July 2025 - Linux-stable-mirror

[PATCH v2 RESEND] sparc: fix error handling in scan_one_device()

by Ma Ke

Once of_device_register() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak. So fix this by calling put_device(), then the name can be freed in kobject_cleanup(). Calling path: of_device_register() -> of_device_add() -> device_add(). As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: cf44bbc26cf1 ("[SPARC]: Beginnings of generic of_device framework.") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - retained kfree() manually due to the lack of a release callback function. --- arch/sparc/kernel/of_device_64.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/sparc/kernel/of_device_64.c b/arch/sparc/kernel/of_device_64.c index f98c2901f335..f53092b07b9e 100644 --- a/arch/sparc/kernel/of_device_64.c +++ b/arch/sparc/kernel/of_device_64.c @@ -677,6 +677,7 @@ static struct platform_device * __init scan_one_device(struct device_node *dp, if (of_device_register(op)) { printk("%pOF: Could not register of device.\n", dp); + put_device(&op->dev); kfree(op); op = NULL; } -- 2.25.1

1 month, 1 week

1
0
0 0

[PATCH RESEND] fsi/core: fix error handling in fsi_slave_init()

by Ma Ke

Once cdev_device_add() failed, we should use put_device() to decrement reference count for cleanup. Or it could cause memory leak. Although operations in err_free_ida are similar to the operations in callback function fsi_slave_release(), put_device() is a correct handling operation as comments require when cdev_device_add() fails. As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 371975b0b075 ("fsi/core: Fix error paths on CFAM init") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/fsi/fsi-core.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/fsi/fsi-core.c b/drivers/fsi/fsi-core.c index 50e8736039fe..c494fc0bd747 100644 --- a/drivers/fsi/fsi-core.c +++ b/drivers/fsi/fsi-core.c @@ -1084,7 +1084,8 @@ static int fsi_slave_init(struct fsi_master *master, int link, uint8_t id) rc = cdev_device_add(&slave->cdev, &slave->dev); if (rc) { dev_err(&slave->dev, "Error %d creating slave device\n", rc); - goto err_free_ida; + put_device(&slave->dev); + return rc; } /* Now that we have the cdev registered with the core, any fatal @@ -1110,8 +1111,6 @@ static int fsi_slave_init(struct fsi_master *master, int link, uint8_t id) return 0; -err_free_ida: - fsi_free_minor(slave->dev.devt); err_free: of_node_put(slave->dev.of_node); kfree(slave); -- 2.25.1

1 month, 1 week

1
0
0 0

[PATCH 2/2] eventpoll: Fix epoll_wait() report false negative

by Nam Cao

ep_events_available() checks for available events by looking at ep->rdllist and ep->ovflist. However, this is done without a lock, therefore the returned value is not reliable. Because it is possible that both checks on ep->rdllist and ep->ovflist are false while ep_start_scan() or ep_done_scan() is being executed on other CPUs, despite events are available. This bug can be observed by: 1. Create an eventpoll with at least one ready level-triggered event 2. Create multiple threads who do epoll_wait() with zero timeout. The threads do not consume the events, therefore all epoll_wait() should return at least one event. If one thread is executing ep_events_available() while another thread is executing ep_start_scan() or ep_done_scan(), epoll_wait() may wrongly return no event for the former thread. This reproducer is implemented as TEST(epoll65) in tools/testing/selftests/filesystems/epoll/epoll_wakeup_test.c Fix it by skipping ep_events_available(), just call ep_try_send_events() directly. epoll_sendevents() (io_uring) suffers the same problem, fix that as well. There is still ep_busy_loop() who uses ep_events_available() without lock, but it is probably okay (?) for busy-polling. Fixes: c5a282e9635e ("fs/epoll: reduce the scope of wq lock in epoll_wait()") Fixes: e59d3c64cba6 ("epoll: eliminate unnecessary lock for zero timeout") Fixes: ae3a4f1fdc2c ("eventpoll: add epoll_sendevents() helper") Signed-off-by: Nam Cao <namcao(a)linutronix.de> Cc: stable(a)vger.kernel.org --- fs/eventpoll.c | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/fs/eventpoll.c b/fs/eventpoll.c index 0fbf5dfedb24..541481eafc20 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -2022,7 +2022,7 @@ static int ep_schedule_timeout(ktime_t *to) static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, int maxevents, struct timespec64 *timeout) { - int res, eavail, timed_out = 0; + int res, eavail = 1, timed_out = 0; u64 slack = 0; wait_queue_entry_t wait; ktime_t expires, *to = NULL; @@ -2041,16 +2041,6 @@ static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, timed_out = 1; } - /* - * This call is racy: We may or may not see events that are being added - * to the ready list under the lock (e.g., in IRQ callbacks). For cases - * with a non-zero timeout, this thread will check the ready list under - * lock and will add to the wait queue. For cases with a zero - * timeout, the user by definition should not care and will have to - * recheck again. - */ - eavail = ep_events_available(ep); - while (1) { if (eavail) { res = ep_try_send_events(ep, events, maxevents); @@ -2496,9 +2486,7 @@ int epoll_sendevents(struct file *file, struct epoll_event __user *events, * Racy call, but that's ok - it should get retried based on * poll readiness anyway. */ - if (ep_events_available(ep)) - return ep_try_send_events(ep, events, maxevents); - return 0; + return ep_try_send_events(ep, events, maxevents); } /* -- 2.39.5

1 month, 1 week

2
2
0 0

[PATCH] vhost/net: Replace wait_queue with completion in ubufs reference

by Nikolay Kuratov

When operating on struct vhost_net_ubuf_ref, the following execution sequence is theoretically possible: CPU0 is finalizing DMA operation CPU1 is doing VHOST_NET_SET_BACKEND // &ubufs->refcount == 2 vhost_net_ubuf_put() vhost_net_ubuf_put_wait_and_free(oldubufs) vhost_net_ubuf_put_and_wait() vhost_net_ubuf_put() int r = atomic_sub_return(1, &ubufs->refcount); // r = 1 int r = atomic_sub_return(1, &ubufs->refcount); // r = 0 wait_event(ubufs->wait, !atomic_read(&ubufs->refcount)); // no wait occurs here because condition is already true kfree(ubufs); if (unlikely(!r)) wake_up(&ubufs->wait); // use-after-free This leads to use-after-free on ubufs access. This happens because CPU1 skips waiting for wake_up() when refcount is already zero. To prevent that use a completion instead of wait_queue as the ubufs notification mechanism. wait_for_completion() guarantees that there will be complete() call prior to its return. We also need to reinit completion because refcnt == 0 does not mean freeing in case of vhost_net_flush() - it then sets refcnt back to 1. AFAIK concurrent calls to vhost_net_ubuf_put_and_wait() with the same ubufs object aren't possible since those calls (through vhost_net_flush() or vhost_net_set_backend()) are protected by the device mutex. So reinit_completion() right after wait_for_completion() should be fine. Cc: stable(a)vger.kernel.org Fixes: 0ad8b480d6ee9 ("vhost: fix ref cnt checking deadlock") Reported-by: Andrey Ryabinin <arbn(a)yandex-team.com> Suggested-by: Andrey Smetanin <asmetanin(a)yandex-team.ru> Signed-off-by: Nikolay Kuratov <kniv(a)yandex-team.ru> --- drivers/vhost/net.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c index 7cbfc7d718b3..454d179fffeb 100644 --- a/drivers/vhost/net.c +++ b/drivers/vhost/net.c @@ -94,7 +94,7 @@ struct vhost_net_ubuf_ref { * >1: outstanding ubufs */ atomic_t refcount; - wait_queue_head_t wait; + struct completion wait; struct vhost_virtqueue *vq; }; @@ -240,7 +240,7 @@ vhost_net_ubuf_alloc(struct vhost_virtqueue *vq, bool zcopy) if (!ubufs) return ERR_PTR(-ENOMEM); atomic_set(&ubufs->refcount, 1); - init_waitqueue_head(&ubufs->wait); + init_completion(&ubufs->wait); ubufs->vq = vq; return ubufs; } @@ -249,14 +249,15 @@ static int vhost_net_ubuf_put(struct vhost_net_ubuf_ref *ubufs) { int r = atomic_sub_return(1, &ubufs->refcount); if (unlikely(!r)) - wake_up(&ubufs->wait); + complete_all(&ubufs->wait); return r; } static void vhost_net_ubuf_put_and_wait(struct vhost_net_ubuf_ref *ubufs) { vhost_net_ubuf_put(ubufs); - wait_event(ubufs->wait, !atomic_read(&ubufs->refcount)); + wait_for_completion(&ubufs->wait); + reinit_completion(&ubufs->wait); } static void vhost_net_ubuf_put_wait_and_free(struct vhost_net_ubuf_ref *ubufs) -- 2.34.1

1 month, 1 week

2
1
0 0

Re: [PATCH bpf-next v5 2/2] selftests/bpf: Add tests with stack ptr register in conditional jmp

by Shung-Hsi Yu

Hi Andrii and Yonghong, On Fri, May 23, 2025 at 09:13:40PM -0700, Yonghong Song wrote: > Add two tests: > - one test has 'rX <op> r10' where rX is not r10, and > - another test has 'rX <op> rY' where rX and rY are not r10 > but there is an early insn 'rX = r10'. > > Without previous verifier change, both tests will fail. > > Signed-off-by: Yonghong Song <yonghong.song(a)linux.dev> > --- > .../selftests/bpf/progs/verifier_precision.c | 53 +++++++++++++++++++ > 1 file changed, 53 insertions(+) I was looking this commit (5ffb537e416e) since it was a BPF selftest test for CVE-2025-38279, but upon looking I found that the commit differs from the patch, there is an extra hunk that changed kernel/bpf/verifier.c that wasn't found the Yonghong's original patch. I suppose it was meant to be squashed into the previous commit e2d2115e56c4 "bpf: Do not include stack ptr register in precision backtracking bookkeeping"? Since stable backports got only e2d2115e56c4, but not the 5ffb537e416e here with the extra change for kernel/bpf/verifier.c, I'd guess the backtracking logic in the stable kernel isn't correct at the moment, so I'll send 5ffb537e416e "selftests/bpf: Add tests with stack ptr register in conditional jmp" to stable as well. Let me know if that's not the right thing to do. Shung-Hsi diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 98c52829936e..a7d6e0c5928b 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -16456,6 +16456,8 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, if (src_reg->type == PTR_TO_STACK) insn_flags |= INSN_F_SRC_REG_STACK; + if (dst_reg->type == PTR_TO_STACK) + insn_flags |= INSN_F_DST_REG_STACK; } else { if (insn->src_reg != BPF_REG_0) { verbose(env, "BPF_JMP/JMP32 uses reserved fields\n"); @@ -16465,10 +16467,11 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, memset(src_reg, 0, sizeof(*src_reg)); src_reg->type = SCALAR_VALUE; __mark_reg_known(src_reg, insn->imm); + + if (dst_reg->type == PTR_TO_STACK) + insn_flags |= INSN_F_DST_REG_STACK; } - if (dst_reg->type == PTR_TO_STACK) - insn_flags |= INSN_F_DST_REG_STACK; if (insn_flags) { err = push_insn_history(env, this_branch, insn_flags, 0); if (err) > diff --git a/tools/testing/selftests/bpf/progs/verifier_precision.c b/tools/testing/selftests/bpf/progs/verifier_precision.c ...

1 month, 1 week

2
2
0 0

[PATCH] cifs: reset iface weights when we cannot find a candidate

by nspmangalore＠gmail.com

From: Shyam Prasad N <sprasad(a)microsoft.com> We now do a weighted selection of server interfaces when allocating new channels. The weights are decided based on the speed advertised. The fulfilled weight for an interface is a counter that is used to track the interface selection. It should be reset back to zero once all interfaces fulfilling their weight. In cifs_chan_update_iface, this reset logic was missing. As a result when the server interface list changes, the client may not be able to find a new candidate for other channels after all interfaces have been fulfilled. Fixes: a6d8fb54a515 ("cifs: distribute channels across interfaces based on speed") Cc: <stable(a)vger.kernel.org> Signed-off-by: Shyam Prasad N <sprasad(a)microsoft.com> --- fs/smb/client/sess.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/fs/smb/client/sess.c b/fs/smb/client/sess.c index 330bc3d25bad..0a8c2fcc9ded 100644 --- a/fs/smb/client/sess.c +++ b/fs/smb/client/sess.c @@ -332,6 +332,7 @@ cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server) struct cifs_server_iface *old_iface = NULL; struct cifs_server_iface *last_iface = NULL; struct sockaddr_storage ss; + int retry = 0; spin_lock(&ses->chan_lock); chan_index = cifs_ses_get_chan_index(ses, server); @@ -360,6 +361,7 @@ cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server) return; } +try_again: last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface, iface_head); iface_min_speed = last_iface->speed; @@ -397,6 +399,13 @@ cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server) } if (list_entry_is_head(iface, &ses->iface_list, iface_head)) { + list_for_each_entry(iface, &ses->iface_list, iface_head) + iface->weight_fulfilled = 0; + + /* see if it can be satisfied in second attempt */ + if (!retry++) + goto try_again; + iface = NULL; cifs_dbg(FYI, "unable to find a suitable iface\n"); } -- 2.43.0

1 month, 1 week

2
1
0 0

[PATCH 5.4.y 0/6] Backport few sch_sfq fixes

by Harshit Mogalapalli

commit: 10685681bafc ("net_sched: sch_sfq: don't allow 1 packet limit") fixes CVE-2024-57996 and commit: b3bf8f63e617 ("net_sched: sch_sfq: move the limit validation") fixes CVE-2025-37752 and commit: 7ca52541c05c ("net_sched: sch_sfq: reject invalid perturb period") fixes CVE-2025-38193. Patches 3, 5, 6 are CVE fixes for above mentioned CVEs. Patch 1,2 and 4 are pulled in as stable-deps. Testing performed on the patched 5.4.295 kernel with the above 5 patches: (Used latest upstream kselftests for tc-testing) $ uname -a Linux hamogala-kdevoci8-1 5.4.295-master.20250717.el8.rc2.x86_64 #1 SMP Thu Jul 17 00:57:21 PDT 2025 x86_64 x86_64 x86_64 GNU/Linux $ python3.12 ./tdc.py -f tc-tests/qdiscs/sfq.json -- ns/SubPlugin.__init__ Test 7482: Create SFQ with default setting Test c186: Create SFQ with limit setting Test ae23: Create SFQ with perturb setting Test a430: Create SFQ with quantum setting Test 4539: Create SFQ with divisor setting Test b089: Create SFQ with flows setting Test 99a0: Create SFQ with depth setting Test 7389: Create SFQ with headdrop setting Test 6472: Create SFQ with redflowlimit setting Test 8929: Show SFQ class Test 4d6f: Check that limit of 1 is rejected Test 7f8f: Check that a derived limit of 1 is rejected (limit 2 depth 1 flows 1) Test 5168: Check that a derived limit of 1 is rejected (limit 2 depth 1 divisor 1) All test results: 1..13 ok 1 7482 - Create SFQ with default setting ok 2 c186 - Create SFQ with limit setting ok 3 ae23 - Create SFQ with perturb setting ok 4 a430 - Create SFQ with quantum setting ok 5 4539 - Create SFQ with divisor setting ok 6 b089 - Create SFQ with flows setting ok 7 99a0 - Create SFQ with depth setting ok 8 7389 - Create SFQ with headdrop setting ok 9 6472 - Create SFQ with redflowlimit setting ok 10 8929 - Show SFQ class ok 11 4d6f - Check that limit of 1 is rejected ok 12 7f8f - Check that a derived limit of 1 is rejected (limit 2 depth 1 flows 1) ok 13 5168 - Check that a derived limit of 1 is rejected (limit 2 depth 1 divisor 1) Thanks, Harshit Eric Dumazet (3): net_sched: sch_sfq: annotate data-races around q->perturb_period net_sched: sch_sfq: handle bigger packets net_sched: sch_sfq: reject invalid perturb period Octavian Purdila (3): net_sched: sch_sfq: don't allow 1 packet limit net_sched: sch_sfq: use a temporary work area for validating configuration net_sched: sch_sfq: move the limit validation net/sched/sch_sfq.c | 114 +++++++++++++++++++++++++++++--------------- 1 file changed, 75 insertions(+), 39 deletions(-) -- 2.47.1

1 month, 1 week

2
12
0 0

[PATCH stable 6.6 0/2] selftests/bpf: revert changes from "check bpf_dummy_struct_ops program params for test runs"

by Shung-Hsi Yu

This patchset reverts BPF selftests changes backported from "check bpf_dummy_struct_ops program params for test runs" series[1]. The changes are causing BPF selftests to fail on stable 6.6 kernel due to missing dependencies (mainly the "Support PTR_MAYBE_NULL for struct_ops arguments." series[2]). Please see individual patch for detail. 1: https://lore.kernel.org/bpf/20240424012821.595216-1-eddyz87@gmail.com/ 2: https://lore.kernel.org/bpf/20240209023750.1153905-1-thinker.li@gmail.com/ Shung-Hsi Yu (2): Revert "selftests/bpf: adjust dummy_st_ops_success to detect additional error" Revert "selftests/bpf: dummy_st_ops should reject 0 for non-nullable params" .../selftests/bpf/prog_tests/dummy_st_ops.c | 27 ------------------- .../bpf/progs/dummy_st_ops_success.c | 13 ++------- 2 files changed, 2 insertions(+), 38 deletions(-) -- 2.50.1

1 month, 1 week

2
4
0 0

[to-be-updated] mm-check-if-folio-has-valid-mapcount-before-folio_test_anonksm-when-necessary.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: check if folio has valid mapcount before folio_test_{anon,ksm}() when necessary has been removed from the -mm tree. Its filename was mm-check-if-folio-has-valid-mapcount-before-folio_test_anonksm-when-necessary.patch This patch was dropped because an updated version will be issued ------------------------------------------------------ From: Harry Yoo <harry.yoo(a)oracle.com> Subject: mm: check if folio has valid mapcount before folio_test_{anon,ksm}() when necessary Date: Mon, 7 Jul 2025 21:07:40 +0900 folio_test_anon() and folio_test_ksm() may return false positives when the folio is a typed page (except hugetlb), because lower bits of folio->mapping field can be set even if it doesn't mean FOLIO_MAPPING_* flags. To avoid false positives, folio_test_{anon,ksm}() should be called only if !page_has_type(&folio->page) || folio_test_hugetlb(folio). However, the check can be skipped if a folio is or will be mapped to userspace because typed pages that are not hugetlb folios cannot be mapped to userspace. As folio_expected_ref_count() already does the check, introduce a helper function folio_has_mapcount() and use it in folio_expected_ref_count() and stable_page_flags(). Update the comment in FOLIO_MAPPING_* flags accordingly. This fixes tools/mm/page-types reporting pages with KPF_SLAB, KPF_ANON and KPF_SLAB (with flags, page-counts, MB omitted): $ sudo ./page-types | grep slab _______S___________________________________ slab _______S____a________x_____________________ slab,anonymous,ksm Link: https://lkml.kernel.org/r/20250707120740.4413-1-harry.yoo@oracle.com Fixes: 130d4df57390 ("mm/sl[au]b: rearrange struct slab fields to allow larger rcu_head") Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> Suggested-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: Christoph Lameter (Ampere) <cl(a)gentwo.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: David Rientjes <rientjes(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/page.c | 19 +++++++++++-------- include/linux/mm.h | 2 +- include/linux/page-flags.h | 20 ++++++++++++++------ 3 files changed, 26 insertions(+), 15 deletions(-) --- a/fs/proc/page.c~mm-check-if-folio-has-valid-mapcount-before-folio_test_anonksm-when-necessary +++ a/fs/proc/page.c @@ -148,18 +148,21 @@ u64 stable_page_flags(const struct page folio = page_folio(page); k = folio->flags; - mapping = (unsigned long)folio->mapping; - is_anon = mapping & FOLIO_MAPPING_ANON; /* * pseudo flags for the well known (anonymous) memory mapped pages */ - if (page_mapped(page)) - u |= 1 << KPF_MMAP; - if (is_anon) { - u |= 1 << KPF_ANON; - if (mapping & FOLIO_MAPPING_KSM) - u |= 1 << KPF_KSM; + if (folio_has_mapcount(folio)) { + mapping = (unsigned long)folio->mapping; + is_anon = mapping & FOLIO_MAPPING_ANON; + + if (page_mapped(page)) + u |= 1 << KPF_MMAP; + if (is_anon) { + u |= 1 << KPF_ANON; + if (mapping & FOLIO_MAPPING_KSM) + u |= 1 << KPF_KSM; + } } /* --- a/include/linux/mm.h~mm-check-if-folio-has-valid-mapcount-before-folio_test_anonksm-when-necessary +++ a/include/linux/mm.h @@ -2169,7 +2169,7 @@ static inline int folio_expected_ref_cou const int order = folio_order(folio); int ref_count = 0; - if (WARN_ON_ONCE(page_has_type(&folio->page) && !folio_test_hugetlb(folio))) + if (WARN_ON_ONCE(!folio_has_mapcount(folio))) return 0; if (folio_test_anon(folio)) { --- a/include/linux/page-flags.h~mm-check-if-folio-has-valid-mapcount-before-folio_test_anonksm-when-necessary +++ a/include/linux/page-flags.h @@ -706,12 +706,15 @@ PAGEFLAG_FALSE(VmemmapSelfHosted, vmemma * address_space which maps the folio from disk; whereas "folio_mapped" * refers to user virtual address space into which the folio is mapped. * - * For slab pages, since slab reuses the bits in struct page to store its - * internal states, the folio->mapping does not exist as such, nor do - * these flags below. So in order to avoid testing non-existent bits, - * please make sure that folio_test_slab(folio) actually evaluates to - * false before calling the following functions (e.g., folio_test_anon). - * See mm/slab.h. + * For certain typed pages like slabs, since they reuse bits in struct page + * to store internal states, folio->mapping does not point to a valid + * mapping, nor do these flags exist. To avoid testing non-existent bits, + * make sure folio_has_mapcount() actually evaluates to true before calling + * the following functions (e.g., folio_test_anon). + * + * The folio_has_mapcount() check can be skipped if the folio is mapped + * to userspace, since a folio with !folio_has_mapcount() cannot be mapped + * to userspace at all. */ #define FOLIO_MAPPING_ANON 0x1 #define FOLIO_MAPPING_ANON_KSM 0x2 @@ -1092,6 +1095,11 @@ static inline bool PageHuge(const struct return folio_test_hugetlb(page_folio(page)); } +static inline bool folio_has_mapcount(const struct folio *folio) +{ + return !page_has_type(&folio->page) || folio_test_hugetlb(folio); +} + /* * Check if a page is currently marked HWPoisoned. Note that this check is * best effort only and inherently racy: there is no way to synchronize with _ Patches currently in -mm which might be from harry.yoo(a)oracle.com are mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction=n.patch

1 month, 1 week

1
0
0 0

[ath10k][QCA9377] Firmware crashes on Dell Inspiron 5567 (IRQ #16, all modern distro kernels)

by Bandhan Pramanik

Hello, This is to inform all that constant firmware crashes have been seen in the "Qualcomm Atheros QCA9377 802.11ac Wireless Network Adapter", which was shipped with the Dell Inspiron 5567 laptops. This affects every kernel release, including the stable and the longterm ones. All the logs have been taken after livebooting an Arch Linux ISO. Every distro has been tried, and it has been confirmed that some error of this kind is shown in every distro. ## Steps to reproduce the issue 1. Boot/liveboot any Linux ISO through this card (and possibly, this laptop). 2. Wi-Fi network interface appears. 3. Connect the Wi-Fi router to the computer. 4. A few moments/minutes after that, the touchpad stops working, and the network interface cannot even access the Internet anymore (BUT, the network interface might disappear, might not disappear). ## Affected distros and the necessary workarounds This has been the pattern on every distro and their corresponding kernels (LMDE, Linux Mint, Pop!_OS, Zorin, Kubuntu, KDE Neon, elementaryOS, Fedora, and even Arch). The fix which made these distros usable is to add two things: - Adding "options ath10k_core skip_otp=y" to a new conf file in /etc/modprobe.d. - Adding "pci=noaer" in GRUB kernel parameters so that the logs are not flooded with Multiple Correctable Errors. To defend my case (that it occurs in the other models of Inspiron 5567 too), I have recently contacted someone running Linux Mint on the same model. The answer was the same: the touchpad and the Wi-Fi stop simultaneously. ## Some of the limitations The kernel was tainted, but the other things have been properly noted in case they might provide some useful details. As stated, investigating why IRQ #16 is disabled will probably give us the answer. ## Logs provided All the logs in a combined manner can be found here: https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180 - Full dmesg: https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180#fi… - Hostnamectl: https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180#fi… - lspci: https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180#fi… - Modinfo of the driver: https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180#fi… - Ping command: https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180#fi… - /proc/interrupts: https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180#fi… - IP addr command (Heavily Redacted): https://gist.github.com/BandhanPramanik/ddb0cb23eca03ca2ea43a1d832a16180#fi… Lastly, this issue on the GitHub repository of Pop!_OS 'might' be relevant: https://github.com/pop-os/pop/issues/1470 It would be highly appreciated if the matter were looked into. Thanks, Bandhan Pramanik

1 month, 1 week

1
4
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror July 2025