- Linux-stable-mirror - lists.linaro.org

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.28 release. There are 164 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 09 May 2025 18:37:41 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.28-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.28-rc1 Chris Bainbridge <chris.bainbridge(a)gmail.com> drm/amd/display: Fix slab-use-after-free in hdcp Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp Shyam Saini <shyamsaini(a)linux.microsoft.com> drivers: base: handle module_kobject creation Shyam Saini <shyamsaini(a)linux.microsoft.com> kernel: globalize lookup_or_create_module_kobject() Shyam Saini <shyamsaini(a)linux.microsoft.com> kernel: param: rename locate_module_kobject Christian Hewitt <christianshewitt(a)gmail.com> Revert "drm/meson: vclk: fix calculation of 59.94 fractional rates" Christian Bruel <christian.bruel(a)foss.st.com> arm64: dts: st: Use 128kB size for aliased GIC400 register access on stm32mp25 SoCs Christian Bruel <christian.bruel(a)foss.st.com> arm64: dts: st: Adjust interrupt-controller for stm32mp25 SoCs Sébastien Szymanski <sebastien.szymanski(a)armadeus.com> ARM: dts: opos6ul: add ksz8081 phy properties Richard Zhu <hongxing.zhu(a)nxp.com> arm64: dts: imx95: Correct the range of PCIe app-reg region Sudeep Holla <sudeep.holla(a)arm.com> firmware: arm_ffa: Skip Rx buffer ownership release if not acquired Cristian Marussi <cristian.marussi(a)arm.com> firmware: arm_scmi: Balance device refcount when destroying devices Niranjana Vishwanathapura <niranjana.vishwanathapura(a)intel.com> drm/xe: Ensure fixed_slice_mode gets set after ccs_mode change Cong Wang <xiyou.wangcong(a)gmail.com> sch_ets: make est_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_qfq: make qfq_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_hfsc: make hfsc_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_drr: make drr_qlen_notify() idempotent Cong Wang <xiyou.wangcong(a)gmail.com> sch_htb: make htb_qlen_notify() idempotent Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Add handling of VPU_JSM_STATUS_MVNCI_CONTEXT_VIOLATION_HW Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Fix locking order in ivpu_job_submit Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Abort all jobs after command queue unregister Andrzej Kacprowski <Andrzej.Kacprowski(a)intel.com> accel/ivpu: Update VPU FW API headers Andrew Kreimer <algonell(a)gmail.com> accel/ivpu: Fix a typo Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Use xa_alloc_cyclic() instead of custom function Tomasz Rusinowicz <tomasz.rusinowicz(a)intel.com> accel/ivpu: Make DB_ID and JOB_ID allocations incremental Pranjal Shrivastava <praan(a)google.com> net: Fix the devmem sock opts and msgs for parisc Alan Huang <mmpgouride(a)gmail.com> bcachefs: Remove incorrect __counted_by annotation Zhenhua Huang <quic_zhenhuah(a)quicinc.com> mm, slab: clean up slab->obj_exts always Daniel Wagner <wagi(a)kernel.org> blk-mq: create correct map for fallback case Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix RX error handling Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Add range check for CMD_RTS Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix LEN_MASK Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix possible stuck of SPI interrupt Jian Shen <shenjian15(a)huawei.com> net: hns3: defer calling ptp_clock_register() Hao Lan <lanhao(a)huawei.com> net: hns3: fixed debugfs tm_qset size Yonglong Liu <liuyonglong(a)huawei.com> net: hns3: fix an interrupt residual problem Jian Shen <shenjian15(a)huawei.com> net: hns3: store rx VLAN tag offload state for VF Sathesh B Edara <sedara(a)marvell.com> octeon_ep: Fix host hang issue during device reboot Mattias Barthel <mattias.barthel(a)atlascopco.com> net: fec: ERR007885 Workaround for conventional TX Thangaraj Samynathan <thangaraj.s(a)microchip.com> net: lan743x: Fix memleak issue when GSO enabled Sagi Maimon <sagi.maimon(a)adtran.com> ptp: ocp: Fix NULL dereference in Adva board SMA sysfs operations Jibin Zhang <jibin.zhang(a)mediatek.com> net: use sock_gen_put() when sk_state is TCP_TIME_WAIT Vadim Fedorenko <vadim.fedorenko(a)linux.dev> bnxt_en: fix module unload sequence Alexander Stein <alexander.stein(a)ew.tq-group.com> ASoC: simple-card-utils: Fix pointer check in graph_util_parse_link_direction Alistair Francis <alistair.francis(a)wdc.com> nvmet-tcp: select CONFIG_TLS from CONFIG_NVME_TARGET_TCP_TLS Alistair Francis <alistair23(a)gmail.com> nvme-tcp: select CONFIG_TLS from CONFIG_NVME_TCP_TLS Michael Liang <mliang(a)purestorage.com> nvme-tcp: fix premature queue removal and I/O failover Michael Chan <michael.chan(a)broadcom.com> bnxt_en: Fix ethtool -d byte order for 32-bit values Shruti Parab <shruti.parab(a)broadcom.com> bnxt_en: Fix out-of-bound memcpy() during ethtool -w Shruti Parab <shruti.parab(a)broadcom.com> bnxt_en: Fix coredump logic to free allocated buffer Kashyap Desai <kashyap.desai(a)broadcom.com> bnxt_en: call pci_alloc_irq_vectors() after bnxt_reserve_rings() Somnath Kotur <somnath.kotur(a)broadcom.com> bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan() Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> bnxt_en: Fix ethtool selftest output in one of the failure cases Shravya KN <shravya.k-n(a)broadcom.com> bnxt_en: Fix error handling path in bnxt_init_chip() Takashi Iwai <tiwai(a)suse.de> ALSA: hda/realtek: Fix built-mic regression on other ASUS models Felix Fietkau <nbd(a)nbd.name> net: ipv6: fix UDPv6 GSO segmentation with NAT Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: felix: fix broken taprio gate states after clock jump Chad Monroe <chad(a)monroe.io> net: ethernet: mtk_eth_soc: fix SER panic with 4GB+ RAM Jacob Keller <jacob.e.keller(a)intel.com> igc: fix lock order in igc_ptp_reset Larysa Zaremba <larysa.zaremba(a)intel.com> idpf: protect shutdown from reset Michal Swiatkowski <michal.swiatkowski(a)linux.intel.com> idpf: fix potential memory leak on kcalloc() failure Da Xue <da(a)libre.computer> net: mdio: mux-meson-gxl: set reversed bit when using internal phy Simon Horman <horms(a)kernel.org> net: dlink: Correct endianness handling of led_mode Russell Cloran <rcloran(a)gmail.com> drm/mipi-dbi: Fix blanking for non-16 bit formats Maxime Ripard <mripard(a)kernel.org> drm/tests: shmem: Fix memleak Keith Busch <kbusch(a)kernel.org> nvme-pci: fix queue unquiesce check on slot_reset Takashi Iwai <tiwai(a)suse.de> ALSA: ump: Fix buffer overflow at UMP SysEx message conversion Keoseong Park <keosung.park(a)samsung.com> scsi: ufs: core: Remove redundant query_complete trace Madhu Chittim <madhu.chittim(a)intel.com> idpf: fix offloads support for encapsulated packets Xuanqiang Luo <luoxuanqiang(a)kylinos.cn> ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() Victor Nogueira <victor(a)mojatatu.com> net_sched: qfq: Fix double list add in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: ets: Fix double list add in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: drr: Fix double list add in class with netem as child qdisc Shannon Nelson <shannon.nelson(a)amd.com> pds_core: remove write-after-free of client_id Shannon Nelson <shannon.nelson(a)amd.com> pds_core: specify auxiliary_device to be created Shannon Nelson <shannon.nelson(a)amd.com> pds_core: make pdsc_auxbus_dev_del() void Daniel Golle <daniel(a)makrotopia.org> net: ethernet: mtk_eth_soc: sync mtk_clks_source_name array Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> net: ethernet: mtk-star-emac: rearm interrupts in rx_poll only when advised Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll Justin Lai <justinlai0215(a)realtek.com> rtase: Modify the condition used to detect overflow in rtase_calc_time_mitigation Vadim Fedorenko <vadim.fedorenko(a)linux.dev> bnxt_en: improve TX timestamping FIFO configuration Sathesh B Edara <sedara(a)marvell.com> octeon_ep_vf: Resolve netdevice usage count issue Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: delete PVID VLAN when readding it as non-PVID Pauli Virtanen <pav(a)iki.fi> Bluetooth: L2CAP: copy RX timestamp to new fragments Kiran K <kiran.k(a)intel.com> Bluetooth: btintel_pcie: Add additional to checks to clear TX/RX paths En-Wei Wu <en-wei.wu(a)canonical.com> Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue() Kiran K <kiran.k(a)intel.com> Bluetooth: btintel_pcie: Avoid redundant buffer allocation Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_conn: Fix not setting timeout for BIG Create Sync Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_conn: Fix not setting conn_timeout for Broadcast Receiver Iulia Tanasescu <iulia.tanasescu(a)nxp.com> Bluetooth: hci_conn: Remove alloc from critical section Venkata Prasad Potturu <venkataprasad.potturu(a)amd.com> ASoC: amd: acp: Fix NULL pointer deref in acp_i2s_set_tdm_slot Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Correct DCT interrupt handling Chris Mi <cmi(a)nvidia.com> net/mlx5: E-switch, Fix error handling for enabling roce Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5e: Fix lock order in mlx5e_tx_reporter_ptpsq_unhealthy_recover Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: TC, Continue the attr process even if encap entry is invalid Maor Gottlieb <maorg(a)nvidia.com> net/mlx5: E-Switch, Initialize MAC Address for Default GID Vlad Dogaru <vdogaru(a)nvidia.com> net/mlx5e: Use custom tunnel header for vxlan gbp e.kubanski <e.kubanski(a)partner.samsung.com> xsk: Fix race condition in AF_XDP generic RX path Ido Schimmel <idosch(a)nvidia.com> vxlan: vnifilter: Fix unlocked deletion of default FDB entry Madhavan Srinivasan <maddy(a)linux.ibm.com> powerpc/boot: Fix dash warning Murad Masimov <m.masimov(a)mt-integration.ru> wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: fix the check for the SCRATCH register upon resume Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: don't warn if the NIC is gone in resume Chen Linxuan <chenlinxuan(a)uniontech.com> drm/i915/pxp: fix undefined reference to `intel_pxp_gsccs_is_ready_for_sessions' Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Enable speaker for HP platform Chenyuan Yang <chenyuan0y(a)gmail.com> ASoC: Intel: sof_sdw: Add NULL check in asoc_sdw_rt_dmic_rtd_init() Madhavan Srinivasan <maddy(a)linux.ibm.com> powerpc/boot: Check for ld-option support Hui Wang <hui.wang(a)canonical.com> pinctrl: imx: Return NULL if no group is matched and found Donet Tom <donettom(a)linux.ibm.com> book3s64/radix : Align section vmemmap start address to PAGE_SIZE Sheetal <sheetal(a)nvidia.com> ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: cs-amp-lib-test: Don't select SND_SOC_CS_AMP_LIB Geert Uytterhoeven <geert+renesas(a)glider.be> ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties Leo Li <sunpeng.li(a)amd.com> drm/amd/display: Default IPS to RCG_IN_ACTIVE_IPS2_IN_OFF Jeongjun Park <aha310510(a)gmail.com> tracing: Fix oob write in trace_seq_to_buffer() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Fix setting policy limits when frequency tables are used Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: Avoid using inconsistent policy->min and policy->max Jethro Donaldson <devel(a)jro.nz> smb: client: fix zero length for mkdir POSIX create context Sean Heelan <seanheelan(a)gmail.com> ksmbd: fix use-after-free in session logoff Sean Heelan <seanheelan(a)gmail.com> ksmbd: fix use-after-free in kerberos authentication Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix use-after-free in ksmbd_session_rpc_open Shouye Liu <shouyeliu(a)tencent.com> platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU hotplug Mario Limonciello <mario.limonciello(a)amd.com> platform/x86/amd: pmc: Require at least 2.5 seconds between HW sleep cycles Nicolin Chen <nicolinc(a)nvidia.com> iommu: Fix two issues in iommu_copy_struct_from_user() Mingcong Bai <jeffbai(a)aosc.io> iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57) Balbir Singh <balbirs(a)nvidia.com> iommu/arm-smmu-v3: Fix pgsize_bit for sva domains Nicolin Chen <nicolinc(a)nvidia.com> iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream ids Pavel Paklov <Pavel.Paklov(a)cyberprotect.ru> iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid Janne Grunau <j(a)jannau.net> drm: Select DRM_KMS_HELPER from DRM_DEBUG_DP_MST_TOPOLOGY_REFS Lijo Lazar <lijo.lazar(a)amd.com> drm/amdgpu: Fix offset for HDP remap in nbio v7.11 Benjamin Marzinski <bmarzins(a)redhat.com> dm: always update the array size in realloc_argv on success Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: fix a warning on invalid table line LongPing Wei <weilongping(a)oppo.com> dm-bufio: don't schedule in atomic context Ard Biesheuvel <ardb(a)kernel.org> x86/boot/sev: Support memory acceptance in the EFI stub under SVSM Wentao Liang <vulab(a)iscas.ac.cn> wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() Steven Rostedt <rostedt(a)goodmis.org> tracing: Do not take trace_event_sem in print_event_fields() Aaron Kling <webgeek1234(a)gmail.com> spi: tegra114: Don't fail set_cs_timing when delays are zero Ruslan Piasetskyi <ruslan.piasetskyi(a)gmail.com> mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe Wei Yang <richard.weiyang(a)gmail.com> mm/memblock: repeat setting reserved region nid if array is doubled Wei Yang <richard.weiyang(a)gmail.com> mm/memblock: pass size instead of end to memblock_set_node() Stephan Gerhold <stephan.gerhold(a)linaro.org> irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs Vishal Badole <Vishal.Badole(a)amd.com> amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload Sean Christopherson <seanjc(a)google.com> perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value. Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel: Only check the group flag for X86 leader Helge Deller <deller(a)gmx.de> parisc: Fix double SIGFPE crash Will Deacon <will(a)kernel.org> arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays Clark Wang <xiaoning.wang(a)nxp.com> i2c: imx-lpi2c: Fix clock count when probe defers Niravkumar L Rabara <niravkumar.l.rabara(a)altera.com> EDAC/altera: Set DDR and SDMMC interrupt mask before registration Niravkumar L Rabara <niravkumar.l.rabara(a)altera.com> EDAC/altera: Test the correct error reg offset Philipp Stanner <phasta(a)kernel.org> drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/fdinfo: Protect against driver unbind Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode Dave Chen <davechen(a)synology.com> btrfs: fix COW handling in run_delalloc_nocow() Josef Bacik <josef(a)toxicpanda.com> btrfs: adjust subpage bit start based on sectorsize Carlos Llamas <cmllamas(a)google.com> binder: fix offset calculation in debug log Joachim Priesner <joachim.priesner(a)web.de> ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset Geoffrey D. Bennett <g(a)b4.vu> ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface() Christian Heusel <christian(a)heusel.eu> Revert "rndis_host: Flag RNDIS modems as WWAN devices" Zijun Hu <quic_zijuhu(a)quicinc.com> Bluetooth: btusb: Add 13 USB device IDs for Qualcomm WCN785x Dorian Cruveiller <doriancruveiller(a)gmail.com> Bluetooth: btusb: Add new VID/PID for WCN785x Mark Dietzer <git(a)doridian.net> Bluetooth: btusb: Add ID 0x2c7c:0x0130 for Qualcomm WCN785x Zijun Hu <quic_zijuhu(a)quicinc.com> Bluetooth: btusb: Add one more ID 0x13d3:0x3623 for Qualcomm WCN785x Zijun Hu <quic_zijuhu(a)quicinc.com> Bluetooth: btusb: Add one more ID 0x0489:0xe0f3 for Qualcomm WCN785x Aaron Ma <aaron.ma(a)canonical.com> Bluetooth: btusb: add Foxconn 0xe0fc for Qualcomm WCN785x ------------- Diffstat: Makefile | 4 +- .../boot/dts/nxp/imx/imx6ul-imx6ull-opos6ul.dtsi | 3 + arch/arm64/boot/dts/freescale/imx95.dtsi | 8 +- arch/arm64/boot/dts/st/stm32mp251.dtsi | 9 +- arch/arm64/kernel/proton-pack.c | 2 + arch/parisc/include/uapi/asm/socket.h | 10 +- arch/parisc/math-emu/driver.c | 16 +- arch/powerpc/boot/wrapper | 6 +- arch/powerpc/mm/book3s64/radix_pgtable.c | 17 +- arch/x86/boot/compressed/mem.c | 5 +- arch/x86/boot/compressed/sev.c | 40 +++ arch/x86/boot/compressed/sev.h | 2 + arch/x86/events/core.c | 2 +- arch/x86/events/intel/core.c | 2 +- arch/x86/events/perf_event.h | 9 +- block/blk-mq-cpumap.c | 3 +- drivers/accel/ivpu/ivpu_drv.c | 38 +-- drivers/accel/ivpu/ivpu_drv.h | 9 + drivers/accel/ivpu/ivpu_hw_btrs.h | 2 +- drivers/accel/ivpu/ivpu_job.c | 125 ++++++--- drivers/accel/ivpu/ivpu_job.h | 1 + drivers/accel/ivpu/ivpu_jsm_msg.c | 3 +- drivers/accel/ivpu/ivpu_mmu.c | 3 +- drivers/accel/ivpu/ivpu_pm.c | 18 +- drivers/accel/ivpu/ivpu_sysfs.c | 5 +- drivers/accel/ivpu/vpu_boot_api.h | 45 +-- drivers/accel/ivpu/vpu_jsm_api.h | 303 ++++++++++++++++++--- drivers/android/binder.c | 2 +- drivers/base/module.c | 13 +- drivers/bluetooth/btintel_pcie.c | 57 ++-- drivers/bluetooth/btusb.c | 137 ++++++++-- drivers/cpufreq/cpufreq.c | 42 ++- drivers/cpufreq/cpufreq_ondemand.c | 3 +- drivers/cpufreq/freq_table.c | 6 +- drivers/cpufreq/intel_pstate.c | 3 + drivers/edac/altera_edac.c | 9 +- drivers/edac/altera_edac.h | 2 + drivers/firmware/arm_ffa/driver.c | 3 +- drivers/firmware/arm_scmi/bus.c | 3 + drivers/gpu/drm/Kconfig | 2 +- drivers/gpu/drm/amd/amdgpu/nbio_v7_11.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 20 -- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 56 ++-- drivers/gpu/drm/drm_file.c | 6 + drivers/gpu/drm/drm_mipi_dbi.c | 6 +- drivers/gpu/drm/i915/pxp/intel_pxp_gsccs.h | 8 +- drivers/gpu/drm/meson/meson_vclk.c | 6 +- drivers/gpu/drm/nouveau/nouveau_fence.c | 2 +- drivers/gpu/drm/tests/drm_gem_shmem_test.c | 3 + drivers/gpu/drm/xe/xe_hw_engine.c | 12 +- drivers/i2c/busses/i2c-imx-lpi2c.c | 4 +- drivers/iommu/amd/init.c | 8 + drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c | 6 + drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 19 +- drivers/iommu/intel/iommu.c | 4 +- drivers/irqchip/irq-qcom-mpm.c | 3 + drivers/md/dm-bufio.c | 9 +- drivers/md/dm-integrity.c | 2 +- drivers/md/dm-table.c | 5 +- drivers/mmc/host/renesas_sdhi_core.c | 10 +- drivers/net/dsa/ocelot/felix_vsc9959.c | 5 +- drivers/net/ethernet/amd/pds_core/auxbus.c | 39 ++- drivers/net/ethernet/amd/pds_core/core.h | 7 +- drivers/net/ethernet/amd/pds_core/devlink.c | 7 +- drivers/net/ethernet/amd/pds_core/main.c | 11 +- drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 9 +- drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 24 +- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 11 +- drivers/net/ethernet/amd/xgbe/xgbe.h | 4 + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 18 +- drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c | 30 +- drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 38 ++- drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c | 29 +- drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.h | 1 + drivers/net/ethernet/dlink/dl2k.c | 2 +- drivers/net/ethernet/dlink/dl2k.h | 2 +- drivers/net/ethernet/freescale/fec_main.c | 7 +- drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 2 +- drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 82 +++--- .../net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 13 +- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 25 +- .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h | 1 + drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c | 5 + drivers/net/ethernet/intel/idpf/idpf.h | 18 +- drivers/net/ethernet/intel/idpf/idpf_lib.c | 76 ++---- drivers/net/ethernet/intel/idpf/idpf_main.c | 1 + drivers/net/ethernet/intel/igc/igc_ptp.c | 6 +- .../net/ethernet/marvell/octeon_ep/octep_main.c | 2 +- .../ethernet/marvell/octeon_ep_vf/octep_vf_main.c | 4 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 18 +- drivers/net/ethernet/mediatek/mtk_star_emac.c | 13 +- .../ethernet/mellanox/mlx5/core/en/reporter_tx.c | 6 +- .../ethernet/mellanox/mlx5/core/en/tc_tun_vxlan.c | 32 ++- drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 5 +- .../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 5 +- drivers/net/ethernet/mellanox/mlx5/core/rdma.c | 11 +- drivers/net/ethernet/mellanox/mlx5/core/rdma.h | 4 +- drivers/net/ethernet/microchip/lan743x_main.c | 8 +- drivers/net/ethernet/microchip/lan743x_main.h | 1 + drivers/net/ethernet/mscc/ocelot.c | 6 + drivers/net/ethernet/realtek/rtase/rtase_main.c | 4 +- drivers/net/ethernet/vertexcom/mse102x.c | 36 ++- drivers/net/mdio/mdio-mux-meson-gxl.c | 3 +- drivers/net/usb/rndis_host.c | 16 +- drivers/net/vxlan/vxlan_vnifilter.c | 8 +- .../net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 6 +- drivers/net/wireless/intel/iwlwifi/iwl-csr.h | 1 + drivers/net/wireless/intel/iwlwifi/iwl-trans.c | 1 - drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 24 +- drivers/net/wireless/intel/iwlwifi/pcie/internal.h | 9 +- drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 13 +- drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 2 +- drivers/net/wireless/purelifi/plfxlc/mac.c | 1 - drivers/nvme/host/Kconfig | 1 + drivers/nvme/host/pci.c | 2 +- drivers/nvme/host/tcp.c | 31 ++- drivers/nvme/target/Kconfig | 1 + drivers/pinctrl/freescale/pinctrl-imx.c | 6 +- drivers/platform/x86/amd/pmc/pmc.c | 7 +- .../x86/intel/uncore-frequency/uncore-frequency.c | 13 +- drivers/ptp/ptp_ocp.c | 52 +++- drivers/spi/spi-tegra114.c | 6 +- drivers/ufs/core/ufshcd.c | 2 - fs/bcachefs/xattr_format.h | 8 +- fs/btrfs/extent_io.c | 2 +- fs/btrfs/inode.c | 9 +- fs/smb/client/smb2pdu.c | 1 + fs/smb/server/auth.c | 14 +- fs/smb/server/mgmt/user_session.c | 20 +- fs/smb/server/mgmt/user_session.h | 1 + fs/smb/server/smb2pdu.c | 9 - include/linux/cpufreq.h | 83 ++++-- include/linux/iommu.h | 8 +- include/linux/module.h | 2 + include/net/bluetooth/hci.h | 4 +- include/net/bluetooth/hci_core.h | 20 +- include/net/bluetooth/hci_sync.h | 3 + include/net/xdp_sock.h | 3 - include/net/xsk_buff_pool.h | 2 + include/sound/ump_convert.h | 2 +- kernel/params.c | 6 +- kernel/trace/trace.c | 5 +- kernel/trace/trace_output.c | 4 +- mm/memblock.c | 12 +- mm/slub.c | 27 +- net/bluetooth/hci_conn.c | 189 +------------ net/bluetooth/hci_event.c | 15 +- net/bluetooth/hci_sync.c | 150 +++++++++- net/bluetooth/iso.c | 26 +- net/bluetooth/l2cap_core.c | 3 + net/ipv4/tcp_offload.c | 2 +- net/ipv4/udp_offload.c | 61 ++++- net/ipv6/tcpv6_offload.c | 2 +- net/sched/sch_drr.c | 16 +- net/sched/sch_ets.c | 17 +- net/sched/sch_hfsc.c | 10 +- net/sched/sch_htb.c | 2 + net/sched/sch_qfq.c | 18 +- net/xdp/xsk.c | 6 +- net/xdp/xsk_buff_pool.c | 1 + sound/pci/hda/patch_realtek.c | 20 +- sound/soc/amd/acp/acp-i2s.c | 2 +- sound/soc/codecs/Kconfig | 5 +- sound/soc/generic/simple-card-utils.c | 4 +- sound/soc/sdw_utils/soc_sdw_rt_dmic.c | 2 + sound/soc/soc-core.c | 32 +-- sound/soc/soc-pcm.c | 5 +- sound/usb/endpoint.c | 7 + sound/usb/format.c | 3 +- 169 files changed, 1851 insertions(+), 988 deletions(-)

1 day, 4 hours

10
173
0 0

[PATCH v3 0/4]{topost} dma-mapping: benchmark: Add support for dma_map_sg

by Qinxin Xia

Modify the framework to adapt to more map modes, add benchmark support for dma_map_sg, and add support sg map mode in ioctl. The result: [root@localhost]# ./dma_map_benchmark -m 1 -g 8 -t 8 -s 30 -d 2 dma mapping mode: DMA_MAP_SG_MODE dma mapping benchmark: threads:8 seconds:30 node:-1 dir:FROM_DEVICE granule/sg_nents: 8 average map latency(us):1.4 standard deviation:0.3 average unmap latency(us):1.3 standard deviation:0.3 [root@localhost]# ./dma_map_benchmark -m 0 -g 8 -t 8 -s 30 -d 2 dma mapping mode: DMA_MAP_SINGLE_MODE dma mapping benchmark: threads:8 seconds:30 node:-1 dir:FROM_DEVICE granule/sg_nents: 8 average map latency(us):1.0 standard deviation:0.3 average unmap latency(us):1.3 standard deviation:0.5 --- Changes since V2: - Address the comments from Barry and ALOK, some commit information and function input parameter names are modified to make them more accurate. - Link: https://lore.kernel.org/all/20250506030100.394376-1-xiaqinxin@huawei.com/ Changes since V1: - Address the comments from Barry, added some comments and changed the unmap type to void. - Link: https://lore.kernel.org/lkml/20250212022718.1995504-1-xiaqinxin@huawei.com/ Qinxin Xia (4): dma-mapping: benchmark: Add padding to ensure uABI remained consistent dma-mapping: benchmark: modify the framework to adapt to more map modes dma-mapping: benchmark: add support for dma_map_sg selftests/dma: Add dma_map_sg support include/linux/map_benchmark.h | 46 +++- kernel/dma/map_benchmark.c | 225 ++++++++++++++++-- .../testing/selftests/dma/dma_map_benchmark.c | 16 +- 3 files changed, 252 insertions(+), 35 deletions(-) -- 2.33.0

1 day, 5 hours

3
7
0 0

[PATCH v3 0/4] clk: qcom: Add camera clock controller support for sc8180x

by Satya Priya Kakitapalli

This series adds support for camera clock controller base driver, bindings and DT support on sc8180x platform. Signed-off-by: Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com> --- Changes in v3: - Drop Fixes tag in patch [1/4]. Dropped unused gpu_iref and aggre_ufs_card_2 clk bindings. - Move the allOf block below required block in bindings patch. - Remove the unused cam_cc_parent_data_7 and cam_cc_parent_map_7 in the driver patch. Reported by kernel test bot. - Link to v2: https://lore.kernel.org/r/20250430-sc8180x-camcc-support-v2-0-6bbb514f467c@… Changes in v2: - New patch [1/4] to add all the missing gcc bindings along with the required GCC_CAMERA_AHB_CLOCK - As per Konrad's comments, add the camera AHB clock dependency in the DT and yaml bindings. - As per Vladimir's comments, update the Kconfig to add the SC8180X config in correct alphanumerical order. - Link to v1: https://lore.kernel.org/r/20250422-sc8180x-camcc-support-v1-0-691614d13f06@… --- Satya Priya Kakitapalli (4): dt-bindings: clock: qcom: Add missing bindings on gcc-sc8180x dt-bindings: clock: Add Qualcomm SC8180X Camera clock controller clk: qcom: camcc-sc8180x: Add SC8180X camera clock controller driver arm64: dts: qcom: Add camera clock controller for sc8180x .../bindings/clock/qcom,sc8180x-camcc.yaml | 67 + arch/arm64/boot/dts/qcom/sc8180x.dtsi | 14 + drivers/clk/qcom/Kconfig | 10 + drivers/clk/qcom/Makefile | 1 + drivers/clk/qcom/camcc-sc8180x.c | 2889 ++++++++++++++++++++ include/dt-bindings/clock/qcom,gcc-sc8180x.h | 10 + include/dt-bindings/clock/qcom,sc8180x-camcc.h | 181 ++ 7 files changed, 3172 insertions(+) --- base-commit: bc8aa6cdadcc00862f2b5720e5de2e17f696a081 change-id: 20250422-sc8180x-camcc-support-9a82507d2a39 Best regards, -- Satya Priya Kakitapalli <quic_skakitap(a)quicinc.com>

1 day, 5 hours

2
2
0 0

[PATCH 5.10.y 1/2] usb: typec: fix potential array underflow in ucsi_ccg_sync_control()

by bin.lan.cn＠windriver.com

From: Dan Carpenter <dan.carpenter(a)linaro.org> [ Upstream commit e56aac6e5a25630645607b6856d4b2a17b2311a5 ] The "command" variable can be controlled by the user via debugfs. The worry is that if con_index is zero then "&uc->ucsi->connector[con_index - 1]" would be an array underflow. Fixes: 170a6726d0e2 ("usb: typec: ucsi: add support for separate DP altmode devices") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://lore.kernel.org/r/c69ef0b3-61b0-4dde-98dd-97b97f81d912@stanley.moun… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [The function ucsi_ccg_sync_write() is renamed to ucsi_ccg_sync_control() in commit 13f2ec3115c8 ("usb: typec: ucsi:simplify command sending API"). Apply this patch to ucsi_ccg_sync_write() in 5.10.y accordingly.] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- drivers/usb/typec/ucsi/ucsi_ccg.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/usb/typec/ucsi/ucsi_ccg.c b/drivers/usb/typec/ucsi/ucsi_ccg.c index fb6211efb5d8..3983bf21a580 100644 --- a/drivers/usb/typec/ucsi/ucsi_ccg.c +++ b/drivers/usb/typec/ucsi/ucsi_ccg.c @@ -573,6 +573,10 @@ static int ucsi_ccg_sync_write(struct ucsi *ucsi, unsigned int offset, uc->has_multiple_dp) { con_index = (uc->last_cmd_sent >> 16) & UCSI_CMD_CONNECTOR_MASK; + if (con_index == 0) { + ret = -EINVAL; + goto unlock; + } con = &uc->ucsi->connector[con_index - 1]; ucsi_ccg_update_set_new_cam_cmd(uc, con, (u64 *)val); } @@ -588,6 +592,7 @@ static int ucsi_ccg_sync_write(struct ucsi *ucsi, unsigned int offset, err_clear_bit: clear_bit(DEV_CMD_PENDING, &uc->flags); pm_runtime_put_sync(uc->dev); +unlock: mutex_unlock(&uc->lock); return ret; -- 2.34.1

1 day, 5 hours

1
1
0 0

[PATCH 5.15.y 1/2] usb: typec: fix potential array underflow in ucsi_ccg_sync_control()

by bin.lan.cn＠windriver.com

From: Dan Carpenter <dan.carpenter(a)linaro.org> [ Upstream commit e56aac6e5a25630645607b6856d4b2a17b2311a5 ] The "command" variable can be controlled by the user via debugfs. The worry is that if con_index is zero then "&uc->ucsi->connector[con_index - 1]" would be an array underflow. Fixes: 170a6726d0e2 ("usb: typec: ucsi: add support for separate DP altmode devices") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://lore.kernel.org/r/c69ef0b3-61b0-4dde-98dd-97b97f81d912@stanley.moun… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [The function ucsi_ccg_sync_write() is renamed to ucsi_ccg_sync_control() in commit 13f2ec3115c8 ("usb: typec: ucsi:simplify command sending API"). Apply this patch to ucsi_ccg_sync_write() in 5.15.y accordingly.] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- drivers/usb/typec/ucsi/ucsi_ccg.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/usb/typec/ucsi/ucsi_ccg.c b/drivers/usb/typec/ucsi/ucsi_ccg.c index fb6211efb5d8..3983bf21a580 100644 --- a/drivers/usb/typec/ucsi/ucsi_ccg.c +++ b/drivers/usb/typec/ucsi/ucsi_ccg.c @@ -573,6 +573,10 @@ static int ucsi_ccg_sync_write(struct ucsi *ucsi, unsigned int offset, uc->has_multiple_dp) { con_index = (uc->last_cmd_sent >> 16) & UCSI_CMD_CONNECTOR_MASK; + if (con_index == 0) { + ret = -EINVAL; + goto unlock; + } con = &uc->ucsi->connector[con_index - 1]; ucsi_ccg_update_set_new_cam_cmd(uc, con, (u64 *)val); } @@ -588,6 +592,7 @@ static int ucsi_ccg_sync_write(struct ucsi *ucsi, unsigned int offset, err_clear_bit: clear_bit(DEV_CMD_PENDING, &uc->flags); pm_runtime_put_sync(uc->dev); +unlock: mutex_unlock(&uc->lock); return ret; -- 2.34.1

1 day, 5 hours

1
1
0 0

FAILED: patch "[PATCH] mm, slab: clean up slab->obj_exts always" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x be8250786ca94952a19ce87f98ad9906448bc9ef # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025050521-crispy-study-e836@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From be8250786ca94952a19ce87f98ad9906448bc9ef Mon Sep 17 00:00:00 2001 From: Zhenhua Huang <quic_zhenhuah(a)quicinc.com> Date: Mon, 21 Apr 2025 15:52:32 +0800 Subject: [PATCH] mm, slab: clean up slab->obj_exts always When memory allocation profiling is disabled at runtime or due to an error, shutdown_mem_profiling() is called: slab->obj_exts which previously allocated remains. It won't be cleared by unaccount_slab() because of mem_alloc_profiling_enabled() not true. It's incorrect, slab->obj_exts should always be cleaned up in unaccount_slab() to avoid following error: [...]BUG: Bad page state in process... .. [...]page dumped because: page still charged to cgroup [andriy.shevchenko(a)linux.intel.com: fold need_slab_obj_ext() into its only user] Fixes: 21c690a349ba ("mm: introduce slabobj_ext to support slab object extensions") Cc: stable(a)vger.kernel.org Signed-off-by: Zhenhua Huang <quic_zhenhuah(a)quicinc.com> Acked-by: David Rientjes <rientjes(a)google.com> Acked-by: Harry Yoo <harry.yoo(a)oracle.com> Tested-by: Harry Yoo <harry.yoo(a)oracle.com> Acked-by: Suren Baghdasaryan <surenb(a)google.com> Link: https://patch.msgid.link/20250421075232.2165527-1-quic_zhenhuah@quicinc.com Signed-off-by: Vlastimil Babka <vbabka(a)suse.cz> diff --git a/mm/slub.c b/mm/slub.c index dc9e729e1d26..be8b09e09d30 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -2028,8 +2028,7 @@ int alloc_slab_obj_exts(struct slab *slab, struct kmem_cache *s, return 0; } -/* Should be called only if mem_alloc_profiling_enabled() */ -static noinline void free_slab_obj_exts(struct slab *slab) +static inline void free_slab_obj_exts(struct slab *slab) { struct slabobj_ext *obj_exts; @@ -2049,18 +2048,6 @@ static noinline void free_slab_obj_exts(struct slab *slab) slab->obj_exts = 0; } -static inline bool need_slab_obj_ext(void) -{ - if (mem_alloc_profiling_enabled()) - return true; - - /* - * CONFIG_MEMCG creates vector of obj_cgroup objects conditionally - * inside memcg_slab_post_alloc_hook. No other users for now. - */ - return false; -} - #else /* CONFIG_SLAB_OBJ_EXT */ static inline void init_slab_obj_exts(struct slab *slab) @@ -2077,11 +2064,6 @@ static inline void free_slab_obj_exts(struct slab *slab) { } -static inline bool need_slab_obj_ext(void) -{ - return false; -} - #endif /* CONFIG_SLAB_OBJ_EXT */ #ifdef CONFIG_MEM_ALLOC_PROFILING @@ -2129,7 +2111,7 @@ __alloc_tagging_slab_alloc_hook(struct kmem_cache *s, void *object, gfp_t flags) static inline void alloc_tagging_slab_alloc_hook(struct kmem_cache *s, void *object, gfp_t flags) { - if (need_slab_obj_ext()) + if (mem_alloc_profiling_enabled()) __alloc_tagging_slab_alloc_hook(s, object, flags); } @@ -2601,8 +2583,12 @@ static __always_inline void account_slab(struct slab *slab, int order, static __always_inline void unaccount_slab(struct slab *slab, int order, struct kmem_cache *s) { - if (memcg_kmem_online() || need_slab_obj_ext()) - free_slab_obj_exts(slab); + /* + * The slab object extensions should now be freed regardless of + * whether mem_alloc_profiling_enabled() or not because profiling + * might have been disabled after slab->obj_exts got allocated. + */ + free_slab_obj_exts(slab); mod_node_page_state(slab_pgdat(slab), cache_vmstat_idx(s), -(PAGE_SIZE << order));

1 day, 5 hours

4
6
0 0

[PATCH 6.1.y 1/2] usb: typec: fix potential array underflow in ucsi_ccg_sync_control()

by bin.lan.cn＠windriver.com

From: Dan Carpenter <dan.carpenter(a)linaro.org> [ Upstream commit e56aac6e5a25630645607b6856d4b2a17b2311a5 ] The "command" variable can be controlled by the user via debugfs. The worry is that if con_index is zero then "&uc->ucsi->connector[con_index - 1]" would be an array underflow. Fixes: 170a6726d0e2 ("usb: typec: ucsi: add support for separate DP altmode devices") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://lore.kernel.org/r/c69ef0b3-61b0-4dde-98dd-97b97f81d912@stanley.moun… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [The function ucsi_ccg_sync_write() is renamed to ucsi_ccg_sync_control() in commit 13f2ec3115c8 ("usb: typec: ucsi:simplify command sending API"). Apply this patch to ucsi_ccg_sync_write() in 6.1.y accordingly.] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Build test passed. --- drivers/usb/typec/ucsi/ucsi_ccg.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/usb/typec/ucsi/ucsi_ccg.c b/drivers/usb/typec/ucsi/ucsi_ccg.c index 8e500fe41e78..4801d783bd0c 100644 --- a/drivers/usb/typec/ucsi/ucsi_ccg.c +++ b/drivers/usb/typec/ucsi/ucsi_ccg.c @@ -585,6 +585,10 @@ static int ucsi_ccg_sync_write(struct ucsi *ucsi, unsigned int offset, uc->has_multiple_dp) { con_index = (uc->last_cmd_sent >> 16) & UCSI_CMD_CONNECTOR_MASK; + if (con_index == 0) { + ret = -EINVAL; + goto unlock; + } con = &uc->ucsi->connector[con_index - 1]; ucsi_ccg_update_set_new_cam_cmd(uc, con, (u64 *)val); } @@ -600,6 +604,7 @@ static int ucsi_ccg_sync_write(struct ucsi *ucsi, unsigned int offset, err_clear_bit: clear_bit(DEV_CMD_PENDING, &uc->flags); pm_runtime_put_sync(uc->dev); +unlock: mutex_unlock(&uc->lock); return ret; -- 2.34.1

1 day, 5 hours

1
1
0 0

[PATCH 5.10.y/5.15.y] ELF: fix kernel.randomize_va_space double read

by Feng Liu

From: Alexey Dobriyan <adobriyan(a)gmail.com> [ Upstream commit 2a97388a807b6ab5538aa8f8537b2463c6988bd2 ] ELF loader uses "randomize_va_space" twice. It is sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences. Issue exactly one load for consistent value across one exec. Signed-off-by: Alexey Dobriyan <adobriyan(a)gmail.com> Link: https://lore.kernel.org/r/3329905c-7eb8-400a-8f0a-d87cff979b5b@p183 Signed-off-by: Kees Cook <kees(a)kernel.org> Signed-off-by: Feng Liu <Feng.Liu3(a)windriver.com> Signed-off-by: He Zhe <Zhe.He(a)windriver.com> --- Verified the build test. --- fs/binfmt_elf.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 11dc833ca2c4..a1f0dff2f818 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -1008,7 +1008,8 @@ static int load_elf_binary(struct linux_binprm *bprm) if (elf_read_implies_exec(*elf_ex, executable_stack)) current->personality |= READ_IMPLIES_EXEC; - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) + const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space); + if (!(current->personality & ADDR_NO_RANDOMIZE) && snapshot_randomize_va_space) current->flags |= PF_RANDOMIZE; setup_new_exec(bprm); @@ -1278,7 +1279,7 @@ static int load_elf_binary(struct linux_binprm *bprm) mm->end_data = end_data; mm->start_stack = bprm->p; - if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) { + if ((current->flags & PF_RANDOMIZE) && (snapshot_randomize_va_space > 1)) { /* * For architectures with ELF randomization, when executing * a loader directly (i.e. no interpreter listed in ELF -- 2.34.1

1 day, 5 hours

1
0
0 0

[PATCH] memblock: Accept allocated memory before use in memblock_double_array()

by Tom Lendacky

When increasing the array size in memblock_double_array() and the slab is not yet available, a call to memblock_find_in_range() is used to reserve/allocate memory. However, the range returned may not have been accepted, which can result in a crash when booting an SNP guest: RIP: 0010:memcpy_orig+0x68/0x130 Code: ... RSP: 0000:ffffffff9cc03ce8 EFLAGS: 00010006 RAX: ff11001ff83e5000 RBX: 0000000000000000 RCX: fffffffffffff000 RDX: 0000000000000bc0 RSI: ffffffff9dba8860 RDI: ff11001ff83e5c00 RBP: 0000000000002000 R08: 0000000000000000 R09: 0000000000002000 R10: 000000207fffe000 R11: 0000040000000000 R12: ffffffff9d06ef78 R13: ff11001ff83e5000 R14: ffffffff9dba7c60 R15: 0000000000000c00 memblock_double_array+0xff/0x310 memblock_add_range+0x1fb/0x2f0 memblock_reserve+0x4f/0xa0 memblock_alloc_range_nid+0xac/0x130 memblock_alloc_internal+0x53/0xc0 memblock_alloc_try_nid+0x3d/0xa0 swiotlb_init_remap+0x149/0x2f0 mem_init+0xb/0xb0 mm_core_init+0x8f/0x350 start_kernel+0x17e/0x5d0 x86_64_start_reservations+0x14/0x30 x86_64_start_kernel+0x92/0xa0 secondary_startup_64_no_verify+0x194/0x19b Mitigate this by calling accept_memory() on the memory range returned before the slab is available. Prior to v6.12, the accept_memory() interface used a 'start' and 'end' parameter instead of 'start' and 'size', therefore the accept_memory() call must be adjusted to specify 'start + size' for 'end' when applying to kernels prior to v6.12. Cc: <stable(a)vger.kernel.org> # see patch description, needs adjustments for <= 6.11 Fixes: dcdfdd40fa82 ("mm: Add support for unaccepted memory") Signed-off-by: Tom Lendacky <thomas.lendacky(a)amd.com> --- mm/memblock.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/mm/memblock.c b/mm/memblock.c index 0a53db4d9f7b..30fa553e9634 100644 --- a/mm/memblock.c +++ b/mm/memblock.c @@ -457,7 +457,14 @@ static int __init_memblock memblock_double_array(struct memblock_type *type, min(new_area_start, memblock.current_limit), new_alloc_size, PAGE_SIZE); - new_array = addr ? __va(addr) : NULL; + if (addr) { + /* The memory may not have been accepted, yet. */ + accept_memory(addr, new_alloc_size); + + new_array = __va(addr); + } else { + new_array = NULL; + } } if (!addr) { pr_err("memblock: Failed to double %s array from %ld to %ld entries !\n", base-commit: fc96b232f8e7c0a6c282f47726b2ff6a5fb341d2 -- 2.46.2

1 day, 5 hours

2
1
0 0

[PATCH 6.1.y] f2fs: fix to cover read extent cache access with lock

by jianqi.ren.cn＠windriver.com

From: Chao Yu <chao(a)kernel.org> [ Upstream commit d7409b05a64f212735f0d33f5f1602051a886eab ] syzbot reports a f2fs bug as below: BUG: KASAN: slab-use-after-free in sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46 Read of size 4 at addr ffff8880739ab220 by task syz-executor200/5097 CPU: 0 PID: 5097 Comm: syz-executor200 Not tainted 6.9.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46 do_read_inode fs/f2fs/inode.c:509 [inline] f2fs_iget+0x33e1/0x46e0 fs/f2fs/inode.c:560 f2fs_nfs_get_inode+0x74/0x100 fs/f2fs/super.c:3237 generic_fh_to_dentry+0x9f/0xf0 fs/libfs.c:1413 exportfs_decode_fh_raw+0x152/0x5f0 fs/exportfs/expfs.c:444 exportfs_decode_fh+0x3c/0x80 fs/exportfs/expfs.c:584 do_handle_to_path fs/fhandle.c:155 [inline] handle_to_path fs/fhandle.c:210 [inline] do_handle_open+0x495/0x650 fs/fhandle.c:226 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f We missed to cover sanity_check_extent_cache() w/ extent cache lock, so, below race case may happen, result in use after free issue. - f2fs_iget - do_read_inode - f2fs_init_read_extent_tree : add largest extent entry in to cache - shrink - f2fs_shrink_read_extent_tree - __shrink_extent_tree - __detach_extent_node : drop largest extent entry - sanity_check_extent_cache : access et->largest w/o lock let's refactor sanity_check_extent_cache() to avoid extent cache access and call it before f2fs_init_read_extent_tree() to fix this issue. Reported-by: syzbot+74ebe2104433e9dc610d(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-f2fs-devel/00000000000009beea061740a531@googl… Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> [Minor conflict resolved due to code context change.] Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- fs/f2fs/extent_cache.c | 45 ++++++++++++++++++++---------------------- fs/f2fs/f2fs.h | 2 +- fs/f2fs/inode.c | 8 ++++---- 3 files changed, 26 insertions(+), 29 deletions(-) diff --git a/fs/f2fs/extent_cache.c b/fs/f2fs/extent_cache.c index f13143efc4b1..d7202de5401e 100644 --- a/fs/f2fs/extent_cache.c +++ b/fs/f2fs/extent_cache.c @@ -15,26 +15,23 @@ #include "node.h" #include <trace/events/f2fs.h> -bool sanity_check_extent_cache(struct inode *inode) +bool sanity_check_extent_cache(struct inode *inode, struct page *ipage) { struct f2fs_sb_info *sbi = F2FS_I_SB(inode); - struct f2fs_inode_info *fi = F2FS_I(inode); - struct extent_info *ei; + struct f2fs_extent *i_ext = &F2FS_INODE(ipage)->i_ext; + struct extent_info ei; - if (!fi->extent_tree[EX_READ]) - return true; + get_read_extent_info(&ei, i_ext); - ei = &fi->extent_tree[EX_READ]->largest; + if (!ei.len) + return true; - if (ei->len && - (!f2fs_is_valid_blkaddr(sbi, ei->blk, - DATA_GENERIC_ENHANCE) || - !f2fs_is_valid_blkaddr(sbi, ei->blk + ei->len - 1, - DATA_GENERIC_ENHANCE))) { - set_sbi_flag(sbi, SBI_NEED_FSCK); + if (!f2fs_is_valid_blkaddr(sbi, ei.blk, DATA_GENERIC_ENHANCE) || + !f2fs_is_valid_blkaddr(sbi, ei.blk + ei.len - 1, + DATA_GENERIC_ENHANCE)) { f2fs_warn(sbi, "%s: inode (ino=%lx) extent info [%u, %u, %u] is incorrect, run fsck to fix", __func__, inode->i_ino, - ei->blk, ei->fofs, ei->len); + ei.blk, ei.fofs, ei.len); return false; } return true; @@ -444,24 +441,22 @@ void f2fs_init_read_extent_tree(struct inode *inode, struct page *ipage) if (!__may_extent_tree(inode, EX_READ)) { /* drop largest read extent */ - if (i_ext && i_ext->len) { + if (i_ext->len) { f2fs_wait_on_page_writeback(ipage, NODE, true, true); i_ext->len = 0; set_page_dirty(ipage); } - goto out; + set_inode_flag(inode, FI_NO_EXTENT); + return; } et = __grab_extent_tree(inode, EX_READ); - if (!i_ext || !i_ext->len) - goto out; - get_read_extent_info(&ei, i_ext); write_lock(&et->lock); - if (atomic_read(&et->node_cnt)) - goto unlock_out; + if (atomic_read(&et->node_cnt) || !ei.len) + goto skip; en = __attach_extent_node(sbi, et, &ei, NULL, &et->root.rb_root.rb_node, true); @@ -473,11 +468,13 @@ void f2fs_init_read_extent_tree(struct inode *inode, struct page *ipage) list_add_tail(&en->list, &eti->extent_list); spin_unlock(&eti->extent_lock); } -unlock_out: +skip: + /* Let's drop, if checkpoint got corrupted. */ + if (f2fs_cp_error(sbi)) { + et->largest.len = 0; + et->largest_updated = true; + } write_unlock(&et->lock); -out: - if (!F2FS_I(inode)->extent_tree[EX_READ]) - set_inode_flag(inode, FI_NO_EXTENT); } void f2fs_init_extent_tree(struct inode *inode) diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h index 840a45855451..c9f401b5c706 100644 --- a/fs/f2fs/f2fs.h +++ b/fs/f2fs/f2fs.h @@ -4130,7 +4130,7 @@ void f2fs_leave_shrinker(struct f2fs_sb_info *sbi); /* * extent_cache.c */ -bool sanity_check_extent_cache(struct inode *inode); +bool sanity_check_extent_cache(struct inode *inode, struct page *ipage); struct rb_entry *f2fs_lookup_rb_tree(struct rb_root_cached *root, struct rb_entry *cached_re, unsigned int ofs); struct rb_node **f2fs_lookup_rb_tree_for_insert(struct f2fs_sb_info *sbi, diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c index b8296b0414fc..b4aa0b88e668 100644 --- a/fs/f2fs/inode.c +++ b/fs/f2fs/inode.c @@ -448,15 +448,15 @@ static int do_read_inode(struct inode *inode) init_idisk_time(inode); - /* Need all the flag bits */ - f2fs_init_read_extent_tree(inode, node_page); - - if (!sanity_check_extent_cache(inode)) { + if (!sanity_check_extent_cache(inode, node_page)) { f2fs_put_page(node_page, 1); f2fs_handle_error(sbi, ERROR_CORRUPTED_INODE); return -EFSCORRUPTED; } + /* Need all the flag bits */ + f2fs_init_read_extent_tree(inode, node_page); + f2fs_put_page(node_page, 1); stat_inc_inline_xattr(inode); -- 2.34.1

1 day, 9 hours

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror