May 2025 - Linux-stable-mirror

[PATCH v3 0/4]{topost} dma-mapping: benchmark: Add support for dma_map_sg

by Qinxin Xia

Modify the framework to adapt to more map modes, add benchmark support for dma_map_sg, and add support sg map mode in ioctl. The result: [root@localhost]# ./dma_map_benchmark -m 1 -g 8 -t 8 -s 30 -d 2 dma mapping mode: DMA_MAP_SG_MODE dma mapping benchmark: threads:8 seconds:30 node:-1 dir:FROM_DEVICE granule/sg_nents: 8 average map latency(us):1.4 standard deviation:0.3 average unmap latency(us):1.3 standard deviation:0.3 [root@localhost]# ./dma_map_benchmark -m 0 -g 8 -t 8 -s 30 -d 2 dma mapping mode: DMA_MAP_SINGLE_MODE dma mapping benchmark: threads:8 seconds:30 node:-1 dir:FROM_DEVICE granule/sg_nents: 8 average map latency(us):1.0 standard deviation:0.3 average unmap latency(us):1.3 standard deviation:0.5 --- Changes since V2: - Address the comments from Barry and ALOK, some commit information and function input parameter names are modified to make them more accurate. - Link: https://lore.kernel.org/all/20250506030100.394376-1-xiaqinxin@huawei.com/ Changes since V1: - Address the comments from Barry, added some comments and changed the unmap type to void. - Link: https://lore.kernel.org/lkml/20250212022718.1995504-1-xiaqinxin@huawei.com/ Qinxin Xia (4): dma-mapping: benchmark: Add padding to ensure uABI remained consistent dma-mapping: benchmark: modify the framework to adapt to more map modes dma-mapping: benchmark: add support for dma_map_sg selftests/dma: Add dma_map_sg support include/linux/map_benchmark.h | 46 +++- kernel/dma/map_benchmark.c | 225 ++++++++++++++++-- .../testing/selftests/dma/dma_map_benchmark.c | 16 +- 3 files changed, 252 insertions(+), 35 deletions(-) -- 2.33.0

7 months, 3 weeks

3
7
0 0

[PATCH v3 0/4] clk: qcom: Add camera clock controller support for sc8180x

by Satya Priya Kakitapalli

This series adds support for camera clock controller base driver, bindings and DT support on sc8180x platform. Signed-off-by: Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> --- Changes in v3: - Drop Fixes tag in patch [1/4]. Dropped unused gpu_iref and aggre_ufs_card_2 clk bindings. - Move the allOf block below required block in bindings patch. - Remove the unused cam_cc_parent_data_7 and cam_cc_parent_map_7 in the driver patch. Reported by kernel test bot. - Link to v2: https://lore.kernel.org/r/20250430-sc8180x-camcc-support-v2-0-6bbb514f467c@… Changes in v2: - New patch [1/4] to add all the missing gcc bindings along with the required GCC_CAMERA_AHB_CLOCK - As per Konrad's comments, add the camera AHB clock dependency in the DT and yaml bindings. - As per Vladimir's comments, update the Kconfig to add the SC8180X config in correct alphanumerical order. - Link to v1: https://lore.kernel.org/r/20250422-sc8180x-camcc-support-v1-0-691614d13f06@… --- Satya Priya Kakitapalli (4): dt-bindings: clock: qcom: Add missing bindings on gcc-sc8180x dt-bindings: clock: Add Qualcomm SC8180X Camera clock controller clk: qcom: camcc-sc8180x: Add SC8180X camera clock controller driver arm64: dts: qcom: Add camera clock controller for sc8180x .../bindings/clock/qcom,sc8180x-camcc.yaml | 67 + arch/arm64/boot/dts/qcom/sc8180x.dtsi | 14 + drivers/clk/qcom/Kconfig | 10 + drivers/clk/qcom/Makefile | 1 + drivers/clk/qcom/camcc-sc8180x.c | 2889 ++++++++++++++++++++ include/dt-bindings/clock/qcom,gcc-sc8180x.h | 10 + include/dt-bindings/clock/qcom,sc8180x-camcc.h | 181 ++ 7 files changed, 3172 insertions(+) --- base-commit: bc8aa6cdadcc00862f2b5720e5de2e17f696a081 change-id: 20250422-sc8180x-camcc-support-9a82507d2a39 Best regards, -- Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com>

7 months, 3 weeks

2
2
0 0

FAILED: patch "[PATCH] mm, slab: clean up slab->obj_exts always" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x be8250786ca94952a19ce87f98ad9906448bc9ef # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025050521-crispy-study-e836@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From be8250786ca94952a19ce87f98ad9906448bc9ef Mon Sep 17 00:00:00 2001 From: Zhenhua Huang <quic_zhenhuah(a)quicinc.com> Date: Mon, 21 Apr 2025 15:52:32 +0800 Subject: [PATCH] mm, slab: clean up slab->obj_exts always When memory allocation profiling is disabled at runtime or due to an error, shutdown_mem_profiling() is called: slab->obj_exts which previously allocated remains. It won't be cleared by unaccount_slab() because of mem_alloc_profiling_enabled() not true. It's incorrect, slab->obj_exts should always be cleaned up in unaccount_slab() to avoid following error: [...]BUG: Bad page state in process... .. [...]page dumped because: page still charged to cgroup [andriy.shevchenko(a)linux.intel.com: fold need_slab_obj_ext() into its only user] Fixes: 21c690a349ba ("mm: introduce slabobj_ext to support slab object extensions") Cc: stable(a)vger.kernel.org Signed-off-by: Zhenhua Huang <quic_zhenhuah(a)quicinc.com> Acked-by: David Rientjes <rientjes(a)google.com> Acked-by: Harry Yoo <harry.yoo(a)oracle.com> Tested-by: Harry Yoo <harry.yoo(a)oracle.com> Acked-by: Suren Baghdasaryan <surenb(a)google.com> Link: https://patch.msgid.link/20250421075232.2165527-1-quic_zhenhuah@quicinc.com Signed-off-by: Vlastimil Babka <vbabka(a)suse.cz> diff --git a/mm/slub.c b/mm/slub.c index dc9e729e1d26..be8b09e09d30 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -2028,8 +2028,7 @@ int alloc_slab_obj_exts(struct slab *slab, struct kmem_cache *s, return 0; } -/* Should be called only if mem_alloc_profiling_enabled() */ -static noinline void free_slab_obj_exts(struct slab *slab) +static inline void free_slab_obj_exts(struct slab *slab) { struct slabobj_ext *obj_exts; @@ -2049,18 +2048,6 @@ static noinline void free_slab_obj_exts(struct slab *slab) slab->obj_exts = 0; } -static inline bool need_slab_obj_ext(void) -{ - if (mem_alloc_profiling_enabled()) - return true; - - /* - * CONFIG_MEMCG creates vector of obj_cgroup objects conditionally - * inside memcg_slab_post_alloc_hook. No other users for now. - */ - return false; -} - #else /* CONFIG_SLAB_OBJ_EXT */ static inline void init_slab_obj_exts(struct slab *slab) @@ -2077,11 +2064,6 @@ static inline void free_slab_obj_exts(struct slab *slab) { } -static inline bool need_slab_obj_ext(void) -{ - return false; -} - #endif /* CONFIG_SLAB_OBJ_EXT */ #ifdef CONFIG_MEM_ALLOC_PROFILING @@ -2129,7 +2111,7 @@ __alloc_tagging_slab_alloc_hook(struct kmem_cache *s, void *object, gfp_t flags) static inline void alloc_tagging_slab_alloc_hook(struct kmem_cache *s, void *object, gfp_t flags) { - if (need_slab_obj_ext()) + if (mem_alloc_profiling_enabled()) __alloc_tagging_slab_alloc_hook(s, object, flags); } @@ -2601,8 +2583,12 @@ static __always_inline void account_slab(struct slab *slab, int order, static __always_inline void unaccount_slab(struct slab *slab, int order, struct kmem_cache *s) { - if (memcg_kmem_online() || need_slab_obj_ext()) - free_slab_obj_exts(slab); + /* + * The slab object extensions should now be freed regardless of + * whether mem_alloc_profiling_enabled() or not because profiling + * might have been disabled after slab->obj_exts got allocated. + */ + free_slab_obj_exts(slab); mod_node_page_state(slab_pgdat(slab), cache_vmstat_idx(s), -(PAGE_SIZE << order));

7 months, 3 weeks

4
6
0 0

[PATCH net] net: qede: Initialize qede_ll_ops with designated initializer

by Nathan Chancellor

After a recent change [1] in clang's randstruct implementation to randomize structures that only contain function pointers, there is an error because qede_ll_ops get randomized but does not use a designated initializer for the first member: drivers/net/ethernet/qlogic/qede/qede_main.c:206:2: error: a randomized struct can only be initialized with a designated initializer 206 | { | ^ Explicitly initialize the common member using a designated initializer to fix the build. Cc: stable(a)vger.kernel.org Fixes: 035f7f87b729 ("randstruct: Enable Clang support") Link: https://github.com/llvm/llvm-project/commit/04364fb888eea6db9811510607bed4b… [1] Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- drivers/net/ethernet/qlogic/qede/qede_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/qlogic/qede/qede_main.c b/drivers/net/ethernet/qlogic/qede/qede_main.c index 99df00c30b8c..b5d744d2586f 100644 --- a/drivers/net/ethernet/qlogic/qede/qede_main.c +++ b/drivers/net/ethernet/qlogic/qede/qede_main.c @@ -203,7 +203,7 @@ static struct pci_driver qede_pci_driver = { }; static struct qed_eth_cb_ops qede_ll_ops = { - { + .common = { #ifdef CONFIG_RFS_ACCEL .arfs_filter_op = qede_arfs_filter_op, #endif --- base-commit: 9540984da649d46f699c47f28c68bbd3c9d99e4c change-id: 20250507-qede-fix-clang-randstruct-13d8c593cb58 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

7 months, 3 weeks

3
2
0 0

[PATCH] LoongArch: Prevent cond_resched() occurring within kernel-fpu

by Tianyang Zhang

When CONFIG_PREEMPT_COUNT is not configured (i.e. CONFIG_PREEMPT_NONE/ CONFIG_PREEMPT_VOLUNTARY), preempt_disable() / preempt_enable() merely acts as a barrier(). However, in these cases cond_resched() can still trigger a context switch and modify the CSR.EUEN, resulting in do_fpu() exception being activated within the kernel-fpu critical sections, as demonstrated in the following path: dcn32_calculate_wm_and_dlg() DC_FP_START() dcn32_calculate_wm_and_dlg_fpu() dcn32_find_dummy_latency_index_for_fw_based_mclk_switch() dcn32_internal_validate_bw() dcn32_enable_phantom_stream() dc_create_stream_for_sink() kzalloc(GFP_KERNEL) __kmem_cache_alloc_node() __cond_resched() DC_FP_END() This patch is similar to commit d021985 (x86/fpu: Improve crypto performance by making kernel-mode FPU reliably usable in softirqs). It uses local_bh_disable() instead of preempt_disable() for non-RT kernels so it can avoid the cond_resched() issue, and also extend the kernel-fpu application scenarios to the softirq context. Cc: stable(a)vger.kernel.org Signed-off-by: Tianyang Zhang <zhangtianyang(a)loongson.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- arch/loongarch/kernel/kfpu.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/arch/loongarch/kernel/kfpu.c b/arch/loongarch/kernel/kfpu.c index ec5b28e570c9..4e469b021cf4 100644 --- a/arch/loongarch/kernel/kfpu.c +++ b/arch/loongarch/kernel/kfpu.c @@ -18,11 +18,28 @@ static unsigned int euen_mask = CSR_EUEN_FPEN; static DEFINE_PER_CPU(bool, in_kernel_fpu); static DEFINE_PER_CPU(unsigned int, euen_current); +static inline void fpregs_lock(void) +{ + if (!IS_ENABLED(CONFIG_PREEMPT_RT)) + local_bh_disable(); + else + preempt_disable(); +} + +static inline void fpregs_unlock(void) +{ + if (!IS_ENABLED(CONFIG_PREEMPT_RT)) + local_bh_enable(); + else + preempt_enable(); +} + void kernel_fpu_begin(void) { unsigned int *euen_curr; - preempt_disable(); + if (!irqs_disabled()) + fpregs_lock(); WARN_ON(this_cpu_read(in_kernel_fpu)); @@ -73,7 +90,8 @@ void kernel_fpu_end(void) this_cpu_write(in_kernel_fpu, false); - preempt_enable(); + if (!irqs_disabled()) + fpregs_unlock(); } EXPORT_SYMBOL_GPL(kernel_fpu_end); -- 2.20.1

7 months, 3 weeks

1
0
0 0

Re: [PATCH] um: work around sched_yield not yielding in time-travel mode

by Sasha Levin

[ Sasha's backport helper bot ] Hi, Summary of potential issues: ⚠️ Found matching upstream commit but patch is missing proper reference to it Found matching upstream commit: 887c5c12e80c8424bd471122d2e8b6b462e12874 WARNING: Author mismatch between patch and found commit: Backport author: Benjamin Berg<benjamin(a)sipsolutions.net> Commit author: Benjamin Berg<benjamin.berg(a)intel.com> Note: The patch differs from the upstream commit: --- 1: 887c5c12e80c8 < -: ------------- um: work around sched_yield not yielding in time-travel mode -: ------------- > 1: aeaee199900ee Linux 6.14.5 --- Results of testing on various branches: | Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.14.y | Success | Success | | stable/linux-6.12.y | Success | Success | | stable/linux-6.6.y | Success | Success | | stable/linux-6.1.y | Success | Success | | stable/linux-5.15.y | Success | Success | | stable/linux-5.10.y | Success | Success | | stable/linux-5.4.y | Success | Success |

7 months, 3 weeks

1
0
0 0

[PATCH 6.6.y] btrfs: always fallback to buffered write if the inode requires checksum

by Qu Wenruo

commit 968f19c5b1b7d5595423b0ac0020cc18dfed8cb5 upstream. [BUG] It is a long known bug that VM image on btrfs can lead to data csum mismatch, if the qemu is using direct-io for the image (this is commonly known as cache mode 'none'). [CAUSE] Inside the VM, if the fs is EXT4 or XFS, or even NTFS from Windows, the fs is allowed to dirty/modify the folio even if the folio is under writeback (as long as the address space doesn't have AS_STABLE_WRITES flag inherited from the block device). This is a valid optimization to improve the concurrency, and since these filesystems have no extra checksum on data, the content change is not a problem at all. But the final write into the image file is handled by btrfs, which needs the content not to be modified during writeback, or the checksum will not match the data (checksum is calculated before submitting the bio). So EXT4/XFS/NTRFS assume they can modify the folio under writeback, but btrfs requires no modification, this leads to the false csum mismatch. This is only a controlled example, there are even cases where multi-thread programs can submit a direct IO write, then another thread modifies the direct IO buffer for whatever reason. For such cases, btrfs has no sane way to detect such cases and leads to false data csum mismatch. [FIX] I have considered the following ideas to solve the problem: - Make direct IO to always skip data checksum This not only requires a new incompatible flag, as it breaks the current per-inode NODATASUM flag. But also requires extra handling for no csum found cases. And this also reduces our checksum protection. - Let hardware handle all the checksum AKA, just nodatasum mount option. That requires trust for hardware (which is not that trustful in a lot of cases), and it's not generic at all. - Always fallback to buffered write if the inode requires checksum This was suggested by Christoph, and is the solution utilized by this patch. The cost is obvious, the extra buffer copying into page cache, thus it reduces the performance. But at least it's still user configurable, if the end user still wants the zero-copy performance, just set NODATASUM flag for the inode (which is a common practice for VM images on btrfs). Since we cannot trust user space programs to keep the buffer consistent during direct IO, we have no choice but always falling back to buffered IO. At least by this, we avoid the more deadly false data checksum mismatch error. CC: stable(a)vger.kernel.org # 6.6 Suggested-by: Christoph Hellwig <hch(a)infradead.org> Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Qu Wenruo <wqu(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> [ Fix a conflict due to the movement of the function. ] --- fs/btrfs/file.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c index e794606e7c78..f1456c745c6d 100644 --- a/fs/btrfs/file.c +++ b/fs/btrfs/file.c @@ -1515,6 +1515,23 @@ static ssize_t btrfs_direct_write(struct kiocb *iocb, struct iov_iter *from) goto buffered; } + /* + * We can't control the folios being passed in, applications can write + * to them while a direct IO write is in progress. This means the + * content might change after we calculated the data checksum. + * Therefore we can end up storing a checksum that doesn't match the + * persisted data. + * + * To be extra safe and avoid false data checksum mismatch, if the + * inode requires data checksum, just fallback to buffered IO. + * For buffered IO we have full control of page cache and can ensure + * no one is modifying the content during writeback. + */ + if (!(BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM)) { + btrfs_inode_unlock(BTRFS_I(inode), ilock_flags); + goto buffered; + } + /* * The iov_iter can be mapped to the same file range we are writing to. * If that's the case, then we will deadlock in the iomap code, because -- 2.49.0

7 months, 3 weeks

4
5
0 0

[PATCH] bcachefs: Change btree_insert_node() assertion to error

by Kent Overstreet

Debug for https://github.com/koverstreet/bcachefs/issues/843 Print useful debug info and go emergency read-only. (cherry picked from commit 63c3b8f616cc95bb1fcc6101c92485d41c535d7c) Signed-off-by: Kent Overstreet <kent.overstreet(a)linux.dev> --- fs/bcachefs/btree_update_interior.c | 17 ++++++++++++++++- fs/bcachefs/error.c | 8 ++++++++ fs/bcachefs/error.h | 2 ++ 3 files changed, 26 insertions(+), 1 deletion(-) diff --git a/fs/bcachefs/btree_update_interior.c b/fs/bcachefs/btree_update_interior.c index e4e7c804625e..e9be8b5571a4 100644 --- a/fs/bcachefs/btree_update_interior.c +++ b/fs/bcachefs/btree_update_interior.c @@ -35,6 +35,8 @@ static const char * const bch2_btree_update_modes[] = { NULL }; +static void bch2_btree_update_to_text(struct printbuf *, struct btree_update *); + static int bch2_btree_insert_node(struct btree_update *, struct btree_trans *, btree_path_idx_t, struct btree *, struct keylist *); static void bch2_btree_update_add_new_node(struct btree_update *, struct btree *); @@ -1782,11 +1784,24 @@ static int bch2_btree_insert_node(struct btree_update *as, struct btree_trans *t int ret; lockdep_assert_held(&c->gc_lock); - BUG_ON(!btree_node_intent_locked(path, b->c.level)); BUG_ON(!b->c.level); BUG_ON(!as || as->b); bch2_verify_keylist_sorted(keys); + if (!btree_node_intent_locked(path, b->c.level)) { + struct printbuf buf = PRINTBUF; + bch2_log_msg_start(c, &buf); + prt_printf(&buf, "%s(): node not locked at level %u\n", + __func__, b->c.level); + bch2_btree_update_to_text(&buf, as); + bch2_btree_path_to_text(&buf, trans, path_idx); + + bch2_print_string_as_lines(KERN_ERR, buf.buf); + printbuf_exit(&buf); + bch2_fs_emergency_read_only(c); + return -EIO; + } + ret = bch2_btree_node_lock_write(trans, path, &b->c); if (ret) return ret; diff --git a/fs/bcachefs/error.c b/fs/bcachefs/error.c index 038da6a61f6b..6cbf4819e923 100644 --- a/fs/bcachefs/error.c +++ b/fs/bcachefs/error.c @@ -11,6 +11,14 @@ #define FSCK_ERR_RATELIMIT_NR 10 +void bch2_log_msg_start(struct bch_fs *c, struct printbuf *out) +{ +#ifdef BCACHEFS_LOG_PREFIX + prt_printf(out, bch2_log_msg(c, "")); +#endif + printbuf_indent_add(out, 2); +} + bool bch2_inconsistent_error(struct bch_fs *c) { set_bit(BCH_FS_error, &c->flags); diff --git a/fs/bcachefs/error.h b/fs/bcachefs/error.h index 7acf2a27ca28..5730eb6b2f38 100644 --- a/fs/bcachefs/error.h +++ b/fs/bcachefs/error.h @@ -18,6 +18,8 @@ struct work_struct; /* Error messages: */ +void bch2_log_msg_start(struct bch_fs *, struct printbuf *); + /* * Inconsistency errors: The on disk data is inconsistent. If these occur during * initial recovery, they don't indicate a bug in the running code - we walk all -- 2.49.0

7 months, 3 weeks

2
1
0 0

[PATCH 5.10.y] of: module: add buffer overflow check in of_modalias()

by Uwe Kleine-König

From: Sergey Shtylyov <s.shtylyov(a)omp.ru> commit cf7385cb26ac4f0ee6c7385960525ad534323252 upstream. In of_modalias(), if the buffer happens to be too small even for the 1st snprintf() call, the len parameter will become negative and str parameter (if not NULL initially) will point beyond the buffer's end. Add the buffer overflow check after the 1st snprintf() call and fix such check after the strlen() call (accounting for the terminating NUL char). Fixes: bc575064d688 ("of/device: use of_property_for_each_string to parse compatible strings") Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> Link: https://lore.kernel.org/r/bbfc6be0-c687-62b6-d015-5141b93f313e@omp.ru Signed-off-by: Rob Herring <robh(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Uwe Kleine-König <ukleinek(a)debian.org> --- drivers/of/device.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/of/device.c b/drivers/of/device.c index 3a547793135c..93f08f18f6b3 100644 --- a/drivers/of/device.c +++ b/drivers/of/device.c @@ -231,14 +231,15 @@ static ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len csize = snprintf(str, len, "of:N%pOFn%c%s", dev->of_node, 'T', of_node_get_device_type(dev->of_node)); tsize = csize; + if (csize >= len) + csize = len > 0 ? len - 1 : 0; len -= csize; - if (str) - str += csize; + str += csize; of_property_for_each_string(dev->of_node, "compatible", p, compat) { csize = strlen(compat) + 1; tsize += csize; - if (csize > len) + if (csize >= len) continue; csize = snprintf(str, len, "C%s", compat); base-commit: 024a4a45fdf87218e3c0925475b05a27bcea103f -- 2.47.2

7 months, 3 weeks

2
1
0 0

[PATCH 5.15.y] of: module: add buffer overflow check in of_modalias()

by Uwe Kleine-König

From: Sergey Shtylyov <s.shtylyov(a)omp.ru> commit cf7385cb26ac4f0ee6c7385960525ad534323252 upstream. In of_modalias(), if the buffer happens to be too small even for the 1st snprintf() call, the len parameter will become negative and str parameter (if not NULL initially) will point beyond the buffer's end. Add the buffer overflow check after the 1st snprintf() call and fix such check after the strlen() call (accounting for the terminating NUL char). Fixes: bc575064d688 ("of/device: use of_property_for_each_string to parse compatible strings") Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> Link: https://lore.kernel.org/r/bbfc6be0-c687-62b6-d015-5141b93f313e@omp.ru Signed-off-by: Rob Herring <robh(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Uwe Kleine-König <ukleinek(a)debian.org> --- drivers/of/device.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/of/device.c b/drivers/of/device.c index 19c42a9dcba9..f503bb10b10b 100644 --- a/drivers/of/device.c +++ b/drivers/of/device.c @@ -257,14 +257,15 @@ static ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len csize = snprintf(str, len, "of:N%pOFn%c%s", dev->of_node, 'T', of_node_get_device_type(dev->of_node)); tsize = csize; + if (csize >= len) + csize = len > 0 ? len - 1 : 0; len -= csize; - if (str) - str += csize; + str += csize; of_property_for_each_string(dev->of_node, "compatible", p, compat) { csize = strlen(compat) + 1; tsize += csize; - if (csize > len) + if (csize >= len) continue; csize = snprintf(str, len, "C%s", compat); base-commit: 16fdf2c7111bd6927f16c3e811f5086fecebbf00 -- 2.47.2

7 months, 3 weeks

2
1
0 0

[PATCH 5.15.y] btrfs: do not clean up repair bio if submit fails

by bin.lan.cn＠windriver.com

From: Josef Bacik <josef(a)toxicpanda.com> [ Upstream commit 8cbc3001a3264d998d6b6db3e23f935c158abd4d ] The submit helper will always run bio_endio() on the bio if it fails to submit, so cleaning up the bio just leads to a variety of use-after-free and NULL pointer dereference bugs because we race with the endio function that is cleaning up the bio. Instead just return BLK_STS_OK as the repair function has to continue to process the rest of the pages, and the endio for the repair bio will do the appropriate cleanup for the page that it was given. Reviewed-by: Boris Burkov <boris(a)bur.io> Signed-off-by: Josef Bacik <josef(a)toxicpanda.com> Signed-off-by: David Sterba <dsterba(a)suse.com> [Minor context change fixed.] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- fs/btrfs/extent_io.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index 346fc46d019b..a1946d62911c 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -2624,7 +2624,6 @@ int btrfs_repair_one_sector(struct inode *inode, const int icsum = bio_offset >> fs_info->sectorsize_bits; struct bio *repair_bio; struct btrfs_io_bio *repair_io_bio; - blk_status_t status; btrfs_debug(fs_info, "repair read error: read error at %llu", start); @@ -2664,13 +2663,13 @@ int btrfs_repair_one_sector(struct inode *inode, "repair read error: submitting new read to mirror %d", failrec->this_mirror); - status = submit_bio_hook(inode, repair_bio, failrec->this_mirror, - failrec->bio_flags); - if (status) { - free_io_failure(failure_tree, tree, failrec); - bio_put(repair_bio); - } - return blk_status_to_errno(status); + /* + * At this point we have a bio, so any errors from submit_bio_hook() + * will be handled by the endio on the repair_bio, so we can't return an + * error here. + */ + submit_bio_hook(inode, repair_bio, failrec->this_mirror, failrec->bio_flags); + return BLK_STS_OK; } static void end_page_read(struct page *page, bool uptodate, u64 start, u32 len) -- 2.34.1

7 months, 3 weeks

2
1
0 0

[PATCH 5.4.y] of: module: add buffer overflow check in of_modalias()

by Uwe Kleine-König

From: Sergey Shtylyov <s.shtylyov(a)omp.ru> commit cf7385cb26ac4f0ee6c7385960525ad534323252 upstream. In of_modalias(), if the buffer happens to be too small even for the 1st snprintf() call, the len parameter will become negative and str parameter (if not NULL initially) will point beyond the buffer's end. Add the buffer overflow check after the 1st snprintf() call and fix such check after the strlen() call (accounting for the terminating NUL char). Fixes: bc575064d688 ("of/device: use of_property_for_each_string to parse compatible strings") Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> Link: https://lore.kernel.org/r/bbfc6be0-c687-62b6-d015-5141b93f313e@omp.ru Signed-off-by: Rob Herring <robh(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Uwe Kleine-König <ukleinek(a)debian.org> --- drivers/of/device.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/of/device.c b/drivers/of/device.c index 7fb870097a84..ee3467730dac 100644 --- a/drivers/of/device.c +++ b/drivers/of/device.c @@ -213,14 +213,15 @@ static ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len csize = snprintf(str, len, "of:N%pOFn%c%s", dev->of_node, 'T', of_node_get_device_type(dev->of_node)); tsize = csize; + if (csize >= len) + csize = len > 0 ? len - 1 : 0; len -= csize; - if (str) - str += csize; + str += csize; of_property_for_each_string(dev->of_node, "compatible", p, compat) { csize = strlen(compat) + 1; tsize += csize; - if (csize > len) + if (csize >= len) continue; csize = snprintf(str, len, "C%s", compat); base-commit: 2c8115e4757809ffd537ed9108da115026d3581f -- 2.47.2

7 months, 3 weeks

2
1
0 0

+ mm-userfaultfd-correct-dirty-flags-set-for-both-present-and-swap-pte.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: userfaultfd: correct dirty flags set for both present and swap pte has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-userfaultfd-correct-dirty-flags-set-for-both-present-and-swap-pte.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Barry Song <v-songbaohua(a)oppo.com> Subject: mm: userfaultfd: correct dirty flags set for both present and swap pte Date: Fri, 9 May 2025 10:09:12 +1200 As David pointed out, what truly matters for mremap and userfaultfd move operations is the soft dirty bit. The current comment and implementation��which always sets the dirty bit for present PTEs and fails to set the soft dirty bit for swap PTEs��are incorrect. This could break features like Checkpoint-Restore in Userspace (CRIU). This patch updates the behavior to correctly set the soft dirty bit for both present and swap PTEs in accordance with mremap. Link: https://lkml.kernel.org/r/20250508220912.7275-1-21cnbao@gmail.com Fixes: adef440691bab ("userfaultfd: UFFDIO_MOVE uABI") Signed-off-by: Barry Song <v-songbaohua(a)oppo.com> Reported-by: David Hildenbrand <david(a)redhat.com> Closes: https://lore.kernel.org/linux-mm/02f14ee1-923f-47e3-a994-4950afb9afcc@redha… Acked-by: Peter Xu <peterx(a)redhat.com> Reviewed-by: Suren Baghdasaryan <surenb(a)google.com> Cc: Lokesh Gidra <lokeshgidra(a)google.com> Cc: Andrea Arcangeli <aarcange(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/userfaultfd.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) --- a/mm/userfaultfd.c~mm-userfaultfd-correct-dirty-flags-set-for-both-present-and-swap-pte +++ a/mm/userfaultfd.c @@ -1064,8 +1064,13 @@ static int move_present_pte(struct mm_st src_folio->index = linear_page_index(dst_vma, dst_addr); orig_dst_pte = mk_pte(&src_folio->page, dst_vma->vm_page_prot); - /* Follow mremap() behavior and treat the entry dirty after the move */ - orig_dst_pte = pte_mkwrite(pte_mkdirty(orig_dst_pte), dst_vma); + /* Set soft dirty bit so userspace can notice the pte was moved */ +#ifdef CONFIG_MEM_SOFT_DIRTY + orig_dst_pte = pte_mksoft_dirty(orig_dst_pte); +#endif + if (pte_dirty(orig_src_pte)) + orig_dst_pte = pte_mkdirty(orig_dst_pte); + orig_dst_pte = pte_mkwrite(orig_dst_pte, dst_vma); set_pte_at(mm, dst_addr, dst_pte, orig_dst_pte); out: @@ -1100,6 +1105,9 @@ static int move_swap_pte(struct mm_struc } orig_src_pte = ptep_get_and_clear(mm, src_addr, src_pte); +#ifdef CONFIG_MEM_SOFT_DIRTY + orig_src_pte = pte_swp_mksoft_dirty(orig_src_pte); +#endif set_pte_at(mm, dst_addr, dst_pte, orig_src_pte); double_pt_unlock(dst_ptl, src_ptl); _ Patches currently in -mm which might be from v-songbaohua(a)oppo.com are mm-userfaultfd-correct-dirty-flags-set-for-both-present-and-swap-pte.patch

7 months, 3 weeks

1
0
0 0

[PATCH v3] block, scsi: sd_zbc: Respect bio vector limits for report zones buffer

by Steve Siwinski

The report zones buffer size is currently limited by the HBA's maximum segment count to ensure the buffer can be mapped. However, the block layer further limits the number of iovec entries to 1024 when allocating a bio. To avoid allocation of buffers too large to be mapped, further restrict the maximum buffer size to BIO_MAX_INLINE_VECS. Replace the UIO_MAXIOV symbolic name with the more contextually appropriate BIO_MAX_INLINE_VECS. Fixes: b091ac616846 ("sd_zbc: Fix report zones buffer allocation") Cc: stable(a)vger.kernel.org Signed-off-by: Steve Siwinski <ssiwinski(a)atto.com> --- block/bio.c | 2 +- drivers/scsi/sd_zbc.c | 6 +++++- include/linux/bio.h | 1 + 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/block/bio.c b/block/bio.c index 4e6c85a33d74..4be592d37fb6 100644 --- a/block/bio.c +++ b/block/bio.c @@ -611,7 +611,7 @@ struct bio *bio_kmalloc(unsigned short nr_vecs, gfp_t gfp_mask) { struct bio *bio; - if (nr_vecs > UIO_MAXIOV) + if (nr_vecs > BIO_MAX_INLINE_VECS) return NULL; return kmalloc(struct_size(bio, bi_inline_vecs, nr_vecs), gfp_mask); } diff --git a/drivers/scsi/sd_zbc.c b/drivers/scsi/sd_zbc.c index 7a447ff600d2..a8db66428f80 100644 --- a/drivers/scsi/sd_zbc.c +++ b/drivers/scsi/sd_zbc.c @@ -169,6 +169,7 @@ static void *sd_zbc_alloc_report_buffer(struct scsi_disk *sdkp, unsigned int nr_zones, size_t *buflen) { struct request_queue *q = sdkp->disk->queue; + unsigned int max_segments; size_t bufsize; void *buf; @@ -180,12 +181,15 @@ static void *sd_zbc_alloc_report_buffer(struct scsi_disk *sdkp, * Furthermore, since the report zone command cannot be split, make * sure that the allocated buffer can always be mapped by limiting the * number of pages allocated to the HBA max segments limit. + * Since max segments can be larger than the max inline bio vectors, + * further limit the allocated buffer to BIO_MAX_INLINE_VECS. */ nr_zones = min(nr_zones, sdkp->zone_info.nr_zones); bufsize = roundup((nr_zones + 1) * 64, SECTOR_SIZE); bufsize = min_t(size_t, bufsize, queue_max_hw_sectors(q) << SECTOR_SHIFT); - bufsize = min_t(size_t, bufsize, queue_max_segments(q) << PAGE_SHIFT); + max_segments = min(BIO_MAX_INLINE_VECS, queue_max_segments(q)); + bufsize = min_t(size_t, bufsize, max_segments << PAGE_SHIFT); while (bufsize >= SECTOR_SIZE) { buf = kvzalloc(bufsize, GFP_KERNEL | __GFP_NORETRY); diff --git a/include/linux/bio.h b/include/linux/bio.h index cafc7c215de8..b786ec5bcc81 100644 --- a/include/linux/bio.h +++ b/include/linux/bio.h @@ -11,6 +11,7 @@ #include <linux/uio.h> #define BIO_MAX_VECS 256U +#define BIO_MAX_INLINE_VECS UIO_MAXIOV struct queue_limits; -- 2.43.5

7 months, 3 weeks

2
1
0 0

[PATCH v2] mm: userfaultfd: correct dirty flags set for both present and swap pte

by Barry Song

From: Barry Song <v-songbaohua(a)oppo.com> As David pointed out, what truly matters for mremap and userfaultfd move operations is the soft dirty bit. The current comment and implementation—which always sets the dirty bit for present PTEs and fails to set the soft dirty bit for swap PTEs—are incorrect. This could break features like Checkpoint-Restore in Userspace (CRIU). This patch updates the behavior to correctly set the soft dirty bit for both present and swap PTEs in accordance with mremap. Reported-by: David Hildenbrand <david(a)redhat.com> Closes: https://lore.kernel.org/linux-mm/02f14ee1-923f-47e3-a994-4950afb9afcc@redha… Acked-by: Peter Xu <peterx(a)redhat.com> Reviewed-by: Suren Baghdasaryan <surenb(a)google.com> Cc: Lokesh Gidra <lokeshgidra(a)google.com> Cc: Andrea Arcangeli <aarcange(a)redhat.com> Fixes: adef440691bab ("userfaultfd: UFFDIO_MOVE uABI") Cc: stable(a)vger.kernel.org Signed-off-by: Barry Song <v-songbaohua(a)oppo.com> --- mm/userfaultfd.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c index e8ce92dc105f..bc473ad21202 100644 --- a/mm/userfaultfd.c +++ b/mm/userfaultfd.c @@ -1064,8 +1064,13 @@ static int move_present_pte(struct mm_struct *mm, src_folio->index = linear_page_index(dst_vma, dst_addr); orig_dst_pte = folio_mk_pte(src_folio, dst_vma->vm_page_prot); - /* Follow mremap() behavior and treat the entry dirty after the move */ - orig_dst_pte = pte_mkwrite(pte_mkdirty(orig_dst_pte), dst_vma); + /* Set soft dirty bit so userspace can notice the pte was moved */ +#ifdef CONFIG_MEM_SOFT_DIRTY + orig_dst_pte = pte_mksoft_dirty(orig_dst_pte); +#endif + if (pte_dirty(orig_src_pte)) + orig_dst_pte = pte_mkdirty(orig_dst_pte); + orig_dst_pte = pte_mkwrite(orig_dst_pte, dst_vma); set_pte_at(mm, dst_addr, dst_pte, orig_dst_pte); out: @@ -1100,6 +1105,9 @@ static int move_swap_pte(struct mm_struct *mm, struct vm_area_struct *dst_vma, } orig_src_pte = ptep_get_and_clear(mm, src_addr, src_pte); +#ifdef CONFIG_MEM_SOFT_DIRTY + orig_src_pte = pte_swp_mksoft_dirty(orig_src_pte); +#endif set_pte_at(mm, dst_addr, dst_pte, orig_src_pte); double_pt_unlock(dst_ptl, src_ptl); -- 2.39.3 (Apple Git-146)

7 months, 3 weeks

1
0
0 0

[PATCH v2] wifi: mt76: mt7925: fix missing hdr_trans_tlv command for broadcast wtbl

by Mingyen Hsieh

From: Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> The hdr_trans_tlv function call has been moved inside the conditional block to ensure it is executed when info->enable is true. Cc: stable(a)vger.kernel.org Fixes: cb1353ef3473 ("wifi: mt76: mt7925: integrate *mlo_sta_cmd and *sta_cmd") Signed-off-by: Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> Tested-by: Niklas Schnelle <niks(a)kernel.org> --- v2: add tested-by tag --- drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c index a42b584634ab..fd756f0d18f8 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c @@ -2183,14 +2183,14 @@ mt7925_mcu_sta_cmd(struct mt76_phy *phy, mt7925_mcu_sta_mld_tlv(skb, info->vif, info->link_sta->sta); mt7925_mcu_sta_eht_mld_tlv(skb, info->vif, info->link_sta->sta); } - - mt7925_mcu_sta_hdr_trans_tlv(skb, info->vif, info->link_sta); } if (!info->enable) { mt7925_mcu_sta_remove_tlv(skb); mt76_connac_mcu_add_tlv(skb, STA_REC_MLD_OFF, sizeof(struct tlv)); + } else { + mt7925_mcu_sta_hdr_trans_tlv(skb, info->vif, info->link_sta); } return mt76_mcu_skb_send_msg(dev, skb, info->cmd, true); -- 2.34.1

7 months, 3 weeks

2
1
0 0

[PATCH] clk: s2mps11: initialise clk_hw_onecell_data::num before accessing ::hws[] in probe()

by André Draszik

With UBSAN enabled, we're getting the following trace: UBSAN: array-index-out-of-bounds in .../drivers/clk/clk-s2mps11.c:186:3 index 0 is out of range for type 'struct clk_hw *[] __counted_by(num)' (aka 'struct clk_hw *[]') This is because commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by") annotated the hws member of that struct with __counted_by, which informs the bounds sanitizer about the number of elements in hws, so that it can warn when hws is accessed out of bounds. As noted in that change, the __counted_by member must be initialised with the number of elements before the first array access happens, otherwise there will be a warning from each access prior to the initialisation because the number of elements is zero. This occurs in s2mps11_clk_probe() due to ::num being assigned after ::hws access. Move the assignment to satisfy the requirement of assign-before-access. Cc: stable(a)vger.kernel.org Fixes: f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by") Signed-off-by: André Draszik <andre.draszik(a)linaro.org> --- drivers/clk/clk-s2mps11.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/clk/clk-s2mps11.c b/drivers/clk/clk-s2mps11.c index 014db6386624071e173b5b940466301d2596400a..8ddf3a9a53dfd5bb52a05a3e02788a357ea77ad3 100644 --- a/drivers/clk/clk-s2mps11.c +++ b/drivers/clk/clk-s2mps11.c @@ -137,6 +137,8 @@ static int s2mps11_clk_probe(struct platform_device *pdev) if (!clk_data) return -ENOMEM; + clk_data->num = S2MPS11_CLKS_NUM; + switch (hwid) { case S2MPS11X: s2mps11_reg = S2MPS11_REG_RTC_CTRL; @@ -186,7 +188,6 @@ static int s2mps11_clk_probe(struct platform_device *pdev) clk_data->hws[i] = &s2mps11_clks[i].hw; } - clk_data->num = S2MPS11_CLKS_NUM; of_clk_add_hw_provider(s2mps11_clks->clk_np, of_clk_hw_onecell_get, clk_data); --- base-commit: 9388ec571cb1adba59d1cded2300eeb11827679c change-id: 20250326-s2mps11-ubsan-c90978e7bc04 Best regards, -- André Draszik <andre.draszik(a)linaro.org>

7 months, 3 weeks

3
2
0 0

perf r5101c4 counter regression

by Salvatore Bonaccorso

Hi, Pasi Kallinen reported in Debian a regression with perf r5101c4 counter, initially it was found in https://github.com/rr-debugger/rr/issues/3949 but said to be a kernel problem. On Tue, May 06, 2025 at 07:18:39PM +0300, Pasi Kallinen wrote: > Package: src:linux > Version: 6.12.25-1 > Severity: normal > X-Debbugs-Cc: debian-amd64(a)lists.debian.org, paxed(a)alt.org > User: debian-amd64(a)lists.debian.org > Usertags: amd64 > > Dear Maintainer, > > perf stat -e r5101c4 true > > reports "not supported". > > The counters worked in kernel 6.11.10. > > I first noticed this not working when updating to 6.12.22. > Booting back to 6.11.10, the counters work correctly. Does this ring a bell? Would you be able to bisect the changes to identify where the behaviour changed? Regards, Salvatore

7 months, 3 weeks

2
1
0 0

[PATCH] xenbus: Use kref to track req lifetime

by Jason Andryuk

Marek reported seeing a NULL pointer fault in the xenbus_thread callstack: BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: e030:__wake_up_common+0x4c/0x180 Call Trace: <TASK> __wake_up_common_lock+0x82/0xd0 process_msg+0x18e/0x2f0 xenbus_thread+0x165/0x1c0 process_msg+0x18e is req->cb(req). req->cb is set to xs_wake_up(), a thin wrapper around wake_up(), or xenbus_dev_queue_reply(). It seems like it was xs_wake_up() in this case. It seems like req may have woken up the xs_wait_for_reply(), which kfree()ed the req. When xenbus_thread resumes, it faults on the zero-ed data. Linux Device Drivers 2nd edition states: "Normally, a wake_up call can cause an immediate reschedule to happen, meaning that other processes might run before wake_up returns." ... which would match the behaviour observed. Change to keeping two krefs on each request. One for the caller, and one for xenbus_thread. Each will kref_put() when finished, and the last will free it. This use of kref matches the description in Documentation/core-api/kref.rst Link: https://lore.kernel.org/xen-devel/ZO0WrR5J0xuwDIxW@mail-itl/ Reported-by: "Marek Marczykowski-Górecki" <marmarek(a)invisiblethingslab.com> Fixes: fd8aa9095a95 ("xen: optimize xenbus driver for multiple concurrent xenstore accesses") Cc: stable(a)vger.kernel.org Signed-off-by: Jason Andryuk <jason.andryuk(a)amd.com> --- Kinda RFC-ish as I don't know if it fixes Marek's issue. This does seem like the correct approach if we are seeing req free()ed out from under xenbus_thread. drivers/xen/xenbus/xenbus.h | 2 ++ drivers/xen/xenbus/xenbus_comms.c | 9 ++++----- drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +- drivers/xen/xenbus/xenbus_xs.c | 18 ++++++++++++++++-- 4 files changed, 23 insertions(+), 8 deletions(-) diff --git a/drivers/xen/xenbus/xenbus.h b/drivers/xen/xenbus/xenbus.h index 13821e7e825e..9ac0427724a3 100644 --- a/drivers/xen/xenbus/xenbus.h +++ b/drivers/xen/xenbus/xenbus.h @@ -77,6 +77,7 @@ enum xb_req_state { struct xb_req_data { struct list_head list; wait_queue_head_t wq; + struct kref kref; struct xsd_sockmsg msg; uint32_t caller_req_id; enum xsd_sockmsg_type type; @@ -103,6 +104,7 @@ int xb_init_comms(void); void xb_deinit_comms(void); int xs_watch_msg(struct xs_watch_event *event); void xs_request_exit(struct xb_req_data *req); +void xs_free_req(struct kref *kref); int xenbus_match(struct device *_dev, const struct device_driver *_drv); int xenbus_dev_probe(struct device *_dev); diff --git a/drivers/xen/xenbus/xenbus_comms.c b/drivers/xen/xenbus/xenbus_comms.c index e5fda0256feb..82df2da1b880 100644 --- a/drivers/xen/xenbus/xenbus_comms.c +++ b/drivers/xen/xenbus/xenbus_comms.c @@ -309,8 +309,8 @@ static int process_msg(void) virt_wmb(); req->state = xb_req_state_got_reply; req->cb(req); - } else - kfree(req); + } + kref_put(&req->kref, xs_free_req); } mutex_unlock(&xs_response_mutex); @@ -386,14 +386,13 @@ static int process_writes(void) state.req->msg.type = XS_ERROR; state.req->err = err; list_del(&state.req->list); - if (state.req->state == xb_req_state_aborted) - kfree(state.req); - else { + if (state.req->state != xb_req_state_aborted) { /* write err, then update state */ virt_wmb(); state.req->state = xb_req_state_got_reply; wake_up(&state.req->wq); } + kref_put(&state.req->kref, xs_free_req); mutex_unlock(&xb_write_mutex); diff --git a/drivers/xen/xenbus/xenbus_dev_frontend.c b/drivers/xen/xenbus/xenbus_dev_frontend.c index 46f8916597e5..f5c21ba64df5 100644 --- a/drivers/xen/xenbus/xenbus_dev_frontend.c +++ b/drivers/xen/xenbus/xenbus_dev_frontend.c @@ -406,7 +406,7 @@ void xenbus_dev_queue_reply(struct xb_req_data *req) mutex_unlock(&u->reply_mutex); kfree(req->body); - kfree(req); + kref_put(&req->kref, xs_free_req); kref_put(&u->kref, xenbus_file_free); diff --git a/drivers/xen/xenbus/xenbus_xs.c b/drivers/xen/xenbus/xenbus_xs.c index d32c726f7a12..dcf9182c8451 100644 --- a/drivers/xen/xenbus/xenbus_xs.c +++ b/drivers/xen/xenbus/xenbus_xs.c @@ -112,6 +112,12 @@ static void xs_suspend_exit(void) wake_up_all(&xs_state_enter_wq); } +void xs_free_req(struct kref *kref) +{ + struct xb_req_data *req = container_of(kref, struct xb_req_data, kref); + kfree(req); +} + static uint32_t xs_request_enter(struct xb_req_data *req) { uint32_t rq_id; @@ -237,6 +243,12 @@ static void xs_send(struct xb_req_data *req, struct xsd_sockmsg *msg) req->caller_req_id = req->msg.req_id; req->msg.req_id = xs_request_enter(req); + /* + * Take 2nd ref. One for this thread, and the second for the + * xenbus_thread. + */ + kref_get(&req->kref); + mutex_lock(&xb_write_mutex); list_add_tail(&req->list, &xb_write_list); notify = list_is_singular(&xb_write_list); @@ -261,8 +273,8 @@ static void *xs_wait_for_reply(struct xb_req_data *req, struct xsd_sockmsg *msg) if (req->state == xb_req_state_queued || req->state == xb_req_state_wait_reply) req->state = xb_req_state_aborted; - else - kfree(req); + + kref_put(&req->kref, xs_free_req); mutex_unlock(&xb_write_mutex); return ret; @@ -291,6 +303,7 @@ int xenbus_dev_request_and_reply(struct xsd_sockmsg *msg, void *par) req->cb = xenbus_dev_queue_reply; req->par = par; req->user_req = true; + kref_init(&req->kref); xs_send(req, msg); @@ -319,6 +332,7 @@ static void *xs_talkv(struct xenbus_transaction t, req->num_vecs = num_vecs; req->cb = xs_wake_up; req->user_req = false; + kref_init(&req->kref); msg.req_id = 0; msg.tx_id = t.id; -- 2.34.1

7 months, 3 weeks

3
3
0 0

[PATCH 6.6 000/129] 6.6.90-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.90 release. There are 129 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 09 May 2025 18:37:41 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.90-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.90-rc1 Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: fix possible null pointer dereference at secondary interrupter removal Marc Zyngier <maz(a)kernel.org> usb: xhci: Check for xhci->interrupters being allocated in xhci_mem_clearup() Chris Bainbridge <chris.bainbridge(a)gmail.com> drm/amd/display: Fix slab-use-after-free in hdcp Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp Nicolin Chen <nicolinc(a)nvidia.com> iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream ids Jason Gunthorpe <jgg(a)ziepe.ca> iommu/arm-smmu-v3: Use the new rb tree helpers Shyam Saini <shyamsaini(a)linux.microsoft.com> drivers: base: handle module_kobject creation Shyam Saini <shyamsaini(a)linux.microsoft.com> kernel: globalize lookup_or_create_module_kobject() Shyam Saini <shyamsaini(a)linux.microsoft.com> kernel: param: rename locate_module_kobject Björn Töpel <bjorn(a)rivosinc.com> riscv: uprobes: Add missing fence.i after building the XOL buffer Shakeel Butt <shakeel.butt(a)linux.dev> memcg: drain obj stock on cpu hotplug teardown Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Limit time spent with xHC interrupts disabled during bus resume Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: support setting interrupt moderation IMOD for secondary interrupters Niklas Neronin <niklas.neronin(a)linux.intel.com> usb: xhci: check if 'requested segments' exceeds ERST capacity Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Add helper to set an interrupters interrupt moderation interval Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: add support to allocate several interrupters Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: split free interrupter into separate remove and free parts Lukas Wunner <lukas(a)wunner.de> xhci: Clean up stale comment on ERST_SIZE macro Jonathan Bell <jonathan(a)raspberrypi.com> xhci: Use more than one Event Ring segment Lukas Wunner <lukas(a)wunner.de> xhci: Set DESI bits in ERDP register correctly Christian Hewitt <christianshewitt(a)gmail.com> Revert "drm/meson: vclk: fix calculation of 59.94 fractional rates" Christian Bruel <christian.bruel(a)foss.st.com> arm64: dts: st: Use 128kB size for aliased GIC400 register access on stm32mp25 SoCs Christian Bruel <christian.bruel(a)foss.st.com> arm64: dts: st: Adjust interrupt-controller for stm32mp25 SoCs Sébastien Szymanski <sebastien.szymanski(a)armadeus.com> ARM: dts: opos6ul: add ksz8081 phy properties Sudeep Holla <sudeep.holla(a)arm.com> firmware: arm_ffa: Skip Rx buffer ownership release if not acquired Cristian Marussi <cristian.marussi(a)arm.com> firmware: arm_scmi: Balance device refcount when destroying devices Cong Wang <xiyou.wangcong(a)gmail.com> sch_ets: make est_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_qfq: make qfq_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_hfsc: make hfsc_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_drr: make drr_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_htb: make htb_qlen_notify() idempotent Samuel Holland <samuel.holland(a)sifive.com> riscv: Pass patch_text() the length in bytes Geert Uytterhoeven <geert+renesas(a)glider.be> ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties Rob Herring (Arm) <robh(a)kernel.org> ASoC: Use of_property_read_bool() Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix RX error handling Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Add range check for CMD_RTS Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix LEN_MASK Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix possible stuck of SPI interrupt Jian Shen <shenjian15(a)huawei.com> net: hns3: defer calling ptp_clock_register() Hao Lan <lanhao(a)huawei.com> net: hns3: fixed debugfs tm_qset size Yonglong Liu <liuyonglong(a)huawei.com> net: hns3: fix an interrupt residual problem Jian Shen <shenjian15(a)huawei.com> net: hns3: store rx VLAN tag offload state for VF Sathesh B Edara <sedara(a)marvell.com> octeon_ep: Fix host hang issue during device reboot Mattias Barthel <mattias.barthel(a)atlascopco.com> net: fec: ERR007885 Workaround for conventional TX Thangaraj Samynathan <thangaraj.s(a)microchip.com> net: lan743x: Fix memleak issue when GSO enabled Michael Liang <mliang(a)purestorage.com> nvme-tcp: fix premature queue removal and I/O failover Michael Chan <michael.chan(a)broadcom.com> bnxt_en: Fix ethtool -d byte order for 32-bit values Shruti Parab <shruti.parab(a)broadcom.com> bnxt_en: Fix out-of-bound memcpy() during ethtool -w Shruti Parab <shruti.parab(a)broadcom.com> bnxt_en: Fix coredump logic to free allocated buffer Felix Fietkau <nbd(a)nbd.name> net: ipv6: fix UDPv6 GSO segmentation with NAT Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: felix: fix broken taprio gate states after clock jump Chad Monroe <chad(a)monroe.io> net: ethernet: mtk_eth_soc: fix SER panic with 4GB+ RAM Jacob Keller <jacob.e.keller(a)intel.com> igc: fix lock order in igc_ptp_reset Da Xue <da(a)libre.computer> net: mdio: mux-meson-gxl: set reversed bit when using internal phy Simon Horman <horms(a)kernel.org> net: dlink: Correct endianness handling of led_mode Keith Busch <kbusch(a)kernel.org> nvme-pci: fix queue unquiesce check on slot_reset Takashi Iwai <tiwai(a)suse.de> ALSA: ump: Fix buffer overflow at UMP SysEx message conversion Xuanqiang Luo <luoxuanqiang(a)kylinos.cn> ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() Victor Nogueira <victor(a)mojatatu.com> net_sched: qfq: Fix double list add in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: ets: Fix double list add in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: drr: Fix double list add in class with netem as child qdisc Shannon Nelson <shannon.nelson(a)amd.com> pds_core: remove write-after-free of client_id Shannon Nelson <shannon.nelson(a)amd.com> pds_core: specify auxiliary_device to be created Shannon Nelson <shannon.nelson(a)amd.com> pds_core: make pdsc_auxbus_dev_del() void Shannon Nelson <shannon.nelson(a)amd.com> pds_core: delete VF dev on reset Shannon Nelson <shannon.nelson(a)amd.com> pds_core: check health in devcmd wait Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> net: ethernet: mtk-star-emac: rearm interrupts in rx_poll only when advised Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: delete PVID VLAN when readding it as non-PVID Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: treat 802.1ad tagged traffic as 802.1Q-untagged Pauli Virtanen <pav(a)iki.fi> Bluetooth: L2CAP: copy RX timestamp to new fragments Abhishek Chauhan <quic_abchauha(a)quicinc.com> net: Rename mono_delivery_time to tstamp_type for scalabilty En-Wei Wu <en-wei.wu(a)canonical.com> Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue() Chris Mi <cmi(a)nvidia.com> net/mlx5: E-switch, Fix error handling for enabling roce Maor Gottlieb <maorg(a)nvidia.com> net/mlx5: E-Switch, Initialize MAC Address for Default GID Ido Schimmel <idosch(a)nvidia.com> vxlan: vnifilter: Fix unlocked deletion of default FDB entry Madhavan Srinivasan <maddy(a)linux.ibm.com> powerpc/boot: Fix dash warning Murad Masimov <m.masimov(a)mt-integration.ru> wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release Chen Linxuan <chenlinxuan(a)uniontech.com> drm/i915/pxp: fix undefined reference to `intel_pxp_gsccs_is_ready_for_sessions' Madhavan Srinivasan <maddy(a)linux.ibm.com> powerpc/boot: Check for ld-option support Donet Tom <donettom(a)linux.ibm.com> book3s64/radix : Align section vmemmap start address to PAGE_SIZE Sheetal <sheetal(a)nvidia.com> ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence Robin Murphy <robin.murphy(a)arm.com> iommu: Handle race with default domain setup Sean Christopherson <seanjc(a)google.com> KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop Richard Zhu <hongxing.zhu(a)nxp.com> PCI: imx6: Skip controller_id generation logic for i.MX7D Ryan Matthews <ryanmatthews(a)fastmail.com> Revert "PCI: imx6: Skip controller_id generation logic for i.MX7D" Eduard Zingerman <eddyz87(a)gmail.com> selftests/bpf: extend changes_pkt_data with cases w/o subprograms Eduard Zingerman <eddyz87(a)gmail.com> bpf: fix null dereference when computing changes_pkt_data of prog w/o subprogs Eduard Zingerman <eddyz87(a)gmail.com> selftests/bpf: validate that tail call invalidates packet pointers Eduard Zingerman <eddyz87(a)gmail.com> bpf: consider that tail calls invalidate packet pointers Eduard Zingerman <eddyz87(a)gmail.com> selftests/bpf: freplace tests for tracking of changes_packet_data Eduard Zingerman <eddyz87(a)gmail.com> bpf: check changes_pkt_data property for extension programs Eduard Zingerman <eddyz87(a)gmail.com> selftests/bpf: test for changing packet data from global functions Eduard Zingerman <eddyz87(a)gmail.com> bpf: track changes_pkt_data property for global functions Eduard Zingerman <eddyz87(a)gmail.com> bpf: refactor bpf_helper_changes_pkt_data to use helper number Eduard Zingerman <eddyz87(a)gmail.com> bpf: add find_containing_subprog() utility function Jeongjun Park <aha310510(a)gmail.com> tracing: Fix oob write in trace_seq_to_buffer() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Fix setting policy limits when frequency tables are used Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Avoid using inconsistent policy->min and policy->max Jethro Donaldson <devel(a)jro.nz> smb: client: fix zero length for mkdir POSIX create context Sean Heelan <seanheelan(a)gmail.com> ksmbd: fix use-after-free in kerberos authentication Shouye Liu <shouyeliu(a)tencent.com> platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU hotplug Mario Limonciello <mario.limonciello(a)amd.com> platform/x86/amd: pmc: Require at least 2.5 seconds between HW sleep cycles Mingcong Bai <jeffbai(a)aosc.io> iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57) Pavel Paklov <Pavel.Paklov(a)cyberprotect.ru> iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid Benjamin Marzinski <bmarzins(a)redhat.com> dm: always update the array size in realloc_argv on success Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: fix a warning on invalid table line LongPing Wei <weilongping(a)oppo.com> dm-bufio: don't schedule in atomic context Wentao Liang <vulab(a)iscas.ac.cn> wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() Steven Rostedt <rostedt(a)goodmis.org> tracing: Do not take trace_event_sem in print_event_fields() Aaron Kling <webgeek1234(a)gmail.com> spi: tegra114: Don't fail set_cs_timing when delays are zero Ruslan Piasetskyi <ruslan.piasetskyi(a)gmail.com> mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe Wei Yang <richard.weiyang(a)gmail.com> mm/memblock: repeat setting reserved region nid if array is doubled Wei Yang <richard.weiyang(a)gmail.com> mm/memblock: pass size instead of end to memblock_set_node() Stephan Gerhold <stephan.gerhold(a)linaro.org> irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs Vishal Badole <Vishal.Badole(a)amd.com> amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload Sean Christopherson <seanjc(a)google.com> perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value. Helge Deller <deller(a)gmx.de> parisc: Fix double SIGFPE crash Will Deacon <will(a)kernel.org> arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays Clark Wang <xiaoning.wang(a)nxp.com> i2c: imx-lpi2c: Fix clock count when probe defers Niravkumar L Rabara <niravkumar.l.rabara(a)altera.com> EDAC/altera: Set DDR and SDMMC interrupt mask before registration Niravkumar L Rabara <niravkumar.l.rabara(a)altera.com> EDAC/altera: Test the correct error reg offset Philipp Stanner <phasta(a)kernel.org> drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/fdinfo: Protect against driver unbind Dave Chen <davechen(a)synology.com> btrfs: fix COW handling in run_delalloc_nocow() Joachim Priesner <joachim.priesner(a)web.de> ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset Geoffrey D. Bennett <g(a)b4.vu> ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface() Christian Heusel <christian(a)heusel.eu> Revert "rndis_host: Flag RNDIS modems as WWAN devices" ------------- Diffstat: Makefile | 4 +- .../boot/dts/nxp/imx/imx6ul-imx6ull-opos6ul.dtsi | 3 + arch/arm64/boot/dts/st/stm32mp251.dtsi | 9 +- arch/arm64/kernel/proton-pack.c | 2 + arch/parisc/math-emu/driver.c | 16 +- arch/powerpc/boot/wrapper | 6 +- arch/powerpc/mm/book3s64/radix_pgtable.c | 17 +- arch/riscv/include/asm/patch.h | 2 +- arch/riscv/kernel/patch.c | 14 +- arch/riscv/kernel/probes/kprobes.c | 18 +- arch/riscv/kernel/probes/uprobes.c | 10 +- arch/riscv/net/bpf_jit_comp64.c | 7 +- arch/x86/events/intel/core.c | 2 +- arch/x86/include/asm/kvm-x86-ops.h | 1 + arch/x86/include/asm/kvm_host.h | 1 + arch/x86/kvm/svm/svm.c | 13 +- arch/x86/kvm/vmx/vmx.c | 11 +- arch/x86/kvm/x86.c | 3 + drivers/base/module.c | 13 +- drivers/bluetooth/btusb.c | 101 ++++++++--- drivers/cpufreq/cpufreq.c | 42 ++++- drivers/cpufreq/cpufreq_ondemand.c | 3 +- drivers/cpufreq/freq_table.c | 6 +- drivers/edac/altera_edac.c | 9 +- drivers/edac/altera_edac.h | 2 + drivers/firmware/arm_ffa/driver.c | 3 +- drivers/firmware/arm_scmi/bus.c | 3 + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 56 +++--- drivers/gpu/drm/drm_file.c | 6 + drivers/gpu/drm/i915/pxp/intel_pxp_gsccs.h | 8 +- drivers/gpu/drm/meson/meson_vclk.c | 6 +- drivers/gpu/drm/nouveau/nouveau_fence.c | 2 +- drivers/i2c/busses/i2c-imx-lpi2c.c | 4 +- drivers/iommu/amd/init.c | 8 + drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 79 +++++---- drivers/iommu/intel/iommu.c | 4 +- drivers/iommu/iommu.c | 18 ++ drivers/irqchip/irq-qcom-mpm.c | 3 + drivers/md/dm-bufio.c | 9 +- drivers/md/dm-integrity.c | 2 +- drivers/md/dm-table.c | 5 +- drivers/mmc/host/renesas_sdhi_core.c | 10 +- drivers/net/dsa/ocelot/felix_vsc9959.c | 5 +- drivers/net/ethernet/amd/pds_core/auxbus.c | 49 +++--- drivers/net/ethernet/amd/pds_core/core.h | 7 +- drivers/net/ethernet/amd/pds_core/dev.c | 11 +- drivers/net/ethernet/amd/pds_core/devlink.c | 7 +- drivers/net/ethernet/amd/pds_core/main.c | 23 ++- drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 9 +- drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 24 ++- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 11 +- drivers/net/ethernet/amd/xgbe/xgbe.h | 4 + drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c | 30 ++-- drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 36 +++- drivers/net/ethernet/dlink/dl2k.c | 2 +- drivers/net/ethernet/dlink/dl2k.h | 2 +- drivers/net/ethernet/freescale/fec_main.c | 7 +- drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 2 +- drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 82 +++++---- .../net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 13 +- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 25 ++- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h | 1 + drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c | 5 + drivers/net/ethernet/intel/igc/igc_ptp.c | 6 +- .../net/ethernet/marvell/octeon_ep/octep_main.c | 2 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 14 +- drivers/net/ethernet/mediatek/mtk_star_emac.c | 13 +- .../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 5 +- drivers/net/ethernet/mellanox/mlx5/core/rdma.c | 11 +- drivers/net/ethernet/mellanox/mlx5/core/rdma.h | 4 +- drivers/net/ethernet/microchip/lan743x_main.c | 8 +- drivers/net/ethernet/microchip/lan743x_main.h | 1 + drivers/net/ethernet/mscc/ocelot.c | 194 +++++++++++++++++++-- drivers/net/ethernet/mscc/ocelot_vcap.c | 1 + drivers/net/ethernet/vertexcom/mse102x.c | 36 +++- drivers/net/mdio/mdio-mux-meson-gxl.c | 3 +- drivers/net/usb/rndis_host.c | 16 +- drivers/net/vxlan/vxlan_vnifilter.c | 8 +- .../net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 6 +- drivers/net/wireless/purelifi/plfxlc/mac.c | 1 - drivers/nvme/host/pci.c | 2 +- drivers/nvme/host/tcp.c | 31 +++- drivers/pci/controller/dwc/pci-imx6.c | 3 +- drivers/platform/x86/amd/pmc/pmc.c | 7 +- .../x86/intel/uncore-frequency/uncore-frequency.c | 13 +- drivers/spi/spi-tegra114.c | 6 +- drivers/usb/host/xhci-debugfs.c | 2 +- drivers/usb/host/xhci-hub.c | 30 ++-- drivers/usb/host/xhci-mem.c | 175 +++++++++++++++---- drivers/usb/host/xhci-ring.c | 4 +- drivers/usb/host/xhci.c | 80 ++++++--- drivers/usb/host/xhci.h | 20 ++- fs/btrfs/inode.c | 9 +- fs/smb/client/smb2pdu.c | 1 + fs/smb/server/auth.c | 14 +- fs/smb/server/smb2pdu.c | 5 - include/linux/bpf.h | 1 + include/linux/bpf_verifier.h | 1 + include/linux/cpufreq.h | 83 ++++++--- include/linux/filter.h | 2 +- include/linux/module.h | 2 + include/linux/pds/pds_core_if.h | 1 + include/linux/skbuff.h | 52 ++++-- include/net/inet_frag.h | 4 +- include/soc/mscc/ocelot_vcap.h | 2 + include/sound/ump_convert.h | 2 +- kernel/bpf/core.c | 2 +- kernel/bpf/verifier.c | 81 +++++++-- kernel/params.c | 6 +- kernel/trace/trace.c | 5 +- kernel/trace/trace_output.c | 4 +- mm/memblock.c | 12 +- mm/memcontrol.c | 9 + net/bluetooth/l2cap_core.c | 3 + net/bridge/netfilter/nf_conntrack_bridge.c | 6 +- net/core/dev.c | 2 +- net/core/filter.c | 73 ++++---- net/ieee802154/6lowpan/reassembly.c | 2 +- net/ipv4/inet_fragment.c | 2 +- net/ipv4/ip_fragment.c | 2 +- net/ipv4/ip_output.c | 9 +- net/ipv4/tcp_output.c | 14 +- net/ipv4/udp_offload.c | 61 ++++++- net/ipv6/ip6_output.c | 6 +- net/ipv6/netfilter.c | 6 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- net/ipv6/reassembly.c | 2 +- net/ipv6/tcp_ipv6.c | 2 +- net/sched/act_bpf.c | 4 +- net/sched/cls_bpf.c | 4 +- net/sched/sch_drr.c | 16 +- net/sched/sch_ets.c | 17 +- net/sched/sch_hfsc.c | 10 +- net/sched/sch_htb.c | 2 + net/sched/sch_qfq.c | 18 +- sound/soc/codecs/ak4613.c | 4 +- sound/soc/soc-core.c | 36 ++-- sound/soc/soc-pcm.c | 5 +- sound/usb/endpoint.c | 7 + sound/usb/format.c | 3 +- .../selftests/bpf/prog_tests/changes_pkt_data.c | 107 ++++++++++++ .../testing/selftests/bpf/progs/changes_pkt_data.c | 39 +++++ .../bpf/progs/changes_pkt_data_freplace.c | 18 ++ tools/testing/selftests/bpf/progs/verifier_sock.c | 56 ++++++ 144 files changed, 1772 insertions(+), 662 deletions(-)

7 months, 3 weeks

6
134
0 0

[to-be-updated] x86-kexec-fix-potential-cmem-ranges-out-of-bounds.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: x86/kexec: fix potential cmem->ranges out of bounds has been removed from the -mm tree. Its filename was x86-kexec-fix-potential-cmem-ranges-out-of-bounds.patch This patch was dropped because an updated version will be issued ------------------------------------------------------ From: fuqiang wang <fuqiang.wang(a)easystack.cn> Subject: x86/kexec: fix potential cmem->ranges out of bounds Date: Mon, 8 Jan 2024 21:06:47 +0800 In memmap_exclude_ranges(), elfheader will be excluded from crashk_res. In the current x86 architecture code, the elfheader is always allocated at crashk_res.start. It seems that there won't be a new split range. But it depends on the allocation position of elfheader in crashk_res. To avoid potential out of bounds in future, add a extra slot. The similar issue also exists in fill_up_crash_elf_data(). The range to be excluded is [0, 1M], start (0) is special and will not appear in the middle of existing cmem->ranges[]. But in cast the low 1M could be changed in the future, add a extra slot too. Without this patch, kdump kernel will fail to be loaded by kexec_file_load, [ 139.736948] UBSAN: array-index-out-of-bounds in arch/x86/kernel/crash.c:350:25 [ 139.742360] index 0 is out of range for type 'range [*]' [ 139.745695] CPU: 0 UID: 0 PID: 5778 Comm: kexec Not tainted 6.15.0-0.rc3.20250425git02ddfb981de8.32.fc43.x86_64 #1 PREEMPT(lazy) [ 139.745698] Hardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017 [ 139.745699] Call Trace: [ 139.745700] <TASK> [ 139.745701] dump_stack_lvl+0x5d/0x80 [ 139.745706] ubsan_epilogue+0x5/0x2b [ 139.745709] __ubsan_handle_out_of_bounds.cold+0x54/0x59 [ 139.745711] crash_setup_memmap_entries+0x2d9/0x330 [ 139.745716] setup_boot_parameters+0xf8/0x6a0 [ 139.745720] bzImage64_load+0x41b/0x4e0 [ 139.745722] ? find_next_iomem_res+0x109/0x140 [ 139.745727] ? locate_mem_hole_callback+0x109/0x170 [ 139.745737] kimage_file_alloc_init+0x1ef/0x3e0 [ 139.745740] __do_sys_kexec_file_load+0x180/0x2f0 [ 139.745742] do_syscall_64+0x7b/0x160 [ 139.745745] ? do_user_addr_fault+0x21a/0x690 [ 139.745747] ? exc_page_fault+0x7e/0x1a0 [ 139.745749] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 139.745751] RIP: 0033:0x7f7712c84e4d Previously discussed link: [1] https://lore.kernel.org/kexec/ZXk2oBf%2FT1Ul6o0c@MiWiFi-R3L-srv/ [2] https://lore.kernel.org/kexec/273284e8-7680-4f5f-8065-c5d780987e59@easystac… [3] https://lore.kernel.org/kexec/ZYQ6O%2F57sHAPxTHm@MiWiFi-R3L-srv/ Link: https://lkml.kernel.org/r/20240108130720.228478-1-fuqiang.wang@easystack.cn Signed-off-by: fuqiang wang <fuqiang.wang(a)easystack.cn> Acked-by: Baoquan He <bhe(a)redhat.com> Reported-by: Coiby Xu <coxu(a)redhat.com> Closes: https://lkml.kernel.org/r/4de3c2onosr7negqnfhekm4cpbklzmsimgdfv33c52dktqpza… Cc: Vivek Goyal <vgoyal(a)redhat.com> Cc: Dave Young <dyoung(a)redhat.com> Cc: <x86(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- arch/x86/kernel/crash.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) --- a/arch/x86/kernel/crash.c~x86-kexec-fix-potential-cmem-ranges-out-of-bounds +++ a/arch/x86/kernel/crash.c @@ -165,8 +165,18 @@ static struct crash_mem *fill_up_crash_e /* * Exclusion of crash region and/or crashk_low_res may cause * another range split. So add extra two slots here. + * + * Exclusion of low 1M may not cause another range split, because the + * range of exclude is [0, 1M] and the condition for splitting a new + * region is that the start, end parameters are both in a certain + * existing region in cmem and cannot be equal to existing region's + * start or end. Obviously, the start of [0, 1M] cannot meet this + * condition. + * + * But in order to lest the low 1M could be changed in the future, + * (e.g. [stare, 1M]), add a extra slot. */ - nr_ranges += 2; + nr_ranges += 3; cmem = vzalloc(struct_size(cmem, ranges, nr_ranges)); if (!cmem) return NULL; @@ -298,9 +308,16 @@ int crash_setup_memmap_entries(struct ki struct crash_memmap_data cmd; struct crash_mem *cmem; - cmem = vzalloc(struct_size(cmem, ranges, 1)); + /* + * In the current x86 architecture code, the elfheader is always + * allocated at crashk_res.start. But it depends on the allocation + * position of elfheader in crashk_res. To avoid potential out of + * bounds in future, add a extra slot. + */ + cmem = vzalloc(struct_size(cmem, ranges, 2)); if (!cmem) return -ENOMEM; + cmem->max_nr_ranges = 2; memset(&cmd, 0, sizeof(struct crash_memmap_data)); cmd.params = params; _ Patches currently in -mm which might be from fuqiang.wang(a)easystack.cn are

7 months, 3 weeks

1
0
0 0

[PATCH 1/2] iio: Fix scan mask subset check logic

by Fabio Estevam

From: Fabio Estevam <festevam(a)denx.de> Since commit 2718f15403fb ("iio: sanity check available_scan_masks array"), verbose and misleading warnings are printed for devices like the MAX11601: max1363 1-0064: available_scan_mask 8 subset of 0. Never used max1363 1-0064: available_scan_mask 9 subset of 0. Never used max1363 1-0064: available_scan_mask 10 subset of 0. Never used max1363 1-0064: available_scan_mask 11 subset of 0. Never used max1363 1-0064: available_scan_mask 12 subset of 0. Never used max1363 1-0064: available_scan_mask 13 subset of 0. Never used ... [warnings continue] Fix the available_scan_masks sanity check logic so that it only prints the warning when an element of available_scan_mask is in fact a subset of a previous one. These warnings incorrectly report that later scan masks are subsets of the first one, even when they are not. The issue lies in the logic that checks for subset relationships between scan masks. Fix the subset detection to correctly compare each mask only against previous masks, and only warn when a true subset is found. With this fix, the warning output becomes both correct and more informative: max1363 1-0064: Mask 7 (0xc) is a subset of mask 6 (0xf) and will be ignored Cc: stable(a)vger.kernel.org Fixes: 2718f15403fb ("iio: sanity check available_scan_masks array") Signed-off-by: Fabio Estevam <festevam(a)denx.de> --- drivers/iio/industrialio-core.c | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c index 6a6568d4a2cb..855d5fd3e6b2 100644 --- a/drivers/iio/industrialio-core.c +++ b/drivers/iio/industrialio-core.c @@ -1904,6 +1904,11 @@ static int iio_check_extended_name(const struct iio_dev *indio_dev) static const struct iio_buffer_setup_ops noop_ring_setup_ops; +static int is_subset(unsigned long a, unsigned long b) +{ + return (a & ~b) == 0; +} + static void iio_sanity_check_avail_scan_masks(struct iio_dev *indio_dev) { unsigned int num_masks, masklength, longs_per_mask; @@ -1947,21 +1952,13 @@ static void iio_sanity_check_avail_scan_masks(struct iio_dev *indio_dev) * available masks in the order of preference (presumably the least * costy to access masks first). */ - for (i = 0; i < num_masks - 1; i++) { - const unsigned long *mask1; - int j; - mask1 = av_masks + i * longs_per_mask; - for (j = i + 1; j < num_masks; j++) { - const unsigned long *mask2; - - mask2 = av_masks + j * longs_per_mask; - if (bitmap_subset(mask2, mask1, masklength)) + for (i = 1; i < num_masks; ++i) + for (int j = 0; j < i; ++j) + if (is_subset(av_masks[i], av_masks[j])) dev_warn(indio_dev->dev.parent, - "available_scan_mask %d subset of %d. Never used\n", - j, i); - } - } + "Mask %d (0x%lx) is a subset of mask %d (0x%lx) and will be ignored\n", + i, av_masks[i], j, av_masks[j]); } /** -- 2.34.1

7 months, 3 weeks

3
17
0 0

[PATCH v2] drm/bridge: cdns-dsi: Replace deprecated UNIVERSAL_DEV_PM_OPS()

by Vitor Soares

From: Vitor Soares <vitor.soares(a)toradex.com> The deprecated UNIVERSAL_DEV_PM_OPS() macro uses the provided callbacks for both runtime PM and system sleep. This causes the DSI clocks to be disabled twice: once during runtime suspend and again during system suspend, resulting in a WARN message from the clock framework when attempting to disable already-disabled clocks. [ 84.384540] clk:231:5 already disabled [ 84.388314] WARNING: CPU: 2 PID: 531 at /drivers/clk/clk.c:1181 clk_core_disable+0xa4/0xac ... [ 84.579183] Call trace: [ 84.581624] clk_core_disable+0xa4/0xac [ 84.585457] clk_disable+0x30/0x4c [ 84.588857] cdns_dsi_suspend+0x20/0x58 [cdns_dsi] [ 84.593651] pm_generic_suspend+0x2c/0x44 [ 84.597661] ti_sci_pd_suspend+0xbc/0x15c [ 84.601670] dpm_run_callback+0x8c/0x14c [ 84.605588] __device_suspend+0x1a0/0x56c [ 84.609594] dpm_suspend+0x17c/0x21c [ 84.613165] dpm_suspend_start+0xa0/0xa8 [ 84.617083] suspend_devices_and_enter+0x12c/0x634 [ 84.621872] pm_suspend+0x1fc/0x368 To address this issue, replace UNIVERSAL_DEV_PM_OPS() with SET_RUNTIME_PM_OPS(), enabling suspend/resume handling through the _enable()/_disable() hooks managed by the DRM framework for both runtime and system-wide PM. Cc: <stable(a)vger.kernel.org> # 6.1.x Fixes: e19233955d9e ("drm/bridge: Add Cadence DSI driver") Signed-off-by: Vitor Soares <vitor.soares(a)toradex.com> --- v1 -> v2 - Rely only on SET_RUNTIME_PM_OPS() for the PM. drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c index b022dd6e6b6e..5a31783fe856 100644 --- a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c +++ b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c @@ -1258,7 +1258,7 @@ static const struct mipi_dsi_host_ops cdns_dsi_ops = { .transfer = cdns_dsi_transfer, }; -static int __maybe_unused cdns_dsi_resume(struct device *dev) +static int cdns_dsi_resume(struct device *dev) { struct cdns_dsi *dsi = dev_get_drvdata(dev); @@ -1269,7 +1269,7 @@ static int __maybe_unused cdns_dsi_resume(struct device *dev) return 0; } -static int __maybe_unused cdns_dsi_suspend(struct device *dev) +static int cdns_dsi_suspend(struct device *dev) { struct cdns_dsi *dsi = dev_get_drvdata(dev); @@ -1279,8 +1279,9 @@ static int __maybe_unused cdns_dsi_suspend(struct device *dev) return 0; } -static UNIVERSAL_DEV_PM_OPS(cdns_dsi_pm_ops, cdns_dsi_suspend, cdns_dsi_resume, - NULL); +static const struct dev_pm_ops cdns_dsi_pm_ops = { + SET_RUNTIME_PM_OPS(cdns_dsi_suspend, cdns_dsi_resume, NULL) +}; static int cdns_dsi_drm_probe(struct platform_device *pdev) { -- 2.34.1

7 months, 3 weeks

2
1
0 0

Missing patch in 6.12.27 - breaks UM target builds

by Christian Lamparter

Hi, On 3/14/25 2:08 PM, Benjamin Berg wrote: > From: Benjamin Berg <benjamin.berg(a)intel.com> > um: work around sched_yield not yielding in time-travel mode > > sched_yield by a userspace may not actually cause scheduling in > time-travel mode as no time has passed. In the case seen it appears to > be a badly implemented userspace spinlock in ASAN. Unfortunately, with > time-travel it causes an extreme slowdown or even deadlock depending on > the kernel configuration (CONFIG_UML_MAX_USERSPACE_ITERATIONS). > > Work around it by accounting time to the process whenever it executes a > sched_yield syscall. > > Signed-off-by: Benjamin Berg <benjamin.berg(a)intel.com> From what I can tell the patch mentioned above was backported to 6.12.27 by: <https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/arc…> but without the upstream |Commit 0b8b2668f9981c1fefc2ef892bd915288ef01f33 |Author: Benjamin Berg <benjamin.berg(a)intel.com> |Date: Thu Oct 10 16:25:37 2024 +0200 | um: insert scheduler ticks when userspace does not yield | | In time-travel mode userspace can do a lot of work without any time | passing. Unfortunately, this can result in OOM situations as the RCU | core code will never be run. [...] the kernel build for 6.12.27 for the UM-Target will fail: | /usr/bin/ld: arch/um/kernel/skas/syscall.o: in function `handle_syscall': linux-6.12.27/arch/um/kernel/skas/syscall.c:43:(.text+0xa2): undefined reference to `tt_extra_sched_jiffies' | collect2: error: ld returned 1 exit status is it possible to backport 0b8b2668f9981c1fefc2ef892bd915288ef01f33 too? Or is it better to revert 887c5c12e80c8424bd471122d2e8b6b462e12874 again in the stable releases? Best Regards, Christian Lamparter > > --- > > I suspect it is this code in ASAN that uses sched_yield > https://github.com/llvm/llvm-project/blob/main/compiler-rt/lib/sanitizer_co… > though there are also some other places that use sched_yield. > > I doubt that code is reasonable. At the same time, not sure that > sched_yield is behaving as advertised either as it obviously is not > necessarily relinquishing the CPU. > --- > arch/um/include/linux/time-internal.h | 2 ++ > arch/um/kernel/skas/syscall.c | 11 +++++++++++ > 2 files changed, 13 insertions(+) > > diff --git a/arch/um/include/linux/time-internal.h b/arch/um/include/linux/time-internal.h > index b22226634ff6..138908b999d7 100644 > --- a/arch/um/include/linux/time-internal.h > +++ b/arch/um/include/linux/time-internal.h > @@ -83,6 +83,8 @@ extern void time_travel_not_configured(void); > #define time_travel_del_event(...) time_travel_not_configured() > #endif /* CONFIG_UML_TIME_TRAVEL_SUPPORT */ > > +extern unsigned long tt_extra_sched_jiffies; > + > /* > * Without CONFIG_UML_TIME_TRAVEL_SUPPORT this is a linker error if used, > * which is intentional since we really shouldn't link it in that case. > diff --git a/arch/um/kernel/skas/syscall.c b/arch/um/kernel/skas/syscall.c > index b09e85279d2b..a5beaea2967e 100644 > --- a/arch/um/kernel/skas/syscall.c > +++ b/arch/um/kernel/skas/syscall.c > @@ -31,6 +31,17 @@ void handle_syscall(struct uml_pt_regs *r) > goto out; > > syscall = UPT_SYSCALL_NR(r); > + > + /* > + * If no time passes, then sched_yield may not actually yield, causing > + * broken spinlock implementations in userspace (ASAN) to hang for long > + * periods of time. > + */ > + if ((time_travel_mode == TT_MODE_INFCPU || > + time_travel_mode == TT_MODE_EXTERNAL) && > + syscall == __NR_sched_yield) > + tt_extra_sched_jiffies += 1; > + > if (syscall >= 0 && syscall < __NR_syscalls) { > unsigned long ret = EXECUTE_SYSCALL(syscall, regs); >

7 months, 3 weeks

2
1
0 0

[PATCH] riscv: Fix kernel crash due to PR_SET_TAGGED_ADDR_CTRL

by Nam Cao

When userspace does PR_SET_TAGGED_ADDR_CTRL, but Supm extension is not available, the kernel crashes: Oops - illegal instruction [#1] [snip] epc : set_tagged_addr_ctrl+0x112/0x15a ra : set_tagged_addr_ctrl+0x74/0x15a epc : ffffffff80011ace ra : ffffffff80011a30 sp : ffffffc60039be10 [snip] status: 0000000200000120 badaddr: 0000000010a79073 cause: 0000000000000002 set_tagged_addr_ctrl+0x112/0x15a __riscv_sys_prctl+0x352/0x73c do_trap_ecall_u+0x17c/0x20c andle_exception+0x150/0x15c Fix it by checking if Supm is available. Fixes: 09d6775f503b ("riscv: Add support for userspace pointer masking") Signed-off-by: Nam Cao <namcao(a)linutronix.de> Cc: stable(a)vger.kernel.org --- arch/riscv/kernel/process.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c index 7c244de77180..3db2c0c07acd 100644 --- a/arch/riscv/kernel/process.c +++ b/arch/riscv/kernel/process.c @@ -275,6 +275,9 @@ long set_tagged_addr_ctrl(struct task_struct *task, unsigned long arg) unsigned long pmm; u8 pmlen; + if (!riscv_has_extension_unlikely(RISCV_ISA_EXT_SUPM)) + return -EINVAL; + if (is_compat_thread(ti)) return -EINVAL; -- 2.39.5

7 months, 3 weeks

4
7
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror May 2025