu/drm/amd/amdgpu/hdp_v4_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/hdp_v5_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/hdp_v5_2.c | 12 +- drivers/gpu/drm/amd/amdgpu/hdp_v6_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/hdp_v7_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c | 1 + drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c | 1 + drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 1 + drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 4 +- drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c | 1 + drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c | 1 + drivers/gpu/drm/amd/amdgpu/vcn_v5_0_0.c | 3 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 36 ++-- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 28 ++- .../amd/display/dc/dml2/dml2_translation_helper.c | 14 +- drivers/gpu/drm/panel/panel-simple.c | 25 +-- drivers/gpu/drm/v3d/v3d_sched.c | 28 ++- drivers/gpu/drm/xe/tests/xe_mocs.c | 21 +- drivers/gpu/drm/xe/xe_gt_pagefault.c | 11 +- drivers/iio/accel/adis16201.c | 4 +- drivers/iio/accel/adxl355_core.c | 2 +- drivers/iio/accel/adxl367.c | 10 +- drivers/iio/adc/ad7606_spi.c | 2 +- drivers/iio/adc/dln2-adc.c | 2 +- drivers/iio/adc/rockchip_saradc.c | 17 +- drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c | 2 +- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 6 + drivers/iio/temperature/maxim_thermocouple.c | 2 +- drivers/input/joystick/xpad.c | 40 ++-- drivers/input/keyboard/mtk-pmic-keys.c | 4 +- drivers/input/mouse/synaptics.c | 5 + drivers/input/touchscreen/cyttsp5.c | 7 +- drivers/md/dm-table.c | 3 +- drivers/net/can/m_can/m_can.c | 3 +- drivers/net/can/rockchip/rockchip_canfd-core.c | 2 +- drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 42 +++- drivers/net/dsa/b53/b53_common.c | 213 +++++++++++++++------ drivers/net/dsa/b53/b53_priv.h | 3 + drivers/net/dsa/bcm_sf2.c | 1 + drivers/net/ethernet/intel/ice/ice_adapter.c | 39 ++-- drivers/net/ethernet/intel/ice/ice_adapter.h | 6 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 19 +- drivers/net/ethernet/meta/fbnic/fbnic_csr.h | 2 + drivers/net/ethernet/meta/fbnic/fbnic_fw.c | 180 +++++++++-------- drivers/net/ethernet/meta/fbnic/fbnic_mac.c | 6 - drivers/net/virtio_net.c | 61 ++++++ drivers/nvme/host/core.c | 3 +- drivers/pci/hotplug/s390_pci_hpc.c | 1 - drivers/staging/axis-fifo/axis-fifo.c | 14 +- drivers/staging/iio/adc/ad7816.c | 2 +- .../vc04_services/bcm2835-camera/bcm2835-camera.c | 1 + drivers/usb/cdns3/cdnsp-gadget.c | 31 +++ drivers/usb/cdns3/cdnsp-gadget.h | 6 + drivers/usb/cdns3/cdnsp-pci.c | 12 +- drivers/usb/cdns3/cdnsp-ring.c | 3 +- drivers/usb/cdns3/core.h | 3 + drivers/usb/class/usbtmc.c | 59 +++--- drivers/usb/dwc3/core.h | 4 + drivers/usb/dwc3/gadget.c | 60 +++--- drivers/usb/gadget/composite.c | 12 +- drivers/usb/gadget/function/f_ecm.c | 7 + drivers/usb/gadget/udc/tegra-xudc.c | 4 + drivers/usb/host/uhci-platform.c | 2 +- drivers/usb/host/xhci-tegra.c | 3 + drivers/usb/misc/onboard_usb_dev.c | 10 +- drivers/usb/typec/tcpm/tcpm.c | 2 +- drivers/usb/typec/ucsi/displayport.c | 2 + drivers/vfio/pci/vfio_pci_core.c | 12 +- drivers/xen/swiotlb-xen.c | 1 + drivers/xen/xenbus/xenbus.h | 2 + drivers/xen/xenbus/xenbus_comms.c | 9 +- drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +- drivers/xen/xenbus/xenbus_xs.c | 18 +- fs/btrfs/volumes.c | 91 +-------- fs/erofs/fileio.c | 4 +- fs/erofs/zdata.c | 29 ++- fs/namespace.c | 3 +- fs/ocfs2/journal.c | 80 +++++--- fs/ocfs2/journal.h | 1 + fs/ocfs2/ocfs2.h | 17 +- fs/ocfs2/quota_local.c | 9 +- fs/ocfs2/suballoc.c | 38 +++- fs/ocfs2/suballoc.h | 1 + fs/ocfs2/super.c | 3 + fs/smb/client/cached_dir.c | 10 +- fs/smb/server/oplock.c | 7 +- fs/smb/server/smb2pdu.c | 5 + fs/smb/server/vfs.c | 7 + fs/smb/server/vfs_cache.c | 33 +++- fs/userfaultfd.c | 28 ++- include/linux/cpu.h | 2 + include/linux/execmem.h | 3 + include/linux/ieee80211.h | 2 +- include/linux/module.h | 5 + include/linux/types.h | 3 +- include/linux/vmalloc.h | 1 + include/net/netdev_queues.h | 6 + include/uapi/linux/types.h | 1 + init/Kconfig | 3 + io_uring/io_uring.c | 58 +++--- io_uring/sqpoll.c | 2 +- kernel/params.c | 4 +- kernel/sched/fair.c | 4 +- mm/huge_memory.c | 11 +- mm/internal.h | 27 ++- mm/memblock.c | 9 +- mm/page_alloc.c | 159 +++++++++------ mm/vmalloc.c | 31 ++- net/can/gw.c | 151 +++++++++------ net/core/filter.c | 1 + net/core/netdev-genl.c | 69 +++++-- net/ipv6/addrconf.c | 15 +- net/mac80211/mlme.c | 12 +- net/netfilter/ipset/ip_set_hash_gen.h | 2 +- net/netfilter/ipvs/ip_vs_xmit.c | 27 +-- net/openvswitch/actions.c | 3 +- net/sched/sch_htb.c | 15 +- net/wireless/scan.c | 2 +- rust/bindings/lib.rs | 1 + rust/kernel/alloc/kvec.rs | 3 + rust/kernel/list.rs | 3 + rust/kernel/str.rs | 46 ++--- rust/macros/module.rs | 19 +- rust/macros/pinned_drop.rs | 3 +- rust/uapi/lib.rs | 1 + tools/objtool/check.c | 1 + tools/testing/selftests/Makefile | 1 + tools/testing/selftests/mm/compaction_test.c | 19 +- tools/testing/selftests/mm/pkey-powerpc.h | 12 +- tools/testing/selftests/x86/bugs/Makefile | 3 + tools/testing/selftests/x86/bugs/common.py | 164 ++++++++++++++++ .../selftests/x86/bugs/its_indirect_alignment.py | 150 +++++++++++++++ .../testing/selftests/x86/bugs/its_permutations.py | 109 +++++++++++ .../selftests/x86/bugs/its_ret_alignment.py | 139 ++++++++++++++ tools/testing/selftests/x86/bugs/its_sysfs.py | 65 +++++++ 191 files changed, 3250 insertions(+), 1134 deletions(-)

1 month, 3 weeks

10
193
0 0

[PATCH v2] dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status()

by Qiu-ji Chen

Fix a potential deadlock bug. Observe that in the mtk-cqdma.c file, functions like mtk_cqdma_issue_pending() and mtk_cqdma_free_active_desc() properly acquire the pc lock before the vc lock when handling pc and vc fields. However, mtk_cqdma_tx_status() violates this order by first acquiring the vc lock before invoking mtk_cqdma_find_active_desc(), which subsequently takes the pc lock. This reversed locking sequence (vc → pc) contradicts the established pc → vc order and creates deadlock risks. Fix the issue by moving the vc lock acquisition code from mtk_cqdma_find_active_desc() to mtk_cqdma_tx_status(). Ensure the pc lock is acquired before the vc lock in the calling function to maintain correct locking hierarchy. Note that since mtk_cqdma_find_active_desc() is a static function with only one caller (mtk_cqdma_tx_status()), this modification safely eliminates the deadlock possibility without affecting other components. This possible bug is found by an experimental static analysis tool developed by our team. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including deadlocks, data races and atomicity violations. Fixes: b1f01e48df5a ("dmaengine: mediatek: Add MediaTek Command-Queue DMA controller for MT6765 SoC") Cc: stable(a)vger.kernel.org Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> --- V2: Revised the fix approach and updated the description to address the reduced protection scope of the vc lock in the V1 solution. --- drivers/dma/mediatek/mtk-cqdma.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/dma/mediatek/mtk-cqdma.c b/drivers/dma/mediatek/mtk-cqdma.c index d5ddb4e30e71..e35271ac1eed 100644 --- a/drivers/dma/mediatek/mtk-cqdma.c +++ b/drivers/dma/mediatek/mtk-cqdma.c @@ -422,13 +422,10 @@ static struct virt_dma_desc *mtk_cqdma_find_active_desc(struct dma_chan *c, struct virt_dma_desc *vd; unsigned long flags; - spin_lock_irqsave(&cvc->pc->lock, flags); list_for_each_entry(vd, &cvc->pc->queue, node) if (vd->tx.cookie == cookie) { - spin_unlock_irqrestore(&cvc->pc->lock, flags); return vd; } - spin_unlock_irqrestore(&cvc->pc->lock, flags); list_for_each_entry(vd, &cvc->vc.desc_issued, node) if (vd->tx.cookie == cookie) @@ -452,9 +449,11 @@ static enum dma_status mtk_cqdma_tx_status(struct dma_chan *c, if (ret == DMA_COMPLETE || !txstate) return ret; + spin_lock_irqsave(&cvc->pc->lock, flags); spin_lock_irqsave(&cvc->vc.lock, flags); vd = mtk_cqdma_find_active_desc(c, cookie); spin_unlock_irqrestore(&cvc->vc.lock, flags); + spin_unlock_irqrestore(&cvc->pc->lock, flags); if (vd) { cvd = to_cqdma_vdesc(vd); -- 2.34.1

1 month, 3 weeks

3
2
0 0

[PATCH] ASoC: Intel: avs: Add null pointer check for es8366

by Wentao Liang

The avs_card_suspend_pre() and avs_card_resume_post() in es8336 calls the snd_soc_card_get_codec_dai(), but does not check its return value which is a null pointer if the function fails. This can result in a null pointer dereference. A proper implementation can be found in acp5x_nau8821_hw_params() and card_suspend_pre(). Add a null pointer check for snd_soc_card_get_codec_dai() to avoid null pointer dereference when the function fails. Fixes: 32e40c8d6ff9 ("ASoC: Intel: avs: Add es8336 machine board") Cc: stable(a)vger.kernel.org # v6.6 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- sound/soc/intel/avs/boards/es8336.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sound/soc/intel/avs/boards/es8336.c b/sound/soc/intel/avs/boards/es8336.c index 426ce37105ae..e31cc656f076 100644 --- a/sound/soc/intel/avs/boards/es8336.c +++ b/sound/soc/intel/avs/boards/es8336.c @@ -243,6 +243,9 @@ static int avs_card_suspend_pre(struct snd_soc_card *card) { struct snd_soc_dai *codec_dai = snd_soc_card_get_codec_dai(card, ES8336_CODEC_DAI); + if (!codec_dai) + return -EINVAL; + return snd_soc_component_set_jack(codec_dai->component, NULL, NULL); } @@ -251,6 +254,9 @@ static int avs_card_resume_post(struct snd_soc_card *card) struct snd_soc_dai *codec_dai = snd_soc_card_get_codec_dai(card, ES8336_CODEC_DAI); struct avs_card_drvdata *data = snd_soc_card_get_drvdata(card); + if (!codec_dai) + return -EINVAL; + return snd_soc_component_set_jack(codec_dai->component, &data->jack, NULL); } -- 2.42.0.windows.2

1 month, 3 weeks

2
1
0 0

[for-linus][PATCH 4/4] ring-buffer: Fix persistent buffer when commit page is the reader page

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> The ring buffer is made up of sub buffers (sometimes called pages as they are by default PAGE_SIZE). It has the following "pages": "tail page" - this is the page that the next write will write to "head page" - this is the page that the reader will swap the reader page with. "reader page" - This belongs to the reader, where it will swap the head page from the ring buffer so that the reader does not race with the writer. The writer may end up on the "reader page" if the ring buffer hasn't written more than one page, where the "tail page" and the "head page" are the same. The persistent ring buffer has meta data that points to where these pages exist so on reboot it can re-create the pointers to the cpu_buffer descriptor. But when the commit page is on the reader page, the logic is incorrect. The check to see if the commit page is on the reader page checked if the head page was the reader page, which would never happen, as the head page is always in the ring buffer. The correct check would be to test if the commit page is on the reader page. If that's the case, then it can exit out early as the commit page is only on the reader page when there's only one page of data in the buffer. There's no reason to iterate the ring buffer pages to find the "commit page" as it is already found. To trigger this bug: # echo 1 > /sys/kernel/tracing/instances/boot_mapped/events/syscalls/sys_enter_fchownat/enable # touch /tmp/x # chown sshd /tmp/x # reboot On boot up, the dmesg will have: Ring buffer meta [0] is from previous boot! Ring buffer meta [1] is from previous boot! Ring buffer meta [2] is from previous boot! Ring buffer meta [3] is from previous boot! Ring buffer meta [4] commit page not found Ring buffer meta [5] is from previous boot! Ring buffer meta [6] is from previous boot! Ring buffer meta [7] is from previous boot! Where the buffer on CPU 4 had a "commit page not found" error and that buffer is cleared and reset causing the output to be empty and the data lost. When it works correctly, it has: # cat /sys/kernel/tracing/instances/boot_mapped/trace_pipe <...>-1137 [004] ..... 998.205323: sys_enter_fchownat: __syscall_nr=0x104 (260) dfd=0xffffff9c (4294967196) filename=(0xffffc90000a0002c) user=0x3e8 (1000) group=0xffffffff (4294967295) flag=0x0 (0 Cc: stable(a)vger.kernel.org Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Link: https://lore.kernel.org/20250513115032.3e0b97f7@gandalf.local.home Fixes: 5f3b6e839f3ce ("ring-buffer: Validate boot range memory events") Reported-by: Tasos Sahanidis <tasos(a)tasossah.com> Tested-by: Tasos Sahanidis <tasos(a)tasossah.com> Reviewed-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/ring_buffer.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c index c0f877d39a24..3f9bf562beea 100644 --- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -1887,10 +1887,12 @@ static void rb_meta_validate_events(struct ring_buffer_per_cpu *cpu_buffer) head_page = cpu_buffer->head_page; - /* If both the head and commit are on the reader_page then we are done. */ - if (head_page == cpu_buffer->reader_page && - head_page == cpu_buffer->commit_page) + /* If the commit_buffer is the reader page, update the commit page */ + if (meta->commit_buffer == (unsigned long)cpu_buffer->reader_page->page) { + cpu_buffer->commit_page = cpu_buffer->reader_page; + /* Nothing more to do, the only page is the reader page */ goto done; + } /* Iterate until finding the commit page */ for (i = 0; i < meta->nr_subbufs + 1; i++, rb_inc_page(&head_page)) { -- 2.47.2

1 month, 3 weeks

1
0
0 0

[for-linus][PATCH 3/4] ftrace: Fix preemption accounting for stacktrace filter command

by Steven Rostedt

From: pengdonglin <pengdonglin(a)xiaomi.com> The preemption count of the stacktrace filter command to trace ksys_read is consistently incorrect: $ echo ksys_read:stacktrace > set_ftrace_filter <...>-453 [004] ...1. 38.308956: <stack trace> => ksys_read => do_syscall_64 => entry_SYSCALL_64_after_hwframe The root cause is that the trace framework disables preemption when invoking the filter command callback in function_trace_probe_call: preempt_disable_notrace(); probe_ops->func(ip, parent_ip, probe_opsbe->tr, probe_ops, probe->data); preempt_enable_notrace(); Use tracing_gen_ctx_dec() to account for the preempt_disable_notrace(), which will output the correct preemption count: $ echo ksys_read:stacktrace > set_ftrace_filter <...>-410 [006] ..... 31.420396: <stack trace> => ksys_read => do_syscall_64 => entry_SYSCALL_64_after_hwframe Cc: stable(a)vger.kernel.org Fixes: 36590c50b2d07 ("tracing: Merge irqflags + preempt counter.") Link: https://lore.kernel.org/20250512094246.1167956-2-dolinux.peng@gmail.com Signed-off-by: pengdonglin <dolinux.peng(a)gmail.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace_functions.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/kernel/trace/trace_functions.c b/kernel/trace/trace_functions.c index 98ccf3f00c51..4e37a0f6aaa3 100644 --- a/kernel/trace/trace_functions.c +++ b/kernel/trace/trace_functions.c @@ -633,11 +633,7 @@ ftrace_traceoff(unsigned long ip, unsigned long parent_ip, static __always_inline void trace_stack(struct trace_array *tr) { - unsigned int trace_ctx; - - trace_ctx = tracing_gen_ctx(); - - __trace_stack(tr, trace_ctx, FTRACE_STACK_SKIP); + __trace_stack(tr, tracing_gen_ctx_dec(), FTRACE_STACK_SKIP); } static void -- 2.47.2

1 month, 3 weeks

1
0
0 0

[for-linus][PATCH 2/4] ftrace: Fix preemption acounting for stacktrace trigger command

by Steven Rostedt

From: pengdonglin <pengdonglin(a)xiaomi.com> When using the stacktrace trigger command to trace syscalls, the preemption count was consistently reported as 1 when the system call event itself had 0 ("."). For example: root@ubuntu22-vm:/sys/kernel/tracing/events/syscalls/sys_enter_read $ echo stacktrace > trigger $ echo 1 > enable sshd-416 [002] ..... 232.864910: sys_read(fd: a, buf: 556b1f3221d0, count: 8000) sshd-416 [002] ...1. 232.864913: <stack trace> => ftrace_syscall_enter => syscall_trace_enter => do_syscall_64 => entry_SYSCALL_64_after_hwframe The root cause is that the trace framework disables preemption in __DO_TRACE before invoking the trigger callback. Use the tracing_gen_ctx_dec() that will accommodate for the increase of the preemption count in __DO_TRACE when calling the callback. The result is the accurate reporting of: sshd-410 [004] ..... 210.117660: sys_read(fd: 4, buf: 559b725ba130, count: 40000) sshd-410 [004] ..... 210.117662: <stack trace> => ftrace_syscall_enter => syscall_trace_enter => do_syscall_64 => entry_SYSCALL_64_after_hwframe Cc: stable(a)vger.kernel.org Fixes: ce33c845b030c ("tracing: Dump stacktrace trigger to the corresponding instance") Link: https://lore.kernel.org/20250512094246.1167956-1-dolinux.peng@gmail.com Signed-off-by: pengdonglin <dolinux.peng(a)gmail.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace_events_trigger.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c index b66b6d235d91..6e87ae2a1a66 100644 --- a/kernel/trace/trace_events_trigger.c +++ b/kernel/trace/trace_events_trigger.c @@ -1560,7 +1560,7 @@ stacktrace_trigger(struct event_trigger_data *data, struct trace_event_file *file = data->private_data; if (file) - __trace_stack(file->tr, tracing_gen_ctx(), STACK_SKIP); + __trace_stack(file->tr, tracing_gen_ctx_dec(), STACK_SKIP); else trace_dump_stack(STACK_SKIP); } -- 2.47.2

1 month, 3 weeks

1
0
0 0

[for-linus][PATCH 1/4] tracing: samples: Initialize trace_array_printk() with the correct function

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> When using trace_array_printk() on a created instance, the correct function to use to initialize it is: trace_array_init_printk() Not trace_printk_init_buffer() The former is a proper function to use, the latter is for initializing trace_printk() and causes the NOTICE banner to be displayed. Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Divya Indi <divya.indi(a)oracle.com> Link: https://lore.kernel.org/20250509152657.0f6744d9@gandalf.local.home Fixes: 89ed42495ef4a ("tracing: Sample module to demonstrate kernel access to Ftrace instances.") Fixes: 38ce2a9e33db6 ("tracing: Add trace_array_init_printk() to initialize instance trace_printk() buffers") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- samples/ftrace/sample-trace-array.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/samples/ftrace/sample-trace-array.c b/samples/ftrace/sample-trace-array.c index dac67c367457..4147616102f9 100644 --- a/samples/ftrace/sample-trace-array.c +++ b/samples/ftrace/sample-trace-array.c @@ -112,7 +112,7 @@ static int __init sample_trace_array_init(void) /* * If context specific per-cpu buffers havent already been allocated. */ - trace_printk_init_buffers(); + trace_array_init_printk(tr); simple_tsk = kthread_run(simple_thread, NULL, "sample-instance"); if (IS_ERR(simple_tsk)) { -- 2.47.2

1 month, 3 weeks

1
0
0 0

[PATCH] usb: Flush altsetting 0 endpoints before reinitializating them after reset.

by Mathias Nyman

usb core avoids sending a Set-Interface altsetting 0 request after device reset, and instead relies on calling usb_disable_interface() and usb_enable_interface() to flush and reset host-side of those endpoints. xHCI hosts allocate and set up endpoint ring buffers and host_ep->hcpriv during usb_hcd_alloc_bandwidth() callback, which in this case is called before flushing the endpoint in usb_disable_interface(). Call usb_disable_interface() before usb_hcd_alloc_bandwidth() to ensure URBs are flushed before new ring buffers for the endpoints are allocated. Otherwise host driver will attempt to find and remove old stale URBs from a freshly allocated new ringbuffer. Cc: stable(a)vger.kernel.org Fixes: 4fe0387afa89 ("USB: don't send Set-Interface after reset") Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/core/hub.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c index 0e1dd6ef60a7..9f19fc7494e0 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -6133,6 +6133,7 @@ static int usb_reset_and_verify_device(struct usb_device *udev) struct usb_hub *parent_hub; struct usb_hcd *hcd = bus_to_hcd(udev->bus); struct usb_device_descriptor descriptor; + struct usb_interface *intf; struct usb_host_bos *bos; int i, j, ret = 0; int port1 = udev->portnum; @@ -6190,6 +6191,18 @@ static int usb_reset_and_verify_device(struct usb_device *udev) if (!udev->actconfig) goto done; + /* + * Some devices can't handle setting default altsetting 0 with a + * Set-Interface request. Disable host-side endpoints of those + * interfaces here. Enable and reset them back after host has set + * its internal endpoint structures during usb_hcd_alloc_bandwith() + */ + for (i = 0; i < udev->actconfig->desc.bNumInterfaces; i++) { + intf = udev->actconfig->interface[i]; + if (intf->cur_altsetting->desc.bAlternateSetting == 0) + usb_disable_interface(udev, intf, true); + } + mutex_lock(hcd->bandwidth_mutex); ret = usb_hcd_alloc_bandwidth(udev, udev->actconfig, NULL, NULL); if (ret < 0) { @@ -6221,12 +6234,11 @@ static int usb_reset_and_verify_device(struct usb_device *udev) */ for (i = 0; i < udev->actconfig->desc.bNumInterfaces; i++) { struct usb_host_config *config = udev->actconfig; - struct usb_interface *intf = config->interface[i]; struct usb_interface_descriptor *desc; + intf = config->interface[i]; desc = &intf->cur_altsetting->desc; if (desc->bAlternateSetting == 0) { - usb_disable_interface(udev, intf, true); usb_enable_interface(udev, intf, true); ret = 0; } else { -- 2.43.0

1 month, 3 weeks

1
0
0 0

[PATCH] ACPI: PPTT: Fix processor subtable walk

by Jeremy Linton

The original PPTT code had a bug where the processor subtable length was not correctly validated when encountering a truncated acpi_pptt_processor node. Commit 7ab4f0e37a0f4 ("ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls") attempted to fix this by validating the size is as large as the acpi_pptt_processor node structure. This introduced a regression where the last processor node in the PPTT table is ignored if it doesn't contain any private resources. That results errors like: ACPI PPTT: PPTT table found, but unable to locate core XX (XX) ACPI: SPE must be homogeneous Furthermore, it fail in a common case where the node length isn't equal to the acpi_pptt_processor structure size, leaving the original bug in a modified form. Correct the regression by adjusting the loop termination conditions as suggested by the bug reporters. An additional check performed after the subtable node type is detected, validates the acpi_pptt_processor node is fully contained in the PPTT table. Repeating the check in acpi_pptt_leaf_node() is largely redundant as the node is already known to be fully contained in the table. The case where a final truncated node's parent property is accepted, but the node itself is rejected should not be considered a bug. Fixes: 7ab4f0e37a0f4 ("ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls") Reported-by: Maximilian Heyne <mheyne(a)amazon.de> Closes: https://lore.kernel.org/linux-acpi/20250506-draco-taped-15f475cd@mheyne-ama… Reported-by: Yicong Yang <yangyicong(a)hisilicon.com> Closes: https://lore.kernel.org/linux-acpi/20250507035124.28071-1-yangyicong@huawei… Signed-off-by: Jeremy Linton <jeremy.linton(a)arm.com> Cc: Jean-Marc Eurin <jmeurin(a)google.com> Cc: <stable(a)vger.kernel.org> --- drivers/acpi/pptt.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/acpi/pptt.c b/drivers/acpi/pptt.c index f73ce6e13065..54676e3d82dd 100644 --- a/drivers/acpi/pptt.c +++ b/drivers/acpi/pptt.c @@ -231,16 +231,18 @@ static int acpi_pptt_leaf_node(struct acpi_table_header *table_hdr, sizeof(struct acpi_table_pptt)); proc_sz = sizeof(struct acpi_pptt_processor); - while ((unsigned long)entry + proc_sz < table_end) { + /* ignore subtable types that are smaller than a processor node */ + while ((unsigned long)entry + proc_sz <= table_end) { cpu_node = (struct acpi_pptt_processor *)entry; + if (entry->type == ACPI_PPTT_TYPE_PROCESSOR && cpu_node->parent == node_entry) return 0; if (entry->length == 0) return 0; + entry = ACPI_ADD_PTR(struct acpi_subtable_header, entry, entry->length); - } return 1; } @@ -273,15 +275,18 @@ static struct acpi_pptt_processor *acpi_find_processor_node(struct acpi_table_he proc_sz = sizeof(struct acpi_pptt_processor); /* find the processor structure associated with this cpuid */ - while ((unsigned long)entry + proc_sz < table_end) { + while ((unsigned long)entry + proc_sz <= table_end) { cpu_node = (struct acpi_pptt_processor *)entry; if (entry->length == 0) { pr_warn("Invalid zero length subtable\n"); break; } + /* entry->length may not equal proc_sz, revalidate the processor structure length */ if (entry->type == ACPI_PPTT_TYPE_PROCESSOR && acpi_cpu_id == cpu_node->acpi_processor_id && + (unsigned long)entry + entry->length <= table_end && + entry->length == proc_sz + cpu_node->number_of_priv_resources * sizeof(u32) && acpi_pptt_leaf_node(table_hdr, cpu_node)) { return (struct acpi_pptt_processor *)entry; } -- 2.49.0

1 month, 3 weeks

6
5
0 0

6.14.7-rc1: undefined reference to `__x86_indirect_its_thunk_array' when CONFIG_CPU_MITIGATIONS is off

by Holger Hoffstätte

While trying to build 6.14.7-rc1 with CONFIG_CPU_MITIGATIONS unset: LD .tmp_vmlinux1 ld: arch/x86/net/bpf_jit_comp.o: in function `emit_indirect_jump': /tmp/linux-6.14.7/arch/x86/net/bpf_jit_comp.c:660:(.text+0x97e): undefined reference to `__x86_indirect_its_thunk_array' make[2]: *** [scripts/Makefile.vmlinux:77: vmlinux] Error 1 make[1]: *** [/tmp/linux-6.14.7/Makefile:1234: vmlinux] Error 2 make: *** [Makefile:251: __sub-make] Error 2 - applying 9f35e33144ae aka "x86/its: Fix build errors when CONFIG_MODULES=n" did not help - mainline at 9f35e33144ae does not have this problem (same config) Are we missing a commit in stable? I temporarily threw "if (IS_ENABLED(CONFIG_MITIGATION_ITS))" around the problematic feature check and that made it work, but I get the feeling that cpu_feature_enabled(X86_FEATURE_INDIRECT_THUNK_ITS) is implemented differently than the other feature checks and/or is missing something. thanks Holger

1 month, 3 weeks

4
5
0 0

[PATCH] ASoC: amd: acp: Add null pointer check in acp_max98388_hw_paramsi()

by Wentao Liang

The acp_max98388_hw_params() calls the snd_soc_card_get_codec_dai(), but does not check its return value which is a null pointer if the function fails. This can result in a null pointer dereference. Add a null pointer check for snd_soc_card_get_codec_dai() to avoid null pointer dereference when the function fails. Fixes: ac91c8c89782 ("ASoC: amd: acp: Add machine driver support for max98388 codec") Cc: stable(a)vger.kernel.org # v6.6 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- sound/soc/amd/acp/acp-mach-common.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sound/soc/amd/acp/acp-mach-common.c b/sound/soc/amd/acp/acp-mach-common.c index f7602c1769bf..a795cc1836cc 100644 --- a/sound/soc/amd/acp/acp-mach-common.c +++ b/sound/soc/amd/acp/acp-mach-common.c @@ -918,6 +918,9 @@ static int acp_max98388_hw_params(struct snd_pcm_substream *substream, MAX98388_CODEC_DAI); int ret; + if (codec_dai) + return -EINVAL; + ret = snd_soc_dai_set_fmt(codec_dai, SND_SOC_DAIFMT_CBS_CFS | SND_SOC_DAIFMT_I2S | SND_SOC_DAIFMT_NB_NF); -- 2.42.0.windows.2

1 month, 3 weeks

1
0
0 0

[PATCH v2 RESEND] phy: Fix error handling in tegra_xusb_port_init

by Ma Ke

If device_add() fails, do not use device_unregister() for error handling. device_unregister() consists two functions: device_del() and put_device(). device_unregister() should only be called after device_add() succeeded because device_del() undoes what device_add() does if successful. Change device_unregister() to put_device() call before returning from the function. As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 53d2a715c240 ("phy: Add Tegra XUSB pad controller support") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - modified the bug description as suggestions. --- drivers/phy/tegra/xusb.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c index 79d4814d758d..c89df95aa6ca 100644 --- a/drivers/phy/tegra/xusb.c +++ b/drivers/phy/tegra/xusb.c @@ -548,16 +548,16 @@ static int tegra_xusb_port_init(struct tegra_xusb_port *port, err = dev_set_name(&port->dev, "%s-%u", name, index); if (err < 0) - goto unregister; + goto put_device; err = device_add(&port->dev); if (err < 0) - goto unregister; + goto put_device; return 0; -unregister: - device_unregister(&port->dev); +put_device: + put_device(&port->dev); return err; } -- 2.25.1

1 month, 3 weeks

3
3
0 0

[PATCH] ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2()

by Wentao Liang

The function snd_es1968_capture_open() calls the function snd_pcm_hw_constraint_pow2(), but does not check its return value. A proper implementation can be found in snd_cx25821_pcm_open(). Add error handling for snd_pcm_hw_constraint_pow2() and propagate its error code. Fixes: b942cf815b57 ("[ALSA] es1968 - Fix stuttering capture") Cc: stable(a)vger.kernel.org # v2.6.22 Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- sound/pci/es1968.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/sound/pci/es1968.c b/sound/pci/es1968.c index c6c018b40c69..4e0693f0ab0f 100644 --- a/sound/pci/es1968.c +++ b/sound/pci/es1968.c @@ -1561,7 +1561,7 @@ static int snd_es1968_capture_open(struct snd_pcm_substream *substream) struct snd_pcm_runtime *runtime = substream->runtime; struct es1968 *chip = snd_pcm_substream_chip(substream); struct esschan *es; - int apu1, apu2; + int err, apu1, apu2; apu1 = snd_es1968_alloc_apu_pair(chip, ESM_APU_PCM_CAPTURE); if (apu1 < 0) @@ -1605,7 +1605,9 @@ static int snd_es1968_capture_open(struct snd_pcm_substream *substream) runtime->hw = snd_es1968_capture; runtime->hw.buffer_bytes_max = runtime->hw.period_bytes_max = calc_available_memory_size(chip) - 1024; /* keep MIXBUF size */ - snd_pcm_hw_constraint_pow2(runtime, 0, SNDRV_PCM_HW_PARAM_BUFFER_BYTES); + err = snd_pcm_hw_constraint_pow2(runtime, 0, SNDRV_PCM_HW_PARAM_BUFFER_BYTES); + if (err < 0) + return err; spin_lock_irq(&chip->substream_lock); list_add(&es->list, &chip->substream_list); -- 2.42.0.windows.2

1 month, 3 weeks

2
1
0 0

[PATCH v2 2/2] fs: minix: Fix handling of corrupted directories

by Andrey Kriulin

If the directory is corrupted and the number of nlinks is less than 2 (valid nlinks have at least 2), then when the directory is deleted, the minix_rmdir will try to reduce the nlinks(unsigned int) to a negative value. Make nlinks validity check for directory in minix_lookup. Signed-off-by: Andrey Kriulin <kitotavrik.s(a)gmail.com> --- v2: Move nlinks validaty check to V[12]_minix_iget() per Jan Kara <jack(a)suse.cz> request. Change return error code to EUCLEAN. Don't block directory in r/o mode per Al Viro <viro(a)zeniv.linux.org.uk> request. fs/minix/inode.c | 16 ++++++++++++++++ fs/minix/namei.c | 7 +------ 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/fs/minix/inode.c b/fs/minix/inode.c index f007e389d5d2..d815397b8b0d 100644 --- a/fs/minix/inode.c +++ b/fs/minix/inode.c @@ -517,6 +517,14 @@ static struct inode *V1_minix_iget(struct inode *inode) iget_failed(inode); return ERR_PTR(-ESTALE); } + if (S_ISDIR(raw_inode->i_mode) && raw_inode->i_nlinks < 2) { + printk("MINIX-fs: inode directory with corrupted number of links"); + if (!sb_rdonly(inode->i_sb)) { + brelse(bh); + iget_failed(inode); + return ERR_PTR(-EUCLEAN); + } + } inode->i_mode = raw_inode->i_mode; i_uid_write(inode, raw_inode->i_uid); i_gid_write(inode, raw_inode->i_gid); @@ -555,6 +563,14 @@ static struct inode *V2_minix_iget(struct inode *inode) iget_failed(inode); return ERR_PTR(-ESTALE); } + if (S_ISDIR(raw_inode->i_mode) && raw_inode->i_nlinks < 2) { + printk("MINIX-fs: inode directory with corrupted number of links"); + if (!sb_rdonly(inode->i_sb)) { + brelse(bh); + iget_failed(inode); + return ERR_PTR(-EUCLEAN); + } + } inode->i_mode = raw_inode->i_mode; i_uid_write(inode, raw_inode->i_uid); i_gid_write(inode, raw_inode->i_gid); diff --git a/fs/minix/namei.c b/fs/minix/namei.c index 5717a56fa01a..8938536d8d3c 100644 --- a/fs/minix/namei.c +++ b/fs/minix/namei.c @@ -28,13 +28,8 @@ static struct dentry *minix_lookup(struct inode * dir, struct dentry *dentry, un return ERR_PTR(-ENAMETOOLONG); ino = minix_inode_by_name(dentry); - if (ino) { + if (ino) inode = minix_iget(dir->i_sb, ino); - if (S_ISDIR(inode->i_mode) && inode->i_nlink < 2) { - iput(inode); - return ERR_PTR(-EIO); - } - } return d_splice_alias(inode, dentry); } -- 2.47.2

1 month, 3 weeks

2
1
0 0

[PATCH v3] x86/sev: Do not touch VMSA pages during kdump of SNP guest memory

by Ashish Kalra

From: Ashish Kalra <ashish.kalra(a)amd.com> When kdump is running makedumpfile to generate vmcore and dumping SNP guest memory it touches the VMSA page of the vCPU executing kdump which then results in unrecoverable #NPF/RMP faults as the VMSA page is marked busy/in-use when the vCPU is running and subsequently causes guest softlockup/hang. Additionally other APs may be halted in guest mode and their VMSA pages are marked busy and touching these VMSA pages during guest memory dump will also cause #NPF. Issue AP_DESTROY GHCB calls on other APs to ensure they are kicked out of guest mode and then clear the VMSA bit on their VMSA pages. If the vCPU running kdump is an AP, mark it's VMSA page as offline to ensure that makedumpfile excludes that page while dumping guest memory. Cc: stable(a)vger.kernel.org Fixes: 3074152e56c9 ("x86/sev: Convert shared memory back to private on kexec") Signed-off-by: Ashish Kalra <ashish.kalra(a)amd.com> --- arch/x86/coco/sev/core.c | 241 +++++++++++++++++++++++++-------------- 1 file changed, 155 insertions(+), 86 deletions(-) diff --git a/arch/x86/coco/sev/core.c b/arch/x86/coco/sev/core.c index dcfaa698d6cf..f4eb5b645239 100644 --- a/arch/x86/coco/sev/core.c +++ b/arch/x86/coco/sev/core.c @@ -877,6 +877,99 @@ void snp_accept_memory(phys_addr_t start, phys_addr_t end) set_pages_state(vaddr, npages, SNP_PAGE_STATE_PRIVATE); } +static int vmgexit_ap_control(u64 event, struct sev_es_save_area *vmsa, u32 apic_id) +{ + struct ghcb_state state; + unsigned long flags; + struct ghcb *ghcb; + int ret = 0; + + local_irq_save(flags); + + ghcb = __sev_get_ghcb(&state); + + vc_ghcb_invalidate(ghcb); + if (event == SVM_VMGEXIT_AP_CREATE) + ghcb_set_rax(ghcb, vmsa->sev_features); + ghcb_set_sw_exit_code(ghcb, SVM_VMGEXIT_AP_CREATION); + ghcb_set_sw_exit_info_1(ghcb, + ((u64)apic_id << 32) | + ((u64)snp_vmpl << 16) | + event); + ghcb_set_sw_exit_info_2(ghcb, __pa(vmsa)); + + sev_es_wr_ghcb_msr(__pa(ghcb)); + VMGEXIT(); + + if (!ghcb_sw_exit_info_1_is_valid(ghcb) || + lower_32_bits(ghcb->save.sw_exit_info_1)) { + pr_err("SNP AP %s error\n", (event == SVM_VMGEXIT_AP_CREATE ? "CREATE" : "DESTROY")); + ret = -EINVAL; + } + + __sev_put_ghcb(&state); + + local_irq_restore(flags); + + return ret; +} + +static int snp_set_vmsa(void *va, void *caa, int apic_id, bool make_vmsa) +{ + int ret; + + if (snp_vmpl) { + struct svsm_call call = {}; + unsigned long flags; + + local_irq_save(flags); + + call.caa = this_cpu_read(svsm_caa); + call.rcx = __pa(va); + + if (make_vmsa) { + /* Protocol 0, Call ID 2 */ + call.rax = SVSM_CORE_CALL(SVSM_CORE_CREATE_VCPU); + call.rdx = __pa(caa); + call.r8 = apic_id; + } else { + /* Protocol 0, Call ID 3 */ + call.rax = SVSM_CORE_CALL(SVSM_CORE_DELETE_VCPU); + } + + ret = svsm_perform_call_protocol(&call); + + local_irq_restore(flags); + } else { + /* + * If the kernel runs at VMPL0, it can change the VMSA + * bit for a page using the RMPADJUST instruction. + * However, for the instruction to succeed it must + * target the permissions of a lesser privileged (higher + * numbered) VMPL level, so use VMPL1. + */ + u64 attrs = 1; + + if (make_vmsa) + attrs |= RMPADJUST_VMSA_PAGE_BIT; + + ret = rmpadjust((unsigned long)va, RMP_PG_SIZE_4K, attrs); + } + + return ret; +} + +static void snp_cleanup_vmsa(struct sev_es_save_area *vmsa, int apic_id) +{ + int err; + + err = snp_set_vmsa(vmsa, NULL, apic_id, false); + if (err) + pr_err("clear VMSA page failed (%u), leaking page\n", err); + else + free_page((unsigned long)vmsa); +} + static void set_pte_enc(pte_t *kpte, int level, void *va) { struct pte_enc_desc d = { @@ -973,6 +1066,65 @@ void snp_kexec_begin(void) pr_warn("Failed to stop shared<->private conversions\n"); } +/* + * Shutdown all APs except the one handling kexec/kdump and clearing + * the VMSA tag on AP's VMSA pages as they are not being used as + * VMSA page anymore. + */ +static void shutdown_all_aps(void) +{ + struct sev_es_save_area *vmsa; + int apic_id, this_cpu, cpu; + + this_cpu = get_cpu(); + + /* + * APs are already in HLT loop when enc_kexec_finish() callback + * is invoked. + */ + for_each_present_cpu(cpu) { + vmsa = per_cpu(sev_vmsa, cpu); + + /* + * BSP does not have guest allocated VMSA and there is no need + * to clear the VMSA tag for this page. + */ + if (!vmsa) + continue; + + /* + * Cannot clear the VMSA tag for the currently running vCPU. + */ + if (this_cpu == cpu) { + unsigned long pa; + struct page *p; + + pa = __pa(vmsa); + /* + * Mark the VMSA page of the running vCPU as offline + * so that is excluded and not touched by makedumpfile + * while generating vmcore during kdump. + */ + p = pfn_to_online_page(pa >> PAGE_SHIFT); + if (p) + __SetPageOffline(p); + continue; + } + + apic_id = cpuid_to_apicid[cpu]; + + /* + * Issue AP destroy to ensure AP gets kicked out of guest mode + * to allow using RMPADJUST to remove the VMSA tag on it's + * VMSA page. + */ + vmgexit_ap_control(SVM_VMGEXIT_AP_DESTROY, vmsa, apic_id); + snp_cleanup_vmsa(vmsa, apic_id); + } + + put_cpu(); +} + void snp_kexec_finish(void) { struct sev_es_runtime_data *data; @@ -987,6 +1139,8 @@ void snp_kexec_finish(void) if (!IS_ENABLED(CONFIG_KEXEC_CORE)) return; + shutdown_all_aps(); + unshare_all_memory(); /* @@ -1008,51 +1162,6 @@ void snp_kexec_finish(void) } } -static int snp_set_vmsa(void *va, void *caa, int apic_id, bool make_vmsa) -{ - int ret; - - if (snp_vmpl) { - struct svsm_call call = {}; - unsigned long flags; - - local_irq_save(flags); - - call.caa = this_cpu_read(svsm_caa); - call.rcx = __pa(va); - - if (make_vmsa) { - /* Protocol 0, Call ID 2 */ - call.rax = SVSM_CORE_CALL(SVSM_CORE_CREATE_VCPU); - call.rdx = __pa(caa); - call.r8 = apic_id; - } else { - /* Protocol 0, Call ID 3 */ - call.rax = SVSM_CORE_CALL(SVSM_CORE_DELETE_VCPU); - } - - ret = svsm_perform_call_protocol(&call); - - local_irq_restore(flags); - } else { - /* - * If the kernel runs at VMPL0, it can change the VMSA - * bit for a page using the RMPADJUST instruction. - * However, for the instruction to succeed it must - * target the permissions of a lesser privileged (higher - * numbered) VMPL level, so use VMPL1. - */ - u64 attrs = 1; - - if (make_vmsa) - attrs |= RMPADJUST_VMSA_PAGE_BIT; - - ret = rmpadjust((unsigned long)va, RMP_PG_SIZE_4K, attrs); - } - - return ret; -} - #define __ATTR_BASE (SVM_SELECTOR_P_MASK | SVM_SELECTOR_S_MASK) #define INIT_CS_ATTRIBS (__ATTR_BASE | SVM_SELECTOR_READ_MASK | SVM_SELECTOR_CODE_MASK) #define INIT_DS_ATTRIBS (__ATTR_BASE | SVM_SELECTOR_WRITE_MASK) @@ -1084,24 +1193,10 @@ static void *snp_alloc_vmsa_page(int cpu) return page_address(p + 1); } -static void snp_cleanup_vmsa(struct sev_es_save_area *vmsa, int apic_id) -{ - int err; - - err = snp_set_vmsa(vmsa, NULL, apic_id, false); - if (err) - pr_err("clear VMSA page failed (%u), leaking page\n", err); - else - free_page((unsigned long)vmsa); -} - static int wakeup_cpu_via_vmgexit(u32 apic_id, unsigned long start_ip) { struct sev_es_save_area *cur_vmsa, *vmsa; - struct ghcb_state state; struct svsm_ca *caa; - unsigned long flags; - struct ghcb *ghcb; u8 sipi_vector; int cpu, ret; u64 cr4; @@ -1215,33 +1310,7 @@ static int wakeup_cpu_via_vmgexit(u32 apic_id, unsigned long start_ip) } /* Issue VMGEXIT AP Creation NAE event */ - local_irq_save(flags); - - ghcb = __sev_get_ghcb(&state); - - vc_ghcb_invalidate(ghcb); - ghcb_set_rax(ghcb, vmsa->sev_features); - ghcb_set_sw_exit_code(ghcb, SVM_VMGEXIT_AP_CREATION); - ghcb_set_sw_exit_info_1(ghcb, - ((u64)apic_id << 32) | - ((u64)snp_vmpl << 16) | - SVM_VMGEXIT_AP_CREATE); - ghcb_set_sw_exit_info_2(ghcb, __pa(vmsa)); - - sev_es_wr_ghcb_msr(__pa(ghcb)); - VMGEXIT(); - - if (!ghcb_sw_exit_info_1_is_valid(ghcb) || - lower_32_bits(ghcb->save.sw_exit_info_1)) { - pr_err("SNP AP Creation error\n"); - ret = -EINVAL; - } - - __sev_put_ghcb(&state); - - local_irq_restore(flags); - - /* Perform cleanup if there was an error */ + ret = vmgexit_ap_control(SVM_VMGEXIT_AP_CREATE, vmsa, apic_id); if (ret) { snp_cleanup_vmsa(vmsa, apic_id); vmsa = NULL; -- 2.34.1

1 month, 3 weeks

6
8
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror May 2025