September 2025 - Linux-stable-mirror

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.16.8 release. There are 189 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 19 Sep 2025 12:32:53 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.16.8-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.16.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.16.8-rc1 Johan Hovold <johan(a)kernel.org> phy: ti-pipe3: fix device leak at unbind Johan Hovold <johan(a)kernel.org> phy: ti: omap-usb2: fix device leak at unbind Johan Hovold <johan(a)kernel.org> phy: tegra: xusb: fix device and OF node leak at probe Stephan Gerhold <stephan.gerhold(a)linaro.org> phy: qcom: qmp-pcie: Fix PHY initialization when powered down by firmware Miaoqian Lin <linmq006(a)gmail.com> dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate Stephan Gerhold <stephan.gerhold(a)linaro.org> dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees Takashi Iwai <tiwai(a)suse.de> usb: gadget: midi2: Fix MIDI2 IN EP max packet size Takashi Iwai <tiwai(a)suse.de> usb: gadget: midi2: Fix missing UMP group attributes initialization RD Babiera <rdbabiera(a)google.com> usb: typec: tcpm: properly deliver cable vdms to altmode drivers Alan Stern <stern(a)rowland.harvard.edu> USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: fix memory leak regression when freeing xhci vdev devices depth first Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: Fix full DbC transfer ring after several reconnects Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: decouple endpoint allocation from initialization Yuezhang Mo <Yuezhang.Mo(a)sony.com> erofs: fix runtime warning on truncate_folio_batch_exceptionals() Andreas Kemnade <akemnade(a)kernel.org> regulator: sy7636a: fix lifecycle of power good gpio Anders Roxell <anders.roxell(a)linaro.org> dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Gao Xiang <xiang(a)kernel.org> erofs: fix invalid algorithm for encoded extents Gao Xiang <xiang(a)kernel.org> erofs: unify meta buffers in z_erofs_fill_inode() Gao Xiang <xiang(a)kernel.org> erofs: remove need_kmap in erofs_read_metabuf() Gao Xiang <xiang(a)kernel.org> erofs: get rid of {get,put}_page() for ztailpacking data Dan Carpenter <dan.carpenter(a)linaro.org> dmaengine: idxd: Fix double free in idxd_setup_wqs() Yi Sun <yi.sun(a)intel.com> dmaengine: idxd: Fix refcount underflow on module unload Yi Sun <yi.sun(a)intel.com> dmaengine: idxd: Remove improper idxd_free Pengyu Luo <mitltlatltl(a)gmail.com> phy: qualcomm: phy-qcom-eusb2-repeater: fix override properties Hangbin Liu <liuhangbin(a)gmail.com> hsr: hold rcu and dev lock for hsr_get_port_ndev Hangbin Liu <liuhangbin(a)gmail.com> hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr Hangbin Liu <liuhangbin(a)gmail.com> hsr: use rtnl lock when iterating over ports Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: restart set lookup on base_seq change Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: make nft_set_do_lookup available unconditionally Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: place base_seq in struct net Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Reintroduce shortened deletion notifications Florian Westphal <fw(a)strlen.de> netfilter: nft_set_rbtree: continue traversal if element is inactive Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: don't check genbit from packetpath lookups Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: don't return bogus extension pointer Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: merge pipapo_get/lookup Florian Westphal <fw(a)strlen.de> netfilter: nft_set: remove one argument from lookup and update functions Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: remove unused arguments Florian Westphal <fw(a)strlen.de> netfilter: nft_set_bitmap: fix lockdep splat due to missing annotation Anssi Hannula <anssi.hannula(a)bitwise.fi> can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> can: j1939: implement NETDEV_UNREGISTER notification handler Davide Caratti <dcaratti(a)redhat.com> selftests: can: enable CONFIG_CAN_VCAN as a module Stanislav Fomichev <sdf(a)fomichev.me> macsec: sync features on RTM_NEWLINK Carolina Jubran <cjubran(a)nvidia.com> net: dev_ioctl: take ops lock in hwtstamp lower paths Alex Deucher <alexander.deucher(a)amd.com> drm/amd/display: use udelay rather than fsleep Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/configfs: Don't touch survivability_mode on fini Michal Schmidt <mschmidt(a)redhat.com> i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path Kohei Enju <enjuk(a)amazon.com> igb: fix link test skipping when interface is admin down Tianyu Xu <tianyxu(a)cisco.com> igb: Fix NULL pointer dereference in ethtool loopback test Alex Tran <alex.t.tran(a)gmail.com> docs: networking: can: change bcm_msg_head frames member to support flexible array Antoine Tenart <atenart(a)kernel.org> tunnels: reset the GSO metadata before reusing the skb Petr Machata <petrm(a)nvidia.com> net: bridge: Bounce invalid boolopts Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix ageing time for BCM53101 Alok Tiwari <alok.a.tiwari(a)oracle.com> genetlink: fix genl_bind() invoking bind() after -EPERM Klaus Kudielka <klaus.kudielka(a)gmail.com> PCI: mvebu: Fix use of for_each_of_range() iterator Miaoqing Pan <miaoqing.pan(a)oss.qualcomm.com> wifi: ath12k: fix WMI TLV header misalignment Sriram R <quic_srirrama(a)quicinc.com> wifi: ath12k: Add support to enqueue management frame at MLD level Sarika Sharma <quic_sarishar(a)quicinc.com> wifi: ath12k: add link support for multi-link in arsta Miaoqing Pan <miaoqing.pan(a)oss.qualcomm.com> wifi: ath12k: Fix missing station power save configuration Vladimir Oltean <vladimir.oltean(a)nxp.com> net: phy: transfer phy_config_inband() locking responsibility to phylink Vladimir Oltean <vladimir.oltean(a)nxp.com> net: phylink: add lock for serializing concurrent pl->phydev writes with resolver Stefan Wahren <wahrenst(a)gmx.net> net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() Chia-I Wu <olvaffe(a)gmail.com> drm/panthor: validate group queue count Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> mtd: rawnand: nuvoton: Fix an error handling path in ma35_nand_chips_init() Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion FN990A w/audio compositions Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: fix bug in flow control levels init Fabian Vogt <fvogt(a)suse.de> tty: hvc_console: Call hvc_kick in hvc_write unconditionally Paolo Abeni <pabeni(a)redhat.com> Revert "net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups" Antheas Kapenekakis <lkml(a)antheas.dev> Input: xpad - add support for Flydigi Apex 5 Christoffer Sandberg <cs(a)tuxedo.de> Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table Jeff LaBundy <jeff(a)labundy.com> Input: iqs7222 - avoid enabling unused interrupts K Prateek Nayak <kprateek.nayak(a)amd.com> x86/cpu/topology: Always try cpu_parse_topology_ext() on AMD/Hygon Reinette Chatre <reinette.chatre(a)intel.com> fs/resctrl: Eliminate false positive lockdep warning when reading SNC counters Xiongfeng Wang <wangxiongfeng2(a)huawei.com> hrtimers: Unconditionally update target CPU base after offline timer migration Pratap Nirujogi <pratap.nirujogi(a)amd.com> drm/amd/amdgpu: Declare isp firmware binary file Mario Limonciello (AMD) <mario.limonciello(a)amd.com> drm/amd/display: Drop dm_prepare_suspend() and dm_complete() Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Destroy cached state in complete() callback Quanmin Yan <yanquanmin1(a)huawei.com> mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters() Stanislav Fort <stanislav.fort(a)aisle.com> mm/damon/sysfs: fix use-after-free in state_show() Santhosh Kumar K <s-k6(a)ti.com> mtd: spinand: winbond: Fix oob_layout for W25N01JW Miquel Raynal <miquel.raynal(a)bootlin.com> mtd: spinand: winbond: Enable high-speed modes on w25n0xjw Miquel Raynal <miquel.raynal(a)bootlin.com> mtd: spinand: Add a ->configure_chip() hook Max Kellermann <max.kellermann(a)ionos.com> ceph: fix crash after fscrypt_encrypt_pagecache_blocks() error Max Kellermann <max.kellermann(a)ionos.com> ceph: always call ceph_shift_unused_folios_left() Alex Markuze <amarkuze(a)redhat.com> ceph: fix race condition where r_parent becomes stale before sending message Alex Markuze <amarkuze(a)redhat.com> ceph: fix race condition validating r_parent before applying state Ilya Dryomov <idryomov(a)gmail.com> libceph: fix invalid accesses to ceph_connection_v1_info Chen Ridong <chenridong(a)huawei.com> kernfs: Fix UAF in polling when open file is released Qu Wenruo <wqu(a)suse.com> btrfs: fix corruption reading compressed range when block size is smaller than page size Boris Burkov <boris(a)bur.io> btrfs: use readahead_expand() on compressed extents Fangzhi Zuo <Jerry.Zuo(a)amd.com> drm/amd/display: Disable DPCD Probe Quirk Imre Deak <imre.deak(a)intel.com> drm/dp: Add an EDID quirk for the DPCD register access probe Imre Deak <imre.deak(a)intel.com> drm/edid: Add support for quirks visible to DRM core and drivers Imre Deak <imre.deak(a)intel.com> drm/edid: Define the quirks in an enum list Geoffrey McRae <geoffrey.mcrae(a)amd.com> drm/amd/display: remove oem i2c adapter on finish Ovidiu Bunea <ovidiu.bunea(a)amd.com> drm/amd/display: Correct sequences and delays for DCN35 PG & RCG David Rosca <david.rosca(a)amd.com> drm/amdgpu/vcn4: Fix IB parsing with multiple engine info packages David Rosca <david.rosca(a)amd.com> drm/amdgpu/vcn: Allow limiting ctx to instance 0 for AV1 at any time Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: fix a memory leak in fence cleanup when unloading Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe: Block exec and rebind worker while evicting for suspend / hibernate Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe: Allow the pm notifier to continue on failure Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe: Attempt to bring bos back to VRAM after eviction Jani Nikula <jani.nikula(a)intel.com> drm/i915/power: fix size for for_each_set_bit() in abox iteration Johan Hovold <johan(a)kernel.org> drm/mediatek: fix potential OF node use-after-free Quanmin Yan <yanquanmin1(a)huawei.com> mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters() Sang-Heon Jeon <ekffu200098(a)gmail.com> mm/damon/core: set quota->charged_from to jiffies at first charge window Kyle Meyer <kyle.meyer(a)hpe.com> mm/memory-failure: fix redundant updates for already poisoned pages Miaohe Lin <linmiaohe(a)huawei.com> mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory Uladzislau Rezki (Sony) <urezki(a)gmail.com> mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc() Wei Yang <richard.weiyang(a)gmail.com> mm/khugepaged: fix the address passed to notifier on testing young Jeongjun Park <aha310510(a)gmail.com> mm/hugetlb: add missing hugetlb_lock in __unmap_hugepage_range() Miklos Szeredi <mszeredi(a)redhat.com> fuse: prevent overflow in copy_file_range return value Miklos Szeredi <mszeredi(a)redhat.com> fuse: check if copy_file_range() returns larger than requested size Amir Goldstein <amir73il(a)gmail.com> fuse: do not allow mapping a non-regular backing file Christophe Kerello <christophe.kerello(a)foss.st.com> mtd: rawnand: stm32_fmc2: fix ECC overwrite Christophe Kerello <christophe.kerello(a)foss.st.com> mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer Alexander Sverdlin <alexander.sverdlin(a)gmail.com> mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing Paulo Alcantara <pc(a)manguebit.org> smb: client: fix data loss due to broken rename(2) Paulo Alcantara <pc(a)manguebit.org> smb: client: fix compound alignment with encryption Breno Leitao <leitao(a)debian.org> s390: kexec: initialize kexec_buf struct Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: fix 130/1030 configs Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: hibernate: Restrict GFP mask in hibernation_snapshot() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: EM: Add function for registering a PD without capacity update Oleksij Rempel <o.rempel(a)pengutronix.de> net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups Jiawen Wu <jiawenwu(a)trustnetic.com> net: libwx: fix to enable RSS Jonas Jelonek <jelonek.jonas(a)gmail.com> i2c: rtl9300: remove broken SMBus Quick operation support Jonas Jelonek <jelonek.jonas(a)gmail.com> i2c: rtl9300: ensure data length is within supported range Chiasheng Lee <chiasheng.lee(a)linux.intel.com> i2c: i801: Hide Intel Birch Stream SoC TCO WDT Omar Sandoval <osandov(a)fb.com> btrfs: fix subvolume deletion lockup caused by inodes xarray race Boris Burkov <boris(a)bur.io> btrfs: fix squota compressed stats leak Mark Tinguely <mark.tinguely(a)oracle.com> ocfs2: fix recursive semaphore deadlock in fiemap call Matthieu Baerts (NGI0) <matttbe(a)kernel.org> netlink: specs: mptcp: fix if-idx attribute type Matthieu Baerts (NGI0) <matttbe(a)kernel.org> doc: mptcp: net.mptcp.pm_type is deprecated Krister Johansen <kjlx(a)templeofstupid.com> mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN Breno Leitao <leitao(a)debian.org> arm64: kexec: initialize kexec_buf struct in load_other_segments() Nathan Chancellor <nathan(a)kernel.org> compiler-clang.h: define __SANITIZE_*__ macros only when undefined Trond Myklebust <trond.myklebust(a)hammerspace.com> Revert "SUNRPC: Don't allow waiting for exiting tasks" Jonas Jelonek <jelonek.jonas(a)gmail.com> i2c: rtl9300: fix channel number bound check Salah Triki <salah.triki(a)gmail.com> EDAC/altera: Delete an inappropriate dma_free_coherent() call wangzijie <wangzijie1(a)honor.com> proc: fix type confusion in pde_set_flags() Kuniyuki Iwashima <kuniyu(a)google.com> tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. Peilin Ye <yepeilin(a)google.com> bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init() KaFai Wan <kafai.wan(a)linux.dev> bpf: Allow fall back to interpreter for programs with stack size <= 512 Kumar Kartikeya Dwivedi <memxor(a)gmail.com> rqspinlock: Choose trylock fallback for NMI waiters Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> xsk: Fix immature cq descriptor production Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt Mario Limonciello (AMD) <superm1(a)kernel.org> cpufreq/amd-pstate: Fix a regression leading to EPP 0 after resume Thomas Richter <tmricht(a)linux.ibm.com> s390/cpum_cf: Deny all sampling events by counter PMU Thomas Richter <tmricht(a)linux.ibm.com> s390/pai: Deny all events not handled by this PMU Gautham R. Shenoy <gautham.shenoy(a)amd.com> cpufreq/amd-pstate: Fix setting of CPPC.min_perf in active mode for performance governor Jesper Dangaard Brouer <hawk(a)kernel.org> bpf, cpumap: Disable page_pool direct xdp_return need larger scope Pu Lehui <pulehui(a)huawei.com> tracing: Silence warning when chunk allocation fails in trace_pid_write Jonathan Curley <jcurley(a)purestorage.com> NFSv4/flexfiles: Fix layout merge mirror check. Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: nfs_invalidate_folio() must observe the offset and size arguments Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4.2: Serialise O_DIRECT i/o and copy range Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4.2: Serialise O_DIRECT i/o and clone range Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4.2: Serialise O_DIRECT i/o and fallocate() Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Serialise O_DIRECT i/o and truncate() Wang Liang <wangliang74(a)huawei.com> tracing/osnoise: Fix null-ptr-deref in bitmap_parselist() Vladimir Riabchun <ferr.lambarginio(a)gmail.com> ftrace/samples: Fix function size computation Scott Mayhew <smayhew(a)redhat.com> nfs/localio: restore creds before releasing pageio data Luo Gengkun <luogengkun(a)huaweicloud.com> tracing: Fix tracing_marker may trigger page fault during preempt_disable Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Clear NFS_CAP_OPEN_XOR and NFS_CAP_DELEGTIME if not supported Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set Guenter Roeck <linux(a)roeck-us.net> trace/fgraph: Fix error handling Xiao Ni <xni(a)redhat.com> md: keep recovery_cp in mdp_superblock_s Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Don't clear capabilities that won't be reset Justin Worrell <jworrell(a)gmail.com> SUNRPC: call xs_sock_process_cmsg for all cmsg Tigran Mkrtchyan <tigran.mkrtchyan(a)desy.de> flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read Alex Deucher <alexander.deucher(a)amd.com> Revert "drm/amdgpu: Add more checks to PSP mailbox" Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: ISO: Fix getname not returning broadcast fields Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_conn: Fix running bis_cleanup for hci_conn->type PA_LINK Lu Baolu <baolu.lu(a)linux.intel.com> iommu/vt-d: Make iotlb_sync_map a static property of dmar_domain Jason Gunthorpe <jgg(a)ziepe.ca> iommu/vt-d: Split paging_domain_compatible() Jason Gunthorpe <jgg(a)ziepe.ca> iommu/vt-d: Create unique domain ops for each stage Jason Gunthorpe <jgg(a)ziepe.ca> iommu/vt-d: Split intel_iommu_domain_alloc_paging_flags() Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_conn: Fix not cleaning up Broadcaster/Broadcast Source Dan Carpenter <dan.carpenter(a)linaro.org> irqchip/mvebu-gicp: Fix an IS_ERR() vs NULL check in probe() Kan Liang <kan.liang(a)linux.intel.com> perf: Fix the POLL_HUP delivery breakage Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> dma-debug: don't enforce dma mapping check on noncoherent allocations Amir Goldstein <amir73il(a)gmail.com> fhandle: use more consistent rules for decoding file handle from userns Edward Adam Davis <eadavis(a)qq.com> fuse: Block access to folio overlimit Christian Brauner <brauner(a)kernel.org> coredump: don't pointlessly check and spew warnings Christoph Hellwig <hch(a)lst.de> block: don't silently ignore metadata for sync read/write Christoph Hellwig <hch(a)lst.de> fs: add a FMODE_ flag to indicate IOCB_HAS_METADATA availability ------------- Diffstat: .../bindings/serial/brcm,bcm7271-uart.yaml | 2 +- Documentation/netlink/specs/mptcp_pm.yaml | 2 +- Documentation/networking/can.rst | 2 +- Documentation/networking/mptcp.rst | 8 +- Makefile | 4 +- arch/arm64/kernel/machine_kexec_file.c | 2 +- arch/s390/kernel/kexec_elf.c | 2 +- arch/s390/kernel/kexec_image.c | 2 +- arch/s390/kernel/machine_kexec_file.c | 6 +- arch/s390/kernel/perf_cpum_cf.c | 4 +- arch/s390/kernel/perf_pai_crypto.c | 4 +- arch/s390/kernel/perf_pai_ext.c | 2 +- arch/x86/kernel/cpu/topology_amd.c | 25 +- block/fops.c | 13 +- drivers/cpufreq/amd-pstate.c | 19 +- drivers/cpufreq/intel_pstate.c | 4 +- drivers/dma/dw/rzn1-dmamux.c | 15 +- drivers/dma/idxd/init.c | 39 +-- drivers/dma/qcom/bam_dma.c | 8 +- drivers/dma/ti/edma.c | 4 +- drivers/edac/altera_edac.c | 1 - drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 4 - drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h | 11 - drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 2 - drivers/gpu/drm/amd/amdgpu/isp_v4_1_1.c | 2 + drivers/gpu/drm/amd/amdgpu/psp_v10_0.c | 4 +- drivers/gpu/drm/amd/amdgpu/psp_v11_0.c | 31 +-- drivers/gpu/drm/amd/amdgpu/psp_v11_0_8.c | 25 +- drivers/gpu/drm/amd/amdgpu/psp_v12_0.c | 18 +- drivers/gpu/drm/amd/amdgpu/psp_v13_0.c | 25 +- drivers/gpu/drm/amd/amdgpu/psp_v13_0_4.c | 25 +- drivers/gpu/drm/amd/amdgpu/psp_v14_0.c | 25 +- drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 12 +- drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 60 +++-- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 106 +++++---- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 1 + drivers/gpu/drm/amd/display/dc/dc.h | 1 + .../gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c | 74 +++--- .../drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 2 +- .../drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 115 ++------- .../gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c | 3 - .../drm/amd/display/dc/hwss/dcn351/dcn351_init.c | 3 - drivers/gpu/drm/amd/display/dc/inc/hw/pg_cntl.h | 1 + .../drm/amd/display/dc/pg/dcn35/dcn35_pg_cntl.c | 78 +++--- drivers/gpu/drm/display/drm_dp_helper.c | 42 +++- drivers/gpu/drm/drm_edid.c | 232 +++++++++--------- drivers/gpu/drm/i915/display/intel_display_power.c | 6 +- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 11 +- drivers/gpu/drm/panthor/panthor_drv.c | 2 +- drivers/gpu/drm/xe/tests/xe_bo.c | 2 +- drivers/gpu/drm/xe/tests/xe_dma_buf.c | 10 +- drivers/gpu/drm/xe/xe_bo.c | 16 +- drivers/gpu/drm/xe/xe_bo.h | 2 +- drivers/gpu/drm/xe/xe_device_types.h | 6 + drivers/gpu/drm/xe/xe_dma_buf.c | 2 +- drivers/gpu/drm/xe/xe_exec.c | 9 + drivers/gpu/drm/xe/xe_pm.c | 42 +++- drivers/gpu/drm/xe/xe_survivability_mode.c | 3 +- drivers/gpu/drm/xe/xe_vm.c | 42 +++- drivers/gpu/drm/xe/xe_vm.h | 2 + drivers/gpu/drm/xe/xe_vm_types.h | 5 + drivers/i2c/busses/i2c-i801.c | 2 +- drivers/i2c/busses/i2c-rtl9300.c | 22 +- drivers/input/joystick/xpad.c | 2 + drivers/input/misc/iqs7222.c | 3 + drivers/input/serio/i8042-acpipnpio.h | 14 ++ drivers/iommu/intel/cache.c | 5 +- drivers/iommu/intel/iommu.c | 263 ++++++++++++++------- drivers/iommu/intel/iommu.h | 12 + drivers/iommu/intel/nested.c | 4 +- drivers/iommu/intel/svm.c | 1 - drivers/irqchip/irq-mvebu-gicp.c | 2 +- drivers/md/md.c | 6 +- drivers/mtd/nand/raw/atmel/nand-controller.c | 16 +- .../mtd/nand/raw/nuvoton-ma35d1-nand-controller.c | 4 +- drivers/mtd/nand/raw/stm32_fmc2_nand.c | 46 ++-- drivers/mtd/nand/spi/core.c | 18 +- drivers/mtd/nand/spi/winbond.c | 80 ++++++- drivers/net/can/xilinx_can.c | 16 +- drivers/net/dsa/b53/b53_common.c | 17 +- drivers/net/ethernet/freescale/fec_main.c | 3 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +- drivers/net/ethernet/intel/igb/igb_ethtool.c | 5 +- drivers/net/ethernet/intel/igb/igb_main.c | 3 +- drivers/net/ethernet/ti/icssg/icssg_prueth.c | 20 +- drivers/net/ethernet/wangxun/libwx/wx_hw.c | 4 - drivers/net/macsec.c | 1 + drivers/net/phy/phy.c | 12 +- drivers/net/phy/phylink.c | 28 ++- drivers/net/wireless/ath/ath12k/core.h | 1 + drivers/net/wireless/ath/ath12k/dp_mon.c | 22 +- drivers/net/wireless/ath/ath12k/dp_rx.c | 11 +- drivers/net/wireless/ath/ath12k/hw.c | 55 +++++ drivers/net/wireless/ath/ath12k/hw.h | 2 + drivers/net/wireless/ath/ath12k/mac.c | 127 +++++----- drivers/net/wireless/ath/ath12k/peer.c | 2 +- drivers/net/wireless/ath/ath12k/peer.h | 28 +++ drivers/net/wireless/ath/ath12k/wmi.c | 58 ++++- drivers/net/wireless/ath/ath12k/wmi.h | 16 +- drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 26 +- drivers/pci/controller/pci-mvebu.c | 21 +- drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c | 4 +- drivers/phy/qualcomm/phy-qcom-qmp-pcie.c | 25 +- drivers/phy/tegra/xusb-tegra210.c | 6 +- drivers/phy/ti/phy-omap-usb2.c | 13 + drivers/phy/ti/phy-ti-pipe3.c | 13 + drivers/regulator/sy7636a-regulator.c | 7 +- drivers/tty/hvc/hvc_console.c | 6 +- drivers/tty/serial/sc16is7xx.c | 14 +- drivers/usb/gadget/function/f_midi2.c | 11 +- drivers/usb/gadget/udc/dummy_hcd.c | 8 +- drivers/usb/host/xhci-dbgcap.c | 94 +++++--- drivers/usb/host/xhci-mem.c | 2 +- drivers/usb/serial/option.c | 17 ++ drivers/usb/typec/tcpm/tcpm.c | 12 +- fs/btrfs/extent_io.c | 73 +++++- fs/btrfs/inode.c | 12 +- fs/btrfs/qgroup.c | 6 +- fs/ceph/addr.c | 9 +- fs/ceph/debugfs.c | 14 +- fs/ceph/dir.c | 17 +- fs/ceph/file.c | 24 +- fs/ceph/inode.c | 88 +++++-- fs/ceph/mds_client.c | 172 ++++++++------ fs/ceph/mds_client.h | 18 +- fs/coredump.c | 4 + fs/erofs/data.c | 8 +- fs/erofs/fileio.c | 2 +- fs/erofs/fscache.c | 2 +- fs/erofs/inode.c | 8 +- fs/erofs/internal.h | 2 +- fs/erofs/super.c | 16 +- fs/erofs/zdata.c | 17 +- fs/erofs/zmap.c | 98 ++++---- fs/exec.c | 2 +- fs/fhandle.c | 8 + fs/fuse/dev.c | 2 +- fs/fuse/file.c | 5 +- fs/fuse/passthrough.c | 5 + fs/kernfs/file.c | 58 +++-- fs/nfs/client.c | 2 + fs/nfs/file.c | 7 +- fs/nfs/flexfilelayout/flexfilelayout.c | 21 +- fs/nfs/inode.c | 4 +- fs/nfs/internal.h | 10 + fs/nfs/io.c | 13 +- fs/nfs/localio.c | 12 +- fs/nfs/nfs42proc.c | 2 + fs/nfs/nfs4file.c | 2 + fs/nfs/nfs4proc.c | 7 +- fs/nfs/write.c | 1 + fs/ocfs2/extent_map.c | 10 +- fs/proc/generic.c | 3 +- fs/resctrl/ctrlmondata.c | 2 +- fs/resctrl/internal.h | 4 +- fs/resctrl/monitor.c | 6 +- fs/smb/client/cifsglob.h | 13 +- fs/smb/client/file.c | 18 +- fs/smb/client/inode.c | 86 +++++-- fs/smb/client/smb2glob.h | 3 +- fs/smb/client/smb2inode.c | 204 ++++++++++++---- fs/smb/client/smb2ops.c | 32 ++- fs/smb/client/smb2proto.h | 3 + fs/smb/client/trace.h | 9 +- include/drm/display/drm_dp_helper.h | 6 + include/drm/drm_connector.h | 4 +- include/drm/drm_edid.h | 8 + include/linux/compiler-clang.h | 31 ++- include/linux/energy_model.h | 10 + include/linux/fs.h | 3 +- include/linux/kasan.h | 6 +- include/linux/mtd/spinand.h | 8 + include/net/netfilter/nf_tables.h | 11 +- include/net/netfilter/nf_tables_core.h | 49 ++-- include/net/netns/nftables.h | 1 + include/uapi/linux/raid/md_p.h | 2 +- io_uring/rw.c | 3 + kernel/bpf/Makefile | 1 + kernel/bpf/core.c | 16 +- kernel/bpf/cpumap.c | 4 +- kernel/bpf/crypto.c | 2 +- kernel/bpf/helpers.c | 7 +- kernel/bpf/rqspinlock.c | 2 +- kernel/dma/debug.c | 48 +++- kernel/dma/debug.h | 20 ++ kernel/dma/mapping.c | 4 +- kernel/events/core.c | 1 + kernel/power/energy_model.c | 29 ++- kernel/power/hibernate.c | 1 + kernel/time/hrtimer.c | 11 +- kernel/trace/fgraph.c | 3 +- kernel/trace/trace.c | 10 +- kernel/trace/trace_osnoise.c | 3 + mm/damon/core.c | 4 + mm/damon/lru_sort.c | 5 + mm/damon/reclaim.c | 5 + mm/damon/sysfs.c | 14 +- mm/hugetlb.c | 9 +- mm/kasan/shadow.c | 31 ++- mm/khugepaged.c | 4 +- mm/memory-failure.c | 20 +- mm/vmalloc.c | 8 +- net/bluetooth/hci_conn.c | 14 +- net/bluetooth/hci_event.c | 7 +- net/bluetooth/iso.c | 2 +- net/bridge/br.c | 7 + net/can/j1939/bus.c | 5 +- net/can/j1939/j1939-priv.h | 1 + net/can/j1939/main.c | 3 + net/can/j1939/socket.c | 52 ++++ net/ceph/messenger.c | 7 +- net/core/dev_ioctl.c | 22 +- net/hsr/hsr_device.c | 28 ++- net/hsr/hsr_main.c | 4 +- net/hsr/hsr_main.h | 3 + net/ipv4/ip_tunnel_core.c | 6 + net/ipv4/tcp_bpf.c | 5 +- net/mptcp/sockopt.c | 11 +- net/netfilter/nf_tables_api.c | 123 ++++++---- net/netfilter/nft_dynset.c | 5 +- net/netfilter/nft_lookup.c | 67 ++++-- net/netfilter/nft_objref.c | 5 +- net/netfilter/nft_set_bitmap.c | 14 +- net/netfilter/nft_set_hash.c | 54 ++--- net/netfilter/nft_set_pipapo.c | 211 ++++++----------- net/netfilter/nft_set_pipapo_avx2.c | 29 +-- net/netfilter/nft_set_rbtree.c | 46 ++-- net/netlink/genetlink.c | 3 + net/sunrpc/sched.c | 2 - net/sunrpc/xprtsock.c | 6 +- net/xdp/xsk.c | 113 +++++++-- net/xdp/xsk_queue.h | 12 + samples/ftrace/ftrace-direct-modify.c | 2 +- tools/testing/selftests/net/can/config | 3 + 234 files changed, 3151 insertions(+), 1711 deletions(-)

2 days, 7 hours

15
204
0 0

[PATCH v5] mm: Fix possible deadlock in kmemleak

by Gu Bowen

There are some AA deadlock issues in kmemleak, similar to the situation reported by Breno [1]. The deadlock path is as follows: mem_pool_alloc() -> raw_spin_lock_irqsave(&kmemleak_lock, flags); -> pr_warn() -> netconsole subsystem -> netpoll -> __alloc_skb -> __create_object -> raw_spin_lock_irqsave(&kmemleak_lock, flags); To solve this problem, switch to printk_safe mode before printing warning message, this will redirect all printk()-s to a special per-CPU buffer, which will be flushed later from a safe context (irq work), and this deadlock problem can be avoided. The proper API to use should be printk_deferred_enter()/printk_deferred_exit() [2]. Another way is to place the warn print after kmemleak is released. [1] https://lore.kernel.org/all/20250731-kmemleak_lock-v1-1-728fd470198f@debian… [2] https://lore.kernel.org/all/5ca375cd-4a20-4807-b897-68b289626550@redhat.com/ ==================== Signed-off-by: Gu Bowen <gubowen5(a)huawei.com> --- mm/kmemleak.c | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/mm/kmemleak.c b/mm/kmemleak.c index 84265983f239..1ac56ceb29b6 100644 --- a/mm/kmemleak.c +++ b/mm/kmemleak.c @@ -437,9 +437,15 @@ static struct kmemleak_object *__lookup_object(unsigned long ptr, int alias, else if (untagged_objp == untagged_ptr || alias) return object; else { + /* + * Printk deferring due to the kmemleak_lock held. + * This is done to avoid deadlock. + */ + printk_deferred_enter(); kmemleak_warn("Found object by alias at 0x%08lx\n", ptr); dump_object_info(object); + printk_deferred_exit(); break; } } @@ -736,6 +742,11 @@ static int __link_object(struct kmemleak_object *object, unsigned long ptr, else if (untagged_objp + parent->size <= untagged_ptr) link = &parent->rb_node.rb_right; else { + /* + * Printk deferring due to the kmemleak_lock held. + * This is done to avoid deadlock. + */ + printk_deferred_enter(); kmemleak_stop("Cannot insert 0x%lx into the object search tree (overlaps existing)\n", ptr); /* @@ -743,6 +754,7 @@ static int __link_object(struct kmemleak_object *object, unsigned long ptr, * be freed while the kmemleak_lock is held. */ dump_object_info(parent); + printk_deferred_exit(); return -EEXIST; } } @@ -856,13 +868,8 @@ static void delete_object_part(unsigned long ptr, size_t size, raw_spin_lock_irqsave(&kmemleak_lock, flags); object = __find_and_remove_object(ptr, 1, objflags); - if (!object) { -#ifdef DEBUG - kmemleak_warn("Partially freeing unknown object at 0x%08lx (size %zu)\n", - ptr, size); -#endif + if (!object) goto unlock; - } /* * Create one or two objects that may result from the memory block @@ -882,8 +889,14 @@ static void delete_object_part(unsigned long ptr, size_t size, unlock: raw_spin_unlock_irqrestore(&kmemleak_lock, flags); - if (object) + if (object) { __delete_object(object); + } else { +#ifdef DEBUG + kmemleak_warn("Partially freeing unknown object at 0x%08lx (size %zu)\n", + ptr, size); +#endif + } out: if (object_l) -- 2.43.0

2 days, 8 hours

5
5
0 0

New September Order. 73275 Friday, September 19, 2025 at 12:16:32 PM

by Info - Albinayah 293

Hi Stable, Please provide a quote for your products: Include: 1.Pricing (per unit) 2.Delivery cost & timeline 3.Quote expiry date Deadline: September Thanks! Kamal Prasad Albinayah Trading

2 days, 8 hours

1
0
0 0

[PATCH RESEND] scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()

by Thorsten Blum

Replace kmalloc() followed by copy_from_user() with memdup_user() to fix a memory leak that occurs when copy_from_user(buff[sg_used],,) fails and the 'cleanup1:' path does not free the memory for 'buff[sg_used]'. Using memdup_user() avoids this by freeing the memory internally. Since memdup_user() already allocates memory, use kzalloc() in the else branch instead of manually zeroing 'buff[sg_used]' using memset(0). Cc: stable(a)vger.kernel.org Fixes: edd163687ea5 ("[SCSI] hpsa: add driver for HP Smart Array controllers.") Signed-off-by: Thorsten Blum <thorsten.blum(a)linux.dev> --- drivers/scsi/hpsa.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c index c73a71ac3c29..1c6161d0b85c 100644 --- a/drivers/scsi/hpsa.c +++ b/drivers/scsi/hpsa.c @@ -6522,18 +6522,21 @@ static int hpsa_big_passthru_ioctl(struct ctlr_info *h, while (left) { sz = (left > ioc->malloc_size) ? ioc->malloc_size : left; buff_size[sg_used] = sz; - buff[sg_used] = kmalloc(sz, GFP_KERNEL); - if (buff[sg_used] == NULL) { - status = -ENOMEM; - goto cleanup1; - } + if (ioc->Request.Type.Direction & XFER_WRITE) { - if (copy_from_user(buff[sg_used], data_ptr, sz)) { - status = -EFAULT; + buff[sg_used] = memdup_user(data_ptr, sz); + if (IS_ERR(buff[sg_used])) { + status = PTR_ERR(buff[sg_used]); goto cleanup1; } - } else - memset(buff[sg_used], 0, sz); + } else { + buff[sg_used] = kzalloc(sz, GFP_KERNEL); + if (!buff[sg_used]) { + status = -ENOMEM; + goto cleanup1; + } + } + left -= sz; data_ptr += sz; sg_used++; -- 2.51.0

2 days, 9 hours

1
0
0 0

Reminder: 20% Discount on Fruit Attraction 2025 Verified Business Contacts

by Juanita Garcia

Hi, We’re offering verified business contact data for the upcoming Fruit Attraction 2025 (FA), tailored for effective outreach before and after the event. Place:  Madrid, Spain Date:SEP 30 - OCT 02, 2025 Contact Overview: 1,01,351 Attendees 2,179 Exhibiting Companies 6,537 Verified Exhibitor Contacts Total: 107,885 Business Contacts Each entry includes: Name, Job Title, Company, Website, Address, Phone, Official Email, LinkedIn Profile, and more. Get your list in just 48 hours—100% GDPR-compliant Data. If you'd like more details, just reply: “Send me pricing” Best regards, Juanita Garcia Sr. Marketing Manager To opt out reply “Not Interested.”

2 days, 9 hours

1
0
0 0

[PATCH 1/4] locking/spinlock/debug: Fix data-race in do_raw_write_lock

by Boqun Feng

From: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> KCSAN reports: BUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock write (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1: do_raw_write_lock+0x120/0x204 _raw_write_lock_irq do_exit call_usermodehelper_exec_async ret_from_fork read to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0: do_raw_write_lock+0x88/0x204 _raw_write_lock_irq do_exit call_usermodehelper_exec_async ret_from_fork value changed: 0xffffffff -> 0x00000001 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111 Commit 1a365e822372 ("locking/spinlock/debug: Fix various data races") has adressed most of these races, but seems to be not consistent/not complete. From do_raw_write_lock() only debug_write_lock_after() part has been converted to WRITE_ONCE(), but not debug_write_lock_before() part. Do it now. Cc: stable(a)vger.kernel.org Fixes: 1a365e822372 ("locking/spinlock/debug: Fix various data races") Reported-by: Adrian Freihofer <adrian.freihofer(a)siemens.com> Acked-by: Waiman Long <longman(a)redhat.com> Signed-off-by: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> Reviewed-by: Paul E. McKenney <paulmck(a)kernel.org> Signed-off-by: Boqun Feng <boqun.feng(a)gmail.com> --- Notes: SubmissionLink: https://lore.kernel.org/all/20250826102731.52507-1-alexander.sverdlin@sieme… kernel/locking/spinlock_debug.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/locking/spinlock_debug.c b/kernel/locking/spinlock_debug.c index 87b03d2e41db..2338b3adfb55 100644 --- a/kernel/locking/spinlock_debug.c +++ b/kernel/locking/spinlock_debug.c @@ -184,8 +184,8 @@ void do_raw_read_unlock(rwlock_t *lock) static inline void debug_write_lock_before(rwlock_t *lock) { RWLOCK_BUG_ON(lock->magic != RWLOCK_MAGIC, lock, "bad magic"); - RWLOCK_BUG_ON(lock->owner == current, lock, "recursion"); - RWLOCK_BUG_ON(lock->owner_cpu == raw_smp_processor_id(), + RWLOCK_BUG_ON(READ_ONCE(lock->owner) == current, lock, "recursion"); + RWLOCK_BUG_ON(READ_ONCE(lock->owner_cpu) == raw_smp_processor_id(), lock, "cpu recursion"); } -- 2.51.0

2 days, 9 hours

1
0
0 0

[PATCH iwl-net v1 0/4] ixgbe/ixgbevf: fix PF/VF communication issues

by Jedrzej Jagielski

Within two-step API update let's provide 2 new MBX operations: 1) request PF's link state (speed & up/down) - as legacy approach became obsolete for new E610 adapter and link state data can't be correctly provided - increasing API to 1.6 2) ask PF about supported features - for some time there is quite a mess in negotiating API versions caused by too loose approach in adding new specific (not supported by all of the drivers capable of linking with ixgbevf) feature and corresponding API versions. Now list of supported features is provided by MBX operation - increasing API to 1.7 Jedrzej Jagielski (4): ixgbevf: fix getting link speed data for E610 devices ixgbe: handle IXGBE_VF_GET_PF_LINK_STATE mailbox operation ixgbevf: fix mailbox API compatibility by negotiating supported features ixgbe: handle IXGBE_VF_FEATURES_NEGOTIATE mbox cmd drivers/net/ethernet/intel/ixgbe/ixgbe_mbx.h | 15 ++ .../net/ethernet/intel/ixgbe/ixgbe_sriov.c | 79 ++++++++ drivers/net/ethernet/intel/ixgbevf/defines.h | 1 + drivers/net/ethernet/intel/ixgbevf/ipsec.c | 10 + drivers/net/ethernet/intel/ixgbevf/ixgbevf.h | 7 + .../net/ethernet/intel/ixgbevf/ixgbevf_main.c | 34 +++- drivers/net/ethernet/intel/ixgbevf/mbx.h | 8 + drivers/net/ethernet/intel/ixgbevf/vf.c | 182 +++++++++++++++--- drivers/net/ethernet/intel/ixgbevf/vf.h | 1 + 9 files changed, 304 insertions(+), 33 deletions(-) -- 2.31.1

2 days, 10 hours

3
9
0 0

Re: [PATCH v2] arm64: dts: qcom: sdm845-shift-axolotl: Fix typo of compatible

by Joel Selvaraj

Hi Luca Weiss and Tamura Dai, On 9/12/25 02:24, Luca Weiss wrote: > Hi Tamura, > > On Fri Sep 12, 2025 at 9:01 AM CEST, Tamura Dai wrote: >> The bug is a typo in the compatible string for the touchscreen node. >> According to Documentation/devicetree/bindings/input/touchscreen/edt-ft5x06.yaml, >> the correct compatible is "focaltech,ft8719", but the device tree used >> "focaltech,fts8719". > > +Joel > > I don't think this patch is really correct, in the sdm845-mainline fork > there's a different commit which has some more changes to make the > touchscreen work: > > https://gitlab.com/sdm845-mainline/linux/-/commit/2ca76ac2e046158814b043fd4… Yes, this patch is not correct. My commit from the gitlab repo is the correct one. But I personally don't have the shiftmq6 device to smoke test before sending the patch. That's why I was hesitant to send it upstream. I have now requested someone to confirm if the touchscreen works with my gitlab commit. If if its all good, I will send the correct patch later. Regards, Joel

2 days, 10 hours

2
1
0 0

[PATCH rtw v4 2/4] wifi: rtw89: fix tx_wait initialization race

by Fedor Pchelkin

Now that nullfunc skbs are recycled in a separate work item in the driver, the following race during initialization and processing of those skbs might lead to noticeable bugs: Waiting thread Completing thread rtw89_core_send_nullfunc() rtw89_core_tx_write_link() ... rtw89_pci_txwd_submit() skb_data->wait = NULL /* add skb to the queue */ skb_queue_tail(&txwd->queue, skb) rtw89_pci_napi_poll() ... rtw89_pci_release_txwd_skb() /* get skb from the queue */ skb_unlink(skb, &txwd->queue) rtw89_pci_tx_status() rtw89_core_tx_wait_complete() /* use incorrect skb_data->wait */ rtw89_core_tx_kick_off_and_wait() /* assign skb_data->wait but too late */ The value of skb_data->wait indicates whether skb is passed on to the core ieee80211 stack or released by the driver itself. So assure that by the time skb is added to txwd queue and becomes visible to the completing side, it has already allocated tx_wait-related data (in case it's needed). Found by Linux Verification Center (linuxtesting.org). Fixes: 1ae5ca615285 ("wifi: rtw89: add function to wait for completion of TX skbs") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- v4: - use wiphy_dereference (Zong-Zhe) - move wait->skb assignment place drivers/net/wireless/realtek/rtw89/core.c | 35 ++++++++++++++--------- drivers/net/wireless/realtek/rtw89/pci.c | 2 -- 2 files changed, 21 insertions(+), 16 deletions(-) diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c index 438930b65631..1efe4bb09262 100644 --- a/drivers/net/wireless/realtek/rtw89/core.c +++ b/drivers/net/wireless/realtek/rtw89/core.c @@ -1094,22 +1094,13 @@ int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *sk int qsel, unsigned int timeout) { struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); - struct rtw89_tx_wait_info *wait; + struct rtw89_tx_wait_info *wait = wiphy_dereference(rtwdev->hw->wiphy, + skb_data->wait); unsigned long time_left; int ret = 0; lockdep_assert_wiphy(rtwdev->hw->wiphy); - wait = kzalloc(sizeof(*wait), GFP_KERNEL); - if (!wait) { - rtw89_core_tx_kick_off(rtwdev, qsel); - return 0; - } - - init_completion(&wait->completion); - wait->skb = skb; - rcu_assign_pointer(skb_data->wait, wait); - rtw89_core_tx_kick_off(rtwdev, qsel); time_left = wait_for_completion_timeout(&wait->completion, msecs_to_jiffies(timeout)); @@ -1171,10 +1162,12 @@ int rtw89_h2c_tx(struct rtw89_dev *rtwdev, static int rtw89_core_tx_write_link(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rtwvif_link, struct rtw89_sta_link *rtwsta_link, - struct sk_buff *skb, int *qsel, bool sw_mld) + struct sk_buff *skb, int *qsel, bool sw_mld, + struct rtw89_tx_wait_info *wait) { struct ieee80211_sta *sta = rtwsta_link_to_sta_safe(rtwsta_link); struct ieee80211_vif *vif = rtwvif_link_to_vif(rtwvif_link); + struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); struct rtw89_vif *rtwvif = rtwvif_link->rtwvif; struct rtw89_core_tx_request tx_req = {}; int ret; @@ -1191,6 +1184,8 @@ static int rtw89_core_tx_write_link(struct rtw89_dev *rtwdev, rtw89_core_tx_update_desc_info(rtwdev, &tx_req); rtw89_core_tx_wake(rtwdev, &tx_req); + rcu_assign_pointer(skb_data->wait, wait); + ret = rtw89_hci_tx_write(rtwdev, &tx_req); if (ret) { rtw89_err(rtwdev, "failed to transmit skb to HCI\n"); @@ -1227,7 +1222,8 @@ int rtw89_core_tx_write(struct rtw89_dev *rtwdev, struct ieee80211_vif *vif, } } - return rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, qsel, false); + return rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, qsel, false, + NULL); } static __le32 rtw89_build_txwd_body0(struct rtw89_tx_desc_info *desc_info) @@ -3425,6 +3421,7 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt struct ieee80211_vif *vif = rtwvif_link_to_vif(rtwvif_link); int link_id = ieee80211_vif_is_mld(vif) ? rtwvif_link->link_id : -1; struct rtw89_sta_link *rtwsta_link; + struct rtw89_tx_wait_info *wait; struct ieee80211_sta *sta; struct ieee80211_hdr *hdr; struct rtw89_sta *rtwsta; @@ -3434,6 +3431,12 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt if (vif->type != NL80211_IFTYPE_STATION || !vif->cfg.assoc) return 0; + wait = kzalloc(sizeof(*wait), GFP_KERNEL); + if (!wait) + return -ENOMEM; + + init_completion(&wait->completion); + rcu_read_lock(); sta = ieee80211_find_sta(vif, vif->cfg.ap_addr); if (!sta) { @@ -3448,6 +3451,8 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt goto out; } + wait->skb = skb; + hdr = (struct ieee80211_hdr *)skb->data; if (ps) hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM); @@ -3458,7 +3463,8 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt goto out; } - ret = rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, &qsel, true); + ret = rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, &qsel, true, + wait); if (ret) { rtw89_warn(rtwdev, "nullfunc transmit failed: %d\n", ret); dev_kfree_skb_any(skb); @@ -3471,6 +3477,7 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt timeout); out: rcu_read_unlock(); + kfree(wait); return ret; } diff --git a/drivers/net/wireless/realtek/rtw89/pci.c b/drivers/net/wireless/realtek/rtw89/pci.c index 4e3034b44f56..cb9682f306a6 100644 --- a/drivers/net/wireless/realtek/rtw89/pci.c +++ b/drivers/net/wireless/realtek/rtw89/pci.c @@ -1372,7 +1372,6 @@ static int rtw89_pci_txwd_submit(struct rtw89_dev *rtwdev, struct pci_dev *pdev = rtwpci->pdev; struct sk_buff *skb = tx_req->skb; struct rtw89_pci_tx_data *tx_data = RTW89_PCI_TX_SKB_CB(skb); - struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); bool en_wd_info = desc_info->en_wd_info; u32 txwd_len; u32 txwp_len; @@ -1388,7 +1387,6 @@ static int rtw89_pci_txwd_submit(struct rtw89_dev *rtwdev, } tx_data->dma = dma; - rcu_assign_pointer(skb_data->wait, NULL); txwp_len = sizeof(*txwp_info); txwd_len = chip->txwd_body_size; -- 2.51.0

2 days, 10 hours

2
5
0 0

[PATCH v2] iommu/amd/pgtbl: Fix possible race while increase page table level

by Vasant Hegde

The AMD IOMMU host page table implementation supports dynamic page table levels (up to 6 levels), starting with a 3-level configuration that expands based on IOVA address. The kernel maintains a root pointer and current page table level to enable proper page table walks in alloc_pte()/fetch_pte() operations. The IOMMU IOVA allocator initially starts with 32-bit address and onces its exhuasted it switches to 64-bit address (max address is determined based on IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU driver increases page table level. But in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads pgtable->[root/mode] without lock. So its possible that in exteme corner case, when increase_address_space() is updating pgtable->[root/mode], fetch_pte() reads wrong page table level (pgtable->mode). It does compare the value with level encoded in page table and returns NULL. This will result is iommu_unmap ops to fail and upper layer may retry/log WARN_ON. CPU 0 CPU 1 ------ ------ map pages unmap pages alloc_pte() -> increase_address_space() iommu_v1_unmap_pages() -> fetch_pte() pgtable->root = pte (new root value) READ pgtable->[mode/root] Reads new root, old mode Updates mode (pgtable->mode += 1) Since Page table level updates are infrequent and already synchronized with a spinlock, implement seqcount to enable lock-free read operations on the read path. Fixes: 754265bcab7 ("iommu/amd: Fix race in increase_address_space()") Reported-by: Alejandro Jimenez <alejandro.j.jimenez(a)oracle.com> Cc: stable(a)vger.kernel.org Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com> Signed-off-by: Vasant Hegde <vasant.hegde(a)amd.com> --- drivers/iommu/amd/amd_iommu_types.h | 1 + drivers/iommu/amd/io_pgtable.c | 25 +++++++++++++++++++++---- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/drivers/iommu/amd/amd_iommu_types.h b/drivers/iommu/amd/amd_iommu_types.h index 5219d7ddfdaa..95f63c5f6159 100644 --- a/drivers/iommu/amd/amd_iommu_types.h +++ b/drivers/iommu/amd/amd_iommu_types.h @@ -555,6 +555,7 @@ struct gcr3_tbl_info { }; struct amd_io_pgtable { + seqcount_t seqcount; /* Protects root/mode update */ struct io_pgtable pgtbl; int mode; u64 *root; diff --git a/drivers/iommu/amd/io_pgtable.c b/drivers/iommu/amd/io_pgtable.c index a91e71f981ef..70c2f5b1631b 100644 --- a/drivers/iommu/amd/io_pgtable.c +++ b/drivers/iommu/amd/io_pgtable.c @@ -17,6 +17,7 @@ #include <linux/slab.h> #include <linux/types.h> #include <linux/dma-mapping.h> +#include <linux/seqlock.h> #include <asm/barrier.h> @@ -130,8 +131,11 @@ static bool increase_address_space(struct amd_io_pgtable *pgtable, *pte = PM_LEVEL_PDE(pgtable->mode, iommu_virt_to_phys(pgtable->root)); + write_seqcount_begin(&pgtable->seqcount); pgtable->root = pte; pgtable->mode += 1; + write_seqcount_end(&pgtable->seqcount); + amd_iommu_update_and_flush_device_table(domain); pte = NULL; @@ -153,6 +157,7 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, { unsigned long last_addr = address + (page_size - 1); struct io_pgtable_cfg *cfg = &pgtable->pgtbl.cfg; + unsigned int seqcount; int level, end_lvl; u64 *pte, *page; @@ -170,8 +175,14 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, } - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + + address = PAGE_SIZE_ALIGN(address, page_size); end_lvl = PAGE_SIZE_LEVEL(page_size); @@ -249,6 +260,7 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, unsigned long *page_size) { int level; + unsigned int seqcount; u64 *pte; *page_size = 0; @@ -256,8 +268,12 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, if (address > PM_LEVEL_SIZE(pgtable->mode)) return NULL; - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + *page_size = PTE_LEVEL_PAGE_SIZE(level); while (level > 0) { @@ -541,6 +557,7 @@ static struct io_pgtable *v1_alloc_pgtable(struct io_pgtable_cfg *cfg, void *coo if (!pgtable->root) return NULL; pgtable->mode = PAGE_MODE_3_LEVEL; + seqcount_init(&pgtable->seqcount); cfg->pgsize_bitmap = amd_iommu_pgsize_bitmap; cfg->ias = IOMMU_IN_ADDR_BIT_SIZE; -- 2.31.1

2 days, 11 hours

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror September 2025