- Linux-stable-mirror - lists.linaro.org

[PATCH 1/2] Revert "usb: gadget: u_serial: Add null pointer check in gs_start_io"

by Kuen-Han Tsai

This reverts commit ffd603f214237e250271162a5b325c6199a65382. Commit ffd603f21423 ("usb: gadget: u_serial: Add null pointer check in gs_start_io") adds null pointer checks at the beginning of the gs_start_io() function to prevent a null pointer dereference. However, these checks are redundant because the function's comment already requires callers to hold the port_lock and ensure port.tty and port_usb are not null. All existing callers already follow these rules. The true cause of the null pointer dereference is a race condition. When gs_start_io() calls either gs_start_rx() or gs_start_tx(), the port_lock is temporarily released for usb_ep_queue(). This allows port.tty and port_usb to be cleared. Cc: stable(a)vger.kernel.org Fixes: ffd603f21423 ("usb: gadget: u_serial: Add null pointer check in gs_start_io") Signed-off-by: Kuen-Han Tsai <khtsai(a)google.com> --- drivers/usb/gadget/function/u_serial.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/drivers/usb/gadget/function/u_serial.c b/drivers/usb/gadget/function/u_serial.c index ab544f6824be..c043bdc30d8a 100644 --- a/drivers/usb/gadget/function/u_serial.c +++ b/drivers/usb/gadget/function/u_serial.c @@ -544,20 +544,16 @@ static int gs_alloc_requests(struct usb_ep *ep, struct list_head *head, static int gs_start_io(struct gs_port *port) { struct list_head *head = &port->read_pool; - struct usb_ep *ep; + struct usb_ep *ep = port->port_usb->out; int status; unsigned started; - if (!port->port_usb || !port->port.tty) - return -EIO; - /* Allocate RX and TX I/O buffers. We can't easily do this much * earlier (with GFP_KERNEL) because the requests are coupled to * endpoints, as are the packet sizes we'll be using. Different * configurations may use different endpoints with a given port; * and high speed vs full speed changes packet sizes too. */ - ep = port->port_usb->out; status = gs_alloc_requests(ep, head, gs_read_complete, &port->read_allocated); if (status) -- 2.50.0.rc2.692.g299adb8693-goog

10 minutes

2
3
0 0

[PATCH v7 0/4] media: pisp-be: Split jobs creation and scheduling

by Jacopo Mondi

Currently the 'pispbe_schedule()' function does two things: 1) Tries to assemble a job by inspecting all the video node queues to make sure all the required buffers are available 2) Submit the job to the hardware The pispbe_schedule() function is called at: - video device start_streaming() time - video device qbuf() time - irq handler As assembling a job requires inspecting all queues, it is a rather time consuming operation which is better not run in IRQ context. To avoid executing the time consuming job creation in interrupt context, split the job creation and job scheduling in two distinct operations. When a well-formed job is created, append it to the newly introduced 'pispbe->job_queue' where it will be dequeued from by the scheduling routine. At start_streaming() and qbuf() time immediately try to schedule a job if one has been created as the irq handler routine is only called when a job has completed, and we can't solely rely on it for scheduling new jobs. Signed-off-by: Jacopo Mondi <jacopo.mondi(a)ideasonboard.com> --- Changes in v7: - Rebased on media-committers/next - Fix lockdep warning by using the proper spinlock_irq() primitive in pispbe_prepare_job() which can race with the IRQ handler - Link to v6: https://lore.kernel.org/r/20240930-pispbe-mainline-split-jobs-handling-v6-v… v5->v6: - Make the driver depend on PM - Simplify the probe() routine by using pm_runtime_ - Remove suspend call from remove() v4->v5: - Use appropriate locking constructs: - spin_lock_irq() for pispbe_prepare_job() called from non irq context - spin_lock_irqsave() for pispbe_schedule() called from irq context - Remove hw_lock from ready_queue accesses in stop_streaming and start_streaming - Fix trivial indentation mistake in 4/4 v3->v4: - Expand commit message in 2/4 to explain why removing validation in schedule() is safe - Drop ready_lock spinlock - Use non _irqsave version of safe_guard(spinlock - Support !CONFIG_PM in 4/4 by calling the enable/disable routines directly and adjust pm_runtime usage as suggested by Laurent v2->v3: - Mark pispbe_runtime_resume() as __maybe_unused - Add fixes tags where appropriate v1->v2: - Add two patches to address Laurent's comments separately - use scoped_guard() when possible - Add patch to fix runtime_pm imbalance --- Jacopo Mondi (4): media: pisp_be: Drop reference to non-existing function media: pisp_be: Remove config validation from schedule() media: pisp_be: Split jobs creation and scheduling media: pisp_be: Fix pm_runtime underrun in probe drivers/media/platform/raspberrypi/pisp_be/Kconfig | 1 + .../media/platform/raspberrypi/pisp_be/pisp_be.c | 187 ++++++++++----------- 2 files changed, 90 insertions(+), 98 deletions(-) --- base-commit: 5e1ff2314797bf53636468a97719a8222deca9ae change-id: 20240930-pispbe-mainline-split-jobs-handling-v6-15dc16e11e3a Best regards, -- Jacopo Mondi <jacopo.mondi(a)ideasonboard.com>

11 minutes

2
2
0 0

[PATCH 0/2] media: qcom: camss: Fix two bugs in mainline

by Bryan O'Donoghue

Two bug fixes here. First up SDM630/SDM660 hasn't been probing because moving the CSIPHY gen2 init sequence into a common location also moved the default case of the switch statement which rejects non-gen2 devices. Second is a fix for a very longstanding bug which is a race-condition between fully enumerating /dev/videoX devices along with all of their dependent data-structures and gating user-space access to those devices. Signed-off-by: Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> --- Bryan O'Donoghue (2): media: qcom: camss: csiphy-3ph: Fix inadvertent dropping of SDM660/SDM670 phy init media: qcom: camss: vfe: Fix registration sequencing bug drivers/media/platform/qcom/camss/camss-csiphy-3ph-1-0.c | 3 +-- drivers/media/platform/qcom/camss/camss-vfe.c | 8 ++++++++ drivers/media/platform/qcom/camss/camss-vfe.h | 1 + 3 files changed, 10 insertions(+), 2 deletions(-) --- base-commit: 8666245114d979b963dc23894a03c74ecab8a7a6 change-id: 20250610-linux-next-25-05-30-daily-reviews-47ef54eee7ea Best regards, -- Bryan O'Donoghue <bryan.odonoghue(a)linaro.org>

19 minutes

3
5
0 0

[PATCH v2 0/3] soc: qcom: mdt_loader: Validation and cleanup fixes

by Bjorn Andersson

Signed-off-by: Bjorn Andersson <bjorn.andersson(a)oss.qualcomm.com> --- Changes in v2: - Validate e_phentsize and and e_shentsize as well --- Bjorn Andersson (3): soc: qcom: mdt_loader: Ensure we don't read past the ELF header soc: qcom: mdt_loader: Rename mdt_phdr_valid() soc: qcom: mdt_loader: Actually use the e_phoff drivers/soc/qcom/mdt_loader.c | 63 ++++++++++++++++++++++++++++++++++++------- 1 file changed, 53 insertions(+), 10 deletions(-) --- base-commit: 19272b37aa4f83ca52bdf9c16d5d81bdd1354494 change-id: 20250604-mdt-loader-validation-and-fixes-5c3267f5b19f Best regards, -- Bjorn Andersson <bjorn.andersson(a)oss.qualcomm.com>

22 minutes

2
2
0 0

[PATCH] drm/etnaviv: Protect the scheduler's pending list with its lock

by Maíra Canal

Commit 704d3d60fec4 ("drm/etnaviv: don't block scheduler when GPU is still active") ensured that active jobs are returned to the pending list when extending the timeout. However, it didn't use the pending list's lock to manipulate the list, which causes a race condition as the scheduler's workqueues are running. Hold the lock while manipulating the scheduler's pending list to prevent a race. Cc: stable(a)vger.kernel.org Fixes: 704d3d60fec4 ("drm/etnaviv: don't block scheduler when GPU is still active") Signed-off-by: Maíra Canal <mcanal(a)igalia.com> --- Hi, I'm proposing this workaround patch to address the race-condition caused by manipulating the pending list without using its lock. Although I understand this isn't a complete solution (see [1]), it's not reasonable to backport the new DRM stat series [2] to the stable branches. Therefore, I believe the best solution is backporting this fix to the stable branches, which will fix the race and will keep adding the job back to the pending list (which will avoid most memory leaks). [1] https://lore.kernel.org/dri-devel/bcc0ed477f8a6f3bb06665b1756bcb98fb7af871.… [2] https://lore.kernel.org/dri-devel/20250530-sched-skip-reset-v2-0-c40a8d2d8d… Best Regards, - Maíra --- drivers/gpu/drm/etnaviv/etnaviv_sched.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/etnaviv/etnaviv_sched.c b/drivers/gpu/drm/etnaviv/etnaviv_sched.c index 76a3a3e517d8..71e2e6b9d713 100644 --- a/drivers/gpu/drm/etnaviv/etnaviv_sched.c +++ b/drivers/gpu/drm/etnaviv/etnaviv_sched.c @@ -35,6 +35,7 @@ static enum drm_gpu_sched_stat etnaviv_sched_timedout_job(struct drm_sched_job *sched_job) { struct etnaviv_gem_submit *submit = to_etnaviv_submit(sched_job); + struct drm_gpu_scheduler *sched = sched_job->sched; struct etnaviv_gpu *gpu = submit->gpu; u32 dma_addr, primid = 0; int change; @@ -89,7 +90,9 @@ static enum drm_gpu_sched_stat etnaviv_sched_timedout_job(struct drm_sched_job return DRM_GPU_SCHED_STAT_NOMINAL; out_no_timeout: - list_add(&sched_job->list, &sched_job->sched->pending_list); + spin_lock(&sched->job_list_lock); + list_add(&sched_job->list, &sched->pending_list); + spin_unlock(&sched->job_list_lock); return DRM_GPU_SCHED_STAT_NOMINAL; } -- 2.49.0

23 minutes

3
2
0 0

Re: Patch "net: sch_ets: Add a new Qdisc" has been added to the 5.4-stable tree

by Petr Machata

Sasha Levin <sashal(a)kernel.org> writes: > This is a note to let you know that I've just added the patch titled > > net: sch_ets: Add a new Qdisc > > to the 5.4-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > net-sch_ets-add-a-new-qdisc.patch > and it can be found in the queue-5.4 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Not sure what the motivation is to include a pure added feature to a stable tree. But if you truly want the patch, then there were a couple follow up fixes over the years. At least the following look like patches to code that would be problematic in 5.4.y as well: cd9b50adc6bb ("net/sched: ets: fix crash when flipping from 'strict' to 'quantum'") 454d3e1ae057 ("net/sched: sch_ets: properly init all active DRR list handles") de6d25924c2a ("net/sched: sch_ets: don't peek at classes beyond 'nbands'") c062f2a0b04d ("net/sched: sch_ets: don't remove idle classes from the round-robin list") d62b04fca434 ("net: sched: fix ets qdisc OOB Indexing") 1a6d0c00fa07 ("net_sched: ets: Fix double list add in class with netem as child qdisc")

38 minutes

1
0
0 0

Unplayable framerates in game but specific kernel versions work, maybe amdgpu problem

by machion＠disroot.org

Hello kernel/driver developers, I hope, with my information it's possible to find a bug/problem in the kernel. Otherwise I am sorry, that I disturbed you. I only use LTS kernels, but I can narrow it down to a hand full of them, where it works. The PC: Manjaro Stable/Cinnamon/X11/AMD Ryzen 5 2600/Radeon HD 7790/8GB RAM I already asked the Manjaro community, but with no luck. The game: Hellpoint (GOG Linux latest version, Unity3D-Engine v2021), uses vulkan --- I came a long road of kernels. I had many versions of 5.4, 5.10, 5.15, 6.1 and 6.6 and and the game was always unplayable, because the frames where around 1fps (performance of PC is not the problem). I asked the mesa and cinnamon team for help in the past, but also with no luck. It never worked, till on 2025-03-29 when I installed 6.12.19 for the first time and it worked! But it only worked with 6.12.19, 6.12.20 and 6.12.21 When I updated to 6.12.25, it was back to unplayable. For testing I installed 6.14.4 with the same result. It doesn't work. I also compared file /proc/config.gz of both kernels (6.12.21 <> 6.14.4), but can't seem to see drastic changes to the graphical part. I presume it has something to do with amdgpu. If you need more information, I would be happy to help. Kind regards, Marion

59 minutes

2
3
0 0

[PATCH] net/9p: Fix buffer overflow in USB transport layer

by Yuhao Jiang

A buffer overflow vulnerability exists in the USB 9pfs transport layer where inconsistent size validation between packet header parsing and actual data copying allows a malicious USB host to overflow heap buffers. The issue occurs because: - usb9pfs_rx_header() validates only the declared size in packet header - usb9pfs_rx_complete() uses req->actual (actual received bytes) for memcpy This allows an attacker to craft packets with small declared size (bypassing validation) but large actual payload (triggering overflow in memcpy). Add validation in usb9pfs_rx_complete() to ensure req->actual does not exceed the buffer capacity before copying data. Reported-by: Yuhao Jiang <danisjiang(a)gmail.com> Fixes: a3be076dc174 ("net/9p/usbg: Add new usb gadget function transport") Cc: stable(a)vger.kernel.org Signed-off-by: Yuhao Jiang <danisjiang(a)gmail.com> --- net/9p/trans_usbg.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/net/9p/trans_usbg.c b/net/9p/trans_usbg.c index 6b694f117aef..047a2862fc84 100644 --- a/net/9p/trans_usbg.c +++ b/net/9p/trans_usbg.c @@ -242,6 +242,15 @@ static void usb9pfs_rx_complete(struct usb_ep *ep, struct usb_request *req) if (!p9_rx_req) return; + /* Validate actual received size against buffer capacity */ + if (req->actual > p9_rx_req->rc.capacity) { + dev_err(&cdev->gadget->dev, + "received data size %u exceeds buffer capacity %zu\n", + req->actual, p9_rx_req->rc.capacity); + p9_req_put(usb9pfs->client, p9_rx_req); + return; + } + memcpy(p9_rx_req->rc.sdata, req->buf, req->actual); p9_rx_req->rc.size = req->actual; -- 2.43.0

1 hour, 3 minutes

1
0
0 0

[PATCH] net/9p: Fix buffer overflow in USB transport layer

by Yuhao Jiang

A buffer overflow vulnerability exists in the USB 9pfs transport layer where inconsistent size validation between packet header parsing and actual data copying allows a malicious USB host to overflow heap buffers. The issue occurs because: - usb9pfs_rx_header() validates only the declared size in packet header - usb9pfs_rx_complete() uses req->actual (actual received bytes) for memcpy This allows an attacker to craft packets with small declared size (bypassing validation) but large actual payload (triggering overflow in memcpy). Add validation in usb9pfs_rx_complete() to ensure req->actual does not exceed the buffer capacity before copying data. Reported-by: Yuhao Jiang <danisjiang(a)gmail.com> Fixes: a3be076dc174 ("net/9p/usbg: Add new usb gadget function transport") Cc: stable(a)vger.kernel.org Signed-off-by: Yuhao Jiang <danisjiang(a)gmail.com> --- net/9p/trans_usbg.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/net/9p/trans_usbg.c b/net/9p/trans_usbg.c index 6b694f117aef..047a2862fc84 100644 --- a/net/9p/trans_usbg.c +++ b/net/9p/trans_usbg.c @@ -242,6 +242,15 @@ static void usb9pfs_rx_complete(struct usb_ep *ep, struct usb_request *req) if (!p9_rx_req) return; + /* Validate actual received size against buffer capacity */ + if (req->actual > p9_rx_req->rc.capacity) { + dev_err(&cdev->gadget->dev, + "received data size %u exceeds buffer capacity %zu\n", + req->actual, p9_rx_req->rc.capacity); + p9_req_put(usb9pfs->client, p9_rx_req); + return; + } + memcpy(p9_rx_req->rc.sdata, req->buf, req->actual); p9_rx_req->rc.size = req->actual; -- 2.43.0

1 hour, 7 minutes

1
0
0 0

[PATCH v2 00/10] soc: aspeed: lpc-snoop: Miscellaneous fixes

by Andrew Jeffery

Henry's bug[1] and fix[2] prompted some further inspection by Jean. This series provides fixes for the remaining issues Jean identified, as well as reworking the channel paths to reduce cleanup required in error paths. It is based on v6.16-rc1. Lightly tested under qemu and on an AST2600 EVB. Further testing on platforms designed around the snoop device appreciated. [1]: https://bugzilla.kernel.org/show_bug.cgi?id=219934 [2]: https://lore.kernel.org/all/20250401074647.21300-1-bsdhenrymartin@gmail.com/ Signed-off-by: Andrew Jeffery <andrew(a)codeconstruct.com.au> --- Changes in v2: - Address comments on v1 from Jean - Implement channel indexing using enums to avoid unnecessary tests - Switch to devm_clk_get_enabled() - Use dev_err_probe() where possible - Link to v1: https://patch.msgid.link/20250411-aspeed-lpc-snoop-fixes-v1-0-64f522e3ad6f@… --- Andrew Jeffery (10): soc: aspeed: lpc-snoop: Cleanup resources in stack-order soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled soc: aspeed: lpc-snoop: Ensure model_data is valid soc: aspeed: lpc-snoop: Constrain parameters in channel paths soc: aspeed: lpc-snoop: Rename 'channel' to 'index' in channel paths soc: aspeed: lpc-snoop: Rearrange channel paths soc: aspeed: lpc-snoop: Switch to devm_clk_get_enabled() soc: aspeed: lpc-snoop: Use dev_err_probe() where possible soc: aspeed: lpc-snoop: Consolidate channel initialisation soc: aspeed: lpc-snoop: Lift channel config to const structs drivers/soc/aspeed/aspeed-lpc-snoop.c | 224 +++++++++++++++++----------------- 1 file changed, 110 insertions(+), 114 deletions(-) --- base-commit: 19272b37aa4f83ca52bdf9c16d5d81bdd1354494 change-id: 20250401-aspeed-lpc-snoop-fixes-e5d2883da3a3 Best regards, -- Andrew Jeffery <andrew(a)codeconstruct.com.au>

1 hour, 15 minutes

1
2
0 0

temporary hung tasks on XFS since updating to 6.6.92

by Christian Theune

Hi, in the last week, after updating to 6.6.92, we’ve encountered a number of VMs reporting temporarily hung tasks blocking the whole system for a few minutes. They unblock by themselves and have similar tracebacks. The IO PSIs show 100% pressure for that time, but the underlying devices are still processing read and write IO (well within their capacity). I’ve eliminated the underlying storage (Ceph) as the source of problems as I couldn’t find any latency outliers or significant queuing during that time. I’ve seen somewhat similar reports on 6.6.88 and 6.6.77, but those might have been different outliers. I’m attaching 3 logs - my intuition and the data so far leads me to consider this might be a kernel bug. I haven’t found a way to reproduce this, yet. Regards, Christian -- Christian Theune · ct(a)flyingcircus.io · +49 345 219401 0 Flying Circus Internet Operations GmbH · https://flyingcircus.io Leipziger Str. 70/71 · 06108 Halle (Saale) · Deutschland HR Stendal HRB 21169 · Geschäftsführer: Christian Theune, Christian Zagrodnick

2 hours, 13 minutes

2
5
0 0

[PATCH v2] zynq_fpga: use sgtable-based scatterlist wrappers

by Marek Szyprowski

Use common wrappers operating directly on the struct sg_table objects to fix incorrect use of statterlists related calls. dma_unmap_sg() function has to be called with the number of elements originally passed to the dma_map_sg() function, not the one returned in sgtable's nents. CC: stable(a)vger.kernel.org Fixes: 425902f5c8e3 ("fpga zynq: Use the scatterlist interface") Signed-off-by: Marek Szyprowski <m.szyprowski(a)samsung.com> --- v2: - fixed build break (missing flags parameter) --- drivers/fpga/zynq-fpga.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git drivers/fpga/zynq-fpga.c drivers/fpga/zynq-fpga.c index f7e08f7ea9ef..0be0d569589d 100644 --- drivers/fpga/zynq-fpga.c +++ drivers/fpga/zynq-fpga.c @@ -406,7 +406,7 @@ static int zynq_fpga_ops_write(struct fpga_manager *mgr, struct sg_table *sgt) } priv->dma_nelms = - dma_map_sg(mgr->dev.parent, sgt->sgl, sgt->nents, DMA_TO_DEVICE); + dma_map_sgtable(mgr->dev.parent, sgt, DMA_TO_DEVICE, 0); if (priv->dma_nelms == 0) { dev_err(&mgr->dev, "Unable to DMA map (TO_DEVICE)\n"); return -ENOMEM; @@ -478,7 +478,7 @@ static int zynq_fpga_ops_write(struct fpga_manager *mgr, struct sg_table *sgt) clk_disable(priv->clk); out_free: - dma_unmap_sg(mgr->dev.parent, sgt->sgl, sgt->nents, DMA_TO_DEVICE); + dma_unmap_sgtable(mgr->dev.parent, sgt, DMA_TO_DEVICE, 0); return err; } -- 2.34.1

2 hours, 19 minutes

1
0
0 0

[PATCH v2 1/4] wifi: ath12k: fix dest ring-buffer corruption

by Johan Hovold

Add the missing memory barrier to make sure that destination ring descriptors are read after the head pointers to avoid using stale data on weakly ordered architectures like aarch64. The barrier is added to the ath12k_hal_srng_access_begin() helper for symmetry with follow-on fixes for source ring buffer corruption which will add barriers to ath12k_hal_srng_access_end(). Note that this may fix the empty descriptor issue recently worked around by commit 51ad34a47e9f ("wifi: ath12k: Add drop descriptor handling for monitor ring"). Tested-on: WCN7850 hw2.0 WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") Cc: stable(a)vger.kernel.org # 6.3 Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- drivers/net/wireless/ath/ath12k/ce.c | 3 --- drivers/net/wireless/ath/ath12k/hal.c | 17 ++++++++++++++--- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/ath/ath12k/ce.c b/drivers/net/wireless/ath/ath12k/ce.c index 740586fe49d1..b66d23d6b2bd 100644 --- a/drivers/net/wireless/ath/ath12k/ce.c +++ b/drivers/net/wireless/ath/ath12k/ce.c @@ -343,9 +343,6 @@ static int ath12k_ce_completed_recv_next(struct ath12k_ce_pipe *pipe, goto err; } - /* Make sure descriptor is read after the head pointer. */ - dma_rmb(); - *nbytes = ath12k_hal_ce_dst_status_get_length(desc); *skb = pipe->dest_ring->skb[sw_index]; diff --git a/drivers/net/wireless/ath/ath12k/hal.c b/drivers/net/wireless/ath/ath12k/hal.c index 91d5126ca149..9eea13ed5565 100644 --- a/drivers/net/wireless/ath/ath12k/hal.c +++ b/drivers/net/wireless/ath/ath12k/hal.c @@ -2126,13 +2126,24 @@ void *ath12k_hal_srng_src_get_next_reaped(struct ath12k_base *ab, void ath12k_hal_srng_access_begin(struct ath12k_base *ab, struct hal_srng *srng) { + u32 hp; + lockdep_assert_held(&srng->lock); - if (srng->ring_dir == HAL_SRNG_DIR_SRC) + if (srng->ring_dir == HAL_SRNG_DIR_SRC) { srng->u.src_ring.cached_tp = *(volatile u32 *)srng->u.src_ring.tp_addr; - else - srng->u.dst_ring.cached_hp = READ_ONCE(*srng->u.dst_ring.hp_addr); + } else { + hp = READ_ONCE(*srng->u.dst_ring.hp_addr); + + if (hp != srng->u.dst_ring.cached_hp) { + srng->u.dst_ring.cached_hp = hp; + /* Make sure descriptor is read after the head + * pointer. + */ + dma_rmb(); + } + } } /* Update cached ring head/tail pointers to HW. ath12k_hal_srng_access_begin() -- 2.49.0

3 hours, 29 minutes

4
5
0 0

[PATCH v2] scsi: ufs: core: Fix clk scaling to be conditional in reset and restore

by Anvith Dosapati

From: anvithdosapati <anvithdosapati(a)google.com> In ufshcd_host_reset_and_restore, scale up clocks only when clock scaling is supported. Without this change cpu latency is voted for 0 (ufshcd_pm_qos_update) during resume unconditionally. Signed-off-by: anvithdosapati <anvithdosapati(a)google.com> Fixes: a3cd5ec55f6c7 ("scsi: ufs: add load based scaling of UFS gear") Cc: stable(a)vger.kernel.org --- v2: - Update commit message - Add Fixes and Cc stable drivers/ufs/core/ufshcd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index 4410e7d93b7d..fac381ea2b3a 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -7802,7 +7802,8 @@ static int ufshcd_host_reset_and_restore(struct ufs_hba *hba) hba->silence_err_logs = false; /* scale up clocks to max frequency before full reinitialization */ - ufshcd_scale_clks(hba, ULONG_MAX, true); + if (ufshcd_is_clkscaling_supported(hba)) + ufshcd_scale_clks(hba, ULONG_MAX, true); err = ufshcd_hba_enable(hba); -- 2.50.0.rc1.591.g9c95f17f64-goog

5 hours, 31 minutes

1
0
0 0

[PATCH] pinctrl: nuvoton: Fix boot on ma35dx platforms

by Miquel Raynal

As part of a wider cleanup trying to get rid of OF specific APIs, an incorrect (and partially unrelated) cleanup was introduced. The goal was to replace a device_for_each_chil_node() loop including an additional condition inside by a macro doing both the loop and the check on a single line. The snippet: device_for_each_child_node(dev, child) if (fwnode_property_present(child, "gpio-controller")) continue; was replaced by: for_each_gpiochip_node(dev, child) which expands into: device_for_each_child_node(dev, child) for_each_if(fwnode_property_present(child, "gpio-controller")) This change is actually doing the opposite of what was initially expected, breaking the probe of this driver, breaking at the same time the whole boot of Nuvoton platforms (no more console, the kernel WARN()). Revert these two changes to roll back to the correct behavior. Fixes: 693c9ecd8326 ("pinctrl: nuvoton: Reduce use of OF-specific APIs") Cc: stable(a)vger.kernel.org Signed-off-by: Miquel Raynal <miquel.raynal(a)bootlin.com> --- drivers/pinctrl/nuvoton/pinctrl-ma35.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/pinctrl/nuvoton/pinctrl-ma35.c b/drivers/pinctrl/nuvoton/pinctrl-ma35.c index 06ae1fe8b8c5..b51704bafd81 100644 --- a/drivers/pinctrl/nuvoton/pinctrl-ma35.c +++ b/drivers/pinctrl/nuvoton/pinctrl-ma35.c @@ -1074,7 +1074,10 @@ static int ma35_pinctrl_probe_dt(struct platform_device *pdev, struct ma35_pinct u32 idx = 0; int ret; - for_each_gpiochip_node(dev, child) { + device_for_each_child_node(dev, child) { + if (fwnode_property_present(child, "gpio-controller")) + continue; + npctl->nfunctions++; npctl->ngroups += of_get_child_count(to_of_node(child)); } @@ -1092,7 +1095,10 @@ static int ma35_pinctrl_probe_dt(struct platform_device *pdev, struct ma35_pinct if (!npctl->groups) return -ENOMEM; - for_each_gpiochip_node(dev, child) { + device_for_each_child_node(dev, child) { + if (fwnode_property_present(child, "gpio-controller")) + continue; + ret = ma35_pinctrl_parse_functions(child, npctl, idx++); if (ret) { fwnode_handle_put(child); -- 2.48.1

5 hours, 37 minutes

2
2
0 0

Re: [PATCH] drm/i915/snps_hdmi_pll: Fix 64-bit divisor truncation by using div64_u64

by Jani Nikula

On Sun, 15 Jun 2025, "Nautiyal, Ankit K" <ankit.k.nautiyal(a)intel.com> wrote: > On 6/13/2025 3:06 PM, Jani Nikula wrote: >> On Fri, 13 Jun 2025, Ankit Nautiyal<ankit.k.nautiyal(a)intel.com> wrote: >>> *ana_cp_int = max(1, min(ana_cp_int_temp, 127)); >> Unrelated to this patch, but this should be: >> >> *ana_cp_int = clamp(ana_cp_int_temp, 1, 127); >> >> There's a similar issue with ana_cp_prop also in the file. >> > Agreed. Should there be a separate patch for this? Yes. That's why I emphasized "unrelated to this patch". ;) BR, Jani. -- Jani Nikula, Intel

6 hours, 10 minutes

1
0
0 0

[PATCH] fpga: zynq-fpga: use sgtable-based scatterlist wrappers

by Marek Szyprowski

Use common wrappers operating directly on the struct sg_table objects to fix incorrect use of statterlists related calls. dma_unmap_sg() function has to be called with the number of elements originally passed to the dma_map_sg() function, not the one returned in sgtable's nents. CC: stable(a)vger.kernel.org Fixes: 425902f5c8e3 ("fpga zynq: Use the scatterlist interface") Signed-off-by: Marek Szyprowski <m.szyprowski(a)samsung.com> --- drivers/fpga/zynq-fpga.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/fpga/zynq-fpga.c b/drivers/fpga/zynq-fpga.c index f7e08f7ea9ef..9bd39d1d4048 100644 --- a/drivers/fpga/zynq-fpga.c +++ b/drivers/fpga/zynq-fpga.c @@ -406,7 +406,7 @@ static int zynq_fpga_ops_write(struct fpga_manager *mgr, struct sg_table *sgt) } priv->dma_nelms = - dma_map_sg(mgr->dev.parent, sgt->sgl, sgt->nents, DMA_TO_DEVICE); + dma_map_sgtable(mgr->dev.parent, sgt, DMA_TO_DEVICE); if (priv->dma_nelms == 0) { dev_err(&mgr->dev, "Unable to DMA map (TO_DEVICE)\n"); return -ENOMEM; @@ -478,7 +478,7 @@ static int zynq_fpga_ops_write(struct fpga_manager *mgr, struct sg_table *sgt) clk_disable(priv->clk); out_free: - dma_unmap_sg(mgr->dev.parent, sgt->sgl, sgt->nents, DMA_TO_DEVICE); + dma_unmap_sgtable(mgr->dev.parent, sgt, DMA_TO_DEVICE); return err; } -- 2.34.1

6 hours, 19 minutes

3
3
0 0

BLOCK_LEGACY_AUTOLOAD not default y in Linux 5.15.179+

by Sebastian Priebe

Hello, we're facing a regression after updating to 5.15.179+. I've found that fbdee71bb5d8d054e1bdb5af4c540f2cb86fe296 (block: deprecate autoloading based on dev_t) was merged that disabled autoloading of modules. This broke mounting loopback devices on our side. Why wasn't 451f0b6f4c44d7b649ae609157b114b71f6d7875 (block: default BLOCK_LEGACY_AUTOLOAD to y) merged, too? This commit was merged for 6.1.y, 6.6.y and 6.12y, but not for 5.15.y. Please consider merging this for 5.15.y soon. Thanks. Sebastian

7 hours

1
0
0 0

Host panic in bpf verifier when loading bpf prog in 5.10 stable kernel

by Aaron Lu

Hello, Wei reported when loading his bpf prog in 5.10.200 kernel, host would panic, this didn't happen in 5.10.135 kernel. Test on latest v5.10.238 still has this panic. [ 26.531718] BUG: kernel NULL pointer dereference, address: 0000000000000168 [ 26.538093] #PF: supervisor read access in kernel mode [ 26.542727] #PF: error_code(0x0000) - not-present page [ 26.548093] PGD 10f3e9067 P4D 10f332067 PUD 10f0c5067 PMD 0 [ 26.553211] Oops: 0000 [#1] SMP NOPTI [ 26.556531] CPU: 2 PID: 541 Comm: main Not tainted 5.10.238-00267-g01e7e36b8606 #63 [ 26.563816] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 26.572357] RIP: 0010:__mark_chain_precision+0x24b/0x4d0 [ 26.576572] Code: 51 01 be 20 00 00 00 4c 89 ef 48 63 d2 e8 bd df 31 00 89 c1 83 f8 1f 7f 29 48 63 d1 48 89 d0 48 c1 e0 04 48 29 d0 48 8d 04 c3 <83> 38 01 75 c3 0f b6 74 24 06 80 78 74 00 c6 40 74 01 44 0f 44 f6 [ 26.589100] RSP: 0018:ffa0000000ff7b60 EFLAGS: 00010216 [ 26.592612] RAX: 0000000000000168 RBX: 0000000000000000 RCX: 0000000000000003 [ 26.597416] RDX: 0000000000000003 RSI: 0000000000000020 RDI: ffa0000000ff7b78 [ 26.601362] RBP: 0000000000000003 R08: ffa0000000ff7b70 R09: 0000000000000004 [ 26.604261] R10: 0000000000000007 R11: ffa0000000425000 R12: ff11000102ee2000 [ 26.607202] R13: ffa0000000ff7b78 R14: 0000000000000000 R15: ff1100010ee37140 [ 26.610327] FS: 00000000007a0630(0000) GS:ff1100081c400000(0000) knlGS:0000000000000000 [ 26.613678] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 26.616105] CR2: 0000000000000168 CR3: 0000000115e72002 CR4: 0000000000371ee0 [ 26.619059] Call Trace: [ 26.620118] adjust_reg_min_max_vals+0x133/0x340 [ 26.622048] ? krealloc+0x63/0xe0 [ 26.623435] do_check+0x38c/0xa80 [ 26.624859] do_check_common+0x15b/0x280 [ 26.626496] bpf_check+0xbe1/0xd30 [ 26.627939] ? srso_alias_return_thunk+0x5/0x7f [ 26.629796] ? trace_hardirqs_on+0x1a/0xd0 [ 26.631503] ? srso_alias_return_thunk+0x5/0x7f [ 26.633402] bpf_prog_load+0x422/0x8a0 [ 26.634987] ? srso_alias_return_thunk+0x5/0x7f [ 26.636864] ? __handle_mm_fault+0x3cb/0x6d0 [ 26.638658] ? srso_alias_return_thunk+0x5/0x7f [ 26.640543] ? lock_release+0xe3/0x110 [ 26.642114] __do_sys_bpf+0x485/0xdf0 [ 26.643624] do_syscall_64+0x33/0x40 [ 26.645110] entry_SYSCALL_64_after_hwframe+0x67/0xd1 [ 26.647190] RIP: 0033:0x409a6e [ 26.648470] Code: 24 28 44 8b 44 24 2c e9 70 ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 89 f2 48 89 fa 48 89 ce 48 89 df 0f 05 <48> 3d 01 f0 ff ff 76 15 48 f7 d8 48 89 c1 48 c7 c0 ff ff ff ff 48 [ 26.656154] RSP: 002b:000000c00199edc0 EFLAGS: 00000212 ORIG_RAX: 0000000000000141 [ 26.659451] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000409a6e [ 26.662375] RDX: 0000000000000098 RSI: 000000c00199f290 RDI: 0000000000000005 [ 26.665267] RBP: 000000c00199ee00 R08: 0000000000000000 R09: 0000000000000000 [ 26.668204] R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000 [ 26.671125] R13: 0000000000000080 R14: 000000c000002380 R15: 8080808080808080 [ 26.674085] Modules linked in: [ 26.675363] CR2: 0000000000000168 [ 26.676772] ---[ end trace 3fc192ee4dabbf12 ]--- [ 26.678667] RIP: 0010:__mark_chain_precision+0x24b/0x4d0 [ 26.680926] Code: 51 01 be 20 00 00 00 4c 89 ef 48 63 d2 e8 bd df 31 00 89 c1 83 f8 1f 7f 29 48 63 d1 48 89 d0 48 c1 e0 04 48 29 d0 48 8d 04 c3 <83> 38 01 75 c3 0f b6 74 24 06 80 78 74 00 c6 40 74 01 44 0f 44 f6 [ 26.688665] RSP: 0018:ffa0000000ff7b60 EFLAGS: 00010216 [ 26.690828] RAX: 0000000000000168 RBX: 0000000000000000 RCX: 0000000000000003 [ 26.693777] RDX: 0000000000000003 RSI: 0000000000000020 RDI: ffa0000000ff7b78 [ 26.696680] RBP: 0000000000000003 R08: ffa0000000ff7b70 R09: 0000000000000004 [ 26.699651] R10: 0000000000000007 R11: ffa0000000425000 R12: ff11000102ee2000 [ 26.702561] R13: ffa0000000ff7b78 R14: 0000000000000000 R15: ff1100010ee37140 [ 26.705522] FS: 00000000007a0630(0000) GS:ff1100081c400000(0000) knlGS:0000000000000000 [ 26.708806] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 26.711179] CR2: 0000000000000168 CR3: 0000000115e72002 CR4: 0000000000371ee0 [ 26.714143] Kernel panic - not syncing: Fatal exception [ 26.716893] Kernel Offset: disabled [ 26.718911] Rebooting in 5 seconds.. I did a bisect in linux-5.10.y branch and found the fbc is commit 2474ec58b96d("bpf: allow precision tracking for programs with subprogs"). I noticed there is a commit in Linus master branch that has a fix tag for this bisected commit: commit 81335f90e8a8("bpf: unconditionally reset backtrack_state masks on global func exit"), I tried to apply it in this 5.10.y branch but since the bases are quite different, clean apply is not possible, I end up with the following diff: diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 40ac67a04ab75..71da33fb96552 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2118,11 +2118,9 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int frame, int r bitmap_from_u64(mask, reg_mask); for_each_set_bit(i, mask, 32) { reg = &st->frame[0]->regs[i]; - if (reg->type != SCALAR_VALUE) { - reg_mask &= ~(1u << i); - continue; - } - reg->precise = true; + reg_mask &= ~(1u << i); + if (reg->type == SCALAR_VALUE) + reg->precise = true; } return 0; } But it didn't make any difference. Here are the reproduce steps: 1 clone this repo https://github.com/bytedance/vArmor-ebpf and switch to panic-analysis branch; 2 make build A binary named main should be built. I used golang compiler downloaded here: https://go.dev/dl/go1.24.3.linux-amd64.tar.gz but other golang compiler may also work. Run main as root and it will panic the host(kernel needs CONFIG_BPF_LSM). Full dmesg and config are attached, feel free to let me know if you need any additional info, thanks. P.S. linux-5.15.y has the same situation.

7 hours, 22 minutes

1
1
0 0

[PATCH] wifi: mt76: mt7925: fix incorrect scan probe IE handling for hw_scan

by Mingyen Hsieh

From: Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> The IEs should be processed and filled into the command tlv separately according to each band. Cc: stable(a)vger.kernel.org Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips") Signed-off-by: Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> --- .../net/wireless/mediatek/mt76/mt7925/main.c | 2 +- .../net/wireless/mediatek/mt76/mt7925/mcu.c | 75 +++++++++++++++---- .../net/wireless/mediatek/mt76/mt7925/mcu.h | 5 +- 3 files changed, 63 insertions(+), 19 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net/wireless/mediatek/mt76/mt7925/main.c index 555ef302ae97..506387b4ce13 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -1540,7 +1540,7 @@ mt7925_start_sched_scan(struct ieee80211_hw *hw, struct ieee80211_vif *vif, mt792x_mutex_acquire(dev); - err = mt7925_mcu_sched_scan_req(mphy, vif, req); + err = mt7925_mcu_sched_scan_req(mphy, vif, req, ies); if (err < 0) goto out; diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c index ef1d42af96f7..9993d47e643c 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c @@ -192,6 +192,7 @@ mt7925_connac_mcu_set_wow_ctrl(struct mt76_phy *phy, struct ieee80211_vif *vif, bool suspend, struct cfg80211_wowlan *wowlan) { struct mt76_vif_link *mvif = (struct mt76_vif_link *)vif->drv_priv; + struct ieee80211_scan_ies ies = {}; struct mt76_dev *dev = phy->dev; struct { struct { @@ -227,7 +228,7 @@ mt7925_connac_mcu_set_wow_ctrl(struct mt76_phy *phy, struct ieee80211_vif *vif, req.wow_ctrl_tlv.trigger |= (UNI_WOW_DETECT_TYPE_DISCONNECT | UNI_WOW_DETECT_TYPE_BCN_LOST); if (wowlan->nd_config) { - mt7925_mcu_sched_scan_req(phy, vif, wowlan->nd_config); + mt7925_mcu_sched_scan_req(phy, vif, wowlan->nd_config, &ies); req.wow_ctrl_tlv.trigger |= UNI_WOW_DETECT_TYPE_SCH_SCAN_HIT; mt7925_mcu_sched_scan_enable(phy, vif, suspend); } @@ -3085,6 +3086,54 @@ int mt7925_mcu_set_dbdc(struct mt76_phy *phy, bool enable) return err; } +static void +mt7925_mcu_build_scan_ie_tlv(struct mt76_dev *mdev, + struct sk_buff *skb, + struct ieee80211_scan_ies *scan_ies) +{ + u32 max_len = sizeof(struct scan_ie_tlv) + MT76_CONNAC_SCAN_IE_LEN; + struct scan_ie_tlv *ie; + enum nl80211_band i; + struct tlv *tlv; + const u8 *ies; + u16 ies_len; + + for (i = 0; i <= NL80211_BAND_6GHZ; i++) { + if (i == NL80211_BAND_60GHZ) + continue; + + ies = scan_ies->ies[i]; + ies_len = scan_ies->len[i]; + + if (!ies || !ies_len) + continue; + + if (ies_len > max_len) + return; + + tlv = mt76_connac_mcu_add_tlv(skb, UNI_SCAN_IE, + sizeof(*ie) + ies_len); + ie = (struct scan_ie_tlv *)tlv; + + memcpy(ie->ies, ies, ies_len); + ie->ies_len = cpu_to_le16(ies_len); + + switch (i) { + case NL80211_BAND_2GHZ: + ie->band = 1; + break; + case NL80211_BAND_6GHZ: + ie->band = 3; + break; + default: + ie->band = 2; + break; + } + + max_len -= (sizeof(*ie) + ies_len); + } +} + int mt7925_mcu_hw_scan(struct mt76_phy *phy, struct ieee80211_vif *vif, struct ieee80211_scan_request *scan_req) { @@ -3110,7 +3159,8 @@ int mt7925_mcu_hw_scan(struct mt76_phy *phy, struct ieee80211_vif *vif, max_len = sizeof(*hdr) + sizeof(*req) + sizeof(*ssid) + sizeof(*bssid) * MT7925_RNR_SCAN_MAX_BSSIDS + - sizeof(*chan_info) + sizeof(*misc) + sizeof(*ie); + sizeof(*chan_info) + sizeof(*misc) + sizeof(*ie) + + MT76_CONNAC_SCAN_IE_LEN; skb = mt76_mcu_msg_alloc(mdev, NULL, max_len); if (!skb) @@ -3192,13 +3242,6 @@ int mt7925_mcu_hw_scan(struct mt76_phy *phy, struct ieee80211_vif *vif, } chan_info->channel_type = sreq->n_channels ? 4 : 0; - tlv = mt76_connac_mcu_add_tlv(skb, UNI_SCAN_IE, sizeof(*ie)); - ie = (struct scan_ie_tlv *)tlv; - if (sreq->ie_len > 0) { - memcpy(ie->ies, sreq->ie, sreq->ie_len); - ie->ies_len = cpu_to_le16(sreq->ie_len); - } - req->scan_func |= SCAN_FUNC_SPLIT_SCAN; tlv = mt76_connac_mcu_add_tlv(skb, UNI_SCAN_MISC, sizeof(*misc)); @@ -3209,6 +3252,9 @@ int mt7925_mcu_hw_scan(struct mt76_phy *phy, struct ieee80211_vif *vif, req->scan_func |= SCAN_FUNC_RANDOM_MAC; } + /* Append scan probe IEs as the last tlv */ + mt7925_mcu_build_scan_ie_tlv(mdev, skb, &scan_req->ies); + err = mt76_mcu_skb_send_msg(mdev, skb, MCU_UNI_CMD(SCAN_REQ), true); if (err < 0) @@ -3220,7 +3266,8 @@ EXPORT_SYMBOL_GPL(mt7925_mcu_hw_scan); int mt7925_mcu_sched_scan_req(struct mt76_phy *phy, struct ieee80211_vif *vif, - struct cfg80211_sched_scan_request *sreq) + struct cfg80211_sched_scan_request *sreq, + struct ieee80211_scan_ies *ies) { struct mt76_vif_link *mvif = (struct mt76_vif_link *)vif->drv_priv; struct ieee80211_channel **scan_list = sreq->channels; @@ -3308,12 +3355,8 @@ int mt7925_mcu_sched_scan_req(struct mt76_phy *phy, } chan_info->channel_type = sreq->n_channels ? 4 : 0; - tlv = mt76_connac_mcu_add_tlv(skb, UNI_SCAN_IE, sizeof(*ie)); - ie = (struct scan_ie_tlv *)tlv; - if (sreq->ie_len > 0) { - memcpy(ie->ies, sreq->ie, sreq->ie_len); - ie->ies_len = cpu_to_le16(sreq->ie_len); - } + /* Append scan probe IEs as the last tlv */ + mt7925_mcu_build_scan_ie_tlv(mdev, skb, ies); return mt76_mcu_skb_send_msg(mdev, skb, MCU_UNI_CMD(SCAN_REQ), true); diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h index 3dddadb7457b..c34b28769782 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h @@ -269,7 +269,7 @@ struct scan_ie_tlv { __le16 ies_len; u8 band; u8 pad; - u8 ies[MT76_CONNAC_SCAN_IE_LEN]; + u8 ies[]; }; struct scan_misc_tlv { @@ -674,7 +674,8 @@ int mt7925_mcu_cancel_hw_scan(struct mt76_phy *phy, struct ieee80211_vif *vif); int mt7925_mcu_sched_scan_req(struct mt76_phy *phy, struct ieee80211_vif *vif, - struct cfg80211_sched_scan_request *sreq); + struct cfg80211_sched_scan_request *sreq, + struct ieee80211_scan_ies *ies); int mt7925_mcu_sched_scan_enable(struct mt76_phy *phy, struct ieee80211_vif *vif, bool enable); -- 2.34.1

7 hours, 52 minutes

1
0
0 0

[PATCH v2 0/5] drm/xe: enable driver usage on non-4KiB kernels

by Mingcong Bai via B4 Relay

This patch series attempts to enable the use of xe DRM driver on non-4KiB kernel page platforms. This involves fixing the ttm/bo interface, as well as parts of the userspace API to make use of kernel `PAGE_SIZE' for alignment instead of the assumed `SZ_4K', it also fixes incorrect usage of `PAGE_SIZE' in the GuC and ring buffer interface code to make sure all instructions/commands were aligned to 4KiB barriers (per the Programmer's Manual for the GPUs covered by this DRM driver). This issue was first discovered and reported by members of the LoongArch user communities, whose hardware commonly ran on 16KiB-page kernels. The patch series began on an unassuming branch of a downstream kernel tree maintained by Shang Yatsen.[^1] It worked well but remained sparsely documented, a lot of the work done here relied on Shang Yatsen's original patch. AOSC OS then picked it up[^2] to provide Intel Xe/Arc support for users of its LoongArch port, for which I worked extensively on. After months of positive user feedback and from encouragement from Kexy Biscuit, my colleague at the community, I decided to examine its potential for upstreaming, cross-reference kernel and Intel documentation to better document and revise this patch. Now that this series has been tested good (for boot up, OpenGL, and playback of a standardised set of video samples[^3] on the following platforms (motherboard + GPU model): - x86-64, 4KiB kernel page: - MS-7D42 + Intel Arc A580 - COLORFIRE B760M-MEOW WIFI D5 + Intel Arc B580 - LoongArch, 16KiB kernel page: - XA61200 + GUNNIR DG1 Blue Halberd (Intel DG1) - XA61200 + GUNNIR Iris Xe Index 4 (Intel DG1) - XA61200 + GUNNIR Intel Iris Xe Max Index V2 (Intel DG1) - XA61200 + GUNNIR Intel Arc A380 Index 6G (Intel Arc A380) - XA61200 + ASRock Arc A380 Challenger ITX OC (Intel Arc A380) - XA61200 + Intel Arc A580 - XA61200 + GUNNIR Intel Arc A750 Photon 8G OC (Intel Arc A750) - XA61200 + Intel Arc B580 - XB612B0 + GUNNIR Intel Iris Xe Max Index V2 (Intel DG1) - XB612B0 + GUNNIR Intel Arc A380 Index 6G (Intel Arc A380) - ASUS XC-LS3A6M + GUNNIR Intel Arc B580 INDEX 12G (Intel Arc B580) On these platforms, basic functionalities tested good but the driver was unstable with occasional resets (I do suspect however, that this platform suffers from PCIe coherence issues, as instability only occurs under heavy VRAM I/O load): - AArch64, 4KiB/64KiB kernel pages: - ERUN-FD3000 (Phytium D3000) + GUNNIR Intel Iris Xe Max Index V2 (Intel DG1) - ERUN-FD3000 (Phytium D3000) + GUNNIR Intel Arc A380 Index 6G (Intel Arc A380) - ERUN-FD3000 (Phytium D3000) + GUNNIR Intel Arc A750 Photon 8G OC (Intel Arc A750) I think that this patch series is now ready for your comment and review. Please forgive me if I made any simple mistake or used wrong terminologies, but I have never worked on a patch for the DRM subsystem and my experience is still quite thin. But anyway, just letting you all know that Intel Xe/Arc works on non-4KiB kernel page platforms (and honestly, it's great to use, especially for games and media playback)! [^1]: https://github.com/FanFansfan/loongson-linux/tree/loongarch-xe [^2]: We maintained Shang Yatsen's patch until our v6.13.3 tree, until we decided to test and send this series upstream, https://github.com/AOSC-Tracking/linux/tree/aosc/v6.13.3 [^3]: Delicious hot pot! https://repo.aosc.io/ahvl/sample-videos-20250223.tar.zst --- Matthew(s), Lucas, and Francois: Thanks again for your patience and review. I recently had a job change and it put me off this series for months, but I'm back (and should be a lot more responsive now) - sorry! Let's get this ball rolling again. I was unfortunately unable to revise 1/5 from v1 as you requested, neither of your suggestions to allow allocation of VRAM smaller than page size worked... So I kept that part as is. As for the your comment in 5/5, I'm not sure about what the right approach to implement a SZ_64K >= PAGE_SIZE assert was, as there are many other instances of similar ternary conditional operators in the xe code. Correct me if I'm wrong but I felt that it might be better handled in a separate patch series? --- Changes in v2: - Define `GUC_ALIGN' and use them in GuC code to improve clarity. - Update documentation on `DRM_XE_QUERY_CONFIG_MIN_ALIGNMENT'. - Rebase, and other minor changes. - Link to v1: https://lore.kernel.org/all/20250226-xe-non-4k-fix-v1-0-80f23b5ee40e@aosc.i… To: Lucas De Marchi <lucas.demarchi(a)intel.com> To: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> To: Rodrigo Vivi <rodrigo.vivi(a)intel.com> To: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> To: Maxime Ripard <mripard(a)kernel.org> To: Thomas Zimmermann <tzimmermann(a)suse.de> To: David Airlie <airlied(a)gmail.com> To: Simona Vetter <simona(a)ffwll.ch> To: José Roberto de Souza <jose.souza(a)intel.com> To: Francois Dugast <francois.dugast(a)intel.com> To: Matthew Brost <matthew.brost(a)intel.com> To: Alan Previn <alan.previn.teres.alexis(a)intel.com> To: Zhanjun Dong <zhanjun.dong(a)intel.com> To: Matt Roper <matthew.d.roper(a)intel.com> To: Mateusz Naklicki <mateusz.naklicki(a)intel.com> Cc: Mauro Carvalho Chehab <mauro.chehab(a)linux.intel.com> Cc: Zbigniew Kempczyński <zbigniew.kempczynski(a)intel.com> Cc: intel-xe(a)lists.freedesktop.org Cc: dri-devel(a)lists.freedesktop.org Cc: linux-kernel(a)vger.kernel.org Suggested-by: Kexy Biscuit <kexybiscuit(a)aosc.io> Co-developed-by: Shang Yatsen <429839446(a)qq.com> Signed-off-by: Shang Yatsen <429839446(a)qq.com> Signed-off-by: Mingcong Bai <jeffbai(a)aosc.io> --- Mingcong Bai (5): drm/xe/bo: fix alignment with non-4KiB kernel page sizes drm/xe/guc: use GUC_SIZE (SZ_4K) for alignment drm/xe/regs: fix RING_CTL_SIZE(size) calculation drm/xe: use 4KiB alignment for cursor jumps drm/xe/query: use PAGE_SIZE as the minimum page alignment drivers/gpu/drm/xe/regs/xe_engine_regs.h | 2 +- drivers/gpu/drm/xe/xe_bo.c | 8 ++++---- drivers/gpu/drm/xe/xe_guc.c | 4 ++-- drivers/gpu/drm/xe/xe_guc.h | 3 +++ drivers/gpu/drm/xe/xe_guc_ads.c | 32 ++++++++++++++++---------------- drivers/gpu/drm/xe/xe_guc_capture.c | 8 ++++---- drivers/gpu/drm/xe/xe_guc_ct.c | 2 +- drivers/gpu/drm/xe/xe_guc_log.c | 5 +++-- drivers/gpu/drm/xe/xe_guc_pc.c | 4 ++-- drivers/gpu/drm/xe/xe_migrate.c | 4 ++-- drivers/gpu/drm/xe/xe_query.c | 2 +- include/uapi/drm/xe_drm.h | 7 +++++-- 12 files changed, 44 insertions(+), 37 deletions(-) --- base-commit: 546b1c9e93c2bb8cf5ed24e0be1c86bb089b3253 change-id: 20250603-upstream-xe-non-4k-v2-4acf253c9bfd Best regards, -- Mingcong Bai <jeffbai(a)aosc.io>

8 hours, 35 minutes

2
6
0 0

[PATCH] crypto: qat - lower priority for skcipher and aead algorithms

by Giovanni Cabiddu

Most kernel applications utilizing the crypto API operate synchronously and on small buffer sizes, therefore do not benefit from QAT acceleration. Reduce the priority of QAT implementations for both skcipher and aead algorithms, allowing more suitable alternatives to be selected by default. Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> Link: https://lore.kernel.org/all/20250613012357.GA3603104@google.com/ Cc: stable(a)vger.kernel.org --- drivers/crypto/intel/qat/qat_common/qat_algs.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/crypto/intel/qat/qat_common/qat_algs.c b/drivers/crypto/intel/qat/qat_common/qat_algs.c index 3c4bba4a8779..d69cc1e5e023 100644 --- a/drivers/crypto/intel/qat/qat_common/qat_algs.c +++ b/drivers/crypto/intel/qat/qat_common/qat_algs.c @@ -1277,7 +1277,7 @@ static struct aead_alg qat_aeads[] = { { .base = { .cra_name = "authenc(hmac(sha1),cbc(aes))", .cra_driver_name = "qat_aes_cbc_hmac_sha1", - .cra_priority = 4001, + .cra_priority = 100, .cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY, .cra_blocksize = AES_BLOCK_SIZE, .cra_ctxsize = sizeof(struct qat_alg_aead_ctx), @@ -1294,7 +1294,7 @@ static struct aead_alg qat_aeads[] = { { .base = { .cra_name = "authenc(hmac(sha256),cbc(aes))", .cra_driver_name = "qat_aes_cbc_hmac_sha256", - .cra_priority = 4001, + .cra_priority = 100, .cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY, .cra_blocksize = AES_BLOCK_SIZE, .cra_ctxsize = sizeof(struct qat_alg_aead_ctx), @@ -1311,7 +1311,7 @@ static struct aead_alg qat_aeads[] = { { .base = { .cra_name = "authenc(hmac(sha512),cbc(aes))", .cra_driver_name = "qat_aes_cbc_hmac_sha512", - .cra_priority = 4001, + .cra_priority = 100, .cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY, .cra_blocksize = AES_BLOCK_SIZE, .cra_ctxsize = sizeof(struct qat_alg_aead_ctx), @@ -1329,7 +1329,7 @@ static struct aead_alg qat_aeads[] = { { static struct skcipher_alg qat_skciphers[] = { { .base.cra_name = "cbc(aes)", .base.cra_driver_name = "qat_aes_cbc", - .base.cra_priority = 4001, + .base.cra_priority = 100, .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY, .base.cra_blocksize = AES_BLOCK_SIZE, .base.cra_ctxsize = sizeof(struct qat_alg_skcipher_ctx), @@ -1347,7 +1347,7 @@ static struct skcipher_alg qat_skciphers[] = { { }, { .base.cra_name = "ctr(aes)", .base.cra_driver_name = "qat_aes_ctr", - .base.cra_priority = 4001, + .base.cra_priority = 100, .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY, .base.cra_blocksize = 1, .base.cra_ctxsize = sizeof(struct qat_alg_skcipher_ctx), @@ -1365,7 +1365,7 @@ static struct skcipher_alg qat_skciphers[] = { { }, { .base.cra_name = "xts(aes)", .base.cra_driver_name = "qat_aes_xts", - .base.cra_priority = 4001, + .base.cra_priority = 100, .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK | CRYPTO_ALG_ALLOCATES_MEMORY, .base.cra_blocksize = AES_BLOCK_SIZE, -- 2.49.0

10 hours, 11 minutes

3
3
0 0

FAILED: patch "[PATCH] mm/huge_memory: fix dereferencing invalid pmd migration entry" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051202-nutrient-upswing-4a86@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7 Mon Sep 17 00:00:00 2001 From: Gavin Guo <gavinguo(a)igalia.com> Date: Mon, 21 Apr 2025 19:35:36 +0800 Subject: [PATCH] mm/huge_memory: fix dereferencing invalid pmd migration entry When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target. Mailing list discussion and explanation from Hugh Dickins: "An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the "folio != pmd_folio((*pmd)" check (and the "risk of replacing the wrong folio" comment a few lines above it) is for." BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: <TASK> try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug is found by syzkaller on an internal kernel, then confirmed on upstream. Link: https://lkml.kernel.org/r/20250421113536.3682201-1-gavinguo@igalia.com Link: https://lore.kernel.org/all/20250414072737.1698513-1-gavinguo@igalia.com/ Link: https://lore.kernel.org/all/20250418085802.2973519-1-gavinguo@igalia.com/ Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path") Signed-off-by: Gavin Guo <gavinguo(a)igalia.com> Acked-by: David Hildenbrand <david(a)redhat.com> Acked-by: Hugh Dickins <hughd(a)google.com> Acked-by: Zi Yan <ziy(a)nvidia.com> Reviewed-by: Gavin Shan <gshan(a)redhat.com> Cc: Florent Revest <revest(a)google.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Miaohe Lin <linmiaohe(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 2a47682d1ab7..47d76d03ce30 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -3075,6 +3075,8 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, void split_huge_pmd_locked(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd, bool freeze, struct folio *folio) { + bool pmd_migration = is_pmd_migration_entry(*pmd); + VM_WARN_ON_ONCE(folio && !folio_test_pmd_mappable(folio)); VM_WARN_ON_ONCE(!IS_ALIGNED(address, HPAGE_PMD_SIZE)); VM_WARN_ON_ONCE(folio && !folio_test_locked(folio)); @@ -3085,9 +3087,12 @@ void split_huge_pmd_locked(struct vm_area_struct *vma, unsigned long address, * require a folio to check the PMD against. Otherwise, there * is a risk of replacing the wrong folio. */ - if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd) || - is_pmd_migration_entry(*pmd)) { - if (folio && folio != pmd_folio(*pmd)) + if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd) || pmd_migration) { + /* + * Do not apply pmd_folio() to a migration entry; and folio lock + * guarantees that it must be of the wrong folio anyway. + */ + if (folio && (pmd_migration || folio != pmd_folio(*pmd))) return; __split_huge_pmd_locked(vma, pmd, address, freeze); }

11 hours, 39 minutes

2
1
0 0

FAILED: patch "[PATCH] mm/huge_memory: fix dereferencing invalid pmd migration entry" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051203-thrift-spool-ebc8@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7 Mon Sep 17 00:00:00 2001 From: Gavin Guo <gavinguo(a)igalia.com> Date: Mon, 21 Apr 2025 19:35:36 +0800 Subject: [PATCH] mm/huge_memory: fix dereferencing invalid pmd migration entry When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target. Mailing list discussion and explanation from Hugh Dickins: "An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the "folio != pmd_folio((*pmd)" check (and the "risk of replacing the wrong folio" comment a few lines above it) is for." BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: <TASK> try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug is found by syzkaller on an internal kernel, then confirmed on upstream. Link: https://lkml.kernel.org/r/20250421113536.3682201-1-gavinguo@igalia.com Link: https://lore.kernel.org/all/20250414072737.1698513-1-gavinguo@igalia.com/ Link: https://lore.kernel.org/all/20250418085802.2973519-1-gavinguo@igalia.com/ Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path") Signed-off-by: Gavin Guo <gavinguo(a)igalia.com> Acked-by: David Hildenbrand <david(a)redhat.com> Acked-by: Hugh Dickins <hughd(a)google.com> Acked-by: Zi Yan <ziy(a)nvidia.com> Reviewed-by: Gavin Shan <gshan(a)redhat.com> Cc: Florent Revest <revest(a)google.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Miaohe Lin <linmiaohe(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 2a47682d1ab7..47d76d03ce30 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -3075,6 +3075,8 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, void split_huge_pmd_locked(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd, bool freeze, struct folio *folio) { + bool pmd_migration = is_pmd_migration_entry(*pmd); + VM_WARN_ON_ONCE(folio && !folio_test_pmd_mappable(folio)); VM_WARN_ON_ONCE(!IS_ALIGNED(address, HPAGE_PMD_SIZE)); VM_WARN_ON_ONCE(folio && !folio_test_locked(folio)); @@ -3085,9 +3087,12 @@ void split_huge_pmd_locked(struct vm_area_struct *vma, unsigned long address, * require a folio to check the PMD against. Otherwise, there * is a risk of replacing the wrong folio. */ - if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd) || - is_pmd_migration_entry(*pmd)) { - if (folio && folio != pmd_folio(*pmd)) + if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd) || pmd_migration) { + /* + * Do not apply pmd_folio() to a migration entry; and folio lock + * guarantees that it must be of the wrong folio anyway. + */ + if (folio && (pmd_migration || folio != pmd_folio(*pmd))) return; __split_huge_pmd_locked(vma, pmd, address, freeze); }

11 hours, 41 minutes

2
1
0 0

FAILED: patch "[PATCH] mm/huge_memory: fix dereferencing invalid pmd migration entry" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051204-tidal-lake-6ae7@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7 Mon Sep 17 00:00:00 2001 From: Gavin Guo <gavinguo(a)igalia.com> Date: Mon, 21 Apr 2025 19:35:36 +0800 Subject: [PATCH] mm/huge_memory: fix dereferencing invalid pmd migration entry When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target. Mailing list discussion and explanation from Hugh Dickins: "An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the "folio != pmd_folio((*pmd)" check (and the "risk of replacing the wrong folio" comment a few lines above it) is for." BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: <TASK> try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug is found by syzkaller on an internal kernel, then confirmed on upstream. Link: https://lkml.kernel.org/r/20250421113536.3682201-1-gavinguo@igalia.com Link: https://lore.kernel.org/all/20250414072737.1698513-1-gavinguo@igalia.com/ Link: https://lore.kernel.org/all/20250418085802.2973519-1-gavinguo@igalia.com/ Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path") Signed-off-by: Gavin Guo <gavinguo(a)igalia.com> Acked-by: David Hildenbrand <david(a)redhat.com> Acked-by: Hugh Dickins <hughd(a)google.com> Acked-by: Zi Yan <ziy(a)nvidia.com> Reviewed-by: Gavin Shan <gshan(a)redhat.com> Cc: Florent Revest <revest(a)google.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Miaohe Lin <linmiaohe(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 2a47682d1ab7..47d76d03ce30 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -3075,6 +3075,8 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, void split_huge_pmd_locked(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd, bool freeze, struct folio *folio) { + bool pmd_migration = is_pmd_migration_entry(*pmd); + VM_WARN_ON_ONCE(folio && !folio_test_pmd_mappable(folio)); VM_WARN_ON_ONCE(!IS_ALIGNED(address, HPAGE_PMD_SIZE)); VM_WARN_ON_ONCE(folio && !folio_test_locked(folio)); @@ -3085,9 +3087,12 @@ void split_huge_pmd_locked(struct vm_area_struct *vma, unsigned long address, * require a folio to check the PMD against. Otherwise, there * is a risk of replacing the wrong folio. */ - if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd) || - is_pmd_migration_entry(*pmd)) { - if (folio && folio != pmd_folio(*pmd)) + if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd) || pmd_migration) { + /* + * Do not apply pmd_folio() to a migration entry; and folio lock + * guarantees that it must be of the wrong folio anyway. + */ + if (folio && (pmd_migration || folio != pmd_folio(*pmd))) return; __split_huge_pmd_locked(vma, pmd, address, freeze); }

11 hours, 47 minutes

2
1
0 0

FAILED: patch "[PATCH] mm/huge_memory: fix dereferencing invalid pmd migration entry" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051205-work-bronze-e167@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7 Mon Sep 17 00:00:00 2001 From: Gavin Guo <gavinguo(a)igalia.com> Date: Mon, 21 Apr 2025 19:35:36 +0800 Subject: [PATCH] mm/huge_memory: fix dereferencing invalid pmd migration entry When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target. Mailing list discussion and explanation from Hugh Dickins: "An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the "folio != pmd_folio((*pmd)" check (and the "risk of replacing the wrong folio" comment a few lines above it) is for." BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: <TASK> try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug is found by syzkaller on an internal kernel, then confirmed on upstream. Link: https://lkml.kernel.org/r/20250421113536.3682201-1-gavinguo@igalia.com Link: https://lore.kernel.org/all/20250414072737.1698513-1-gavinguo@igalia.com/ Link: https://lore.kernel.org/all/20250418085802.2973519-1-gavinguo@igalia.com/ Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path") Signed-off-by: Gavin Guo <gavinguo(a)igalia.com> Acked-by: David Hildenbrand <david(a)redhat.com> Acked-by: Hugh Dickins <hughd(a)google.com> Acked-by: Zi Yan <ziy(a)nvidia.com> Reviewed-by: Gavin Shan <gshan(a)redhat.com> Cc: Florent Revest <revest(a)google.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Miaohe Lin <linmiaohe(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 2a47682d1ab7..47d76d03ce30 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -3075,6 +3075,8 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, void split_huge_pmd_locked(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd, bool freeze, struct folio *folio) { + bool pmd_migration = is_pmd_migration_entry(*pmd); + VM_WARN_ON_ONCE(folio && !folio_test_pmd_mappable(folio)); VM_WARN_ON_ONCE(!IS_ALIGNED(address, HPAGE_PMD_SIZE)); VM_WARN_ON_ONCE(folio && !folio_test_locked(folio)); @@ -3085,9 +3087,12 @@ void split_huge_pmd_locked(struct vm_area_struct *vma, unsigned long address, * require a folio to check the PMD against. Otherwise, there * is a risk of replacing the wrong folio. */ - if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd) || - is_pmd_migration_entry(*pmd)) { - if (folio && folio != pmd_folio(*pmd)) + if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd) || pmd_migration) { + /* + * Do not apply pmd_folio() to a migration entry; and folio lock + * guarantees that it must be of the wrong folio anyway. + */ + if (folio && (pmd_migration || folio != pmd_folio(*pmd))) return; __split_huge_pmd_locked(vma, pmd, address, freeze); }

11 hours, 49 minutes

2
1
0 0

FAILED: patch "[PATCH] mm/huge_memory: fix dereferencing invalid pmd migration entry" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025051206-t-shirt-wrist-ad33@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From be6e843fc51a584672dfd9c4a6a24c8cb81d5fb7 Mon Sep 17 00:00:00 2001 From: Gavin Guo <gavinguo(a)igalia.com> Date: Mon, 21 Apr 2025 19:35:36 +0800 Subject: [PATCH] mm/huge_memory: fix dereferencing invalid pmd migration entry When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target. Mailing list discussion and explanation from Hugh Dickins: "An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the "folio != pmd_folio((*pmd)" check (and the "risk of replacing the wrong folio" comment a few lines above it) is for." BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60 Call Trace: <TASK> try_to_migrate_one+0x28c/0x3730 rmap_walk_anon+0x4f6/0x770 unmap_folio+0x196/0x1f0 split_huge_page_to_list_to_order+0x9f6/0x1560 deferred_split_scan+0xac5/0x12a0 shrinker_debugfs_scan_write+0x376/0x470 full_proxy_write+0x15c/0x220 vfs_write+0x2fc/0xcb0 ksys_write+0x146/0x250 do_syscall_64+0x6a/0x120 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug is found by syzkaller on an internal kernel, then confirmed on upstream. Link: https://lkml.kernel.org/r/20250421113536.3682201-1-gavinguo@igalia.com Link: https://lore.kernel.org/all/20250414072737.1698513-1-gavinguo@igalia.com/ Link: https://lore.kernel.org/all/20250418085802.2973519-1-gavinguo@igalia.com/ Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path") Signed-off-by: Gavin Guo <gavinguo(a)igalia.com> Acked-by: David Hildenbrand <david(a)redhat.com> Acked-by: Hugh Dickins <hughd(a)google.com> Acked-by: Zi Yan <ziy(a)nvidia.com> Reviewed-by: Gavin Shan <gshan(a)redhat.com> Cc: Florent Revest <revest(a)google.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Miaohe Lin <linmiaohe(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 2a47682d1ab7..47d76d03ce30 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -3075,6 +3075,8 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, void split_huge_pmd_locked(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd, bool freeze, struct folio *folio) { + bool pmd_migration = is_pmd_migration_entry(*pmd); + VM_WARN_ON_ONCE(folio && !folio_test_pmd_mappable(folio)); VM_WARN_ON_ONCE(!IS_ALIGNED(address, HPAGE_PMD_SIZE)); VM_WARN_ON_ONCE(folio && !folio_test_locked(folio)); @@ -3085,9 +3087,12 @@ void split_huge_pmd_locked(struct vm_area_struct *vma, unsigned long address, * require a folio to check the PMD against. Otherwise, there * is a risk of replacing the wrong folio. */ - if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd) || - is_pmd_migration_entry(*pmd)) { - if (folio && folio != pmd_folio(*pmd)) + if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd) || pmd_migration) { + /* + * Do not apply pmd_folio() to a migration entry; and folio lock + * guarantees that it must be of the wrong folio anyway. + */ + if (folio && (pmd_migration || folio != pmd_folio(*pmd))) return; __split_huge_pmd_locked(vma, pmd, address, freeze); }

11 hours, 54 minutes

2
1
0 0

[PATCH v2] iommu/arm-smmu-qcom: Add SM6115 MDSS compatible

by Alexey Klimov

Add the SM6115 MDSS compatible to clients compatible list, as it also needs that workaround. Without this workaround, for example, QRB4210 RB2 which is based on SM4250/SM6115 generates a lot of smmu unhandled context faults during boot: arm_smmu_context_fault: 116854 callbacks suppressed arm-smmu c600000.iommu: Unhandled context fault: fsr=0x402, iova=0x5c0ec600, fsynr=0x320021, cbfrsynra=0x420, cb=5 arm-smmu c600000.iommu: FSR = 00000402 [Format=2 TF], SID=0x420 arm-smmu c600000.iommu: FSYNR0 = 00320021 [S1CBNDX=50 PNU PLVL=1] arm-smmu c600000.iommu: Unhandled context fault: fsr=0x402, iova=0x5c0d7800, fsynr=0x320021, cbfrsynra=0x420, cb=5 arm-smmu c600000.iommu: FSR = 00000402 [Format=2 TF], SID=0x420 and also failed initialisation of lontium lt9611uxc, gpu and dpu is observed: (binding MDSS components triggered by lt9611uxc have failed) ------------[ cut here ]------------ !aspace WARNING: CPU: 6 PID: 324 at drivers/gpu/drm/msm/msm_gem_vma.c:130 msm_gem_vma_init+0x150/0x18c [msm] Modules linked in: ... (long list of modules) CPU: 6 UID: 0 PID: 324 Comm: (udev-worker) Not tainted 6.15.0-03037-gaacc73ceeb8b #4 PREEMPT Hardware name: Qualcomm Technologies, Inc. QRB4210 RB2 (DT) pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : msm_gem_vma_init+0x150/0x18c [msm] lr : msm_gem_vma_init+0x150/0x18c [msm] sp : ffff80008144b280 ... Call trace: msm_gem_vma_init+0x150/0x18c [msm] (P) get_vma_locked+0xc0/0x194 [msm] msm_gem_get_and_pin_iova_range+0x4c/0xdc [msm] msm_gem_kernel_new+0x48/0x160 [msm] msm_gpu_init+0x34c/0x53c [msm] adreno_gpu_init+0x1b0/0x2d8 [msm] a6xx_gpu_init+0x1e8/0x9e0 [msm] adreno_bind+0x2b8/0x348 [msm] component_bind_all+0x100/0x230 msm_drm_bind+0x13c/0x3d0 [msm] try_to_bring_up_aggregate_device+0x164/0x1d0 __component_add+0xa4/0x174 component_add+0x14/0x20 dsi_dev_attach+0x20/0x34 [msm] dsi_host_attach+0x58/0x98 [msm] devm_mipi_dsi_attach+0x34/0x90 lt9611uxc_attach_dsi.isra.0+0x94/0x124 [lontium_lt9611uxc] lt9611uxc_probe+0x540/0x5fc [lontium_lt9611uxc] i2c_device_probe+0x148/0x2a8 really_probe+0xbc/0x2c0 __driver_probe_device+0x78/0x120 driver_probe_device+0x3c/0x154 __driver_attach+0x90/0x1a0 bus_for_each_dev+0x68/0xb8 driver_attach+0x24/0x30 bus_add_driver+0xe4/0x208 driver_register+0x68/0x124 i2c_register_driver+0x48/0xcc lt9611uxc_driver_init+0x20/0x1000 [lontium_lt9611uxc] do_one_initcall+0x60/0x1d4 do_init_module+0x54/0x1fc load_module+0x1748/0x1c8c init_module_from_file+0x74/0xa0 __arm64_sys_finit_module+0x130/0x2f8 invoke_syscall+0x48/0x104 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x2c/0x80 el0t_64_sync_handler+0x10c/0x138 el0t_64_sync+0x198/0x19c ---[ end trace 0000000000000000 ]--- msm_dpu 5e01000.display-controller: [drm:msm_gpu_init [msm]] *ERROR* could not allocate memptrs: -22 msm_dpu 5e01000.display-controller: failed to load adreno gpu platform a400000.remoteproc:glink-edge:apr:service@7:dais: Adding to iommu group 19 msm_dpu 5e01000.display-controller: failed to bind 5900000.gpu (ops a3xx_ops [msm]): -22 msm_dpu 5e01000.display-controller: adev bind failed: -22 lt9611uxc 0-002b: failed to attach dsi to host lt9611uxc 0-002b: probe with driver lt9611uxc failed with error -22 Suggested-by: Bjorn Andersson <andersson(a)kernel.org> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> Fixes: 3581b7062cec ("drm/msm/disp/dpu1: add support for display on SM6115") Cc: <stable(a)vger.kernel.org> Signed-off-by: Alexey Klimov <alexey.klimov(a)linaro.org> --- v2: - added tags as suggested by Dmitry; - slightly updated text in the commit message. Previous version: https://lore.kernel.org/linux-arm-msm/20250528003118.214093-1-alexey.klimov… drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c index 62874b18f645..c75023718595 100644 --- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c +++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c @@ -379,6 +379,7 @@ static const struct of_device_id qcom_smmu_client_of_match[] __maybe_unused = { { .compatible = "qcom,sdm670-mdss" }, { .compatible = "qcom,sdm845-mdss" }, { .compatible = "qcom,sdm845-mss-pil" }, + { .compatible = "qcom,sm6115-mdss" }, { .compatible = "qcom,sm6350-mdss" }, { .compatible = "qcom,sm6375-mdss" }, { .compatible = "qcom,sm8150-mdss" }, -- 2.47.2

14 hours, 18 minutes

2
1
0 0

[PATCH] HID: appletb-kbd: fix "appletb_backlight" backlight device reference counting

by Qasim Ijaz

During appletb_kbd_probe, probe attempts to get the backlight device by name. When this happens backlight_device_get_by_name looks for a device in the backlight class which has name "appletb_backlight" and upon finding a match it increments the reference count for the device and returns it to the caller. However this reference is never released leading to a reference leak. Fix this by decrementing the backlight device reference count on removal via put_device and on probe failure. Fixes: 93a0fc489481 ("HID: hid-appletb-kbd: add support for automatic brightness control while using the touchbar") Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- drivers/hid/hid-appletb-kbd.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/hid/hid-appletb-kbd.c b/drivers/hid/hid-appletb-kbd.c index ef51b2c06872..e06567886e50 100644 --- a/drivers/hid/hid-appletb-kbd.c +++ b/drivers/hid/hid-appletb-kbd.c @@ -438,6 +438,8 @@ static int appletb_kbd_probe(struct hid_device *hdev, const struct hid_device_id return 0; close_hw: + if (kbd->backlight_dev) + put_device(&kbd->backlight_dev->dev); hid_hw_close(hdev); stop_hw: hid_hw_stop(hdev); @@ -453,6 +455,9 @@ static void appletb_kbd_remove(struct hid_device *hdev) input_unregister_handler(&kbd->inp_handler); timer_delete_sync(&kbd->inactivity_timer); + if (kbd->backlight_dev) + put_device(&kbd->backlight_dev->dev); + hid_hw_close(hdev); hid_hw_stop(hdev); } -- 2.39.5

15 hours, 29 minutes

1
0
0 0

+ bcache-remove-unnecessary-select-min_heap.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: bcache: remove unnecessary select MIN_HEAP has been added to the -mm mm-hotfixes-unstable branch. Its filename is bcache-remove-unnecessary-select-min_heap.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Kuan-Wei Chiu <visitorckw(a)gmail.com> Subject: bcache: remove unnecessary select MIN_HEAP Date: Sun, 15 Jun 2025 04:23:53 +0800 After reverting the transition to the generic min heap library, bcache no longer depends on MIN_HEAP. The select entry can be removed to reduce code size and shrink the kernel's attack surface. This change effectively reverts the bcache-related part of commit 92a8b224b833 ("lib/min_heap: introduce non-inline versions of min heap API functions"). This is part of a series of changes to address a performance regression caused by the use of the generic min_heap implementation. As reported by Robert, bcache now suffers from latency spikes, with P100 (max) latency increasing from 600 ms to 2.4 seconds every 5 minutes. These regressions degrade bcache's effectiveness as a low-latency cache layer and lead to frequent timeouts and application stalls in production environments. Link: https://lore.kernel.org/lkml/CAJhEC05+0S69z+3+FB2Cd0hD+pCRyWTKLEOsc8BOmH73p… Link: https://lkml.kernel.org/r/20250614202353.1632957-4-visitorckw@gmail.com Fixes: 866898efbb25 ("bcache: remove heap-related macros and switch to generic min_heap") Fixes: 92a8b224b833 ("lib/min_heap: introduce non-inline versions of min heap API functions") Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com> Reported-by: Robert Pang <robertpang(a)google.com> Closes: https://lore.kernel.org/linux-bcache/CAJhEC06F_AtrPgw2-7CvCqZgeStgCtitbD-ry… Acked-by: Coly Li <colyli(a)kernel.org> Cc: Ching-Chun (Jim) Huang <jserv(a)ccns.ncku.edu.tw> Cc: Kent Overstreet <kent.overstreet(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/md/bcache/Kconfig | 1 - 1 file changed, 1 deletion(-) --- a/drivers/md/bcache/Kconfig~bcache-remove-unnecessary-select-min_heap +++ a/drivers/md/bcache/Kconfig @@ -5,7 +5,6 @@ config BCACHE select BLOCK_HOLDER_DEPRECATED if SYSFS select CRC64 select CLOSURES - select MIN_HEAP help Allows a block device to be used as cache for other devices; uses a btree for indexing and the layout is optimized for SSDs. _ Patches currently in -mm which might be from visitorckw(a)gmail.com are revert-bcache-update-min_heap_callbacks-to-use-default-builtin-swap.patch revert-bcache-remove-heap-related-macros-and-switch-to-generic-min_heap.patch bcache-remove-unnecessary-select-min_heap.patch lib-math-gcd-use-static-key-to-select-implementation-at-runtime.patch riscv-optimize-gcd-code-size-when-config_riscv_isa_zbb-is-disabled.patch riscv-optimize-gcd-performance-on-risc-v-without-zbb-extension.patch

16 hours, 1 minute

1
0
0 0

+ revert-bcache-remove-heap-related-macros-and-switch-to-generic-min_heap.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: Revert "bcache: remove heap-related macros and switch to generic min_heap" has been added to the -mm mm-hotfixes-unstable branch. Its filename is revert-bcache-remove-heap-related-macros-and-switch-to-generic-min_heap.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Kuan-Wei Chiu <visitorckw(a)gmail.com> Subject: Revert "bcache: remove heap-related macros and switch to generic min_heap" Date: Sun, 15 Jun 2025 04:23:52 +0800 This reverts commit 866898efbb25bb44fd42848318e46db9e785973a. The generic bottom-up min_heap implementation causes performance regression in invalidate_buckets_lru(), a hot path in bcache. Before the cache is fully populated, new_bucket_prio() often returns zero, leading to many equal comparisons. In such cases, bottom-up sift_down performs up to 2 * log2(n) comparisons, while the original top-down approach completes with just O() comparisons, resulting in a measurable performance gap. The performance degradation is further worsened by the non-inlined min_heap API functions introduced in commit 92a8b224b833 ("lib/min_heap: introduce non-inline versions of min heap API functions"), adding function call overhead to this critical path. As reported by Robert, bcache now suffers from latency spikes, with P100 (max) latency increasing from 600 ms to 2.4 seconds every 5 minutes. These regressions degrade bcache's effectiveness as a low-latency cache layer and lead to frequent timeouts and application stalls in production environments. This revert aims to restore bcache's original low-latency behavior. Link: https://lore.kernel.org/lkml/CAJhEC05+0S69z+3+FB2Cd0hD+pCRyWTKLEOsc8BOmH73p… Link: https://lkml.kernel.org/r/20250614202353.1632957-3-visitorckw@gmail.com Fixes: 866898efbb25 ("bcache: remove heap-related macros and switch to generic min_heap") Fixes: 92a8b224b833 ("lib/min_heap: introduce non-inline versions of min heap API functions") Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com> Reported-by: Robert Pang <robertpang(a)google.com> Closes: https://lore.kernel.org/linux-bcache/CAJhEC06F_AtrPgw2-7CvCqZgeStgCtitbD-ry… Acked-by: Coly Li <colyli(a)kernel.org> Cc: Ching-Chun (Jim) Huang <jserv(a)ccns.ncku.edu.tw> Cc: Kent Overstreet <kent.overstreet(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/md/bcache/alloc.c | 64 ++++------------ drivers/md/bcache/bcache.h | 2 drivers/md/bcache/bset.c | 124 +++++++++++--------------------- drivers/md/bcache/bset.h | 42 ++++++---- drivers/md/bcache/btree.c | 69 +++++++---------- drivers/md/bcache/extents.c | 51 ++++--------- drivers/md/bcache/movinggc.c | 41 ++-------- drivers/md/bcache/super.c | 3 drivers/md/bcache/sysfs.c | 4 - drivers/md/bcache/util.h | 67 ++++++++++++++++- drivers/md/bcache/writeback.c | 13 +-- 11 files changed, 217 insertions(+), 263 deletions(-) --- a/drivers/md/bcache/alloc.c~revert-bcache-remove-heap-related-macros-and-switch-to-generic-min_heap +++ a/drivers/md/bcache/alloc.c @@ -164,68 +164,40 @@ static void bch_invalidate_one_bucket(st * prio is worth 1/8th of what INITIAL_PRIO is worth. */ -static inline unsigned int new_bucket_prio(struct cache *ca, struct bucket *b) -{ - unsigned int min_prio = (INITIAL_PRIO - ca->set->min_prio) / 8; - - return (b->prio - ca->set->min_prio + min_prio) * GC_SECTORS_USED(b); -} - -static inline bool new_bucket_max_cmp(const void *l, const void *r, void *args) -{ - struct bucket **lhs = (struct bucket **)l; - struct bucket **rhs = (struct bucket **)r; - struct cache *ca = args; - - return new_bucket_prio(ca, *lhs) > new_bucket_prio(ca, *rhs); -} - -static inline bool new_bucket_min_cmp(const void *l, const void *r, void *args) -{ - struct bucket **lhs = (struct bucket **)l; - struct bucket **rhs = (struct bucket **)r; - struct cache *ca = args; - - return new_bucket_prio(ca, *lhs) < new_bucket_prio(ca, *rhs); -} - -static inline void new_bucket_swap(void *l, void *r, void __always_unused *args) -{ - struct bucket **lhs = l, **rhs = r; +#define bucket_prio(b) \ +({ \ + unsigned int min_prio = (INITIAL_PRIO - ca->set->min_prio) / 8; \ + \ + (b->prio - ca->set->min_prio + min_prio) * GC_SECTORS_USED(b); \ +}) - swap(*lhs, *rhs); -} +#define bucket_max_cmp(l, r) (bucket_prio(l) < bucket_prio(r)) +#define bucket_min_cmp(l, r) (bucket_prio(l) > bucket_prio(r)) static void invalidate_buckets_lru(struct cache *ca) { struct bucket *b; - const struct min_heap_callbacks bucket_max_cmp_callback = { - .less = new_bucket_max_cmp, - .swp = new_bucket_swap, - }; - const struct min_heap_callbacks bucket_min_cmp_callback = { - .less = new_bucket_min_cmp, - .swp = new_bucket_swap, - }; + ssize_t i; - ca->heap.nr = 0; + ca->heap.used = 0; for_each_bucket(b, ca) { if (!bch_can_invalidate_bucket(ca, b)) continue; - if (!min_heap_full(&ca->heap)) - min_heap_push(&ca->heap, &b, &bucket_max_cmp_callback, ca); - else if (!new_bucket_max_cmp(&b, min_heap_peek(&ca->heap), ca)) { + if (!heap_full(&ca->heap)) + heap_add(&ca->heap, b, bucket_max_cmp); + else if (bucket_max_cmp(b, heap_peek(&ca->heap))) { ca->heap.data[0] = b; - min_heap_sift_down(&ca->heap, 0, &bucket_max_cmp_callback, ca); + heap_sift(&ca->heap, 0, bucket_max_cmp); } } - min_heapify_all(&ca->heap, &bucket_min_cmp_callback, ca); + for (i = ca->heap.used / 2 - 1; i >= 0; --i) + heap_sift(&ca->heap, i, bucket_min_cmp); while (!fifo_full(&ca->free_inc)) { - if (!ca->heap.nr) { + if (!heap_pop(&ca->heap, b, bucket_min_cmp)) { /* * We don't want to be calling invalidate_buckets() * multiple times when it can't do anything @@ -234,8 +206,6 @@ static void invalidate_buckets_lru(struc wake_up_gc(ca->set); return; } - b = min_heap_peek(&ca->heap)[0]; - min_heap_pop(&ca->heap, &bucket_min_cmp_callback, ca); bch_invalidate_one_bucket(ca, b); } --- a/drivers/md/bcache/bcache.h~revert-bcache-remove-heap-related-macros-and-switch-to-generic-min_heap +++ a/drivers/md/bcache/bcache.h @@ -458,7 +458,7 @@ struct cache { /* Allocation stuff: */ struct bucket *buckets; - DEFINE_MIN_HEAP(struct bucket *, cache_heap) heap; + DECLARE_HEAP(struct bucket *, heap); /* * If nonzero, we know we aren't going to find any buckets to invalidate --- a/drivers/md/bcache/bset.c~revert-bcache-remove-heap-related-macros-and-switch-to-generic-min_heap +++ a/drivers/md/bcache/bset.c @@ -54,11 +54,9 @@ void bch_dump_bucket(struct btree_keys * int __bch_count_data(struct btree_keys *b) { unsigned int ret = 0; - struct btree_iter iter; + struct btree_iter_stack iter; struct bkey *k; - min_heap_init(&iter.heap, NULL, MAX_BSETS); - if (b->ops->is_extents) for_each_key(b, k, &iter) ret += KEY_SIZE(k); @@ -69,11 +67,9 @@ void __bch_check_keys(struct btree_keys { va_list args; struct bkey *k, *p = NULL; - struct btree_iter iter; + struct btree_iter_stack iter; const char *err; - min_heap_init(&iter.heap, NULL, MAX_BSETS); - for_each_key(b, k, &iter) { if (b->ops->is_extents) { err = "Keys out of order"; @@ -114,9 +110,9 @@ bug: static void bch_btree_iter_next_check(struct btree_iter *iter) { - struct bkey *k = iter->heap.data->k, *next = bkey_next(k); + struct bkey *k = iter->data->k, *next = bkey_next(k); - if (next < iter->heap.data->end && + if (next < iter->data->end && bkey_cmp(k, iter->b->ops->is_extents ? &START_KEY(next) : next) > 0) { bch_dump_bucket(iter->b); @@ -883,14 +879,12 @@ unsigned int bch_btree_insert_key(struct unsigned int status = BTREE_INSERT_STATUS_NO_INSERT; struct bset *i = bset_tree_last(b)->data; struct bkey *m, *prev = NULL; - struct btree_iter iter; + struct btree_iter_stack iter; struct bkey preceding_key_on_stack = ZERO_KEY; struct bkey *preceding_key_p = &preceding_key_on_stack; BUG_ON(b->ops->is_extents && !KEY_SIZE(k)); - min_heap_init(&iter.heap, NULL, MAX_BSETS); - /* * If k has preceding key, preceding_key_p will be set to address * of k's preceding key; otherwise preceding_key_p will be set @@ -901,9 +895,9 @@ unsigned int bch_btree_insert_key(struct else preceding_key(k, &preceding_key_p); - m = bch_btree_iter_init(b, &iter, preceding_key_p); + m = bch_btree_iter_stack_init(b, &iter, preceding_key_p); - if (b->ops->insert_fixup(b, k, &iter, replace_key)) + if (b->ops->insert_fixup(b, k, &iter.iter, replace_key)) return status; status = BTREE_INSERT_STATUS_INSERT; @@ -1083,102 +1077,79 @@ struct bkey *__bch_bset_search(struct bt /* Btree iterator */ -typedef bool (new_btree_iter_cmp_fn)(const void *, const void *, void *); - -static inline bool new_btree_iter_cmp(const void *l, const void *r, void __always_unused *args) -{ - const struct btree_iter_set *_l = l; - const struct btree_iter_set *_r = r; - - return bkey_cmp(_l->k, _r->k) <= 0; -} +typedef bool (btree_iter_cmp_fn)(struct btree_iter_set, + struct btree_iter_set); -static inline void new_btree_iter_swap(void *iter1, void *iter2, void __always_unused *args) +static inline bool btree_iter_cmp(struct btree_iter_set l, + struct btree_iter_set r) { - struct btree_iter_set *_iter1 = iter1; - struct btree_iter_set *_iter2 = iter2; - - swap(*_iter1, *_iter2); + return bkey_cmp(l.k, r.k) > 0; } static inline bool btree_iter_end(struct btree_iter *iter) { - return !iter->heap.nr; + return !iter->used; } void bch_btree_iter_push(struct btree_iter *iter, struct bkey *k, struct bkey *end) { - const struct min_heap_callbacks callbacks = { - .less = new_btree_iter_cmp, - .swp = new_btree_iter_swap, - }; - if (k != end) - BUG_ON(!min_heap_push(&iter->heap, - &((struct btree_iter_set) { k, end }), - &callbacks, - NULL)); + BUG_ON(!heap_add(iter, + ((struct btree_iter_set) { k, end }), + btree_iter_cmp)); } -static struct bkey *__bch_btree_iter_init(struct btree_keys *b, - struct btree_iter *iter, - struct bkey *search, - struct bset_tree *start) +static struct bkey *__bch_btree_iter_stack_init(struct btree_keys *b, + struct btree_iter_stack *iter, + struct bkey *search, + struct bset_tree *start) { struct bkey *ret = NULL; - iter->heap.size = ARRAY_SIZE(iter->heap.preallocated); - iter->heap.nr = 0; + iter->iter.size = ARRAY_SIZE(iter->stack_data); + iter->iter.used = 0; #ifdef CONFIG_BCACHE_DEBUG - iter->b = b; + iter->iter.b = b; #endif for (; start <= bset_tree_last(b); start++) { ret = bch_bset_search(b, start, search); - bch_btree_iter_push(iter, ret, bset_bkey_last(start->data)); + bch_btree_iter_push(&iter->iter, ret, bset_bkey_last(start->data)); } return ret; } -struct bkey *bch_btree_iter_init(struct btree_keys *b, - struct btree_iter *iter, +struct bkey *bch_btree_iter_stack_init(struct btree_keys *b, + struct btree_iter_stack *iter, struct bkey *search) { - return __bch_btree_iter_init(b, iter, search, b->set); + return __bch_btree_iter_stack_init(b, iter, search, b->set); } static inline struct bkey *__bch_btree_iter_next(struct btree_iter *iter, - new_btree_iter_cmp_fn *cmp) + btree_iter_cmp_fn *cmp) { struct btree_iter_set b __maybe_unused; struct bkey *ret = NULL; - const struct min_heap_callbacks callbacks = { - .less = cmp, - .swp = new_btree_iter_swap, - }; if (!btree_iter_end(iter)) { bch_btree_iter_next_check(iter); - ret = iter->heap.data->k; - iter->heap.data->k = bkey_next(iter->heap.data->k); + ret = iter->data->k; + iter->data->k = bkey_next(iter->data->k); - if (iter->heap.data->k > iter->heap.data->end) { + if (iter->data->k > iter->data->end) { WARN_ONCE(1, "bset was corrupt!\n"); - iter->heap.data->k = iter->heap.data->end; + iter->data->k = iter->data->end; } - if (iter->heap.data->k == iter->heap.data->end) { - if (iter->heap.nr) { - b = min_heap_peek(&iter->heap)[0]; - min_heap_pop(&iter->heap, &callbacks, NULL); - } - } + if (iter->data->k == iter->data->end) + heap_pop(iter, b, cmp); else - min_heap_sift_down(&iter->heap, 0, &callbacks, NULL); + heap_sift(iter, 0, cmp); } return ret; @@ -1186,7 +1157,7 @@ static inline struct bkey *__bch_btree_i struct bkey *bch_btree_iter_next(struct btree_iter *iter) { - return __bch_btree_iter_next(iter, new_btree_iter_cmp); + return __bch_btree_iter_next(iter, btree_iter_cmp); } @@ -1224,18 +1195,16 @@ static void btree_mergesort(struct btree struct btree_iter *iter, bool fixup, bool remove_stale) { + int i; struct bkey *k, *last = NULL; BKEY_PADDED(k) tmp; bool (*bad)(struct btree_keys *, const struct bkey *) = remove_stale ? bch_ptr_bad : bch_ptr_invalid; - const struct min_heap_callbacks callbacks = { - .less = b->ops->sort_cmp, - .swp = new_btree_iter_swap, - }; /* Heapify the iterator, using our comparison function */ - min_heapify_all(&iter->heap, &callbacks, NULL); + for (i = iter->used / 2 - 1; i >= 0; --i) + heap_sift(iter, i, b->ops->sort_cmp); while (!btree_iter_end(iter)) { if (b->ops->sort_fixup && fixup) @@ -1324,11 +1293,10 @@ void bch_btree_sort_partial(struct btree struct bset_sort_state *state) { size_t order = b->page_order, keys = 0; - struct btree_iter iter; + struct btree_iter_stack iter; int oldsize = bch_count_data(b); - min_heap_init(&iter.heap, NULL, MAX_BSETS); - __bch_btree_iter_init(b, &iter, NULL, &b->set[start]); + __bch_btree_iter_stack_init(b, &iter, NULL, &b->set[start]); if (start) { unsigned int i; @@ -1339,7 +1307,7 @@ void bch_btree_sort_partial(struct btree order = get_order(__set_bytes(b->set->data, keys)); } - __btree_sort(b, &iter, start, order, false, state); + __btree_sort(b, &iter.iter, start, order, false, state); EBUG_ON(oldsize >= 0 && bch_count_data(b) != oldsize); } @@ -1355,13 +1323,11 @@ void bch_btree_sort_into(struct btree_ke struct bset_sort_state *state) { uint64_t start_time = local_clock(); - struct btree_iter iter; - - min_heap_init(&iter.heap, NULL, MAX_BSETS); + struct btree_iter_stack iter; - bch_btree_iter_init(b, &iter, NULL); + bch_btree_iter_stack_init(b, &iter, NULL); - btree_mergesort(b, new->set->data, &iter, false, true); + btree_mergesort(b, new->set->data, &iter.iter, false, true); bch_time_stats_update(&state->time, start_time); --- a/drivers/md/bcache/bset.h~revert-bcache-remove-heap-related-macros-and-switch-to-generic-min_heap +++ a/drivers/md/bcache/bset.h @@ -187,9 +187,8 @@ struct bset_tree { }; struct btree_keys_ops { - bool (*sort_cmp)(const void *l, - const void *r, - void *args); + bool (*sort_cmp)(struct btree_iter_set l, + struct btree_iter_set r); struct bkey *(*sort_fixup)(struct btree_iter *iter, struct bkey *tmp); bool (*insert_fixup)(struct btree_keys *b, @@ -313,17 +312,23 @@ enum { BTREE_INSERT_STATUS_FRONT_MERGE, }; -struct btree_iter_set { - struct bkey *k, *end; -}; - /* Btree key iteration */ struct btree_iter { + size_t size, used; #ifdef CONFIG_BCACHE_DEBUG struct btree_keys *b; #endif - MIN_HEAP_PREALLOCATED(struct btree_iter_set, btree_iter_heap, MAX_BSETS) heap; + struct btree_iter_set { + struct bkey *k, *end; + } data[]; +}; + +/* Fixed-size btree_iter that can be allocated on the stack */ + +struct btree_iter_stack { + struct btree_iter iter; + struct btree_iter_set stack_data[MAX_BSETS]; }; typedef bool (*ptr_filter_fn)(struct btree_keys *b, const struct bkey *k); @@ -335,9 +340,9 @@ struct bkey *bch_btree_iter_next_filter( void bch_btree_iter_push(struct btree_iter *iter, struct bkey *k, struct bkey *end); -struct bkey *bch_btree_iter_init(struct btree_keys *b, - struct btree_iter *iter, - struct bkey *search); +struct bkey *bch_btree_iter_stack_init(struct btree_keys *b, + struct btree_iter_stack *iter, + struct bkey *search); struct bkey *__bch_bset_search(struct btree_keys *b, struct bset_tree *t, const struct bkey *search); @@ -352,13 +357,14 @@ static inline struct bkey *bch_bset_sear return search ? __bch_bset_search(b, t, search) : t->data->start; } -#define for_each_key_filter(b, k, iter, filter) \ - for (bch_btree_iter_init((b), (iter), NULL); \ - ((k) = bch_btree_iter_next_filter((iter), (b), filter));) - -#define for_each_key(b, k, iter) \ - for (bch_btree_iter_init((b), (iter), NULL); \ - ((k) = bch_btree_iter_next(iter));) +#define for_each_key_filter(b, k, stack_iter, filter) \ + for (bch_btree_iter_stack_init((b), (stack_iter), NULL); \ + ((k) = bch_btree_iter_next_filter(&((stack_iter)->iter), (b), \ + filter));) + +#define for_each_key(b, k, stack_iter) \ + for (bch_btree_iter_stack_init((b), (stack_iter), NULL); \ + ((k) = bch_btree_iter_next(&((stack_iter)->iter)));) /* Sorting */ --- a/drivers/md/bcache/btree.c~revert-bcache-remove-heap-related-macros-and-switch-to-generic-min_heap +++ a/drivers/md/bcache/btree.c @@ -148,19 +148,19 @@ void bch_btree_node_read_done(struct btr { const char *err = "bad btree header"; struct bset *i = btree_bset_first(b); - struct btree_iter iter; + struct btree_iter *iter; /* * c->fill_iter can allocate an iterator with more memory space * than static MAX_BSETS. * See the comment arount cache_set->fill_iter. */ - iter.heap.data = mempool_alloc(&b->c->fill_iter, GFP_NOIO); - iter.heap.size = b->c->cache->sb.bucket_size / b->c->cache->sb.block_size; - iter.heap.nr = 0; + iter = mempool_alloc(&b->c->fill_iter, GFP_NOIO); + iter->size = b->c->cache->sb.bucket_size / b->c->cache->sb.block_size; + iter->used = 0; #ifdef CONFIG_BCACHE_DEBUG - iter.b = &b->keys; + iter->b = &b->keys; #endif if (!i->seq) @@ -198,7 +198,7 @@ void bch_btree_node_read_done(struct btr if (i != b->keys.set[0].data && !i->keys) goto err; - bch_btree_iter_push(&iter, i->start, bset_bkey_last(i)); + bch_btree_iter_push(iter, i->start, bset_bkey_last(i)); b->written += set_blocks(i, block_bytes(b->c->cache)); } @@ -210,7 +210,7 @@ void bch_btree_node_read_done(struct btr if (i->seq == b->keys.set[0].data->seq) goto err; - bch_btree_sort_and_fix_extents(&b->keys, &iter, &b->c->sort); + bch_btree_sort_and_fix_extents(&b->keys, iter, &b->c->sort); i = b->keys.set[0].data; err = "short btree key"; @@ -222,7 +222,7 @@ void bch_btree_node_read_done(struct btr bch_bset_init_next(&b->keys, write_block(b), bset_magic(&b->c->cache->sb)); out: - mempool_free(iter.heap.data, &b->c->fill_iter); + mempool_free(iter, &b->c->fill_iter); return; err: set_btree_node_io_error(b); @@ -1306,11 +1306,9 @@ static bool btree_gc_mark_node(struct bt uint8_t stale = 0; unsigned int keys = 0, good_keys = 0; struct bkey *k; - struct btree_iter iter; + struct btree_iter_stack iter; struct bset_tree *t; - min_heap_init(&iter.heap, NULL, MAX_BSETS); - gc->nodes++; for_each_key_filter(&b->keys, k, &iter, bch_ptr_invalid) { @@ -1569,11 +1567,9 @@ static int btree_gc_rewrite_node(struct static unsigned int btree_gc_count_keys(struct btree *b) { struct bkey *k; - struct btree_iter iter; + struct btree_iter_stack iter; unsigned int ret = 0; - min_heap_init(&iter.heap, NULL, MAX_BSETS); - for_each_key_filter(&b->keys, k, &iter, bch_ptr_bad) ret += bkey_u64s(k); @@ -1612,18 +1608,18 @@ static int btree_gc_recurse(struct btree int ret = 0; bool should_rewrite; struct bkey *k; - struct btree_iter iter; + struct btree_iter_stack iter; struct gc_merge_info r[GC_MERGE_NODES]; struct gc_merge_info *i, *last = r + ARRAY_SIZE(r) - 1; - min_heap_init(&iter.heap, NULL, MAX_BSETS); - bch_btree_iter_init(&b->keys, &iter, &b->c->gc_done); + bch_btree_iter_stack_init(&b->keys, &iter, &b->c->gc_done); for (i = r; i < r + ARRAY_SIZE(r); i++) i->b = ERR_PTR(-EINTR); while (1) { - k = bch_btree_iter_next_filter(&iter, &b->keys, bch_ptr_bad); + k = bch_btree_iter_next_filter(&iter.iter, &b->keys, + bch_ptr_bad); if (k) { r->b = bch_btree_node_get(b->c, op, k, b->level - 1, true, b); @@ -1918,9 +1914,7 @@ static int bch_btree_check_recurse(struc { int ret = 0; struct bkey *k, *p = NULL; - struct btree_iter iter; - - min_heap_init(&iter.heap, NULL, MAX_BSETS); + struct btree_iter_stack iter; for_each_key_filter(&b->keys, k, &iter, bch_ptr_invalid) bch_initial_mark_key(b->c, b->level, k); @@ -1928,10 +1922,10 @@ static int bch_btree_check_recurse(struc bch_initial_mark_key(b->c, b->level + 1, &b->key); if (b->level) { - bch_btree_iter_init(&b->keys, &iter, NULL); + bch_btree_iter_stack_init(&b->keys, &iter, NULL); do { - k = bch_btree_iter_next_filter(&iter, &b->keys, + k = bch_btree_iter_next_filter(&iter.iter, &b->keys, bch_ptr_bad); if (k) { btree_node_prefetch(b, k); @@ -1959,7 +1953,7 @@ static int bch_btree_check_thread(void * struct btree_check_info *info = arg; struct btree_check_state *check_state = info->state; struct cache_set *c = check_state->c; - struct btree_iter iter; + struct btree_iter_stack iter; struct bkey *k, *p; int cur_idx, prev_idx, skip_nr; @@ -1967,11 +1961,9 @@ static int bch_btree_check_thread(void * cur_idx = prev_idx = 0; ret = 0; - min_heap_init(&iter.heap, NULL, MAX_BSETS); - /* root node keys are checked before thread created */ - bch_btree_iter_init(&c->root->keys, &iter, NULL); - k = bch_btree_iter_next_filter(&iter, &c->root->keys, bch_ptr_bad); + bch_btree_iter_stack_init(&c->root->keys, &iter, NULL); + k = bch_btree_iter_next_filter(&iter.iter, &c->root->keys, bch_ptr_bad); BUG_ON(!k); p = k; @@ -1989,7 +1981,7 @@ static int bch_btree_check_thread(void * skip_nr = cur_idx - prev_idx; while (skip_nr) { - k = bch_btree_iter_next_filter(&iter, + k = bch_btree_iter_next_filter(&iter.iter, &c->root->keys, bch_ptr_bad); if (k) @@ -2062,11 +2054,9 @@ int bch_btree_check(struct cache_set *c) int ret = 0; int i; struct bkey *k = NULL; - struct btree_iter iter; + struct btree_iter_stack iter; struct btree_check_state check_state; - min_heap_init(&iter.heap, NULL, MAX_BSETS); - /* check and mark root node keys */ for_each_key_filter(&c->root->keys, k, &iter, bch_ptr_invalid) bch_initial_mark_key(c, c->root->level, k); @@ -2560,12 +2550,11 @@ static int bch_btree_map_nodes_recurse(s if (b->level) { struct bkey *k; - struct btree_iter iter; + struct btree_iter_stack iter; - min_heap_init(&iter.heap, NULL, MAX_BSETS); - bch_btree_iter_init(&b->keys, &iter, from); + bch_btree_iter_stack_init(&b->keys, &iter, from); - while ((k = bch_btree_iter_next_filter(&iter, &b->keys, + while ((k = bch_btree_iter_next_filter(&iter.iter, &b->keys, bch_ptr_bad))) { ret = bcache_btree(map_nodes_recurse, k, b, op, from, fn, flags); @@ -2594,12 +2583,12 @@ int bch_btree_map_keys_recurse(struct bt { int ret = MAP_CONTINUE; struct bkey *k; - struct btree_iter iter; + struct btree_iter_stack iter; - min_heap_init(&iter.heap, NULL, MAX_BSETS); - bch_btree_iter_init(&b->keys, &iter, from); + bch_btree_iter_stack_init(&b->keys, &iter, from); - while ((k = bch_btree_iter_next_filter(&iter, &b->keys, bch_ptr_bad))) { + while ((k = bch_btree_iter_next_filter(&iter.iter, &b->keys, + bch_ptr_bad))) { ret = !b->level ? fn(op, b, k) : bcache_btree(map_keys_recurse, k, --- a/drivers/md/bcache/extents.c~revert-bcache-remove-heap-related-macros-and-switch-to-generic-min_heap +++ a/drivers/md/bcache/extents.c @@ -33,16 +33,15 @@ static void sort_key_next(struct btree_i i->k = bkey_next(i->k); if (i->k == i->end) - *i = iter->heap.data[--iter->heap.nr]; + *i = iter->data[--iter->used]; } -static bool new_bch_key_sort_cmp(const void *l, const void *r, void *args) +static bool bch_key_sort_cmp(struct btree_iter_set l, + struct btree_iter_set r) { - struct btree_iter_set *_l = (struct btree_iter_set *)l; - struct btree_iter_set *_r = (struct btree_iter_set *)r; - int64_t c = bkey_cmp(_l->k, _r->k); + int64_t c = bkey_cmp(l.k, r.k); - return !(c ? c > 0 : _l->k < _r->k); + return c ? c > 0 : l.k < r.k; } static bool __ptr_invalid(struct cache_set *c, const struct bkey *k) @@ -239,7 +238,7 @@ static bool bch_btree_ptr_insert_fixup(s } const struct btree_keys_ops bch_btree_keys_ops = { - .sort_cmp = new_bch_key_sort_cmp, + .sort_cmp = bch_key_sort_cmp, .insert_fixup = bch_btree_ptr_insert_fixup, .key_invalid = bch_btree_ptr_invalid, .key_bad = bch_btree_ptr_bad, @@ -256,36 +255,22 @@ const struct btree_keys_ops bch_btree_ke * Necessary for btree_sort_fixup() - if there are multiple keys that compare * equal in different sets, we have to process them newest to oldest. */ - -static bool new_bch_extent_sort_cmp(const void *l, const void *r, void __always_unused *args) -{ - struct btree_iter_set *_l = (struct btree_iter_set *)l; - struct btree_iter_set *_r = (struct btree_iter_set *)r; - int64_t c = bkey_cmp(&START_KEY(_l->k), &START_KEY(_r->k)); - - return !(c ? c > 0 : _l->k < _r->k); -} - -static inline void new_btree_iter_swap(void *iter1, void *iter2, void __always_unused *args) +static bool bch_extent_sort_cmp(struct btree_iter_set l, + struct btree_iter_set r) { - struct btree_iter_set *_iter1 = iter1; - struct btree_iter_set *_iter2 = iter2; + int64_t c = bkey_cmp(&START_KEY(l.k), &START_KEY(r.k)); - swap(*_iter1, *_iter2); + return c ? c > 0 : l.k < r.k; } static struct bkey *bch_extent_sort_fixup(struct btree_iter *iter, struct bkey *tmp) { - const struct min_heap_callbacks callbacks = { - .less = new_bch_extent_sort_cmp, - .swp = new_btree_iter_swap, - }; - while (iter->heap.nr > 1) { - struct btree_iter_set *top = iter->heap.data, *i = top + 1; + while (iter->used > 1) { + struct btree_iter_set *top = iter->data, *i = top + 1; - if (iter->heap.nr > 2 && - !new_bch_extent_sort_cmp(&i[0], &i[1], NULL)) + if (iter->used > 2 && + bch_extent_sort_cmp(i[0], i[1])) i++; if (bkey_cmp(top->k, &START_KEY(i->k)) <= 0) @@ -293,7 +278,7 @@ static struct bkey *bch_extent_sort_fixu if (!KEY_SIZE(i->k)) { sort_key_next(iter, i); - min_heap_sift_down(&iter->heap, i - top, &callbacks, NULL); + heap_sift(iter, i - top, bch_extent_sort_cmp); continue; } @@ -303,7 +288,7 @@ static struct bkey *bch_extent_sort_fixu else bch_cut_front(top->k, i->k); - min_heap_sift_down(&iter->heap, i - top, &callbacks, NULL); + heap_sift(iter, i - top, bch_extent_sort_cmp); } else { /* can't happen because of comparison func */ BUG_ON(!bkey_cmp(&START_KEY(top->k), &START_KEY(i->k))); @@ -313,7 +298,7 @@ static struct bkey *bch_extent_sort_fixu bch_cut_back(&START_KEY(i->k), tmp); bch_cut_front(i->k, top->k); - min_heap_sift_down(&iter->heap, 0, &callbacks, NULL); + heap_sift(iter, 0, bch_extent_sort_cmp); return tmp; } else { @@ -633,7 +618,7 @@ static bool bch_extent_merge(struct btre } const struct btree_keys_ops bch_extent_keys_ops = { - .sort_cmp = new_bch_extent_sort_cmp, + .sort_cmp = bch_extent_sort_cmp, .sort_fixup = bch_extent_sort_fixup, .insert_fixup = bch_extent_insert_fixup, .key_invalid = bch_extent_invalid, --- a/drivers/md/bcache/movinggc.c~revert-bcache-remove-heap-related-macros-and-switch-to-generic-min_heap +++ a/drivers/md/bcache/movinggc.c @@ -182,27 +182,16 @@ err: if (!IS_ERR_OR_NULL(w->private)) closure_sync(&cl); } -static bool new_bucket_cmp(const void *l, const void *r, void __always_unused *args) +static bool bucket_cmp(struct bucket *l, struct bucket *r) { - struct bucket **_l = (struct bucket **)l; - struct bucket **_r = (struct bucket **)r; - - return GC_SECTORS_USED(*_l) >= GC_SECTORS_USED(*_r); -} - -static void new_bucket_swap(void *l, void *r, void __always_unused *args) -{ - struct bucket **_l = l; - struct bucket **_r = r; - - swap(*_l, *_r); + return GC_SECTORS_USED(l) < GC_SECTORS_USED(r); } static unsigned int bucket_heap_top(struct cache *ca) { struct bucket *b; - return (b = min_heap_peek(&ca->heap)[0]) ? GC_SECTORS_USED(b) : 0; + return (b = heap_peek(&ca->heap)) ? GC_SECTORS_USED(b) : 0; } void bch_moving_gc(struct cache_set *c) @@ -210,10 +199,6 @@ void bch_moving_gc(struct cache_set *c) struct cache *ca = c->cache; struct bucket *b; unsigned long sectors_to_move, reserve_sectors; - const struct min_heap_callbacks callbacks = { - .less = new_bucket_cmp, - .swp = new_bucket_swap, - }; if (!c->copy_gc_enabled) return; @@ -224,7 +209,7 @@ void bch_moving_gc(struct cache_set *c) reserve_sectors = ca->sb.bucket_size * fifo_used(&ca->free[RESERVE_MOVINGGC]); - ca->heap.nr = 0; + ca->heap.used = 0; for_each_bucket(b, ca) { if (GC_MARK(b) == GC_MARK_METADATA || @@ -233,31 +218,25 @@ void bch_moving_gc(struct cache_set *c) atomic_read(&b->pin)) continue; - if (!min_heap_full(&ca->heap)) { + if (!heap_full(&ca->heap)) { sectors_to_move += GC_SECTORS_USED(b); - min_heap_push(&ca->heap, &b, &callbacks, NULL); - } else if (!new_bucket_cmp(&b, min_heap_peek(&ca->heap), ca)) { + heap_add(&ca->heap, b, bucket_cmp); + } else if (bucket_cmp(b, heap_peek(&ca->heap))) { sectors_to_move -= bucket_heap_top(ca); sectors_to_move += GC_SECTORS_USED(b); ca->heap.data[0] = b; - min_heap_sift_down(&ca->heap, 0, &callbacks, NULL); + heap_sift(&ca->heap, 0, bucket_cmp); } } while (sectors_to_move > reserve_sectors) { - if (ca->heap.nr) { - b = min_heap_peek(&ca->heap)[0]; - min_heap_pop(&ca->heap, &callbacks, NULL); - } + heap_pop(&ca->heap, b, bucket_cmp); sectors_to_move -= GC_SECTORS_USED(b); } - while (ca->heap.nr) { - b = min_heap_peek(&ca->heap)[0]; - min_heap_pop(&ca->heap, &callbacks, NULL); + while (heap_pop(&ca->heap, b, bucket_cmp)) SET_GC_MOVE(b, 1); - } mutex_unlock(&c->bucket_lock); --- a/drivers/md/bcache/super.c~revert-bcache-remove-heap-related-macros-and-switch-to-generic-min_heap +++ a/drivers/md/bcache/super.c @@ -1912,7 +1912,8 @@ struct cache_set *bch_cache_set_alloc(st INIT_LIST_HEAD(&c->btree_cache_freed); INIT_LIST_HEAD(&c->data_buckets); - iter_size = ((meta_bucket_pages(sb) * PAGE_SECTORS) / sb->block_size) * + iter_size = sizeof(struct btree_iter) + + ((meta_bucket_pages(sb) * PAGE_SECTORS) / sb->block_size) * sizeof(struct btree_iter_set); c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL); --- a/drivers/md/bcache/sysfs.c~revert-bcache-remove-heap-related-macros-and-switch-to-generic-min_heap +++ a/drivers/md/bcache/sysfs.c @@ -660,9 +660,7 @@ static unsigned int bch_root_usage(struc unsigned int bytes = 0; struct bkey *k; struct btree *b; - struct btree_iter iter; - - min_heap_init(&iter.heap, NULL, MAX_BSETS); + struct btree_iter_stack iter; goto lock_root; --- a/drivers/md/bcache/util.h~revert-bcache-remove-heap-related-macros-and-switch-to-generic-min_heap +++ a/drivers/md/bcache/util.h @@ -9,7 +9,6 @@ #include <linux/kernel.h> #include <linux/sched/clock.h> #include <linux/llist.h> -#include <linux/min_heap.h> #include <linux/ratelimit.h> #include <linux/vmalloc.h> #include <linux/workqueue.h> @@ -31,10 +30,16 @@ struct closure; #endif +#define DECLARE_HEAP(type, name) \ + struct { \ + size_t size, used; \ + type *data; \ + } name + #define init_heap(heap, _size, gfp) \ ({ \ size_t _bytes; \ - (heap)->nr = 0; \ + (heap)->used = 0; \ (heap)->size = (_size); \ _bytes = (heap)->size * sizeof(*(heap)->data); \ (heap)->data = kvmalloc(_bytes, (gfp) & GFP_KERNEL); \ @@ -47,6 +52,64 @@ do { \ (heap)->data = NULL; \ } while (0) +#define heap_swap(h, i, j) swap((h)->data[i], (h)->data[j]) + +#define heap_sift(h, i, cmp) \ +do { \ + size_t _r, _j = i; \ + \ + for (; _j * 2 + 1 < (h)->used; _j = _r) { \ + _r = _j * 2 + 1; \ + if (_r + 1 < (h)->used && \ + cmp((h)->data[_r], (h)->data[_r + 1])) \ + _r++; \ + \ + if (cmp((h)->data[_r], (h)->data[_j])) \ + break; \ + heap_swap(h, _r, _j); \ + } \ +} while (0) + +#define heap_sift_down(h, i, cmp) \ +do { \ + while (i) { \ + size_t p = (i - 1) / 2; \ + if (cmp((h)->data[i], (h)->data[p])) \ + break; \ + heap_swap(h, i, p); \ + i = p; \ + } \ +} while (0) + +#define heap_add(h, d, cmp) \ +({ \ + bool _r = !heap_full(h); \ + if (_r) { \ + size_t _i = (h)->used++; \ + (h)->data[_i] = d; \ + \ + heap_sift_down(h, _i, cmp); \ + heap_sift(h, _i, cmp); \ + } \ + _r; \ +}) + +#define heap_pop(h, d, cmp) \ +({ \ + bool _r = (h)->used; \ + if (_r) { \ + (d) = (h)->data[0]; \ + (h)->used--; \ + heap_swap(h, 0, (h)->used); \ + heap_sift(h, 0, cmp); \ + } \ + _r; \ +}) + +#define heap_peek(h) ((h)->used ? (h)->data[0] : NULL) + +#define heap_full(h) ((h)->used == (h)->size) + #define DECLARE_FIFO(type, name) \ struct { \ size_t front, back, size, mask; \ --- a/drivers/md/bcache/writeback.c~revert-bcache-remove-heap-related-macros-and-switch-to-generic-min_heap +++ a/drivers/md/bcache/writeback.c @@ -908,16 +908,15 @@ static int bch_dirty_init_thread(void *a struct dirty_init_thrd_info *info = arg; struct bch_dirty_init_state *state = info->state; struct cache_set *c = state->c; - struct btree_iter iter; + struct btree_iter_stack iter; struct bkey *k, *p; int cur_idx, prev_idx, skip_nr; k = p = NULL; prev_idx = 0; - min_heap_init(&iter.heap, NULL, MAX_BSETS); - bch_btree_iter_init(&c->root->keys, &iter, NULL); - k = bch_btree_iter_next_filter(&iter, &c->root->keys, bch_ptr_bad); + bch_btree_iter_stack_init(&c->root->keys, &iter, NULL); + k = bch_btree_iter_next_filter(&iter.iter, &c->root->keys, bch_ptr_bad); BUG_ON(!k); p = k; @@ -931,7 +930,7 @@ static int bch_dirty_init_thread(void *a skip_nr = cur_idx - prev_idx; while (skip_nr) { - k = bch_btree_iter_next_filter(&iter, + k = bch_btree_iter_next_filter(&iter.iter, &c->root->keys, bch_ptr_bad); if (k) @@ -980,13 +979,11 @@ void bch_sectors_dirty_init(struct bcach int i; struct btree *b = NULL; struct bkey *k = NULL; - struct btree_iter iter; + struct btree_iter_stack iter; struct sectors_dirty_init op; struct cache_set *c = d->c; struct bch_dirty_init_state state; - min_heap_init(&iter.heap, NULL, MAX_BSETS); - retry_lock: b = c->root; rw_lock(0, b, b->level); _ Patches currently in -mm which might be from visitorckw(a)gmail.com are revert-bcache-update-min_heap_callbacks-to-use-default-builtin-swap.patch revert-bcache-remove-heap-related-macros-and-switch-to-generic-min_heap.patch bcache-remove-unnecessary-select-min_heap.patch lib-math-gcd-use-static-key-to-select-implementation-at-runtime.patch riscv-optimize-gcd-code-size-when-config_riscv_isa_zbb-is-disabled.patch riscv-optimize-gcd-performance-on-risc-v-without-zbb-extension.patch

16 hours, 1 minute

1
0
0 0

+ revert-bcache-update-min_heap_callbacks-to-use-default-builtin-swap.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: Revert "bcache: update min_heap_callbacks to use default builtin swap" has been added to the -mm mm-hotfixes-unstable branch. Its filename is revert-bcache-update-min_heap_callbacks-to-use-default-builtin-swap.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Kuan-Wei Chiu <visitorckw(a)gmail.com> Subject: Revert "bcache: update min_heap_callbacks to use default builtin swap" Date: Sun, 15 Jun 2025 04:23:51 +0800 Patch series "bcache: Revert min_heap migration due to performance regression". This patch series reverts the migration of bcache from its original heap implementation to the generic min_heap library. While the original change aimed to simplify the code and improve maintainability, it introduced a severe performance regression in real-world scenarios. As reported by Robert, systems using bcache now suffer from periodic latency spikes, with P100 (max) latency increasing from 600 ms to 2.4 seconds every 5 minutes. This degrades bcache's value as a low-latency caching layer, and leads to frequent timeouts and application stalls in production environments. The primary cause of this regression is the behavior of the generic min_heap implementation's bottom-up sift_down, which performs up to 2 * log2(n) comparisons when many elements are equal. The original top-down variant used by bcache only required O(1) comparisons in such cases. The issue was further exacerbated by commit 92a8b224b833 ("lib/min_heap: introduce non-inline versions of min heap API functions"), which introduced non-inlined versions of the min_heap API, adding function call overhead to a performance-critical hot path. This patch (of 3): This reverts commit 3d8a9a1c35227c3f1b0bd132c9f0a80dbda07b65. Although removing the custom swap function simplified the code, this change is part of a broader migration to the generic min_heap API that introduced significant performance regressions in bcache. As reported by Robert, bcache now suffers from latency spikes, with P100 (max) latency increasing from 600 ms to 2.4 seconds every 5 minutes. These regressions degrade bcache's effectiveness as a low-latency cache layer and lead to frequent timeouts and application stalls in production environments. This revert is part of a series of changes to restore previous performance by undoing the min_heap transition. Link: https://lkml.kernel.org/r/20250614202353.1632957-1-visitorckw@gmail.com Link: https://lore.kernel.org/lkml/CAJhEC05+0S69z+3+FB2Cd0hD+pCRyWTKLEOsc8BOmH73p… Link: https://lkml.kernel.org/r/20250614202353.1632957-2-visitorckw@gmail.com Fixes: 866898efbb25 ("bcache: remove heap-related macros and switch to generic min_heap") Fixes: 92a8b224b833 ("lib/min_heap: introduce non-inline versions of min heap API functions") Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com> Reported-by: Robert Pang <robertpang(a)google.com> Closes: https://lore.kernel.org/linux-bcache/CAJhEC06F_AtrPgw2-7CvCqZgeStgCtitbD-ry… Acked-by: Coly Li <colyli(a)kernel.org> Cc: Ching-Chun (Jim) Huang <jserv(a)ccns.ncku.edu.tw> Cc: Kent Overstreet <kent.overstreet(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/md/bcache/alloc.c | 11 +++++++++-- drivers/md/bcache/bset.c | 14 +++++++++++--- drivers/md/bcache/extents.c | 10 +++++++++- drivers/md/bcache/movinggc.c | 10 +++++++++- 4 files changed, 38 insertions(+), 7 deletions(-) --- a/drivers/md/bcache/alloc.c~revert-bcache-update-min_heap_callbacks-to-use-default-builtin-swap +++ a/drivers/md/bcache/alloc.c @@ -189,16 +189,23 @@ static inline bool new_bucket_min_cmp(co return new_bucket_prio(ca, *lhs) < new_bucket_prio(ca, *rhs); } +static inline void new_bucket_swap(void *l, void *r, void __always_unused *args) +{ + struct bucket **lhs = l, **rhs = r; + + swap(*lhs, *rhs); +} + static void invalidate_buckets_lru(struct cache *ca) { struct bucket *b; const struct min_heap_callbacks bucket_max_cmp_callback = { .less = new_bucket_max_cmp, - .swp = NULL, + .swp = new_bucket_swap, }; const struct min_heap_callbacks bucket_min_cmp_callback = { .less = new_bucket_min_cmp, - .swp = NULL, + .swp = new_bucket_swap, }; ca->heap.nr = 0; --- a/drivers/md/bcache/bset.c~revert-bcache-update-min_heap_callbacks-to-use-default-builtin-swap +++ a/drivers/md/bcache/bset.c @@ -1093,6 +1093,14 @@ static inline bool new_btree_iter_cmp(co return bkey_cmp(_l->k, _r->k) <= 0; } +static inline void new_btree_iter_swap(void *iter1, void *iter2, void __always_unused *args) +{ + struct btree_iter_set *_iter1 = iter1; + struct btree_iter_set *_iter2 = iter2; + + swap(*_iter1, *_iter2); +} + static inline bool btree_iter_end(struct btree_iter *iter) { return !iter->heap.nr; @@ -1103,7 +1111,7 @@ void bch_btree_iter_push(struct btree_it { const struct min_heap_callbacks callbacks = { .less = new_btree_iter_cmp, - .swp = NULL, + .swp = new_btree_iter_swap, }; if (k != end) @@ -1149,7 +1157,7 @@ static inline struct bkey *__bch_btree_i struct bkey *ret = NULL; const struct min_heap_callbacks callbacks = { .less = cmp, - .swp = NULL, + .swp = new_btree_iter_swap, }; if (!btree_iter_end(iter)) { @@ -1223,7 +1231,7 @@ static void btree_mergesort(struct btree : bch_ptr_invalid; const struct min_heap_callbacks callbacks = { .less = b->ops->sort_cmp, - .swp = NULL, + .swp = new_btree_iter_swap, }; /* Heapify the iterator, using our comparison function */ --- a/drivers/md/bcache/extents.c~revert-bcache-update-min_heap_callbacks-to-use-default-builtin-swap +++ a/drivers/md/bcache/extents.c @@ -266,12 +266,20 @@ static bool new_bch_extent_sort_cmp(cons return !(c ? c > 0 : _l->k < _r->k); } +static inline void new_btree_iter_swap(void *iter1, void *iter2, void __always_unused *args) +{ + struct btree_iter_set *_iter1 = iter1; + struct btree_iter_set *_iter2 = iter2; + + swap(*_iter1, *_iter2); +} + static struct bkey *bch_extent_sort_fixup(struct btree_iter *iter, struct bkey *tmp) { const struct min_heap_callbacks callbacks = { .less = new_bch_extent_sort_cmp, - .swp = NULL, + .swp = new_btree_iter_swap, }; while (iter->heap.nr > 1) { struct btree_iter_set *top = iter->heap.data, *i = top + 1; --- a/drivers/md/bcache/movinggc.c~revert-bcache-update-min_heap_callbacks-to-use-default-builtin-swap +++ a/drivers/md/bcache/movinggc.c @@ -190,6 +190,14 @@ static bool new_bucket_cmp(const void *l return GC_SECTORS_USED(*_l) >= GC_SECTORS_USED(*_r); } +static void new_bucket_swap(void *l, void *r, void __always_unused *args) +{ + struct bucket **_l = l; + struct bucket **_r = r; + + swap(*_l, *_r); +} + static unsigned int bucket_heap_top(struct cache *ca) { struct bucket *b; @@ -204,7 +212,7 @@ void bch_moving_gc(struct cache_set *c) unsigned long sectors_to_move, reserve_sectors; const struct min_heap_callbacks callbacks = { .less = new_bucket_cmp, - .swp = NULL, + .swp = new_bucket_swap, }; if (!c->copy_gc_enabled) _ Patches currently in -mm which might be from visitorckw(a)gmail.com are revert-bcache-update-min_heap_callbacks-to-use-default-builtin-swap.patch revert-bcache-remove-heap-related-macros-and-switch-to-generic-min_heap.patch bcache-remove-unnecessary-select-min_heap.patch lib-math-gcd-use-static-key-to-select-implementation-at-runtime.patch riscv-optimize-gcd-code-size-when-config_riscv_isa_zbb-is-disabled.patch riscv-optimize-gcd-performance-on-risc-v-without-zbb-extension.patch

16 hours, 1 minute

1
0
0 0

[stable 6.12+] x86/pkeys: Simplify PKRU update in signal frame

by Ben Hutchings

Hi stable maintainers, Please apply commit d1e420772cd1 ("x86/pkeys: Simplify PKRU update in signal frame") to the stable branches for 6.12 and later. This fixes a regression introduced in 6.13 by commit ae6012d72fa6 ("x86/pkeys: Ensure updated PKRU value is XRSTOR'd"), which was also backported in 6.12.5. Ben. -- Ben Hutchings 73.46% of all statistics are made up.

19 hours, 3 minutes

1
0
0 0

[PATCH 2/2] dmaengine: qcom_hidma: fix handoff FIFO memory leak on driver removal

by Qasim Ijaz

hidma_ll_init() allocates a handoff FIFO, but the matching hidma_ll_uninit() function (which is invoked in remove()) never releases it, leaking memory. To fix this call kfifo_free in hidma_ll_uninit(). Fixes: d1615ca2e085 ("dmaengine: qcom_hidma: implement lower level hardware interface") Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- drivers/dma/qcom/hidma_ll.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/dma/qcom/hidma_ll.c b/drivers/dma/qcom/hidma_ll.c index fee448499777..0c2bae46746c 100644 --- a/drivers/dma/qcom/hidma_ll.c +++ b/drivers/dma/qcom/hidma_ll.c @@ -816,6 +816,7 @@ int hidma_ll_uninit(struct hidma_lldev *lldev) required_bytes = sizeof(struct hidma_tre) * lldev->nr_tres; tasklet_kill(&lldev->task); + kfifo_free(&lldev->handoff_fifo); memset(lldev->trepool, 0, required_bytes); lldev->trepool = NULL; atomic_set(&lldev->pending_tre_count, 0); -- 2.39.5

19 hours, 13 minutes

3
3
0 0

[PATCH] kallsyms: fix build without execinfo

by Achill Gilgenast

Signed-off-by: Achill Gilgenast <fossdd(a)pwned.life> Cc: stable(a)vger.kernel.org --- tools/include/linux/kallsyms.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/include/linux/kallsyms.h b/tools/include/linux/kallsyms.h index 5a37ccbec54f..f61a01dd7eb7 100644 --- a/tools/include/linux/kallsyms.h +++ b/tools/include/linux/kallsyms.h @@ -18,6 +18,7 @@ static inline const char *kallsyms_lookup(unsigned long addr, return NULL; } +#ifdef HAVE_BACKTRACE_SUPPORT #include <execinfo.h> #include <stdlib.h> static inline void print_ip_sym(const char *loglvl, unsigned long ip) @@ -30,5 +31,8 @@ static inline void print_ip_sym(const char *loglvl, unsigned long ip) free(name); } +#else +static inline void print_ip_sym(const char *loglvl, unsigned long ip) {} +#endif #endif -- 2.49.0

19 hours, 22 minutes

3
2
0 0

[PATCH v2] kallsyms: fix build without execinfo

by Achill Gilgenast

Some libc's like musl libc don't provide execinfo.h since it's not part of POSIX. In order to fix compilation on musl, only include execinfo.h if available (HAVE_BACKTRACE_SUPPORT) This was discovered with c104c16073b7 ("Kunit to check the longest symbol length") which starts to include linux/kallsyms.h with Alpine Linux' configs. Signed-off-by: Achill Gilgenast <fossdd(a)pwned.life> Cc: stable(a)vger.kernel.org --- tools/include/linux/kallsyms.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/include/linux/kallsyms.h b/tools/include/linux/kallsyms.h index 5a37ccbec54f..f61a01dd7eb7 100644 --- a/tools/include/linux/kallsyms.h +++ b/tools/include/linux/kallsyms.h @@ -18,6 +18,7 @@ static inline const char *kallsyms_lookup(unsigned long addr, return NULL; } +#ifdef HAVE_BACKTRACE_SUPPORT #include <execinfo.h> #include <stdlib.h> static inline void print_ip_sym(const char *loglvl, unsigned long ip) @@ -30,5 +31,8 @@ static inline void print_ip_sym(const char *loglvl, unsigned long ip) free(name); } +#else +static inline void print_ip_sym(const char *loglvl, unsigned long ip) {} +#endif #endif -- 2.50.0.rc2

19 hours, 30 minutes

1
0
0 0

[PATCH 5.10.y 0/5] Backport few sfq fixes

by Harshit Mogalapalli

commit: 10685681bafc ("net_sched: sch_sfq: don't allow 1 packet limit") fixes CVE-2024-57996 and commit: b3bf8f63e617 ("net_sched: sch_sfq: move the limit validation") fixes CVE-2025-37752. Patches 3 and 5 are CVE fixes for above mentioned CVEs. Patch 1,2 and 4 are pulled in as stable-deps. Testing performed on the patched 5.10.238 kernel with the above 5 patches: (Used latest upstream kselftests for tc-testing) # uname -a Linux hamogala-vm-6 5.10.238+ #2 SMP Sun Jun 15 17:27:54 GMT 2025 x86_64 x86_64 x86_64 GNU/Linux # ./tdc.py -f tc-tests/qdiscs/sfq.json -- ns/SubPlugin.__init__ Test 7482: Create SFQ with default setting Test c186: Create SFQ with limit setting Test ae23: Create SFQ with perturb setting Test a430: Create SFQ with quantum setting Test 4539: Create SFQ with divisor setting Test b089: Create SFQ with flows setting Test 99a0: Create SFQ with depth setting Test 7389: Create SFQ with headdrop setting Test 6472: Create SFQ with redflowlimit setting Test 8929: Show SFQ class Test 4d6f: Check that limit of 1 is rejected Test 7f8f: Check that a derived limit of 1 is rejected (limit 2 depth 1 flows 1) Test 5168: Check that a derived limit of 1 is rejected (limit 2 depth 1 divisor 1) All test results: 1..13 ok 1 7482 - Create SFQ with default setting ok 2 c186 - Create SFQ with limit setting ok 3 ae23 - Create SFQ with perturb setting ok 4 a430 - Create SFQ with quantum setting ok 5 4539 - Create SFQ with divisor setting ok 6 b089 - Create SFQ with flows setting ok 7 99a0 - Create SFQ with depth setting ok 8 7389 - Create SFQ with headdrop setting ok 9 6472 - Create SFQ with redflowlimit setting ok 10 8929 - Show SFQ class ok 11 4d6f - Check that limit of 1 is rejected ok 12 7f8f - Check that a derived limit of 1 is rejected (limit 2 depth 1 flows 1) ok 13 5168 - Check that a derived limit of 1 is rejected (limit 2 depth 1 divisor 1) Thanks, Harshit Eric Dumazet (2): net_sched: sch_sfq: annotate data-races around q->perturb_period net_sched: sch_sfq: handle bigger packets Octavian Purdila (3): net_sched: sch_sfq: don't allow 1 packet limit net_sched: sch_sfq: use a temporary work area for validating configuration net_sched: sch_sfq: move the limit validation net/sched/sch_sfq.c | 112 ++++++++++++++++++++++++++++---------------- 1 file changed, 71 insertions(+), 41 deletions(-) -- 2.47.1

20 hours, 37 minutes

1
5
0 0

[PATCH 1/1] phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode

by Wayne Chang

When transitioning from USB_ROLE_DEVICE to USB_ROLE_NONE, the code assumed that the regulator should be disabled. However, if the regulator is marked as always-on, regulator_is_enabled() continues to return true, leading to an incorrect attempt to disable a regulator which is not enabled. This can result in warnings such as: [ 250.155624] WARNING: CPU: 1 PID: 7326 at drivers/regulator/core.c:3004 _regulator_disable+0xe4/0x1a0 [ 250.155652] unbalanced disables for VIN_SYS_5V0 To fix this, we move the regulator control logic into tegra186_xusb_padctl_id_override() function since it's directly related to the ID override state. The regulator is now only disabled when the role transitions from USB_ROLE_HOST to USB_ROLE_NONE, by checking the VBUS_ID register. This ensures that regulator enable/disable operations are properly balanced and only occur when actually transitioning to/from host mode. Fixes: 49d46e3c7e59 ("phy: tegra: xusb: Add set_mode support for UTMI phy on Tegra186") Cc: stable(a)vger.kernel.org Signed-off-by: Wayne Chang <waynec(a)nvidia.com> --- drivers/phy/tegra/xusb-tegra186.c | 59 +++++++++++++++++++------------ 1 file changed, 37 insertions(+), 22 deletions(-) diff --git a/drivers/phy/tegra/xusb-tegra186.c b/drivers/phy/tegra/xusb-tegra186.c index fae6242aa730..1b35d50821f7 100644 --- a/drivers/phy/tegra/xusb-tegra186.c +++ b/drivers/phy/tegra/xusb-tegra186.c @@ -774,13 +774,15 @@ static int tegra186_xusb_padctl_vbus_override(struct tegra_xusb_padctl *padctl, } static int tegra186_xusb_padctl_id_override(struct tegra_xusb_padctl *padctl, - bool status) + struct tegra_xusb_usb2_port *port, bool status) { - u32 value; + u32 value, id_override; + int err = 0; dev_dbg(padctl->dev, "%s id override\n", status ? "set" : "clear"); value = padctl_readl(padctl, USB2_VBUS_ID); + id_override = value & ID_OVERRIDE(~0); if (status) { if (value & VBUS_OVERRIDE) { @@ -791,15 +793,35 @@ static int tegra186_xusb_padctl_id_override(struct tegra_xusb_padctl *padctl, value = padctl_readl(padctl, USB2_VBUS_ID); } - value &= ~ID_OVERRIDE(~0); - value |= ID_OVERRIDE_GROUNDED; + if (id_override != ID_OVERRIDE_GROUNDED) { + value &= ~ID_OVERRIDE(~0); + value |= ID_OVERRIDE_GROUNDED; + padctl_writel(padctl, value, USB2_VBUS_ID); + + err = regulator_enable(port->supply); + if (err) { + dev_err(padctl->dev, "Failed to enable regulator: %d\n", err); + return err; + } + } } else { - value &= ~ID_OVERRIDE(~0); - value |= ID_OVERRIDE_FLOATING; + if (id_override == ID_OVERRIDE_GROUNDED) { + /* + * The regulator is disabled only when the role transitions + * from USB_ROLE_HOST to USB_ROLE_NONE. + */ + err = regulator_disable(port->supply); + if (err) { + dev_err(padctl->dev, "Failed to disable regulator: %d\n", err); + return err; + } + + value &= ~ID_OVERRIDE(~0); + value |= ID_OVERRIDE_FLOATING; + padctl_writel(padctl, value, USB2_VBUS_ID); + } } - padctl_writel(padctl, value, USB2_VBUS_ID); - return 0; } @@ -818,27 +840,20 @@ static int tegra186_utmi_phy_set_mode(struct phy *phy, enum phy_mode mode, if (mode == PHY_MODE_USB_OTG) { if (submode == USB_ROLE_HOST) { - tegra186_xusb_padctl_id_override(padctl, true); - - err = regulator_enable(port->supply); + err = tegra186_xusb_padctl_id_override(padctl, port, true); + if (err) + goto out; } else if (submode == USB_ROLE_DEVICE) { tegra186_xusb_padctl_vbus_override(padctl, true); } else if (submode == USB_ROLE_NONE) { - /* - * When port is peripheral only or role transitions to - * USB_ROLE_NONE from USB_ROLE_DEVICE, regulator is not - * enabled. - */ - if (regulator_is_enabled(port->supply)) - regulator_disable(port->supply); - - tegra186_xusb_padctl_id_override(padctl, false); + err = tegra186_xusb_padctl_id_override(padctl, port, false); + if (err) + goto out; tegra186_xusb_padctl_vbus_override(padctl, false); } } - +out: mutex_unlock(&padctl->lock); - return err; } -- 2.25.1

21 hours, 37 minutes

3
3
0 0

[PATCH] i2c: qup: jump out of the loop in case of timeout

by Yang Xiwen via B4 Relay

From: Yang Xiwen <forbidden405(a)outlook.com> Original logic only sets the return value but doesn't jump out of the loop if the bus is kept active by a client. This is not expected. A malicious or buggy i2c client can hang the kernel in this case and should be avoided. This is observed during a long time test with a PCA953x GPIO extender. Fix it by changing the logic to not only sets the return value, but also jumps out of the loop and return to the caller with -ETIMEDOUT. Cc: stable(a)vger.kernel.org Signed-off-by: Yang Xiwen <forbidden405(a)outlook.com> --- drivers/i2c/busses/i2c-qup.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/i2c/busses/i2c-qup.c b/drivers/i2c/busses/i2c-qup.c index 3a36d682ed57..5b053e51f4c9 100644 --- a/drivers/i2c/busses/i2c-qup.c +++ b/drivers/i2c/busses/i2c-qup.c @@ -452,8 +452,10 @@ static int qup_i2c_bus_active(struct qup_i2c_dev *qup, int len) if (!(status & I2C_STATUS_BUS_ACTIVE)) break; - if (time_after(jiffies, timeout)) + if (time_after(jiffies, timeout)) { ret = -ETIMEDOUT; + break; + } usleep_range(len, len * 2); } --- base-commit: 19272b37aa4f83ca52bdf9c16d5d81bdd1354494 change-id: 20250615-qca-i2c-d41bb61aa59e Best regards, -- Yang Xiwen <forbidden405(a)outlook.com>

22 hours, 27 minutes

1
0
0 0

stable patch 42fac18 missing from linux-6.6

by Alex Lyakas

Greetings, The following patch [1]: "42fac18 btrfs: check delayed refs when we're checking if a ref exists" has been marked as "CC: stable(a)vger.kernel.org # 5.4+" but I do not see that it has been backported to linux-6.6.y branch. Can this patch be picked up in the next version of linux-6.6 please? Thanks, Alex. [1] commit 42fac187b5c746227c92d024f1caf33bc1d337e4 Author: Josef Bacik <josef(a)toxicpanda.com> Date: Thu Apr 11 16:41:20 2024 -0400 btrfs: check delayed refs when we're checking if a ref exists In the patch 78c52d9eb6b7 ("btrfs: check for refs on snapshot delete resume") I added some code to handle file systems that had been corrupted by a bug that incorrectly skipped updating the drop progress key while dropping a snapshot. This code would check to see if we had already deleted our reference for a child block, and skip the deletion if we had already. ... Fixes: 78c52d9eb6b7 ("btrfs: check for refs on snapshot delete resume") CC: stable(a)vger.kernel.org # 5.4+ Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Josef Bacik <josef(a)toxicpanda.com> Signed-off-by: David Sterba <dsterba(a)suse.com>

22 hours, 52 minutes

1
0
0 0

[PATCH 5.15.y 0/5] Backport few sfq fixes

by Harshit Mogalapalli

commit: 10685681bafc ("net_sched: sch_sfq: don't allow 1 packet limit") fixes CVE-2024-57996 and commit: b3bf8f63e617 ("net_sched: sch_sfq: move the limit validation") fixes CVE-2025-37752. Patches 3 and 5 are CVE fixes for above mentioned CVEs. Patch 1,2 and 4 are pulled in as stable-deps. Testeing performed on the patches 5.15.185 kernel with the above 5 patches: (Used latest upstream kselftests for tc-testing) # ./tdc.py -f tc-tests/qdiscs/sfq.json -- ns/SubPlugin.__init__ Test 7482: Create SFQ with default setting Test c186: Create SFQ with limit setting Test ae23: Create SFQ with perturb setting Test a430: Create SFQ with quantum setting Test 4539: Create SFQ with divisor setting Test b089: Create SFQ with flows setting Test 99a0: Create SFQ with depth setting Test 7389: Create SFQ with headdrop setting Test 6472: Create SFQ with redflowlimit setting Test 8929: Show SFQ class Test 4d6f: Check that limit of 1 is rejected Test 7f8f: Check that a derived limit of 1 is rejected (limit 2 depth 1 flows 1) Test 5168: Check that a derived limit of 1 is rejected (limit 2 depth 1 divisor 1) All test results: 1..13 ok 1 7482 - Create SFQ with default setting ok 2 c186 - Create SFQ with limit setting ok 3 ae23 - Create SFQ with perturb setting ok 4 a430 - Create SFQ with quantum setting ok 5 4539 - Create SFQ with divisor setting ok 6 b089 - Create SFQ with flows setting ok 7 99a0 - Create SFQ with depth setting ok 8 7389 - Create SFQ with headdrop setting ok 9 6472 - Create SFQ with redflowlimit setting ok 10 8929 - Show SFQ class ok 11 4d6f - Check that limit of 1 is rejected ok 12 7f8f - Check that a derived limit of 1 is rejected (limit 2 depth 1 flows 1) ok 13 5168 - Check that a derived limit of 1 is rejected (limit 2 depth 1 divisor 1) # uname -a Linux hamogala-vm-6 5.15.185+ #1 SMP Fri Jun 13 18:34:53 GMT 2025 x86_64 x86_64 x86_64 GNU/Linux I will try to send similar backports to kernels older than 5.15.y as well. Thanks, Harshit Eric Dumazet (2): net_sched: sch_sfq: annotate data-races around q->perturb_period net_sched: sch_sfq: handle bigger packets Octavian Purdila (3): net_sched: sch_sfq: don't allow 1 packet limit net_sched: sch_sfq: use a temporary work area for validating configuration net_sched: sch_sfq: move the limit validation net/sched/sch_sfq.c | 112 ++++++++++++++++++++++++++++---------------- 1 file changed, 71 insertions(+), 41 deletions(-) -- 2.47.1

23 hours, 4 minutes

1
5
0 0

Re: Patch "Bluetooth: MGMT: Remove unused mgmt_pending_find_data" has been added to the 6.12-stable tree

by Dr. David Alan Gilbert

* Sasha Levin (sashal(a)kernel.org) wrote: > This is a note to let you know that I've just added the patch titled > > Bluetooth: MGMT: Remove unused mgmt_pending_find_data > > to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > bluetooth-mgmt-remove-unused-mgmt_pending_find_data.patch > and it can be found in the queue-6.12 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. It's a cleanup only, so I wouldn't backport it unless it makes backporting a useful patch easier. Dave > > > commit 17d285fbdeb9dabee6c6c348a528ac81ca65a6da > Author: Dr. David Alan Gilbert <linux(a)treblig.org> > Date: Mon Jan 27 21:37:15 2025 +0000 > > Bluetooth: MGMT: Remove unused mgmt_pending_find_data > > [ Upstream commit 276af34d82f13bda0b2a4d9786c90b8bbf1cd064 ] > > mgmt_pending_find_data() last use was removed in 2021 by > commit 5a7501374664 ("Bluetooth: hci_sync: Convert MGMT_OP_GET_CLOCK_INFO") > > Remove it. > > Signed-off-by: Dr. David Alan Gilbert <linux(a)treblig.org> > Reviewed-by: Simon Horman <horms(a)kernel.org> > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> > Stable-dep-of: 6fe26f694c82 ("Bluetooth: MGMT: Protect mgmt_pending list with its own lock") > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c > index 67db32a60c6a9..3713ff490c65d 100644 > --- a/net/bluetooth/mgmt_util.c > +++ b/net/bluetooth/mgmt_util.c > @@ -229,23 +229,6 @@ struct mgmt_pending_cmd *mgmt_pending_find(unsigned short channel, u16 opcode, > return NULL; > } > > -struct mgmt_pending_cmd *mgmt_pending_find_data(unsigned short channel, > - u16 opcode, > - struct hci_dev *hdev, > - const void *data) > -{ > - struct mgmt_pending_cmd *cmd; > - > - list_for_each_entry(cmd, &hdev->mgmt_pending, list) { > - if (cmd->user_data != data) > - continue; > - if (cmd->opcode == opcode) > - return cmd; > - } > - > - return NULL; > -} > - > void mgmt_pending_foreach(u16 opcode, struct hci_dev *hdev, > void (*cb)(struct mgmt_pending_cmd *cmd, void *data), > void *data) > diff --git a/net/bluetooth/mgmt_util.h b/net/bluetooth/mgmt_util.h > index bdf978605d5a8..f2ba994ab1d84 100644 > --- a/net/bluetooth/mgmt_util.h > +++ b/net/bluetooth/mgmt_util.h > @@ -54,10 +54,6 @@ int mgmt_cmd_complete(struct sock *sk, u16 index, u16 cmd, u8 status, > > struct mgmt_pending_cmd *mgmt_pending_find(unsigned short channel, u16 opcode, > struct hci_dev *hdev); > -struct mgmt_pending_cmd *mgmt_pending_find_data(unsigned short channel, > - u16 opcode, > - struct hci_dev *hdev, > - const void *data); > void mgmt_pending_foreach(u16 opcode, struct hci_dev *hdev, > void (*cb)(struct mgmt_pending_cmd *cmd, void *data), > void *data); -- -----Open up your eyes, open up your mind, open up your code ------- / Dr. David Alan Gilbert | Running GNU/Linux | Happy \ \ dave @ treblig.org | | In Hex / \ _________________________|_____ http://www.treblig.org |_______/

23 hours, 53 minutes

2
2
0 0

Re: Patch "Bluetooth: MGMT: Remove unused mgmt_pending_find_data" has been added to the 6.6-stable tree

by Dr. David Alan Gilbert

* Sasha Levin (sashal(a)kernel.org) wrote: > This is a note to let you know that I've just added the patch titled > > Bluetooth: MGMT: Remove unused mgmt_pending_find_data > > to the 6.6-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > bluetooth-mgmt-remove-unused-mgmt_pending_find_data.patch > and it can be found in the queue-6.6 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. <rewinds, copies same message I did for 6.12 - please take this to mean all of them> It's a cleanup only, so I wouldn't backport it unless it makes backporting a useful patch easier. Dave > > > > commit af31788b431f56d9b304d32701f1f9143aae8f95 > Author: Dr. David Alan Gilbert <linux(a)treblig.org> > Date: Mon Jan 27 21:37:15 2025 +0000 > > Bluetooth: MGMT: Remove unused mgmt_pending_find_data > > [ Upstream commit 276af34d82f13bda0b2a4d9786c90b8bbf1cd064 ] > > mgmt_pending_find_data() last use was removed in 2021 by > commit 5a7501374664 ("Bluetooth: hci_sync: Convert MGMT_OP_GET_CLOCK_INFO") > > Remove it. > > Signed-off-by: Dr. David Alan Gilbert <linux(a)treblig.org> > Reviewed-by: Simon Horman <horms(a)kernel.org> > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> > Stable-dep-of: 6fe26f694c82 ("Bluetooth: MGMT: Protect mgmt_pending list with its own lock") > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c > index 17e32605d9b00..dba6a0d66500f 100644 > --- a/net/bluetooth/mgmt_util.c > +++ b/net/bluetooth/mgmt_util.c > @@ -229,23 +229,6 @@ struct mgmt_pending_cmd *mgmt_pending_find(unsigned short channel, u16 opcode, > return NULL; > } > > -struct mgmt_pending_cmd *mgmt_pending_find_data(unsigned short channel, > - u16 opcode, > - struct hci_dev *hdev, > - const void *data) > -{ > - struct mgmt_pending_cmd *cmd; > - > - list_for_each_entry(cmd, &hdev->mgmt_pending, list) { > - if (cmd->user_data != data) > - continue; > - if (cmd->opcode == opcode) > - return cmd; > - } > - > - return NULL; > -} > - > void mgmt_pending_foreach(u16 opcode, struct hci_dev *hdev, > void (*cb)(struct mgmt_pending_cmd *cmd, void *data), > void *data) > diff --git a/net/bluetooth/mgmt_util.h b/net/bluetooth/mgmt_util.h > index bdf978605d5a8..f2ba994ab1d84 100644 > --- a/net/bluetooth/mgmt_util.h > +++ b/net/bluetooth/mgmt_util.h > @@ -54,10 +54,6 @@ int mgmt_cmd_complete(struct sock *sk, u16 index, u16 cmd, u8 status, > > struct mgmt_pending_cmd *mgmt_pending_find(unsigned short channel, u16 opcode, > struct hci_dev *hdev); > -struct mgmt_pending_cmd *mgmt_pending_find_data(unsigned short channel, > - u16 opcode, > - struct hci_dev *hdev, > - const void *data); > void mgmt_pending_foreach(u16 opcode, struct hci_dev *hdev, > void (*cb)(struct mgmt_pending_cmd *cmd, void *data), > void *data); -- -----Open up your eyes, open up your mind, open up your code ------- / Dr. David Alan Gilbert | Running GNU/Linux | Happy \ \ dave @ treblig.org | | In Hex / \ _________________________|_____ http://www.treblig.org |_______/

1 day, 1 hour

1
0
0 0

[PATCH v2 3/3] bcache: Remove unnecessary select MIN_HEAP

by Kuan-Wei Chiu

After reverting the transition to the generic min heap library, bcache no longer depends on MIN_HEAP. The select entry can be removed to reduce code size and shrink the kernel's attack surface. This change effectively reverts the bcache-related part of commit 92a8b224b833 ("lib/min_heap: introduce non-inline versions of min heap API functions"). This is part of a series of changes to address a performance regression caused by the use of the generic min_heap implementation. As reported by Robert, bcache now suffers from latency spikes, with P100 (max) latency increasing from 600 ms to 2.4 seconds every 5 minutes. These regressions degrade bcache's effectiveness as a low-latency cache layer and lead to frequent timeouts and application stalls in production environments. Link: https://lore.kernel.org/lkml/CAJhEC05+0S69z+3+FB2Cd0hD+pCRyWTKLEOsc8BOmH73p… Fixes: 866898efbb25 ("bcache: remove heap-related macros and switch to generic min_heap") Fixes: 92a8b224b833 ("lib/min_heap: introduce non-inline versions of min heap API functions") Reported-by: Robert Pang <robertpang(a)google.com> Closes: https://lore.kernel.org/linux-bcache/CAJhEC06F_AtrPgw2-7CvCqZgeStgCtitbD-ry… Cc: stable(a)vger.kernel.org Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com> --- drivers/md/bcache/Kconfig | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/md/bcache/Kconfig b/drivers/md/bcache/Kconfig index d4697e79d5a3..b2d10063d35f 100644 --- a/drivers/md/bcache/Kconfig +++ b/drivers/md/bcache/Kconfig @@ -5,7 +5,6 @@ config BCACHE select BLOCK_HOLDER_DEPRECATED if SYSFS select CRC64 select CLOSURES - select MIN_HEAP help Allows a block device to be used as cache for other devices; uses a btree for indexing and the layout is optimized for SSDs. -- 2.34.1

1 day, 8 hours

2
1
0 0

[PATCH v2 2/3] Revert "bcache: remove heap-related macros and switch to generic min_heap"

by Kuan-Wei Chiu

This reverts commit 866898efbb25bb44fd42848318e46db9e785973a. The generic bottom-up min_heap implementation causes performance regression in invalidate_buckets_lru(), a hot path in bcache. Before the cache is fully populated, new_bucket_prio() often returns zero, leading to many equal comparisons. In such cases, bottom-up sift_down performs up to 2 * log2(n) comparisons, while the original top-down approach completes with just O() comparisons, resulting in a measurable performance gap. The performance degradation is further worsened by the non-inlined min_heap API functions introduced in commit 92a8b224b833 ("lib/min_heap: introduce non-inline versions of min heap API functions"), adding function call overhead to this critical path. As reported by Robert, bcache now suffers from latency spikes, with P100 (max) latency increasing from 600 ms to 2.4 seconds every 5 minutes. These regressions degrade bcache's effectiveness as a low-latency cache layer and lead to frequent timeouts and application stalls in production environments. This revert aims to restore bcache's original low-latency behavior. Link: https://lore.kernel.org/lkml/CAJhEC05+0S69z+3+FB2Cd0hD+pCRyWTKLEOsc8BOmH73p… Fixes: 866898efbb25 ("bcache: remove heap-related macros and switch to generic min_heap") Fixes: 92a8b224b833 ("lib/min_heap: introduce non-inline versions of min heap API functions") Reported-by: Robert Pang <robertpang(a)google.com> Closes: https://lore.kernel.org/linux-bcache/CAJhEC06F_AtrPgw2-7CvCqZgeStgCtitbD-ry… Cc: stable(a)vger.kernel.org Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com> --- drivers/md/bcache/alloc.c | 64 +++++------------- drivers/md/bcache/bcache.h | 2 +- drivers/md/bcache/bset.c | 124 ++++++++++++---------------------- drivers/md/bcache/bset.h | 40 ++++++----- drivers/md/bcache/btree.c | 69 ++++++++----------- drivers/md/bcache/extents.c | 53 ++++++--------- drivers/md/bcache/movinggc.c | 41 +++-------- drivers/md/bcache/super.c | 3 +- drivers/md/bcache/sysfs.c | 4 +- drivers/md/bcache/util.h | 67 +++++++++++++++++- drivers/md/bcache/writeback.c | 13 ++-- 11 files changed, 217 insertions(+), 263 deletions(-) diff --git a/drivers/md/bcache/alloc.c b/drivers/md/bcache/alloc.c index da50f6661bae..48ce750bf70a 100644 --- a/drivers/md/bcache/alloc.c +++ b/drivers/md/bcache/alloc.c @@ -164,68 +164,40 @@ static void bch_invalidate_one_bucket(struct cache *ca, struct bucket *b) * prio is worth 1/8th of what INITIAL_PRIO is worth. */ -static inline unsigned int new_bucket_prio(struct cache *ca, struct bucket *b) -{ - unsigned int min_prio = (INITIAL_PRIO - ca->set->min_prio) / 8; - - return (b->prio - ca->set->min_prio + min_prio) * GC_SECTORS_USED(b); -} - -static inline bool new_bucket_max_cmp(const void *l, const void *r, void *args) -{ - struct bucket **lhs = (struct bucket **)l; - struct bucket **rhs = (struct bucket **)r; - struct cache *ca = args; - - return new_bucket_prio(ca, *lhs) > new_bucket_prio(ca, *rhs); -} - -static inline bool new_bucket_min_cmp(const void *l, const void *r, void *args) -{ - struct bucket **lhs = (struct bucket **)l; - struct bucket **rhs = (struct bucket **)r; - struct cache *ca = args; - - return new_bucket_prio(ca, *lhs) < new_bucket_prio(ca, *rhs); -} - -static inline void new_bucket_swap(void *l, void *r, void __always_unused *args) -{ - struct bucket **lhs = l, **rhs = r; +#define bucket_prio(b) \ +({ \ + unsigned int min_prio = (INITIAL_PRIO - ca->set->min_prio) / 8; \ + \ + (b->prio - ca->set->min_prio + min_prio) * GC_SECTORS_USED(b); \ +}) - swap(*lhs, *rhs); -} +#define bucket_max_cmp(l, r) (bucket_prio(l) < bucket_prio(r)) +#define bucket_min_cmp(l, r) (bucket_prio(l) > bucket_prio(r)) static void invalidate_buckets_lru(struct cache *ca) { struct bucket *b; - const struct min_heap_callbacks bucket_max_cmp_callback = { - .less = new_bucket_max_cmp, - .swp = new_bucket_swap, - }; - const struct min_heap_callbacks bucket_min_cmp_callback = { - .less = new_bucket_min_cmp, - .swp = new_bucket_swap, - }; + ssize_t i; - ca->heap.nr = 0; + ca->heap.used = 0; for_each_bucket(b, ca) { if (!bch_can_invalidate_bucket(ca, b)) continue; - if (!min_heap_full(&ca->heap)) - min_heap_push(&ca->heap, &b, &bucket_max_cmp_callback, ca); - else if (!new_bucket_max_cmp(&b, min_heap_peek(&ca->heap), ca)) { + if (!heap_full(&ca->heap)) + heap_add(&ca->heap, b, bucket_max_cmp); + else if (bucket_max_cmp(b, heap_peek(&ca->heap))) { ca->heap.data[0] = b; - min_heap_sift_down(&ca->heap, 0, &bucket_max_cmp_callback, ca); + heap_sift(&ca->heap, 0, bucket_max_cmp); } } - min_heapify_all(&ca->heap, &bucket_min_cmp_callback, ca); + for (i = ca->heap.used / 2 - 1; i >= 0; --i) + heap_sift(&ca->heap, i, bucket_min_cmp); while (!fifo_full(&ca->free_inc)) { - if (!ca->heap.nr) { + if (!heap_pop(&ca->heap, b, bucket_min_cmp)) { /* * We don't want to be calling invalidate_buckets() * multiple times when it can't do anything @@ -234,8 +206,6 @@ static void invalidate_buckets_lru(struct cache *ca) wake_up_gc(ca->set); return; } - b = min_heap_peek(&ca->heap)[0]; - min_heap_pop(&ca->heap, &bucket_min_cmp_callback, ca); bch_invalidate_one_bucket(ca, b); } diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.h index 785b0d9008fa..1d33e40d26ea 100644 --- a/drivers/md/bcache/bcache.h +++ b/drivers/md/bcache/bcache.h @@ -458,7 +458,7 @@ struct cache { /* Allocation stuff: */ struct bucket *buckets; - DEFINE_MIN_HEAP(struct bucket *, cache_heap) heap; + DECLARE_HEAP(struct bucket *, heap); /* * If nonzero, we know we aren't going to find any buckets to invalidate diff --git a/drivers/md/bcache/bset.c b/drivers/md/bcache/bset.c index bd97d8626887..463eb13bd0b2 100644 --- a/drivers/md/bcache/bset.c +++ b/drivers/md/bcache/bset.c @@ -54,11 +54,9 @@ void bch_dump_bucket(struct btree_keys *b) int __bch_count_data(struct btree_keys *b) { unsigned int ret = 0; - struct btree_iter iter; + struct btree_iter_stack iter; struct bkey *k; - min_heap_init(&iter.heap, NULL, MAX_BSETS); - if (b->ops->is_extents) for_each_key(b, k, &iter) ret += KEY_SIZE(k); @@ -69,11 +67,9 @@ void __bch_check_keys(struct btree_keys *b, const char *fmt, ...) { va_list args; struct bkey *k, *p = NULL; - struct btree_iter iter; + struct btree_iter_stack iter; const char *err; - min_heap_init(&iter.heap, NULL, MAX_BSETS); - for_each_key(b, k, &iter) { if (b->ops->is_extents) { err = "Keys out of order"; @@ -114,9 +110,9 @@ void __bch_check_keys(struct btree_keys *b, const char *fmt, ...) static void bch_btree_iter_next_check(struct btree_iter *iter) { - struct bkey *k = iter->heap.data->k, *next = bkey_next(k); + struct bkey *k = iter->data->k, *next = bkey_next(k); - if (next < iter->heap.data->end && + if (next < iter->data->end && bkey_cmp(k, iter->b->ops->is_extents ? &START_KEY(next) : next) > 0) { bch_dump_bucket(iter->b); @@ -883,14 +879,12 @@ unsigned int bch_btree_insert_key(struct btree_keys *b, struct bkey *k, unsigned int status = BTREE_INSERT_STATUS_NO_INSERT; struct bset *i = bset_tree_last(b)->data; struct bkey *m, *prev = NULL; - struct btree_iter iter; + struct btree_iter_stack iter; struct bkey preceding_key_on_stack = ZERO_KEY; struct bkey *preceding_key_p = &preceding_key_on_stack; BUG_ON(b->ops->is_extents && !KEY_SIZE(k)); - min_heap_init(&iter.heap, NULL, MAX_BSETS); - /* * If k has preceding key, preceding_key_p will be set to address * of k's preceding key; otherwise preceding_key_p will be set @@ -901,9 +895,9 @@ unsigned int bch_btree_insert_key(struct btree_keys *b, struct bkey *k, else preceding_key(k, &preceding_key_p); - m = bch_btree_iter_init(b, &iter, preceding_key_p); + m = bch_btree_iter_stack_init(b, &iter, preceding_key_p); - if (b->ops->insert_fixup(b, k, &iter, replace_key)) + if (b->ops->insert_fixup(b, k, &iter.iter, replace_key)) return status; status = BTREE_INSERT_STATUS_INSERT; @@ -1083,102 +1077,79 @@ struct bkey *__bch_bset_search(struct btree_keys *b, struct bset_tree *t, /* Btree iterator */ -typedef bool (new_btree_iter_cmp_fn)(const void *, const void *, void *); - -static inline bool new_btree_iter_cmp(const void *l, const void *r, void __always_unused *args) -{ - const struct btree_iter_set *_l = l; - const struct btree_iter_set *_r = r; - - return bkey_cmp(_l->k, _r->k) <= 0; -} +typedef bool (btree_iter_cmp_fn)(struct btree_iter_set, + struct btree_iter_set); -static inline void new_btree_iter_swap(void *iter1, void *iter2, void __always_unused *args) +static inline bool btree_iter_cmp(struct btree_iter_set l, + struct btree_iter_set r) { - struct btree_iter_set *_iter1 = iter1; - struct btree_iter_set *_iter2 = iter2; - - swap(*_iter1, *_iter2); + return bkey_cmp(l.k, r.k) > 0; } static inline bool btree_iter_end(struct btree_iter *iter) { - return !iter->heap.nr; + return !iter->used; } void bch_btree_iter_push(struct btree_iter *iter, struct bkey *k, struct bkey *end) { - const struct min_heap_callbacks callbacks = { - .less = new_btree_iter_cmp, - .swp = new_btree_iter_swap, - }; - if (k != end) - BUG_ON(!min_heap_push(&iter->heap, - &((struct btree_iter_set) { k, end }), - &callbacks, - NULL)); + BUG_ON(!heap_add(iter, + ((struct btree_iter_set) { k, end }), + btree_iter_cmp)); } -static struct bkey *__bch_btree_iter_init(struct btree_keys *b, - struct btree_iter *iter, - struct bkey *search, - struct bset_tree *start) +static struct bkey *__bch_btree_iter_stack_init(struct btree_keys *b, + struct btree_iter_stack *iter, + struct bkey *search, + struct bset_tree *start) { struct bkey *ret = NULL; - iter->heap.size = ARRAY_SIZE(iter->heap.preallocated); - iter->heap.nr = 0; + iter->iter.size = ARRAY_SIZE(iter->stack_data); + iter->iter.used = 0; #ifdef CONFIG_BCACHE_DEBUG - iter->b = b; + iter->iter.b = b; #endif for (; start <= bset_tree_last(b); start++) { ret = bch_bset_search(b, start, search); - bch_btree_iter_push(iter, ret, bset_bkey_last(start->data)); + bch_btree_iter_push(&iter->iter, ret, bset_bkey_last(start->data)); } return ret; } -struct bkey *bch_btree_iter_init(struct btree_keys *b, - struct btree_iter *iter, +struct bkey *bch_btree_iter_stack_init(struct btree_keys *b, + struct btree_iter_stack *iter, struct bkey *search) { - return __bch_btree_iter_init(b, iter, search, b->set); + return __bch_btree_iter_stack_init(b, iter, search, b->set); } static inline struct bkey *__bch_btree_iter_next(struct btree_iter *iter, - new_btree_iter_cmp_fn *cmp) + btree_iter_cmp_fn *cmp) { struct btree_iter_set b __maybe_unused; struct bkey *ret = NULL; - const struct min_heap_callbacks callbacks = { - .less = cmp, - .swp = new_btree_iter_swap, - }; if (!btree_iter_end(iter)) { bch_btree_iter_next_check(iter); - ret = iter->heap.data->k; - iter->heap.data->k = bkey_next(iter->heap.data->k); + ret = iter->data->k; + iter->data->k = bkey_next(iter->data->k); - if (iter->heap.data->k > iter->heap.data->end) { + if (iter->data->k > iter->data->end) { WARN_ONCE(1, "bset was corrupt!\n"); - iter->heap.data->k = iter->heap.data->end; + iter->data->k = iter->data->end; } - if (iter->heap.data->k == iter->heap.data->end) { - if (iter->heap.nr) { - b = min_heap_peek(&iter->heap)[0]; - min_heap_pop(&iter->heap, &callbacks, NULL); - } - } + if (iter->data->k == iter->data->end) + heap_pop(iter, b, cmp); else - min_heap_sift_down(&iter->heap, 0, &callbacks, NULL); + heap_sift(iter, 0, cmp); } return ret; @@ -1186,7 +1157,7 @@ static inline struct bkey *__bch_btree_iter_next(struct btree_iter *iter, struct bkey *bch_btree_iter_next(struct btree_iter *iter) { - return __bch_btree_iter_next(iter, new_btree_iter_cmp); + return __bch_btree_iter_next(iter, btree_iter_cmp); } @@ -1224,18 +1195,16 @@ static void btree_mergesort(struct btree_keys *b, struct bset *out, struct btree_iter *iter, bool fixup, bool remove_stale) { + int i; struct bkey *k, *last = NULL; BKEY_PADDED(k) tmp; bool (*bad)(struct btree_keys *, const struct bkey *) = remove_stale ? bch_ptr_bad : bch_ptr_invalid; - const struct min_heap_callbacks callbacks = { - .less = b->ops->sort_cmp, - .swp = new_btree_iter_swap, - }; /* Heapify the iterator, using our comparison function */ - min_heapify_all(&iter->heap, &callbacks, NULL); + for (i = iter->used / 2 - 1; i >= 0; --i) + heap_sift(iter, i, b->ops->sort_cmp); while (!btree_iter_end(iter)) { if (b->ops->sort_fixup && fixup) @@ -1324,11 +1293,10 @@ void bch_btree_sort_partial(struct btree_keys *b, unsigned int start, struct bset_sort_state *state) { size_t order = b->page_order, keys = 0; - struct btree_iter iter; + struct btree_iter_stack iter; int oldsize = bch_count_data(b); - min_heap_init(&iter.heap, NULL, MAX_BSETS); - __bch_btree_iter_init(b, &iter, NULL, &b->set[start]); + __bch_btree_iter_stack_init(b, &iter, NULL, &b->set[start]); if (start) { unsigned int i; @@ -1339,7 +1307,7 @@ void bch_btree_sort_partial(struct btree_keys *b, unsigned int start, order = get_order(__set_bytes(b->set->data, keys)); } - __btree_sort(b, &iter, start, order, false, state); + __btree_sort(b, &iter.iter, start, order, false, state); EBUG_ON(oldsize >= 0 && bch_count_data(b) != oldsize); } @@ -1355,13 +1323,11 @@ void bch_btree_sort_into(struct btree_keys *b, struct btree_keys *new, struct bset_sort_state *state) { uint64_t start_time = local_clock(); - struct btree_iter iter; - - min_heap_init(&iter.heap, NULL, MAX_BSETS); + struct btree_iter_stack iter; - bch_btree_iter_init(b, &iter, NULL); + bch_btree_iter_stack_init(b, &iter, NULL); - btree_mergesort(b, new->set->data, &iter, false, true); + btree_mergesort(b, new->set->data, &iter.iter, false, true); bch_time_stats_update(&state->time, start_time); diff --git a/drivers/md/bcache/bset.h b/drivers/md/bcache/bset.h index f79441acd4c1..011f6062c4c0 100644 --- a/drivers/md/bcache/bset.h +++ b/drivers/md/bcache/bset.h @@ -187,9 +187,8 @@ struct bset_tree { }; struct btree_keys_ops { - bool (*sort_cmp)(const void *l, - const void *r, - void *args); + bool (*sort_cmp)(struct btree_iter_set l, + struct btree_iter_set r); struct bkey *(*sort_fixup)(struct btree_iter *iter, struct bkey *tmp); bool (*insert_fixup)(struct btree_keys *b, @@ -313,17 +312,23 @@ enum { BTREE_INSERT_STATUS_FRONT_MERGE, }; -struct btree_iter_set { - struct bkey *k, *end; -}; - /* Btree key iteration */ struct btree_iter { + size_t size, used; #ifdef CONFIG_BCACHE_DEBUG struct btree_keys *b; #endif - MIN_HEAP_PREALLOCATED(struct btree_iter_set, btree_iter_heap, MAX_BSETS) heap; + struct btree_iter_set { + struct bkey *k, *end; + } data[]; +}; + +/* Fixed-size btree_iter that can be allocated on the stack */ + +struct btree_iter_stack { + struct btree_iter iter; + struct btree_iter_set stack_data[MAX_BSETS]; }; typedef bool (*ptr_filter_fn)(struct btree_keys *b, const struct bkey *k); @@ -335,9 +340,9 @@ struct bkey *bch_btree_iter_next_filter(struct btree_iter *iter, void bch_btree_iter_push(struct btree_iter *iter, struct bkey *k, struct bkey *end); -struct bkey *bch_btree_iter_init(struct btree_keys *b, - struct btree_iter *iter, - struct bkey *search); +struct bkey *bch_btree_iter_stack_init(struct btree_keys *b, + struct btree_iter_stack *iter, + struct bkey *search); struct bkey *__bch_bset_search(struct btree_keys *b, struct bset_tree *t, const struct bkey *search); @@ -352,13 +357,14 @@ static inline struct bkey *bch_bset_search(struct btree_keys *b, return search ? __bch_bset_search(b, t, search) : t->data->start; } -#define for_each_key_filter(b, k, iter, filter) \ - for (bch_btree_iter_init((b), (iter), NULL); \ - ((k) = bch_btree_iter_next_filter((iter), (b), filter));) +#define for_each_key_filter(b, k, stack_iter, filter) \ + for (bch_btree_iter_stack_init((b), (stack_iter), NULL); \ + ((k) = bch_btree_iter_next_filter(&((stack_iter)->iter), (b), \ + filter));) -#define for_each_key(b, k, iter) \ - for (bch_btree_iter_init((b), (iter), NULL); \ - ((k) = bch_btree_iter_next(iter));) +#define for_each_key(b, k, stack_iter) \ + for (bch_btree_iter_stack_init((b), (stack_iter), NULL); \ + ((k) = bch_btree_iter_next(&((stack_iter)->iter)));) /* Sorting */ diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c index 1d0100677357..210b59007d98 100644 --- a/drivers/md/bcache/btree.c +++ b/drivers/md/bcache/btree.c @@ -148,19 +148,19 @@ void bch_btree_node_read_done(struct btree *b) { const char *err = "bad btree header"; struct bset *i = btree_bset_first(b); - struct btree_iter iter; + struct btree_iter *iter; /* * c->fill_iter can allocate an iterator with more memory space * than static MAX_BSETS. * See the comment arount cache_set->fill_iter. */ - iter.heap.data = mempool_alloc(&b->c->fill_iter, GFP_NOIO); - iter.heap.size = b->c->cache->sb.bucket_size / b->c->cache->sb.block_size; - iter.heap.nr = 0; + iter = mempool_alloc(&b->c->fill_iter, GFP_NOIO); + iter->size = b->c->cache->sb.bucket_size / b->c->cache->sb.block_size; + iter->used = 0; #ifdef CONFIG_BCACHE_DEBUG - iter.b = &b->keys; + iter->b = &b->keys; #endif if (!i->seq) @@ -198,7 +198,7 @@ void bch_btree_node_read_done(struct btree *b) if (i != b->keys.set[0].data && !i->keys) goto err; - bch_btree_iter_push(&iter, i->start, bset_bkey_last(i)); + bch_btree_iter_push(iter, i->start, bset_bkey_last(i)); b->written += set_blocks(i, block_bytes(b->c->cache)); } @@ -210,7 +210,7 @@ void bch_btree_node_read_done(struct btree *b) if (i->seq == b->keys.set[0].data->seq) goto err; - bch_btree_sort_and_fix_extents(&b->keys, &iter, &b->c->sort); + bch_btree_sort_and_fix_extents(&b->keys, iter, &b->c->sort); i = b->keys.set[0].data; err = "short btree key"; @@ -222,7 +222,7 @@ void bch_btree_node_read_done(struct btree *b) bch_bset_init_next(&b->keys, write_block(b), bset_magic(&b->c->cache->sb)); out: - mempool_free(iter.heap.data, &b->c->fill_iter); + mempool_free(iter, &b->c->fill_iter); return; err: set_btree_node_io_error(b); @@ -1306,11 +1306,9 @@ static bool btree_gc_mark_node(struct btree *b, struct gc_stat *gc) uint8_t stale = 0; unsigned int keys = 0, good_keys = 0; struct bkey *k; - struct btree_iter iter; + struct btree_iter_stack iter; struct bset_tree *t; - min_heap_init(&iter.heap, NULL, MAX_BSETS); - gc->nodes++; for_each_key_filter(&b->keys, k, &iter, bch_ptr_invalid) { @@ -1569,11 +1567,9 @@ static int btree_gc_rewrite_node(struct btree *b, struct btree_op *op, static unsigned int btree_gc_count_keys(struct btree *b) { struct bkey *k; - struct btree_iter iter; + struct btree_iter_stack iter; unsigned int ret = 0; - min_heap_init(&iter.heap, NULL, MAX_BSETS); - for_each_key_filter(&b->keys, k, &iter, bch_ptr_bad) ret += bkey_u64s(k); @@ -1612,18 +1608,18 @@ static int btree_gc_recurse(struct btree *b, struct btree_op *op, int ret = 0; bool should_rewrite; struct bkey *k; - struct btree_iter iter; + struct btree_iter_stack iter; struct gc_merge_info r[GC_MERGE_NODES]; struct gc_merge_info *i, *last = r + ARRAY_SIZE(r) - 1; - min_heap_init(&iter.heap, NULL, MAX_BSETS); - bch_btree_iter_init(&b->keys, &iter, &b->c->gc_done); + bch_btree_iter_stack_init(&b->keys, &iter, &b->c->gc_done); for (i = r; i < r + ARRAY_SIZE(r); i++) i->b = ERR_PTR(-EINTR); while (1) { - k = bch_btree_iter_next_filter(&iter, &b->keys, bch_ptr_bad); + k = bch_btree_iter_next_filter(&iter.iter, &b->keys, + bch_ptr_bad); if (k) { r->b = bch_btree_node_get(b->c, op, k, b->level - 1, true, b); @@ -1918,9 +1914,7 @@ static int bch_btree_check_recurse(struct btree *b, struct btree_op *op) { int ret = 0; struct bkey *k, *p = NULL; - struct btree_iter iter; - - min_heap_init(&iter.heap, NULL, MAX_BSETS); + struct btree_iter_stack iter; for_each_key_filter(&b->keys, k, &iter, bch_ptr_invalid) bch_initial_mark_key(b->c, b->level, k); @@ -1928,10 +1922,10 @@ static int bch_btree_check_recurse(struct btree *b, struct btree_op *op) bch_initial_mark_key(b->c, b->level + 1, &b->key); if (b->level) { - bch_btree_iter_init(&b->keys, &iter, NULL); + bch_btree_iter_stack_init(&b->keys, &iter, NULL); do { - k = bch_btree_iter_next_filter(&iter, &b->keys, + k = bch_btree_iter_next_filter(&iter.iter, &b->keys, bch_ptr_bad); if (k) { btree_node_prefetch(b, k); @@ -1959,7 +1953,7 @@ static int bch_btree_check_thread(void *arg) struct btree_check_info *info = arg; struct btree_check_state *check_state = info->state; struct cache_set *c = check_state->c; - struct btree_iter iter; + struct btree_iter_stack iter; struct bkey *k, *p; int cur_idx, prev_idx, skip_nr; @@ -1967,11 +1961,9 @@ static int bch_btree_check_thread(void *arg) cur_idx = prev_idx = 0; ret = 0; - min_heap_init(&iter.heap, NULL, MAX_BSETS); - /* root node keys are checked before thread created */ - bch_btree_iter_init(&c->root->keys, &iter, NULL); - k = bch_btree_iter_next_filter(&iter, &c->root->keys, bch_ptr_bad); + bch_btree_iter_stack_init(&c->root->keys, &iter, NULL); + k = bch_btree_iter_next_filter(&iter.iter, &c->root->keys, bch_ptr_bad); BUG_ON(!k); p = k; @@ -1989,7 +1981,7 @@ static int bch_btree_check_thread(void *arg) skip_nr = cur_idx - prev_idx; while (skip_nr) { - k = bch_btree_iter_next_filter(&iter, + k = bch_btree_iter_next_filter(&iter.iter, &c->root->keys, bch_ptr_bad); if (k) @@ -2062,11 +2054,9 @@ int bch_btree_check(struct cache_set *c) int ret = 0; int i; struct bkey *k = NULL; - struct btree_iter iter; + struct btree_iter_stack iter; struct btree_check_state check_state; - min_heap_init(&iter.heap, NULL, MAX_BSETS); - /* check and mark root node keys */ for_each_key_filter(&c->root->keys, k, &iter, bch_ptr_invalid) bch_initial_mark_key(c, c->root->level, k); @@ -2560,12 +2550,11 @@ static int bch_btree_map_nodes_recurse(struct btree *b, struct btree_op *op, if (b->level) { struct bkey *k; - struct btree_iter iter; + struct btree_iter_stack iter; - min_heap_init(&iter.heap, NULL, MAX_BSETS); - bch_btree_iter_init(&b->keys, &iter, from); + bch_btree_iter_stack_init(&b->keys, &iter, from); - while ((k = bch_btree_iter_next_filter(&iter, &b->keys, + while ((k = bch_btree_iter_next_filter(&iter.iter, &b->keys, bch_ptr_bad))) { ret = bcache_btree(map_nodes_recurse, k, b, op, from, fn, flags); @@ -2594,12 +2583,12 @@ int bch_btree_map_keys_recurse(struct btree *b, struct btree_op *op, { int ret = MAP_CONTINUE; struct bkey *k; - struct btree_iter iter; + struct btree_iter_stack iter; - min_heap_init(&iter.heap, NULL, MAX_BSETS); - bch_btree_iter_init(&b->keys, &iter, from); + bch_btree_iter_stack_init(&b->keys, &iter, from); - while ((k = bch_btree_iter_next_filter(&iter, &b->keys, bch_ptr_bad))) { + while ((k = bch_btree_iter_next_filter(&iter.iter, &b->keys, + bch_ptr_bad))) { ret = !b->level ? fn(op, b, k) : bcache_btree(map_keys_recurse, k, diff --git a/drivers/md/bcache/extents.c b/drivers/md/bcache/extents.c index a7221e5dbe81..d626ffcbecb9 100644 --- a/drivers/md/bcache/extents.c +++ b/drivers/md/bcache/extents.c @@ -33,16 +33,15 @@ static void sort_key_next(struct btree_iter *iter, i->k = bkey_next(i->k); if (i->k == i->end) - *i = iter->heap.data[--iter->heap.nr]; + *i = iter->data[--iter->used]; } -static bool new_bch_key_sort_cmp(const void *l, const void *r, void *args) +static bool bch_key_sort_cmp(struct btree_iter_set l, + struct btree_iter_set r) { - struct btree_iter_set *_l = (struct btree_iter_set *)l; - struct btree_iter_set *_r = (struct btree_iter_set *)r; - int64_t c = bkey_cmp(_l->k, _r->k); + int64_t c = bkey_cmp(l.k, r.k); - return !(c ? c > 0 : _l->k < _r->k); + return c ? c > 0 : l.k < r.k; } static bool __ptr_invalid(struct cache_set *c, const struct bkey *k) @@ -239,7 +238,7 @@ static bool bch_btree_ptr_insert_fixup(struct btree_keys *bk, } const struct btree_keys_ops bch_btree_keys_ops = { - .sort_cmp = new_bch_key_sort_cmp, + .sort_cmp = bch_key_sort_cmp, .insert_fixup = bch_btree_ptr_insert_fixup, .key_invalid = bch_btree_ptr_invalid, .key_bad = bch_btree_ptr_bad, @@ -256,36 +255,22 @@ const struct btree_keys_ops bch_btree_keys_ops = { * Necessary for btree_sort_fixup() - if there are multiple keys that compare * equal in different sets, we have to process them newest to oldest. */ - -static bool new_bch_extent_sort_cmp(const void *l, const void *r, void __always_unused *args) -{ - struct btree_iter_set *_l = (struct btree_iter_set *)l; - struct btree_iter_set *_r = (struct btree_iter_set *)r; - int64_t c = bkey_cmp(&START_KEY(_l->k), &START_KEY(_r->k)); - - return !(c ? c > 0 : _l->k < _r->k); -} - -static inline void new_btree_iter_swap(void *iter1, void *iter2, void __always_unused *args) +static bool bch_extent_sort_cmp(struct btree_iter_set l, + struct btree_iter_set r) { - struct btree_iter_set *_iter1 = iter1; - struct btree_iter_set *_iter2 = iter2; + int64_t c = bkey_cmp(&START_KEY(l.k), &START_KEY(r.k)); - swap(*_iter1, *_iter2); + return c ? c > 0 : l.k < r.k; } static struct bkey *bch_extent_sort_fixup(struct btree_iter *iter, struct bkey *tmp) { - const struct min_heap_callbacks callbacks = { - .less = new_bch_extent_sort_cmp, - .swp = new_btree_iter_swap, - }; - while (iter->heap.nr > 1) { - struct btree_iter_set *top = iter->heap.data, *i = top + 1; - - if (iter->heap.nr > 2 && - !new_bch_extent_sort_cmp(&i[0], &i[1], NULL)) + while (iter->used > 1) { + struct btree_iter_set *top = iter->data, *i = top + 1; + + if (iter->used > 2 && + bch_extent_sort_cmp(i[0], i[1])) i++; if (bkey_cmp(top->k, &START_KEY(i->k)) <= 0) @@ -293,7 +278,7 @@ static struct bkey *bch_extent_sort_fixup(struct btree_iter *iter, if (!KEY_SIZE(i->k)) { sort_key_next(iter, i); - min_heap_sift_down(&iter->heap, i - top, &callbacks, NULL); + heap_sift(iter, i - top, bch_extent_sort_cmp); continue; } @@ -303,7 +288,7 @@ static struct bkey *bch_extent_sort_fixup(struct btree_iter *iter, else bch_cut_front(top->k, i->k); - min_heap_sift_down(&iter->heap, i - top, &callbacks, NULL); + heap_sift(iter, i - top, bch_extent_sort_cmp); } else { /* can't happen because of comparison func */ BUG_ON(!bkey_cmp(&START_KEY(top->k), &START_KEY(i->k))); @@ -313,7 +298,7 @@ static struct bkey *bch_extent_sort_fixup(struct btree_iter *iter, bch_cut_back(&START_KEY(i->k), tmp); bch_cut_front(i->k, top->k); - min_heap_sift_down(&iter->heap, 0, &callbacks, NULL); + heap_sift(iter, 0, bch_extent_sort_cmp); return tmp; } else { @@ -633,7 +618,7 @@ static bool bch_extent_merge(struct btree_keys *bk, } const struct btree_keys_ops bch_extent_keys_ops = { - .sort_cmp = new_bch_extent_sort_cmp, + .sort_cmp = bch_extent_sort_cmp, .sort_fixup = bch_extent_sort_fixup, .insert_fixup = bch_extent_insert_fixup, .key_invalid = bch_extent_invalid, diff --git a/drivers/md/bcache/movinggc.c b/drivers/md/bcache/movinggc.c index d6c73dd8eb2b..26a6a535ec32 100644 --- a/drivers/md/bcache/movinggc.c +++ b/drivers/md/bcache/movinggc.c @@ -182,27 +182,16 @@ err: if (!IS_ERR_OR_NULL(w->private)) closure_sync(&cl); } -static bool new_bucket_cmp(const void *l, const void *r, void __always_unused *args) +static bool bucket_cmp(struct bucket *l, struct bucket *r) { - struct bucket **_l = (struct bucket **)l; - struct bucket **_r = (struct bucket **)r; - - return GC_SECTORS_USED(*_l) >= GC_SECTORS_USED(*_r); -} - -static void new_bucket_swap(void *l, void *r, void __always_unused *args) -{ - struct bucket **_l = l; - struct bucket **_r = r; - - swap(*_l, *_r); + return GC_SECTORS_USED(l) < GC_SECTORS_USED(r); } static unsigned int bucket_heap_top(struct cache *ca) { struct bucket *b; - return (b = min_heap_peek(&ca->heap)[0]) ? GC_SECTORS_USED(b) : 0; + return (b = heap_peek(&ca->heap)) ? GC_SECTORS_USED(b) : 0; } void bch_moving_gc(struct cache_set *c) @@ -210,10 +199,6 @@ void bch_moving_gc(struct cache_set *c) struct cache *ca = c->cache; struct bucket *b; unsigned long sectors_to_move, reserve_sectors; - const struct min_heap_callbacks callbacks = { - .less = new_bucket_cmp, - .swp = new_bucket_swap, - }; if (!c->copy_gc_enabled) return; @@ -224,7 +209,7 @@ void bch_moving_gc(struct cache_set *c) reserve_sectors = ca->sb.bucket_size * fifo_used(&ca->free[RESERVE_MOVINGGC]); - ca->heap.nr = 0; + ca->heap.used = 0; for_each_bucket(b, ca) { if (GC_MARK(b) == GC_MARK_METADATA || @@ -233,31 +218,25 @@ void bch_moving_gc(struct cache_set *c) atomic_read(&b->pin)) continue; - if (!min_heap_full(&ca->heap)) { + if (!heap_full(&ca->heap)) { sectors_to_move += GC_SECTORS_USED(b); - min_heap_push(&ca->heap, &b, &callbacks, NULL); - } else if (!new_bucket_cmp(&b, min_heap_peek(&ca->heap), ca)) { + heap_add(&ca->heap, b, bucket_cmp); + } else if (bucket_cmp(b, heap_peek(&ca->heap))) { sectors_to_move -= bucket_heap_top(ca); sectors_to_move += GC_SECTORS_USED(b); ca->heap.data[0] = b; - min_heap_sift_down(&ca->heap, 0, &callbacks, NULL); + heap_sift(&ca->heap, 0, bucket_cmp); } } while (sectors_to_move > reserve_sectors) { - if (ca->heap.nr) { - b = min_heap_peek(&ca->heap)[0]; - min_heap_pop(&ca->heap, &callbacks, NULL); - } + heap_pop(&ca->heap, b, bucket_cmp); sectors_to_move -= GC_SECTORS_USED(b); } - while (ca->heap.nr) { - b = min_heap_peek(&ca->heap)[0]; - min_heap_pop(&ca->heap, &callbacks, NULL); + while (heap_pop(&ca->heap, b, bucket_cmp)) SET_GC_MOVE(b, 1); - } mutex_unlock(&c->bucket_lock); diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c index 1efb768b2890..2ea490b9d370 100644 --- a/drivers/md/bcache/super.c +++ b/drivers/md/bcache/super.c @@ -1912,7 +1912,8 @@ struct cache_set *bch_cache_set_alloc(struct cache_sb *sb) INIT_LIST_HEAD(&c->btree_cache_freed); INIT_LIST_HEAD(&c->data_buckets); - iter_size = ((meta_bucket_pages(sb) * PAGE_SECTORS) / sb->block_size) * + iter_size = sizeof(struct btree_iter) + + ((meta_bucket_pages(sb) * PAGE_SECTORS) / sb->block_size) * sizeof(struct btree_iter_set); c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL); diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c index e8f696cb58c0..826b14cae4e5 100644 --- a/drivers/md/bcache/sysfs.c +++ b/drivers/md/bcache/sysfs.c @@ -660,9 +660,7 @@ static unsigned int bch_root_usage(struct cache_set *c) unsigned int bytes = 0; struct bkey *k; struct btree *b; - struct btree_iter iter; - - min_heap_init(&iter.heap, NULL, MAX_BSETS); + struct btree_iter_stack iter; goto lock_root; diff --git a/drivers/md/bcache/util.h b/drivers/md/bcache/util.h index 539454d8e2d0..f61ab1bada6c 100644 --- a/drivers/md/bcache/util.h +++ b/drivers/md/bcache/util.h @@ -9,7 +9,6 @@ #include <linux/kernel.h> #include <linux/sched/clock.h> #include <linux/llist.h> -#include <linux/min_heap.h> #include <linux/ratelimit.h> #include <linux/vmalloc.h> #include <linux/workqueue.h> @@ -31,10 +30,16 @@ struct closure; #endif +#define DECLARE_HEAP(type, name) \ + struct { \ + size_t size, used; \ + type *data; \ + } name + #define init_heap(heap, _size, gfp) \ ({ \ size_t _bytes; \ - (heap)->nr = 0; \ + (heap)->used = 0; \ (heap)->size = (_size); \ _bytes = (heap)->size * sizeof(*(heap)->data); \ (heap)->data = kvmalloc(_bytes, (gfp) & GFP_KERNEL); \ @@ -47,6 +52,64 @@ do { \ (heap)->data = NULL; \ } while (0) +#define heap_swap(h, i, j) swap((h)->data[i], (h)->data[j]) + +#define heap_sift(h, i, cmp) \ +do { \ + size_t _r, _j = i; \ + \ + for (; _j * 2 + 1 < (h)->used; _j = _r) { \ + _r = _j * 2 + 1; \ + if (_r + 1 < (h)->used && \ + cmp((h)->data[_r], (h)->data[_r + 1])) \ + _r++; \ + \ + if (cmp((h)->data[_r], (h)->data[_j])) \ + break; \ + heap_swap(h, _r, _j); \ + } \ +} while (0) + +#define heap_sift_down(h, i, cmp) \ +do { \ + while (i) { \ + size_t p = (i - 1) / 2; \ + if (cmp((h)->data[i], (h)->data[p])) \ + break; \ + heap_swap(h, i, p); \ + i = p; \ + } \ +} while (0) + +#define heap_add(h, d, cmp) \ +({ \ + bool _r = !heap_full(h); \ + if (_r) { \ + size_t _i = (h)->used++; \ + (h)->data[_i] = d; \ + \ + heap_sift_down(h, _i, cmp); \ + heap_sift(h, _i, cmp); \ + } \ + _r; \ +}) + +#define heap_pop(h, d, cmp) \ +({ \ + bool _r = (h)->used; \ + if (_r) { \ + (d) = (h)->data[0]; \ + (h)->used--; \ + heap_swap(h, 0, (h)->used); \ + heap_sift(h, 0, cmp); \ + } \ + _r; \ +}) + +#define heap_peek(h) ((h)->used ? (h)->data[0] : NULL) + +#define heap_full(h) ((h)->used == (h)->size) + #define DECLARE_FIFO(type, name) \ struct { \ size_t front, back, size, mask; \ diff --git a/drivers/md/bcache/writeback.c b/drivers/md/bcache/writeback.c index 453efbbdc8ee..302e75f1fc4b 100644 --- a/drivers/md/bcache/writeback.c +++ b/drivers/md/bcache/writeback.c @@ -908,16 +908,15 @@ static int bch_dirty_init_thread(void *arg) struct dirty_init_thrd_info *info = arg; struct bch_dirty_init_state *state = info->state; struct cache_set *c = state->c; - struct btree_iter iter; + struct btree_iter_stack iter; struct bkey *k, *p; int cur_idx, prev_idx, skip_nr; k = p = NULL; prev_idx = 0; - min_heap_init(&iter.heap, NULL, MAX_BSETS); - bch_btree_iter_init(&c->root->keys, &iter, NULL); - k = bch_btree_iter_next_filter(&iter, &c->root->keys, bch_ptr_bad); + bch_btree_iter_stack_init(&c->root->keys, &iter, NULL); + k = bch_btree_iter_next_filter(&iter.iter, &c->root->keys, bch_ptr_bad); BUG_ON(!k); p = k; @@ -931,7 +930,7 @@ static int bch_dirty_init_thread(void *arg) skip_nr = cur_idx - prev_idx; while (skip_nr) { - k = bch_btree_iter_next_filter(&iter, + k = bch_btree_iter_next_filter(&iter.iter, &c->root->keys, bch_ptr_bad); if (k) @@ -980,13 +979,11 @@ void bch_sectors_dirty_init(struct bcache_device *d) int i; struct btree *b = NULL; struct bkey *k = NULL; - struct btree_iter iter; + struct btree_iter_stack iter; struct sectors_dirty_init op; struct cache_set *c = d->c; struct bch_dirty_init_state state; - min_heap_init(&iter.heap, NULL, MAX_BSETS); - retry_lock: b = c->root; rw_lock(0, b, b->level); -- 2.34.1

1 day, 8 hours

2
1
0 0

[PATCH v2 1/3] Revert "bcache: update min_heap_callbacks to use default builtin swap"

by Kuan-Wei Chiu

This reverts commit 3d8a9a1c35227c3f1b0bd132c9f0a80dbda07b65. Although removing the custom swap function simplified the code, this change is part of a broader migration to the generic min_heap API that introduced significant performance regressions in bcache. As reported by Robert, bcache now suffers from latency spikes, with P100 (max) latency increasing from 600 ms to 2.4 seconds every 5 minutes. These regressions degrade bcache's effectiveness as a low-latency cache layer and lead to frequent timeouts and application stalls in production environments. This revert is part of a series of changes to restore previous performance by undoing the min_heap transition. Link: https://lore.kernel.org/lkml/CAJhEC05+0S69z+3+FB2Cd0hD+pCRyWTKLEOsc8BOmH73p… Fixes: 866898efbb25 ("bcache: remove heap-related macros and switch to generic min_heap") Fixes: 92a8b224b833 ("lib/min_heap: introduce non-inline versions of min heap API functions") Reported-by: Robert Pang <robertpang(a)google.com> Closes: https://lore.kernel.org/linux-bcache/CAJhEC06F_AtrPgw2-7CvCqZgeStgCtitbD-ry… Cc: stable(a)vger.kernel.org Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com> --- drivers/md/bcache/alloc.c | 11 +++++++++-- drivers/md/bcache/bset.c | 14 +++++++++++--- drivers/md/bcache/extents.c | 10 +++++++++- drivers/md/bcache/movinggc.c | 10 +++++++++- 4 files changed, 38 insertions(+), 7 deletions(-) diff --git a/drivers/md/bcache/alloc.c b/drivers/md/bcache/alloc.c index 8998e61efa40..da50f6661bae 100644 --- a/drivers/md/bcache/alloc.c +++ b/drivers/md/bcache/alloc.c @@ -189,16 +189,23 @@ static inline bool new_bucket_min_cmp(const void *l, const void *r, void *args) return new_bucket_prio(ca, *lhs) < new_bucket_prio(ca, *rhs); } +static inline void new_bucket_swap(void *l, void *r, void __always_unused *args) +{ + struct bucket **lhs = l, **rhs = r; + + swap(*lhs, *rhs); +} + static void invalidate_buckets_lru(struct cache *ca) { struct bucket *b; const struct min_heap_callbacks bucket_max_cmp_callback = { .less = new_bucket_max_cmp, - .swp = NULL, + .swp = new_bucket_swap, }; const struct min_heap_callbacks bucket_min_cmp_callback = { .less = new_bucket_min_cmp, - .swp = NULL, + .swp = new_bucket_swap, }; ca->heap.nr = 0; diff --git a/drivers/md/bcache/bset.c b/drivers/md/bcache/bset.c index 68258a16e125..bd97d8626887 100644 --- a/drivers/md/bcache/bset.c +++ b/drivers/md/bcache/bset.c @@ -1093,6 +1093,14 @@ static inline bool new_btree_iter_cmp(const void *l, const void *r, void __alway return bkey_cmp(_l->k, _r->k) <= 0; } +static inline void new_btree_iter_swap(void *iter1, void *iter2, void __always_unused *args) +{ + struct btree_iter_set *_iter1 = iter1; + struct btree_iter_set *_iter2 = iter2; + + swap(*_iter1, *_iter2); +} + static inline bool btree_iter_end(struct btree_iter *iter) { return !iter->heap.nr; @@ -1103,7 +1111,7 @@ void bch_btree_iter_push(struct btree_iter *iter, struct bkey *k, { const struct min_heap_callbacks callbacks = { .less = new_btree_iter_cmp, - .swp = NULL, + .swp = new_btree_iter_swap, }; if (k != end) @@ -1149,7 +1157,7 @@ static inline struct bkey *__bch_btree_iter_next(struct btree_iter *iter, struct bkey *ret = NULL; const struct min_heap_callbacks callbacks = { .less = cmp, - .swp = NULL, + .swp = new_btree_iter_swap, }; if (!btree_iter_end(iter)) { @@ -1223,7 +1231,7 @@ static void btree_mergesort(struct btree_keys *b, struct bset *out, : bch_ptr_invalid; const struct min_heap_callbacks callbacks = { .less = b->ops->sort_cmp, - .swp = NULL, + .swp = new_btree_iter_swap, }; /* Heapify the iterator, using our comparison function */ diff --git a/drivers/md/bcache/extents.c b/drivers/md/bcache/extents.c index 4b84fda1530a..a7221e5dbe81 100644 --- a/drivers/md/bcache/extents.c +++ b/drivers/md/bcache/extents.c @@ -266,12 +266,20 @@ static bool new_bch_extent_sort_cmp(const void *l, const void *r, void __always_ return !(c ? c > 0 : _l->k < _r->k); } +static inline void new_btree_iter_swap(void *iter1, void *iter2, void __always_unused *args) +{ + struct btree_iter_set *_iter1 = iter1; + struct btree_iter_set *_iter2 = iter2; + + swap(*_iter1, *_iter2); +} + static struct bkey *bch_extent_sort_fixup(struct btree_iter *iter, struct bkey *tmp) { const struct min_heap_callbacks callbacks = { .less = new_bch_extent_sort_cmp, - .swp = NULL, + .swp = new_btree_iter_swap, }; while (iter->heap.nr > 1) { struct btree_iter_set *top = iter->heap.data, *i = top + 1; diff --git a/drivers/md/bcache/movinggc.c b/drivers/md/bcache/movinggc.c index 45ca134cbf02..d6c73dd8eb2b 100644 --- a/drivers/md/bcache/movinggc.c +++ b/drivers/md/bcache/movinggc.c @@ -190,6 +190,14 @@ static bool new_bucket_cmp(const void *l, const void *r, void __always_unused *a return GC_SECTORS_USED(*_l) >= GC_SECTORS_USED(*_r); } +static void new_bucket_swap(void *l, void *r, void __always_unused *args) +{ + struct bucket **_l = l; + struct bucket **_r = r; + + swap(*_l, *_r); +} + static unsigned int bucket_heap_top(struct cache *ca) { struct bucket *b; @@ -204,7 +212,7 @@ void bch_moving_gc(struct cache_set *c) unsigned long sectors_to_move, reserve_sectors; const struct min_heap_callbacks callbacks = { .less = new_bucket_cmp, - .swp = NULL, + .swp = new_bucket_swap, }; if (!c->copy_gc_enabled) -- 2.34.1

1 day, 8 hours

2
1
0 0

[PATCH v2] fscrypt: don't use problematic non-inline crypto accelerators

by Eric Biggers

From: Eric Biggers <ebiggers(a)google.com> Make fscrypt no longer use Crypto API drivers for non-inline crypto accelerators, even when the Crypto API prioritizes them over CPU-based code (which unfortunately it often does). These drivers tend to be really problematic, especially for fscrypt's synchronous workload. Specifically, exclude drivers that have CRYPTO_ALG_KERN_DRIVER_ONLY or CRYPTO_ALG_ALLOCATES_MEMORY set. (Later, CRYPTO_ALG_ASYNC should be excluded too. That's omitted for now to keep this commit backportable, since until recently some CPU-based code had CRYPTO_ALG_ASYNC set.) There are two major issues with these drivers: bugs and performance. First, these drivers tend to be buggy. They're fundamentally much more error-prone and harder to test than the CPU-based code, and they often don't get tested before kernel releases. Released drivers have en/decrypted data incorrectly. These bugs cause real issues for fscrypt users who often didn't even want to use these drivers, for example: - https://github.com/google/fscryptctl/issues/32 - https://github.com/google/fscryptctl/issues/9 - https://lore.kernel.org/r/PH0PR02MB731916ECDB6C613665863B6CFFAA2@PH0PR02MB7… These drivers have also caused issues for dm-crypt users, including data corruption and deadlocks. Since Linux v5.10, dm-crypt has disabled most of these drivers by excluding CRYPTO_ALG_ALLOCATES_MEMORY. Second, the CPU-based crypto tends to be faster, often *much* faster. This may seem counterintuitive, but benchmarks clearly show it. There's a *lot* of overhead associated with going to a hardware driver, off the CPU, and back again. Measuring synchronous AES-256-XTS encryption of 4096-byte messages (fscrypt's workload) on two platforms with non-inline crypto accelerators that I have access to: Intel Emerald Rapids server: xts-aes-vaes-avx512: 16171 MB/s [CPU-based, Vector AES] xts(ecb(aes-generic)): 305 MB/s [CPU-based, generic C code] qat_aes_xts: 289 MB/s [Offload, Intel QuickAssist] Qualcomm SM8650 HDK: xts-aes-ce: 4301 MB/s [CPU-based, ARMv8 Crypto Extensions] xts(ecb(aes-generic)): 265 MB/s [CPU-based, generic C code] xts-aes-qce: 73 MB/s [Offload, Qualcomm Crypto Engine] So, using the "accelerators" is over 50 times slower than just using the CPU. Not only that, it's even slower than the generic C code, which suggests that even on platforms whose CPUs lack AES instructions the performance benefit of any accelerator would be marginal at best. The usefulness of the accelerators could be improved with a different software architecture that allows blocks to be efficiently en/decrypted in parallel. But fscrypt does not do that today, and even the async support in the Crypto API isn't really all that efficient. And even if the accelerator was used perfectly efficiently, it seems unlikely to help on small I/O requests, for which latency is really important. As of this writing, the Crypto API prioritizes qat_aes_xts over xts-aes-vaes-avx512. Therefore, this commit greatly improves fscrypt performance on Intel servers that have QAT and the QAT driver enabled. qat_aes_xts is going to be deprioritized in the Crypto API (like I did for xts-aes-qce recently too). But as this seems to be a common pattern with all the "accelerators", fscrypt should just disable all of them. An argument that has been given in favor of non-inline crypto accelerators is that they can protect keys in hardware. But fscrypt does not take advantage of that, so it is irrelevant. (Also, it would be quite difficult for fscrypt to do that.) Note that fscrypt does support inline encryption engines, using raw or hardware-wrapped keys. These actually do work well and are widely used. These do not use the "Crypto API" and are unaffected by this commit. Fixes: b30ab0e03407 ("ext4 crypto: add ext4 encryption facilities") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)google.com> --- Changed in v2: - Improved commit message and comment - Dropped CRYPTO_ALG_ASYNC from the mask, to make this patch backport-friendly - Added Fixes and Cc stable fs/crypto/fscrypt_private.h | 16 ++++++++++++++++ fs/crypto/hkdf.c | 2 +- fs/crypto/keysetup.c | 3 ++- fs/crypto/keysetup_v1.c | 3 ++- 4 files changed, 21 insertions(+), 3 deletions(-) diff --git a/fs/crypto/fscrypt_private.h b/fs/crypto/fscrypt_private.h index c1d92074b65c5..0e95c7a095d49 100644 --- a/fs/crypto/fscrypt_private.h +++ b/fs/crypto/fscrypt_private.h @@ -43,10 +43,26 @@ * hardware-wrapped keys has made it misleading as it's only for raw keys. * Don't use it in kernel code; use one of the above constants instead. */ #undef FSCRYPT_MAX_KEY_SIZE +/* + * This mask is passed as the third argument to the crypto_alloc_*() functions + * to prevent fscrypt from using the Crypto API drivers for non-inline crypto + * accelerators. Those drivers have been problematic for fscrypt. fscrypt + * users have reported hangs and even incorrect en/decryption with these + * drivers. Since going to the driver, off CPU, and back again is really slow, + * such drivers can be over 50 times slower than the CPU-based code for + * fscrypt's synchronous workload. Even on platforms that lack AES instructions + * on the CPU, any performance benefit is likely to be marginal at best. + * + * Note that fscrypt also supports inline encryption engines. Those don't use + * the Crypto API and work much better than non-inline accelerators. + */ +#define FSCRYPT_CRYPTOAPI_MASK \ + (CRYPTO_ALG_ALLOCATES_MEMORY | CRYPTO_ALG_KERN_DRIVER_ONLY) + #define FSCRYPT_CONTEXT_V1 1 #define FSCRYPT_CONTEXT_V2 2 /* Keep this in sync with include/uapi/linux/fscrypt.h */ #define FSCRYPT_MODE_MAX FSCRYPT_MODE_AES_256_HCTR2 diff --git a/fs/crypto/hkdf.c b/fs/crypto/hkdf.c index 0f3028adc9c72..5b9c21cfe2b45 100644 --- a/fs/crypto/hkdf.c +++ b/fs/crypto/hkdf.c @@ -56,11 +56,11 @@ int fscrypt_init_hkdf(struct fscrypt_hkdf *hkdf, const u8 *master_key, struct crypto_shash *hmac_tfm; static const u8 default_salt[HKDF_HASHLEN]; u8 prk[HKDF_HASHLEN]; int err; - hmac_tfm = crypto_alloc_shash(HKDF_HMAC_ALG, 0, 0); + hmac_tfm = crypto_alloc_shash(HKDF_HMAC_ALG, 0, FSCRYPT_CRYPTOAPI_MASK); if (IS_ERR(hmac_tfm)) { fscrypt_err(NULL, "Error allocating " HKDF_HMAC_ALG ": %ld", PTR_ERR(hmac_tfm)); return PTR_ERR(hmac_tfm); } diff --git a/fs/crypto/keysetup.c b/fs/crypto/keysetup.c index 0d71843af9469..d8113a7196979 100644 --- a/fs/crypto/keysetup.c +++ b/fs/crypto/keysetup.c @@ -101,11 +101,12 @@ fscrypt_allocate_skcipher(struct fscrypt_mode *mode, const u8 *raw_key, const struct inode *inode) { struct crypto_skcipher *tfm; int err; - tfm = crypto_alloc_skcipher(mode->cipher_str, 0, 0); + tfm = crypto_alloc_skcipher(mode->cipher_str, 0, + FSCRYPT_CRYPTOAPI_MASK); if (IS_ERR(tfm)) { if (PTR_ERR(tfm) == -ENOENT) { fscrypt_warn(inode, "Missing crypto API support for %s (API name: \"%s\")", mode->friendly_name, mode->cipher_str); diff --git a/fs/crypto/keysetup_v1.c b/fs/crypto/keysetup_v1.c index b70521c55132b..158ceae8a5bce 100644 --- a/fs/crypto/keysetup_v1.c +++ b/fs/crypto/keysetup_v1.c @@ -50,11 +50,12 @@ static int derive_key_aes(const u8 *master_key, { int res = 0; struct skcipher_request *req = NULL; DECLARE_CRYPTO_WAIT(wait); struct scatterlist src_sg, dst_sg; - struct crypto_skcipher *tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0); + struct crypto_skcipher *tfm = + crypto_alloc_skcipher("ecb(aes)", 0, FSCRYPT_CRYPTOAPI_MASK); if (IS_ERR(tfm)) { res = PTR_ERR(tfm); tfm = NULL; goto out; base-commit: 19272b37aa4f83ca52bdf9c16d5d81bdd1354494 -- 2.49.0

1 day, 9 hours

1
0
0 0

Reply for - Mobile World Congress Shanghai 2025!

by Delilah Murray

Hi, Just wanted to check if you have received my previous email. Any update for me? Awaiting your reply. Regards, Delilah ___________________________________________________________________________________ From: Delilah Murray Subject: Attendee’s List “Mobile World Congress Shanghai 2025”. Hi, We're excited to offer exclusive access to the “Mobile World Congress Shanghai 2025” Visitor Contact List. Event Recap:- Date: 18 - 20 Jun 2025 Location: Shanghai, China Registrants Counts: 42,276 Visitors Contacts Data Fields Available: Individual Email Address, Cell Phone Number, Contact Name, Job Title, Company Name, Website, Physical Address, LinkedIn Profile, and more. This list gives you a direct line to your ideal audience—no gatekeepers, no guesswork. If you're interested in the list, just reply "Send me Pricing" or sample? Best regards, Delilah Murray Sr. Marketing Manager Prefer not to receive these emails? Just reply “NOT INTERESTED”.

1 day, 13 hours

1
0
0 0

[PATCH v2 0/4] arm64: dts: rockchip: enable further peripherals on ArmSoM Sige5

by Alexey Charkov

Link up the CPU regulators for DVFS, enable WiFi and Bluetooth. Different board versions use different incompatible WiFi/Bluetooth modules so split the version-specific bits out into an overlay. Basic WiFi functionality works even without an overlay, but OOB interrupts and all Bluetooth stuff requires one. My board is v1.2, so the overlay is only provided for it. Signed-off-by: Alexey Charkov <alchark(a)gmail.com> --- Changes in v2: - Expand the commit message for the patch linking CPU regulators and add tags for stable (thanks Nicolas) - Fix the ordering of cpu_b* nodes vs. combphy0_ps (thanks Diederik) - Drop the USB patch, as Nicolas has already posted a more comprehensive series including also the Type-C stuff (thanks Nicolas) - Pick up Nicolas' tags - Split out board version specific WiFi/Bluetooth stuff into an overlay - Link to v1: https://lore.kernel.org/r/20250603-sige5-updates-v1-0-717e8ce4ab77@gmail.com --- Alexey Charkov (4): arm64: dts: rockchip: list all CPU supplies on ArmSoM Sige5 arm64: dts: rockchip: add SDIO controller on RK3576 arm64: dts: rockchip: add version-independent WiFi/BT nodes on Sige5 arm64: dts: rockchip: add overlay for the WiFi/BT module on Sige5 v1.2 arch/arm64/boot/dts/rockchip/Makefile | 5 ++ .../rockchip/rk3576-armsom-sige5-v1.2-wifibt.dtso | 49 +++++++++++++ .../boot/dts/rockchip/rk3576-armsom-sige5.dts | 85 ++++++++++++++++++++++ arch/arm64/boot/dts/rockchip/rk3576.dtsi | 16 ++++ 4 files changed, 155 insertions(+) --- base-commit: 19272b37aa4f83ca52bdf9c16d5d81bdd1354494 change-id: 20250602-sige5-updates-a162b501a1b1 Best regards, -- Alexey Charkov <alchark(a)gmail.com>

1 day, 20 hours

1
1
0 0

Re: Patch "PCI: pciehp: Ignore Link Down/Up caused by Secondary Bus Reset" has been added to the 6.15-stable tree

by Lukas Wunner

[cc += Joel Mathew Thomas] On Tue, Jun 10, 2025 at 08:16:05AM -0400, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > PCI: pciehp: Ignore Link Down/Up caused by Secondary Bus Reset > > to the 6.15-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > pci-pciehp-ignore-link-down-up-caused-by-secondary-b.patch > and it can be found in the queue-6.15 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Hi Sasha, thanks for selecting the above (which is 2af781a9edc4 upstream) as a 6.15 backport. A small feature request, could you amend the stable tooling to cc people tagged as Reported-by and Tested-by? I think they're the ones most interested in seeing something backported. Thanks! Lukas > commit 161a7237de69f65ccfe68da318343f3719149480 > Author: Lukas Wunner <lukas(a)wunner.de> > Date: Thu Apr 10 17:27:12 2025 +0200 > > PCI: pciehp: Ignore Link Down/Up caused by Secondary Bus Reset > > [ Upstream commit 2af781a9edc4ef5f6684c0710cc3542d9be48b31 ] > > When a Secondary Bus Reset is issued at a hotplug port, it causes a Data > Link Layer State Changed event as a side effect. On hotplug ports using > in-band presence detect, it additionally causes a Presence Detect Changed > event. > > These spurious events should not result in teardown and re-enumeration of > the device in the slot. Hence commit 2e35afaefe64 ("PCI: pciehp: Add > reset_slot() method") masked the Presence Detect Changed Enable bit in the > Slot Control register during a Secondary Bus Reset. Commit 06a8d89af551 > ("PCI: pciehp: Disable link notification across slot reset") additionally > masked the Data Link Layer State Changed Enable bit. > > However masking those bits only disables interrupt generation (PCIe r6.2 > sec 6.7.3.1). The events are still visible in the Slot Status register > and picked up by the IRQ handler if it runs during a Secondary Bus Reset. > This can happen if the interrupt is shared or if an unmasked hotplug event > occurs, e.g. Attention Button Pressed or Power Fault Detected. > > The likelihood of this happening used to be small, so it wasn't much of a > problem in practice. That has changed with the recent introduction of > bandwidth control in v6.13-rc1 with commit 665745f27487 ("PCI/bwctrl: > Re-add BW notification portdrv as PCIe BW controller"): > > Bandwidth control shares the interrupt with PCIe hotplug. A Secondary Bus > Reset causes a Link Bandwidth Notification, so the hotplug IRQ handler > runs, picks up the masked events and tears down the device in the slot. > > As a result, Joel reports VFIO passthrough failure of a GPU, which Ilpo > root-caused to the incorrect handling of masked hotplug events. > > Clearly, a more reliable way is needed to ignore spurious hotplug events. > > For Downstream Port Containment, a new ignore mechanism was introduced by > commit a97396c6eb13 ("PCI: pciehp: Ignore Link Down/Up caused by DPC"). > It has been working reliably for the past four years. > > Adapt it for Secondary Bus Resets. > > Introduce two helpers to annotate code sections which cause spurious link > changes: pci_hp_ignore_link_change() and pci_hp_unignore_link_change() > Use those helpers in lieu of masking interrupts in the Slot Control > register. > > Introduce a helper to check whether such a code section is executing > concurrently and if so, await it: pci_hp_spurious_link_change() > Invoke the helper in the hotplug IRQ thread pciehp_ist(). Re-use the > IRQ thread's existing code which ignores DPC-induced link changes unless > the link is unexpectedly down after reset recovery or the device was > replaced during the bus reset. > > That code block in pciehp_ist() was previously only executed if a Data > Link Layer State Changed event has occurred. Additionally execute it for > Presence Detect Changed events. That's necessary for compatibility with > PCIe r1.0 hotplug ports because Data Link Layer State Changed didn't exist > before PCIe r1.1. DPC was added with PCIe r3.1 and thus DPC-capable > hotplug ports always support Data Link Layer State Changed events. > But the same cannot be assumed for Secondary Bus Reset, which already > existed in PCIe r1.0. > > Secondary Bus Reset is only one of many causes of spurious link changes. > Others include runtime suspend to D3cold, firmware updates or FPGA > reconfiguration. The new pci_hp_{,un}ignore_link_change() helpers may be > used by all kinds of drivers to annotate such code sections, hence their > declarations are publicly visible in <linux/pci.h>. A case in point is > the Mellanox Ethernet driver which disables a firmware reset feature if > the Ethernet card is attached to a hotplug port, see commit 3d7a3f2612d7 > ("net/mlx5: Nack sync reset request when HotPlug is enabled"). Going > forward, PCIe hotplug will be able to cope gracefully with all such use > cases once the code sections are properly annotated. > > The new helpers internally use two bits in struct pci_dev's priv_flags as > well as a wait_queue. This mirrors what was done for DPC by commit > a97396c6eb13 ("PCI: pciehp: Ignore Link Down/Up caused by DPC"). That may > be insufficient if spurious link changes are caused by multiple sources > simultaneously. An example might be a Secondary Bus Reset issued by AER > during FPGA reconfiguration. If this turns out to happen in real life, > support for it can easily be added by replacing the PCI_LINK_CHANGING flag > with an atomic_t counter incremented by pci_hp_ignore_link_change() and > decremented by pci_hp_unignore_link_change(). Instead of awaiting a zero > PCI_LINK_CHANGING flag, the pci_hp_spurious_link_change() helper would > then simply await a zero counter. > > Fixes: 665745f27487 ("PCI/bwctrl: Re-add BW notification portdrv as PCIe BW controller") > Reported-by: Joel Mathew Thomas <proxy0(a)tutamail.com> > Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219765 > Signed-off-by: Lukas Wunner <lukas(a)wunner.de> > Signed-off-by: Bjorn Helgaas <bhelgaas(a)google.com> > Tested-by: Joel Mathew Thomas <proxy0(a)tutamail.com> > Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy(a)linux.intel.com> > Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> > Link: https://patch.msgid.link/d04deaf49d634a2edf42bf3c06ed81b4ca54d17b.174429823… > Signed-off-by: Sasha Levin <sashal(a)kernel.org>

1 day, 22 hours

2
1
0 0

Re: Patch "tcp: reorganize tcp_in_ack_event() and tcp_count_delivered()" has been added to the 6.6-stable tree

by Eric Dumazet

On Thu, May 22, 2025 at 3:44 PM Sasha Levin <sashal(a)kernel.org> wrote: > > This is a note to let you know that I've just added the patch titled > > tcp: reorganize tcp_in_ack_event() and tcp_count_delivered() > > to the 6.6-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > tcp-reorganize-tcp_in_ack_event-and-tcp_count_delive.patch > and it can be found in the queue-6.6 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > May I ask why this patch was backported to stable versions ? This is causing a packetdrill test to fail. Ilpo, can you take a look ? # packetdrill --ip_version=ipv6 --mtu=1520 dctcp-plb-simple.pkt dctcp-plb-simple.pkt:49: error handling packet: inconsistent flowlabels for this packet: expected: 0x1c50c vs actual: 0xb867c script packet: 0.032224 P.W 5001:6001(1000) ack 1 <nop,nop,TS val 100 ecr 100> actual packet: 0.032209 P.W 5001:6001(1000) ack 1 win 255 <nop,nop,TS val 124 ecr 100> $ cat dctcp-plb-simple.pkt // DCTCP PLB Test // Check that DCTCP rehashes based on PLB congestion conditions `sysctl -qw net/ipv4/tcp_ecn=1 \ net/ipv4/tcp_congestion_control=dctcp \ net/ipv4/tcp_plb_enabled=1 \ net/ipv4/tcp_rmem="4096 131072 15000000"` // Initialize connection 0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 +0 bind(3, ..., ...) = 0 +0 listen(3, 1) = 0 // ECN handshake: send EW flags in SYN packet, E flag in SYN-ACK response +0 < SEW 0:0(0) win 32792 <mss 1460,sackOK,TS val 100 ecr 100,nop,wscale 6> +0 > (flowlabel 0x1) SE. 0:0(0) ack 1 <mss 1460,sackOK,TS val 100 ecr 100,nop,wscale 8> +0 < . 1:1(0) ack 1 win 257 +0 accept(3, ..., ...) = 4 +0 getsockopt(4, IPPROTO_TCP, TCP_CONGESTION, "dctcp", [5]) = 0 +0 write(4, ..., 1000) = 1000 +0 > (flowlabel 0x1) P. 1:1001(1000) ack 1 <nop,nop,TS val 100 ecr 100> +0 < . 1:1(0) ack 1001 win 1000 <nop,nop,TS val 100 ecr 100> // no ECN mark, flowlabel won't change. +0 write(4, ..., 1000) = 1000 +0 > (flowlabel 0x1) P. 1001:2001(1000) ack 1 <nop,nop,TS val 100 ecr 100> +0 < . 1:1(0) ack 2001 win 1000 <nop,nop,TS val 100 ecr 100> // No packets ECN-marked. +0 write(4, ..., 1000) = 1000 +0 > (flowlabel 0x1) P. 2001:3001(1000) ack 1 <nop,nop,TS val 100 ecr 100> +0 < E. 1:1(0) ack 3001 win 1000 <nop,nop,TS val 100 ecr 100> // ECN-marked. 1 congested round. +0 write(4, ..., 1000) = 1000 +0 > (flowlabel 0x1) PW. 3001:4001(1000) ack 1 <nop,nop,TS val 100 ecr 100> +0 < E. 1:1(0) ack 4001 win 1000 <nop,nop,TS val 100 ecr 100> // ECN-marked. 2 congested round. +0 write(4, ..., 1000) = 1000 +0 > (flowlabel 0x1) PW. 4001:5001(1000) ack 1 <nop,nop,TS val 100 ecr 100> +0 < E. 1:1(0) ack 5001 win 1000 <nop,nop,TS val 100 ecr 100> // ECN-marked. 3 congested round. +0 write(4, ..., 1000) = 1000 // Flowlabel will change next round +0 > (flowlabel 0x1) PW. 5001:6001(1000) ack 1 <nop,nop,TS val 100 ecr 100> +0 < . 1:1(0) ack 6001 win 1000 <nop,nop,TS val 100 ecr 100> // No packets ECN-marked. 0 congested round. +0 write(4, ..., 1000) = 1000 +0 > (flowlabel 0x2) P. 6001:7001(1000) ack 1 <nop,nop,TS val 100 ecr 100> +0 < . 1:1(0) ack 7001 win 1000 <nop,nop,TS val 100 ecr 100> // No packets ECN-marked. Verify new flowlabel +0 write(4, ..., 1000) = 1000 +0 > (flowlabel 0x2) P. 7001:8001(1000) ack 1 <nop,nop,TS val 100 ecr 100> +0 < . 1:1(0) ack 8001 win 1000 <nop,nop,TS val 100 ecr 100> // No packets ECN-marked. New flowlabel should stick > > commit c39f5ebea6713c908f64e4682c26d144d9a659de > Author: Ilpo Järvinen <ij(a)kernel.org> > Date: Wed Mar 5 23:38:41 2025 +0100 > > tcp: reorganize tcp_in_ack_event() and tcp_count_delivered() > > [ Upstream commit 149dfb31615e22271d2525f078c95ea49bc4db24 ] > > - Move tcp_count_delivered() earlier and split tcp_count_delivered_ce() > out of it > - Move tcp_in_ack_event() later > - While at it, remove the inline from tcp_in_ack_event() and let > the compiler to decide > > Accurate ECN's heuristics does not know if there is going > to be ACE field based CE counter increase or not until after > rtx queue has been processed. Only then the number of ACKed > bytes/pkts is available. As CE or not affects presence of > FLAG_ECE, that information for tcp_in_ack_event is not yet > available in the old location of the call to tcp_in_ack_event(). > > Signed-off-by: Ilpo Järvinen <ij(a)kernel.org> > Signed-off-by: Chia-Yu Chang <chia-yu.chang(a)nokia-bell-labs.com> > Signed-off-by: David S. Miller <davem(a)davemloft.net> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c > index 10d38ec0ff5ac..a172248b66783 100644 > --- a/net/ipv4/tcp_input.c > +++ b/net/ipv4/tcp_input.c > @@ -425,6 +425,20 @@ static bool tcp_ecn_rcv_ecn_echo(const struct tcp_sock *tp, const struct tcphdr > return false; > } > > +static void tcp_count_delivered_ce(struct tcp_sock *tp, u32 ecn_count) > +{ > + tp->delivered_ce += ecn_count; > +} > + > +/* Updates the delivered and delivered_ce counts */ > +static void tcp_count_delivered(struct tcp_sock *tp, u32 delivered, > + bool ece_ack) > +{ > + tp->delivered += delivered; > + if (ece_ack) > + tcp_count_delivered_ce(tp, delivered); > +} > + > /* Buffer size and advertised window tuning. > * > * 1. Tuning sk->sk_sndbuf, when connection enters established state. > @@ -1137,15 +1151,6 @@ void tcp_mark_skb_lost(struct sock *sk, struct sk_buff *skb) > } > } > > -/* Updates the delivered and delivered_ce counts */ > -static void tcp_count_delivered(struct tcp_sock *tp, u32 delivered, > - bool ece_ack) > -{ > - tp->delivered += delivered; > - if (ece_ack) > - tp->delivered_ce += delivered; > -} > - > /* This procedure tags the retransmission queue when SACKs arrive. > * > * We have three tag bits: SACKED(S), RETRANS(R) and LOST(L). > @@ -3816,12 +3821,23 @@ static void tcp_process_tlp_ack(struct sock *sk, u32 ack, int flag) > } > } > > -static inline void tcp_in_ack_event(struct sock *sk, u32 flags) > +static void tcp_in_ack_event(struct sock *sk, int flag) > { > const struct inet_connection_sock *icsk = inet_csk(sk); > > - if (icsk->icsk_ca_ops->in_ack_event) > - icsk->icsk_ca_ops->in_ack_event(sk, flags); > + if (icsk->icsk_ca_ops->in_ack_event) { > + u32 ack_ev_flags = 0; > + > + if (flag & FLAG_WIN_UPDATE) > + ack_ev_flags |= CA_ACK_WIN_UPDATE; > + if (flag & FLAG_SLOWPATH) { > + ack_ev_flags |= CA_ACK_SLOWPATH; > + if (flag & FLAG_ECE) > + ack_ev_flags |= CA_ACK_ECE; > + } > + > + icsk->icsk_ca_ops->in_ack_event(sk, ack_ev_flags); > + } > } > > /* Congestion control has updated the cwnd already. So if we're in > @@ -3938,12 +3954,8 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag) > tcp_snd_una_update(tp, ack); > flag |= FLAG_WIN_UPDATE; > > - tcp_in_ack_event(sk, CA_ACK_WIN_UPDATE); > - > NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPHPACKS); > } else { > - u32 ack_ev_flags = CA_ACK_SLOWPATH; > - > if (ack_seq != TCP_SKB_CB(skb)->end_seq) > flag |= FLAG_DATA; > else > @@ -3955,19 +3967,12 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag) > flag |= tcp_sacktag_write_queue(sk, skb, prior_snd_una, > &sack_state); > > - if (tcp_ecn_rcv_ecn_echo(tp, tcp_hdr(skb))) { > + if (tcp_ecn_rcv_ecn_echo(tp, tcp_hdr(skb))) > flag |= FLAG_ECE; > - ack_ev_flags |= CA_ACK_ECE; > - } > > if (sack_state.sack_delivered) > tcp_count_delivered(tp, sack_state.sack_delivered, > flag & FLAG_ECE); > - > - if (flag & FLAG_WIN_UPDATE) > - ack_ev_flags |= CA_ACK_WIN_UPDATE; > - > - tcp_in_ack_event(sk, ack_ev_flags); > } > > /* This is a deviation from RFC3168 since it states that: > @@ -3994,6 +3999,8 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag) > > tcp_rack_update_reo_wnd(sk, &rs); > > + tcp_in_ack_event(sk, flag); > + > if (tp->tlp_high_seq) > tcp_process_tlp_ack(sk, ack, flag); > > @@ -4025,6 +4032,7 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag) > return 1; > > no_queue: > + tcp_in_ack_event(sk, flag); > /* If data was DSACKed, see if we can undo a cwnd reduction. */ > if (flag & FLAG_DSACKING_ACK) { > tcp_fastretrans_alert(sk, prior_snd_una, num_dupack, &flag,

2 days

4
3
0 0

[PATCH 6.1 00/23] fixes from 6.11 for 6.1.y

by Leah Rumancik

Hello again, This is a series for 6.1.y for fixes from 6.11. It corresponds to the 6.6.y series here: https://lore.kernel.org/linux-xfs/20241218191725.63098-1-catherine.hoang@or… During porting, I noticed 6.1.y was missing a fix series from 6.5 that is a dependency of the fixes from 6.11 so I included those first. These were tested via the auto group on 9 configs with no regressions seen. These were also already ack'd on the xfs-stable mailing list. series from 6.5: https://lore.kernel.org/linux-xfs/168506055189.3727958.722711918040129046.s… 63ef7a35912d xfs: fix interval filtering in multi-step fsmap queries 7975aba19cba xfs: fix integer overflows in the fsmap rtbitmap and logdev backends d898137d789c xfs: fix getfsmap reporting past the last rt extent f045dd00328d xfs: clean up the rtbitmap fsmap backend a949a1c2a198 xfs: fix logdev fsmap query result filtering 3ee9351e7490 xfs: validate fsmap offsets specified in the query keys 75dc03453122 xfs: fix xfs_btree_query_range callers to initialize btree rec fully fix of 63ef7a35912dd ("xfs: fix interval filtering in multi-step fsmap queries") https://lore.kernel.org/linux-xfs/169335025661.3518128.12423331693506002020… cfa2df68b7ce xfs: fix an agbno overflow in __xfs_getfsmap_datadev 6.6 series for 6.11: https://lore.kernel.org/linux-xfs/20241218191725.63098-1-catherine.hoang@or… 85d0947db262 xfs: fix the contact address for the sysfs ABI documentation c08d03996cea xfs: verify buffer, inode, and dquot items every tx commit ff627196ddc1 xfs: use consistent uid/gid when grabbing dquots for inodes 7531c9ab2e55 xfs: declare xfs_file.c symbols in xfs_file.h c070b8802159 xfs: create a new helper to return a file's allocation unit 2e63ed9b0175 xfs: Fix xfs_flush_unmap_range() range for RT fe962ab3c4f1 xfs: Fix xfs_prepare_shift() range for RT ca96d83c9307 xfs: don't walk off the end of a directory data block 27336a327b40 xfs: remove unused parameter in macro XFS_DQUOT_LOGRES b2dcbd8a928c xfs: attr forks require attr, not attr2 4a82db7a4b73 xfs: conditionally allow FS_XFLAG_REALTIME changes if S_DAX is set 9fadc53d793c xfs: Fix the owner setting issue for rmap query in xfs fsmap 35bd108619c2 xfs: use XFS_BUF_DADDR_NULL for daddrs in getfsmap code 29fcb5fef608 xfs: take m_growlock when running growfsrt e5d1ae2d4d0b xfs: reset rootdir extent size hint after growfsrt [skipped for 6.1 as scrub is not supported in 6.1:] cb95cb2450e3 xfs: convert comma to semicolon 1bee32f33c0a xfs: fix file_path handling in tracepoints - Leah Christoph Hellwig (1): xfs: fix the contact address for the sysfs ABI documentation Darrick J. Wong (17): xfs: fix interval filtering in multi-step fsmap queries xfs: fix integer overflows in the fsmap rtbitmap and logdev backends xfs: fix getfsmap reporting past the last rt extent xfs: clean up the rtbitmap fsmap backend xfs: fix logdev fsmap query result filtering xfs: validate fsmap offsets specified in the query keys xfs: fix xfs_btree_query_range callers to initialize btree rec fully xfs: fix an agbno overflow in __xfs_getfsmap_datadev xfs: verify buffer, inode, and dquot items every tx commit xfs: use consistent uid/gid when grabbing dquots for inodes xfs: declare xfs_file.c symbols in xfs_file.h xfs: create a new helper to return a file's allocation unit xfs: attr forks require attr, not attr2 xfs: conditionally allow FS_XFLAG_REALTIME changes if S_DAX is set xfs: use XFS_BUF_DADDR_NULL for daddrs in getfsmap code xfs: take m_growlock when running growfsrt xfs: reset rootdir extent size hint after growfsrt John Garry (2): xfs: Fix xfs_flush_unmap_range() range for RT xfs: Fix xfs_prepare_shift() range for RT Julian Sun (1): xfs: remove unused parameter in macro XFS_DQUOT_LOGRES Zizhi Wo (1): xfs: Fix the owner setting issue for rmap query in xfs fsmap lei lu (1): xfs: don't walk off the end of a directory data block Documentation/ABI/testing/sysfs-fs-xfs | 8 +- fs/xfs/Kconfig | 12 ++ fs/xfs/libxfs/xfs_alloc.c | 10 +- fs/xfs/libxfs/xfs_dir2_data.c | 31 ++- fs/xfs/libxfs/xfs_dir2_priv.h | 7 + fs/xfs/libxfs/xfs_quota_defs.h | 2 +- fs/xfs/libxfs/xfs_refcount.c | 13 +- fs/xfs/libxfs/xfs_rmap.c | 10 +- fs/xfs/libxfs/xfs_trans_resv.c | 28 +-- fs/xfs/scrub/bmap.c | 8 +- fs/xfs/xfs.h | 4 + fs/xfs/xfs_bmap_util.c | 22 +- fs/xfs/xfs_buf_item.c | 32 +++ fs/xfs/xfs_dquot_item.c | 31 +++ fs/xfs/xfs_file.c | 33 ++- fs/xfs/xfs_file.h | 15 ++ fs/xfs/xfs_fsmap.c | 266 ++++++++++++++----------- fs/xfs/xfs_inode.c | 29 ++- fs/xfs/xfs_inode.h | 2 + fs/xfs/xfs_inode_item.c | 32 +++ fs/xfs/xfs_ioctl.c | 12 ++ fs/xfs/xfs_iops.c | 1 + fs/xfs/xfs_iops.h | 3 - fs/xfs/xfs_rtalloc.c | 78 ++++++-- fs/xfs/xfs_symlink.c | 8 +- fs/xfs/xfs_trace.h | 25 +++ 26 files changed, 505 insertions(+), 217 deletions(-) create mode 100644 fs/xfs/xfs_file.h -- 2.50.0.rc1.591.g9c95f17f64-goog

2 days

2
24
0 0

Backport sh-sci fixes to 6.12.y

by Claudiu Beznea

Hi, stable team, Please backport the following commits to 6.12.y: 1/ 239f11209e5f ("serial: sh-sci: Move runtime PM enable to sci_probe_single()") 2/ 5f1017069933 ("serial: sh-sci: Clean sci_ports[0] after at earlycon exit") 3/ 651dee03696e ("serial: sh-sci: Increment the runtime usage counter for the earlycon device") These applies cleanly on top of 6.12.y (if applied in the order provided above) and fix the debug console on Renesas devices. Thank you, Claudiu Beznea

2 days

2
3
0 0

[PATCH AUTOSEL 6.15 001/118] net: macb: Check return value of dma_set_mask_and_coherent()

by Sasha Levin

From: Sergio Perez Gonzalez <sperezglz(a)gmail.com> [ Upstream commit 3920a758800762917177a6b5ab39707d8e376fe6 ] Issue flagged by coverity. Add a safety check for the return value of dma_set_mask_and_coherent, go to a safe exit if it returns error. Link: https://scan7.scan.coverity.com/#/project-view/53936/11354?selectedIssue=16… Signed-off-by: Sergio Perez Gonzalez <sperezglz(a)gmail.com> Reviewed-by: Claudiu Beznea <claudiu.beznea(a)tuxon.dev> Link: https://patch.msgid.link/20250526032034.84900-1-sperezglz@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- Based on my analysis of the commit and the codebase context, here's my assessment: **YES** This commit should be backported to stable kernel trees. Here's my extensive analysis: ## Code Analysis The commit adds proper error checking for `dma_set_mask_and_coherent()` in the macb network driver. Looking at the specific changes: **Before the fix:** ```c if (GEM_BFEXT(DAW64, gem_readl(bp, DCFG6))) { dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(44)); bp->hw_dma_cap |= HW_DMA_CAP_64B; } ``` **After the fix:** ```c if (GEM_BFEXT(DAW64, gem_readl(bp, DCFG6))) { err = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(44)); if (err) { dev_err(&pdev->dev, "failed to set DMA mask\n"); goto err_out_free_netdev; } bp->hw_dma_cap |= HW_DMA_CAP_64B; } ``` ## Why this should be backported: 1. **Fixes a Real Bug**: The original code ignores the return value of `dma_set_mask_and_coherent()`. If this function fails (which can happen on systems with restricted DMA capabilities), the driver would continue execution assuming 44-bit DMA addressing is available when it's not, leading to potential memory corruption or system crashes. 2. **Small, Contained Fix**: This is a minimal change that only adds proper error checking without changing any core logic or introducing new features. It follows the stable tree principle of being a small, targeted bugfix. 3. **Follows Established Patterns**: Looking at the similar commits provided, this matches exactly the pattern of commits marked "YES" for backporting (commits #1, #2, and #5) which all add proper error checking for DMA mask functions. 4. **Critical Network Driver**: The macb driver is used in production systems, and DMA-related bugs can cause data corruption or system instability, making this a high-priority fix for stable trees. 5. **Proper Error Handling Path**: The fix correctly uses the existing `err_out_free_netdev` label, which properly cleans up allocated resources (line 5373-5383 in macb_main.c), preventing resource leaks when DMA setup fails. 6. **Static Analysis Tool Flagged**: The commit message mentions this was flagged by Coverity, indicating it's a legitimate code quality issue that could manifest as a runtime bug. 7. **Matches Stable Tree Criteria**: - Important bugfix ✓ - Minimal risk of regression ✓ - No architectural changes ✓ - Confined to one driver/subsystem ✓ - Clear side effects (proper cleanup on failure) ✓ This commit addresses the same class of vulnerability as the other "YES" examples: ignoring return values of critical DMA functions that can fail and lead to undefined behavior. The fix is surgical, safe, and addresses a genuine runtime issue in a widely-used network driver. drivers/net/ethernet/cadence/macb_main.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c index e1e8bd2ec155b..d1f1ae5ea161c 100644 --- a/drivers/net/ethernet/cadence/macb_main.c +++ b/drivers/net/ethernet/cadence/macb_main.c @@ -5283,7 +5283,11 @@ static int macb_probe(struct platform_device *pdev) #ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT if (GEM_BFEXT(DAW64, gem_readl(bp, DCFG6))) { - dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(44)); + err = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(44)); + if (err) { + dev_err(&pdev->dev, "failed to set DMA mask\n"); + goto err_out_free_netdev; + } bp->hw_dma_cap |= HW_DMA_CAP_64B; } #endif -- 2.39.5

2 days, 9 hours

6
126
0 0

[PATCH 0/8] Fix bcache regression with equality-aware heap APIs

by Kuan-Wei Chiu

This patch series introduces equality-aware variants of the min heap API that use a top-down heapify strategy to improve performance when many elements are equal under the comparison function. It also updates the documentation accordingly and modifies bcache to use the new APIs to fix a performance regression caused by the switch to the generic min heap library. In particular, invalidate_buckets_lru() in bcache suffered from increased comparison overhead due to the bottom-up strategy introduced in commit 866898efbb25 ("bcache: remove heap-related macros and switch to generic min_heap"). The regression is addressed by switching to the equality-aware variants and using the inline versions to avoid function call overhead in this hot path. Cc: stable(a)vger.kernel.org --- To avoid duplicated effort and expedite resolution, Robert kindly agreed that I should submit my already-completed series instead. Many thanks to him for his cooperation and support. Kuan-Wei Chiu (8): lib min_heap: Add equal-elements-aware sift_down variant lib min_heap: Add typedef for sift_down function pointer lib min_heap: add eqaware variant of min_heapify_all() lib min_heap: add eqaware variant of min_heap_pop() lib min_heap: add eqaware variant of min_heap_pop_push() lib min_heap: add eqaware variant of min_heap_del() Documentation/core-api: min_heap: Document _eqaware variants of min-heap APIs bcache: Fix the tail IO latency regression by using equality-aware min heap API Documentation/core-api/min_heap.rst | 20 +++++ drivers/md/bcache/alloc.c | 15 ++-- include/linux/min_heap.h | 131 +++++++++++++++++++++++----- lib/min_heap.c | 23 +++-- 4 files changed, 154 insertions(+), 35 deletions(-) -- 2.34.1

2 days, 12 hours

3
17
0 0

+ mm-huge_memory-dont-ignore-queried-cachemode-in-vmf_insert_pfn_pud.patch added to mm-unstable branch

by Andrew Morton

The patch titled Subject: mm/huge_memory: don't ignore queried cachemode in vmf_insert_pfn_pud() has been added to the -mm mm-unstable branch. Its filename is mm-huge_memory-dont-ignore-queried-cachemode-in-vmf_insert_pfn_pud.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: David Hildenbrand <david(a)redhat.com> Subject: mm/huge_memory: don't ignore queried cachemode in vmf_insert_pfn_pud() Date: Fri, 13 Jun 2025 11:27:00 +0200 Patch series "mm/huge_memory: vmf_insert_folio_*() and vmf_insert_pfn_pud() fixes", v3. While working on improving vm_normal_page() and friends, I stumbled over this issues: refcounted "normal" folios must not be marked using pmd_special() / pud_special(). Otherwise, we're effectively telling the system that these folios are no "normal", violating the rules we documented for vm_normal_page(). Fortunately, there are not many pmd_special()/pud_special() users yet. So far there doesn't seem to be serious damage. Tested using the ndctl tests ("ndctl:dax" suite). This patch (of 3): We set up the cache mode but ... don't forward the updated pgprot to insert_pfn_pud(). Only a problem on x86-64 PAT when mapping PFNs using PUDs that require a special cachemode. Fix it by using the proper pgprot where the cachemode was setup. It is unclear in which configurations we would get the cachemode wrong: through vfio seems possible. Getting cachemodes wrong is usually ... bad. As the fix is easy, let's backport it to stable. Identified by code inspection. Link: https://lkml.kernel.org/r/20250613092702.1943533-1-david@redhat.com Link: https://lkml.kernel.org/r/20250613092702.1943533-2-david@redhat.com Fixes: 7b806d229ef1 ("mm: remove vmf_insert_pfn_xxx_prot() for huge page-table entries") Signed-off-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Dan Williams <dan.j.williams(a)intel.com> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Jason Gunthorpe <jgg(a)nvidia.com> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Tested-by: Dan Williams <dan.j.williams(a)intel.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Mariano Pache <npache(a)redhat.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Zi Yan <ziy(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/huge_memory.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) --- a/mm/huge_memory.c~mm-huge_memory-dont-ignore-queried-cachemode-in-vmf_insert_pfn_pud +++ a/mm/huge_memory.c @@ -1516,10 +1516,9 @@ static pud_t maybe_pud_mkwrite(pud_t pud } static void insert_pfn_pud(struct vm_area_struct *vma, unsigned long addr, - pud_t *pud, pfn_t pfn, bool write) + pud_t *pud, pfn_t pfn, pgprot_t prot, bool write) { struct mm_struct *mm = vma->vm_mm; - pgprot_t prot = vma->vm_page_prot; pud_t entry; if (!pud_none(*pud)) { @@ -1581,7 +1580,7 @@ vm_fault_t vmf_insert_pfn_pud(struct vm_ pfnmap_setup_cachemode_pfn(pfn_t_to_pfn(pfn), &pgprot); ptl = pud_lock(vma->vm_mm, vmf->pud); - insert_pfn_pud(vma, addr, vmf->pud, pfn, write); + insert_pfn_pud(vma, addr, vmf->pud, pfn, pgprot, write); spin_unlock(ptl); return VM_FAULT_NOPAGE; @@ -1625,7 +1624,7 @@ vm_fault_t vmf_insert_folio_pud(struct v add_mm_counter(mm, mm_counter_file(folio), HPAGE_PUD_NR); } insert_pfn_pud(vma, addr, vmf->pud, pfn_to_pfn_t(folio_pfn(folio)), - write); + vma->vm_page_prot, write); spin_unlock(ptl); return VM_FAULT_NOPAGE; _ Patches currently in -mm which might be from david(a)redhat.com are mm-gup-revert-mm-gup-fix-infinite-loop-within-__get_longterm_locked.patch mm-gup-remove-vm_bug_ons.patch mm-gup-remove-vm_bug_ons-fix.patch mm-huge_memory-dont-ignore-queried-cachemode-in-vmf_insert_pfn_pud.patch mm-huge_memory-dont-mark-refcounted-folios-special-in-vmf_insert_folio_pmd.patch mm-huge_memory-dont-mark-refcounted-folios-special-in-vmf_insert_folio_pud.patch

2 days, 14 hours

1
0
0 0

[PATCH 1/1] Drivers: hv: Select CONFIG_SYSFB only if EFI is enabled

by mhkelley58＠gmail.com

From: Michael Kelley <mhklinux(a)outlook.com> Commit 96959283a58d ("Drivers: hv: Always select CONFIG_SYSFB for Hyper-V guests") selects CONFIG_SYSFB for Hyper-V guests so that screen_info is available to the VMBus driver to get the location of the framebuffer in Generation 2 VMs. However, if CONFIG_HYPERV is enabled but CONFIG_EFI is not, a kernel link error results in ARM64 builds because screen_info is provided by the EFI firmware interface. While configuring an ARM64 Hyper-V guest without EFI isn't useful since EFI is required to boot, the configuration is still possible and the link error should be prevented. Fix this by making the selection of CONFIG_SYSFB conditional on CONFIG_EFI being defined. For Generation 1 VMs on x86/x64, which don't use EFI, the additional condition is OK because such VMs get the framebuffer information via a mechanism that doesn't use screen_info. Fixes: 96959283a58d ("Drivers: hv: Always select CONFIG_SYSFB for Hyper-V guests") Reported-by: Arnd Bergmann <arnd(a)arndb.de> Closes: https://lore.kernel.org/linux-hyperv/20250610091810.2638058-1-arnd@kernel.o… Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202506080820.1wmkQufc-lkp@intel.com/ Signed-off-by: Michael Kelley <mhklinux(a)outlook.com> --- drivers/hv/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hv/Kconfig b/drivers/hv/Kconfig index 1cd188b73b74..57623ca7f350 100644 --- a/drivers/hv/Kconfig +++ b/drivers/hv/Kconfig @@ -9,7 +9,7 @@ config HYPERV select PARAVIRT select X86_HV_CALLBACK_VECTOR if X86 select OF_EARLY_FLATTREE if OF - select SYSFB if !HYPERV_VTL_MODE + select SYSFB if EFI && !HYPERV_VTL_MODE help Select this option to run Linux as a Hyper-V client operating system. -- 2.25.1

2 days, 15 hours

2
1
0 0

[PATCH v4 4/5] scsi: fnic: Turn off FDMI ACTIVE flags on link down

by Karan Tilak Kumar

When the link goes down and comes up, FDMI requests are not sent out anymore. Fix bug by turning off FNIC_FDMI_ACTIVE when the link goes down. Fixes: 09c1e6ab4ab2 ("scsi: fnic: Add and integrate support for FDMI") Reviewed-by: Sesidhar Baddela <sebaddel(a)cisco.com> Reviewed-by: Arulprabhu Ponnusamy <arulponn(a)cisco.com> Reviewed-by: Gian Carlo Boffa <gcboffa(a)cisco.com> Reviewed-by: Arun Easi <aeasi(a)cisco.com> Tested-by: Karan Tilak Kumar <kartilak(a)cisco.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Karan Tilak Kumar <kartilak(a)cisco.com> --- Changes between v3 and v4: - Incorporate review comments from Dan: - Remove comments from Cc tag Changes between v2 and v3: - Incorporate review comments from Dan: - Add Cc to stable Changes between v1 and v2: - Incorporate review comments from Dan: - Add Fixes tag --- drivers/scsi/fnic/fdls_disc.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/fnic/fdls_disc.c b/drivers/scsi/fnic/fdls_disc.c index 9e9939d41fa8..14691db4d5f9 100644 --- a/drivers/scsi/fnic/fdls_disc.c +++ b/drivers/scsi/fnic/fdls_disc.c @@ -5078,9 +5078,12 @@ void fnic_fdls_link_down(struct fnic_iport_s *iport) fdls_delete_tport(iport, tport); } - if ((fnic_fdmi_support == 1) && (iport->fabric.fdmi_pending > 0)) { - timer_delete_sync(&iport->fabric.fdmi_timer); - iport->fabric.fdmi_pending = 0; + if (fnic_fdmi_support == 1) { + if (iport->fabric.fdmi_pending > 0) { + timer_delete_sync(&iport->fabric.fdmi_timer); + iport->fabric.fdmi_pending = 0; + } + iport->flags &= ~FNIC_FDMI_ACTIVE; } FNIC_FCS_DBG(KERN_INFO, fnic->host, fnic->fnic_num, -- 2.47.1

2 days, 16 hours

3
2
0 0

[PATCH 1/3] mtd: spinand: winbond: Fix W35N number of planes/LUN

by Miquel Raynal

There's been a mistake when extracting the geometry of the W35N02 and W35N04 chips from the datasheet. There is a single plane, however there are respectively 2 and 4 LUNs. They are actually referred in the datasheet as dies (equivalent of target), but as there is no die select operation and the chips only feature a single configuration register for the entire chip (instead of one per die), we can reasonably assume we are talking about LUNs and not dies. Reported-by: Andreas Dannenberg <dannenberg(a)ti.com> Suggested-by: Vignesh Raghavendra <vigneshr(a)ti.com> Fixes: 25e08bf66660 ("mtd: spinand: winbond: Add support for W35N02JW and W35N04JW chips") Cc: stable(a)vger.kernel.org Signed-off-by: Miquel Raynal <miquel.raynal(a)bootlin.com> --- drivers/mtd/nand/spi/winbond.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/mtd/nand/spi/winbond.c b/drivers/mtd/nand/spi/winbond.c index 19f8dd4a6370..2808bbd7a16e 100644 --- a/drivers/mtd/nand/spi/winbond.c +++ b/drivers/mtd/nand/spi/winbond.c @@ -289,7 +289,7 @@ static const struct spinand_info winbond_spinand_table[] = { SPINAND_ECCINFO(&w35n01jw_ooblayout, NULL)), SPINAND_INFO("W35N02JW", /* 1.8V */ SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xdf, 0x22), - NAND_MEMORG(1, 4096, 128, 64, 512, 10, 2, 1, 1), + NAND_MEMORG(1, 4096, 128, 64, 512, 10, 1, 2, 1), NAND_ECCREQ(1, 512), SPINAND_INFO_OP_VARIANTS(&read_cache_octal_variants, &write_cache_octal_variants, @@ -298,7 +298,7 @@ static const struct spinand_info winbond_spinand_table[] = { SPINAND_ECCINFO(&w35n01jw_ooblayout, NULL)), SPINAND_INFO("W35N04JW", /* 1.8V */ SPINAND_ID(SPINAND_READID_METHOD_OPCODE_DUMMY, 0xdf, 0x23), - NAND_MEMORG(1, 4096, 128, 64, 512, 10, 4, 1, 1), + NAND_MEMORG(1, 4096, 128, 64, 512, 10, 1, 4, 1), NAND_ECCREQ(1, 512), SPINAND_INFO_OP_VARIANTS(&read_cache_octal_variants, &write_cache_octal_variants, -- 2.48.1

2 days, 20 hours

1
0
0 0

[PATCH net] virtio-net: drop the multi-buffer XDP packet in zerocopy

by Bui Quang Minh

In virtio-net, we have not yet supported multi-buffer XDP packet in zerocopy mode when there is a binding XDP program. However, in that case, when receiving multi-buffer XDP packet, we skip the XDP program and return XDP_PASS. As a result, the packet is passed to normal network stack which is an incorrect behavior. This commit instead returns XDP_DROP in that case. Fixes: 99c861b44eb1 ("virtio_net: xsk: rx: support recv merge mode") Cc: stable(a)vger.kernel.org Signed-off-by: Bui Quang Minh <minhquangbui99(a)gmail.com> --- drivers/net/virtio_net.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index e53ba600605a..4c35324d6e5b 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -1309,9 +1309,14 @@ static struct sk_buff *virtnet_receive_xsk_merge(struct net_device *dev, struct ret = XDP_PASS; rcu_read_lock(); prog = rcu_dereference(rq->xdp_prog); - /* TODO: support multi buffer. */ - if (prog && num_buf == 1) - ret = virtnet_xdp_handler(prog, xdp, dev, xdp_xmit, stats); + if (prog) { + /* TODO: support multi buffer. */ + if (num_buf == 1) + ret = virtnet_xdp_handler(prog, xdp, dev, xdp_xmit, + stats); + else + ret = XDP_DROP; + } rcu_read_unlock(); switch (ret) { -- 2.43.0

2 days, 22 hours

6
14
0 0

Re: [PATCH net-next v9 2/2] page_pool: Track DMA-mapped pages and unmap them when destroying the pool

by Jakub Kicinski

On Fri, 13 Jun 2025 10:41:10 +0200 Toke Høiland-Jørgensen wrote: > Jakub Kicinski <kuba(a)kernel.org> writes: > > > On Thu, 12 Jun 2025 09:25:30 +0200 Toke Høiland-Jørgensen wrote: > >> Hmm, okay, guess we should ask Sasha to drop these, then? > >> > >> https://lore.kernel.org/r/20250610122811.1567780-1-sashal@kernel.org > >> https://lore.kernel.org/r/20250610120306.1543986-1-sashal@kernel.org > > > > These links don't work for me? > > Oh, sorry, didn't realise the stable notifications are not archived on > lore. Here are the patches in the stable queue: > > https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tre… > https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tre… > https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tre… > https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tre… Thanks! Sasha, could we drop these please? They need more mileage before we send them to LTS.

2 days, 23 hours

1
0
0 0

[PATCH v2] leds: flash: leds-qcom-flash: Fix registry access after re-bind

by Krzysztof Kozlowski

Driver in probe() updates each of 'reg_field' with 'reg_base': for (i = 0; i < REG_MAX_COUNT; i++) regs[i].reg += reg_base; 'reg_field' array (under variable 'regs' above) is statically allocated, thus each re-bind would add another 'reg_base' leading to bogus register addresses. Constify the local 'reg_field' array and duplicate it in probe to solve this. Fixes: 96a2e242a5dc ("leds: flash: Add driver to support flash LED module in QCOM PMICs") Cc: <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- Changes in v2: 1. Fix sizeof() argument (Fenglin Wu) This is a nice example why constifying static memory is useful. --- drivers/leds/flash/leds-qcom-flash.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/drivers/leds/flash/leds-qcom-flash.c b/drivers/leds/flash/leds-qcom-flash.c index b4c19be51c4d..89cf5120f5d5 100644 --- a/drivers/leds/flash/leds-qcom-flash.c +++ b/drivers/leds/flash/leds-qcom-flash.c @@ -117,7 +117,7 @@ enum { REG_MAX_COUNT, }; -static struct reg_field mvflash_3ch_regs[REG_MAX_COUNT] = { +static const struct reg_field mvflash_3ch_regs[REG_MAX_COUNT] = { REG_FIELD(0x08, 0, 7), /* status1 */ REG_FIELD(0x09, 0, 7), /* status2 */ REG_FIELD(0x0a, 0, 7), /* status3 */ @@ -132,7 +132,7 @@ static struct reg_field mvflash_3ch_regs[REG_MAX_COUNT] = { REG_FIELD(0x58, 0, 2), /* therm_thrsh3 */ }; -static struct reg_field mvflash_4ch_regs[REG_MAX_COUNT] = { +static const struct reg_field mvflash_4ch_regs[REG_MAX_COUNT] = { REG_FIELD(0x06, 0, 7), /* status1 */ REG_FIELD(0x07, 0, 6), /* status2 */ REG_FIELD(0x09, 0, 7), /* status3 */ @@ -854,11 +854,17 @@ static int qcom_flash_led_probe(struct platform_device *pdev) if (val == FLASH_SUBTYPE_3CH_PM8150_VAL || val == FLASH_SUBTYPE_3CH_PMI8998_VAL) { flash_data->hw_type = QCOM_MVFLASH_3CH; flash_data->max_channels = 3; - regs = mvflash_3ch_regs; + regs = devm_kmemdup(dev, mvflash_3ch_regs, sizeof(mvflash_3ch_regs), + GFP_KERNEL); + if (!regs) + return -ENOMEM; } else if (val == FLASH_SUBTYPE_4CH_VAL) { flash_data->hw_type = QCOM_MVFLASH_4CH; flash_data->max_channels = 4; - regs = mvflash_4ch_regs; + regs = devm_kmemdup(dev, mvflash_4ch_regs, sizeof(mvflash_4ch_regs), + GFP_KERNEL); + if (!regs) + return -ENOMEM; rc = regmap_read(regmap, reg_base + FLASH_REVISION_REG, &val); if (rc < 0) { @@ -880,6 +886,7 @@ static int qcom_flash_led_probe(struct platform_device *pdev) dev_err(dev, "Failed to allocate regmap field, rc=%d\n", rc); return rc; } + devm_kfree(dev, regs); /* devm_regmap_field_bulk_alloc() makes copies */ platform_set_drvdata(pdev, flash_data); mutex_init(&flash_data->lock); -- 2.45.2

3 days

3
2
0 0

[PATCH v2] mfd: cros_ec: Separate charge-control probing from USB-PD

by Thomas Weißschuh

The charge-control subsystem in the ChromeOS EC is not strictly tied to its USB-PD subsystem. Since commit 7613bc0d116a ("mfd: cros_ec: Don't load charger with UCSI") the presence of EC_FEATURE_UCSI_PPM would inhibit the probing of the charge-control driver. Furthermore recent versions of the EC firmware in Framework laptops hard-disable EC_FEATURE_USB_PD to avoid probing cros-usbpd-charger, which then also breaks cros-charge-control. Instead use the dedicated EC_FEATURE_CHARGER. Link: https://github.com/FrameworkComputer/EmbeddedController/commit/1d7bcf1d5013… Fixes: 555b5fcdb844 ("mfd: cros_ec: Register charge control subdevice") Cc: stable(a)vger.kernel.org Tested-by: Tom Vincent <linux(a)tlvince.com> Signed-off-by: Thomas Weißschuh <linux(a)weissschuh.net> --- Changes in v2: - Rebase onto v6.16-rc1 - Pick up tested-by from Tom - Also Cc stable@ - Link to v1: https://lore.kernel.org/r/20250521-cros-ec-mfd-chctl-probe-v1-1-6ebfe3a6efa… --- drivers/mfd/cros_ec_dev.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/mfd/cros_ec_dev.c b/drivers/mfd/cros_ec_dev.c index 9f84a52b48d6a8994d23edba999398684303ee64..dc80a272726bb16b58253418999021cd56dfd975 100644 --- a/drivers/mfd/cros_ec_dev.c +++ b/drivers/mfd/cros_ec_dev.c @@ -87,7 +87,6 @@ static const struct mfd_cell cros_ec_sensorhub_cells[] = { }; static const struct mfd_cell cros_usbpd_charger_cells[] = { - { .name = "cros-charge-control", }, { .name = "cros-usbpd-charger", }, { .name = "cros-usbpd-logger", }, }; @@ -112,6 +111,10 @@ static const struct mfd_cell cros_ec_ucsi_cells[] = { { .name = "cros_ec_ucsi", }, }; +static const struct mfd_cell cros_ec_charge_control_cells[] = { + { .name = "cros-charge-control", }, +}; + static const struct cros_feature_to_cells cros_subdevices[] = { { .id = EC_FEATURE_CEC, @@ -148,6 +151,11 @@ static const struct cros_feature_to_cells cros_subdevices[] = { .mfd_cells = cros_ec_keyboard_leds_cells, .num_cells = ARRAY_SIZE(cros_ec_keyboard_leds_cells), }, + { + .id = EC_FEATURE_CHARGER, + .mfd_cells = cros_ec_charge_control_cells, + .num_cells = ARRAY_SIZE(cros_ec_charge_control_cells), + }, }; static const struct mfd_cell cros_ec_platform_cells[] = { --- base-commit: 19272b37aa4f83ca52bdf9c16d5d81bdd1354494 change-id: 20250521-cros-ec-mfd-chctl-probe-64a63ac9c160 Best regards, -- Thomas Weißschuh <linux(a)weissschuh.net>

3 days

3
2
0 0

[PATCH v3 1/3] mm/huge_memory: don't ignore queried cachemode in vmf_insert_pfn_pud()

by David Hildenbrand

We setup the cache mode but ... don't forward the updated pgprot to insert_pfn_pud(). Only a problem on x86-64 PAT when mapping PFNs using PUDs that require a special cachemode. Fix it by using the proper pgprot where the cachemode was setup. It is unclear in which configurations we would get the cachemode wrong: through vfio seems possible. Getting cachemodes wrong is usually ... bad. As the fix is easy, let's backport it to stable. Identified by code inspection. Fixes: 7b806d229ef1 ("mm: remove vmf_insert_pfn_xxx_prot() for huge page-table entries") Reviewed-by: Dan Williams <dan.j.williams(a)intel.com> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Jason Gunthorpe <jgg(a)nvidia.com> Tested-by: Dan Williams <dan.j.williams(a)intel.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: David Hildenbrand <david(a)redhat.com> --- mm/huge_memory.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/mm/huge_memory.c b/mm/huge_memory.c index d3e66136e41a3..49b98082c5401 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -1516,10 +1516,9 @@ static pud_t maybe_pud_mkwrite(pud_t pud, struct vm_area_struct *vma) } static void insert_pfn_pud(struct vm_area_struct *vma, unsigned long addr, - pud_t *pud, pfn_t pfn, bool write) + pud_t *pud, pfn_t pfn, pgprot_t prot, bool write) { struct mm_struct *mm = vma->vm_mm; - pgprot_t prot = vma->vm_page_prot; pud_t entry; if (!pud_none(*pud)) { @@ -1581,7 +1580,7 @@ vm_fault_t vmf_insert_pfn_pud(struct vm_fault *vmf, pfn_t pfn, bool write) pfnmap_setup_cachemode_pfn(pfn_t_to_pfn(pfn), &pgprot); ptl = pud_lock(vma->vm_mm, vmf->pud); - insert_pfn_pud(vma, addr, vmf->pud, pfn, write); + insert_pfn_pud(vma, addr, vmf->pud, pfn, pgprot, write); spin_unlock(ptl); return VM_FAULT_NOPAGE; @@ -1625,7 +1624,7 @@ vm_fault_t vmf_insert_folio_pud(struct vm_fault *vmf, struct folio *folio, add_mm_counter(mm, mm_counter_file(folio), HPAGE_PUD_NR); } insert_pfn_pud(vma, addr, vmf->pud, pfn_to_pfn_t(folio_pfn(folio)), - write); + vma->vm_page_prot, write); spin_unlock(ptl); return VM_FAULT_NOPAGE; -- 2.49.0

3 days

2
1
0 0

[PATCH v3] ata: ahci: Disallow LPM for ASUSPRO-D840SA motherboard

by Niklas Cassel

A user has bisected a regression which causes graphical corruptions on his screen to commit 7627a0edef54 ("ata: ahci: Drop low power policy board type"). Simply reverting commit 7627a0edef54 ("ata: ahci: Drop low power policy board type") makes the graphical corruptions on his screen to go away. (Note: there are no visible messages in dmesg that indicates a problem with AHCI.) The user also reports that the problem occurs regardless if there is an HDD or an SSD connected via AHCI, so the problem is not device related. The devices also work fine on other motherboards, so it seems specific to the ASUSPRO-D840SA motherboard. While enabling low power modes for AHCI is not supposed to affect completely unrelated hardware, like a graphics card, it does however allow the system to enter deeper PC-states, which could expose ACPI issues that were previously not visible (because the system never entered these lower power states before). There are previous examples where enabling LPM exposed serious BIOS/ACPI bugs, see e.g. commit 240630e61870 ("ahci: Disable LPM on Lenovo 50 series laptops with a too old BIOS"). Since there hasn't been any BIOS update in years for the ASUSPRO-D840SA motherboard, disable LPM for this board, in order to avoid entering lower PC-states, which triggers graphical corruptions. Cc: stable(a)vger.kernel.org Reported-by: Andy Yang <andyybtc79(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220111 Fixes: 7627a0edef54 ("ata: ahci: Drop low power policy board type") Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- Changes since v2: -Rework how we handle the quirk so that we also quirk future BIOS versions unless a build date is explicitly added to driver_data. drivers/ata/ahci.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c index e7c8357cbc54..c8ad8ace7496 100644 --- a/drivers/ata/ahci.c +++ b/drivers/ata/ahci.c @@ -1410,8 +1410,15 @@ static bool ahci_broken_suspend(struct pci_dev *pdev) static bool ahci_broken_lpm(struct pci_dev *pdev) { + /* + * Platforms with LPM problems. + * If driver_data is NULL, there is no existing BIOS version with + * functioning LPM. + * If driver_data is non-NULL, then driver_data contains the DMI BIOS + * build date of the first BIOS version with functioning LPM (i.e. older + * BIOS versions have broken LPM). + */ static const struct dmi_system_id sysids[] = { - /* Various Lenovo 50 series have LPM issues with older BIOSen */ { .matches = { DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), @@ -1440,6 +1447,13 @@ static bool ahci_broken_lpm(struct pci_dev *pdev) }, .driver_data = "20180409", /* 2.35 */ }, + { + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), + DMI_MATCH(DMI_PRODUCT_VERSION, "ASUSPRO D840MB_M840SA"), + }, + /* 320 is broken, there is no known good version yet. */ + }, { } /* terminate list */ }; const struct dmi_system_id *dmi = dmi_first_match(sysids); @@ -1449,6 +1463,9 @@ static bool ahci_broken_lpm(struct pci_dev *pdev) if (!dmi) return false; + if (!dmi->driver_data) + return true; + dmi_get_date(DMI_BIOS_DATE, &year, &month, &date); snprintf(buf, sizeof(buf), "%04d%02d%02d", year, month, date); -- 2.49.0

3 days, 1 hour

3
3
0 0

[PATCH] Revert "platform/x86: alienware-wmi-wmax: Add G-Mode support to Alienware m16 R1"

by Kurt Borja

This reverts commit 5ff79cabb23a2f14d2ed29e9596aec908905a0e6. Although the Alienware m16 R1 AMD model supports G-Mode, it actually has a lower power ceiling than plain "performance" profile, which results in lower performance. Reported-by: Cihan Ozakca <cozakca(a)outlook.com> Cc: stable(a)vger.kernel.org # 6.15.x Signed-off-by: Kurt Borja <kuurtb(a)gmail.com> --- Hi all, Contrary to (my) intuition, imitating Windows behavior actually results in LOWER performance. I was having second thoughts about this revert because users will notice that "performance" not longer turns on the G-Mode key found in this laptop. Some users may think this is actually a regression, but IMO lower performance is worse. --- drivers/platform/x86/dell/alienware-wmi-wmax.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/platform/x86/dell/alienware-wmi-wmax.c b/drivers/platform/x86/dell/alienware-wmi-wmax.c index c42f9228b0b255fe962b735ac96486824e83945f..20ec122a9fe0571a1ecd2ccf630615564ab30481 100644 --- a/drivers/platform/x86/dell/alienware-wmi-wmax.c +++ b/drivers/platform/x86/dell/alienware-wmi-wmax.c @@ -119,7 +119,7 @@ static const struct dmi_system_id awcc_dmi_table[] __initconst = { DMI_MATCH(DMI_SYS_VENDOR, "Alienware"), DMI_MATCH(DMI_PRODUCT_NAME, "Alienware m16 R1 AMD"), }, - .driver_data = &g_series_quirks, + .driver_data = &generic_quirks, }, { .ident = "Alienware m16 R2", --- base-commit: 19272b37aa4f83ca52bdf9c16d5d81bdd1354494 change-id: 20250611-m16-rev-8109b82dee30 -- ~ Kurt

3 days, 2 hours

2
1
0 0

[PATCH] drm/i915/snps_hdmi_pll: Fix 64-bit divisor truncation by using div64_u64

by Ankit Nautiyal

DIV_ROUND_CLOSEST_ULL uses do_div(), which expects a 32-bit divisor. When passing a 64-bit constant like CURVE2_MULTIPLIER, the value is silently truncated to u32, potentially leading to incorrect results on large divisors. Replace DIV_ROUND_CLOSEST_ULL with div64_u64(), which correctly handles full 64-bit division. Since the result is clamped between 1 and 127, rounding is unnecessary and truncating division is sufficient. Fixes: 5947642004bf ("drm/i915/display: Add support for SNPS PHY HDMI PLL algorithm for DG2") Cc: Ankit Nautiyal <ankit.k.nautiyal(a)intel.com> Cc: Suraj Kandpal <suraj.kandpal(a)intel.com> Cc: Jani Nikula <jani.nikula(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.15+ Signed-off-by: Ankit Nautiyal <ankit.k.nautiyal(a)intel.com> --- drivers/gpu/drm/i915/display/intel_snps_hdmi_pll.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/i915/display/intel_snps_hdmi_pll.c b/drivers/gpu/drm/i915/display/intel_snps_hdmi_pll.c index 74bb3bedf30f..ac609bdf6653 100644 --- a/drivers/gpu/drm/i915/display/intel_snps_hdmi_pll.c +++ b/drivers/gpu/drm/i915/display/intel_snps_hdmi_pll.c @@ -103,8 +103,8 @@ static void get_ana_cp_int_prop(u64 vco_clk, DIV_ROUND_DOWN_ULL(curve_1_interpolated, CURVE0_MULTIPLIER))); ana_cp_int_temp = - DIV_ROUND_CLOSEST_ULL(DIV_ROUND_DOWN_ULL(adjusted_vco_clk1, curve_2_scaled1), - CURVE2_MULTIPLIER); + div64_u64(DIV_ROUND_DOWN_ULL(adjusted_vco_clk1, curve_2_scaled1), + CURVE2_MULTIPLIER); *ana_cp_int = max(1, min(ana_cp_int_temp, 127)); -- 2.45.2

3 days, 4 hours

3
2
0 0

Reply Request: UITP Summit - Hamburg 2025 Attendees List

by Michelle Calara

Hi, Following up on my primary email about the visitor list. Please let me know your thoughts, and I'd be happy to give more details. Best regards, Grace Subject: UITP Summit - Hamburg 2025! Hi, I wanted to check if you’d be interested in acquiring the attendees list of UITP Summit - Hamburg 2025? Event Overview: Dates: 15 - 18 Jun 2025 Location: Hamburg, Germany Attendees: 10,126 Exhibitors: 380 Each contact contains: Contact Name, First Name, Last Name, Job Title, Company, Website Address, City, State, Zip, Country Code, Revenue, Employee Size, Email, Phone Number, and Fax Number. If you're interested in the list, just reply "Send Counts and Cost"? Best regards, Michelle Calara Senior Marketing Manager To unsubscribe, simply respond with “Not interested.”

3 days, 5 hours

1
0
0 0

[tip: perf/urgent] perf/x86/intel: Fix crash in icl_update_topdown_event()

by tip-bot2 for Kan Liang

The following commit has been merged into the perf/urgent branch of tip: Commit-ID: b0823d5fbacb1c551d793cbfe7af24e0d1fa45ed Gitweb: https://git.kernel.org/tip/b0823d5fbacb1c551d793cbfe7af24e0d1fa45ed Author: Kan Liang <kan.liang(a)linux.intel.com> AuthorDate: Thu, 12 Jun 2025 07:38:18 -07:00 Committer: Ingo Molnar <mingo(a)kernel.org> CommitterDate: Fri, 13 Jun 2025 09:38:06 +02:00 perf/x86/intel: Fix crash in icl_update_topdown_event() The perf_fuzzer found a hard-lockup crash on a RaptorLake machine: Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000 CPU: 23 UID: 0 PID: 0 Comm: swapper/23 Tainted: [W]=WARN Hardware name: Dell Inc. Precision 9660/0VJ762 RIP: 0010:native_read_pmc+0x7/0x40 Code: cc e8 8d a9 01 00 48 89 03 5b cd cc cc cc cc 0f 1f ... RSP: 000:fffb03100273de8 EFLAGS: 00010046 .... Call Trace: <TASK> icl_update_topdown_event+0x165/0x190 ? ktime_get+0x38/0xd0 intel_pmu_read_event+0xf9/0x210 __perf_event_read+0xf9/0x210 CPUs 16-23 are E-core CPUs that don't support the perf metrics feature. The icl_update_topdown_event() should not be invoked on these CPUs. It's a regression of commit: f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read") The bug introduced by that commit is that the is_topdown_event() function is mistakenly used to replace the is_topdown_count() call to check if the topdown functions for the perf metrics feature should be invoked. Fix it. Fixes: f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read") Closes: https://lore.kernel.org/lkml/352f0709-f026-cd45-e60c-60dfd97f73f3@maine.edu/ Reported-by: Vince Weaver <vincent.weaver(a)maine.edu> Signed-off-by: Kan Liang <kan.liang(a)linux.intel.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Tested-by: Vince Weaver <vincent.weaver(a)maine.edu> Cc: stable(a)vger.kernel.org # v6.15+ Link: https://lore.kernel.org/r/20250612143818.2889040-1-kan.liang@linux.intel.com --- arch/x86/events/intel/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c index 741b229..c2fb729 100644 --- a/arch/x86/events/intel/core.c +++ b/arch/x86/events/intel/core.c @@ -2826,7 +2826,7 @@ static void intel_pmu_read_event(struct perf_event *event) * If the PEBS counters snapshotting is enabled, * the topdown event is available in PEBS records. */ - if (is_topdown_event(event) && !is_pebs_counter_event_group(event)) + if (is_topdown_count(event) && !is_pebs_counter_event_group(event)) static_call(intel_pmu_update_topdown_event)(event, NULL); else intel_pmu_drain_pebs_buffer();

3 days, 6 hours

1
0
0 0

[PATCH V3 2/2] PCI: Prevent LS7A Bus Master clearing on kexec

by Huacai Chen

This is similar to commit 62b6dee1b44a ("PCI/portdrv: Prevent LS7A Bus Master clearing on shutdown"), which prevents LS7A Bus Master clearing on kexec. The key point of this is to work around the LS7A defect that clearing PCI_COMMAND_MASTER prevents MMIO requests from going downstream, and we may need to do that even after .shutdown(), e.g., to print console messages. And in this case we rely on .shutdown() for the downstream devices to disable interrupts and DMA. Only skip Bus Master clearing on bridges because endpoint devices still need it. Cc: <stable(a)vger.kernel.org> Signed-off-by: Ming Wang <wangming01(a)loongson.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- drivers/pci/pci-driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c index 602838416e6a..8a1e32367a06 100644 --- a/drivers/pci/pci-driver.c +++ b/drivers/pci/pci-driver.c @@ -517,7 +517,7 @@ static void pci_device_shutdown(struct device *dev) * If it is not a kexec reboot, firmware will hit the PCI * devices with big hammer and stop their DMA any way. */ - if (kexec_in_progress && (pci_dev->current_state <= PCI_D3hot)) + if (kexec_in_progress && !pci_is_bridge(pci_dev) && (pci_dev->current_state <= PCI_D3hot)) pci_clear_master(pci_dev); } -- 2.47.1

3 days, 7 hours

2
1
0 0

[PATCH V3 1/2] PCI: Use local_pci_probe() when best selected cpu is offline

by Huacai Chen

From: Hongchen Zhang <zhanghongchen(a)loongson.cn> When the best selected CPU is offline, work_on_cpu() will stuck forever. This can be happen if a node is online while all its CPUs are offline (we can use "maxcpus=1" without "nr_cpus=1" to reproduce it), Therefore, in this case, we should call local_pci_probe() instead of work_on_cpu(). Cc: <stable(a)vger.kernel.org> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> Signed-off-by: Hongchen Zhang <zhanghongchen(a)loongson.cn> --- drivers/pci/pci-driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c index c8bd71a739f7..602838416e6a 100644 --- a/drivers/pci/pci-driver.c +++ b/drivers/pci/pci-driver.c @@ -386,7 +386,7 @@ static int pci_call_probe(struct pci_driver *drv, struct pci_dev *dev, free_cpumask_var(wq_domain_mask); } - if (cpu < nr_cpu_ids) + if ((cpu < nr_cpu_ids) && cpu_online(cpu)) error = work_on_cpu(cpu, local_pci_probe, &ddi); else error = local_pci_probe(&ddi); -- 2.47.1

3 days, 7 hours

2
1
0 0

two nouveau patches for 6.15 stable

by Dave Airlie

Hey, Can we please get 4570355f8eaa476164cfb7ca959fdbf0cebbc9eb Author: Zhi Wang <zhiw(a)nvidia.com> Date: Thu Feb 27 01:35:53 2025 +0000 drm/nouveau/nvkm: factor out current GSP RPC command policies a738fa9105ac2897701ba4067c33e85faa27d1e2 Author: Zhi Wang <zhiw(a)nvidia.com> Date: Thu Feb 27 01:35:54 2025 +0000 drm/nouveau/nvkm: introduce new GSP reply policy NVKM_GSP_RPC_REPLY_POLL Into 6.15 stable they fix a major regression in suspend/resume on nouveau. Thanks, Dave.

3 days, 8 hours

1
0
0 0

[PATCH v2 0/6] media: ti, cdns: Multiple pixel support and misc fixes

by Jai Luthra

Hi, The first four patches in this series are miscellaneous fixes and improvements in the Cadence and TI CSI-RX drivers around probing, fwnode and link creation. The last two patches add support for transmitting multiple pixels per clock on the internal bus between Cadence CSI-RX bridge and TI CSI-RX wrapper. As this internal bus is 32-bit wide, the maximum number of pixels that can be transmitted per cycle depend upon the format's bit width. Secondly, the downstream element must support unpacking of multiple pixels. Thus we export a module function that can be used by the downstream driver to negotiate the pixels per cycle on the output pixel stream of the Cadence bridge. Signed-off-by: Jai Luthra <jai.luthra(a)ideasonboard.com> --- Changes in v2: - Rebase on v6.15-rc1 - Fix lkp warnings in PATCH 5/6 missing header for FIELD_PREP - Add R-By tags from Devarsh and Changhuang - Link to v1: https://lore.kernel.org/r/20250324-probe_fixes-v1-0-5cd5b9e1cfac@ideasonboa… --- Jai Luthra (6): media: ti: j721e-csi2rx: Use devm_of_platform_populate media: ti: j721e-csi2rx: Use fwnode_get_named_child_node media: ti: j721e-csi2rx: Fix source subdev link creation media: cadence: csi2rx: Implement get_fwnode_pad op media: cadence: cdns-csi2rx: Support multiple pixels per clock cycle media: ti: j721e-csi2rx: Support multiple pixels per clock drivers/media/platform/cadence/cdns-csi2rx.c | 76 +++++++++++++++++----- drivers/media/platform/cadence/cdns-csi2rx.h | 19 ++++++ drivers/media/platform/ti/Kconfig | 3 +- .../media/platform/ti/j721e-csi2rx/j721e-csi2rx.c | 66 ++++++++++++++----- 4 files changed, 129 insertions(+), 35 deletions(-) --- base-commit: 0af2f6be1b4281385b618cb86ad946eded089ac8 change-id: 20250314-probe_fixes-7e0ec33c7fee Best regards, -- Jai Luthra <jai.luthra(a)ideasonboard.com>

3 days, 8 hours

2
3
0 0

Re: it's Seven again for PCBA One-stop Service

by Seven

Hi , What would it mean to you if your business was able to reduce Expenses by 20% (Clients: Littelfuse, Corsair, BMB, Mercedes-Benz, Fantac) We are a PCBA factory with an area of 6,000 square meters. We have been in this industry for 18 years and have an experienced team of engineers. Help you reduce BOM Expenses Fast delivery (15 days for Demo) Competitive prices (10% lower than peers) Real factory processing fees are Fees Complete quality management system (ISO9001,ISO14001,ISO13485,IATF16949,UL)Given how well our pcba service suits your needs, I think we could do some Excellent work together. Seven LeeChief Technology Officer Business Department | Shenzhen STHL Technology Co,Ltd +8618569002840 Seven(a)pcba-china.com 在2025-06-04，Seven <seven(a)ems-sthi.com> 写道:-----原始邮件----- 发件人： Seven <seven(a)ems-sthi.com> 发件时间: 2025年06月04日周三收件人： [Linux-stable-mirror <linux-stable-mirror(a)lists.linaro.org>] 主题： Re:Jordan recommend me get in touch Hi, Glad to know you and your company from Jordan. I‘m Seven CTO of STHL We are a one-stop service provider for PCBA. We can help you with production from PCB to finished product assembly. Why Partner With Us? ✅ One-Stop Expertise: From PCB fabrication, PCBA (SMT & Through-Hole), custom cable harnesses, , to final product assembly – we eliminate multi-vendor coordination risks. ✅ Cost Efficiency: 40%+ clients reduce logistics/QC costs through our integrated service model (ISO 9001:2015 certified). ✅ Speed-to-Market: Average 15% faster lead times achieved via in-house vertical integration. Recent Success Case: Helped a German IoT startup scale from prototype to 50K-unit/month production within 6 months through our: PCB Design-for-Manufacturing (DFM) optimization Automated PCBA with 99.98% first-pass yield Mechanical housing CNC machining & IP67-rated assembly Seven Marcus CTO Shenzhen STHL Technology Co,Ltd +8618569002840 Seven(a)pcba-china.com

3 days, 8 hours

1
0
0 0

[PATCH] arm64/ptdump: Ensure memory hotplug is prevented during ptdump_check_wx()

by Anshuman Khandual

The arm64 page table dump code can race with concurrent modification of the kernel page tables. When a leaf entries are modified concurrently, the dump code may log stale or inconsistent information for a VA range, but this is otherwise not harmful. When intermediate levels of table are freed, the dump code will continue to use memory which has been freed and potentially reallocated for another purpose. In such cases, the dump code may dereference bogus addresses, leading to a number of potential problems. This problem was fixed for ptdump_show() earlier via commit 'bf2b59f60ee1 ("arm64/mm: Hold memory hotplug lock while walking for kernel page table dump")' but a same was missed for ptdump_check_wx() which faced the race condition as well. Let's just take the memory hotplug lock while executing ptdump_check_wx(). Cc: stable(a)vger.kernel.org Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove") Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Will Deacon <will(a)kernel.org> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: linux-arm-kernel(a)lists.infradead.org Cc: linux-kernel(a)vger.kernel.org Reported-by: Dev Jain <dev.jain(a)arm.com> Signed-off-by: Anshuman Khandual <anshuman.khandual(a)arm.com> --- This patch applies on v6.16-rc1 Dev Jain found this via code inspection. arch/arm64/mm/ptdump.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/arch/arm64/mm/ptdump.c b/arch/arm64/mm/ptdump.c index 421a5de806c62..551f80d41e8d2 100644 --- a/arch/arm64/mm/ptdump.c +++ b/arch/arm64/mm/ptdump.c @@ -328,7 +328,7 @@ static struct ptdump_info kernel_ptdump_info __ro_after_init = { .mm = &init_mm, }; -bool ptdump_check_wx(void) +static bool __ptdump_check_wx(void) { struct ptdump_pg_state st = { .seq = NULL, @@ -367,6 +367,16 @@ bool ptdump_check_wx(void) } } +bool ptdump_check_wx(void) +{ + bool ret; + + get_online_mems(); + ret = __ptdump_check_wx(); + put_online_mems(); + return ret; +} + static int __init ptdump_init(void) { u64 page_offset = _PAGE_OFFSET(vabits_actual); -- 2.30.2

3 days, 9 hours

5
5
0 0

[PATCH 6.12.y] wifi: rtw89: phy: add dummy C2H event handler for report of TAS power

by Zenm Chen

From: Ping-Ke Shih <pkshih(a)realtek.com> [ Upstream commit 09489812013f9ff3850c3af9900c88012b8c1e5d ] The newer firmware, like RTL8852C version 0.27.111.0, will notify driver report of TAS (Time Averaged SAR) power by new C2H events. This is to assist in higher accurate calculation of TAS. For now, driver doesn't use the report yet, so add a dummy handler to avoid it throws info like: rtw89_8852ce 0000:03:00.0: c2h class 9 func 6 not support Also add "MAC" and "PHY" to the message to disambiguate the source of C2H event. Signed-off-by: Ping-Ke Shih <pkshih(a)realtek.com> Link: https://patch.msgid.link/20241209042127.21424-1-pkshih@realtek.com Signed-off-by: Zenm Chen <zenmchen(a)gmail.com> --- Currently the rtw89 driver in kernel 6.12.y could spam the system log with the messages below if the distro provides a newer firmware, backport this patch to 6.12.y to fix it. [ 13.207637] rtw89_8852ce 0000:02:00.0: c2h class 9 func 6 not support [ 17.115171] rtw89_8852ce 0000:02:00.0: c2h class 9 func 6 not support [ 19.117996] rtw89_8852ce 0000:02:00.0: c2h class 9 func 6 not support [ 21.122162] rtw89_8852ce 0000:02:00.0: c2h class 9 func 6 not support [ 23.123588] rtw89_8852ce 0000:02:00.0: c2h class 9 func 6 not support [ 25.127008] rtw89_8852ce 0000:02:00.0: c2h class 9 func 6 not support [ 31.246591] rtw89_8852ce 0000:02:00.0: c2h class 9 func 6 not support [ 34.665080] rtw89_8852ce 0000:02:00.0: c2h class 9 func 6 not support [ 41.064308] rtw89_8852ce 0000:02:00.0: c2h class 9 func 6 not support [ 43.067127] rtw89_8852ce 0000:02:00.0: c2h class 9 func 6 not support [ 45.069878] rtw89_8852ce 0000:02:00.0: c2h class 9 func 6 not support [ 47.072845] rtw89_8852ce 0000:02:00.0: c2h class 9 func 6 not support [ 49.265599] rtw89_8852ce 0000:02:00.0: c2h class 9 func 6 not support [ 51.268512] rtw89_8852ce 0000:02:00.0: c2h class 9 func 6 not support [ 53.271490] rtw89_8852ce 0000:02:00.0: c2h class 9 func 6 not support [ 55.274271] rtw89_8852ce 0000:02:00.0: c2h class 9 func 6 not support --- drivers/net/wireless/realtek/rtw89/mac.c | 4 ++-- drivers/net/wireless/realtek/rtw89/phy.c | 10 ++++++++-- drivers/net/wireless/realtek/rtw89/phy.h | 1 + 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/realtek/rtw89/mac.c b/drivers/net/wireless/realtek/rtw89/mac.c index 9b09d4b7d..2188bca89 100644 --- a/drivers/net/wireless/realtek/rtw89/mac.c +++ b/drivers/net/wireless/realtek/rtw89/mac.c @@ -5513,11 +5513,11 @@ void rtw89_mac_c2h_handle(struct rtw89_dev *rtwdev, struct sk_buff *skb, case RTW89_MAC_C2H_CLASS_FWDBG: return; default: - rtw89_info(rtwdev, "c2h class %d not support\n", class); + rtw89_info(rtwdev, "MAC c2h class %d not support\n", class); return; } if (!handler) { - rtw89_info(rtwdev, "c2h class %d func %d not support\n", class, + rtw89_info(rtwdev, "MAC c2h class %d func %d not support\n", class, func); return; } diff --git a/drivers/net/wireless/realtek/rtw89/phy.c b/drivers/net/wireless/realtek/rtw89/phy.c index 5c31639b4..355c3f58a 100644 --- a/drivers/net/wireless/realtek/rtw89/phy.c +++ b/drivers/net/wireless/realtek/rtw89/phy.c @@ -3062,10 +3062,16 @@ rtw89_phy_c2h_rfk_report_state(struct rtw89_dev *rtwdev, struct sk_buff *c2h, u3 (int)(len - sizeof(report->hdr)), &report->state); } +static void +rtw89_phy_c2h_rfk_log_tas_pwr(struct rtw89_dev *rtwdev, struct sk_buff *c2h, u32 len) +{ +} + static void (* const rtw89_phy_c2h_rfk_report_handler[])(struct rtw89_dev *rtwdev, struct sk_buff *c2h, u32 len) = { [RTW89_PHY_C2H_RFK_REPORT_FUNC_STATE] = rtw89_phy_c2h_rfk_report_state, + [RTW89_PHY_C2H_RFK_LOG_TAS_PWR] = rtw89_phy_c2h_rfk_log_tas_pwr, }; bool rtw89_phy_c2h_chk_atomic(struct rtw89_dev *rtwdev, u8 class, u8 func) @@ -3119,11 +3125,11 @@ void rtw89_phy_c2h_handle(struct rtw89_dev *rtwdev, struct sk_buff *skb, return; fallthrough; default: - rtw89_info(rtwdev, "c2h class %d not support\n", class); + rtw89_info(rtwdev, "PHY c2h class %d not support\n", class); return; } if (!handler) { - rtw89_info(rtwdev, "c2h class %d func %d not support\n", class, + rtw89_info(rtwdev, "PHY c2h class %d func %d not support\n", class, func); return; } diff --git a/drivers/net/wireless/realtek/rtw89/phy.h b/drivers/net/wireless/realtek/rtw89/phy.h index 9bb9c9c8e..961a4bacb 100644 --- a/drivers/net/wireless/realtek/rtw89/phy.h +++ b/drivers/net/wireless/realtek/rtw89/phy.h @@ -151,6 +151,7 @@ enum rtw89_phy_c2h_rfk_log_func { enum rtw89_phy_c2h_rfk_report_func { RTW89_PHY_C2H_RFK_REPORT_FUNC_STATE = 0, + RTW89_PHY_C2H_RFK_LOG_TAS_PWR = 6, }; enum rtw89_phy_c2h_dm_func { -- 2.49.0

3 days, 11 hours

1
0
0 0

[PATCH 6.15 00/34] 6.15.2-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.15.2 release. There are 34 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Mon, 09 Jun 2025 10:07:05 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.15.2-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.15.2-rc1 Aurabindo Pillai <aurabindo.pillai(a)amd.com> Revert "drm/amd/display: more liberal vmin/vmax update for freesync" Xu Yang <xu.yang_2(a)nxp.com> dt-bindings: phy: imx8mq-usb: fix fsl,phy-tx-vboost-level-microvolt property Lukasz Czechowski <lukasz.czechowski(a)thaumatec.com> dt-bindings: usb: cypress,hx3: Add support for all variants Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: remoteproc: qcom,sm8150-pas: Add missing SC8180X compatible David Lechner <dlechner(a)baylibre.com> dt-bindings: pwm: adi,axi-pwmgen: Fix clocks Sergey Senozhatsky <senozhatsky(a)chromium.org> thunderbolt: Do not double dequeue a configuration request Carlos Llamas <cmllamas(a)google.com> binder: fix yet another UAF in binder_devices Dmitry Antipov <dmantipov(a)yandex.ru> binder: fix use-after-free in binderfs_evict_inode() Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix timeout value in get_stb Arnd Bergmann <arnd(a)arndb.de> nvmem: rmem: select CONFIG_CRC32 Dustin Lundquist <dustin(a)null-ptr.net> serial: jsm: fix NPE during jsm_uart_port_init Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Bluetooth: hci_qca: move the SoC type check to the right place Qasim Ijaz <qasdev00(a)gmail.com> usb: typec: ucsi: fix Clang -Wsign-conversion warning Charles Yeh <charlesyeh522(a)gmail.com> USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB Hongyu Xie <xiehongyu1(a)kylinos.cn> usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device Jiayi Li <lijiayi(a)kylinos.cn> usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE Kent Overstreet <kent.overstreet(a)linux.dev> bcachefs: Fix subvol to missing root repair Kent Overstreet <kent.overstreet(a)linux.dev> bcachefs: Run may_delete_deleted_inode() checks in bch2_inode_rm() Kent Overstreet <kent.overstreet(a)linux.dev> bcachefs: delete dead code from may_delete_deleted_inode() Kent Overstreet <kent.overstreet(a)linux.dev> bcachefs: Repair code for directory i_size Kent Overstreet <kent.overstreet(a)linux.dev> bcachefs: Kill un-reverted directory i_size code Alexandre Mergnat <amergnat(a)baylibre.com> rtc: Fix offset calculation for .start_secs < 0 Alexandre Mergnat <amergnat(a)baylibre.com> rtc: Make rtc_time64_to_tm() support dates before 1970 Nícolas F. R. A. Prado <nfraprado(a)collabora.com> pinctrl: mediatek: eint: Fix invalid pointer dereference for v1 platforms Sakari Ailus <sakari.ailus(a)linux.intel.com> Documentation: ACPI: Use all-string data node references Gautham R. Shenoy <gautham.shenoy(a)amd.com> acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() Pritam Manohar Sutar <pritam.sutar(a)samsung.com> clk: samsung: correct clock summary for hsi1 block Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: set GPIO output value before setting direction Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 Ahmed Salem <x0rw3ll(a)gmail.com> ACPICA: Apply ACPI_NONSTRING in more places Kees Cook <kees(a)kernel.org> ACPICA: Apply ACPI_NONSTRING Kees Cook <kees(a)kernel.org> ACPICA: Introduce ACPI_NONSTRING Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Revert "x86/smp: Eliminate mwait_play_dead_cpuid_hint()" Pan Taixi <pantaixi(a)huaweicloud.com> tracing: Fix compilation warning on arm32 ------------- Diffstat: .../bindings/phy/fsl,imx8mq-usb-phy.yaml | 3 +- .../devicetree/bindings/pwm/adi,axi-pwmgen.yaml | 13 +++- .../bindings/remoteproc/qcom,sm8150-pas.yaml | 3 + .../devicetree/bindings/usb/cypress,hx3.yaml | 19 +++++- .../acpi/dsd/data-node-references.rst | 26 ++++---- Documentation/firmware-guide/acpi/dsd/graph.rst | 11 ++-- Documentation/firmware-guide/acpi/dsd/leds.rst | 7 +- Makefile | 4 +- arch/x86/kernel/smpboot.c | 54 +++++++++++++-- drivers/acpi/acpica/acdebug.h | 2 +- drivers/acpi/acpica/aclocal.h | 4 +- drivers/acpi/acpica/nsnames.c | 2 +- drivers/acpi/acpica/nsrepair2.c | 2 +- drivers/android/binder.c | 16 ++++- drivers/android/binder_internal.h | 8 ++- drivers/android/binderfs.c | 2 +- drivers/bluetooth/hci_qca.c | 14 ++-- drivers/clk/samsung/clk-exynosautov920.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 16 ++--- drivers/nvmem/Kconfig | 1 + drivers/pinctrl/mediatek/mtk-eint.c | 26 ++++---- drivers/pinctrl/mediatek/mtk-eint.h | 5 +- drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c | 2 +- drivers/pinctrl/mediatek/pinctrl-mtk-common.c | 2 +- drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 14 ++-- drivers/rtc/class.c | 2 +- drivers/rtc/lib.c | 24 +++++-- drivers/thunderbolt/ctl.c | 5 ++ drivers/tty/serial/jsm/jsm_tty.c | 1 + drivers/usb/class/usbtmc.c | 4 +- drivers/usb/core/quirks.c | 3 + drivers/usb/serial/pl2303.c | 2 + drivers/usb/storage/unusual_uas.h | 7 ++ drivers/usb/typec/ucsi/ucsi.h | 2 +- fs/bcachefs/dirent.c | 12 +--- fs/bcachefs/dirent.h | 4 +- fs/bcachefs/errcode.h | 2 + fs/bcachefs/fs.c | 8 ++- fs/bcachefs/fsck.c | 8 +++ fs/bcachefs/inode.c | 77 ++++++++++++++-------- fs/bcachefs/namei.c | 4 +- fs/bcachefs/sb-errors_format.h | 4 +- fs/bcachefs/subvolume.c | 19 ++++-- include/acpi/actbl.h | 6 +- include/acpi/actypes.h | 4 ++ include/acpi/platform/acgcc.h | 8 +++ kernel/trace/trace.c | 2 +- .../acpi/os_specific/service_layers/oslinuxtbl.c | 2 +- tools/power/acpi/tools/acpidump/apfiles.c | 2 +- 50 files changed, 314 insertions(+), 158 deletions(-)

3 days, 12 hours

16
51
0 0

[PATCH v2 0/5] drm/xe: enable driver usage on non-4KiB kernels

by Mingcong Bai via B4 Relay

This patch series attempts to enable the use of xe DRM driver on non-4KiB kernel page platforms. This involves fixing the ttm/bo interface, as well as parts of the userspace API to make use of kernel `PAGE_SIZE' for alignment instead of the assumed `SZ_4K', it also fixes incorrect usage of `PAGE_SIZE' in the GuC and ring buffer interface code to make sure all instructions/commands were aligned to 4KiB barriers (per the Programmer's Manual for the GPUs covered by this DRM driver). This issue was first discovered and reported by members of the LoongArch user communities, whose hardware commonly ran on 16KiB-page kernels. The patch series began on an unassuming branch of a downstream kernel tree maintained by Shang Yatsen.[^1] It worked well but remained sparsely documented, a lot of the work done here relied on Shang Yatsen's original patch. AOSC OS then picked it up[^2] to provide Intel Xe/Arc support for users of its LoongArch port, for which I worked extensively on. After months of positive user feedback and from encouragement from Kexy Biscuit, my colleague at the community, I decided to examine its potential for upstreaming, cross-reference kernel and Intel documentation to better document and revise this patch. Now that this series has been tested good (for boot up, OpenGL, and playback of a standardised set of video samples[^3] on the following platforms (motherboard + GPU model): - x86-64, 4KiB kernel page: - MS-7D42 + Intel Arc A580 - COLORFIRE B760M-MEOW WIFI D5 + Intel Arc B580 - LoongArch, 16KiB kernel page: - XA61200 + GUNNIR DG1 Blue Halberd (Intel DG1) - XA61200 + GUNNIR Iris Xe Index 4 (Intel DG1) - XA61200 + GUNNIR Intel Iris Xe Max Index V2 (Intel DG1) - XA61200 + GUNNIR Intel Arc A380 Index 6G (Intel Arc A380) - XA61200 + ASRock Arc A380 Challenger ITX OC (Intel Arc A380) - XA61200 + Intel Arc A580 - XA61200 + GUNNIR Intel Arc A750 Photon 8G OC (Intel Arc A750) - XA61200 + Intel Arc B580 - XB612B0 + GUNNIR Intel Iris Xe Max Index V2 (Intel DG1) - XB612B0 + GUNNIR Intel Arc A380 Index 6G (Intel Arc A380) - ASUS XC-LS3A6M + GUNNIR Intel Arc B580 INDEX 12G (Intel Arc B580) On these platforms, basic functionalities tested good but the driver was unstable with occasional resets (I do suspect however, that this platform suffers from PCIe coherence issues, as instability only occurs under heavy VRAM I/O load): - AArch64, 4KiB/64KiB kernel pages: - ERUN-FD3000 (Phytium D3000) + GUNNIR Intel Iris Xe Max Index V2 (Intel DG1) - ERUN-FD3000 (Phytium D3000) + GUNNIR Intel Arc A380 Index 6G (Intel Arc A380) - ERUN-FD3000 (Phytium D3000) + GUNNIR Intel Arc A750 Photon 8G OC (Intel Arc A750) I think that this patch series is now ready for your comment and review. Please forgive me if I made any simple mistake or used wrong terminologies, but I have never worked on a patch for the DRM subsystem and my experience is still quite thin. But anyway, just letting you all know that Intel Xe/Arc works on non-4KiB kernel page platforms (and honestly, it's great to use, especially for games and media playback)! [^1]: https://github.com/FanFansfan/loongson-linux/tree/loongarch-xe [^2]: We maintained Shang Yatsen's patch until our v6.13.3 tree, until we decided to test and send this series upstream, https://github.com/AOSC-Tracking/linux/tree/aosc/v6.13.3 [^3]: Delicious hot pot! https://repo.aosc.io/ahvl/sample-videos-20250223.tar.zst --- Matthew(s), Lucas, and Francois: Thanks again for your patience and review. I recently had a job change and it put me off this series for months, but I'm back (and should be a lot more responsive now) - sorry! Let's get this ball rolling again. I was unfortunately unable to revise 1/5 from v1 as you requested, neither of your suggestions to allow allocation of VRAM smaller than page size worked... So I kept that part as is. As for the your comment in 5/5, I'm not sure about what the right approach to implement a SZ_64K >= PAGE_SIZE assert was, as there are many other instances of similar ternary conditional operators in the xe code. Correct me if I'm wrong but I felt that it might be better handled in a separate patch series? --- Changes in v2: - Define `GUC_ALIGN' and use them in GuC code to improve clarity. - Update documentation on `DRM_XE_QUERY_CONFIG_MIN_ALIGNMENT'. - Rebase, and other minor changes. - Link to v1: https://lore.kernel.org/all/20250226-xe-non-4k-fix-v1-0-80f23b5ee40e@aosc.i… To: Lucas De Marchi <lucas.demarchi(a)intel.com> To: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> To: Rodrigo Vivi <rodrigo.vivi(a)intel.com> To: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> To: Maxime Ripard <mripard(a)kernel.org> To: Thomas Zimmermann <tzimmermann(a)suse.de> To: David Airlie <airlied(a)gmail.com> To: Simona Vetter <simona(a)ffwll.ch> To: José Roberto de Souza <jose.souza(a)intel.com> To: Francois Dugast <francois.dugast(a)intel.com> To: Matthew Brost <matthew.brost(a)intel.com> To: Alan Previn <alan.previn.teres.alexis(a)intel.com> To: Zhanjun Dong <zhanjun.dong(a)intel.com> To: Matt Roper <matthew.d.roper(a)intel.com> To: Mateusz Naklicki <mateusz.naklicki(a)intel.com> Cc: Mauro Carvalho Chehab <mauro.chehab(a)linux.intel.com> Cc: Zbigniew Kempczyński <zbigniew.kempczynski(a)intel.com> Cc: intel-xe(a)lists.freedesktop.org Cc: dri-devel(a)lists.freedesktop.org Cc: linux-kernel(a)vger.kernel.org Suggested-by: Kexy Biscuit <kexybiscuit(a)aosc.io> Co-developed-by: Shang Yatsen <429839446(a)qq.com> Signed-off-by: Shang Yatsen <429839446(a)qq.com> Signed-off-by: Mingcong Bai <jeffbai(a)aosc.io> --- Mingcong Bai (5): drm/xe/bo: fix alignment with non-4KiB kernel page sizes drm/xe/guc: use GUC_SIZE (SZ_4K) for alignment drm/xe/regs: fix RING_CTL_SIZE(size) calculation drm/xe: use 4KiB alignment for cursor jumps drm/xe/query: use PAGE_SIZE as the minimum page alignment drivers/gpu/drm/xe/regs/xe_engine_regs.h | 2 +- drivers/gpu/drm/xe/xe_bo.c | 8 ++++---- drivers/gpu/drm/xe/xe_guc.c | 4 ++-- drivers/gpu/drm/xe/xe_guc.h | 3 +++ drivers/gpu/drm/xe/xe_guc_ads.c | 32 ++++++++++++++++---------------- drivers/gpu/drm/xe/xe_guc_capture.c | 8 ++++---- drivers/gpu/drm/xe/xe_guc_ct.c | 2 +- drivers/gpu/drm/xe/xe_guc_log.c | 5 +++-- drivers/gpu/drm/xe/xe_guc_pc.c | 4 ++-- drivers/gpu/drm/xe/xe_migrate.c | 4 ++-- drivers/gpu/drm/xe/xe_query.c | 2 +- include/uapi/drm/xe_drm.h | 7 +++++-- 12 files changed, 44 insertions(+), 37 deletions(-) --- base-commit: 546b1c9e93c2bb8cf5ed24e0be1c86bb089b3253 change-id: 20250603-upstream-xe-non-4k-v2-4acf253c9bfd Best regards, -- Mingcong Bai <jeffbai(a)aosc.io>

3 days, 13 hours

3
7
0 0

[PATCH 6.6.y] wifi: rtw89: pci: use DBI function for 8852AE/8852BE/8851BE

by Zenm Chen

From: Chin-Yen Lee <timlee(a)realtek.com> [ Upstream commit 9496d62f3877bc0f97b415bc04af98d092878026 ] Sometimes driver can't use kernel API pci_read/write_config_byte to access the PCI config space of above address 0x100 due to the negotiated PCI setting. 8852AE/8852BE/8851BE provide another way called DBI function, which belongs to WiFi mac and could access all PCI config space for this case. Link: https://lore.kernel.org/linux-wireless/79fe81b7db7148b9a7da2353c16d70fb@rea… Signed-off-by: Chin-Yen Lee <timlee(a)realtek.com> Signed-off-by: Ping-Ke Shih <pkshih(a)realtek.com> Signed-off-by: Kalle Valo <kvalo(a)kernel.org> Link: https://msgid.link/20240103012346.6822-1-pkshih@realtek.com Signed-off-by: Zenm Chen <zenmchen(a)gmail.com> --- Without this patch applied, the rtw89 driver in kernel 6.6.y may fail to initialize the RTL8852BE chip and print the error messages below on some platforms [1]. [ 13.449168] rtw89_8852be_git 0000:02:00.0: [ERR]pci config read 719 [ 13.449754] rtw89_8852be_git 0000:02:00.0: [ERR] pcie autok fail -22 [ 13.450353] rtw89_8852be_git 0000:02:00.0: failed to setup chip information [ 13.455857] rtw89_8852be_git: probe of 0000:02:00.0 failed with error -22 [1] https://github.com/a5a5aa555oo/rtw89/issues/3 --- drivers/net/wireless/realtek/rtw89/pci.c | 69 +++++++++++++++++++++++- drivers/net/wireless/realtek/rtw89/pci.h | 1 + 2 files changed, 68 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/realtek/rtw89/pci.c b/drivers/net/wireless/realtek/rtw89/pci.c index 30cc6e03c..33b2543ee 100644 --- a/drivers/net/wireless/realtek/rtw89/pci.c +++ b/drivers/net/wireless/realtek/rtw89/pci.c @@ -1822,22 +1822,87 @@ static int rtw89_write16_mdio_clr(struct rtw89_dev *rtwdev, u8 addr, u16 mask, u return 0; } +static int rtw89_dbi_write8(struct rtw89_dev *rtwdev, u16 addr, u8 data) +{ + u16 addr_2lsb = addr & B_AX_DBI_2LSB; + u16 write_addr; + u8 flag; + int ret; + + write_addr = addr & B_AX_DBI_ADDR_MSK; + write_addr |= u16_encode_bits(BIT(addr_2lsb), B_AX_DBI_WREN_MSK); + rtw89_write8(rtwdev, R_AX_DBI_WDATA + addr_2lsb, data); + rtw89_write16(rtwdev, R_AX_DBI_FLAG, write_addr); + rtw89_write8(rtwdev, R_AX_DBI_FLAG + 2, B_AX_DBI_WFLAG >> 16); + + ret = read_poll_timeout_atomic(rtw89_read8, flag, !flag, 10, + 10 * RTW89_PCI_WR_RETRY_CNT, false, + rtwdev, R_AX_DBI_FLAG + 2); + if (ret) + rtw89_err(rtwdev, "failed to write DBI register, addr=0x%X\n", + addr); + + return ret; +} + +static int rtw89_dbi_read8(struct rtw89_dev *rtwdev, u16 addr, u8 *value) +{ + u16 read_addr = addr & B_AX_DBI_ADDR_MSK; + u8 flag; + int ret; + + rtw89_write16(rtwdev, R_AX_DBI_FLAG, read_addr); + rtw89_write8(rtwdev, R_AX_DBI_FLAG + 2, B_AX_DBI_RFLAG >> 16); + + ret = read_poll_timeout_atomic(rtw89_read8, flag, !flag, 10, + 10 * RTW89_PCI_WR_RETRY_CNT, false, + rtwdev, R_AX_DBI_FLAG + 2); + if (ret) { + rtw89_err(rtwdev, "failed to read DBI register, addr=0x%X\n", + addr); + return ret; + } + + read_addr = R_AX_DBI_RDATA + (addr & 3); + *value = rtw89_read8(rtwdev, read_addr); + + return 0; +} + static int rtw89_pci_write_config_byte(struct rtw89_dev *rtwdev, u16 addr, u8 data) { struct rtw89_pci *rtwpci = (struct rtw89_pci *)rtwdev->priv; + enum rtw89_core_chip_id chip_id = rtwdev->chip->chip_id; struct pci_dev *pdev = rtwpci->pdev; + int ret; + + ret = pci_write_config_byte(pdev, addr, data); + if (!ret) + return 0; - return pci_write_config_byte(pdev, addr, data); + if (chip_id == RTL8852A || chip_id == RTL8852B || chip_id == RTL8851B) + ret = rtw89_dbi_write8(rtwdev, addr, data); + + return ret; } static int rtw89_pci_read_config_byte(struct rtw89_dev *rtwdev, u16 addr, u8 *value) { struct rtw89_pci *rtwpci = (struct rtw89_pci *)rtwdev->priv; + enum rtw89_core_chip_id chip_id = rtwdev->chip->chip_id; struct pci_dev *pdev = rtwpci->pdev; + int ret; - return pci_read_config_byte(pdev, addr, value); + ret = pci_read_config_byte(pdev, addr, value); + if (!ret) + return 0; + + if (chip_id == RTL8852A || chip_id == RTL8852B || chip_id == RTL8851B) + ret = rtw89_dbi_read8(rtwdev, addr, value); + + return ret; } static int rtw89_pci_config_byte_set(struct rtw89_dev *rtwdev, u16 addr, diff --git a/drivers/net/wireless/realtek/rtw89/pci.h b/drivers/net/wireless/realtek/rtw89/pci.h index 4259b79b1..119c0608b 100644 --- a/drivers/net/wireless/realtek/rtw89/pci.h +++ b/drivers/net/wireless/realtek/rtw89/pci.h @@ -42,6 +42,7 @@ #define B_AX_DBI_WFLAG BIT(16) #define B_AX_DBI_WREN_MSK GENMASK(15, 12) #define B_AX_DBI_ADDR_MSK GENMASK(11, 2) +#define B_AX_DBI_2LSB GENMASK(1, 0) #define R_AX_DBI_WDATA 0x1094 #define R_AX_DBI_RDATA 0x1098 -- 2.49.0

3 days, 13 hours

1
0
0 0

[PATCH] drm/xe: Fix early wedge on GuC load failure

by Daniele Ceraolo Spurio

When the GuC fails to load we declare the device wedged. However, the very first GuC load attempt on GT0 (from xe_gt_init_hwconfig) is done before the GT1 GuC objects are initialized, so things go bad when the wedge code attempts to cleanup GT1. To fix this, check the initialization status in the functions called during wedge. Fixes: 7dbe8af13c18 ("drm/xe: Wedge the entire device") Signed-off-by: Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> Cc: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: Jonathan Cavitt <jonathan.cavitt(a)intel.com> Cc: Lucas De Marchi <lucas.demarchi(a)intel.com> Cc: Zhanjun Dong <zhanjun.dong(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.12+: 1e1981b16bb1: drm/xe: Fix taking invalid lock on wedge Cc: <stable(a)vger.kernel.org> # v6.12+ Reviewed-by: Jonathan Cavitt <jonathan.cavitt(a)intel.com> Reviewed-by: Lucas De Marchi <lucas.demarchi(a)intel.com> --- drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c | 8 ++++++++ drivers/gpu/drm/xe/xe_guc_ct.c | 7 +++++-- drivers/gpu/drm/xe/xe_guc_ct.h | 5 +++++ drivers/gpu/drm/xe/xe_guc_submit.c | 3 +++ 4 files changed, 21 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c b/drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c index 084cbdeba8ea..e1362e608146 100644 --- a/drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c +++ b/drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c @@ -137,6 +137,14 @@ void xe_gt_tlb_invalidation_reset(struct xe_gt *gt) struct xe_gt_tlb_invalidation_fence *fence, *next; int pending_seqno; + /* + * we can get here before the CTs are even initialized if we're wedging + * very early, in which case there are not going to be any pending + * fences so we can bail immediately. + */ + if (!xe_guc_ct_initialized(&gt->uc.guc.ct)) + return; + /* * CT channel is already disabled at this point. No new TLB requests can * appear. diff --git a/drivers/gpu/drm/xe/xe_guc_ct.c b/drivers/gpu/drm/xe/xe_guc_ct.c index 822f4c33f730..e303fec18174 100644 --- a/drivers/gpu/drm/xe/xe_guc_ct.c +++ b/drivers/gpu/drm/xe/xe_guc_ct.c @@ -517,6 +517,9 @@ void xe_guc_ct_disable(struct xe_guc_ct *ct) */ void xe_guc_ct_stop(struct xe_guc_ct *ct) { + if (!xe_guc_ct_initialized(ct)) + return; + xe_guc_ct_set_state(ct, XE_GUC_CT_STATE_STOPPED); stop_g2h_handler(ct); } @@ -788,7 +791,7 @@ static int __guc_ct_send_locked(struct xe_guc_ct *ct, const u32 *action, u16 seqno; int ret; - xe_gt_assert(gt, ct->state != XE_GUC_CT_STATE_NOT_INITIALIZED); + xe_gt_assert(gt, xe_guc_ct_initialized(ct)); xe_gt_assert(gt, !g2h_len || !g2h_fence); xe_gt_assert(gt, !num_g2h || !g2h_fence); xe_gt_assert(gt, !g2h_len || num_g2h); @@ -1424,7 +1427,7 @@ static int g2h_read(struct xe_guc_ct *ct, u32 *msg, bool fast_path) u32 action; u32 *hxg; - xe_gt_assert(gt, ct->state != XE_GUC_CT_STATE_NOT_INITIALIZED); + xe_gt_assert(gt, xe_guc_ct_initialized(ct)); lockdep_assert_held(&ct->fast_lock); if (ct->state == XE_GUC_CT_STATE_DISABLED) diff --git a/drivers/gpu/drm/xe/xe_guc_ct.h b/drivers/gpu/drm/xe/xe_guc_ct.h index 5649bda82823..99c5dec446f2 100644 --- a/drivers/gpu/drm/xe/xe_guc_ct.h +++ b/drivers/gpu/drm/xe/xe_guc_ct.h @@ -24,6 +24,11 @@ void xe_guc_ct_print(struct xe_guc_ct *ct, struct drm_printer *p, bool want_ctb) void xe_guc_ct_fixup_messages_with_ggtt(struct xe_guc_ct *ct, s64 ggtt_shift); +static inline bool xe_guc_ct_initialized(struct xe_guc_ct *ct) +{ + return ct->state != XE_GUC_CT_STATE_NOT_INITIALIZED; +} + static inline bool xe_guc_ct_enabled(struct xe_guc_ct *ct) { return ct->state == XE_GUC_CT_STATE_ENABLED; diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c b/drivers/gpu/drm/xe/xe_guc_submit.c index 4a5bcaf83965..55f6385c63a6 100644 --- a/drivers/gpu/drm/xe/xe_guc_submit.c +++ b/drivers/gpu/drm/xe/xe_guc_submit.c @@ -1787,6 +1787,9 @@ int xe_guc_submit_reset_prepare(struct xe_guc *guc) { int ret; + if (!guc->submission_state.initialized) + return 0; + /* * Using an atomic here rather than submission_state.lock as this * function can be called while holding the CT lock (engine reset -- 2.43.0

3 days, 15 hours

2
1
0 0

[PATCH] drm/xe: Fix memset on iomem

by Lucas De Marchi

It should rather use xe_map_memset() as the BO is created with XE_BO_FLAG_VRAM_IF_DGFX in xe_guc_pc_init(). Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Cc: stable(a)vger.kernel.org Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> --- drivers/gpu/drm/xe/xe_guc_pc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/xe/xe_guc_pc.c b/drivers/gpu/drm/xe/xe_guc_pc.c index 18c6239920355..3beaaa7b25c1b 100644 --- a/drivers/gpu/drm/xe/xe_guc_pc.c +++ b/drivers/gpu/drm/xe/xe_guc_pc.c @@ -1068,7 +1068,7 @@ int xe_guc_pc_start(struct xe_guc_pc *pc) goto out; } - memset(pc->bo->vmap.vaddr, 0, size); + xe_map_memset(xe, &pc->bo->vmap, 0, 0, size); slpc_shared_data_write(pc, header.size, size); earlier = ktime_get();

3 days, 15 hours

2
1
0 0

[PATCH v4 2/5] scsi: fnic: Fix crash in fnic_wq_cmpl_handler when FDMI times out

by Karan Tilak Kumar

When both the RHBA and RPA FDMI requests time out, fnic reuses a frame to send ABTS for each of them. On send completion, this causes an attempt to free the same frame twice that leads to a crash. Fix crash by allocating separate frames for RHBA and RPA, and modify ABTS logic accordingly. Tested by checking MDS for FDMI information. Tested by using instrumented driver to: Drop PLOGI response Drop RHBA response Drop RPA response Drop RHBA and RPA response Drop PLOGI response + ABTS response Drop RHBA response + ABTS response Drop RPA response + ABTS response Drop RHBA and RPA response + ABTS response for both of them Fixes: 09c1e6ab4ab2 ("scsi: fnic: Add and integrate support for FDMI") Reviewed-by: Sesidhar Baddela <sebaddel(a)cisco.com> Reviewed-by: Arulprabhu Ponnusamy <arulponn(a)cisco.com> Reviewed-by: Gian Carlo Boffa <gcboffa(a)cisco.com> Tested-by: Arun Easi <aeasi(a)cisco.com> Co-developed-by: Arun Easi <aeasi(a)cisco.com> Signed-off-by: Arun Easi <aeasi(a)cisco.com> Tested-by: Karan Tilak Kumar <kartilak(a)cisco.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Karan Tilak Kumar <kartilak(a)cisco.com> --- Changes between v3 and v4: - Incorporate review comments from Dan: - Remove comments from Cc tag Changes between v2 and v3: - Incorporate review comments from Dan: - Add Cc to stable Changes between v1 and v2: - Incorporate review comments from Dan: - Add Fixes tag --- drivers/scsi/fnic/fdls_disc.c | 113 +++++++++++++++++++++++++--------- drivers/scsi/fnic/fnic_fdls.h | 1 + 2 files changed, 86 insertions(+), 28 deletions(-) diff --git a/drivers/scsi/fnic/fdls_disc.c b/drivers/scsi/fnic/fdls_disc.c index c2b6f4eb338e..0ee1b74967b9 100644 --- a/drivers/scsi/fnic/fdls_disc.c +++ b/drivers/scsi/fnic/fdls_disc.c @@ -763,47 +763,69 @@ static void fdls_send_fabric_abts(struct fnic_iport_s *iport) iport->fabric.timer_pending = 1; } -static void fdls_send_fdmi_abts(struct fnic_iport_s *iport) +static uint8_t *fdls_alloc_init_fdmi_abts_frame(struct fnic_iport_s *iport, + uint16_t oxid) { - uint8_t *frame; + struct fc_frame_header *pfdmi_abts; uint8_t d_id[3]; + uint8_t *frame; struct fnic *fnic = iport->fnic; - struct fc_frame_header *pfabric_abts; - unsigned long fdmi_tov; - uint16_t oxid; - uint16_t frame_size = FNIC_ETH_FCOE_HDRS_OFFSET + - sizeof(struct fc_frame_header); frame = fdls_alloc_frame(iport); if (frame == NULL) { FNIC_FCS_DBG(KERN_ERR, fnic->host, fnic->fnic_num, "Failed to allocate frame to send FDMI ABTS"); - return; + return NULL; } - pfabric_abts = (struct fc_frame_header *) (frame + FNIC_ETH_FCOE_HDRS_OFFSET); + pfdmi_abts = (struct fc_frame_header *) (frame + FNIC_ETH_FCOE_HDRS_OFFSET); fdls_init_fabric_abts_frame(frame, iport); hton24(d_id, FC_FID_MGMT_SERV); - FNIC_STD_SET_D_ID(*pfabric_abts, d_id); + FNIC_STD_SET_D_ID(*pfdmi_abts, d_id); + FNIC_STD_SET_OX_ID(*pfdmi_abts, oxid); + + return frame; +} + +static void fdls_send_fdmi_abts(struct fnic_iport_s *iport) +{ + uint8_t *frame; + unsigned long fdmi_tov; + uint16_t frame_size = FNIC_ETH_FCOE_HDRS_OFFSET + + sizeof(struct fc_frame_header); if (iport->fabric.fdmi_pending & FDLS_FDMI_PLOGI_PENDING) { - oxid = iport->active_oxid_fdmi_plogi; - FNIC_STD_SET_OX_ID(*pfabric_abts, oxid); + frame = fdls_alloc_init_fdmi_abts_frame(iport, + iport->active_oxid_fdmi_plogi); + if (frame == NULL) + return; + fnic_send_fcoe_frame(iport, frame, frame_size); } else { if (iport->fabric.fdmi_pending & FDLS_FDMI_REG_HBA_PENDING) { - oxid = iport->active_oxid_fdmi_rhba; - FNIC_STD_SET_OX_ID(*pfabric_abts, oxid); + frame = fdls_alloc_init_fdmi_abts_frame(iport, + iport->active_oxid_fdmi_rhba); + if (frame == NULL) + return; + fnic_send_fcoe_frame(iport, frame, frame_size); } if (iport->fabric.fdmi_pending & FDLS_FDMI_RPA_PENDING) { - oxid = iport->active_oxid_fdmi_rpa; - FNIC_STD_SET_OX_ID(*pfabric_abts, oxid); + frame = fdls_alloc_init_fdmi_abts_frame(iport, + iport->active_oxid_fdmi_rpa); + if (frame == NULL) { + if (iport->fabric.fdmi_pending & FDLS_FDMI_REG_HBA_PENDING) + goto arm_timer; + else + return; + } + fnic_send_fcoe_frame(iport, frame, frame_size); } } +arm_timer: fdmi_tov = jiffies + msecs_to_jiffies(2 * iport->e_d_tov); mod_timer(&iport->fabric.fdmi_timer, round_jiffies(fdmi_tov)); iport->fabric.fdmi_pending |= FDLS_FDMI_ABORT_PENDING; @@ -2244,6 +2266,21 @@ void fdls_fabric_timer_callback(struct timer_list *t) spin_unlock_irqrestore(&fnic->fnic_lock, flags); } +void fdls_fdmi_retry_plogi(struct fnic_iport_s *iport) +{ + struct fnic *fnic = iport->fnic; + + iport->fabric.fdmi_pending = 0; + /* If max retries not exhausted, start over from fdmi plogi */ + if (iport->fabric.fdmi_retry < FDLS_FDMI_MAX_RETRY) { + iport->fabric.fdmi_retry++; + FNIC_FCS_DBG(KERN_INFO, fnic->host, fnic->fnic_num, + "Retry FDMI PLOGI. FDMI retry: %d", + iport->fabric.fdmi_retry); + fdls_send_fdmi_plogi(iport); + } +} + void fdls_fdmi_timer_callback(struct timer_list *t) { struct fnic_fdls_fabric_s *fabric = from_timer(fabric, t, fdmi_timer); @@ -2289,14 +2326,7 @@ void fdls_fdmi_timer_callback(struct timer_list *t) FNIC_FCS_DBG(KERN_INFO, fnic->host, fnic->fnic_num, "fdmi timer callback : 0x%x\n", iport->fabric.fdmi_pending); - iport->fabric.fdmi_pending = 0; - /* If max retries not exhaused, start over from fdmi plogi */ - if (iport->fabric.fdmi_retry < FDLS_FDMI_MAX_RETRY) { - iport->fabric.fdmi_retry++; - FNIC_FCS_DBG(KERN_INFO, fnic->host, fnic->fnic_num, - "retry fdmi timer %d", iport->fabric.fdmi_retry); - fdls_send_fdmi_plogi(iport); - } + fdls_fdmi_retry_plogi(iport); FNIC_FCS_DBG(KERN_INFO, fnic->host, fnic->fnic_num, "fdmi timer callback : 0x%x\n", iport->fabric.fdmi_pending); spin_unlock_irqrestore(&fnic->fnic_lock, flags); @@ -3714,11 +3744,32 @@ static void fdls_process_fdmi_abts_rsp(struct fnic_iport_s *iport, switch (FNIC_FRAME_TYPE(oxid)) { case FNIC_FRAME_TYPE_FDMI_PLOGI: fdls_free_oxid(iport, oxid, &iport->active_oxid_fdmi_plogi); + + iport->fabric.fdmi_pending &= ~FDLS_FDMI_PLOGI_PENDING; + iport->fabric.fdmi_pending &= ~FDLS_FDMI_ABORT_PENDING; break; case FNIC_FRAME_TYPE_FDMI_RHBA: + iport->fabric.fdmi_pending &= ~FDLS_FDMI_REG_HBA_PENDING; + + /* If RPA is still pending, don't turn off ABORT PENDING. + * We count on the timer to detect the ABTS timeout and take + * corrective action. + */ + if (!(iport->fabric.fdmi_pending & FDLS_FDMI_RPA_PENDING)) + iport->fabric.fdmi_pending &= ~FDLS_FDMI_ABORT_PENDING; + fdls_free_oxid(iport, oxid, &iport->active_oxid_fdmi_rhba); break; case FNIC_FRAME_TYPE_FDMI_RPA: + iport->fabric.fdmi_pending &= ~FDLS_FDMI_RPA_PENDING; + + /* If RHBA is still pending, don't turn off ABORT PENDING. + * We count on the timer to detect the ABTS timeout and take + * corrective action. + */ + if (!(iport->fabric.fdmi_pending & FDLS_FDMI_REG_HBA_PENDING)) + iport->fabric.fdmi_pending &= ~FDLS_FDMI_ABORT_PENDING; + fdls_free_oxid(iport, oxid, &iport->active_oxid_fdmi_rpa); break; default: @@ -3728,10 +3779,16 @@ static void fdls_process_fdmi_abts_rsp(struct fnic_iport_s *iport, break; } - timer_delete_sync(&iport->fabric.fdmi_timer); - iport->fabric.fdmi_pending &= ~FDLS_FDMI_ABORT_PENDING; - - fdls_send_fdmi_plogi(iport); + /* + * Only if ABORT PENDING is off, delete the timer, and if no other + * operations are pending, retry FDMI. + * Otherwise, let the timer pop and take the appropriate action. + */ + if (!(iport->fabric.fdmi_pending & FDLS_FDMI_ABORT_PENDING)) { + timer_delete_sync(&iport->fabric.fdmi_timer); + if (!iport->fabric.fdmi_pending) + fdls_fdmi_retry_plogi(iport); + } } static void diff --git a/drivers/scsi/fnic/fnic_fdls.h b/drivers/scsi/fnic/fnic_fdls.h index 8e610b65ad57..531d0b37e450 100644 --- a/drivers/scsi/fnic/fnic_fdls.h +++ b/drivers/scsi/fnic/fnic_fdls.h @@ -394,6 +394,7 @@ void fdls_send_tport_abts(struct fnic_iport_s *iport, bool fdls_delete_tport(struct fnic_iport_s *iport, struct fnic_tport_s *tport); void fdls_fdmi_timer_callback(struct timer_list *t); +void fdls_fdmi_retry_plogi(struct fnic_iport_s *iport); /* fnic_fcs.c */ void fnic_fdls_init(struct fnic *fnic, int usefip); -- 2.47.1

3 days, 16 hours

1
0
0 0

[PATCH v3 2/5] scsi: fnic: Fix crash in fnic_wq_cmpl_handler when FDMI times out

by Karan Tilak Kumar

When both the RHBA and RPA FDMI requests time out, fnic reuses a frame to send ABTS for each of them. On send completion, this causes an attempt to free the same frame twice that leads to a crash. Fix crash by allocating separate frames for RHBA and RPA, and modify ABTS logic accordingly. Tested by checking MDS for FDMI information. Tested by using instrumented driver to: Drop PLOGI response Drop RHBA response Drop RPA response Drop RHBA and RPA response Drop PLOGI response + ABTS response Drop RHBA response + ABTS response Drop RPA response + ABTS response Drop RHBA and RPA response + ABTS response for both of them Fixes: 09c1e6ab4ab2 ("scsi: fnic: Add and integrate support for FDMI") Reviewed-by: Sesidhar Baddela <sebaddel(a)cisco.com> Reviewed-by: Arulprabhu Ponnusamy <arulponn(a)cisco.com> Reviewed-by: Gian Carlo Boffa <gcboffa(a)cisco.com> Tested-by: Arun Easi <aeasi(a)cisco.com> Co-developed-by: Arun Easi <aeasi(a)cisco.com> Signed-off-by: Arun Easi <aeasi(a)cisco.com> Tested-by: Karan Tilak Kumar <kartilak(a)cisco.com> Cc: <stable(a)vger.kernel.org> # 6.14.x Please see patch description Signed-off-by: Karan Tilak Kumar <kartilak(a)cisco.com> --- drivers/scsi/fnic/fdls_disc.c | 113 +++++++++++++++++++++++++--------- drivers/scsi/fnic/fnic_fdls.h | 1 + 2 files changed, 86 insertions(+), 28 deletions(-) diff --git a/drivers/scsi/fnic/fdls_disc.c b/drivers/scsi/fnic/fdls_disc.c index c2b6f4eb338e..0ee1b74967b9 100644 --- a/drivers/scsi/fnic/fdls_disc.c +++ b/drivers/scsi/fnic/fdls_disc.c @@ -763,47 +763,69 @@ static void fdls_send_fabric_abts(struct fnic_iport_s *iport) iport->fabric.timer_pending = 1; } -static void fdls_send_fdmi_abts(struct fnic_iport_s *iport) +static uint8_t *fdls_alloc_init_fdmi_abts_frame(struct fnic_iport_s *iport, + uint16_t oxid) { - uint8_t *frame; + struct fc_frame_header *pfdmi_abts; uint8_t d_id[3]; + uint8_t *frame; struct fnic *fnic = iport->fnic; - struct fc_frame_header *pfabric_abts; - unsigned long fdmi_tov; - uint16_t oxid; - uint16_t frame_size = FNIC_ETH_FCOE_HDRS_OFFSET + - sizeof(struct fc_frame_header); frame = fdls_alloc_frame(iport); if (frame == NULL) { FNIC_FCS_DBG(KERN_ERR, fnic->host, fnic->fnic_num, "Failed to allocate frame to send FDMI ABTS"); - return; + return NULL; } - pfabric_abts = (struct fc_frame_header *) (frame + FNIC_ETH_FCOE_HDRS_OFFSET); + pfdmi_abts = (struct fc_frame_header *) (frame + FNIC_ETH_FCOE_HDRS_OFFSET); fdls_init_fabric_abts_frame(frame, iport); hton24(d_id, FC_FID_MGMT_SERV); - FNIC_STD_SET_D_ID(*pfabric_abts, d_id); + FNIC_STD_SET_D_ID(*pfdmi_abts, d_id); + FNIC_STD_SET_OX_ID(*pfdmi_abts, oxid); + + return frame; +} + +static void fdls_send_fdmi_abts(struct fnic_iport_s *iport) +{ + uint8_t *frame; + unsigned long fdmi_tov; + uint16_t frame_size = FNIC_ETH_FCOE_HDRS_OFFSET + + sizeof(struct fc_frame_header); if (iport->fabric.fdmi_pending & FDLS_FDMI_PLOGI_PENDING) { - oxid = iport->active_oxid_fdmi_plogi; - FNIC_STD_SET_OX_ID(*pfabric_abts, oxid); + frame = fdls_alloc_init_fdmi_abts_frame(iport, + iport->active_oxid_fdmi_plogi); + if (frame == NULL) + return; + fnic_send_fcoe_frame(iport, frame, frame_size); } else { if (iport->fabric.fdmi_pending & FDLS_FDMI_REG_HBA_PENDING) { - oxid = iport->active_oxid_fdmi_rhba; - FNIC_STD_SET_OX_ID(*pfabric_abts, oxid); + frame = fdls_alloc_init_fdmi_abts_frame(iport, + iport->active_oxid_fdmi_rhba); + if (frame == NULL) + return; + fnic_send_fcoe_frame(iport, frame, frame_size); } if (iport->fabric.fdmi_pending & FDLS_FDMI_RPA_PENDING) { - oxid = iport->active_oxid_fdmi_rpa; - FNIC_STD_SET_OX_ID(*pfabric_abts, oxid); + frame = fdls_alloc_init_fdmi_abts_frame(iport, + iport->active_oxid_fdmi_rpa); + if (frame == NULL) { + if (iport->fabric.fdmi_pending & FDLS_FDMI_REG_HBA_PENDING) + goto arm_timer; + else + return; + } + fnic_send_fcoe_frame(iport, frame, frame_size); } } +arm_timer: fdmi_tov = jiffies + msecs_to_jiffies(2 * iport->e_d_tov); mod_timer(&iport->fabric.fdmi_timer, round_jiffies(fdmi_tov)); iport->fabric.fdmi_pending |= FDLS_FDMI_ABORT_PENDING; @@ -2244,6 +2266,21 @@ void fdls_fabric_timer_callback(struct timer_list *t) spin_unlock_irqrestore(&fnic->fnic_lock, flags); } +void fdls_fdmi_retry_plogi(struct fnic_iport_s *iport) +{ + struct fnic *fnic = iport->fnic; + + iport->fabric.fdmi_pending = 0; + /* If max retries not exhausted, start over from fdmi plogi */ + if (iport->fabric.fdmi_retry < FDLS_FDMI_MAX_RETRY) { + iport->fabric.fdmi_retry++; + FNIC_FCS_DBG(KERN_INFO, fnic->host, fnic->fnic_num, + "Retry FDMI PLOGI. FDMI retry: %d", + iport->fabric.fdmi_retry); + fdls_send_fdmi_plogi(iport); + } +} + void fdls_fdmi_timer_callback(struct timer_list *t) { struct fnic_fdls_fabric_s *fabric = from_timer(fabric, t, fdmi_timer); @@ -2289,14 +2326,7 @@ void fdls_fdmi_timer_callback(struct timer_list *t) FNIC_FCS_DBG(KERN_INFO, fnic->host, fnic->fnic_num, "fdmi timer callback : 0x%x\n", iport->fabric.fdmi_pending); - iport->fabric.fdmi_pending = 0; - /* If max retries not exhaused, start over from fdmi plogi */ - if (iport->fabric.fdmi_retry < FDLS_FDMI_MAX_RETRY) { - iport->fabric.fdmi_retry++; - FNIC_FCS_DBG(KERN_INFO, fnic->host, fnic->fnic_num, - "retry fdmi timer %d", iport->fabric.fdmi_retry); - fdls_send_fdmi_plogi(iport); - } + fdls_fdmi_retry_plogi(iport); FNIC_FCS_DBG(KERN_INFO, fnic->host, fnic->fnic_num, "fdmi timer callback : 0x%x\n", iport->fabric.fdmi_pending); spin_unlock_irqrestore(&fnic->fnic_lock, flags); @@ -3714,11 +3744,32 @@ static void fdls_process_fdmi_abts_rsp(struct fnic_iport_s *iport, switch (FNIC_FRAME_TYPE(oxid)) { case FNIC_FRAME_TYPE_FDMI_PLOGI: fdls_free_oxid(iport, oxid, &iport->active_oxid_fdmi_plogi); + + iport->fabric.fdmi_pending &= ~FDLS_FDMI_PLOGI_PENDING; + iport->fabric.fdmi_pending &= ~FDLS_FDMI_ABORT_PENDING; break; case FNIC_FRAME_TYPE_FDMI_RHBA: + iport->fabric.fdmi_pending &= ~FDLS_FDMI_REG_HBA_PENDING; + + /* If RPA is still pending, don't turn off ABORT PENDING. + * We count on the timer to detect the ABTS timeout and take + * corrective action. + */ + if (!(iport->fabric.fdmi_pending & FDLS_FDMI_RPA_PENDING)) + iport->fabric.fdmi_pending &= ~FDLS_FDMI_ABORT_PENDING; + fdls_free_oxid(iport, oxid, &iport->active_oxid_fdmi_rhba); break; case FNIC_FRAME_TYPE_FDMI_RPA: + iport->fabric.fdmi_pending &= ~FDLS_FDMI_RPA_PENDING; + + /* If RHBA is still pending, don't turn off ABORT PENDING. + * We count on the timer to detect the ABTS timeout and take + * corrective action. + */ + if (!(iport->fabric.fdmi_pending & FDLS_FDMI_REG_HBA_PENDING)) + iport->fabric.fdmi_pending &= ~FDLS_FDMI_ABORT_PENDING; + fdls_free_oxid(iport, oxid, &iport->active_oxid_fdmi_rpa); break; default: @@ -3728,10 +3779,16 @@ static void fdls_process_fdmi_abts_rsp(struct fnic_iport_s *iport, break; } - timer_delete_sync(&iport->fabric.fdmi_timer); - iport->fabric.fdmi_pending &= ~FDLS_FDMI_ABORT_PENDING; - - fdls_send_fdmi_plogi(iport); + /* + * Only if ABORT PENDING is off, delete the timer, and if no other + * operations are pending, retry FDMI. + * Otherwise, let the timer pop and take the appropriate action. + */ + if (!(iport->fabric.fdmi_pending & FDLS_FDMI_ABORT_PENDING)) { + timer_delete_sync(&iport->fabric.fdmi_timer); + if (!iport->fabric.fdmi_pending) + fdls_fdmi_retry_plogi(iport); + } } static void diff --git a/drivers/scsi/fnic/fnic_fdls.h b/drivers/scsi/fnic/fnic_fdls.h index 8e610b65ad57..531d0b37e450 100644 --- a/drivers/scsi/fnic/fnic_fdls.h +++ b/drivers/scsi/fnic/fnic_fdls.h @@ -394,6 +394,7 @@ void fdls_send_tport_abts(struct fnic_iport_s *iport, bool fdls_delete_tport(struct fnic_iport_s *iport, struct fnic_tport_s *tport); void fdls_fdmi_timer_callback(struct timer_list *t); +void fdls_fdmi_retry_plogi(struct fnic_iport_s *iport); /* fnic_fcs.c */ void fnic_fdls_init(struct fnic *fnic, int usefip); -- 2.47.1

3 days, 17 hours

3
3
0 0

[PATCH net] net_sched: sch_sfq: reject invalid perturb period

by Eric Dumazet

Gerrard Tai reported that SFQ perturb_period has no range check yet, and this can be used to trigger a race condition fixed in a separate patch. We want to make sure ctl->perturb_period * HZ will not overflow and is positive. Tested: tc qd add dev lo root sfq perturb -10 # negative value : error Error: sch_sfq: invalid perturb period. tc qd add dev lo root sfq perturb 1000000000 # too big : error Error: sch_sfq: invalid perturb period. tc qd add dev lo root sfq perturb 2000000 # acceptable value tc -s -d qd sh dev lo qdisc sfq 8005: root refcnt 2 limit 127p quantum 64Kb depth 127 flows 128 divisor 1024 perturb 2000000sec Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) backlog 0b 0p requeues 0 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Gerrard Tai <gerrard.tai(a)starlabs.sg> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Cc: stable(a)vger.kernel.org --- net/sched/sch_sfq.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c index 77fa02f2bfcd56a36815199aa2e7987943ea226f..a8cca549b5a2eb2407949560c2b6b658fb7a581f 100644 --- a/net/sched/sch_sfq.c +++ b/net/sched/sch_sfq.c @@ -656,6 +656,14 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt, NL_SET_ERR_MSG_MOD(extack, "invalid quantum"); return -EINVAL; } + + if (ctl->perturb_period < 0 || + ctl->perturb_period > INT_MAX / HZ) { + NL_SET_ERR_MSG_MOD(extack, "invalid perturb period"); + return -EINVAL; + } + perturb_period = ctl->perturb_period * HZ; + if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max, ctl_v1->Wlog, ctl_v1->Scell_log, NULL)) return -EINVAL; @@ -672,14 +680,12 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt, headdrop = q->headdrop; maxdepth = q->maxdepth; maxflows = q->maxflows; - perturb_period = q->perturb_period; quantum = q->quantum; flags = q->flags; /* update and validate configuration */ if (ctl->quantum) quantum = ctl->quantum; - perturb_period = ctl->perturb_period * HZ; if (ctl->flows) maxflows = min_t(u32, ctl->flows, SFQ_MAX_FLOWS); if (ctl->divisor) { -- 2.50.0.rc0.642.g800a2b2222-goog

3 days, 18 hours

3
2
0 0

FAILED: patch "[PATCH] iio: dac: ad3552r-common: fix ad3541/2r ranges" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 1e758b613212b6964518a67939535910b5aee831 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025021010-antarctic-untried-a72b@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1e758b613212b6964518a67939535910b5aee831 Mon Sep 17 00:00:00 2001 From: Angelo Dureghello <adureghello(a)baylibre.com> Date: Wed, 8 Jan 2025 18:29:15 +0100 Subject: [PATCH] iio: dac: ad3552r-common: fix ad3541/2r ranges Fix ad3541/2r voltage ranges to be as per ad3542r datasheet, rev. C, table 38 (page 57). The wrong ad354xr ranges was generating erroneous Vpp output. In more details: - fix wrong number of ranges, they are 5 ranges, not 6, - remove non-existent 0-3V range, - adjust order, since ad3552r_find_range() get a wrong index, producing a wrong Vpp as output. Retested all the ranges on real hardware, EVALAD3542RFMCZ: adi,output-range-microvolt (fdt): <(000000) (2500000)>; ok (Rfbx1, switch 10) <(000000) (5000000)>; ok (Rfbx1, switch 10) <(000000) (10000000)>; ok (Rfbx1, switch 10) <(-5000000) (5000000)>; ok (Rfbx2, switch +/- 5) <(-2500000) (7500000)>; ok (Rfbx2, switch -2.5/7.5) Fixes: 8f2b54824b28 ("drivers:iio:dac: Add AD3552R driver support") Signed-off-by: Angelo Dureghello <adureghello(a)baylibre.com> Reviewed-by: David Lechner <dlechner(a)baylibre.com> Link: https://patch.msgid.link/20250108-wip-bl-ad3552r-axi-v0-iio-testing-carlos-… Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/dac/ad3552r-common.c b/drivers/iio/dac/ad3552r-common.c index 0f495df2e5ce..03e0864f5084 100644 --- a/drivers/iio/dac/ad3552r-common.c +++ b/drivers/iio/dac/ad3552r-common.c @@ -22,11 +22,10 @@ EXPORT_SYMBOL_NS_GPL(ad3552r_ch_ranges, "IIO_AD3552R"); const s32 ad3542r_ch_ranges[AD3542R_MAX_RANGES][2] = { [AD3542R_CH_OUTPUT_RANGE_0__2P5V] = { 0, 2500 }, - [AD3542R_CH_OUTPUT_RANGE_0__3V] = { 0, 3000 }, [AD3542R_CH_OUTPUT_RANGE_0__5V] = { 0, 5000 }, [AD3542R_CH_OUTPUT_RANGE_0__10V] = { 0, 10000 }, - [AD3542R_CH_OUTPUT_RANGE_NEG_2P5__7P5V] = { -2500, 7500 }, - [AD3542R_CH_OUTPUT_RANGE_NEG_5__5V] = { -5000, 5000 } + [AD3542R_CH_OUTPUT_RANGE_NEG_5__5V] = { -5000, 5000 }, + [AD3542R_CH_OUTPUT_RANGE_NEG_2P5__7P5V] = { -2500, 7500 } }; EXPORT_SYMBOL_NS_GPL(ad3542r_ch_ranges, "IIO_AD3552R"); diff --git a/drivers/iio/dac/ad3552r.h b/drivers/iio/dac/ad3552r.h index fd5a3dfd1d1c..4b5581039ae9 100644 --- a/drivers/iio/dac/ad3552r.h +++ b/drivers/iio/dac/ad3552r.h @@ -131,7 +131,7 @@ #define AD3552R_CH1_ACTIVE BIT(1) #define AD3552R_MAX_RANGES 5 -#define AD3542R_MAX_RANGES 6 +#define AD3542R_MAX_RANGES 5 #define AD3552R_QUAD_SPI 2 extern const s32 ad3552r_ch_ranges[AD3552R_MAX_RANGES][2]; @@ -189,16 +189,14 @@ enum ad3552r_ch_vref_select { enum ad3542r_ch_output_range { /* Range from 0 V to 2.5 V. Requires Rfb1x connection */ AD3542R_CH_OUTPUT_RANGE_0__2P5V, - /* Range from 0 V to 3 V. Requires Rfb1x connection */ - AD3542R_CH_OUTPUT_RANGE_0__3V, /* Range from 0 V to 5 V. Requires Rfb1x connection */ AD3542R_CH_OUTPUT_RANGE_0__5V, /* Range from 0 V to 10 V. Requires Rfb2x connection */ AD3542R_CH_OUTPUT_RANGE_0__10V, - /* Range from -2.5 V to 7.5 V. Requires Rfb2x connection */ - AD3542R_CH_OUTPUT_RANGE_NEG_2P5__7P5V, /* Range from -5 V to 5 V. Requires Rfb2x connection */ AD3542R_CH_OUTPUT_RANGE_NEG_5__5V, + /* Range from -2.5 V to 7.5 V. Requires Rfb2x connection */ + AD3542R_CH_OUTPUT_RANGE_NEG_2P5__7P5V, }; enum ad3552r_ch_output_range {

3 days, 19 hours

3
4
0 0

[PATCH v2 1/3] mm/huge_memory: don't ignore queried cachemode in vmf_insert_pfn_pud()

by David Hildenbrand

We setup the cache mode but ... don't forward the updated pgprot to insert_pfn_pud(). Only a problem on x86-64 PAT when mapping PFNs using PUDs that require a special cachemode. Fix it by using the proper pgprot where the cachemode was setup. Identified by code inspection. Fixes: 7b806d229ef1 ("mm: remove vmf_insert_pfn_xxx_prot() for huge page-table entries") Cc: <stable(a)vger.kernel.org> Signed-off-by: David Hildenbrand <david(a)redhat.com> --- mm/huge_memory.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/mm/huge_memory.c b/mm/huge_memory.c index d3e66136e41a3..49b98082c5401 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -1516,10 +1516,9 @@ static pud_t maybe_pud_mkwrite(pud_t pud, struct vm_area_struct *vma) } static void insert_pfn_pud(struct vm_area_struct *vma, unsigned long addr, - pud_t *pud, pfn_t pfn, bool write) + pud_t *pud, pfn_t pfn, pgprot_t prot, bool write) { struct mm_struct *mm = vma->vm_mm; - pgprot_t prot = vma->vm_page_prot; pud_t entry; if (!pud_none(*pud)) { @@ -1581,7 +1580,7 @@ vm_fault_t vmf_insert_pfn_pud(struct vm_fault *vmf, pfn_t pfn, bool write) pfnmap_setup_cachemode_pfn(pfn_t_to_pfn(pfn), &pgprot); ptl = pud_lock(vma->vm_mm, vmf->pud); - insert_pfn_pud(vma, addr, vmf->pud, pfn, write); + insert_pfn_pud(vma, addr, vmf->pud, pfn, pgprot, write); spin_unlock(ptl); return VM_FAULT_NOPAGE; @@ -1625,7 +1624,7 @@ vm_fault_t vmf_insert_folio_pud(struct vm_fault *vmf, struct folio *folio, add_mm_counter(mm, mm_counter_file(folio), HPAGE_PUD_NR); } insert_pfn_pud(vma, addr, vmf->pud, pfn_to_pfn_t(folio_pfn(folio)), - write); + vma->vm_page_prot, write); spin_unlock(ptl); return VM_FAULT_NOPAGE; -- 2.49.0

3 days, 20 hours

5
9
0 0

Revert of a commit in 6.6-stable

by Jens Axboe

Hi Greg and crew, Can you revert: commit 746e7d285dcb96caa1845fbbb62b14bf4010cdfb Author: Jens Axboe <axboe(a)kernel.dk> Date: Wed May 7 08:07:09 2025 -0600 io_uring: ensure deferred completions are posted for multishot in 6.6-stable? There's some missing dependencies that makes this not work right, I'll bring it back in a series instead. -- Jens Axboe

3 days, 20 hours

1
1
0 0

6.6-stable inclusion request

by Jens Axboe

Hi, Can you add these three patches to 6.6-stable? It fixes a behavioral change with 6.6-stable that Rom reported, affecting OpenBMC. Other stable versions not affected, as they got the required fixes on top backported already. Thanks, -- Jens Axboe

3 days, 20 hours

1
0
0 0

[PATCH v3] arm64: Restrict pagetable teardown to avoid false warning

by Dev Jain

Commit 9c006972c3fe removes the pxd_present() checks because the caller checks pxd_present(). But, in case of vmap_try_huge_pud(), the caller only checks pud_present(); pud_free_pmd_page() recurses on each pmd through pmd_free_pte_page(), wherein the pmd may be none. Thus it is possible to hit a warning in the latter, since pmd_none => !pmd_table(). Thus, add a pmd_present() check in pud_free_pmd_page(). This problem was found by code inspection. Fixes: 9c006972c3fe (arm64: mmu: drop pXd_present() checks from pXd_free_pYd_table()) Cc: <stable(a)vger.kernel.org> Reported-by: Ryan Roberts <ryan.roberts(a)arm.com> Acked-by: David Hildenbrand <david(a)redhat.com> Signed-off-by: Dev Jain <dev.jain(a)arm.com> --- This patch is based on 6.15-rc6. v2->v3: - Use pmdp_get() v1->v2: - Enforce check in caller arch/arm64/mm/mmu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c index ea6695d53fb9..5a9bf291c649 100644 --- a/arch/arm64/mm/mmu.c +++ b/arch/arm64/mm/mmu.c @@ -1286,7 +1286,8 @@ int pud_free_pmd_page(pud_t *pudp, unsigned long addr) next = addr; end = addr + PUD_SIZE; do { - pmd_free_pte_page(pmdp, next); + if (pmd_present(pmdp_get(pmdp))) + pmd_free_pte_page(pmdp, next); } while (pmdp++, next += PMD_SIZE, next != end); pud_clear(pudp); -- 2.30.2

3 days, 21 hours

5
7
0 0

[PATCH v2 0/2] Samsung Exynos 7870 DECON driver support

by Kaustabh Chakraborty

This patch series aims at adding support for Exynos7870's DECON in the Exynos7 DECON driver. It introduces a driver data struct so that support for DECON on other SoCs can be added to it in the future. It also fixes a few bugs in the driver, such as functions receiving bad pointers. Tested on Samsung Galaxy J7 Prime (samsung-on7xelte), Samsung Galaxy A2 Core (samsung-a2corelte), and Samsung Galaxy J6 (samsung-j6lte). Signed-off-by: Kaustabh Chakraborty <kauschluss(a)disroot.org> --- Changes in v2: - Add a new commit to prevent an occasional panic under circumstances. - Rewrite and redo [v1 2/6] to be a more sensible commit. - Link to v1: https://lore.kernel.org/r/20240919-exynosdrm-decon-v1-0-6c5861c1cb04@disroo… --- Kaustabh Chakraborty (2): drm/exynos: exynos7_drm_decon: fix call of decon_commit() drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling drivers/gpu/drm/exynos/exynos7_drm_decon.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- base-commit: 0bb71d301869446810a0b13d3da290bd455d7c78 change-id: 20240917-exynosdrm-decon-4c228dd1d2bf Best regards, -- Kaustabh Chakraborty <kauschluss(a)disroot.org>

3 days, 23 hours

1
2
0 0

[PATCH] net: pfcp: fix typo in message_priority field name

by RubenKelevra

Fix 'message_priprity' typo to 'message_priority' in big endian bitfield definition. This typo breaks compilation on big endian architectures. Fixes: 6dd514f48110 ("pfcp: always set pfcp metadata") Cc: stable(a)vger.kernel.org # commit 6dd514f48110 ("pfcp: always set pfcp metadata") Signed-off-by: RubenKelevra <rubenkelevra(a)gmail.com> --- include/net/pfcp.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/net/pfcp.h b/include/net/pfcp.h index af14f970b80e1..639553797d3e4 100644 --- a/include/net/pfcp.h +++ b/include/net/pfcp.h @@ -45,7 +45,7 @@ struct pfcphdr_session { reserved:4; #elif defined(__BIG_ENDIAN_BITFIELD) u8 reserved:4, - message_priprity:4; + message_priority:4; #else #error "Please fix <asm/byteorder>" #endif -- 2.49.0

3 days, 23 hours

4
4
0 0

[REGRESSION] drm/amd/display: Radeon 840M/860M: bisected suspend crash

by ggo＠tuxedocomputers.com

Hi, I have discovered that two small form factor desktops with Ryzen AI 7 350 and Ryzen AI 5 340 crash when woken up from suspend. I can see how the LED on the USB mouse is switched on when I trigger a resume via keyboard button, but the display remains black. The kernel also no longer responds to Magic SysRq keys in this state. The problem affects all kernels after merge b50753547453 (v6.11.0). But this merge only adds PCI_DEVICE_ID_AMD_1AH_M60H_ROOT with commit 59c34008d (necessary to trigger this bug with Ryzen AI CPU). I cherry-picked this commit and continued searching. Which finally led me to commit f6098641d3e - drm/amd/display: fix s2idle entry for DCN3.5+ If I remove the code, which has changed somewhat in the meantime, then the suspend works without any problems. See the following patch. Regards, Georg diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index d3100f641ac6..76204ae70acc 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -3121,9 +3121,6 @@ static int dm_suspend(struct amdgpu_ip_block *ip_block) dc_set_power_state(dm->dc, DC_ACPI_CM_POWER_STATE_D3); - if (dm->dc->caps.ips_support && adev->in_s0ix) - dc_allow_idle_optimizations(dm->dc, true); - dc_dmub_srv_set_power_state(dm->dc->ctx->dmub_srv, DC_ACPI_CM_POWER_STATE_D3); return 0;

4 days

1
0
0 0

[PATCH v2] iommu/amd: Fix geometry.aperture_end for V2 tables

by Jason Gunthorpe

The AMD IOMMU documentation seems pretty clear that the V2 table follows the normal CPU expectation of sign extension. This is shown in Figure 25: AMD64 Long Mode 4-Kbyte Page Address Translation Where bits Sign-Extend [63:57] == [56]. This is typical for x86 which would have three regions in the page table: lower, non-canonical, upper. The manual describes that the V1 table does not sign extend in section 2.2.4 Sharing AMD64 Processor and IOMMU Page Tables GPA-to-SPA Further, Vasant has checked this and indicates the HW has an addtional behavior that the manual does not yet describe. The AMDv2 table does not have the sign extended behavior when attached to PASID 0, which may explain why this has gone unnoticed. The iommu domain geometry does not directly support sign extended page tables. The driver should report only one of the lower/upper spaces. Solve this by removing the top VA bit from the geometry to use only the lower space. This will also make the iommu_domain work consistently on all PASID 0 and PASID != 1. Adjust dma_max_address() to remove the top VA bit. It now returns: 5 Level: Before 0x1ffffffffffffff After 0x0ffffffffffffff 4 Level: Before 0xffffffffffff After 0x7fffffffffff Fixes: 11c439a19466 ("iommu/amd/pgtbl_v2: Fix domain max address") Link: https://lore.kernel.org/all/8858d4d6-d360-4ef0-935c-bfd13ea54f42@amd.com/ Signed-off-by: Jason Gunthorpe <jgg(a)nvidia.com> --- drivers/iommu/amd/iommu.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) v2: - Revise the commit message and comment with the new information from Vasant. v1: https://patch.msgid.link/r/0-v1-6925ece6b623+296-amdv2_geo_jgg@nvidia.com diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c index 3117d99cf83d0d..1baa9d3583f369 100644 --- a/drivers/iommu/amd/iommu.c +++ b/drivers/iommu/amd/iommu.c @@ -2526,8 +2526,21 @@ static inline u64 dma_max_address(enum protection_domain_mode pgtable) if (pgtable == PD_MODE_V1) return ~0ULL; - /* V2 with 4/5 level page table */ - return ((1ULL << PM_LEVEL_SHIFT(amd_iommu_gpt_level)) - 1); + /* + * V2 with 4/5 level page table. Note that "2.2.6.5 AMD64 4-Kbyte Page + * Translation" shows that the V2 table sign extends the top of the + * address space creating a reserved region in the middle of the + * translation, just like the CPU does. Further Vasant says the docs are + * incomplete and this only applies to non-zero PASIDs. If the AMDv2 + * page table is assigned to the 0 PASID then there is no sign extension + * check. + * + * Since the IOMMU must have a fixed geometry, and the core code does + * not understand sign extended addressing, we have to chop off the high + * bit to get consistent behavior with attachments of the domain to any + * PASID. + */ + return ((1ULL << (PM_LEVEL_SHIFT(amd_iommu_gpt_level) - 1)) - 1); } static bool amd_iommu_hd_support(struct amd_iommu *iommu) base-commit: eb328711b15b17987021dbb674f446b7b008dca5 -- 2.43.0

4 days, 1 hour

3
3
0 0

[PATCH 0/3] arm64: dts: rockchip: Fix HDMI output on RK3576

by Cristian Ciocaltea

Since commit c871a311edf0 ("phy: rockchip: samsung-hdptx: Setup TMDS char rate via phy_configure_opts_hdmi"), the workaround of passing the PHY rate from DW HDMI QP bridge driver via phy_set_bus_width() became partially broken, unless the rate adjustment is done as with RK3588, i.e. by CCF from VOP2. Attempting to fix this up at PHY level would not only introduce additional hacks, but it would also fail to adequately resolve the display issues that are a consequence of the system CRU limitations. Therefore, let's proceed with the solution already implemented for RK3588, that is to make use of the HDMI PHY PLL as a more accurate DCLK source in VOP2. It's worth noting a follow-up patch is going to drop the hack from the bridge driver altogether, while switching to HDMI PHY configuration API for setting up the TMDS character rate. Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> --- Cristian Ciocaltea (3): dt-bindings: display: vop2: Add optional PLL clock property for rk3576 arm64: dts: rockchip: Enable HDMI PHY clk provider on rk3576 arm64: dts: rockchip: Add HDMI PHY PLL clock source to VOP2 on rk3576 .../bindings/display/rockchip/rockchip-vop2.yaml | 56 +++++++++++++++++----- arch/arm64/boot/dts/rockchip/rk3576.dtsi | 7 ++- 2 files changed, 49 insertions(+), 14 deletions(-) --- base-commit: 19272b37aa4f83ca52bdf9c16d5d81bdd1354494 change-id: 20250611-rk3576-hdmitx-fix-e030fbdb0d17

4 days, 1 hour

4
9
0 0

[PATCH v2] s390/pkey: prevent overflow in size calculation for memdup_user()

by Fedor Pchelkin

Number of apqn target list entries contained in 'nr_apqns' variable is determined by userspace via an ioctl call so the result of the product in calculation of size passed to memdup_user() may overflow. In this case the actual size of the allocated area and the value describing it won't be in sync leading to various types of unpredictable behaviour later. Use a proper memdup_array_user() helper which returns an error if an overflow is detected. Note that it is different from when nr_apqns is initially zero - that case is considered valid and should be handled in subsequent pkey_handler implementations. Found by Linux Verification Center (linuxtesting.org). Fixes: f2bbc96e7cfa ("s390/pkey: add CCA AES cipher key support") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- v2: use memdup_array_user() helper (Heiko Carstens) drivers/s390/crypto/pkey_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c index cef60770f68b..b3fcdcae379e 100644 --- a/drivers/s390/crypto/pkey_api.c +++ b/drivers/s390/crypto/pkey_api.c @@ -86,7 +86,7 @@ static void *_copy_apqns_from_user(void __user *uapqns, size_t nr_apqns) if (!uapqns || nr_apqns == 0) return NULL; - return memdup_user(uapqns, nr_apqns * sizeof(struct pkey_apqn)); + return memdup_array_user(uapqns, nr_apqns, sizeof(struct pkey_apqn)); } static int pkey_ioctl_genseck(struct pkey_genseck __user *ugs) -- 2.49.0

4 days, 2 hours

4
3
0 0

[PATCH v2] pinctrl: qcom: msm: mark certain pins as invalid for interrupts

by Bartosz Golaszewski

From: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> On some platforms, the UFS-reset pin has no interrupt logic in TLMM but is nevertheless registered as a GPIO in the kernel. This enables the user-space to trigger a BUG() in the pinctrl-msm driver by running, for example: `gpiomon -c 0 113` on RB2. The exact culprit is requesting pins whose intr_detection_width setting is not 1 or 2 for interrupts. This hits a BUG() in msm_gpio_irq_set_type(). Potentially crashing the kernel due to an invalid request from user-space is not optimal, so let's go through the pins and mark those that would fail the check as invalid for the irq chip as we should not even register them as available irqs. This function can be extended if we determine that there are more corner-cases like this. Fixes: f365be092572 ("pinctrl: Add Qualcomm TLMM driver") Cc: stable(a)vger.kernel.org Reviewed-by: Bjorn Andersson <andersson(a)kernel.org> Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> --- Changes in v2: - expand the commit message, describing the underlying code issue in detail - added a newline for better readability drivers/pinctrl/qcom/pinctrl-msm.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/drivers/pinctrl/qcom/pinctrl-msm.c b/drivers/pinctrl/qcom/pinctrl-msm.c index f012ea88aa22c..1ff84e8c176d4 100644 --- a/drivers/pinctrl/qcom/pinctrl-msm.c +++ b/drivers/pinctrl/qcom/pinctrl-msm.c @@ -1038,6 +1038,25 @@ static bool msm_gpio_needs_dual_edge_parent_workaround(struct irq_data *d, test_bit(d->hwirq, pctrl->skip_wake_irqs); } +static void msm_gpio_irq_init_valid_mask(struct gpio_chip *gc, + unsigned long *valid_mask, + unsigned int ngpios) +{ + struct msm_pinctrl *pctrl = gpiochip_get_data(gc); + const struct msm_pingroup *g; + int i; + + bitmap_fill(valid_mask, ngpios); + + for (i = 0; i < ngpios; i++) { + g = &pctrl->soc->groups[i]; + + if (g->intr_detection_width != 1 && + g->intr_detection_width != 2) + clear_bit(i, valid_mask); + } +} + static int msm_gpio_irq_set_type(struct irq_data *d, unsigned int type) { struct gpio_chip *gc = irq_data_get_irq_chip_data(d); @@ -1441,6 +1460,7 @@ static int msm_gpio_init(struct msm_pinctrl *pctrl) girq->default_type = IRQ_TYPE_NONE; girq->handler = handle_bad_irq; girq->parents[0] = pctrl->irq; + girq->init_valid_mask = msm_gpio_irq_init_valid_mask; ret = gpiochip_add_data(&pctrl->chip, pctrl); if (ret) { -- 2.48.1

4 days, 5 hours

1
0
0 0

Qualcomm Snapdragon <SM6375>

by Alan Ye

The Qualcomm SM6375 processor is a 7nm process SoC for the mid-range market with the following features: CPU: Eight-core design, including high-performance Kryo 670 core and efficient Kryo 265 core, optimized performance and energy efficiency. GPU: Equipped with Adreno 642L GPU, supporting high-quality graphics and gaming experience. AI Engine: Integrated Qualcomm AI engine to enhance intelligent features such as voice recognition and image processing. Connectivity: Supports modern wireless standards such as 5G, Wi-Fi 6 and Bluetooth 5.2. Multimedia: Supports 4K video encoding and decoding Mainly used in mid-to-high-end smartphones, tablets and some IoT devices, suitable for users who need to balance cost performance and performance. .# Part Number Manufacturer Date Code Quantity Unit Price Lead Time Condition (PCS) USD/Each one 1 SM-6375-1-PSP837-TR-00-0-AB QUALCOMM 2023+ 12000pcs US$18.00/pcs 7days New & original - stock 2 PM-6375-0-FOWNSP144-TR-01-0；TR-01-1 QUALCOMM 2023+ 12000pcs US$1.00/pcs 3 PMR-735A-0-WLNSP48-TR-05-0,TR-05-1 QUALCOMM 2023+ 12000pcs US$0.85/pcs 4 PMK-8003-0-FOWPSP36-TR-01-0 QUALCOMM 2023+ 12000pcs US$0.24/pcs 5 SDR-735-0-PSP219B-TR-01-0；TR-01-1 QUALCOMM 2023+ 12000pcs US$2.50/pcs 6 WCD-9370-0-WLPSP55-TR-01-0;TR-01-4 QUALCOMM 2023+ 12000pcs US$0.50/pcs 7 WCN-3988-0-82BWLPSP-TR-00-0 QUALCOMM 2023+ 12000pcs US$3.50/pcs 8 QET-6105-0-WLNSP24B-TR-00-1 QUALCOMM 2023+ 12000pcs US$1.20/pcs 9 QET4101-0-12WLNSP-TR-00-0 QUALCOMM 2022+ 12000pcs US$0.21/pcs These materials are sold as a set for $28/usd, and are guaranteed to be authentic. If you need other Qualcomm materials, please feel free to contact me Stay in tune with product evolutions—tap . Keep Receiving Notices Feel like taking a break? Select Configure Your Mailing.

4 days, 7 hours

1
0
0 0

[PATCH] wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan

by Mingyen Hsieh

From: Michael Lo <michael.lo(a)mediatek.com> Update the destination index to use 'n_ssids', which is incremented only when a valid SSID is present. Previously, both mt76_connac_mcu_hw_scan() and mt7925_mcu_hw_scan() used the loop index 'i' for the destination array, potentially leaving gaps if any source SSIDs had zero length. Cc: stable(a)vger.kernel.org Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips") Signed-off-by: Michael Lo <michael.lo(a)mediatek.com> Signed-off-by: Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> --- drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 4 ++-- drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c index db85a9d984c5..660c8df89910 100644 --- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c @@ -1740,8 +1740,8 @@ int mt76_connac_mcu_hw_scan(struct mt76_phy *phy, struct ieee80211_vif *vif, if (!sreq->ssids[i].ssid_len) continue; - req->ssids[i].ssid_len = cpu_to_le32(sreq->ssids[i].ssid_len); - memcpy(req->ssids[i].ssid, sreq->ssids[i].ssid, + req->ssids[n_ssids].ssid_len = cpu_to_le32(sreq->ssids[i].ssid_len); + memcpy(req->ssids[n_ssids].ssid, sreq->ssids[i].ssid, sreq->ssids[i].ssid_len); n_ssids++; } diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c index 2bd506a4208c..66bac3047b2b 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c @@ -3178,8 +3178,8 @@ int mt7925_mcu_hw_scan(struct mt76_phy *phy, struct ieee80211_vif *vif, if (i > MT7925_RNR_SCAN_MAX_BSSIDS) break; - ssid->ssids[i].ssid_len = cpu_to_le32(sreq->ssids[i].ssid_len); - memcpy(ssid->ssids[i].ssid, sreq->ssids[i].ssid, + ssid->ssids[n_ssids].ssid_len = cpu_to_le32(sreq->ssids[i].ssid_len); + memcpy(ssid->ssids[n_ssids].ssid, sreq->ssids[i].ssid, sreq->ssids[i].ssid_len); n_ssids++; } -- 2.34.1

4 days, 8 hours

1
0
0 0

[PATCH] wifi: mt76: mt7925: fix the wrong config for tx interrupt

by Mingyen Hsieh

From: Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> MT_INT_TX_DONE_MCU_WM may cause tx interrupt to be mishandled during a reset failure, leading to the reset process failing. By using MT_INT_TX_DONE_MCU instead of MT_INT_TX_DONE_MCU_WM, the handling of tx interrupt is improved. Cc: stable(a)vger.kernel.org Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips") Signed-off-by: Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> --- drivers/net/wireless/mediatek/mt76/mt7925/regs.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/regs.h b/drivers/net/wireless/mediatek/mt76/mt7925/regs.h index 547489092c29..341987e47f67 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/regs.h +++ b/drivers/net/wireless/mediatek/mt76/mt7925/regs.h @@ -58,7 +58,7 @@ #define MT_INT_TX_DONE_MCU (MT_INT_TX_DONE_MCU_WM | \ MT_INT_TX_DONE_FWDL) -#define MT_INT_TX_DONE_ALL (MT_INT_TX_DONE_MCU_WM | \ +#define MT_INT_TX_DONE_ALL (MT_INT_TX_DONE_MCU | \ MT_INT_TX_DONE_BAND0 | \ GENMASK(18, 4)) -- 2.34.1

4 days, 8 hours

1
0
0 0

[merged mm-hotfixes-stable] drivers-rapidio-rio_cmc-prevent-possible-used-uninitialized.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: drivers/rapidio/rio_cm.c: prevent possible heap overwrite has been removed from the -mm tree. Its filename was drivers-rapidio-rio_cmc-prevent-possible-used-uninitialized.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Andrew Morton <akpm(a)linux-foundation.org> Subject: drivers/rapidio/rio_cm.c: prevent possible heap overwrite Date: Sat Jun 7 05:43:18 PM PDT 2025 In riocm_cdev_ioctl(RIO_CM_CHAN_SEND) -> cm_chan_msg_send() -> riocm_ch_send() cm_chan_msg_send() checks that userspace didn't send too much data but riocm_ch_send() failed to check that userspace sent sufficient data. The result is that riocm_ch_send() can write to fields in the rio_ch_chan_hdr which were outside the bounds of the space which cm_chan_msg_send() allocated. Address this by teaching riocm_ch_send() to check that the entire rio_ch_chan_hdr was copied in from userspace. Reported-by: maher azz <maherazz04(a)gmail.com> Cc: Matt Porter <mporter(a)kernel.crashing.org> Cc: Alexandre Bounine <alex.bou9(a)gmail.com> Cc: Linus Torvalds <torvalds(a)linuxfoundation.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/rapidio/rio_cm.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/rapidio/rio_cm.c~drivers-rapidio-rio_cmc-prevent-possible-used-uninitialized +++ a/drivers/rapidio/rio_cm.c @@ -783,6 +783,9 @@ static int riocm_ch_send(u16 ch_id, void if (buf == NULL || ch_id == 0 || len == 0 || len > RIO_MAX_MSG_SIZE) return -EINVAL; + if (len < sizeof(struct rio_ch_chan_hdr)) + return -EINVAL; /* insufficient data from user */ + ch = riocm_get_channel(ch_id); if (!ch) { riocm_error("%s(%d) ch_%d not found", current->comm, _ Patches currently in -mm which might be from akpm(a)linux-foundation.org are mm-add-mmap_prepare-compatibility-layer-for-nested-file-systems-fix.patch

4 days, 8 hours

1
0
0 0

[merged mm-hotfixes-stable] mm-close-theoretical-race-where-stale-tlb-entries-could-linger.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: close theoretical race where stale TLB entries could linger has been removed from the -mm tree. Its filename was mm-close-theoretical-race-where-stale-tlb-entries-could-linger.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Ryan Roberts <ryan.roberts(a)arm.com> Subject: mm: close theoretical race where stale TLB entries could linger Date: Fri, 6 Jun 2025 10:28:07 +0100 Commit 3ea277194daa ("mm, mprotect: flush TLB if potentially racing with a parallel reclaim leaving stale TLB entries") described a theoretical race as such: """ Nadav Amit identified a theoretical race between page reclaim and mprotect due to TLB flushes being batched outside of the PTL being held. He described the race as follows: CPU0 CPU1 ---- ---- user accesses memory using RW PTE [PTE now cached in TLB] try_to_unmap_one() ==> ptep_get_and_clear() ==> set_tlb_ubc_flush_pending() mprotect(addr, PROT_READ) ==> change_pte_range() ==> [ PTE non-present - no flush ] user writes using cached RW PTE ... try_to_unmap_flush() The same type of race exists for reads when protecting for PROT_NONE and also exists for operations that can leave an old TLB entry behind such as munmap, mremap and madvise. """ The solution was to introduce flush_tlb_batched_pending() and call it under the PTL from mprotect/madvise/munmap/mremap to complete any pending tlb flushes. However, while madvise_free_pte_range() and madvise_cold_or_pageout_pte_range() were both retro-fitted to call flush_tlb_batched_pending() immediately after initially acquiring the PTL, they both temporarily release the PTL to split a large folio if they stumble upon one. In this case, where re-acquiring the PTL flush_tlb_batched_pending() must be called again, but it previously was not. Let's fix that. There are 2 Fixes: tags here: the first is the commit that fixed madvise_free_pte_range(). The second is the commit that added madvise_cold_or_pageout_pte_range(), which looks like it copy/pasted the faulty pattern from madvise_free_pte_range(). This is a theoretical bug discovered during code review. Link: https://lkml.kernel.org/r/20250606092809.4194056-1-ryan.roberts@arm.com Fixes: 3ea277194daa ("mm, mprotect: flush TLB if potentially racing with a parallel reclaim leaving stale TLB entries") Fixes: 9c276cc65a58 ("mm: introduce MADV_COLD") Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com> Reviewed-by: Jann Horn <jannh(a)google.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Mel Gorman <mgorman <mgorman(a)suse.de> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/madvise.c | 2 ++ 1 file changed, 2 insertions(+) --- a/mm/madvise.c~mm-close-theoretical-race-where-stale-tlb-entries-could-linger +++ a/mm/madvise.c @@ -508,6 +508,7 @@ restart: pte_offset_map_lock(mm, pmd, addr, &ptl); if (!start_pte) break; + flush_tlb_batched_pending(mm); arch_enter_lazy_mmu_mode(); if (!err) nr = 0; @@ -741,6 +742,7 @@ static int madvise_free_pte_range(pmd_t start_pte = pte; if (!start_pte) break; + flush_tlb_batched_pending(mm); arch_enter_lazy_mmu_mode(); if (!err) nr = 0; _ Patches currently in -mm which might be from ryan.roberts(a)arm.com are mm-readahead-honour-new_order-in-page_cache_ra_order.patch mm-readahead-terminate-async-readahead-on-natural-boundary.patch mm-readahead-make-space-in-struct-file_ra_state.patch mm-readahead-store-folio-order-in-struct-file_ra_state.patch mm-filemap-allow-arch-to-request-folio-size-for-exec-memory.patch mm-remove-arch_flush_tlb_batched_pending-arch-helper.patch

4 days, 8 hours

1
0
0 0

[merged mm-hotfixes-stable] mm-vma-reset-vma-iterator-on-commit_merge-oom-failure.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/vma: reset VMA iterator on commit_merge() OOM failure has been removed from the -mm tree. Its filename was mm-vma-reset-vma-iterator-on-commit_merge-oom-failure.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Subject: mm/vma: reset VMA iterator on commit_merge() OOM failure Date: Fri, 6 Jun 2025 13:50:32 +0100 While an OOM failure in commit_merge() isn't really feasible due to the allocation which might fail (a maple tree pre-allocation) being 'too small to fail', we do need to handle this case correctly regardless. In vma_merge_existing_range(), we can theoretically encounter failures which result in an OOM error in two ways - firstly dup_anon_vma() might fail with an OOM error, and secondly commit_merge() failing, ultimately, to pre-allocate a maple tree node. The abort logic for dup_anon_vma() resets the VMA iterator to the initial range, ensuring that any logic looping on this iterator will correctly proceed to the next VMA. However the commit_merge() abort logic does not do the same thing. This resulted in a syzbot report occurring because mlockall() iterates through VMAs, is tolerant of errors, but ended up with an incorrect previous VMA being specified due to incorrect iterator state. While making this change, it became apparent we are duplicating logic - the logic introduced in commit 41e6ddcaa0f1 ("mm/vma: add give_up_on_oom option on modify/merge, use in uffd release") duplicates the vmg->give_up_on_oom check in both abort branches. Additionally, we observe that we can perform the anon_dup check safely on dup_anon_vma() failure, as this will not be modified should this call fail. Finally, we need to reset the iterator in both cases, so now we can simply use the exact same code to abort for both. We remove the VM_WARN_ON(err != -ENOMEM) as it would be silly for this to be otherwise and it allows us to implement the abort check more neatly. Link: https://lkml.kernel.org/r/20250606125032.164249-1-lorenzo.stoakes@oracle.com Fixes: 47b16d0462a4 ("mm: abort vma_modify() on merge out of memory failure") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reported-by: syzbot+d16409ea9ecc16ed261a(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-mm/6842cc67.a00a0220.29ac89.003b.GAE@google.c… Reviewed-by: Pedro Falcato <pfalcato(a)suse.de> Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Cc: Jann Horn <jannh(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vma.c | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) --- a/mm/vma.c~mm-vma-reset-vma-iterator-on-commit_merge-oom-failure +++ a/mm/vma.c @@ -967,26 +967,9 @@ static __must_check struct vm_area_struc err = dup_anon_vma(next, middle, &anon_dup); } - if (err) + if (err || commit_merge(vmg)) goto abort; - err = commit_merge(vmg); - if (err) { - VM_WARN_ON(err != -ENOMEM); - - if (anon_dup) - unlink_anon_vmas(anon_dup); - - /* - * We've cleaned up any cloned anon_vma's, no VMAs have been - * modified, no harm no foul if the user requests that we not - * report this and just give up, leaving the VMAs unmerged. - */ - if (!vmg->give_up_on_oom) - vmg->state = VMA_MERGE_ERROR_NOMEM; - return NULL; - } - khugepaged_enter_vma(vmg->target, vmg->flags); vmg->state = VMA_MERGE_SUCCESS; return vmg->target; @@ -995,6 +978,9 @@ abort: vma_iter_set(vmg->vmi, start); vma_iter_load(vmg->vmi); + if (anon_dup) + unlink_anon_vmas(anon_dup); + /* * This means we have failed to clone anon_vma's correctly, but no * actual changes to VMAs have occurred, so no harm no foul - if the _ Patches currently in -mm which might be from lorenzo.stoakes(a)oracle.com are mm-add-mmap_prepare-compatibility-layer-for-nested-file-systems.patch mm-add-mmap_prepare-compatibility-layer-for-nested-file-systems-fix-2.patch docs-mm-expand-vma-doc-to-highlight-pte-freeing-non-vma-traversal.patch mm-ksm-have-ksm-vma-checks-not-require-a-vma-pointer.patch mm-ksm-refer-to-special-vmas-via-vm_special-in-ksm_compatible.patch mm-prevent-ksm-from-breaking-vma-merging-for-new-vmas.patch tools-testing-selftests-add-vma-merge-tests-for-ksm-merge.patch mm-pagewalk-split-walk_page_range_novma-into-kernel-user-parts.patch mm-mremap-introduce-more-mergeable-mremap-via-mremap_relocate_anon.patch mm-mremap-add-mremap_must_relocate_anon.patch mm-mremap-add-mremap_relocate_anon-support-for-large-folios.patch tools-uapi-update-copy-of-linux-mmanh-from-the-kernel-sources.patch tools-testing-selftests-add-sys_mremap-helper-to-vm_utilh.patch tools-testing-selftests-add-mremap-cases-that-merge-normally.patch tools-testing-selftests-add-mremap_relocate_anon-merge-test-cases.patch tools-testing-selftests-expand-mremap-tests-for-mremap_relocate_anon.patch tools-testing-selftests-have-cow-self-test-use-mremap_relocate_anon.patch tools-testing-selftests-test-relocate-anon-in-split-huge-page-test.patch tools-testing-selftests-add-mremap_relocate_anon-fork-tests.patch

4 days, 8 hours

1
0
0 0

[PATCH v6] clk: qcom: dispcc-sm8750: Fix setting rate byte and pixel clocks

by Krzysztof Kozlowski

On SM8750 the setting rate of pixel and byte clocks, while the parent DSI PHY PLL, fails with: disp_cc_mdss_byte0_clk_src: rcg didn't update its configuration. DSI PHY PLL has to be unprepared and its "PLL Power Down" bits in CMN_CTRL_0 asserted. Mark these clocks with CLK_OPS_PARENT_ENABLE to ensure the parent is enabled during rate changes. Cc: <stable(a)vger.kernel.org> Fixes: f1080d8dab0f ("clk: qcom: dispcc-sm8750: Add SM8750 Display clock controller") Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- Changes in v6: 1. Add CLK_OPS_PARENT_ENABLE also to pclk1, pclk2 and byte1. 2. Add Fixes tag and cc-stable Previously part of v5 (thus b4 diff might not work nice here): https://lore.kernel.org/r/20250430-b4-sm8750-display-v5-6-8cab30c3e4df@lina… Changes in v5: 1. New patch in above patchset. Cc: Abhinav Kumar <quic_abhinavk(a)quicinc.com> Cc: Dmitry Baryshkov <lumag(a)kernel.org> --- drivers/clk/qcom/dispcc-sm8750.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/clk/qcom/dispcc-sm8750.c b/drivers/clk/qcom/dispcc-sm8750.c index 877b40d50e6f..ca09da111a50 100644 --- a/drivers/clk/qcom/dispcc-sm8750.c +++ b/drivers/clk/qcom/dispcc-sm8750.c @@ -393,7 +393,7 @@ static struct clk_rcg2 disp_cc_mdss_byte0_clk_src = { .name = "disp_cc_mdss_byte0_clk_src", .parent_data = disp_cc_parent_data_1, .num_parents = ARRAY_SIZE(disp_cc_parent_data_1), - .flags = CLK_SET_RATE_PARENT, + .flags = CLK_SET_RATE_PARENT | CLK_OPS_PARENT_ENABLE, .ops = &clk_byte2_ops, }, }; @@ -408,7 +408,7 @@ static struct clk_rcg2 disp_cc_mdss_byte1_clk_src = { .name = "disp_cc_mdss_byte1_clk_src", .parent_data = disp_cc_parent_data_1, .num_parents = ARRAY_SIZE(disp_cc_parent_data_1), - .flags = CLK_SET_RATE_PARENT, + .flags = CLK_SET_RATE_PARENT | CLK_OPS_PARENT_ENABLE, .ops = &clk_byte2_ops, }, }; @@ -712,7 +712,7 @@ static struct clk_rcg2 disp_cc_mdss_pclk0_clk_src = { .name = "disp_cc_mdss_pclk0_clk_src", .parent_data = disp_cc_parent_data_1, .num_parents = ARRAY_SIZE(disp_cc_parent_data_1), - .flags = CLK_SET_RATE_PARENT, + .flags = CLK_SET_RATE_PARENT | CLK_OPS_PARENT_ENABLE, .ops = &clk_pixel_ops, }, }; @@ -727,7 +727,7 @@ static struct clk_rcg2 disp_cc_mdss_pclk1_clk_src = { .name = "disp_cc_mdss_pclk1_clk_src", .parent_data = disp_cc_parent_data_1, .num_parents = ARRAY_SIZE(disp_cc_parent_data_1), - .flags = CLK_SET_RATE_PARENT, + .flags = CLK_SET_RATE_PARENT | CLK_OPS_PARENT_ENABLE, .ops = &clk_pixel_ops, }, }; @@ -742,7 +742,7 @@ static struct clk_rcg2 disp_cc_mdss_pclk2_clk_src = { .name = "disp_cc_mdss_pclk2_clk_src", .parent_data = disp_cc_parent_data_1, .num_parents = ARRAY_SIZE(disp_cc_parent_data_1), - .flags = CLK_SET_RATE_PARENT, + .flags = CLK_SET_RATE_PARENT | CLK_OPS_PARENT_ENABLE, .ops = &clk_pixel_ops, }, }; -- 2.45.2

4 days, 10 hours

4
3
0 0

[PATCH] clk: qcom: gcc-ipq8074: fix broken freq table for nss_port6_tx_clk_src

by Christian Marangi

With the conversion done by commit e88f03230dc0 ("clk: qcom: gcc-ipq8074: rework nss_port5/6 clock to multiple conf") a Copy-Paste error was made for the nss_port6_tx_clk_src frequency table. This was caused by the wrong setting of the parent in ftbl_nss_port6_tx_clk_src that was wrongly set to P_UNIPHY1_RX instead of P_UNIPHY2_TX. This cause the UNIPHY2 port to malfunction when it needs to be scaled to higher clock. The malfunction was observed with the example scenario with an Aquantia 10G PHY connected and a speed higher than 1G (example 2.5G) Fix the broken frequency table to restore original functionality. Cc: stable(a)vger.kernel.org Fixes: e88f03230dc0 ("clk: qcom: gcc-ipq8074: rework nss_port5/6 clock to multiple conf") Signed-off-by: Christian Marangi <ansuelsmth(a)gmail.com> --- drivers/clk/qcom/gcc-ipq8074.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/clk/qcom/gcc-ipq8074.c b/drivers/clk/qcom/gcc-ipq8074.c index 7258ba5c0900..1329ea28d703 100644 --- a/drivers/clk/qcom/gcc-ipq8074.c +++ b/drivers/clk/qcom/gcc-ipq8074.c @@ -1895,10 +1895,10 @@ static const struct freq_conf ftbl_nss_port6_tx_clk_src_125[] = { static const struct freq_multi_tbl ftbl_nss_port6_tx_clk_src[] = { FMS(19200000, P_XO, 1, 0, 0), FM(25000000, ftbl_nss_port6_tx_clk_src_25), - FMS(78125000, P_UNIPHY1_RX, 4, 0, 0), + FMS(78125000, P_UNIPHY2_TX, 4, 0, 0), FM(125000000, ftbl_nss_port6_tx_clk_src_125), - FMS(156250000, P_UNIPHY1_RX, 2, 0, 0), - FMS(312500000, P_UNIPHY1_RX, 1, 0, 0), + FMS(156250000, P_UNIPHY2_TX, 2, 0, 0), + FMS(312500000, P_UNIPHY2_TX, 1, 0, 0), { } }; -- 2.48.1

4 days, 10 hours

3
2
0 0

[PATCH RESEND 5.10.y 0/4] serial: sh-sci: Backport fixes

by Claudiu

From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Hi, Commit 653143ed73ec ("serial: sh-sci: Check if TX data was written to device in .tx_empty()") doesn't apply cleanly on top of v5.10.y stable tree. This series adjust it. Along with it, propose for backporting other sh-sci fixes. Please provide your feedback. Thank you, Claudiu Beznea Claudiu Beznea (4): serial: sh-sci: Check if TX data was written to device in .tx_empty() serial: sh-sci: Move runtime PM enable to sci_probe_single() serial: sh-sci: Clean sci_ports[0] after at earlycon exit serial: sh-sci: Increment the runtime usage counter for the earlycon device drivers/tty/serial/sh-sci.c | 97 ++++++++++++++++++++++++++++++------- 1 file changed, 79 insertions(+), 18 deletions(-) -- 2.43.0

4 days, 12 hours

2
8
0 0

[PATCH 6.1.y 0/4] serial: sh-sci: Backport fixes

by Claudiu

From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Hi, Commit 653143ed73ec ("serial: sh-sci: Check if TX data was written to device in .tx_empty()") doesn't apply cleanly on top of v6.1.y stable tree. This series adjust it. Along with it, propose for backporting other sh-sci fixes. Please provide your feedback. Thank you, Claudiu Beznea Claudiu Beznea (4): serial: sh-sci: Check if TX data was written to device in .tx_empty() serial: sh-sci: Move runtime PM enable to sci_probe_single() serial: sh-sci: Clean sci_ports[0] after at earlycon exit serial: sh-sci: Increment the runtime usage counter for the earlycon device drivers/tty/serial/sh-sci.c | 97 ++++++++++++++++++++++++++++++------- 1 file changed, 79 insertions(+), 18 deletions(-) -- 2.43.0

4 days, 12 hours

2
8
0 0

[PATCH 5.15.y 0/4] serial: sh-sci: Backport fixes

by Claudiu

From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Hi, Commit 653143ed73ec ("serial: sh-sci: Check if TX data was written to device in .tx_empty()") doesn't apply cleanly on top of v5.15.y stable tree. This series adjust it. Along with it, propose for backporting other sh-sci fixes. Please provide your feedback. Thank you, Claudiu Beznea Claudiu Beznea (4): serial: sh-sci: Check if TX data was written to device in .tx_empty() serial: sh-sci: Move runtime PM enable to sci_probe_single() serial: sh-sci: Clean sci_ports[0] after at earlycon exit serial: sh-sci: Increment the runtime usage counter for the earlycon device drivers/tty/serial/sh-sci.c | 97 ++++++++++++++++++++++++++++++------- 1 file changed, 79 insertions(+), 18 deletions(-) -- 2.43.0

4 days, 12 hours

2
8
0 0

[PATCH 5.4.y] NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes

by Larry Bassel

From: Chuck Lever <chuck.lever(a)oracle.com> [ Upstream commit a648fdeb7c0e17177a2280344d015dba3fbe3314 ] iattr::ia_size is a loff_t, so these NFSv3 procedures must be careful to deal with incoming client size values that are larger than s64_max without corrupting the value. Silently capping the value results in storing a different value than the client passed in which is unexpected behavior, so remove the min_t() check in decode_sattr3(). Note that RFC 1813 permits only the WRITE procedure to return NFS3ERR_FBIG. We believe that NFSv3 reference implementations also return NFS3ERR_FBIG when ia_size is too large. Cc: stable(a)vger.kernel.org Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> (cherry picked from commit a648fdeb7c0e17177a2280344d015dba3fbe3314) [Larry: backport to 5.4.y. Minor conflict resolved due to missing commit 9cde9360d18d NFSD: Update the SETATTR3args decoder to use struct xdr_stream] Signed-off-by: Larry Bassel <larry.bassel(a)oracle.com> --- fs/nfsd/nfs3xdr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c index 03e8c45a52f3..25b6b4db0af2 100644 --- a/fs/nfsd/nfs3xdr.c +++ b/fs/nfsd/nfs3xdr.c @@ -122,7 +122,7 @@ decode_sattr3(__be32 *p, struct iattr *iap, struct user_namespace *userns) iap->ia_valid |= ATTR_SIZE; p = xdr_decode_hyper(p, &newsize); - iap->ia_size = min_t(u64, newsize, NFS_OFFSET_MAX); + iap->ia_size = newsize; } if ((tmp = ntohl(*p++)) == 1) { /* set to server time */ iap->ia_valid |= ATTR_ATIME; -- 2.46.0

4 days, 12 hours

2
1
0 0

[PATCH 6.6.y 0/4] serial: sh-sci: Backport fixes

by Claudiu

From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Hi, Commit 653143ed73ec ("serial: sh-sci: Check if TX data was written to device in .tx_empty()") doesn't apply cleanly on top of v6.6.y stable tree. This series adjust it. Along with it, propose for backporting other sh-sci fixes. Please provide your feedback. Thank you, Claudiu Beznea Claudiu Beznea (4): serial: sh-sci: Check if TX data was written to device in .tx_empty() serial: sh-sci: Move runtime PM enable to sci_probe_single() serial: sh-sci: Clean sci_ports[0] after at earlycon exit serial: sh-sci: Increment the runtime usage counter for the earlycon device drivers/tty/serial/sh-sci.c | 97 ++++++++++++++++++++++++++++++------- 1 file changed, 79 insertions(+), 18 deletions(-) -- 2.43.0

4 days, 12 hours

2
8
0 0

[PATCH 5.4.y] NFSD: Fix ia_size underflow

by Larry Bassel

From: Chuck Lever <chuck.lever(a)oracle.com> [ Upstream commit e6faac3f58c7c4176b66f63def17a34232a17b0e ] iattr::ia_size is a loff_t, which is a signed 64-bit type. NFSv3 and NFSv4 both define file size as an unsigned 64-bit type. Thus there is a range of valid file size values an NFS client can send that is already larger than Linux can handle. Currently decode_fattr4() dumps a full u64 value into ia_size. If that value happens to be larger than S64_MAX, then ia_size underflows. I'm about to fix up the NFSv3 behavior as well, so let's catch the underflow in the common code path: nfsd_setattr(). Cc: stable(a)vger.kernel.org Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> (cherry picked from commit e6faac3f58c7c4176b66f63def17a34232a17b0e) [Larry: backport to 5.4.y. Minor conflict resolved due to missing commit 2f221d6f7b88 attr: handle idmapped mounts] Signed-off-by: Larry Bassel <larry.bassel(a)oracle.com> --- fs/nfsd/vfs.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c index 6aa968bee0ce..bee4fdf6e239 100644 --- a/fs/nfsd/vfs.c +++ b/fs/nfsd/vfs.c @@ -448,6 +448,10 @@ nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap, .ia_size = iap->ia_size, }; + host_err = -EFBIG; + if (iap->ia_size < 0) + goto out_unlock; + host_err = notify_change(dentry, &size_attr, NULL); if (host_err) goto out_unlock; -- 2.46.0

4 days, 12 hours

2
1
0 0

[PATCH v3 4/5] scsi: fnic: Turn off FDMI ACTIVE flags on link down

by Karan Tilak Kumar

When the link goes down and comes up, FDMI requests are not sent out anymore. Fix bug by turning off FNIC_FDMI_ACTIVE when the link goes down. Fixes: 09c1e6ab4ab2 ("scsi: fnic: Add and integrate support for FDMI") Reviewed-by: Sesidhar Baddela <sebaddel(a)cisco.com> Reviewed-by: Arulprabhu Ponnusamy <arulponn(a)cisco.com> Reviewed-by: Gian Carlo Boffa <gcboffa(a)cisco.com> Reviewed-by: Arun Easi <aeasi(a)cisco.com> Tested-by: Karan Tilak Kumar <kartilak(a)cisco.com> Cc: <stable(a)vger.kernel.org> # 6.14.x Please see patch description Signed-off-by: Karan Tilak Kumar <kartilak(a)cisco.com> --- drivers/scsi/fnic/fdls_disc.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/fnic/fdls_disc.c b/drivers/scsi/fnic/fdls_disc.c index 9e9939d41fa8..14691db4d5f9 100644 --- a/drivers/scsi/fnic/fdls_disc.c +++ b/drivers/scsi/fnic/fdls_disc.c @@ -5078,9 +5078,12 @@ void fnic_fdls_link_down(struct fnic_iport_s *iport) fdls_delete_tport(iport, tport); } - if ((fnic_fdmi_support == 1) && (iport->fabric.fdmi_pending > 0)) { - timer_delete_sync(&iport->fabric.fdmi_timer); - iport->fabric.fdmi_pending = 0; + if (fnic_fdmi_support == 1) { + if (iport->fabric.fdmi_pending > 0) { + timer_delete_sync(&iport->fabric.fdmi_timer); + iport->fabric.fdmi_pending = 0; + } + iport->flags &= ~FNIC_FDMI_ACTIVE; } FNIC_FCS_DBG(KERN_INFO, fnic->host, fnic->fnic_num, -- 2.47.1

4 days, 13 hours

1
0
0 0

[PATCH net v3 1/2] net: clear the dst when changing skb protocol

by Jakub Kicinski

A not-so-careful NAT46 BPF program can crash the kernel if it indiscriminately flips ingress packets from v4 to v6: BUG: kernel NULL pointer dereference, address: 0000000000000000 ip6_rcv_core (net/ipv6/ip6_input.c:190:20) ipv6_rcv (net/ipv6/ip6_input.c:306:8) process_backlog (net/core/dev.c:6186:4) napi_poll (net/core/dev.c:6906:9) net_rx_action (net/core/dev.c:7028:13) do_softirq (kernel/softirq.c:462:3) netif_rx (net/core/dev.c:5326:3) dev_loopback_xmit (net/core/dev.c:4015:2) ip_mc_finish_output (net/ipv4/ip_output.c:363:8) NF_HOOK (./include/linux/netfilter.h:314:9) ip_mc_output (net/ipv4/ip_output.c:400:5) dst_output (./include/net/dst.h:459:9) ip_local_out (net/ipv4/ip_output.c:130:9) ip_send_skb (net/ipv4/ip_output.c:1496:8) udp_send_skb (net/ipv4/udp.c:1040:8) udp_sendmsg (net/ipv4/udp.c:1328:10) The output interface has a 4->6 program attached at ingress. We try to loop the multicast skb back to the sending socket. Ingress BPF runs as part of netif_rx(), pushes a valid v6 hdr and changes skb->protocol to v6. We enter ip6_rcv_core which tries to use skb_dst(). But the dst is still an IPv4 one left after IPv4 mcast output. Clear the dst in all BPF helpers which change the protocol. Try to preserve metadata dsts, those may carry non-routing metadata. Cc: stable(a)vger.kernel.org Reviewed-by: Maciej Żenczykowski <maze(a)google.com> Acked-by: Daniel Borkmann <daniel(a)iogearbox.net> Fixes: d219df60a70e ("bpf: Add ipip6 and ip6ip decap support for bpf_skb_adjust_room()") Fixes: 1b00e0dfe7d0 ("bpf: update skb->protocol in bpf_skb_net_grow") Fixes: 6578171a7ff0 ("bpf: add bpf_skb_change_proto helper") Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> --- v3: - go back to v1, the encap / decap which don't change proto will be added in -next - split out the test v2: https://lore.kernel.org/20250607204734.1588964-1-kuba@kernel.org - drop on encap/decap - fix typo (protcol) - add the test to the Makefile v1: https://lore.kernel.org/20250604210604.257036-1-kuba@kernel.org I wonder if we should not skip ingress (tc_skip_classify?) for looped back packets in the first place. But that doesn't seem robust enough vs multiple redirections to solve the crash. Ignoring LOOPBACK packets (like the NAT46 prog should) doesn't work either, since BPF can change pkt_type arbitrarily. CC: martin.lau(a)linux.dev CC: daniel(a)iogearbox.net CC: john.fastabend(a)gmail.com CC: eddyz87(a)gmail.com CC: sdf(a)fomichev.me CC: haoluo(a)google.com CC: willemb(a)google.com CC: william.xuanziyang(a)huawei.com CC: alan.maguire(a)oracle.com CC: bpf(a)vger.kernel.org CC: edumazet(a)google.com CC: maze(a)google.com CC: shuah(a)kernel.org CC: linux-kselftest(a)vger.kernel.org CC: yonghong.song(a)linux.dev --- net/core/filter.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/net/core/filter.c b/net/core/filter.c index 327ca73f9cd7..7a72f766aacf 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -3233,6 +3233,13 @@ static const struct bpf_func_proto bpf_skb_vlan_pop_proto = { .arg1_type = ARG_PTR_TO_CTX, }; +static void bpf_skb_change_protocol(struct sk_buff *skb, u16 proto) +{ + skb->protocol = htons(proto); + if (skb_valid_dst(skb)) + skb_dst_drop(skb); +} + static int bpf_skb_generic_push(struct sk_buff *skb, u32 off, u32 len) { /* Caller already did skb_cow() with len as headroom, @@ -3329,7 +3336,7 @@ static int bpf_skb_proto_4_to_6(struct sk_buff *skb) } } - skb->protocol = htons(ETH_P_IPV6); + bpf_skb_change_protocol(skb, ETH_P_IPV6); skb_clear_hash(skb); return 0; @@ -3359,7 +3366,7 @@ static int bpf_skb_proto_6_to_4(struct sk_buff *skb) } } - skb->protocol = htons(ETH_P_IP); + bpf_skb_change_protocol(skb, ETH_P_IP); skb_clear_hash(skb); return 0; @@ -3550,10 +3557,10 @@ static int bpf_skb_net_grow(struct sk_buff *skb, u32 off, u32 len_diff, /* Match skb->protocol to new outer l3 protocol */ if (skb->protocol == htons(ETH_P_IP) && flags & BPF_F_ADJ_ROOM_ENCAP_L3_IPV6) - skb->protocol = htons(ETH_P_IPV6); + bpf_skb_change_protocol(skb, ETH_P_IPV6); else if (skb->protocol == htons(ETH_P_IPV6) && flags & BPF_F_ADJ_ROOM_ENCAP_L3_IPV4) - skb->protocol = htons(ETH_P_IP); + bpf_skb_change_protocol(skb, ETH_P_IP); } if (skb_is_gso(skb)) { @@ -3606,10 +3613,10 @@ static int bpf_skb_net_shrink(struct sk_buff *skb, u32 off, u32 len_diff, /* Match skb->protocol to new outer l3 protocol */ if (skb->protocol == htons(ETH_P_IP) && flags & BPF_F_ADJ_ROOM_DECAP_L3_IPV6) - skb->protocol = htons(ETH_P_IPV6); + bpf_skb_change_protocol(skb, ETH_P_IPV6); else if (skb->protocol == htons(ETH_P_IPV6) && flags & BPF_F_ADJ_ROOM_DECAP_L3_IPV4) - skb->protocol = htons(ETH_P_IP); + bpf_skb_change_protocol(skb, ETH_P_IP); if (skb_is_gso(skb)) { struct skb_shared_info *shinfo = skb_shinfo(skb); -- 2.49.0

4 days, 13 hours

3
2
0 0

[PATCH v2 1/5] scsi: fnic: Set appropriate logging level for log message

by Karan Tilak Kumar

Replace KERN_INFO with KERN_DEBUG for a log message. Reviewed-by: Sesidhar Baddela <sebaddel(a)cisco.com> Reviewed-by: Arulprabhu Ponnusamy <arulponn(a)cisco.com> Reviewed-by: Gian Carlo Boffa <gcboffa(a)cisco.com> Reviewed-by: Arun Easi <aeasi(a)cisco.com> Signed-off-by: Karan Tilak Kumar <kartilak(a)cisco.com> --- drivers/scsi/fnic/fnic_scsi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/fnic/fnic_scsi.c b/drivers/scsi/fnic/fnic_scsi.c index 7133b254cbe4..75b29a018d1f 100644 --- a/drivers/scsi/fnic/fnic_scsi.c +++ b/drivers/scsi/fnic/fnic_scsi.c @@ -1046,7 +1046,7 @@ static void fnic_fcpio_icmnd_cmpl_handler(struct fnic *fnic, unsigned int cq_ind if (icmnd_cmpl->scsi_status == SAM_STAT_TASK_SET_FULL) atomic64_inc(&fnic_stats->misc_stats.queue_fulls); - FNIC_SCSI_DBG(KERN_INFO, fnic->host, fnic->fnic_num, + FNIC_SCSI_DBG(KERN_DEBUG, fnic->host, fnic->fnic_num, "xfer_len: %llu", xfer_len); break; -- 2.47.1

4 days, 14 hours

2
5
0 0

[PATCH v4] mm: userfaultfd: fix race of userfaultfd_move and swap cache

by Kairui Song

From: Kairui Song <kasong(a)tencent.com> On seeing a swap entry PTE, userfaultfd_move does a lockless swap cache lookup, and tries to move the found folio to the faulting vma. Currently, it relies on checking the PTE value to ensure that the moved folio still belongs to the src swap entry and that no new folio has been added to the swap cache, which turns out to be unreliable. While working and reviewing the swap table series with Barry, following existing races are observed and reproduced [1]: In the example below, move_pages_pte is moving src_pte to dst_pte, where src_pte is a swap entry PTE holding swap entry S1, and S1 is not in the swap cache: CPU1 CPU2 userfaultfd_move move_pages_pte() entry = pte_to_swp_entry(orig_src_pte); // Here it got entry = S1 ... < interrupted> ... <swapin src_pte, alloc and use folio A> // folio A is a new allocated folio // and get installed into src_pte <frees swap entry S1> // src_pte now points to folio A, S1 // has swap count == 0, it can be freed // by folio_swap_swap or swap // allocator's reclaim. <try to swap out another folio B> // folio B is a folio in another VMA. <put folio B to swap cache using S1 > // S1 is freed, folio B can use it // for swap out with no problem. ... folio = filemap_get_folio(S1) // Got folio B here !!! ... < interrupted again> ... <swapin folio B and free S1> // Now S1 is free to be used again. <swapout src_pte & folio A using S1> // Now src_pte is a swap entry PTE // holding S1 again. folio_trylock(folio) move_swap_pte double_pt_lock is_pte_pages_stable // Check passed because src_pte == S1 folio_move_anon_rmap(...) // Moved invalid folio B here !!! The race window is very short and requires multiple collisions of multiple rare events, so it's very unlikely to happen, but with a deliberately constructed reproducer and increased time window, it can be reproduced easily. This can be fixed by checking if the folio returned by filemap is the valid swap cache folio after acquiring the folio lock. Another similar race is possible: filemap_get_folio may return NULL, but folio (A) could be swapped in and then swapped out again using the same swap entry after the lookup. In such a case, folio (A) may remain in the swap cache, so it must be moved too: CPU1 CPU2 userfaultfd_move move_pages_pte() entry = pte_to_swp_entry(orig_src_pte); // Here it got entry = S1, and S1 is not in swap cache folio = filemap_get_folio(S1) // Got NULL ... < interrupted again> ... <swapin folio A and free S1> <swapout folio A re-using S1> move_swap_pte double_pt_lock is_pte_pages_stable // Check passed because src_pte == S1 folio_move_anon_rmap(...) // folio A is ignored !!! Fix this by checking the swap cache again after acquiring the src_pte lock. And to avoid the filemap overhead, we check swap_map directly [2]. The SWP_SYNCHRONOUS_IO path does make the problem more complex, but so far we don't need to worry about that, since folios can only be exposed to the swap cache in the swap out path, and this is covered in this patch by checking the swap cache again after acquiring the src_pte lock. Testing with a simple C program that allocates and moves several GB of memory did not show any observable performance change. Cc: <stable(a)vger.kernel.org> Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI") Closes: https://lore.kernel.org/linux-mm/CAMgjq7B1K=6OOrK2OUZ0-tqCzi+EJt+2_K97TPGoS… [1] Link: https://lore.kernel.org/all/CAGsJ_4yJhJBo16XhiC-nUzSheyX-V3-nFE+tAi=8Y560K8… [2] Signed-off-by: Kairui Song <kasong(a)tencent.com> Reviewed-by: Lokesh Gidra <lokeshgidra(a)google.com> --- V1: https://lore.kernel.org/linux-mm/20250530201710.81365-1-ryncsn@gmail.com/ Changes: - Check swap_map instead of doing a filemap lookup after acquiring the PTE lock to minimize critical section overhead [ Barry Song, Lokesh Gidra ] V2: https://lore.kernel.org/linux-mm/20250601200108.23186-1-ryncsn@gmail.com/ Changes: - Move the folio and swap check inside move_swap_pte to avoid skipping the check and potential overhead [ Lokesh Gidra ] - Add a READ_ONCE for the swap_map read to ensure it reads a up to dated value. V3: https://lore.kernel.org/all/20250602181419.20478-1-ryncsn@gmail.com/ Changes: - Add more comments and more context in commit message. mm/userfaultfd.c | 33 +++++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c index bc473ad21202..8253978ee0fb 100644 --- a/mm/userfaultfd.c +++ b/mm/userfaultfd.c @@ -1084,8 +1084,18 @@ static int move_swap_pte(struct mm_struct *mm, struct vm_area_struct *dst_vma, pte_t orig_dst_pte, pte_t orig_src_pte, pmd_t *dst_pmd, pmd_t dst_pmdval, spinlock_t *dst_ptl, spinlock_t *src_ptl, - struct folio *src_folio) + struct folio *src_folio, + struct swap_info_struct *si, swp_entry_t entry) { + /* + * Check if the folio still belongs to the target swap entry after + * acquiring the lock. Folio can be freed in the swap cache while + * not locked. + */ + if (src_folio && unlikely(!folio_test_swapcache(src_folio) || + entry.val != src_folio->swap.val)) + return -EAGAIN; + double_pt_lock(dst_ptl, src_ptl); if (!is_pte_pages_stable(dst_pte, src_pte, orig_dst_pte, orig_src_pte, @@ -1102,6 +1112,25 @@ static int move_swap_pte(struct mm_struct *mm, struct vm_area_struct *dst_vma, if (src_folio) { folio_move_anon_rmap(src_folio, dst_vma); src_folio->index = linear_page_index(dst_vma, dst_addr); + } else { + /* + * Check if the swap entry is cached after acquiring the src_pte + * lock. Otherwise, we might miss a newly loaded swap cache folio. + * + * Check swap_map directly to minimize overhead, READ_ONCE is sufficient. + * We are trying to catch newly added swap cache, the only possible case is + * when a folio is swapped in and out again staying in swap cache, using the + * same entry before the PTE check above. The PTL is acquired and released + * twice, each time after updating the swap_map's flag. So holding + * the PTL here ensures we see the updated value. False positive is possible, + * e.g. SWP_SYNCHRONOUS_IO swapin may set the flag without touching the + * cache, or during the tiny synchronization window between swap cache and + * swap_map, but it will be gone very quickly, worst result is retry jitters. + */ + if (READ_ONCE(si->swap_map[swp_offset(entry)]) & SWAP_HAS_CACHE) { + double_pt_unlock(dst_ptl, src_ptl); + return -EAGAIN; + } } orig_src_pte = ptep_get_and_clear(mm, src_addr, src_pte); @@ -1412,7 +1441,7 @@ static int move_pages_pte(struct mm_struct *mm, pmd_t *dst_pmd, pmd_t *src_pmd, } err = move_swap_pte(mm, dst_vma, dst_addr, src_addr, dst_pte, src_pte, orig_dst_pte, orig_src_pte, dst_pmd, dst_pmdval, - dst_ptl, src_ptl, src_folio); + dst_ptl, src_ptl, src_folio, si, entry); } out: -- 2.49.0

4 days, 14 hours

6
6
0 0

+ mm-huge_memory-dont-ignore-queried-cachemode-in-vmf_insert_pfn_pud.patch added to mm-new branch

by Andrew Morton

The patch titled Subject: mm/huge_memory: don't ignore queried cachemode in vmf_insert_pfn_pud() has been added to the -mm mm-new branch. Its filename is mm-huge_memory-dont-ignore-queried-cachemode-in-vmf_insert_pfn_pud.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-new branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Note, mm-new is a provisional staging ground for work-in-progress patches, and acceptance into mm-new is a notification for others take notice and to finish up reviews. Please do not hesitate to respond to review feedback and post updated versions to replace or incrementally fixup patches in mm-new. Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: David Hildenbrand <david(a)redhat.com> Subject: mm/huge_memory: don't ignore queried cachemode in vmf_insert_pfn_pud() Date: Wed, 11 Jun 2025 14:06:52 +0200 Patch series "mm/huge_memory: vmf_insert_folio_*() and vmf_insert_pfn_pud() fixes", v2. While working on improving vm_normal_page() and friends, I stumbled over this issues: refcounted "normal" pages must not be marked using pmd_special() / pud_special(). Fortunately, so far there doesn't seem to be serious damage. This patch (of 3): We setup the cache mode but ... don't forward the updated pgprot to insert_pfn_pud(). Only a problem on x86-64 PAT when mapping PFNs using PUDs that require a special cachemode. Fix it by using the proper pgprot where the cachemode was setup. Identified by code inspection. Link: https://lkml.kernel.org/r/20250611120654.545963-1-david@redhat.com Link: https://lkml.kernel.org/r/20250611120654.545963-2-david@redhat.com Fixes: 7b806d229ef1 ("mm: remove vmf_insert_pfn_xxx_prot() for huge page-table entries") Signed-off-by: David Hildenbrand <david(a)redhat.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Dan Williams <dan.j.williams(a)intel.com> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Mariano Pache <npache(a)redhat.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Zi Yan <ziy(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/huge_memory.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) --- a/mm/huge_memory.c~mm-huge_memory-dont-ignore-queried-cachemode-in-vmf_insert_pfn_pud +++ a/mm/huge_memory.c @@ -1516,10 +1516,9 @@ static pud_t maybe_pud_mkwrite(pud_t pud } static void insert_pfn_pud(struct vm_area_struct *vma, unsigned long addr, - pud_t *pud, pfn_t pfn, bool write) + pud_t *pud, pfn_t pfn, pgprot_t prot, bool write) { struct mm_struct *mm = vma->vm_mm; - pgprot_t prot = vma->vm_page_prot; pud_t entry; if (!pud_none(*pud)) { @@ -1581,7 +1580,7 @@ vm_fault_t vmf_insert_pfn_pud(struct vm_ pfnmap_setup_cachemode_pfn(pfn_t_to_pfn(pfn), &pgprot); ptl = pud_lock(vma->vm_mm, vmf->pud); - insert_pfn_pud(vma, addr, vmf->pud, pfn, write); + insert_pfn_pud(vma, addr, vmf->pud, pfn, pgprot, write); spin_unlock(ptl); return VM_FAULT_NOPAGE; @@ -1625,7 +1624,7 @@ vm_fault_t vmf_insert_folio_pud(struct v add_mm_counter(mm, mm_counter_file(folio), HPAGE_PUD_NR); } insert_pfn_pud(vma, addr, vmf->pud, pfn_to_pfn_t(folio_pfn(folio)), - write); + vma->vm_page_prot, write); spin_unlock(ptl); return VM_FAULT_NOPAGE; _ Patches currently in -mm which might be from david(a)redhat.com are mm-gup-revert-mm-gup-fix-infinite-loop-within-__get_longterm_locked.patch mm-gup-remove-vm_bug_ons.patch mm-gup-remove-vm_bug_ons-fix.patch mm-huge_memory-dont-ignore-queried-cachemode-in-vmf_insert_pfn_pud.patch mm-huge_memory-dont-mark-refcounted-folios-special-in-vmf_insert_folio_pmd.patch mm-huge_memory-dont-mark-refcounted-folios-special-in-vmf_insert_folio_pud.patch

4 days, 15 hours

1
0
0 0

[PATCH wireless v2] Revert "wifi: mwifiex: Fix HT40 bandwidth issue."

by Francesco Dolcini

From: Francesco Dolcini <francesco.dolcini(a)toradex.com> This reverts commit 4fcfcbe457349267fe048524078e8970807c1a5b. That commit introduces a regression, when HT40 mode is enabled, received packets are lost, this was experience with W8997 with both SDIO-UART and SDIO-SDIO variants. From an initial investigation the issue solves on its own after some time, but it's not clear what is the reason. Given that this was just a performance optimization, let's revert it till we have a better understanding of the issue and a proper fix. Cc: Jeff Chen <jeff.chen_1(a)nxp.com> Cc: stable(a)vger.kernel.org Fixes: 4fcfcbe45734 ("wifi: mwifiex: Fix HT40 bandwidth issue.") Closes: https://lore.kernel.org/all/20250603203337.GA109929@francesco-nb/ Signed-off-by: Francesco Dolcini <francesco.dolcini(a)toradex.com> --- v2: fix reverted commit sha v1: https://lore.kernel.org/all/20250605100313.34014-1-francesco@dolcini.it/ --- drivers/net/wireless/marvell/mwifiex/11n.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/marvell/mwifiex/11n.c b/drivers/net/wireless/marvell/mwifiex/11n.c index 738bafc3749b..66f0f5377ac1 100644 --- a/drivers/net/wireless/marvell/mwifiex/11n.c +++ b/drivers/net/wireless/marvell/mwifiex/11n.c @@ -403,14 +403,12 @@ mwifiex_cmd_append_11n_tlv(struct mwifiex_private *priv, if (sband->ht_cap.cap & IEEE80211_HT_CAP_SUP_WIDTH_20_40 && bss_desc->bcn_ht_oper->ht_param & - IEEE80211_HT_PARAM_CHAN_WIDTH_ANY) { - chan_list->chan_scan_param[0].radio_type |= - CHAN_BW_40MHZ << 2; + IEEE80211_HT_PARAM_CHAN_WIDTH_ANY) SET_SECONDARYCHAN(chan_list->chan_scan_param[0]. radio_type, (bss_desc->bcn_ht_oper->ht_param & IEEE80211_HT_PARAM_CHA_SEC_OFFSET)); - } + *buffer += struct_size(chan_list, chan_scan_param, 1); ret_len += struct_size(chan_list, chan_scan_param, 1); } -- 2.39.5

4 days, 15 hours

2
1
0 0

+ mm-gup-revert-mm-gup-fix-infinite-loop-within-__get_longterm_locked.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/gup: revert "mm: gup: fix infinite loop within __get_longterm_locked" has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-gup-revert-mm-gup-fix-infinite-loop-within-__get_longterm_locked.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: David Hildenbrand <david(a)redhat.com> Subject: mm/gup: revert "mm: gup: fix infinite loop within __get_longterm_locked" Date: Wed, 11 Jun 2025 15:13:14 +0200 After commit 1aaf8c122918 ("mm: gup: fix infinite loop within __get_longterm_locked") we are able to longterm pin folios that are not supposed to get longterm pinned, simply because they temporarily have the LRU flag cleared (esp. temporarily isolated). For example, two __get_longterm_locked() callers can race, or __get_longterm_locked() can race with anything else that temporarily isolates folios. The introducing commit mentions the use case of a driver that uses vm_ops->fault to insert pages allocated through cma_alloc() into the page tables, assuming they can later get longterm pinned. These pages/ folios would never have the LRU flag set and consequently cannot get isolated. There is no known in-tree user making use of that so far, fortunately. To handle that in the future -- and avoid retrying forever to isolate/migrate them -- we will need a different mechanism for the CMA area *owner* to indicate that it actually already allocated the page and is fine with longterm pinning it. The LRU flag is not suitable for that. Probably we can lookup the relevant CMA area and query the bitmap; we only have have to care about some races, probably. If already allocated, we could just allow longterm pinning) Anyhow, let's fix the "must not be longterm pinned" problem first by reverting the original commit. Link: https://lkml.kernel.org/r/20250611131314.594529-1-david@redhat.com Fixes: 1aaf8c122918 ("mm: gup: fix infinite loop within __get_longterm_locked") Signed-off-by: David Hildenbrand <david(a)redhat.com> Closes: https://lore.kernel.org/all/20250522092755.GA3277597@tiffany/ Reported-by: Hyesoo Yu <hyesoo.yu(a)samsung.com> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Peter Xu <peterx(a)redhat.com> Cc: Zhaoyang Huang <zhaoyang.huang(a)unisoc.com> Cc: Aijun Sun <aijun.sun(a)unisoc.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/gup.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) --- a/mm/gup.c~mm-gup-revert-mm-gup-fix-infinite-loop-within-__get_longterm_locked +++ a/mm/gup.c @@ -2303,13 +2303,13 @@ static void pofs_unpin(struct pages_or_f /* * Returns the number of collected folios. Return value is always >= 0. */ -static void collect_longterm_unpinnable_folios( +static unsigned long collect_longterm_unpinnable_folios( struct list_head *movable_folio_list, struct pages_or_folios *pofs) { + unsigned long i, collected = 0; struct folio *prev_folio = NULL; bool drain_allow = true; - unsigned long i; for (i = 0; i < pofs->nr_entries; i++) { struct folio *folio = pofs_get_folio(pofs, i); @@ -2321,6 +2321,8 @@ static void collect_longterm_unpinnable_ if (folio_is_longterm_pinnable(folio)) continue; + collected++; + if (folio_is_device_coherent(folio)) continue; @@ -2342,6 +2344,8 @@ static void collect_longterm_unpinnable_ NR_ISOLATED_ANON + folio_is_file_lru(folio), folio_nr_pages(folio)); } + + return collected; } /* @@ -2418,9 +2422,11 @@ static long check_and_migrate_movable_pages_or_folios(struct pages_or_folios *pofs) { LIST_HEAD(movable_folio_list); + unsigned long collected; - collect_longterm_unpinnable_folios(&movable_folio_list, pofs); - if (list_empty(&movable_folio_list)) + collected = collect_longterm_unpinnable_folios(&movable_folio_list, + pofs); + if (!collected) return 0; return migrate_longterm_unpinnable_folios(&movable_folio_list, pofs); _ Patches currently in -mm which might be from david(a)redhat.com are mm-gup-revert-mm-gup-fix-infinite-loop-within-__get_longterm_locked.patch mm-gup-remove-vm_bug_ons.patch mm-gup-remove-vm_bug_ons-fix.patch

4 days, 15 hours

1
0
0 0

[REGRESSION] Linux 6.15.1 xen/dom0 domain_crash_sync called from entry.S

by Chuck Zmudzinski

Hi, I am seeing the following regression between Linux 6.14.8 and 6.15.1. Kernel version 6.14.8 boots fine but version 6.15.1 crashes and reboots on Xen. I don't know if 6.14.9 or 6.14.10 is affected, or if 6.15 or the 6.15 release candidates are affected because I did not test them. Also, Linux 6.15.1 boots fine on bare metal without Xen. Hardware: Intel i5-14500 Raptor Lake CPU, and ASRock B760M PG motherboard and 32 GB RAM. Xen version: 4.19.2 (mockbuild(a)dynavirt.com) (gcc (GCC) 13.3.1 20240611 (Red Hat 13.3.1-2)) debug=n Sun Apr 13 15:24:29 PDT 2025 Xen Command line: placeholder dom0_mem=2G,max:2G conring_size=32k com1=9600,8n1,0x40c0,16,1:0.0 console=com1 Linux version 6.15.1-1.el9.elrepo.x86_64 (mockbuild@5b7a5dab3b71429898b4f8474fab8fa0) (gcc (GCC) 11.5.0 20240719 (Red Hat 11.5.0-5), GNU ld version 2.35.2-63.el9) #1 SMP PREEMPT_DYNAMIC Wed Jun 4 16:42:58 EDT 2025 Linux Kernel Command line: placeholder root=/dev/mapper/systems-rootalma ro crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=UUID=2ddc2e3b-8f7b-498b-a4e8-bb4d33a1e5a7 console=hvc0 The Linux 6.15.1 dom0 kernel causes Xen to crash and reboot, here are the last messages on the serial console (includes messages from both dom0 and Xen) before crash: [ 0.301573] Speculative Store Bypass: Mitigation: Speculative Store Bypass disabled via prctl [ 0.301577] Register File Data Sampling: Vulnerable: No microcode [ 0.301581] ITS: Mitigation: Aligned branch/return thunks [ 0.301594] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers' [ 0.301598] x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers' [ 0.301602] x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers' [ 0.301605] x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256 [ 0.301609] x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'compacted' format. (XEN) Pagetable walk from ffffc9003ffffff8: (XEN) L4[0x192] = 0000000855bee067 0000000000060e56 (XEN) L3[0x000] = 0000000855bed067 0000000000060e55 (XEN) L2[0x1ff] = 0000000855bf0067 0000000000060e58 (XEN) L1[0x1ff] = 8010000855bf2025 0000000000060e5a (XEN) domain_crash_sync called from entry.S: fault at ffff82d04036e5b0 x86_64/entry.S#domain_crash_page_fault_6x8+0/0x4 (XEN) Domain 0 (vcpu#0) crashed on cpu#11: (XEN) ----[ Xen-4.19.2 x86_64 debug=n Not tainted ]---- (XEN) CPU: 11 (XEN) RIP: e033:[<ffffffff810014fe>] (XEN) RFLAGS: 0000000000010206 EM: 1 CONTEXT: pv guest (d0v0) (XEN) rax: ffffffff81fb12d0 rbx: 000000000000029a rcx: 000000000000000c (XEN) rdx: 000000000000029a rsi: ffffffff81000b99 rdi: ffffc900400000f0 (XEN) rbp: 000000000000014d rsp: ffffc90040000000 r8: 0000000000000f9c (XEN) r9: 0000000000000000 r10: 0000000000000000 r11: 0000000000000000 (XEN) r12: 000000000000000c r13: ffffffff82771530 r14: ffffffff827724cc (XEN) r15: ffffc900400000f0 cr0: 0000000080050033 cr4: 0000000000b526e0 (XEN) cr3: 000000086ae24000 cr2: ffffc9003ffffff8 (XEN) fsb: 0000000000000000 gsb: ffff88819ac55000 gss: 0000000000000000 (XEN) ds: 0000 es: 0000 fs: 0000 gs: 0000 ss: e02b cs: e033 (XEN) Guest stack trace from rsp=ffffc90040000000: (XEN) Stack empty. (XEN) Hardware Dom0 crashed: rebooting machine in 5 seconds. (XEN) Resetting with ACPI MEMORY or I/O RESET_REG. I searched mailing lists but could not find a report similar to what I am seeing here. I don't know what to try except to git bisect, but I have not done that yet. Chuck Zmudzinski

4 days, 16 hours

2
2
0 0

[PATCH 0/5] Fixes for ITS mitigation and execmem

by Mike Rapoport

From: "Mike Rapoport (Microsoft)" <rppt(a)kernel.org> Hi, Jürgen Groß reported some bugs in interaction of ITS mitigation with execmem [1] when running on a Xen PV guest. These patches fix the issue by moving all the permissions management of ITS memory allocated from execmem into ITS code. I didn't test on a real Xen PV guest, but I emulated !PSE variant by force-disabling the ROX cache in x86::execmem_arch_setup(). Peter, I took liberty to put your SoB in the patch that actually implements the execmem permissions management in ITS, please let me know if I need to update something about the authorship. The patches are against v6.15. They are also available in git: https://web.git.kernel.org/pub/scm/linux/kernel/git/rppt/linux.git/log/?h=i… [1] https://lore.kernel.org/all/20250528123557.12847-2-jgross@suse.com/ Juergen Gross (1): x86/mm/pat: don't collapse pages without PSE set Mike Rapoport (Microsoft) (3): x86/Kconfig: only enable ROX cache in execmem when STRICT_MODULE_RWX is set x86/its: move its_pages array to struct mod_arch_specific Revert "mm/execmem: Unify early execmem_cache behaviour" Peter Zijlstra (Intel) (1): x86/its: explicitly manage permissions for ITS pages arch/x86/Kconfig | 2 +- arch/x86/include/asm/module.h | 8 ++++ arch/x86/kernel/alternative.c | 89 ++++++++++++++++++++++++++--------- arch/x86/mm/init_32.c | 3 -- arch/x86/mm/init_64.c | 3 -- arch/x86/mm/pat/set_memory.c | 3 ++ include/linux/execmem.h | 8 +--- include/linux/module.h | 5 -- mm/execmem.c | 40 ++-------------- 9 files changed, 82 insertions(+), 79 deletions(-) base-commit: 0ff41df1cb268fc69e703a08a57ee14ae967d0ca -- 2.47.2

4 days, 17 hours

8
16
0 0

[PATCH] s390/pkey: prevent overflow in size calculation for memdup_user()

by Fedor Pchelkin

Number of apqn target list entries contained in 'nr_apqns' variable is determined by userspace via an ioctl call so the result of the product in calculation of size passed to memdup_user() may overflow. In this case the actual size of the allocated area and the value describing it won't be in sync leading to various types of unpredictable behaviour later. Return an error if an overflow is detected. Note that it is different from when nr_apqns is zero - that case is considered valid and should be handled in subsequent pkey_handler implementations. Found by Linux Verification Center (linuxtesting.org). Fixes: f2bbc96e7cfa ("s390/pkey: add CCA AES cipher key support") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- drivers/s390/crypto/pkey_api.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c index cef60770f68b..a731fc9c62a7 100644 --- a/drivers/s390/crypto/pkey_api.c +++ b/drivers/s390/crypto/pkey_api.c @@ -83,10 +83,15 @@ static void *_copy_key_from_user(void __user *ukey, size_t keylen) static void *_copy_apqns_from_user(void __user *uapqns, size_t nr_apqns) { + size_t size; + if (!uapqns || nr_apqns == 0) return NULL; - return memdup_user(uapqns, nr_apqns * sizeof(struct pkey_apqn)); + if (check_mul_overflow(nr_apqns, sizeof(struct pkey_apqn), &size)) + return ERR_PTR(-EINVAL); + + return memdup_user(uapqns, size); } static int pkey_ioctl_genseck(struct pkey_genseck __user *ugs) -- 2.49.0

4 days, 19 hours

2
1
0 0

[PATCH 05/10] drm/amd/display: Check dce_hwseq before dereferencing it

by Aurabindo Pillai

From: Alex Hung <alex.hung(a)amd.com> [WHAT] hws was checked for null earlier in dce110_blank_stream, indicating hws can be null, and should be checked whenever it is used. Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> Signed-off-by: Aurabindo Pillai <aurabindo.pillai(a)amd.com> --- drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c index c717cc1eca6d..542468224789 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c +++ b/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c @@ -1227,7 +1227,7 @@ void dce110_blank_stream(struct pipe_ctx *pipe_ctx) return; if (link->local_sink && link->local_sink->sink_signal == SIGNAL_TYPE_EDP) { - if (!link->skip_implict_edp_power_control) + if (!link->skip_implict_edp_power_control && hws) hws->funcs.edp_backlight_control(link, false); link->dc->hwss.set_abm_immediate_disable(pipe_ctx); } -- 2.49.0

4 days, 19 hours

1
0
0 0

Re: [PATCH 5.10.y 2/3] rtc: Make rtc_time64_to_tm() support dates before 1970

by Alexandre Belloni

Hello Cassio, On 10/06/2025 21:31:48+0100, Cassio Neri wrote: > Hi all, > > Although untested, I'm pretty sure that with very small changes, the > previous revision (1d1bb12) can handle dates prior to 1970-01-01 with no > need to add extra branches or arithmetic operations. Indeed, 1d1bb12 > contains: > > <code> > /* time must be positive */ > days = div_s64_rem(time, 86400, &secs); > > /* day of the week, 1970-01-01 was a Thursday */ > tm->tm_wday = (days + 4) % 7; > > /* long comments */ > > udays = ((u32) days) + 719468; > </code> > > This could have been changed to: > > <code> > /* time must be >= -719468 * 86400 which corresponds to 0000-03-01 */ > udays = div_u64_rem(time + 719468 * 86400, 86400, &secs); > > /* day of the week, 0000-03-01 was a Wednesday (in the proleptic Gregorian > calendar) */ > tm->tm_wday = (days + 3) % 7; > > /* long comments */ > </code> > > Indeed, the addition of 719468 * 86400 to `time` makes `days` to be 719468 > more than it should be. Therefore, in the calculation of `udays`, the > addition of 719468 becomes unnecessary and thus, `udays == days`. Moreover, > this means that `days` can be removed altogether and replaced by `udays`. > (Not the other way around because in the remaining code `udays` must be > u32.) > > Now, 719468 % 7 = 1 and thus tm->wday is 1 day after what it should be and > we correct that by adding 3 instead of 4. > > Therefore, I suggest these changes on top of 1d1bb12 instead of those made > in 7df4cfe. Since you're working on this, can I please kindly suggest two > other changes? > > 1) Change the reference provided in the long comment. It should say, "The > following algorithm is, basically, Figure 12 of Neri and Schneider [1]" and > [1] should refer to the published article: > > Neri C, Schneider L. Euclidean affine functions and their application to > calendar algorithms. Softw Pract Exper. 2023;53(4):937-970. doi: > 10.1002/spe.3172 > https://doi.org/10.1002/spe.3172 > > The article is much better written and clearer than the pre-print currently > referred to. > Thanks for your input, I wanted to look again at your paper and make those optimizations which is why I took so long to review the original patch. Unfortunately, I didn't have the time before the merge window. I would also gladly take patches for this if you are up for the task. > 2) Function rtc_time64_to_tm_test_date_range in drivers/rtc/lib_test.c, is > a kunit test that checks the result for everyday in a 160000 years range > starting at 1970-01-01. It'd be nice if this test is adapted to the new > code and starts at 1900-01-01 (technically, it could start at 0000-03-01 > but since tm->year counts from 1900, it would be weird to see tm->year == > -1900 to mean that the calendar year is 0.) Also 160000 is definitely an > overkill (my bad!) and a couple of thousands of years, say 3000, should be > more than safe for anyone. :-) This is also something on my radar as some have been complaining about the time it takes to run those tests. > > Many thanks, > Cassio. > > > > On Tue, 10 Jun 2025 at 08:35, Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> > wrote: > > > From: Alexandre Mergnat <amergnat(a)baylibre.com> > > > > commit 7df4cfef8b351fec3156160bedfc7d6d29de4cce upstream. > > > > Conversion of dates before 1970 is still relevant today because these > > dates are reused on some hardwares to store dates bigger than the > > maximal date that is representable in the device's native format. > > This prominently and very soon affects the hardware covered by the > > rtc-mt6397 driver that can only natively store dates in the interval > > 1900-01-01 up to 2027-12-31. So to store the date 2028-01-01 00:00:00 > > to such a device, rtc_time64_to_tm() must do the right thing for > > time=-2208988800. > > > > Signed-off-by: Alexandre Mergnat <amergnat(a)baylibre.com> > > Reviewed-by: Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> > > Link: > > https://lore.kernel.org/r/20250428-enable-rtc-v4-1-2b2f7e3f9349@baylibre.com > > Signed-off-by: Alexandre Belloni <alexandre.belloni(a)bootlin.com> > > Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> > > --- > > drivers/rtc/lib.c | 24 +++++++++++++++++++----- > > 1 file changed, 19 insertions(+), 5 deletions(-) > > > > diff --git a/drivers/rtc/lib.c b/drivers/rtc/lib.c > > index fe361652727a..13b5b1f20465 100644 > > --- a/drivers/rtc/lib.c > > +++ b/drivers/rtc/lib.c > > @@ -46,24 +46,38 @@ EXPORT_SYMBOL(rtc_year_days); > > * rtc_time64_to_tm - converts time64_t to rtc_time. > > * > > * @time: The number of seconds since 01-01-1970 00:00:00. > > - * (Must be positive.) > > + * Works for values since at least 1900 > > * @tm: Pointer to the struct rtc_time. > > */ > > void rtc_time64_to_tm(time64_t time, struct rtc_time *tm) > > { > > - unsigned int secs; > > - int days; > > + int days, secs; > > > > u64 u64tmp; > > u32 u32tmp, udays, century, day_of_century, year_of_century, year, > > day_of_year, month, day; > > bool is_Jan_or_Feb, is_leap_year; > > > > - /* time must be positive */ > > + /* > > + * Get days and seconds while preserving the sign to > > + * handle negative time values (dates before 1970-01-01) > > + */ > > days = div_s64_rem(time, 86400, &secs); > > > > + /* > > + * We need 0 <= secs < 86400 which isn't given for negative > > + * values of time. Fixup accordingly. > > + */ > > + if (secs < 0) { > > + days -= 1; > > + secs += 86400; > > + } > > + > > /* day of the week, 1970-01-01 was a Thursday */ > > tm->tm_wday = (days + 4) % 7; > > + /* Ensure tm_wday is always positive */ > > + if (tm->tm_wday < 0) > > + tm->tm_wday += 7; > > > > /* > > * The following algorithm is, basically, Proposition 6.3 of Neri > > @@ -93,7 +107,7 @@ void rtc_time64_to_tm(time64_t time, struct rtc_time > > *tm) > > * thus, is slightly different from [1]. > > */ > > > > - udays = ((u32) days) + 719468; > > + udays = days + 719468; > > > > u32tmp = 4 * udays + 3; > > century = u32tmp / 146097; > > -- > > 2.49.0 > > > >

4 days, 19 hours

2
1
0 0

Re: Bug#1104745: gcc-15 ICE compiling linux kernel 6.14.5 with CONFIG_RANDSTRUCT

by Uwe Kleine-König

Control: tag -1 + fixed-upstream Control: forwarded -1 https://lore.kernel.org/r/20250530221824.work.623-kees@kernel.org Hello, On Mon, May 05, 2025 at 05:40:57PM +0200, Ingo Saitz wrote: > When compiling the linux kernel (tested on 6.15-rc5 and 6.14.5 from > kernel.org) with CONFIG_RANDSTRUCT enabled, gcc-15 throws an ICE: > > arch/x86/kernel/cpu/proc.c:174:14: internal compiler error: in comptypes_check_enum_int, at c/c-typeck.cc:1516 > 174 | const struct seq_operations cpuinfo_op = { > | ^~~~~~~~~~~~~~ This is claimed to be fixed in upstream by commit https://git.kernel.org/linus/f39f18f3c3531aa802b58a20d39d96e82eb96c14 that is scheduled to be included in 6.16-rc1. This wasn't explicitly marked for stable, but I think a backport would be good. Best regards Uwe

4 days, 21 hours

3
3
0 0

[PATCH] Revert "block: don't reorder requests in blk_add_rq_to_plug"

by Hazem Mohamed Abuelfotoh

This reverts commit e70c301faece15b618e54b613b1fd6ece3dd05b4. Commit <e70c301faece> ("block: don't reorder requests in blk_add_rq_to_plug") reversed how requests are stored in the blk_plug list, this had significant impact on bio merging with requests exist on the plug list. This impact has been reported in [1] and could easily be reproducible using 4k randwrite fio benchmark on an NVME based SSD without having any filesystem on the disk. My benchmark is: fio --time_based --name=benchmark --size=50G --rw=randwrite \ --runtime=60 --filename="/dev/nvme1n1" --ioengine=psync \ --randrepeat=0 --iodepth=1 --fsync=64 --invalidate=1 \ --verify=0 --verify_fatal=0 --blocksize=4k --numjobs=4 \ --group_reporting On 1.9TiB SSD(180K Max IOPS) attached to i3.16xlarge AWS EC2 instance. Kernel | fio (B.W MiB/sec) | I/O size (iostat) --------------+---------------------+-------------------- 6.15.1 | 362 | 2KiB 6.15.1+revert | 660 (+82%) | 4KiB --------------+---------------------+-------------------- I have run iostat while the fio benchmark was running and was able to see that the I/O size seen on the disk is shown as 2KB without this revert while it's 4KB with the revert. In the bad case the write bandwidth is capped at around 362MiB/sec which almost 2KiB * 180K IOPS so we are hitting the SSD Disk IOPS limit which is 180K. After the revert the I/O size has been doubled to 4KiB hence the bandwidth has been almost doubled as we no longer hit the Disk IOPS limit. I have done some tracing using bpftrace & bcc and was able to conclude that the reason behind the I/O size discrepancy with the revert is that this fio benchmark is subimitting each 4k I/O as 2 contiguous 2KB bios. In the good case each 2 bios are merged in a 4KB request that's then been submitted to the disk while in the bad case 2K bios are submitted to the disk without merging because blk_attempt_plug_merge() failed to merge them as seen below. **Without the revert** [12:12:28] r::blk_attempt_plug_merge():int:$retval COUNT EVENT 5618 $retval = 1 176578 $retval = 0 **With the revert** [12:11:43] r::blk_attempt_plug_merge():int:$retval COUNT EVENT 146684 $retval = 0 146686 $retval = 1 In blk_attempt_plug_merge() we are iterating ithrought the plug list from head to tail looking for a request with which we can merge the most recently submitted bio. With commit <e70c301faece> ("block: don't reorder requests in blk_add_rq_to_plug") the most recent request will be at the tail so blk_attempt_plug_merge() will fail because it tries to merge bio with the plug list head. In blk_attempt_plug_merge() we don't iterate across the whole plug list because as we exit the loop once we fail merging in blk_attempt_bio_merge(). In commit <bc490f81731> ("block: change plugging to use a singly linked list") the plug list has been changed to single linked list so there's no way to iterate the list from tail to head which is the only way to mitigate the impact on bio merging if we want to keep commit <e70c301faece> ("block: don't reorder requests in blk_add_rq_to_plug"). Given that moving plug list to a single linked list was mainly for performance reason then let's revert commit <e70c301faece> ("block: don't reorder requests in blk_add_rq_to_plug") for now to mitigate the reported performance regression. [1] https://lore.kernel.org/lkml/202412122112.ca47bcec-lkp@intel.com/ Cc: stable(a)vger.kernel.org # 6.12 Reported-by: kernel test robot <oliver.sang(a)intel.com> Reported-by: Hagar Hemdan <hagarhem(a)amazon.com> Reported-and-bisected-by: Shaoying Xu <shaoyi(a)amazon.com> Signed-off-by: Hazem Mohamed Abuelfotoh <abuehaze(a)amazon.com> --- block/blk-mq.c | 4 ++-- drivers/block/virtio_blk.c | 2 +- drivers/nvme/host/pci.c | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/block/blk-mq.c b/block/blk-mq.c index c2697db59109..28965cac19fb 100644 --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -1394,7 +1394,7 @@ static void blk_add_rq_to_plug(struct blk_plug *plug, struct request *rq) */ if (!plug->has_elevator && (rq->rq_flags & RQF_SCHED_TAGS)) plug->has_elevator = true; - rq_list_add_tail(&plug->mq_list, rq); + rq_list_add_head(&plug->mq_list, rq); plug->rq_count++; } @@ -2846,7 +2846,7 @@ static void blk_mq_dispatch_plug_list(struct blk_plug *plug, bool from_sched) rq_list_add_tail(&requeue_list, rq); continue; } - list_add_tail(&rq->queuelist, &list); + list_add(&rq->queuelist, &list); depth++; } while (!rq_list_empty(&plug->mq_list)); diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c index 7cffea01d868..7992a171f905 100644 --- a/drivers/block/virtio_blk.c +++ b/drivers/block/virtio_blk.c @@ -513,7 +513,7 @@ static void virtio_queue_rqs(struct rq_list *rqlist) vq = this_vq; if (virtblk_prep_rq_batch(req)) - rq_list_add_tail(&submit_list, req); + rq_list_add_head(&submit_list, req); /* reverse order */ else rq_list_add_tail(&requeue_list, req); } diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c index f1dd804151b1..5f7da42f9dac 100644 --- a/drivers/nvme/host/pci.c +++ b/drivers/nvme/host/pci.c @@ -1026,7 +1026,7 @@ static void nvme_queue_rqs(struct rq_list *rqlist) nvmeq = req->mq_hctx->driver_data; if (nvme_prep_rq_batch(nvmeq, req)) - rq_list_add_tail(&submit_list, req); + rq_list_add_head(&submit_list, req); /* reverse order */ else rq_list_add_tail(&requeue_list, req); } -- 2.47.1

4 days, 23 hours

5
6
0 0

[PATCH] pinctrl: qcom: msm: mark certain pins as invalid for interrupts

by Bartosz Golaszewski

From: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> When requesting pins whose intr_detection_width setting is not 1 or 2 for interrupts (for example by running `gpiomon -c 0 113` on RB2), we'll hit a BUG() in msm_gpio_irq_set_type(). Potentially crashing the kernel due to an invalid request from user-space is not optimal, so let's go through the pins and mark those that would fail the check as invalid for the irq chip as we should not even register them as available irqs. This function can be extended if we determine that there are more corner-cases like this. Fixes: f365be092572 ("pinctrl: Add Qualcomm TLMM driver") Cc: stable(a)vger.kernel.org Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> --- drivers/pinctrl/qcom/pinctrl-msm.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/drivers/pinctrl/qcom/pinctrl-msm.c b/drivers/pinctrl/qcom/pinctrl-msm.c index f012ea88aa22c..77e0c2f023455 100644 --- a/drivers/pinctrl/qcom/pinctrl-msm.c +++ b/drivers/pinctrl/qcom/pinctrl-msm.c @@ -1038,6 +1038,24 @@ static bool msm_gpio_needs_dual_edge_parent_workaround(struct irq_data *d, test_bit(d->hwirq, pctrl->skip_wake_irqs); } +static void msm_gpio_irq_init_valid_mask(struct gpio_chip *gc, + unsigned long *valid_mask, + unsigned int ngpios) +{ + struct msm_pinctrl *pctrl = gpiochip_get_data(gc); + const struct msm_pingroup *g; + int i; + + bitmap_fill(valid_mask, ngpios); + + for (i = 0; i < ngpios; i++) { + g = &pctrl->soc->groups[i]; + if (g->intr_detection_width != 1 && + g->intr_detection_width != 2) + clear_bit(i, valid_mask); + } +} + static int msm_gpio_irq_set_type(struct irq_data *d, unsigned int type) { struct gpio_chip *gc = irq_data_get_irq_chip_data(d); @@ -1441,6 +1459,7 @@ static int msm_gpio_init(struct msm_pinctrl *pctrl) girq->default_type = IRQ_TYPE_NONE; girq->handler = handle_bad_irq; girq->parents[0] = pctrl->irq; + girq->init_valid_mask = msm_gpio_irq_init_valid_mask; ret = gpiochip_add_data(&pctrl->chip, pctrl); if (ret) { -- 2.48.1

4 days, 23 hours

2
2
0 0

[PATCH v3 0/3] m68k: Bug fix and cleanup for framebuffer debug console

by Finn Thain

This series has a bug fix for the early bootconsole as well as some related efficiency improvements and cleanup. The relevant code is subject to CONSOLE_DEBUG, which is presently only used with CONFIG_MAC. To test this series (in qemu-system-m68k, for example) it's helpful to enable CONFIG_EARLY_PRINTK and CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER and boot with kernel parameters 'console=ttyS0 earlyprintk keep_bootcon'. --- Changed since v1: - Solved problem with line wrap while scrolling. - Added two additional patches. Changed since v2: - Adopted addq and subq as suggested by Andreas. Finn Thain (3): m68k: Fix lost column on framebuffer debug console m68k: Avoid pointless recursion in debug console rendering m68k: Remove unused "cursor home" code from debug console arch/m68k/kernel/head.S | 73 +++++++++++++++++++++-------------------- 1 file changed, 37 insertions(+), 36 deletions(-) -- 2.45.3

4 days, 23 hours

2
2
0 0

[PATCH 5.4.y] xprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create

by Larry Bassel

From: Dan Aloni <dan.aloni(a)vastdata.com> [ Upstream commit a9c10b5b3b67b3750a10c8b089b2e05f5e176e33 ] If there are failures then we must not leave the non-NULL pointers with the error value, otherwise `rpcrdma_ep_destroy` gets confused and tries free them, resulting in an Oops. Signed-off-by: Dan Aloni <dan.aloni(a)vastdata.com> Acked-by: Chuck Lever <chuck.lever(a)oracle.com> Signed-off-by: Anna Schumaker <Anna.Schumaker(a)Netapp.com> (cherry picked from commit a9c10b5b3b67b3750a10c8b089b2e05f5e176e33) [Larry: backport to 5.4.y. Minor conflict resolved due to missing commit 93aa8e0a9de80 xprtrdma: Merge struct rpcrdma_ia into struct rpcrdma_ep] Signed-off-by: Larry Bassel <larry.bassel(a)oracle.com> --- net/sunrpc/xprtrdma/verbs.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c index cfae1a871578..4fd3f632a2af 100644 --- a/net/sunrpc/xprtrdma/verbs.c +++ b/net/sunrpc/xprtrdma/verbs.c @@ -525,6 +525,7 @@ int rpcrdma_ep_create(struct rpcrdma_xprt *r_xprt) IB_POLL_WORKQUEUE); if (IS_ERR(sendcq)) { rc = PTR_ERR(sendcq); + sendcq = NULL; goto out1; } @@ -533,6 +534,7 @@ int rpcrdma_ep_create(struct rpcrdma_xprt *r_xprt) IB_POLL_WORKQUEUE); if (IS_ERR(recvcq)) { rc = PTR_ERR(recvcq); + recvcq = NULL; goto out2; } -- 2.46.0

5 days

2
1
0 0

[PATCH 0/1] disable __counted_by for clang < 19.1.3

by Jan Hendrik Farr

Hi Kees, Bill's PR to disable __counted_by for "whole struct" __bdos cases has now been merged into 19.1.3 [1], so here's the patch to disable __counted_by for clang versions < 19.1.3 in the kernel. Hopefully in the near future __counted_by for whole struct __bdos can be enabled once again in coordination between the kernel, gcc, and clang. There has been recent progress on this in [2] thanks to Tavian. Also see previous discussion on the mailing list [3] Thanks to everyone for moving this issue along. In particular, Bill for his PR to clang/llvm, Kees and Thorsten for reproducers of the two issues, Nathan for Kconfig-ifying this patch, and Miguel for reviewing. Info for the stable team: This patch should be backported to kernels >= 6.6 to make sure that those build correctly with the effected clang versions. This patch cherry-picks cleanly onto linux-6.11.y. For linux-6.6.y three prerequiste commits are neded: 16c31dd7fdf6: Compiler Attributes: counted_by: bump min gcc version 2993eb7a8d34: Compiler Attributes: counted_by: fixup clang URL 231dc3f0c936: lkdtm/bugs: Improve warning message for compilers without counted_by support There are still two merge conflicts even with those prerequistes. Here's the correct resolution: 1. include/linux/compiler_types.h: use the incoming change until before (but not including) the "Apply __counted_by() when the Endianness matches to increase test coverage." comment 2. lib/overflow_kunit.c: HEAD is correct [1] https://github.com/llvm/llvm-project/pull/112786 [2] https://github.com/llvm/llvm-project/pull/112636 [3] https://lore.kernel.org/lkml/3E304FB2-799D-478F-889A-CDFC1A52DCD8@toblux.co… Best Regards Jan Jan Hendrik Farr (1): Compiler Attributes: disable __counted_by for clang < 19.1.3 drivers/misc/lkdtm/bugs.c | 2 +- include/linux/compiler_attributes.h | 13 ------------- include/linux/compiler_types.h | 19 +++++++++++++++++++ init/Kconfig | 9 +++++++++ lib/overflow_kunit.c | 2 +- 5 files changed, 30 insertions(+), 15 deletions(-) -- 2.47.0

5 days

6
7
0 0

[PATCH v4 01/10] platform/x86/intel/pmt: fix a crashlog NULL pointer access

by Michael J. Ruhl

Usage of the intel_pmt_read() for binary sysfs, requires a pcidev. The current use of the endpoint value is only valid for telemetry endpoint usage. Without the ep, the crashlog usage causes the following NULL pointer exception: BUG: kernel NULL pointer dereference, address: 0000000000000000 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:intel_pmt_read+0x3b/0x70 [pmt_class] Code: Call Trace: <TASK> ? sysfs_kf_bin_read+0xc0/0xe0 kernfs_fop_read_iter+0xac/0x1a0 vfs_read+0x26d/0x350 ksys_read+0x6b/0xe0 __x64_sys_read+0x1d/0x30 x64_sys_call+0x1bc8/0x1d70 do_syscall_64+0x6d/0x110 Augment the inte_pmt_entry to include the pcidev to allow for access to the pcidev and avoid the NULL pointer exception. Fixes: 416eeb2e1fc7 ("platform/x86/intel/pmt: telemetry: Export API to read telemetry") Cc: <stable(a)vger.kernel.org> Signed-off-by: Michael J. Ruhl <michael.j.ruhl(a)intel.com> --- drivers/platform/x86/intel/pmt/class.c | 3 ++- drivers/platform/x86/intel/pmt/class.h | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/platform/x86/intel/pmt/class.c b/drivers/platform/x86/intel/pmt/class.c index 7233b654bbad..d046e8752173 100644 --- a/drivers/platform/x86/intel/pmt/class.c +++ b/drivers/platform/x86/intel/pmt/class.c @@ -97,7 +97,7 @@ intel_pmt_read(struct file *filp, struct kobject *kobj, if (count > entry->size - off) count = entry->size - off; - count = pmt_telem_read_mmio(entry->ep->pcidev, entry->cb, entry->header.guid, buf, + count = pmt_telem_read_mmio(entry->pcidev, entry->cb, entry->header.guid, buf, entry->base, off, count); return count; @@ -252,6 +252,7 @@ static int intel_pmt_populate_entry(struct intel_pmt_entry *entry, return -EINVAL; } + entry->pcidev = pci_dev; entry->guid = header->guid; entry->size = header->size; entry->cb = ivdev->priv_data; diff --git a/drivers/platform/x86/intel/pmt/class.h b/drivers/platform/x86/intel/pmt/class.h index b2006d57779d..f6ce80c4e051 100644 --- a/drivers/platform/x86/intel/pmt/class.h +++ b/drivers/platform/x86/intel/pmt/class.h @@ -39,6 +39,7 @@ struct intel_pmt_header { struct intel_pmt_entry { struct telem_endpoint *ep; + struct pci_dev *pcidev; struct intel_pmt_header header; struct bin_attribute pmt_bin_attr; struct kobject *kobj; -- 2.49.0

5 days

4
4
0 0

[PATCH stable linux-5.10.y v1 0/8] Fix bpf mem read/write vulnerability.

by Puranjay Mohan

Hi Greg, Please cherry-pick this patch series into 5.10.y stable. It includes a feature that fixes CVE-2022-0500 which allows a user with cap_bpf privileges to get root privileges. The patch that fixes the bug is patch 6/8: bpf: Make per_cpu_ptr return rdonly PTR_TO_MEM The rest are the depedences required by the fix patch. This patchset has been merged in mainline v5.17 and backported to v5.16[1] and v5.15[2] Tested by compile, build and run through the bpf selftest test_progs. Before: ./test_progs -t ksyms_btf/write_check test_ksyms_btf:PASS:btf_exists 0 nsec test_write_check:FAIL:skel_open unexpected load of a prog writing to ksym memory #44/3 write_check:FAIL #44 ksyms_btf:FAIL Summary: 0/0 PASSED, 0 SKIPPED, 2 FAILED After: ./test_progs -t ksyms_btf/write_check #44/3 write_check:OK #44 ksyms_btf:OK Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED [1] https://lore.kernel.org/all/Yg6cixLJFoxDmp+I@kroah.com/ [2] https://lore.kernel.org/all/Ymupcl2JshcWjmMD@kroah.com/ Hao Luo (8): bpf: Introduce composable reg, ret and arg types. bpf: Replace ARG_XXX_OR_NULL with ARG_XXX | PTR_MAYBE_NULL bpf: Replace RET_XXX_OR_NULL with RET_XXX | PTR_MAYBE_NULL bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL bpf: Introduce MEM_RDONLY flag bpf: Make per_cpu_ptr return rdonly PTR_TO_MEM. bpf: Add MEM_RDONLY for helper args that are pointers to rdonly mem. bpf/selftests: Test PTR_TO_RDONLY_MEM include/linux/bpf.h | 98 +++- include/linux/bpf_verifier.h | 18 + kernel/bpf/btf.c | 8 +- kernel/bpf/cgroup.c | 2 +- kernel/bpf/helpers.c | 10 +- kernel/bpf/map_iter.c | 4 +- kernel/bpf/ringbuf.c | 2 +- kernel/bpf/verifier.c | 477 +++++++++--------- kernel/trace/bpf_trace.c | 22 +- net/core/bpf_sk_storage.c | 2 +- net/core/filter.c | 62 +-- net/core/sock_map.c | 2 +- .../selftests/bpf/prog_tests/ksyms_btf.c | 14 + .../bpf/progs/test_ksyms_btf_write_check.c | 29 ++ 14 files changed, 441 insertions(+), 309 deletions(-) create mode 100644 tools/testing/selftests/bpf/progs/test_ksyms_btf_write_check.c -- 2.47.1

5 days, 1 hour

2
12
0 0

[PATCH 5.10.y 0/3] rtc: backport support for handling dates before 1970

by Uwe Kleine-König

Hello, this is a followup to https://lore.kernel.org/stable/cover.1749223334.git.u.kleine-koenig@baylibr… that handled backporting the two patches by Alexandre to the active stable kernels between 6.15 and 5.15. Here comes a backport to 5.10.y, git am handles application to 5.4.y just fine. Compared to the backport for later kernels I included a major rework of rtc_time64_to_tm() by Cassio Neri. (FTR: I checked, that commit by Cassio Neri isn't the reason we need to fix rtc_time64_to_tm(), the actual problem is older.) Now that I completed the backport and did some final checks on it I noticed that the problem fixed here is (TTBOMK) a theoretic one because only drivers with .start_secs < 0 are known to have issues and in 5.10 and before there is no such driver. I'm uncertain if this should result in not backporting the changes. I would tend to pick them anyhow, but I won't argue on a veto. Best regards Uwe Alexandre Mergnat (2): rtc: Make rtc_time64_to_tm() support dates before 1970 rtc: Fix offset calculation for .start_secs < 0 Cassio Neri (1): rtc: Improve performance of rtc_time64_to_tm(). Add tests. drivers/rtc/Kconfig | 10 ++++ drivers/rtc/Makefile | 1 + drivers/rtc/class.c | 2 +- drivers/rtc/lib.c | 121 ++++++++++++++++++++++++++++++++--------- drivers/rtc/lib_test.c | 79 +++++++++++++++++++++++++++ 5 files changed, 185 insertions(+), 28 deletions(-) create mode 100644 drivers/rtc/lib_test.c base-commit: 01e7e36b8606e5d4fddf795938010f7bfa3aa277 -- 2.49.0

5 days, 1 hour

3
7
0 0

[PATCH 6.6.y] net: make for_each_netdev_dump() a little more bug-proof

by Jeremy Kerr

From: Jakub Kicinski <kuba(a)kernel.org> commit f22b4b55edb507a2b30981e133b66b642be4d13f upstream. I find the behavior of xa_for_each_start() slightly counter-intuitive. It doesn't end the iteration by making the index point after the last element. IOW calling xa_for_each_start() again after it "finished" will run the body of the loop for the last valid element, instead of doing nothing. This works fine for netlink dumps if they terminate correctly (i.e. coalesce or carefully handle NLM_DONE), but as we keep getting reminded legacy dumps are unlikely to go away. Fixing this generically at the xa_for_each_start() level seems hard - there is no index reserved for "end of iteration". ifindexes are 31b wide, tho, and iterator is ulong so for for_each_netdev_dump() it's safe to go to the next element. Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Reviewed-by: Przemek Kitszel <przemyslaw.kitszel(a)intel.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Jeremy Kerr <jk(a)codeconstruct.com.au> --- The mctp RTM_GETADDR rework backport of acab78ae12c7 ("net: mctp: Don't access ifa_index when missing") pulled 2d45eeb7d5d7 ("mctp: no longer rely on net->dev_index_head[]") as a dependency. However, that change relies on this backport for correct behaviour of for_each_netdev_dump(). Jakub mentions[1] that nothing should be relying on the old behaviour of for_each_netdev_dump(), hence the backport. [1]: https://lore.kernel.org/netdev/20250609083749.741c27f5@kernel.org/ This backport is only applicable to 6.6.y; the change hit upstream in 6.10. --- include/linux/netdevice.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index 0b0a172337dbac5716e5e5556befd95b4c201f5b..030d9de2ba2d23aa80b4b02182883f022f553964 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -3036,7 +3036,8 @@ extern rwlock_t dev_base_lock; /* Device list lock */ #define net_device_entry(lh) list_entry(lh, struct net_device, dev_list) #define for_each_netdev_dump(net, d, ifindex) \ - xa_for_each_start(&(net)->dev_by_index, (ifindex), (d), (ifindex)) + for (; (d = xa_find(&(net)->dev_by_index, &ifindex, \ + ULONG_MAX, XA_PRESENT)); ifindex++) static inline struct net_device *next_net_device(struct net_device *dev) { --- base-commit: c2603c511feb427b2b09f74b57816a81272932a1 change-id: 20250610-nl-dump-618700905d4f Best regards, -- Jeremy Kerr <jk(a)codeconstruct.com.au>

5 days, 1 hour

2
1
0 0

[PATCH v2] dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status()

by Qiu-ji Chen

Fixed a flag reuse bug in the mtk_cqdma_tx_status() function. Fixes: 157ae5ffd76a ("dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status()") Cc: stable(a)vger.kernel.org Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202505270641.MStzJUfU-lkp@intel.com/ Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> --- V2: Change the inner vc lock from spin_lock_irqsave() to spin_lock() Thanks Eugen Hristev for helpful suggestion. --- drivers/dma/mediatek/mtk-cqdma.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/dma/mediatek/mtk-cqdma.c b/drivers/dma/mediatek/mtk-cqdma.c index 47c8adfdc155..9f0c41ca7770 100644 --- a/drivers/dma/mediatek/mtk-cqdma.c +++ b/drivers/dma/mediatek/mtk-cqdma.c @@ -449,9 +449,9 @@ static enum dma_status mtk_cqdma_tx_status(struct dma_chan *c, return ret; spin_lock_irqsave(&cvc->pc->lock, flags); - spin_lock_irqsave(&cvc->vc.lock, flags); + spin_lock(&cvc->vc.lock); vd = mtk_cqdma_find_active_desc(c, cookie); - spin_unlock_irqrestore(&cvc->vc.lock, flags); + spin_unlock(&cvc->vc.lock); spin_unlock_irqrestore(&cvc->pc->lock, flags); if (vd) { -- 2.34.1

5 days, 1 hour

3
2
0 0

[PATCH stable 6.6 6.12 1/1] selftests/bpf: Check for timeout in perf_link test

by Shung-Hsi Yu

From: Ihor Solodrai <ihor.solodrai(a)pm.me> Recently perf_link test started unreliably failing on libbpf CI: * https://github.com/libbpf/libbpf/actions/runs/11260672407/job/31312405473 * https://github.com/libbpf/libbpf/actions/runs/11260992334/job/31315514626 * https://github.com/libbpf/libbpf/actions/runs/11263162459/job/31320458251 Part of the test is running a dummy loop for a while and then checking for a counter incremented by the test program. Instead of waiting for an arbitrary number of loop iterations once, check for the test counter in a loop and use get_time_ns() helper to enforce a 100ms timeout. v1: https://lore.kernel.org/bpf/zuRd072x9tumn2iN4wDNs5av0nu5nekMNV4PkR-YwCT10eF… Signed-off-by: Ihor Solodrai <ihor.solodrai(a)pm.me> Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> Link: https://lore.kernel.org/bpf/20241011153104.249800-1-ihor.solodrai@pm.me Signed-off-by: Shung-Hsi Yu <shung-hsi.yu(a)suse.com> --- .../testing/selftests/bpf/prog_tests/perf_link.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/bpf/prog_tests/perf_link.c b/tools/testing/selftests/bpf/prog_tests/perf_link.c index 3a25f1c743a1..d940ff87fa08 100644 --- a/tools/testing/selftests/bpf/prog_tests/perf_link.c +++ b/tools/testing/selftests/bpf/prog_tests/perf_link.c @@ -4,8 +4,12 @@ #include <pthread.h> #include <sched.h> #include <test_progs.h> +#include "testing_helpers.h" #include "test_perf_link.skel.h" +#define BURN_TIMEOUT_MS 100 +#define BURN_TIMEOUT_NS BURN_TIMEOUT_MS * 1000000 + static void burn_cpu(void) { volatile int j = 0; @@ -32,6 +36,7 @@ void serial_test_perf_link(void) int run_cnt_before, run_cnt_after; struct bpf_link_info info; __u32 info_len = sizeof(info); + __u64 timeout_time_ns; /* create perf event */ memset(&attr, 0, sizeof(attr)); @@ -63,8 +68,14 @@ void serial_test_perf_link(void) ASSERT_GT(info.prog_id, 0, "link_prog_id"); /* ensure we get at least one perf_event prog execution */ - burn_cpu(); - ASSERT_GT(skel->bss->run_cnt, 0, "run_cnt"); + timeout_time_ns = get_time_ns() + BURN_TIMEOUT_NS; + while (true) { + burn_cpu(); + if (skel->bss->run_cnt > 0) + break; + if (!ASSERT_LT(get_time_ns(), timeout_time_ns, "run_cnt_timeout")) + break; + } /* perf_event is still active, but we close link and BPF program * shouldn't be executed anymore -- 2.49.0

5 days, 1 hour

2
1
0 0

[PATCH v2 5.10.y] net/ipv4: fix type mismatch in inet_ehash_locks_alloc() causing build failure

by Eliav Farber

Fix compilation warning: In file included from ./include/linux/kernel.h:15, from ./include/linux/list.h:9, from ./include/linux/module.h:12, from net/ipv4/inet_hashtables.c:12: net/ipv4/inet_hashtables.c: In function ‘inet_ehash_locks_alloc’: ./include/linux/minmax.h:20:35: warning: comparison of distinct pointer types lacks a cast 20 | (!!(sizeof((typeof(x) *)1 == (typeof(y) *)1))) | ^~ ./include/linux/minmax.h:26:18: note: in expansion of macro ‘__typecheck’ 26 | (__typecheck(x, y) && __no_side_effects(x, y)) | ^~~~~~~~~~~ ./include/linux/minmax.h:36:31: note: in expansion of macro ‘__safe_cmp’ 36 | __builtin_choose_expr(__safe_cmp(x, y), \ | ^~~~~~~~~~ ./include/linux/minmax.h:52:25: note: in expansion of macro ‘__careful_cmp’ 52 | #define max(x, y) __careful_cmp(x, y, >) | ^~~~~~~~~~~~~ net/ipv4/inet_hashtables.c:946:19: note: in expansion of macro ‘max’ 946 | nblocks = max(nblocks, num_online_nodes() * PAGE_SIZE / locksz); | ^~~ CC block/badblocks.o When warnings are treated as errors, this causes the build to fail. The issue is a type mismatch between the operands passed to the max() macro. Here, nblocks is an unsigned int, while the expression num_online_nodes() * PAGE_SIZE / locksz is promoted to unsigned long. This happens because: - num_online_nodes() returns int - PAGE_SIZE is typically defined as an unsigned long (depending on the architecture) - locksz is unsigned int The resulting arithmetic expression is promoted to unsigned long. Thus, the max() macro compares values of different types: unsigned int vs unsigned long. This issue was introduced in commit f8ece40786c9 ("tcp: bring back NUMA dispersion in inet_ehash_locks_alloc()") during the update from kernel v5.10.237 to v5.10.238. It does not exist in newer kernel branches (e.g., v5.15.185 and all 6.x branches), because they include commit d03eba99f5bf ("minmax: allow min()/max()/clamp() if the arguments have the same signedness.") Fix the issue by using max_t(unsigned int, ...) to explicitly cast both operands to the same type, avoiding the type mismatch and ensuring correctness. Fixes: f8ece40786c9 ("tcp: bring back NUMA dispersion in inet_ehash_locks_alloc()") Signed-off-by: Eliav Farber <farbere(a)amazon.com> --- V1 -> V2: Use upstream commit SHA1 in reference net/ipv4/inet_hashtables.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c index fea74ab2a4be..ac2d185c04ef 100644 --- a/net/ipv4/inet_hashtables.c +++ b/net/ipv4/inet_hashtables.c @@ -943,7 +943,7 @@ int inet_ehash_locks_alloc(struct inet_hashinfo *hashinfo) nblocks = max(2U * L1_CACHE_BYTES / locksz, 1U) * num_possible_cpus(); /* At least one page per NUMA node. */ - nblocks = max(nblocks, num_online_nodes() * PAGE_SIZE / locksz); + nblocks = max_t(unsigned int, nblocks, num_online_nodes() * PAGE_SIZE / locksz); nblocks = roundup_pow_of_two(nblocks); -- 2.47.1

5 days, 1 hour

2
1
0 0

[PATCH v1] mm/gup: Revert "mm: gup: fix infinite loop within __get_longterm_locked"

by David Hildenbrand

After commit 1aaf8c122918 ("mm: gup: fix infinite loop within __get_longterm_locked") we are able to longterm pin folios that are not supposed to get longterm pinned, simply because they temporarily have the LRU flag cleared (esp. temporarily isolated). For example, two __get_longterm_locked() callers can race, or __get_longterm_locked() can race with anything else that temporarily isolates folios. The introducing commit mentions the use case of a driver that uses vm_ops->fault to insert pages allocated through cma_alloc() into the page tables, assuming they can later get longterm pinned. These pages/ folios would never have the LRU flag set and consequently cannot get isolated. There is no known in-tree user making use of that so far, fortunately. To handle that in the future -- and avoid retrying forever to isolate/migrate them -- we will need a different mechanism for the CMA area *owner* to indicate that it actually already allocated the page and is fine with longterm pinning it. The LRU flag is not suitable for that. Probably we can lookup the relevant CMA area and query the bitmap; we only have have to care about some races, probably. If already allocated, we could just allow longterm pinning) Anyhow, let's fix the "must not be longterm pinned" problem first by reverting the original commit. Fixes: 1aaf8c122918 ("mm: gup: fix infinite loop within __get_longterm_locked") Closes: https://lore.kernel.org/all/20250522092755.GA3277597@tiffany/ Reported-by: Hyesoo Yu <hyesoo.yu(a)samsung.com> Cc: <Stable(a)vger.kernel.org> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Peter Xu <peterx(a)redhat.com> Cc: Zhaoyang Huang <zhaoyang.huang(a)unisoc.com> Cc: Aijun Sun <aijun.sun(a)unisoc.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: John Hubbard <jhubbard(a)nvidia.com> Signed-off-by: David Hildenbrand <david(a)redhat.com> --- mm/gup.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/mm/gup.c b/mm/gup.c index e065a49842a87..3c39cbbeebef1 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2303,13 +2303,13 @@ static void pofs_unpin(struct pages_or_folios *pofs) /* * Returns the number of collected folios. Return value is always >= 0. */ -static void collect_longterm_unpinnable_folios( +static unsigned long collect_longterm_unpinnable_folios( struct list_head *movable_folio_list, struct pages_or_folios *pofs) { + unsigned long i, collected = 0; struct folio *prev_folio = NULL; bool drain_allow = true; - unsigned long i; for (i = 0; i < pofs->nr_entries; i++) { struct folio *folio = pofs_get_folio(pofs, i); @@ -2321,6 +2321,8 @@ static void collect_longterm_unpinnable_folios( if (folio_is_longterm_pinnable(folio)) continue; + collected++; + if (folio_is_device_coherent(folio)) continue; @@ -2342,6 +2344,8 @@ static void collect_longterm_unpinnable_folios( NR_ISOLATED_ANON + folio_is_file_lru(folio), folio_nr_pages(folio)); } + + return collected; } /* @@ -2418,9 +2422,11 @@ static long check_and_migrate_movable_pages_or_folios(struct pages_or_folios *pofs) { LIST_HEAD(movable_folio_list); + unsigned long collected; - collect_longterm_unpinnable_folios(&movable_folio_list, pofs); - if (list_empty(&movable_folio_list)) + collected = collect_longterm_unpinnable_folios(&movable_folio_list, + pofs); + if (!collected) return 0; return migrate_longterm_unpinnable_folios(&movable_folio_list, pofs); -- 2.49.0

5 days, 1 hour

1
0
0 0

[PATCH] dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status()

by Qiu-ji Chen

Fixed a flag reuse bug in the mtk_cqdma_tx_status() function. Fixes: 157ae5ffd76a ("dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status()") Cc: stable(a)vger.kernel.org Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202505270641.MStzJUfU-lkp@intel.com/ Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> --- drivers/dma/mediatek/mtk-cqdma.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/dma/mediatek/mtk-cqdma.c b/drivers/dma/mediatek/mtk-cqdma.c index 47c8adfdc155..f7b870d2ca90 100644 --- a/drivers/dma/mediatek/mtk-cqdma.c +++ b/drivers/dma/mediatek/mtk-cqdma.c @@ -441,18 +441,19 @@ static enum dma_status mtk_cqdma_tx_status(struct dma_chan *c, struct mtk_cqdma_vdesc *cvd; struct virt_dma_desc *vd; enum dma_status ret; - unsigned long flags; + unsigned long pc_flags; + unsigned long vc_flags; size_t bytes = 0; ret = dma_cookie_status(c, cookie, txstate); if (ret == DMA_COMPLETE || !txstate) return ret; - spin_lock_irqsave(&cvc->pc->lock, flags); - spin_lock_irqsave(&cvc->vc.lock, flags); + spin_lock_irqsave(&cvc->pc->lock, pc_flags); + spin_lock_irqsave(&cvc->vc.lock, vc_flags); vd = mtk_cqdma_find_active_desc(c, cookie); - spin_unlock_irqrestore(&cvc->vc.lock, flags); - spin_unlock_irqrestore(&cvc->pc->lock, flags); + spin_unlock_irqrestore(&cvc->vc.lock, vc_flags); + spin_unlock_irqrestore(&cvc->pc->lock, pc_flags); if (vd) { cvd = to_cqdma_vdesc(vd); -- 2.34.1

5 days, 1 hour

2
5
0 0

[PATCH] gpio: loongson-64bit: Correct Loongson-7A2000 ACPI GPIO access mode

by Binbin Zhou

According to the description of the Loongson-7A2000 ACPI GPIO register in the manual, its access mode should be BIT_CTRL_MODE, otherwise there maybe some unpredictable behavior. Cc: stable(a)vger.kernel.org Fixes: 44fe79020b91 ("gpio: loongson-64bit: Add more gpio chip support") Signed-off-by: Binbin Zhou <zhoubinbin(a)loongson.cn> --- drivers/gpio/gpio-loongson-64bit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpio/gpio-loongson-64bit.c b/drivers/gpio/gpio-loongson-64bit.c index 26227669f026..70a01c5b8ad1 100644 --- a/drivers/gpio/gpio-loongson-64bit.c +++ b/drivers/gpio/gpio-loongson-64bit.c @@ -268,7 +268,7 @@ static const struct loongson_gpio_chip_data loongson_gpio_ls7a2000_data0 = { /* LS7A2000 ACPI GPIO */ static const struct loongson_gpio_chip_data loongson_gpio_ls7a2000_data1 = { .label = "ls7a2000_gpio", - .mode = BYTE_CTRL_MODE, + .mode = BIT_CTRL_MODE, .conf_offset = 0x4, .in_offset = 0x8, .out_offset = 0x0, base-commit: e0d4a0f1d066f14522049e827107a577444d9183 -- 2.47.1

5 days, 1 hour

3
2
0 0

[PATCH v1] usb: acpi: fix device link removal

by Heikki Krogerus

The device link to the USB4 host interface has to be removed manually since it's no longer auto removed. Fixes: 623dae3e7084 ("usb: acpi: fix boot hang due to early incorrect 'tunneled' USB3 device links") Cc: stable(a)vger.kernel.org Signed-off-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> --- drivers/usb/core/hub.c | 3 +++ drivers/usb/core/usb-acpi.c | 4 +++- include/linux/usb.h | 2 ++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c index 770d1e91183c..14229dcb0952 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -2337,6 +2337,9 @@ void usb_disconnect(struct usb_device **pdev) usb_remove_ep_devs(&udev->ep0); usb_unlock_device(udev); + if (udev->usb4_link) + device_link_del(udev->usb4_link); + /* Unregister the device. The device driver is responsible * for de-configuring the device and invoking the remove-device * notifier chain (used by usbfs and possibly others). diff --git a/drivers/usb/core/usb-acpi.c b/drivers/usb/core/usb-acpi.c index ea1ce8beb0cb..489dbdc96f94 100644 --- a/drivers/usb/core/usb-acpi.c +++ b/drivers/usb/core/usb-acpi.c @@ -157,7 +157,7 @@ EXPORT_SYMBOL_GPL(usb_acpi_set_power_state); */ static int usb_acpi_add_usb4_devlink(struct usb_device *udev) { - const struct device_link *link; + struct device_link *link; struct usb_port *port_dev; struct usb_hub *hub; @@ -188,6 +188,8 @@ static int usb_acpi_add_usb4_devlink(struct usb_device *udev) dev_dbg(&port_dev->dev, "Created device link from %s to %s\n", dev_name(&port_dev->child->dev), dev_name(nhi_fwnode->dev)); + udev->usb4_link = link; + return 0; } diff --git a/include/linux/usb.h b/include/linux/usb.h index 1b2545b4363b..92c752f5446f 100644 --- a/include/linux/usb.h +++ b/include/linux/usb.h @@ -614,6 +614,7 @@ struct usb3_lpm_parameters { * FIXME -- complete doc * @authenticated: Crypto authentication passed * @tunnel_mode: Connection native or tunneled over USB4 + * @usb4_link: device link to the USB4 host interface * @lpm_capable: device supports LPM * @lpm_devinit_allow: Allow USB3 device initiated LPM, exit latency is in range * @usb2_hw_lpm_capable: device can perform USB2 hardware LPM @@ -724,6 +725,7 @@ struct usb_device { unsigned reset_resume:1; unsigned port_is_suspended:1; enum usb_link_tunnel_mode tunnel_mode; + struct device_link *usb4_link; int slot_id; struct usb2_lpm_parameters l1_params; -- 2.47.2

5 days, 2 hours

2
1
0 0

[PATCH v2] usb: hub: fix detection of high tier USB3 devices behind suspended hubs

by Mathias Nyman

USB3 devices connected behind several external suspended hubs may not be detected when plugged in due to aggressive hub runtime pm suspend. The hub driver immediately runtime-suspends hubs if there are no active children or port activity. There is a delay between the wake signal causing hub resume, and driver visible port activity on the hub downstream facing ports. Most of the LFPS handshake, resume signaling and link training done on the downstream ports is not visible to the hub driver until completed, when device then will appear fully enabled and running on the port. This delay between wake signal and detectable port change is even more significant with chained suspended hubs where the wake signal will propagate upstream first. Suspended hubs will only start resuming downstream ports after upstream facing port resumes. The hub driver may resume a USB3 hub, read status of all ports, not yet see any activity, and runtime suspend back the hub before any port activity is visible. This exact case was seen when conncting USB3 devices to a suspended Thunderbolt dock. USB3 specification defines a 100ms tU3WakeupRetryDelay, indicating USB3 devices expect to be resumed within 100ms after signaling wake. if not then device will resend the wake signal. Give the USB3 hubs twice this time (200ms) to detect any port changes after resume, before allowing hub to runtime suspend again. Cc: stable(a)vger.kernel.org Fixes: 2839f5bcfcfc ("USB: Turn on auto-suspend for USB 3.0 hubs.") Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- v2 changes - Update commit in Fixes tag - Add Ack from Alan Stern drivers/usb/core/hub.c | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c index 770d1e91183c..5c12dfdef569 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -68,6 +68,12 @@ */ #define USB_SHORT_SET_ADDRESS_REQ_TIMEOUT 500 /* ms */ +/* + * Give SS hubs 200ms time after wake to train downstream links before + * assuming no port activity and allowing hub to runtime suspend back. + */ +#define USB_SS_PORT_U0_WAKE_TIME 200 /* ms */ + /* Protect struct usb_device->state and ->children members * Note: Both are also protected by ->dev.sem, except that ->state can * change to USB_STATE_NOTATTACHED even when the semaphore isn't held. */ @@ -1068,11 +1074,12 @@ int usb_remove_device(struct usb_device *udev) enum hub_activation_type { HUB_INIT, HUB_INIT2, HUB_INIT3, /* INITs must come first */ - HUB_POST_RESET, HUB_RESUME, HUB_RESET_RESUME, + HUB_POST_RESET, HUB_RESUME, HUB_RESET_RESUME, HUB_POST_RESUME, }; static void hub_init_func2(struct work_struct *ws); static void hub_init_func3(struct work_struct *ws); +static void hub_post_resume(struct work_struct *ws); static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) { @@ -1095,6 +1102,13 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) goto init2; goto init3; } + + if (type == HUB_POST_RESUME) { + usb_autopm_put_interface_async(to_usb_interface(hub->intfdev)); + hub_put(hub); + return; + } + hub_get(hub); /* The superspeed hub except for root hub has to use Hub Depth @@ -1343,6 +1357,16 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) device_unlock(&hdev->dev); } + if (type == HUB_RESUME && hub_is_superspeed(hub->hdev)) { + /* give usb3 downstream links training time after hub resume */ + INIT_DELAYED_WORK(&hub->init_work, hub_post_resume); + queue_delayed_work(system_power_efficient_wq, &hub->init_work, + msecs_to_jiffies(USB_SS_PORT_U0_WAKE_TIME)); + usb_autopm_get_interface_no_resume( + to_usb_interface(hub->intfdev)); + return; + } + hub_put(hub); } @@ -1361,6 +1385,13 @@ static void hub_init_func3(struct work_struct *ws) hub_activate(hub, HUB_INIT3); } +static void hub_post_resume(struct work_struct *ws) +{ + struct usb_hub *hub = container_of(ws, struct usb_hub, init_work.work); + + hub_activate(hub, HUB_POST_RESUME); +} + enum hub_quiescing_type { HUB_DISCONNECT, HUB_PRE_RESET, HUB_SUSPEND }; -- 2.43.0

5 days, 3 hours

1
0
0 0

[PATCH v3 2/3] udmabuf: use sgtable-based scatterlist wrappers

by Marek Szyprowski

Use common wrappers operating directly on the struct sg_table objects to fix incorrect use of scatterlists sync calls. dma_sync_sg_for_*() functions have to be called with the number of elements originally passed to dma_map_sg_*() function, not the one returned in sgtable's nents. Fixes: 1ffe09590121 ("udmabuf: fix dma-buf cpu access") CC: stable(a)vger.kernel.org Signed-off-by: Marek Szyprowski <m.szyprowski(a)samsung.com> Acked-by: Vivek Kasireddy <vivek.kasireddy(a)intel.com> --- drivers/dma-buf/udmabuf.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index 7eee3eb47a8e..c9d0c68d2fcb 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c @@ -264,8 +264,7 @@ static int begin_cpu_udmabuf(struct dma_buf *buf, ubuf->sg = NULL; } } else { - dma_sync_sg_for_cpu(dev, ubuf->sg->sgl, ubuf->sg->nents, - direction); + dma_sync_sgtable_for_cpu(dev, ubuf->sg, direction); } return ret; @@ -280,7 +279,7 @@ static int end_cpu_udmabuf(struct dma_buf *buf, if (!ubuf->sg) return -EINVAL; - dma_sync_sg_for_device(dev, ubuf->sg->sgl, ubuf->sg->nents, direction); + dma_sync_sgtable_for_device(dev, ubuf->sg, direction); return 0; } -- 2.34.1

5 days, 3 hours

2
4
0 0

6.12.y longterm regression - IPv6 UDP packet fragmentation

by Brett Sheffield

Hello Stable Maintainers, Longterm kernel 6.12.y backports commit: - a18dfa9925b9ef6107ea3aa5814ca3c704d34a8a "ipv6: save dontfrag in cork" but does not backport these related commits: - 54580ccdd8a9c6821fd6f72171d435480867e4c3 "ipv6: remove leftover ip6 cookie initializer" - 096208592b09c2f5fc0c1a174694efa41c04209d "ipv6: replace ipcm6_init calls with ipcm6_init_sk" This causes a regression when sending IPv6 UDP packets by preventing fragmentation and instead returning EMSGSIZE. I have attached a program which demonstrates the issue. sendmsg() returns correctly (8192) on a working kernel, and returns -1 (EMSGSIZE) when the regression is present. The regression is not present in the mainline kernel. Applying the two missing commits to 6.12.y fixes the regression. Cheers, Brett -- Brett Sheffield (he/him) Librecast - Decentralising the Internet with Multicast https://librecast.net/ https://blog.brettsheffield.com/

5 days, 3 hours

1
0
0 0

Re: Patch "powerpc: do not build ppc_save_regs.o always" has been added to the 6.15-stable tree

by Jiri Slaby

On 10. 06. 25, 13:56, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > powerpc: do not build ppc_save_regs.o always > > to the 6.15-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… Please drop this from all trees. It was correctly broken. The whole if was removed later by 93bd4a80efeb521314485a06d8c21157240497bb. > The filename of the patch is: > powerpc-do-not-build-ppc_save_regs.o-always.patch > and it can be found in the queue-6.15 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit 242c2ba3f16d92cd81c309725550f6c723833ae3 > Author: Jiri Slaby (SUSE) <jirislaby(a)kernel.org> > Date: Thu Apr 17 12:53:05 2025 +0200 > > powerpc: do not build ppc_save_regs.o always > > [ Upstream commit 497b7794aef03d525a5be05ae78dd7137c6861a5 ] > > The Fixes commit below tried to add CONFIG_PPC_BOOK3S to one of the > conditions to enable the build of ppc_save_regs.o. But it failed to do > so, in fact. The commit omitted to add a dollar sign. > > Therefore, ppc_save_regs.o is built always these days (as > "(CONFIG_PPC_BOOK3S)" is never an empty string). > > Fix this by adding the missing dollar sign. > > Signed-off-by: Jiri Slaby (SUSE) <jirislaby(a)kernel.org> > Fixes: fc2a5a6161a2 ("powerpc/64s: ppc_save_regs is now needed for all 64s builds") > Acked-by: Stephen Rothwell <sfr(a)canb.auug.org.au> > Signed-off-by: Madhavan Srinivasan <maddy(a)linux.ibm.com> > Link: https://patch.msgid.link/20250417105305.397128-1-jirislaby@kernel.org > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile > index 6ac621155ec3c..0c26b2412d173 100644 > --- a/arch/powerpc/kernel/Makefile > +++ b/arch/powerpc/kernel/Makefile > @@ -160,7 +160,7 @@ endif > > obj64-$(CONFIG_PPC_TRANSACTIONAL_MEM) += tm.o > > -ifneq ($(CONFIG_XMON)$(CONFIG_KEXEC_CORE)(CONFIG_PPC_BOOK3S),) > +ifneq ($(CONFIG_XMON)$(CONFIG_KEXEC_CORE)$(CONFIG_PPC_BOOK3S),) > obj-y += ppc_save_regs.o > endif > -- js suse labs

5 days, 4 hours

2
2
0 0

[PATCH 0/3] x86: Fix some bugs related to ITS mitigation

by Juergen Gross

Running as a Xen PV guest uncovered some bugs when ITS mitigation is active. Juergen Gross (3): x86/execmem: don't use PAGE_KERNEL protection for code pages x86/mm/pat: don't collapse pages without PSE set x86/alternative: make kernel ITS thunks read-only arch/x86/kernel/alternative.c | 16 ++++++++++++++++ arch/x86/mm/init.c | 2 +- arch/x86/mm/pat/set_memory.c | 3 +++ 3 files changed, 20 insertions(+), 1 deletion(-) -- 2.43.0

5 days, 4 hours

6
17
0 0

Re: [PATCH 5.10.y 2/3] rtc: Make rtc_time64_to_tm() support dates before 1970

by Uwe Kleine-König

Hello Cassio, thanks for your input. On Tue, Jun 10, 2025 at 09:31:48PM +0100, Cassio Neri wrote: > Although untested, I'm pretty sure that with very small changes, the > previous revision (1d1bb12) can handle dates prior to 1970-01-01 with no > need to add extra branches or arithmetic operations. Indeed, 1d1bb12 > contains: > > <code> > /* time must be positive */ > days = div_s64_rem(time, 86400, &secs); > > /* day of the week, 1970-01-01 was a Thursday */ > tm->tm_wday = (days + 4) % 7; > > /* long comments */ > > udays = ((u32) days) + 719468; > </code> > > This could have been changed to: > > <code> > /* time must be >= -719468 * 86400 which corresponds to 0000-03-01 */ > udays = div_u64_rem(time + 719468 * 86400, 86400, &secs); > > /* day of the week, 0000-03-01 was a Wednesday (in the proleptic Gregorian > calendar) */ > tm->tm_wday = (days + 3) % 7; > > /* long comments */ > </code> > > Indeed, the addition of 719468 * 86400 to `time` makes `days` to be 719468 > more than it should be. Therefore, in the calculation of `udays`, the > addition of 719468 becomes unnecessary and thus, `udays == days`. Moreover, > this means that `days` can be removed altogether and replaced by `udays`. > (Not the other way around because in the remaining code `udays` must be > u32.) > > Now, 719468 % 7 = 1 and thus tm->wday is 1 day after what it should be and > we correct that by adding 3 instead of 4. > > Therefore, I suggest these changes on top of 1d1bb12 instead of those made > in 7df4cfe. Since you're working on this, can I please kindly suggest two > other changes? It's to late for "instead", and we're discussing a backport to stable for a commit that is already in v6.16-rc1. While your concerns are correct (though I didn't check the details yet), I claim that 7df4cfef8b35 is correct and it's the right thing to backport that today. Incremental changes can then go in the development version (and backported if deemed necessary). > 1) Change the reference provided in the long comment. It should say, "The > following algorithm is, basically, Figure 12 of Neri and Schneider [1]" and > [1] should refer to the published article: > > Neri C, Schneider L. Euclidean affine functions and their application to > calendar algorithms. Softw Pract Exper. 2023;53(4):937-970. doi: > 10.1002/spe.3172 > https://doi.org/10.1002/spe.3172 > > The article is much better written and clearer than the pre-print currently > referred to. I'll add that to my todo list. (that = improving rtc_time64_to_tm() and reading your paper :-) > 2) Function rtc_time64_to_tm_test_date_range in drivers/rtc/lib_test.c, is > a kunit test that checks the result for everyday in a 160000 years range > starting at 1970-01-01. It'd be nice if this test is adapted to the new > code and starts at 1900-01-01 (technically, it could start at 0000-03-01 > but since tm->year counts from 1900, it would be weird to see tm->year == > -1900 to mean that the calendar year is 0.) Also 160000 is definitely an > overkill (my bad!) and a couple of thousands of years, say 3000, should be > more than safe for anyone. :-) I already did 2), see https://git.kernel.org/linus/ccb2dba3c19f. Best regards Uwe

5 days, 8 hours

1
0
0 0

Mailbox Alert: Storage Limit Almost Reached

by lists.linaro.org 通知

5 days, 10 hours

1
0
0 0

[PATCH] x86/mm: Disable INVLPGB when PTI is enabled

by Dave Hansen

From: Dave Hansen <dave.hansen(a)linux.intel.com> PTI uses separate ASIDs (aka. PCIDs) for kernel and user address spaces. When the kernel needs to flush the user address space, it just sets a bit in a bitmap and then flushes the entire PCID on the next switch to userspace. But, this bitmap is a single 'unsigned long' which is plenty for all 6 dynamic ASIDs. But, unfortunately, the INVLPGB support brings along a bunch more user ASIDs, as many as ~2k more. The bitmap can't address that many. Fortunately, the bitmap is only needed for PTI and all the CPUs with INVLPGB are AMD CPUs that aren't vulnerable to Meltdown and don't need PTI. The only way someone can run into an issue in practice is by booting with pti=on on a newer AMD CPU. Disable INVLPGB if PTI is enabled. Avoid overrunning the small bitmap. Note: this will be fixed up properly by making the bitmap bigger. For now, just avoid the mostly theoretical bug. Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Fixes: 4afeb0ed1753 ("x86/mm: Enable broadcast TLB invalidation for multi-threaded processes") Cc: stable(a)vger.kernel.org Cc: Rik van Riel <riel(a)surriel.com> Cc: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: Ingo Molnar <mingo(a)kernel.org> Cc: Nadav Amit <nadav.amit(a)gmail.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> --- b/arch/x86/mm/pti.c | 5 +++++ 1 file changed, 5 insertions(+) diff -puN arch/x86/mm/pti.c~no-INVLPGB-plus-KPTI arch/x86/mm/pti.c --- a/arch/x86/mm/pti.c~no-INVLPGB-plus-KPTI 2025-06-10 15:02:14.439554339 -0700 +++ b/arch/x86/mm/pti.c 2025-06-10 15:09:47.713198206 -0700 @@ -98,6 +98,11 @@ void __init pti_check_boottime_disable(v return; setup_force_cpu_cap(X86_FEATURE_PTI); + + if (cpu_feature_enabled(X86_FEATURE_INVLPGB)) { + pr_debug("PTI enabled, disabling INVLPGB\n"); + setup_clear_cpu_cap(X86_FEATURE_INVLPGB); + } } static int __init pti_parse_cmdline(char *arg) _

5 days, 10 hours

3
2
0 0

[PATCH v2] mm/memory-tier: Fix abstract distance calculation overflow

by Li Zhijian

In mt_perf_to_adistance(), the calculation of abstract distance (adist) involves multiplying several int values including MEMTIER_ADISTANCE_DRAM. ``` *adist = MEMTIER_ADISTANCE_DRAM * (perf->read_latency + perf->write_latency) / (default_dram_perf.read_latency + default_dram_perf.write_latency) * (default_dram_perf.read_bandwidth + default_dram_perf.write_bandwidth) / (perf->read_bandwidth + perf->write_bandwidth); ``` Since these values can be large, the multiplication may exceed the maximum value of an int (INT_MAX) and overflow (Our platform did), leading to an incorrect adist. User-visible impact: The memory tiering subsystem will misinterpret slow memory (like CXL) as faster than DRAM, causing inappropriate demotion of pages from CXL (slow memory) to DRAM (fast memory). For example, we will see the following demotion chains from the dmesg, where Node0,1 are DRAM, and Node2,3 are CXL node: Demotion targets for Node 0: null Demotion targets for Node 1: null Demotion targets for Node 2: preferred: 0-1, fallback: 0-1 Demotion targets for Node 3: preferred: 0-1, fallback: 0-1 Change MEMTIER_ADISTANCE_DRAM to be a long constant by writing it with the 'L' suffix. This prevents the overflow because the multiplication will then be done in the long type which has a larger range. Fixes: 3718c02dbd4c ("acpi, hmat: calculate abstract distance with HMAT") Cc: stable(a)vger.kernel.org Reviewed-by: Huang Ying <ying.huang(a)linux.alibaba.com> Acked-by: Balbir Singh <balbirs(a)nvidia.com> Reviewed-by: Donet Tom <donettom(a)linux.ibm.com> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Signed-off-by: Li Zhijian <lizhijian(a)fujitsu.com> --- V2: Document the 'User-visible impact' # Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/memory-tiers.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/memory-tiers.h b/include/linux/memory-tiers.h index 0dc0cf2863e2..7a805796fcfd 100644 --- a/include/linux/memory-tiers.h +++ b/include/linux/memory-tiers.h @@ -18,7 +18,7 @@ * adistance value (slightly faster) than default DRAM adistance to be part of * the same memory tier. */ -#define MEMTIER_ADISTANCE_DRAM ((4 * MEMTIER_CHUNK_SIZE) + (MEMTIER_CHUNK_SIZE >> 1)) +#define MEMTIER_ADISTANCE_DRAM ((4L * MEMTIER_CHUNK_SIZE) + (MEMTIER_CHUNK_SIZE >> 1)) struct memory_tier; struct memory_dev_type { -- 2.41.0

5 days, 11 hours

1
0
0 0

+ maple_tree-restart-walk-on-correct-status.patch added to mm-new branch

by Andrew Morton

The patch titled Subject: maple_tree: restart walk on correct status has been added to the -mm mm-new branch. Its filename is maple_tree-restart-walk-on-correct-status.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-new branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Note, mm-new is a provisional staging ground for work-in-progress patches, and acceptance into mm-new is a notification for others take notice and to finish up reviews. Please do not hesitate to respond to review feedback and post updated versions to replace or incrementally fixup patches in mm-new. Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Wei Yang <richard.weiyang(a)gmail.com> Subject: maple_tree: restart walk on correct status Date: Wed, 11 Jun 2025 01:12:52 +0000 Commit a8091f039c1e ("maple_tree: add MAS_UNDERFLOW and MAS_OVERFLOW states") adds more status during maple tree walk. But it introduce a typo on the status check during walk. It expects to mean neither active nor start, we would restart the walk, while current code means we would always restart the walk. Link: https://lkml.kernel.org/r/20250611011253.19515-3-richard.weiyang@gmail.com Fixes: a8091f039c1e ("maple_tree: add MAS_UNDERFLOW and MAS_OVERFLOW states") Signed-off-by: Wei Yang <richard.weiyang(a)gmail.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/maple_tree.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/lib/maple_tree.c~maple_tree-restart-walk-on-correct-status +++ a/lib/maple_tree.c @@ -4930,7 +4930,7 @@ void *mas_walk(struct ma_state *mas) { void *entry; - if (!mas_is_active(mas) || !mas_is_start(mas)) + if (!mas_is_active(mas) && !mas_is_start(mas)) mas->status = ma_start; retry: entry = mas_state_walk(mas); _ Patches currently in -mm which might be from richard.weiyang(a)gmail.com are maple_tree-fix-mt_destroy_walk-on-root-leaf-node.patch maple_tree-restart-walk-on-correct-status.patch maple_tree-assert-retrieving-new-value-on-a-tree-containing-just-a-leaf-node.patch

5 days, 12 hours

1
0
0 0

+ maple_tree-fix-mt_destroy_walk-on-root-leaf-node.patch added to mm-new branch

by Andrew Morton

The patch titled Subject: maple_tree: fix mt_destroy_walk() on root leaf node has been added to the -mm mm-new branch. Its filename is maple_tree-fix-mt_destroy_walk-on-root-leaf-node.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-new branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Note, mm-new is a provisional staging ground for work-in-progress patches, and acceptance into mm-new is a notification for others take notice and to finish up reviews. Please do not hesitate to respond to review feedback and post updated versions to replace or incrementally fixup patches in mm-new. Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Wei Yang <richard.weiyang(a)gmail.com> Subject: maple_tree: fix mt_destroy_walk() on root leaf node Date: Wed, 11 Jun 2025 01:12:51 +0000 Patch series "maple_tree: Fix the replacement of a root leaf node", v3. On destroy we should set each node dead. But current code miss this when the maple tree has only the root node. The reason is that mt_destroy_walk() leverages mte_destroy_descend() to set the node dead, but this is skipped since the only root node is a leaf. Patch 1 fixes this. When adding a test case, I found we always get the new value even when we leave the old root node not dead. It turns out we always re-walk the tree in mas_walk(). It looks like a typo on the status check of mas_walk(). Patch 2 fixes this. Patch 3 adds a test case to assert retrieving new value when overwriting the whole range to a tree with only root node. This patch (of 3): On destroy, we should set each node dead. But current code miss this when the maple tree has only the root node. The reason is mt_destroy_walk() leverage mte_destroy_descend() to set node dead, but this is skipped since the only root node is a leaf. Fixes this by setting the node dead if it is a leaf. Link: https://lkml.kernel.org/r/20250611011253.19515-1-richard.weiyang@gmail.com Link: https://lkml.kernel.org/r/20250611011253.19515-2-richard.weiyang@gmail.com Fixes: 54a611b60590 ("Maple Tree: add new data structure") Signed-off-by: Wei Yang <richard.weiyang(a)gmail.com> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/maple_tree.c | 1 + 1 file changed, 1 insertion(+) --- a/lib/maple_tree.c~maple_tree-fix-mt_destroy_walk-on-root-leaf-node +++ a/lib/maple_tree.c @@ -5319,6 +5319,7 @@ static void mt_destroy_walk(struct maple struct maple_enode *start; if (mte_is_leaf(enode)) { + mte_set_node_dead(enode); node->type = mte_node_type(enode); goto free_leaf; } _ Patches currently in -mm which might be from richard.weiyang(a)gmail.com are maple_tree-fix-mt_destroy_walk-on-root-leaf-node.patch maple_tree-restart-walk-on-correct-status.patch maple_tree-assert-retrieving-new-value-on-a-tree-containing-just-a-leaf-node.patch

5 days, 12 hours

1
0
0 0

[PATCH v3 5/9] LoongArch: KVM: INTC: Avoid overflow with array index

by Bibo Mao

Variable index is modified and reused as array index when modify register EIOINTC_ENABLE. There will be array index overflow problem. Cc: stable(a)vger.kernel.org Fixes: 3956a52bc05b ("LoongArch: KVM: Add EIOINTC read and write functions") Signed-off-by: Bibo Mao <maobibo(a)loongson.cn> --- arch/loongarch/kvm/intc/eiointc.c | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/arch/loongarch/kvm/intc/eiointc.c b/arch/loongarch/kvm/intc/eiointc.c index ed80bf290755..0bc870796f56 100644 --- a/arch/loongarch/kvm/intc/eiointc.c +++ b/arch/loongarch/kvm/intc/eiointc.c @@ -447,17 +447,16 @@ static int loongarch_eiointc_writew(struct kvm_vcpu *vcpu, break; case EIOINTC_ENABLE_START ... EIOINTC_ENABLE_END: index = (offset - EIOINTC_ENABLE_START) >> 1; - old_data = s->enable.reg_u32[index]; + old_data = s->enable.reg_u16[index]; s->enable.reg_u16[index] = data; /* * 1: enable irq. * update irq when isr is set. */ data = s->enable.reg_u16[index] & ~old_data & s->isr.reg_u16[index]; - index = index << 1; for (i = 0; i < sizeof(data); i++) { u8 mask = (data >> (i * 8)) & 0xff; - eiointc_enable_irq(vcpu, s, index + i, mask, 1); + eiointc_enable_irq(vcpu, s, index * 2 + i, mask, 1); } /* * 0: disable irq. @@ -466,7 +465,7 @@ static int loongarch_eiointc_writew(struct kvm_vcpu *vcpu, data = ~s->enable.reg_u16[index] & old_data & s->isr.reg_u16[index]; for (i = 0; i < sizeof(data); i++) { u8 mask = (data >> (i * 8)) & 0xff; - eiointc_enable_irq(vcpu, s, index, mask, 0); + eiointc_enable_irq(vcpu, s, index * 2 + i, mask, 0); } break; case EIOINTC_BOUNCE_START ... EIOINTC_BOUNCE_END: @@ -540,10 +539,9 @@ static int loongarch_eiointc_writel(struct kvm_vcpu *vcpu, * update irq when isr is set. */ data = s->enable.reg_u32[index] & ~old_data & s->isr.reg_u32[index]; - index = index << 2; for (i = 0; i < sizeof(data); i++) { u8 mask = (data >> (i * 8)) & 0xff; - eiointc_enable_irq(vcpu, s, index + i, mask, 1); + eiointc_enable_irq(vcpu, s, index * 4 + i, mask, 1); } /* * 0: disable irq. @@ -552,7 +550,7 @@ static int loongarch_eiointc_writel(struct kvm_vcpu *vcpu, data = ~s->enable.reg_u32[index] & old_data & s->isr.reg_u32[index]; for (i = 0; i < sizeof(data); i++) { u8 mask = (data >> (i * 8)) & 0xff; - eiointc_enable_irq(vcpu, s, index, mask, 0); + eiointc_enable_irq(vcpu, s, index * 4 + i, mask, 0); } break; case EIOINTC_BOUNCE_START ... EIOINTC_BOUNCE_END: @@ -626,10 +624,9 @@ static int loongarch_eiointc_writeq(struct kvm_vcpu *vcpu, * update irq when isr is set. */ data = s->enable.reg_u64[index] & ~old_data & s->isr.reg_u64[index]; - index = index << 3; for (i = 0; i < sizeof(data); i++) { u8 mask = (data >> (i * 8)) & 0xff; - eiointc_enable_irq(vcpu, s, index + i, mask, 1); + eiointc_enable_irq(vcpu, s, index * 8 + i, mask, 1); } /* * 0: disable irq. @@ -638,7 +635,7 @@ static int loongarch_eiointc_writeq(struct kvm_vcpu *vcpu, data = ~s->enable.reg_u64[index] & old_data & s->isr.reg_u64[index]; for (i = 0; i < sizeof(data); i++) { u8 mask = (data >> (i * 8)) & 0xff; - eiointc_enable_irq(vcpu, s, index, mask, 0); + eiointc_enable_irq(vcpu, s, index * 8 + i, mask, 0); } break; case EIOINTC_BOUNCE_START ... EIOINTC_BOUNCE_END: -- 2.39.3

5 days, 12 hours

1
0
0 0

[PATCH v3 4/9] LoongArch: KVM: INTC: Check validation of num_cpu from user space

by Bibo Mao

The maximum supported cpu number is EIOINTC_ROUTE_MAX_VCPUS about irqchip eiointc, here add validation about cpu number to avoid array pointer overflow. Cc: stable(a)vger.kernel.org Fixes: 1ad7efa552fd ("LoongArch: KVM: Add EIOINTC user mode read and write functions") Signed-off-by: Bibo Mao <maobibo(a)loongson.cn> --- arch/loongarch/kvm/intc/eiointc.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/arch/loongarch/kvm/intc/eiointc.c b/arch/loongarch/kvm/intc/eiointc.c index b48511f903b5..ed80bf290755 100644 --- a/arch/loongarch/kvm/intc/eiointc.c +++ b/arch/loongarch/kvm/intc/eiointc.c @@ -798,7 +798,7 @@ static int kvm_eiointc_ctrl_access(struct kvm_device *dev, int ret = 0; unsigned long flags; unsigned long type = (unsigned long)attr->attr; - u32 i, start_irq; + u32 i, start_irq, val; void __user *data; struct loongarch_eiointc *s = dev->kvm->arch.eiointc; @@ -806,7 +806,12 @@ static int kvm_eiointc_ctrl_access(struct kvm_device *dev, spin_lock_irqsave(&s->lock, flags); switch (type) { case KVM_DEV_LOONGARCH_EXTIOI_CTRL_INIT_NUM_CPU: - if (copy_from_user(&s->num_cpu, data, 4)) + if (copy_from_user(&val, data, 4) == 0) { + if (val < EIOINTC_ROUTE_MAX_VCPUS) + s->num_cpu = val; + else + ret = -EINVAL; + } else ret = -EFAULT; break; case KVM_DEV_LOONGARCH_EXTIOI_CTRL_INIT_FEATURE: @@ -835,7 +840,7 @@ static int kvm_eiointc_regs_access(struct kvm_device *dev, struct kvm_device_attr *attr, bool is_write) { - int addr, cpuid, offset, ret = 0; + int addr, cpu, offset, ret = 0; unsigned long flags; void *p = NULL; void __user *data; @@ -843,7 +848,7 @@ static int kvm_eiointc_regs_access(struct kvm_device *dev, s = dev->kvm->arch.eiointc; addr = attr->attr; - cpuid = addr >> 16; + cpu = addr >> 16; addr &= 0xffff; data = (void __user *)attr->addr; switch (addr) { @@ -868,8 +873,11 @@ static int kvm_eiointc_regs_access(struct kvm_device *dev, p = &s->isr.reg_u32[offset]; break; case EIOINTC_COREISR_START ... EIOINTC_COREISR_END: + if (cpu >= s->num_cpu) + return -EINVAL; + offset = (addr - EIOINTC_COREISR_START) / 4; - p = &s->coreisr.reg_u32[cpuid][offset]; + p = &s->coreisr.reg_u32[cpu][offset]; break; case EIOINTC_COREMAP_START ... EIOINTC_COREMAP_END: offset = (addr - EIOINTC_COREMAP_START) / 4; -- 2.39.3

5 days, 12 hours

1
0
0 0

[PATCH v3 3/9] LoongArch: KVM: INTC: Disable update property num_cpu and feature

by Bibo Mao

Property num_cpu and feature is read-only once eiointc is created, which is set with KVM_DEV_LOONGARCH_EXTIOI_GRP_CTRL attr group before device creation. Attr group KVM_DEV_LOONGARCH_EXTIOI_GRP_SW_STATUS is to update register and software state for migration and reset usage, property num_cpu and feature can not be update again if it is created already. Here discard write operation with property num_cpu and feature in attr group KVM_DEV_LOONGARCH_EXTIOI_GRP_CTRL. Cc: stable(a)vger.kernel.org Fixes: 1ad7efa552fd ("LoongArch: KVM: Add EIOINTC user mode read and write functions") Signed-off-by: Bibo Mao <maobibo(a)loongson.cn> --- arch/loongarch/kvm/intc/eiointc.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/arch/loongarch/kvm/intc/eiointc.c b/arch/loongarch/kvm/intc/eiointc.c index 0b648c56b0c3..b48511f903b5 100644 --- a/arch/loongarch/kvm/intc/eiointc.c +++ b/arch/loongarch/kvm/intc/eiointc.c @@ -910,9 +910,22 @@ static int kvm_eiointc_sw_status_access(struct kvm_device *dev, data = (void __user *)attr->addr; switch (addr) { case KVM_DEV_LOONGARCH_EXTIOI_SW_STATUS_NUM_CPU: + /* + * Property num_cpu and feature is read-only once eiointc is + * created with KVM_DEV_LOONGARCH_EXTIOI_GRP_CTRL group API + * + * Disable writing with KVM_DEV_LOONGARCH_EXTIOI_GRP_SW_STATUS + * group API + */ + if (is_write) + return ret; + p = &s->num_cpu; break; case KVM_DEV_LOONGARCH_EXTIOI_SW_STATUS_FEATURE: + if (is_write) + return ret; + p = &s->features; break; case KVM_DEV_LOONGARCH_EXTIOI_SW_STATUS_STATE: -- 2.39.3

5 days, 12 hours

1
0
0 0

[PATCH v3 2/9] LoongArch: KVM: INTC: Check interrupt route from physical cpu

by Bibo Mao

With eiointc interrupt controller, physical cpu id is set for irq route. However function kvm_get_vcpu() is used to get destination vCPU when delivering irq. With API kvm_get_vcpu(), logical cpu is used. With API kvm_get_vcpu_by_cpuid(), vCPU can be searched from physical cpu id. Cc: stable(a)vger.kernel.org Fixes: 3956a52bc05b ("LoongArch: KVM: Add EIOINTC read and write functions") Signed-off-by: Bibo Mao <maobibo(a)loongson.cn> --- arch/loongarch/kvm/intc/eiointc.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/arch/loongarch/kvm/intc/eiointc.c b/arch/loongarch/kvm/intc/eiointc.c index d2c521b0e923..0b648c56b0c3 100644 --- a/arch/loongarch/kvm/intc/eiointc.c +++ b/arch/loongarch/kvm/intc/eiointc.c @@ -9,7 +9,8 @@ static void eiointc_set_sw_coreisr(struct loongarch_eiointc *s) { - int ipnum, cpu, irq_index, irq_mask, irq; + int ipnum, cpu, irq_index, irq_mask, irq, cpuid; + struct kvm_vcpu *vcpu; for (irq = 0; irq < EIOINTC_IRQS; irq++) { ipnum = s->ipmap.reg_u8[irq / 32]; @@ -20,7 +21,12 @@ static void eiointc_set_sw_coreisr(struct loongarch_eiointc *s) irq_index = irq / 32; irq_mask = BIT(irq & 0x1f); - cpu = s->coremap.reg_u8[irq]; + cpuid = s->coremap.reg_u8[irq]; + vcpu = kvm_get_vcpu_by_cpuid(s->kvm, cpuid); + if (vcpu == NULL) + continue; + + cpu = vcpu->vcpu_id; if (!!(s->coreisr.reg_u32[cpu][irq_index] & irq_mask)) set_bit(irq, s->sw_coreisr[cpu][ipnum]); else @@ -68,17 +74,23 @@ static void eiointc_update_irq(struct loongarch_eiointc *s, int irq, int level) static inline void eiointc_update_sw_coremap(struct loongarch_eiointc *s, int irq, u64 val, u32 len, bool notify) { - int i, cpu; + int i, cpu, cpuid; + struct kvm_vcpu *vcpu; for (i = 0; i < len; i++) { - cpu = val & 0xff; + cpuid = val & 0xff; val = val >> 8; if (!(s->status & BIT(EIOINTC_ENABLE_CPU_ENCODE))) { - cpu = ffs(cpu) - 1; - cpu = (cpu >= 4) ? 0 : cpu; + cpuid = ffs(cpuid) - 1; + cpuid = (cpuid >= 4) ? 0 : cpuid; } + vcpu = kvm_get_vcpu_by_cpuid(s->kvm, cpuid); + if (vcpu == NULL) + continue; + + cpu = vcpu->vcpu_id; if (s->sw_coremap[irq + i] == cpu) continue; -- 2.39.3

5 days, 12 hours

1
0
0 0

[PATCH v3 1/9] LoongArch: KVM: INTC: Fix interrupt route update with eiointc

by Bibo Mao

With function eiointc_update_sw_coremap(), there is forced assignment like val = *(u64 *)pvalue. Parameter pvalue may be pointer to char type or others, there is problem with forced assignment with u64 type. Here the detailed value is passed rather address pointer. Cc: stable(a)vger.kernel.org Fixes: 3956a52bc05b ("LoongArch: KVM: Add EIOINTC read and write functions") Signed-off-by: Bibo Mao <maobibo(a)loongson.cn> --- arch/loongarch/kvm/intc/eiointc.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/arch/loongarch/kvm/intc/eiointc.c b/arch/loongarch/kvm/intc/eiointc.c index f39929d7bf8a..d2c521b0e923 100644 --- a/arch/loongarch/kvm/intc/eiointc.c +++ b/arch/loongarch/kvm/intc/eiointc.c @@ -66,10 +66,9 @@ static void eiointc_update_irq(struct loongarch_eiointc *s, int irq, int level) } static inline void eiointc_update_sw_coremap(struct loongarch_eiointc *s, - int irq, void *pvalue, u32 len, bool notify) + int irq, u64 val, u32 len, bool notify) { int i, cpu; - u64 val = *(u64 *)pvalue; for (i = 0; i < len; i++) { cpu = val & 0xff; @@ -398,7 +397,7 @@ static int loongarch_eiointc_writeb(struct kvm_vcpu *vcpu, irq = offset - EIOINTC_COREMAP_START; index = irq; s->coremap.reg_u8[index] = data; - eiointc_update_sw_coremap(s, irq, (void *)&data, sizeof(data), true); + eiointc_update_sw_coremap(s, irq, data, sizeof(data), true); break; default: ret = -EINVAL; @@ -484,7 +483,7 @@ static int loongarch_eiointc_writew(struct kvm_vcpu *vcpu, irq = offset - EIOINTC_COREMAP_START; index = irq >> 1; s->coremap.reg_u16[index] = data; - eiointc_update_sw_coremap(s, irq, (void *)&data, sizeof(data), true); + eiointc_update_sw_coremap(s, irq, data, sizeof(data), true); break; default: ret = -EINVAL; @@ -570,7 +569,7 @@ static int loongarch_eiointc_writel(struct kvm_vcpu *vcpu, irq = offset - EIOINTC_COREMAP_START; index = irq >> 2; s->coremap.reg_u32[index] = data; - eiointc_update_sw_coremap(s, irq, (void *)&data, sizeof(data), true); + eiointc_update_sw_coremap(s, irq, data, sizeof(data), true); break; default: ret = -EINVAL; @@ -656,7 +655,7 @@ static int loongarch_eiointc_writeq(struct kvm_vcpu *vcpu, irq = offset - EIOINTC_COREMAP_START; index = irq >> 3; s->coremap.reg_u64[index] = data; - eiointc_update_sw_coremap(s, irq, (void *)&data, sizeof(data), true); + eiointc_update_sw_coremap(s, irq, data, sizeof(data), true); break; default: ret = -EINVAL; @@ -809,7 +808,7 @@ static int kvm_eiointc_ctrl_access(struct kvm_device *dev, for (i = 0; i < (EIOINTC_IRQS / 4); i++) { start_irq = i * 4; eiointc_update_sw_coremap(s, start_irq, - (void *)&s->coremap.reg_u32[i], sizeof(u32), false); + s->coremap.reg_u32[i], sizeof(u32), false); } break; default: -- 2.39.3

5 days, 12 hours

1
0
0 0

[Patch v3 2/3] maple_tree: restart walk on correct status

by Wei Yang

Commit a8091f039c1e ("maple_tree: add MAS_UNDERFLOW and MAS_OVERFLOW states") adds more status during maple tree walk. But it introduce a typo on the status check during walk. It expects to mean neither active nor start, we would restart the walk, while current code means we would always restart the walk. Fixes: a8091f039c1e ("maple_tree: add MAS_UNDERFLOW and MAS_OVERFLOW states") Signed-off-by: Wei Yang <richard.weiyang(a)gmail.com> Cc: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: <stable(a)vger.kernel.org> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)Oracle.com> --- lib/maple_tree.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/maple_tree.c b/lib/maple_tree.c index b0c345b6e646..7144dbbc3481 100644 --- a/lib/maple_tree.c +++ b/lib/maple_tree.c @@ -4930,7 +4930,7 @@ void *mas_walk(struct ma_state *mas) { void *entry; - if (!mas_is_active(mas) || !mas_is_start(mas)) + if (!mas_is_active(mas) && !mas_is_start(mas)) mas->status = ma_start; retry: entry = mas_state_walk(mas); -- 2.34.1

5 days, 13 hours

1
0
0 0

[Patch v3 1/3] maple_tree: Fix mt_destroy_walk() on root leaf node

by Wei Yang

On destroy, we should set each node dead. But current code miss this when the maple tree has only the root node. The reason is mt_destroy_walk() leverage mte_destroy_descend() to set node dead, but this is skipped since the only root node is a leaf. Fixes this by setting the node dead if it is a leaf. Fixes: 54a611b60590 ("Maple Tree: add new data structure") Signed-off-by: Wei Yang <richard.weiyang(a)gmail.com> Cc: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: <stable(a)vger.kernel.org> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)Oracle.com> --- v2: * move the operation into mt_destroy_walk() * adjust the title accordingly --- lib/maple_tree.c | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/maple_tree.c b/lib/maple_tree.c index affe979bd14d..b0c345b6e646 100644 --- a/lib/maple_tree.c +++ b/lib/maple_tree.c @@ -5319,6 +5319,7 @@ static void mt_destroy_walk(struct maple_enode *enode, struct maple_tree *mt, struct maple_enode *start; if (mte_is_leaf(enode)) { + mte_set_node_dead(enode); node->type = mte_node_type(enode); goto free_leaf; } -- 2.34.1

5 days, 13 hours

1
0
0 0

[PATCH v3] riscv: hwprobe: Fix stale vDSO data for late-initialized keys at boot

by Jingwei Wang

The riscv_hwprobe vDSO data is populated by init_hwprobe_vdso_data(), an arch_initcall_sync. However, underlying data for some keys, like RISCV_HWPROBE_KEY_MISALIGNED_VECTOR_PERF, is determined asynchronously. Specifically, the per_cpu(vector_misaligned_access, cpu) values are set by the vec_check_unaligned_access_speed_all_cpus kthread. This kthread is spawned by an earlier arch_initcall (check_unaligned_access_all_cpus) and may complete its benchmark *after* init_hwprobe_vdso_data() has already populated the vDSO with default/stale values. So, refresh the vDSO data for specified keys (e.g., MISALIGNED_VECTOR_PERF) ensuring it reflects the final boot-time values. Test by comparing vDSO and syscall results for affected keys (e.g., MISALIGNED_VECTOR_PERF), which now match their final boot-time values. Reported-by: Tsukasa OI <research_trasio(a)irq.a4lg.com> Closes: https://lore.kernel.org/linux-riscv/760d637b-b13b-4518-b6bf-883d55d44e7f@ir… Fixes: e7c9d66e313b ("RISC-V: Report vector unaligned access speed hwprobe") Cc: stable(a)vger.kernel.org Reviewed-by: Yanteng Si <si.yanteng(a)linux.dev> Reviewed-by: Jesse Taube <jesse(a)rivosinc.com> Signed-off-by: Jingwei Wang <wangjingwei(a)iscas.ac.cn> --- Changes in v3: - Retained existing blank line. Changes in v2: - Addressed feedback from Yixun's regarding #ifdef CONFIG_MMU usage. - Updated commit message to provide a high-level summary. - Added Fixes tag for commit e7c9d66e313b. v1: https://lore.kernel.org/linux-riscv/20250521052754.185231-1-wangjingwei@isc… arch/riscv/include/asm/hwprobe.h | 6 ++++++ arch/riscv/kernel/sys_hwprobe.c | 16 ++++++++++++++++ arch/riscv/kernel/unaligned_access_speed.c | 1 + 3 files changed, 23 insertions(+) diff --git a/arch/riscv/include/asm/hwprobe.h b/arch/riscv/include/asm/hwprobe.h index 1f690fea0e03de6a..58dc847d86c7f2b0 100644 --- a/arch/riscv/include/asm/hwprobe.h +++ b/arch/riscv/include/asm/hwprobe.h @@ -40,4 +40,10 @@ static inline bool riscv_hwprobe_pair_cmp(struct riscv_hwprobe *pair, return pair->value == other_pair->value; } +#ifdef CONFIG_MMU +void riscv_hwprobe_vdso_sync(__s64 sync_key); +#else +static inline void riscv_hwprobe_vdso_sync(__s64 sync_key) { }; +#endif /* CONFIG_MMU */ + #endif diff --git a/arch/riscv/kernel/sys_hwprobe.c b/arch/riscv/kernel/sys_hwprobe.c index 249aec8594a92a80..2e3e612b7ac6fd57 100644 --- a/arch/riscv/kernel/sys_hwprobe.c +++ b/arch/riscv/kernel/sys_hwprobe.c @@ -17,6 +17,7 @@ #include <asm/vector.h> #include <asm/vendor_extensions/thead_hwprobe.h> #include <vdso/vsyscall.h> +#include <vdso/datapage.h> static void hwprobe_arch_id(struct riscv_hwprobe *pair, @@ -500,6 +501,21 @@ static int __init init_hwprobe_vdso_data(void) arch_initcall_sync(init_hwprobe_vdso_data); +void riscv_hwprobe_vdso_sync(__s64 sync_key) +{ + struct vdso_arch_data *avd = vdso_k_arch_data; + struct riscv_hwprobe pair; + + pair.key = sync_key; + hwprobe_one_pair(&pair, cpu_online_mask); + /* + * Update vDSO data for the given key. + * Currently for non-ID key updates (e.g. MISALIGNED_VECTOR_PERF), + * so 'homogeneous_cpus' is not re-evaluated here. + */ + avd->all_cpu_hwprobe_values[sync_key] = pair.value; +} + #endif /* CONFIG_MMU */ SYSCALL_DEFINE5(riscv_hwprobe, struct riscv_hwprobe __user *, pairs, diff --git a/arch/riscv/kernel/unaligned_access_speed.c b/arch/riscv/kernel/unaligned_access_speed.c index 585d2dcf2dab1ccb..a2cdb396ff823720 100644 --- a/arch/riscv/kernel/unaligned_access_speed.c +++ b/arch/riscv/kernel/unaligned_access_speed.c @@ -375,6 +375,7 @@ static void check_vector_unaligned_access(struct work_struct *work __always_unus static int __init vec_check_unaligned_access_speed_all_cpus(void *unused __always_unused) { schedule_on_each_cpu(check_vector_unaligned_access); + riscv_hwprobe_vdso_sync(RISCV_HWPROBE_KEY_MISALIGNED_VECTOR_PERF); return 0; } -- 2.49.0

5 days, 16 hours

2
1
0 0

[tip: x86/urgent] x86/virt/tdx: Avoid indirect calls to TDX assembly functions

by tip-bot2 for Kai Huang

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 0b3bc018e86afdc0cbfef61328c63d5c08f8b370 Gitweb: https://git.kernel.org/tip/0b3bc018e86afdc0cbfef61328c63d5c08f8b370 Author: Kai Huang <kai.huang(a)intel.com> AuthorDate: Sat, 07 Jun 2025 01:07:37 +12:00 Committer: Dave Hansen <dave.hansen(a)linux.intel.com> CommitterDate: Tue, 10 Jun 2025 12:32:52 -07:00 x86/virt/tdx: Avoid indirect calls to TDX assembly functions Two 'static inline' TDX helper functions (sc_retry() and sc_retry_prerr()) take function pointer arguments which refer to assembly functions. Normally, the compiler inlines the TDX helper, realizes that the function pointer targets are completely static -- thus can be resolved at compile time -- and generates direct call instructions. But, other times (like when CONFIG_CC_OPTIMIZE_FOR_SIZE=y), the compiler declines to inline the helpers and will instead generate indirect call instructions. Indirect calls to assembly functions require special annotation (for various Control Flow Integrity mechanisms). But TDX assembly functions lack the special annotations and can only be called directly. Annotate both the helpers as '__always_inline' to prod the compiler into maintaining the direct calls. There is no guarantee here, but Peter has volunteered to report the compiler bug if this assumption ever breaks[1]. Fixes: 1e66a7e27539 ("x86/virt/tdx: Handle SEAMCALL no entropy error in common code") Fixes: df01f5ae07dd ("x86/virt/tdx: Add SEAMCALL error printing for module initialization") Signed-off-by: Kai Huang <kai.huang(a)intel.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/lkml/20250605145914.GW39944@noisy.programming.kicks… [1] Link: https://lore.kernel.org/all/20250606130737.30713-1-kai.huang%40intel.com --- arch/x86/include/asm/tdx.h | 2 +- arch/x86/virt/vmx/tdx/tdx.c | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/arch/x86/include/asm/tdx.h b/arch/x86/include/asm/tdx.h index 8b19294..7ddef3a 100644 --- a/arch/x86/include/asm/tdx.h +++ b/arch/x86/include/asm/tdx.h @@ -106,7 +106,7 @@ void tdx_init(void); typedef u64 (*sc_func_t)(u64 fn, struct tdx_module_args *args); -static inline u64 sc_retry(sc_func_t func, u64 fn, +static __always_inline u64 sc_retry(sc_func_t func, u64 fn, struct tdx_module_args *args) { int retry = RDRAND_RETRY_LOOPS; diff --git a/arch/x86/virt/vmx/tdx/tdx.c b/arch/x86/virt/vmx/tdx/tdx.c index 2457d13..c7a9a08 100644 --- a/arch/x86/virt/vmx/tdx/tdx.c +++ b/arch/x86/virt/vmx/tdx/tdx.c @@ -75,8 +75,9 @@ static inline void seamcall_err_ret(u64 fn, u64 err, args->r9, args->r10, args->r11); } -static inline int sc_retry_prerr(sc_func_t func, sc_err_func_t err_func, - u64 fn, struct tdx_module_args *args) +static __always_inline int sc_retry_prerr(sc_func_t func, + sc_err_func_t err_func, + u64 fn, struct tdx_module_args *args) { u64 sret = sc_retry(func, fn, args);

5 days, 16 hours

1
0
0 0

[REGRESSION][stable v6.14] AMD GPU init failure in v6.14.10 – revert needed for commit c53f23f7075c9f63f14d7ec8f2cc3e33e118d986

by msk

Hi all, #regzbot introduced: c53f23f7075c9f63f14d7ec8f2cc3e33e118d986 **Summary** A regression introduced in **v6.14.10** breaks AMD GPU initialization on RX 9070 XT system due to commit c53f23f7… (“drm/amd/display: check stream id dml21 wrapper…”). Reverting this commit restores proper graphical startup. dmesg output before revert [ 2.699091] ACPI: bus type drm_connector registered [ 2.699734] xhci_hcd 0000:02:00.0: xHCI Host Controller [ 2.699740] xhci_hcd 0000:02:00.0: new USB bus registered, assigned bus number 1 [ 2.755165] xhci_hcd 0000:02:00.0: hcc params 0x0200ef81 hci version 0x110 quirks 0x0000000000000010 [ 2.755445] xhci_hcd 0000:02:00.0: xHCI Host Controller [ 2.755448] xhci_hcd 0000:02:00.0: new USB bus registered, assigned bus number 2 [ 2.755450] xhci_hcd 0000:02:00.0: Host supports USB 3.1 Enhanced SuperSpeed [ 2.755511] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002, bcdDevice= 6.14 [ 2.755512] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1 [ 2.755514] usb usb1: Product: xHCI Host Controller [ 2.755515] usb usb1: Manufacturer: Linux 6.14.10-x64v3-xanmod1 xhci-hcd [ 2.755517] usb usb1: SerialNumber: 0000:02:00.0 [ 2.755613] hub 1-0:1.0: USB hub found [ 2.755629] hub 1-0:1.0: 10 ports detected [ 2.755952] usb usb2: We don't know the algorithms for LPM for this host, disabling LPM. [ 2.755973] usb usb2: New USB device found, idVendor=1d6b, idProduct=0003, bcdDevice= 6.14 [ 2.755975] usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1 [ 2.755976] usb usb2: Product: xHCI Host Controller [ 2.755978] usb usb2: Manufacturer: Linux 6.14.10-x64v3-xanmod1 xhci-hcd [ 2.755979] usb usb2: SerialNumber: 0000:02:00.0 [ 2.756056] hub 2-0:1.0: USB hub found [ 2.756065] hub 2-0:1.0: 4 ports detected [ 2.756274] xhci_hcd 0000:0a:00.3: xHCI Host Controller [ 2.756278] xhci_hcd 0000:0a:00.3: new USB bus registered, assigned bus number 3 [ 2.756384] xhci_hcd 0000:0a:00.3: hcc params 0x0278ffe5 hci version 0x110 quirks 0x0000000000000010 [ 2.756622] xhci_hcd 0000:0a:00.3: xHCI Host Controller [ 2.756624] xhci_hcd 0000:0a:00.3: new USB bus registered, assigned bus number 4 [ 2.756626] xhci_hcd 0000:0a:00.3: Host supports USB 3.1 Enhanced SuperSpeed [ 2.756657] usb usb3: New USB device found, idVendor=1d6b, idProduct=0002, bcdDevice= 6.14 [ 2.756659] usb usb3: New USB device strings: Mfr=3, Product=2, SerialNumber=1 [ 2.756660] usb usb3: Product: xHCI Host Controller [ 2.756661] usb usb3: Manufacturer: Linux 6.14.10-x64v3-xanmod1 xhci-hcd [ 2.756663] usb usb3: SerialNumber: 0000:0a:00.3 [ 2.756748] hub 3-0:1.0: USB hub found [ 2.756756] hub 3-0:1.0: 4 ports detected [ 2.756903] usb usb4: We don't know the algorithms for LPM for this host, disabling LPM. [ 2.756924] usb usb4: New USB device found, idVendor=1d6b, idProduct=0003, bcdDevice= 6.14 [ 2.756926] usb usb4: New USB device strings: Mfr=3, Product=2, SerialNumber=1 [ 2.756927] usb usb4: Product: xHCI Host Controller [ 2.756928] usb usb4: Manufacturer: Linux 6.14.10-x64v3-xanmod1 xhci-hcd [ 2.756929] usb usb4: SerialNumber: 0000:0a:00.3 [ 2.757008] hub 4-0:1.0: USB hub found [ 2.757015] hub 4-0:1.0: 4 ports detected [ 2.757180] usbcore: registered new interface driver usbserial_generic [ 2.757184] usbserial: USB Serial support registered for generic [ 2.757253] rtc_cmos 00:02: RTC can wake from S4 [ 2.757465] rtc_cmos 00:02: registered as rtc0 [ 2.757494] rtc_cmos 00:02: setting system clock to 2025-06-10T13:46:18 UTC (1749563178) [ 2.757517] rtc_cmos 00:02: alarms up to one month, y3k, 114 bytes nvram [ 2.793080] simple-framebuffer simple-framebuffer.0: [drm] Registered 1 planes with drm panic [ 2.793082] [drm] Initialized simpledrm 1.0.0 for simple-framebuffer.0 on minor 0 [ 2.796240] fbcon: Deferring console take-over [ 2.796241] simple-framebuffer simple-framebuffer.0: [drm] fb0: simpledrmdrmfb frame buffer device dmesg output after revert [ 2.634779] ata1: SATA max UDMA/133 abar m131072@0xfcc80000 port 0xfcc80100 irq 40 lpm-pol 0 [ 2.634782] ata2: SATA max UDMA/133 abar m131072@0xfcc80000 port 0xfcc80180 irq 40 lpm-pol 0 [ 2.634785] ata3: SATA max UDMA/133 abar m131072@0xfcc80000 port 0xfcc80200 irq 40 lpm-pol 0 [ 2.634787] ata4: SATA max UDMA/133 abar m131072@0xfcc80000 port 0xfcc80280 irq 40 lpm-pol 0 [ 2.634789] ata5: SATA max UDMA/133 abar m131072@0xfcc80000 port 0xfcc80300 irq 40 lpm-pol 0 [ 2.634791] ata6: SATA max UDMA/133 abar m131072@0xfcc80000 port 0xfcc80380 irq 40 lpm-pol 0 [ 2.634848] ACPI: bus type drm_connector registered [ 2.634869] [drm] amdgpu kernel modesetting enabled. [ 2.644006] amdgpu: Virtual CRAT table created for CPU [ 2.644017] amdgpu: Topology: Add CPU node [ 2.644089] amdgpu 0000:08:00.0: enabling device (0006 -> 0007) [ 2.644120] [drm] initializing kernel modesetting (IP DISCOVERY 0x1002:0x7550 0x1EAE:0x8811 0xC0). [ 2.644128] [drm] register mmio base: 0xFCD00000 [ 2.644129] [drm] register mmio size: 524288 [ 2.648358] amdgpu 0000:08:00.0: amdgpu: detected ip block number 0 <soc24_common> [ 2.648360] amdgpu 0000:08:00.0: amdgpu: detected ip block number 1 <gmc_v12_0> [ 2.648362] amdgpu 0000:08:00.0: amdgpu: detected ip block number 2 <ih_v7_0> [ 2.648364] amdgpu 0000:08:00.0: amdgpu: detected ip block number 3 <psp> [ 2.648365] amdgpu 0000:08:00.0: amdgpu: detected ip block number 4 <smu> [ 2.648366] amdgpu 0000:08:00.0: amdgpu: detected ip block number 5 <dm> [ 2.648368] amdgpu 0000:08:00.0: amdgpu: detected ip block number 6 <gfx_v12_0> [ 2.648369] amdgpu 0000:08:00.0: amdgpu: detected ip block number 7 <sdma_v7_0> [ 2.648370] amdgpu 0000:08:00.0: amdgpu: detected ip block number 8 <vcn_v5_0_0> [ 2.648372] amdgpu 0000:08:00.0: amdgpu: detected ip block number 9 <jpeg_v5_0_0> [ 2.648373] amdgpu 0000:08:00.0: amdgpu: detected ip block number 10 <mes_v12_0> [ 2.648383] amdgpu 0000:08:00.0: amdgpu: Fetched VBIOS from VFCT [ 2.648385] amdgpu: ATOM BIOS: 113-EXT108832-100 [ 2.659806] amdgpu 0000:08:00.0: vgaarb: deactivate vga console [ 2.659809] amdgpu 0000:08:00.0: amdgpu: Trusted Memory Zone (TMZ) feature not supported [ 2.659830] amdgpu 0000:08:00.0: amdgpu: MEM ECC is not presented. [ 2.659831] amdgpu 0000:08:00.0: amdgpu: SRAM ECC is not presented. [ 2.659845] [drm] vm size is 262144 GB, 4 levels, block size is 9-bit, fragment size is 9-bit [ 2.659850] amdgpu 0000:08:00.0: amdgpu: VRAM: 16304M 0x0000008000000000 - 0x00000083FAFFFFFF (16304M used) [ 2.659852] amdgpu 0000:08:00.0: amdgpu: GART: 512M 0x0000000000000000 - 0x000000001FFFFFFF [ 2.659856] [drm] Detected VRAM RAM=16304M, BAR=16384M [ 2.659858] [drm] RAM width 256bits GDDR6 [ 2.659915] [drm] amdgpu: 16304M of VRAM memory ready [ 2.659916] [drm] amdgpu: 15990M of GTT memory ready. [ 2.659926] [drm] GART: num cpu pages 131072, num gpu pages 131072 [ 2.659998] amdgpu 0000:08:00.0: amdgpu: PCIE GART of 512M enabled (table at 0x00000083DAB00000). [ 2.660416] [drm] Loading DMUB firmware via PSP: version=0x00010300 [ 2.660749] [drm] Found VCN firmware Version ENC: 1.7 DEC: 9 VEP: 0 Revision: 19 [ 2.895324] amdgpu 0000:08:00.0: amdgpu: RAP: optional rap ta ucode is not available [ 2.895327] amdgpu 0000:08:00.0: amdgpu: SECUREDISPLAY: securedisplay ta ucode is not available [ 2.895357] amdgpu 0000:08:00.0: amdgpu: smu driver if version = 0x0000002e, smu fw if version = 0x00000032, smu fw program = 0, smu fw version = 0x00684400 (104.68.0) [ 2.895360] amdgpu 0000:08:00.0: amdgpu: SMU driver if version not matched [ 2.934857] amdgpu 0000:08:00.0: amdgpu: SMU is initialized successfully! [ 2.935596] [drm] Display Core v3.2.316 initialized on DCN 4.0.1 [ 2.935598] [drm] DP-HDMI FRL PCON supported [ 2.939115] [drm] DMUB hardware initialized: version=0x00010300 [ 2.942565] ata1: SATA link down (SStatus 0 SControl 300) [ 3.233092] amdgpu 0000:08:00.0: amdgpu: program CP_MES_CNTL : 0x4000000 [ 3.233097] amdgpu 0000:08:00.0: amdgpu: program CP_MES_CNTL : 0xc000000 [ 3.293410] amdgpu: HMM registered 16304MB device memory [ 3.294762] kfd kfd: amdgpu: Allocated 3969056 bytes on gart [ 3.294771] kfd kfd: amdgpu: Total number of KFD nodes to be created: 1 [ 3.294806] amdgpu: Virtual CRAT table created for GPU [ 3.294972] amdgpu: Topology: Add dGPU node [0x7550:0x1002] [ 3.294974] kfd kfd: amdgpu: added device 1002:7550 [ 3.294983] amdgpu 0000:08:00.0: amdgpu: SE 4, SH per SE 2, CU per SH 8, active_cu_number 64 [ 3.294986] amdgpu 0000:08:00.0: amdgpu: ring gfx_0.0.0 uses VM inv eng 0 on hub 0 [ 3.294987] amdgpu 0000:08:00.0: amdgpu: ring comp_1.0.0 uses VM inv eng 1 on hub 0 [ 3.294989] amdgpu 0000:08:00.0: amdgpu: ring comp_1.1.0 uses VM inv eng 4 on hub 0 [ 3.294990] amdgpu 0000:08:00.0: amdgpu: ring comp_1.0.1 uses VM inv eng 6 on hub 0 [ 3.294991] amdgpu 0000:08:00.0: amdgpu: ring comp_1.1.1 uses VM inv eng 7 on hub 0 [ 3.294993] amdgpu 0000:08:00.0: amdgpu: ring sdma0 uses VM inv eng 8 on hub 0 [ 3.294994] amdgpu 0000:08:00.0: amdgpu: ring sdma1 uses VM inv eng 9 on hub 0 [ 3.294995] amdgpu 0000:08:00.0: amdgpu: ring vcn_unified_0 uses VM inv eng 0 on hub 8 [ 3.294997] amdgpu 0000:08:00.0: amdgpu: ring jpeg_dec uses VM inv eng 1 on hub 8 [ 3.296713] [drm] ring gfx_32768.1.1 was added [ 3.296874] [drm] ring compute_32768.2.2 was added [ 3.297032] [drm] ring sdma_32768.3.3 was added [ 3.297075] [drm] ring gfx_32768.1.1 ib test pass [ 3.297119] [drm] ring compute_32768.2.2 ib test pass [ 3.297157] [drm] ring sdma_32768.3.3 ib test pass [ 3.299782] amdgpu 0000:08:00.0: amdgpu: Using BACO for runtime pm [ 3.300156] amdgpu 0000:08:00.0: [drm] Registered 4 planes with drm panic [ 3.300158] [drm] Initialized amdgpu 3.61.0 for 0000:08:00.0 on minor 0 [ 3.328171] fbcon: amdgpudrmfb (fb0) is primary device [ 3.328173] fbcon: Deferring console take-over [ 3.328175] amdgpu 0000:08:00.0: [drm] fb0: amdgpudrmfb frame buffer device I am aware that this issue pertains to the XanMod kernel. However, upon reviewing the commits, there is no indication that it is a downstream issue. I attempted to confirm this regression by building the kernel from the Git repository, but my limited skills and knowledge proved insufficient. Please review this regression and consider reverting the commit from the stable 6.14 and 6.15 branches - or propose an alternate patch. Thanks & Regards, Marcin Kryzak

5 days, 18 hours

1
0
0 0

[PATCH] HID: lenovo: Restrict F7/9/11 mode to compact keyboards only

by Iusico Maxim

Commit 2f2bd7cbd1d1 ("hid: lenovo: Resend all settings on reset_resume for compact keyboards") introduced a regression for ThinkPad TrackPoint Keyboard II by removing the conditional check for enabling F7/9/11 mode needed for compact keyboards only. As a result, the non-compact keyboards can no longer toggle Fn-lock via Fn+Esc, although it can be controlled via sysfs knob that directly sends raw commands. This patch restores the previous conditional check without any additions. Cc: stable(a)vger.kernel.org Fixes: 2f2bd7cbd1d1 ("hid: lenovo: Resend all settings on reset_resume for compact keyboards") Signed-off-by: Iusico Maxim <iusico.maxim(a)libero.it> --- drivers/hid/hid-lenovo.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/hid/hid-lenovo.c b/drivers/hid/hid-lenovo.c index af29ba84052..a3c23a72316 100644 --- a/drivers/hid/hid-lenovo.c +++ b/drivers/hid/hid-lenovo.c @@ -548,11 +548,14 @@ static void lenovo_features_set_cptkbd(struct hid_device *hdev) /* * Tell the keyboard a driver understands it, and turn F7, F9, F11 into - * regular keys + * regular keys (Compact only) */ - ret = lenovo_send_cmd_cptkbd(hdev, 0x01, 0x03); - if (ret) - hid_warn(hdev, "Failed to switch F7/9/11 mode: %d\n", ret); + if (hdev->product == USB_DEVICE_ID_LENOVO_CUSBKBD || + hdev->product == USB_DEVICE_ID_LENOVO_CBTKBD) { + ret = lenovo_send_cmd_cptkbd(hdev, 0x01, 0x03); + if (ret) + hid_warn(hdev, "Failed to switch F7/9/11 mode: %d\n", ret); + } /* Switch middle button to native mode */ ret = lenovo_send_cmd_cptkbd(hdev, 0x09, 0x01); -- 2.48.1

5 days, 18 hours

2
1
0 0

[RFC PATCH 5.10 00/16] ITS mitigation for 5.10

by Pawan Gupta

This is the backport for Indirect Target Selection(ITS) mitigation for 5.10. This is only boot tested, so sending it as an RFC for now. I hope some bot picks this up for some at-scale testing. Meanwhile I am doing basic tests around ITS mitigation. In addition to commits in 5.15 ITS backport, below commits are required to make the ITS mitigation work on 5.10. These are the prime target of scrutiny: x86/alternatives: Teach text_poke_bp() to patch Jcc.d32 instructions x86/alternatives: Introduce int3_emulate_jcc() x86/bhi: Define SPEC_CTRL_BHI_DIS_S --- Borislav Petkov (AMD) (1): x86/alternative: Optimize returns patching Daniel Sneddon (1): x86/bhi: Define SPEC_CTRL_BHI_DIS_S Eric Biggers (1): x86/its: Fix build errors when CONFIG_MODULES=n Josh Poimboeuf (1): x86/alternatives: Remove faulty optimization Pawan Gupta (7): Documentation: x86/bugs/its: Add ITS documentation x86/its: Enumerate Indirect Target Selection (ITS) bug x86/its: Add support for ITS-safe indirect thunk x86/its: Add support for ITS-safe return thunk x86/its: Fix undefined reference to cpu_wants_rethunk_at() x86/its: Enable Indirect Target Selection mitigation x86/its: Add "vmexit" option to skip mitigation on some CPUs Peter Zijlstra (4): x86/alternatives: Introduce int3_emulate_jcc() x86/alternatives: Teach text_poke_bp() to patch Jcc.d32 instructions x86/its: Use dynamic thunks for indirect branches x86/its: FineIBT-paranoid vs ITS Thomas Gleixner (1): x86/modules: Set VM_FLUSH_RESET_PERMS in module_alloc() Documentation/ABI/testing/sysfs-devices-system-cpu | 1 + Documentation/admin-guide/hw-vuln/index.rst | 1 + .../hw-vuln/indirect-target-selection.rst | 156 +++++++++++ Documentation/admin-guide/kernel-parameters.txt | 15 + arch/x86/Kconfig | 11 + arch/x86/include/asm/alternative.h | 26 ++ arch/x86/include/asm/cpufeatures.h | 6 +- arch/x86/include/asm/msr-index.h | 13 +- arch/x86/include/asm/nospec-branch.h | 11 + arch/x86/include/asm/text-patching.h | 31 +++ arch/x86/kernel/alternative.c | 308 ++++++++++++++++++++- arch/x86/kernel/cpu/bugs.c | 139 +++++++++- arch/x86/kernel/cpu/common.c | 63 ++++- arch/x86/kernel/cpu/scattered.c | 1 + arch/x86/kernel/ftrace.c | 4 +- arch/x86/kernel/kprobes/core.c | 39 +-- arch/x86/kernel/module.c | 14 +- arch/x86/kernel/static_call.c | 2 +- arch/x86/kernel/vmlinux.lds.S | 8 + arch/x86/kvm/x86.c | 4 +- arch/x86/lib/retpoline.S | 39 +++ arch/x86/net/bpf_jit_comp.c | 8 +- drivers/base/cpu.c | 8 + include/linux/cpu.h | 2 + include/linux/module.h | 5 + 25 files changed, 842 insertions(+), 73 deletions(-) --- base-commit: 01e7e36b8606e5d4fddf795938010f7bfa3aa277 change-id: 20250609-its-5-10-a656ce2e08ce Best regards, -- Pawan

5 days, 18 hours

1
16
0 0

Tulip 21142 panic on physical link disconnect

by Greg Chandler

This is a from-scratch build (non-vendor/non-distribution) Host/Target = alpha ev6 Kernel source = 6.12.12 My last working kernel on this was a 2.6.x, it's been a while since I've had time to bring this system up to date, so I don't know when this may have started. I had a 3.0.102 in there, but I didn't test the networking while using it. Please let me know what I can do to help out with figuring this one out. The kernel output: [ 0.692382] net eth0: Digital DS21142/43 Tulip rev 65 at MMIO 0xa120000, 08:00:2b:86:ab:b1, IRQ 29 [ 0.710937] net eth1: Digital DS21142/43 Tulip rev 65 at MMIO 0xa121000, 08:00:2b:86:a8:5b, IRQ 30 [ 0.989257] e1000 0000:00:10.0 eth2: (PCI:33MHz:64-bit) 00:02:b3:f3:e6:3d [ 0.990233] e1000 0000:00:10.0 eth2: Intel(R) PRO/1000 Network Connection [ 6.088864] tulip 0000:00:09.0 eth126: renamed from eth0 [ 6.103512] tulip 0000:00:09.0 rename_eth126: renamed from eth126 [ 6.164059] e1000 0000:00:10.0 eth124: renamed from eth2 [ 6.172848] e1000 0000:00:10.0 eth0: renamed from eth124 [ 6.207028] tulip 0000:00:09.0 eth2: renamed from rename_eth126 [ 18.957998] net eth2: Using user-specified media 10baseT-FDX [ 19.082021] net eth2: 21143 10baseT link beat good I attempted to set the interface to 100MB/FDX with mii-tool but didn't seem to be having any luck, so I disconnected the cord, and it dropped this immediately: [ 195.170798] ------------[ cut here ]------------ [ 195.170798] WARNING: CPU: 0 PID: 0 at kernel/time/timer.c:1657 __timer_delete_sync+0x104/0x120 [ 195.170798] Modules linked in: loop [ 195.170798] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.12.12 #4 [ 195.170798] fffffc0000c83ab0 fffffc0000388c94 fffffc0000326744 fffffc0000afbee8 [ 195.170798] 0000000000000000 fffffc0000388c94 fffffc00009e0d70 0000000000000000 [ 195.170798] fffffc0000afbee8 0000000000000679 fffffc0000388c94 0000000000000009 [ 195.170798] fffffc0000cf9100 0000000000000000 fffffc0000388c94 0000000000000000 [ 195.170798] fffffc00020e6000 fffffc00020e73d0 fffffffff0669000 fffffd000a120000 [ 195.170798] fffffc00007cff70 fffffc00024b5c00 0000000000000000 0000000000000122 [ 195.170798] Trace: [ 195.170798] [<fffffc0000388c94>] __timer_delete_sync+0x104/0x120 [ 195.170798] [<fffffc0000326744>] __warn+0x194/0x1a0 [ 195.170798] [<fffffc0000388c94>] __timer_delete_sync+0x104/0x120 [ 195.170798] [<fffffc00009e0d70>] warn_slowpath_fmt+0x84/0xf0 [ 195.170798] [<fffffc0000388c94>] __timer_delete_sync+0x104/0x120 [ 195.170798] [<fffffc0000388c94>] __timer_delete_sync+0x104/0x120 [ 195.170798] [<fffffc00007cff70>] usb_hcd_poll_rh_status+0x140/0x1a0 [ 195.170798] [<fffffc0000919a2c>] tcp_orphan_update+0x6c/0x90 [ 195.170798] [<fffffc000038be64>] timekeeping_update+0xd4/0x290 [ 195.170798] [<fffffc0000780fdc>] t21142_lnk_change+0x1bc/0x790 [ 195.170798] [<fffffc000077a890>] tulip_interrupt+0x280/0xac0 [ 195.170798] [<fffffc0000372b90>] __handle_irq_event_percpu+0x60/0x180 [ 195.170798] [<fffffc0000372d30>] handle_irq_event_percpu+0x80/0xa0 [ 195.170798] [<fffffc0000372d98>] handle_irq_event+0x48/0xe0 [ 195.170798] [<fffffc0000377af0>] handle_level_irq+0xc0/0x1f0 [ 195.170798] [<fffffc0000315300>] handle_irq+0x70/0xe0 [ 195.170798] [<fffffc000031d6c0>] dp264_srm_device_interrupt+0x30/0x50 [ 195.170798] [<fffffc00003153dc>] do_entInt+0x6c/0x1c0 [ 195.170798] [<fffffc0000310cc0>] ret_from_sys_call+0x0/0x10 [ 195.170798] [<fffffc000035c69c>] pick_task_fair+0x3c/0x100 [ 195.170798] [<fffffc000035d89c>] task_non_contending+0x6c/0x2a0 [ 195.170798] [<fffffc000035fc28>] do_idle+0x58/0x190 [ 195.170798] [<fffffc00009eda20>] cpu_idle_poll.isra.0+0x0/0x60 [ 195.170798] [<fffffc00009eda50>] cpu_idle_poll.isra.0+0x30/0x60 [ 195.170798] [<fffffc0000360058>] cpu_startup_entry+0x38/0x50 [ 195.170798] [<fffffc00009edbc8>] rest_init+0xe8/0xec [ 195.170798] [<fffffc000031001c>] _stext+0x1c/0x20 [ 195.170798] [<fffffc0000312460>] common_shutdown_1+0x0/0x150 [ 195.170798] ---[ end trace 0000000000000000 ]--- Kernel options that may be relevant: CONFIG_ALPHA_DP264=y CONFIG_NET_TULIP=y CONFIG_TULIP=y CONFIG_TULIP_MWI=y CONFIG_TULIP_MMIO=y CONFIG_TULIP_NAPI=y CONFIG_TULIP_NAPI_HW_MITIGATION=y Device info: root@bigbang:~# lspci -vvv |more 00:09.0 Ethernet controller: Digital Equipment Corporation DECchip 21142/43 (rev 41) Subsystem: Digital Equipment Corporation DE500B Fast Ethernet Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx- Latency: 255 (5000ns min, 10000ns max), Cache Line Size: 64 bytes Interrupt: pin A routed to IRQ 29 Region 0: I/O ports at 8400 [size=128] Region 1: Memory at 0a120000 (32-bit, non-prefetchable) [size=1K] Expansion ROM at 0a000000 [disabled] [size=256K] Kernel driver in use: tulip 00:0b.0 Ethernet controller: Digital Equipment Corporation DECchip 21142/43 (rev 41) Subsystem: Digital Equipment Corporation DE500B Fast Ethernet Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx- Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx- Latency: 255 (5000ns min, 10000ns max), Cache Line Size: 64 bytes Interrupt: pin A routed to IRQ 30 Region 0: I/O ports at 8480 [size=128] Region 1: Memory at 0a121000 (32-bit, non-prefetchable) [size=1K] Expansion ROM at 0a040000 [disabled] [size=256K] Kernel driver in use: tulip

5 days, 19 hours

2
3
0 0

[PATCH v2] tools/resolve_btfids: Fix build when cross compiling kernel with clang.

by Suleiman Souhlal

When cross compiling the kernel with clang, we need to override CLANG_CROSS_FLAGS when preparing the step libraries. Prior to commit d1d096312176 ("tools: fix annoying "mkdir -p ..." logs when building tools in parallel"), MAKEFLAGS would have been set to a value that wouldn't set a value for CLANG_CROSS_FLAGS, hiding the fact that we weren't properly overriding it. Cc: stable(a)vger.kernel.org Fixes: 56a2df7615fa ("tools/resolve_btfids: Compile resolve_btfids as host program") Signed-off-by: Suleiman Souhlal <suleiman(a)google.com> --- v2: - "Signed-off-by:" instead of "Signed-of-by". v1: https://lore.kernel.org/lkml/20250606052301.810338-1-suleiman@google.com/ --- tools/bpf/resolve_btfids/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/bpf/resolve_btfids/Makefile b/tools/bpf/resolve_btfids/Makefile index afbddea3a39c..ce1b556dfa90 100644 --- a/tools/bpf/resolve_btfids/Makefile +++ b/tools/bpf/resolve_btfids/Makefile @@ -17,7 +17,7 @@ endif # Overrides for the prepare step libraries. HOST_OVERRIDES := AR="$(HOSTAR)" CC="$(HOSTCC)" LD="$(HOSTLD)" ARCH="$(HOSTARCH)" \ - CROSS_COMPILE="" EXTRA_CFLAGS="$(HOSTCFLAGS)" + CROSS_COMPILE="" CLANG_CROSS_FLAGS="" EXTRA_CFLAGS="$(HOSTCFLAGS)" RM ?= rm HOSTCC ?= gcc -- 2.50.0.rc0.642.g800a2b2222-goog

5 days, 21 hours

3
2
0 0

Re: [PATCH net] netrom: fix possible deadlock in nr_rt_device_down

by Jakub Kicinski

On Mon, 9 Jun 2025 16:16:32 -0700 David Ranch wrote: > I'm not sure what you mean by "the only user of this code". There are > many people using the Linux AX.25 + NETROM stack but we unfortunately > don't have a active kernel maintainer for this code today. Alright, sorry. Either way - these locks are not performance critical for you, right?

5 days, 21 hours

3
3
0 0

RE: Patch "Drivers: hv: Always select CONFIG_SYSFB for Hyper-V guests" has been added to the 6.15-stable tree

by Michael Kelley

From: Sasha Levin <sashal(a)kernel.org> > > This is a note to let you know that I've just added the patch titled > > Drivers: hv: Always select CONFIG_SYSFB for Hyper-V guests > > to the 6.15-stable tree which can be found at: > > https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git > > The filename of the patch is: > drivers-hv-always-select-config_sysfb-for-hyper-v-gu.patch > and it can be found in the queue-6.15 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Please DO NOT backport this patch to ANY stable trees, at least not at the moment. It is causing a config problem that we're trying to work out. Once the resolution is decided upon, we can figure out what to backport. Thanks, Michael Kelley > > > > commit 9766859ee9884c35dde0411df167a06452fee3ce > Author: Michael Kelley <mhklinux(a)outlook.com> > Date: Mon May 19 21:01:43 2025 -0700 > > Drivers: hv: Always select CONFIG_SYSFB for Hyper-V guests > > [ Upstream commit 96959283a58d91ae20d025546f00e16f0a555208 ] > > The Hyper-V host provides guest VMs with a range of MMIO addresses > that guest VMBus drivers can use. The VMBus driver in Linux manages > that MMIO space, and allocates portions to drivers upon request. As > part of managing that MMIO space in a Generation 2 VM, the VMBus > driver must reserve the portion of the MMIO space that Hyper-V has > designated for the synthetic frame buffer, and not allocate this > space to VMBus drivers other than graphics framebuffer drivers. The > synthetic frame buffer MMIO area is described by the screen_info data > structure that is passed to the Linux kernel at boot time, so the > VMBus driver must access screen_info for Generation 2 VMs. (In > Generation 1 VMs, the framebuffer MMIO space is communicated to > the guest via a PCI pseudo-device, and access to screen_info is > not needed.) > > In commit a07b50d80ab6 ("hyperv: avoid dependency on screen_info") > the VMBus driver's access to screen_info is restricted to when > CONFIG_SYSFB is enabled. CONFIG_SYSFB is typically enabled in kernels > built for Hyper-V by virtue of having at least one of CONFIG_FB_EFI, > CONFIG_FB_VESA, or CONFIG_SYSFB_SIMPLEFB enabled, so the restriction > doesn't usually affect anything. But it's valid to have none of these > enabled, in which case CONFIG_SYSFB is not enabled, and the VMBus driver > is unable to properly reserve the framebuffer MMIO space for graphics > framebuffer drivers. The framebuffer MMIO space may be assigned to > some other VMBus driver, with undefined results. As an example, if > a VM is using a PCI pass-thru NVMe controller to host the OS disk, > the PCI NVMe controller is probed before any graphics devices, and the > NVMe controller is assigned a portion of the framebuffer MMIO space. > Hyper-V reports an error to Linux during the probe, and the OS disk > fails to get setup. Then Linux fails to boot in the VM. > > Fix this by having CONFIG_HYPERV always select SYSFB. Then the > VMBus driver in a Gen 2 VM can always reserve the MMIO space for the > graphics framebuffer driver, and prevent the undefined behavior. But > don't select SYSFB when building for HYPERV_VTL_MODE as VTLs other > than VTL 0 don't have a framebuffer and aren't subject to the issue. > Adding SYSFB in such cases is harmless, but would increase the image > size for no purpose. > > Fixes: a07b50d80ab6 ("hyperv: avoid dependency on screen_info") > Signed-off-by: Michael Kelley <mhklinux(a)outlook.com> > Reviewed-by: Saurabh Sengar <ssengar(a)linux.microsoft.com> > Link: > https://lore.kernel.org/st > able%2F20250520040143.6964-1- > mhklinux%2540outlook.com&data=05%7C02%7C%7C516ef64661c145eb315d08dda81861 > 51%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638851544842065319%7CUn > known%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXa > W4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=FZnrM9REMICWp > JqW88gD7CxeTwcztS2y8%2B8GqHNtF3E%3D&reserved=0 > Link: > https://lore.kernel.org/r%25 > 2F20250520040143.6964-1- > mhklinux%40outlook.com&data=05%7C02%7C%7C516ef64661c145eb315d08dda8186151 > %7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638851544842081386%7CUnkn > own%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4 > zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=j%2F5AvOlxwTKfVUL > vmNr%2FZliwRVrd9rSlVECyFGqFErE%3D&reserved=0 > Signed-off-by: Wei Liu <wei.liu(a)kernel.org> > Message-ID: <20250520040143.6964-1-mhklinux(a)outlook.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/drivers/hv/Kconfig b/drivers/hv/Kconfig > index 6c1416167bd2e..724fc08a73e70 100644 > --- a/drivers/hv/Kconfig > +++ b/drivers/hv/Kconfig > @@ -9,6 +9,7 @@ config HYPERV > select PARAVIRT > select X86_HV_CALLBACK_VECTOR if X86 > select OF_EARLY_FLATTREE if OF > + select SYSFB if !HYPERV_VTL_MODE > help > Select this option to run Linux as a Hyper-V client operating > system.

5 days, 22 hours

1
0
0 0

WTS Available laptops and Memory

by Exceptional One PC

Hello, Looking for a buyer to move any of the following Items located in USA. Used MICRON SSD 7300 PRO 3.84TB U.2 HTFDHBE3T8TDF SSD 2.5" NVMe 3480GB Quantity 400, price $100 EACH 005052112 _ 7.68TB HDD -$200 PER w/ caddies refurbished Quantity 76, price $100 Brand New CISCO C9300-48UXM-E Available 5 $2000 EACH Brand New C9200L-48T-4X-E $1,200 EACH QTY4 HP 1040G3 Elite Book Folio Processor :- Intel Core i5 ◻Processor :- Intel Core i5 ◻Generation :- 6th ◻RAM :- 16GB ◻Storage :- 256G SSD ◻Display :- 14 inch" Touch Screen QTY 340 $90 EA SK HYNIX 16GB 2RX4 PC4 - 2133P-RAO-10 HMA42GR7AFR4N-TF TD AB 1526 QTY560 $20 EA Xeon Gold 6442Y (60M Cache, 2.60 GHz) PK8071305120500 QTY670 700 each SAMSUNG 64GB 4DRX4 PC4-2666V-LD2-12-MAO M386A8K40BM2-CTD60 S QTY 320 $42 each Brand New CISCO C9300-48UXM-E Available 5 $2500 EACH Core i3-1315U (10M Cache, up to 4.50 GHz) FJ8071505258601 QTY50 $80 EA Intel Xeon Gold 5418Y Processors QTY28 $780 each Brand New C9200L-48T-4X-E $1000 EACH QTY4 Brand New Gigabyte NVIDIA GeForce RTX 5090 AORUS MASTER OC Graphics Card GPU 32GB GDDR7 QTY50 $1,300 Brand New N9K-C93108TC-FX-24 Nexus 9300-FX w/ 24p 100M/1/10GT & 6p 40/100G Available 4 $3000 each Brand New NVIDIA GeForce RTX 4090 Founders Edition 24GB - QTY: 56 - $700 each Charles Lawson Exceptional One PC 3645 Central Ave, Riverside CA 92506, United States www.exceptionalonepc.com info(a)exceptionalonepc.com Office: (951)-556-3104

5 days, 23 hours

1
0
0 0

[PATCH v4 01/10] platform/x86/intel/pmt: fix a crashlog NULL pointer access

by Michael J. Ruhl

Usage of the intel_pmt_read() for binary sysfs, requires a pcidev. The current use of the endpoint value is only valid for telemetry endpoint usage. Without the ep, the crashlog usage causes the following NULL pointer exception: BUG: kernel NULL pointer dereference, address: 0000000000000000 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:intel_pmt_read+0x3b/0x70 [pmt_class] Code: Call Trace: <TASK> ? sysfs_kf_bin_read+0xc0/0xe0 kernfs_fop_read_iter+0xac/0x1a0 vfs_read+0x26d/0x350 ksys_read+0x6b/0xe0 __x64_sys_read+0x1d/0x30 x64_sys_call+0x1bc8/0x1d70 do_syscall_64+0x6d/0x110 Augment the inte_pmt_entry to include the pcidev to allow for access to the pcidev and avoid the NULL pointer exception. Fixes: 416eeb2e1fc7 ("platform/x86/intel/pmt: telemetry: Export API to read telemetry") Cc: <stable(a)vger.kernel.org> Signed-off-by: Michael J. Ruhl <michael.j.ruhl(a)intel.com> --- drivers/platform/x86/intel/pmt/class.c | 3 ++- drivers/platform/x86/intel/pmt/class.h | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/platform/x86/intel/pmt/class.c b/drivers/platform/x86/intel/pmt/class.c index 7233b654bbad..d046e8752173 100644 --- a/drivers/platform/x86/intel/pmt/class.c +++ b/drivers/platform/x86/intel/pmt/class.c @@ -97,7 +97,7 @@ intel_pmt_read(struct file *filp, struct kobject *kobj, if (count > entry->size - off) count = entry->size - off; - count = pmt_telem_read_mmio(entry->ep->pcidev, entry->cb, entry->header.guid, buf, + count = pmt_telem_read_mmio(entry->pcidev, entry->cb, entry->header.guid, buf, entry->base, off, count); return count; @@ -252,6 +252,7 @@ static int intel_pmt_populate_entry(struct intel_pmt_entry *entry, return -EINVAL; } + entry->pcidev = pci_dev; entry->guid = header->guid; entry->size = header->size; entry->cb = ivdev->priv_data; diff --git a/drivers/platform/x86/intel/pmt/class.h b/drivers/platform/x86/intel/pmt/class.h index b2006d57779d..f6ce80c4e051 100644 --- a/drivers/platform/x86/intel/pmt/class.h +++ b/drivers/platform/x86/intel/pmt/class.h @@ -39,6 +39,7 @@ struct intel_pmt_header { struct intel_pmt_entry { struct telem_endpoint *ep; + struct pci_dev *pcidev; struct intel_pmt_header header; struct bin_attribute pmt_bin_attr; struct kobject *kobj; -- 2.49.0

5 days, 23 hours

1
0
0 0

[PATCH] ASoC: sdw_utils: Fix potential NULL pointer deref in is_sdca_endpoint_present()

by Thorsten Blum

Check the return value of kzalloc() and exit early to avoid a potential NULL pointer dereference. Cc: stable(a)vger.kernel.org Fixes: 4f8ef33dd44a ("ASoC: soc_sdw_utils: skip the endpoint that doesn't present") Signed-off-by: Thorsten Blum <thorsten.blum(a)linux.dev> --- sound/soc/sdw_utils/soc_sdw_utils.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sound/soc/sdw_utils/soc_sdw_utils.c b/sound/soc/sdw_utils/soc_sdw_utils.c index 30f84f4e7637..b70cb3793d8f 100644 --- a/sound/soc/sdw_utils/soc_sdw_utils.c +++ b/sound/soc/sdw_utils/soc_sdw_utils.c @@ -1180,6 +1180,8 @@ static int is_sdca_endpoint_present(struct device *dev, int i; dlc = kzalloc(sizeof(*dlc), GFP_KERNEL); + if (!dlc) + return -ENOMEM; adr_end = &adr_dev->endpoints[end_index]; dai_info = &codec_info->dais[adr_end->num]; -- 2.49.0

6 days

3
2
0 0

FAILED: patch "[PATCH] dt-bindings: pwm: adi,axi-pwmgen: Fix clocks" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x e683131e64f71e957ca77743cb3d313646157329 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025060734-elated-juvenile-da5c@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e683131e64f71e957ca77743cb3d313646157329 Mon Sep 17 00:00:00 2001 From: David Lechner <dlechner(a)baylibre.com> Date: Thu, 29 May 2025 11:53:19 -0500 Subject: [PATCH] dt-bindings: pwm: adi,axi-pwmgen: Fix clocks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix a shortcoming in the bindings that doesn't allow for a separate external clock. The AXI PWMGEN IP block has a compile option ASYNC_CLK_EN that allows the use of an external clock for the PWM output separate from the AXI clock that runs the peripheral. This was missed in the original bindings and so users were writing dts files where the one and only clock specified would be the external clock, if there was one, incorrectly missing the separate AXI clock. The correct bindings are that the AXI clock is always required and the external clock is optional (must be given only when HDL compile option ASYNC_CLK_EN=1). Fixes: 1edf2c2a2841 ("dt-bindings: pwm: Add AXI PWM generator") Cc: stable(a)vger.kernel.org Signed-off-by: David Lechner <dlechner(a)baylibre.com> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Link: https://lore.kernel.org/r/20250529-pwm-axi-pwmgen-add-external-clock-v3-2-5… Signed-off-by: Uwe Kleine-König <ukleinek(a)kernel.org> diff --git a/Documentation/devicetree/bindings/pwm/adi,axi-pwmgen.yaml b/Documentation/devicetree/bindings/pwm/adi,axi-pwmgen.yaml index 45e112d0efb4..5575c58357d6 100644 --- a/Documentation/devicetree/bindings/pwm/adi,axi-pwmgen.yaml +++ b/Documentation/devicetree/bindings/pwm/adi,axi-pwmgen.yaml @@ -30,11 +30,19 @@ properties: const: 3 clocks: - maxItems: 1 + minItems: 1 + maxItems: 2 + + clock-names: + minItems: 1 + items: + - const: axi + - const: ext required: - reg - clocks + - clock-names unevaluatedProperties: false @@ -43,6 +51,7 @@ examples: pwm@44b00000 { compatible = "adi,axi-pwmgen-2.00.a"; reg = <0x44b00000 0x1000>; - clocks = <&spi_clk>; + clocks = <&fpga_clk>, <&spi_clk>; + clock-names = "axi", "ext"; #pwm-cells = <3>; };

6 days

3
3
0 0

[PATCH] sched: Fix preemption string of preempt_dynamic_none

by Thomas Weißschuh

Zero is a valid value for "preempt_dynamic_mode", namely "preempt_dynamic_none". Fix the off-by-one in preempt_model_str(), so that "preempty_dynamic_none" is correctly formatted as PREEMPT(none) instead of PREEMPT(undef). Fixes: 8bdc5daaa01e ("sched: Add a generic function to return the preemption string") Cc: stable(a)vger.kernel.org Signed-off-by: Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> --- kernel/sched/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/sched/core.c b/kernel/sched/core.c index dce50fa57471dffc4311b9d393ae300a43d38d20..021b0a703d094b3386c5ba50e0e111e3a7c2b3df 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -7663,7 +7663,7 @@ const char *preempt_model_str(void) if (IS_ENABLED(CONFIG_PREEMPT_DYNAMIC)) { seq_buf_printf(&s, "(%s)%s", - preempt_dynamic_mode > 0 ? + preempt_dynamic_mode >= 0 ? preempt_modes[preempt_dynamic_mode] : "undef", brace ? "}" : ""); return seq_buf_str(&s); --- base-commit: 546b1c9e93c2bb8cf5ed24e0be1c86bb089b3253 change-id: 20250603-preempt-str-none-d21231cc2238 Best regards, -- Thomas Weißschuh <thomas.weissschuh(a)linutronix.de>

6 days

3
3
0 0

[PATCH 5.10] usb: dwc3: dwc3-qcom: Add missing platform_device_put() in dwc3_qcom_acpi_register_core

by Denis Arefev

From: Miaoqian Lin <linmq006(a)gmail.com> commit fa0ef93868a6062babe1144df2807a8b1d4924d2 upstream. Add the missing platform_device_put() before return from dwc3_qcom_acpi_register_core in the error handling case. Fixes: 2bc02355f8ba ("usb: dwc3: qcom: Add support for booting with ACPI") Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> Link: https://lore.kernel.org/r/20211231113641.31474-1-linmq006@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [Denis: minor fix to resolve merge conflict and add tag Fixes.] Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- Backport fix for CVE-2023-22995 Link: https://nvd.nist.gov/vuln/detail/cve-2023-22995 --- drivers/usb/dwc3/dwc3-qcom.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c index db3559a10207..568973582b75 100644 --- a/drivers/usb/dwc3/dwc3-qcom.c +++ b/drivers/usb/dwc3/dwc3-qcom.c @@ -622,8 +622,10 @@ static int dwc3_qcom_acpi_register_core(struct platform_device *pdev) qcom->dwc3->dev.coherent_dma_mask = dev->coherent_dma_mask; child_res = kcalloc(2, sizeof(*child_res), GFP_KERNEL); - if (!child_res) + if (!child_res) { + platform_device_put(qcom->dwc3); return -ENOMEM; + } res = platform_get_resource(pdev, IORESOURCE_MEM, 0); if (!res) { @@ -659,10 +661,15 @@ static int dwc3_qcom_acpi_register_core(struct platform_device *pdev) } ret = platform_device_add(qcom->dwc3); - if (ret) + if (ret) { dev_err(&pdev->dev, "failed to add device\n"); + goto out; + } + kfree(child_res); + return 0; out: + platform_device_put(qcom->dwc3); kfree(child_res); return ret; } -- 2.43.0

6 days, 2 hours

1
0
0 0

Re: Patch "USB: serial: bus: fix const issue in usb_serial_device_match()" has been added to the 6.15-stable tree

by Johan Hovold

Hi Sasha, On Tue, Jun 10, 2025 at 08:18:13AM -0400, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > USB: serial: bus: fix const issue in usb_serial_device_match() > > to the 6.15-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > usb-serial-bus-fix-const-issue-in-usb_serial_device_.patch > and it can be found in the queue-6.15 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit 0e91be50efc1a26ec9047dadc980631d31ef8578 > Author: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> > Date: Wed May 21 15:41:34 2025 +0200 > > USB: serial: bus: fix const issue in usb_serial_device_match() > > [ Upstream commit 92cd405b648605db4da866f3b9818b271ae84ef0 ] > > usb_serial_device_match() takes a const pointer, and then decides to > cast it away into a non-const one, which is not a good thing to do > overall. Fix this up by properly setting the pointers to be const to > preserve that attribute. > > Fixes: d69d80484598 ("driver core: have match() callback in struct bus_type take a const *") > Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> > Signed-off-by: Johan Hovold <johan(a)kernel.org> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> This patch does not need to be backported and I left out the stable patch on purpose as usual. Please drop. Johan

6 days, 2 hours

1
0
0 0

[PATCH] ipmi: fix underflow in ipmi_create_user()

by Yi Yang

Syzkaller reported this bug: ================================================================== BUG: KASAN: global-out-of-bounds in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] BUG: KASAN: global-out-of-bounds in atomic_dec include/linux/atomic/atomic-instrumented.h:592 [inline] BUG: KASAN: global-out-of-bounds in ipmi_create_user.part.0+0x5e5/0x790 drivers/char/ipmi/ipmi_msghandler.c:1291 Write of size 4 at addr ffffffff8fc6a438 by task syz.5.1074/5888 CPU: 0 PID: 5888 Comm: syz.5.1074 Not tainted 6.6.0+ #60 ...... Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106 print_address_description.constprop.0+0x6b/0x3d0 mm/kasan/report.c:364 print_report+0xba/0x280 mm/kasan/report.c:475 kasan_report+0xa9/0xe0 mm/kasan/report.c:588 check_region_inline mm/kasan/generic.c:181 [inline] kasan_check_range+0x100/0x1c0 mm/kasan/generic.c:187 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_dec include/linux/atomic/atomic-instrumented.h:592 [inline] ipmi_create_user.part.0+0x5e5/0x790 drivers/char/ipmi/ipmi_msghandler.c:1291 ipmi_create_user+0x56/0x80 drivers/char/ipmi/ipmi_msghandler.c:1236 ipmi_open+0xac/0x2b0 drivers/char/ipmi/ipmi_devintf.c:97 chrdev_open+0x276/0x700 fs/char_dev.c:414 do_dentry_open+0x6a7/0x1410 fs/open.c:929 vfs_open+0xd1/0x440 fs/open.c:1060 do_open+0x957/0x10d0 fs/namei.c:3671 path_openat+0x258/0x770 fs/namei.c:3830 do_filp_open+0x1c7/0x410 fs/namei.c:3857 do_sys_openat2+0x5bd/0x6a0 fs/open.c:1428 do_sys_open fs/open.c:1443 [inline] __do_sys_openat fs/open.c:1459 [inline] __se_sys_openat fs/open.c:1454 [inline] __x64_sys_openat+0x17a/0x210 fs/open.c:1454 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x78/0xe2 RIP: 0033:0x54d2cd Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f4751920048 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 0000000000796080 RCX: 000000000054d2cd RDX: 0000000000000000 RSI: 0000000020004280 RDI: ffffffffffffff9c RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 000000000000001e R11: 0000000000000246 R12: 000000000079608c R13: 0000000000000000 R14: 0000000000796080 R15: 00007f4751900000 </TASK> The buggy address belongs to the variable: ipmi_interfaces+0x38/0x40 The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x45a6a flags: 0x3fffff00004000(reserved|node=0|zone=1|lastcpupid=0x1fffff) raw: 003fffff00004000 ffffea0001169a88 ffffea0001169a88 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffffff8fc6a300: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 ffffffff8fc6a380: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 >ffffffff8fc6a400: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 ^ ffffffff8fc6a480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffff8fc6a500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 ================================================================== In the ipmi_create_user() function, the intf->nr_users variable has an underflow issue. Specifically, on the exception path (goto out_kfree;) before atomic_add_return(), calling atomic_dec() when intf->nr_users has not been incremented will result in an underflow. The relevant code has been completely rewritten in the next tree and has been fixed with commit 9e91f8a6c868 ("ipmi:msghandler: Remove srcu for the ipmi_interfaces list"). However, the issue still exists in the 5.19+ stable branches and needs to be fixed on those branches. Cc: stable(a)vger.kernel.org # 5.19+ Fixes: 8e76741c3d8b ("ipmi: Add a limit on the number of users that may use IPMI") Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/char/ipmi/ipmi_msghandler.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c index 186f1fee7534..0293fad2f4f2 100644 --- a/drivers/char/ipmi/ipmi_msghandler.c +++ b/drivers/char/ipmi/ipmi_msghandler.c @@ -1246,18 +1246,18 @@ int ipmi_create_user(unsigned int if_num, found: if (atomic_add_return(1, &intf->nr_users) > max_users) { rv = -EBUSY; - goto out_kfree; + goto out_dec; } INIT_WORK(&new_user->remove_work, free_user_work); rv = init_srcu_struct(&new_user->release_barrier); if (rv) - goto out_kfree; + goto out_dec; if (!try_module_get(intf->owner)) { rv = -ENODEV; - goto out_kfree; + goto out_dec; } /* Note that each existing user holds a refcount to the interface. */ @@ -1281,8 +1281,9 @@ int ipmi_create_user(unsigned int if_num, *user = new_user; return 0; -out_kfree: +out_dec: atomic_dec(&intf->nr_users); +out_kfree: srcu_read_unlock(&ipmi_interfaces_srcu, index); vfree(new_user); return rv; -- 2.25.1

6 days, 2 hours

1
0
0 0

Re: [PATCH v2] mm/shmem, swap: fix softlockup with mTHP swapin

by Kairui Song

On Tue, Jun 10, 2025 at 1:18 AM Kairui Song <ryncsn(a)gmail.com> wrote: > > From: Kairui Song <kasong(a)tencent.com> > > Following softlockup can be easily reproduced on my test machine with: > > echo always > /sys/kernel/mm/transparent_hugepage/hugepages-64kB/enabled > swapon /dev/zram0 # zram0 is a 48G swap device > mkdir -p /sys/fs/cgroup/memory/test > echo 1G > /sys/fs/cgroup/test/memory.max > echo $BASHPID > /sys/fs/cgroup/test/cgroup.procs > while true; do > dd if=/dev/zero of=/tmp/test.img bs=1M count=5120 > cat /tmp/test.img > /dev/null > rm /tmp/test.img > done > > Then after a while: > watchdog: BUG: soft lockup - CPU#0 stuck for 763s! [cat:5787] > Modules linked in: zram virtiofs > CPU: 0 UID: 0 PID: 5787 Comm: cat Kdump: loaded Tainted: G L 6.15.0.orig-gf3021d9246bc-dirty #118 PREEMPT(voluntary)· > Tainted: [L]=SOFTLOCKUP > Hardware name: Red Hat KVM/RHEL-AV, BIOS 0.0.0 02/06/2015 > RIP: 0010:mpol_shared_policy_lookup+0xd/0x70 > Code: e9 b8 b4 ff ff 31 c0 c3 cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 41 54 55 53 <48> 8b 1f 48 85 db 74 41 4c 8d 67 08 48 89 fb 48 89 f5 4c 89 e7 e8 > RSP: 0018:ffffc90002b1fc28 EFLAGS: 00000202 > RAX: 00000000001c20ca RBX: 0000000000724e1e RCX: 0000000000000001 > RDX: ffff888118e214c8 RSI: 0000000000057d42 RDI: ffff888118e21518 > RBP: 000000000002bec8 R08: 0000000000000001 R09: 0000000000000000 > R10: 0000000000000bf4 R11: 0000000000000000 R12: 0000000000000001 > R13: 00000000001c20ca R14: 00000000001c20ca R15: 0000000000000000 > FS: 00007f03f995c740(0000) GS:ffff88a07ad9a000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00007f03f98f1000 CR3: 0000000144626004 CR4: 0000000000770eb0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > PKRU: 55555554 > Call Trace: > <TASK> > shmem_alloc_folio+0x31/0xc0 > shmem_swapin_folio+0x309/0xcf0 > ? filemap_get_entry+0x117/0x1e0 > ? xas_load+0xd/0xb0 > ? filemap_get_entry+0x101/0x1e0 > shmem_get_folio_gfp+0x2ed/0x5b0 > shmem_file_read_iter+0x7f/0x2e0 > vfs_read+0x252/0x330 > ksys_read+0x68/0xf0 > do_syscall_64+0x4c/0x1c0 > entry_SYSCALL_64_after_hwframe+0x76/0x7e > RIP: 0033:0x7f03f9a46991 > Code: 00 48 8b 15 81 14 10 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd e8 20 ad 01 00 f3 0f 1e fa 80 3d 35 97 10 00 00 74 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec > RSP: 002b:00007fff3c52bd28 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 > RAX: ffffffffffffffda RBX: 0000000000040000 RCX: 00007f03f9a46991 > RDX: 0000000000040000 RSI: 00007f03f98ba000 RDI: 0000000000000003 > RBP: 00007fff3c52bd50 R08: 0000000000000000 R09: 00007f03f9b9a380 > R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000040000 > R13: 00007f03f98ba000 R14: 0000000000000003 R15: 0000000000000000 > </TASK> > > The reason is simple, readahead brought some order 0 folio in swap > cache, and the swapin mTHP folio being allocated is in confict with it, > so swapcache_prepare fails and causes shmem_swap_alloc_folio to return > -EEXIST, and shmem simply retries again and again causing this loop. > > Fix it by applying a similar fix for anon mTHP swapin. > > The performance change is very slight, time of swapin 10g zero folios > with shmem (test for 12 times): > Before: 2.47s > After: 2.48s > > Fixes: 1dd44c0af4fa1 ("mm: shmem: skip swapcache for swapin of synchronous swap device") > Signed-off-by: Kairui Song <kasong(a)tencent.com> > > --- > > V1: https://lore.kernel.org/linux-mm/20250608192713.95875-1-ryncsn@gmail.com/ > Updates: > - Move non_swapcache_batch check before swapcache_prepare, I was > expecting this could improve the performance, turns out it barely > helps and may even cause more overhead in some cases. [ Barry Song ] > - Remove zero map check, no need to do that for shmem [ Barry Song, > Baolin Wang ] > - Fix build bot error. > > mm/memory.c | 20 -------------------- > mm/shmem.c | 4 +++- > mm/swap.h | 23 +++++++++++++++++++++++ > 3 files changed, 26 insertions(+), 21 deletions(-) > > diff --git a/mm/memory.c b/mm/memory.c > index 9ead7ab07e8e..3845ed068d74 100644 > --- a/mm/memory.c > +++ b/mm/memory.c > @@ -4313,26 +4313,6 @@ static struct folio *__alloc_swap_folio(struct vm_fault *vmf) > } > > #ifdef CONFIG_TRANSPARENT_HUGEPAGE > -static inline int non_swapcache_batch(swp_entry_t entry, int max_nr) > -{ > - struct swap_info_struct *si = swp_swap_info(entry); > - pgoff_t offset = swp_offset(entry); > - int i; > - > - /* > - * While allocating a large folio and doing swap_read_folio, which is > - * the case the being faulted pte doesn't have swapcache. We need to > - * ensure all PTEs have no cache as well, otherwise, we might go to > - * swap devices while the content is in swapcache. > - */ > - for (i = 0; i < max_nr; i++) { > - if ((si->swap_map[offset + i] & SWAP_HAS_CACHE)) > - return i; > - } > - > - return i; > -} > - > /* > * Check if the PTEs within a range are contiguous swap entries > * and have consistent swapcache, zeromap. > diff --git a/mm/shmem.c b/mm/shmem.c > index 73182e904f9c..a4fdfbd086f1 100644 > --- a/mm/shmem.c > +++ b/mm/shmem.c > @@ -2256,6 +2256,7 @@ static int shmem_swapin_folio(struct inode *inode, pgoff_t index, > folio = swap_cache_get_folio(swap, NULL, 0); > order = xa_get_order(&mapping->i_pages, index); > if (!folio) { > + int nr_pages = 1 << order; > bool fallback_order0 = false; > > /* Or update major stats only when swapin succeeds?? */ > @@ -2271,7 +2272,8 @@ static int shmem_swapin_folio(struct inode *inode, pgoff_t index, > * to swapin order-0 folio, as well as for zswap case. > */ > if (order > 0 && ((vma && unlikely(userfaultfd_armed(vma))) || > - !zswap_never_enabled())) > + !zswap_never_enabled() || > + non_swapcache_batch(swap, nr_pages) != nr_pages)) > fallback_order0 = true; > > /* Skip swapcache for synchronous device. */ > diff --git a/mm/swap.h b/mm/swap.h > index e87a0f19a0ee..911ad5ff0f89 100644 > --- a/mm/swap.h > +++ b/mm/swap.h > @@ -108,6 +108,25 @@ static inline int swap_zeromap_batch(swp_entry_t entry, int max_nr, > return find_next_bit(sis->zeromap, end, start) - start; > } > > +static inline int non_swapcache_batch(swp_entry_t entry, int max_nr) > +{ > + struct swap_info_struct *si = swp_swap_info(entry); > + pgoff_t offset = swp_offset(entry); > + int i; > + > + /* > + * While allocating a large folio and doing mTHP swapin, we need to > + * ensure all entries are not cached, otherwise, the mTHP folio will > + * be in conflict with the folio in swap cache. > + */ > + for (i = 0; i < max_nr; i++) { > + if ((si->swap_map[offset + i] & SWAP_HAS_CACHE)) > + return i; > + } > + > + return i; > +} > + > #else /* CONFIG_SWAP */ > struct swap_iocb; > static inline void swap_read_folio(struct folio *folio, struct swap_iocb **plug) > @@ -202,6 +221,10 @@ static inline int swap_zeromap_batch(swp_entry_t entry, int max_nr, > return 0; > } > > +static inline int non_swapcache_batch(swp_entry_t entry, int max_nr) > +{ > + return 0; > +} > #endif /* CONFIG_SWAP */ > > /** > -- > 2.49.0 > I really should Cc stable for this, sorry I forgot it. Cc: stable(a)vger.kernel.org # 6.14

6 days, 2 hours

2
2
0 0

[PATCH] staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher()

by Nathan Chancellor

After commit 6f110a5e4f99 ("Disable SLUB_TINY for build testing"), which causes CONFIG_KASAN to be enabled in allmodconfig again, arm64 allmodconfig builds with older versions of clang (15 through 17) show an instance of -Wframe-larger-than (which breaks the build with CONFIG_WERROR=y): drivers/staging/rtl8723bs/core/rtw_security.c:1287:5: error: stack frame size (2208) exceeds limit (2048) in 'rtw_aes_decrypt' [-Werror,-Wframe-larger-than] 1287 | u32 rtw_aes_decrypt(struct adapter *padapter, u8 *precvframe) | ^ This comes from aes_decipher() being inlined in rtw_aes_decrypt(). Running the same build with CONFIG_FRAME_WARN=128 shows aes_cipher() also uses a decent amount of stack, just under the limit of 2048: drivers/staging/rtl8723bs/core/rtw_security.c:864:19: warning: stack frame size (1952) exceeds limit (128) in 'aes_cipher' [-Wframe-larger-than] 864 | static signed int aes_cipher(u8 *key, uint hdrlen, | ^ -Rpass-analysis=stack-frame-layout only shows one large structure on the stack, which is the ctx variable inlined from aes128k128d(). A good number of the other variables come from the additional checks of fortified string routines, which are present in memset(), which both aes_cipher() and aes_decipher() use to initialize some temporary buffers. In this case, since the size is known at compile time, these additional checks should not result in any code generation changes but allmodconfig has several sanitizers enabled, which may make it harder for the compiler to eliminate the compile time checks and the variables that come about from them. The memset() calls are just initializing these buffers to zero, so use '= {}' instead, which is used all over the kernel and does the exact same thing as memset() without the fortify checks, which drops the stack usage of these functions by a few hundred kilobytes. drivers/staging/rtl8723bs/core/rtw_security.c:864:19: warning: stack frame size (1584) exceeds limit (128) in 'aes_cipher' [-Wframe-larger-than] 864 | static signed int aes_cipher(u8 *key, uint hdrlen, | ^ drivers/staging/rtl8723bs/core/rtw_security.c:1271:5: warning: stack frame size (1456) exceeds limit (128) in 'rtw_aes_decrypt' [-Wframe-larger-than] 1271 | u32 rtw_aes_decrypt(struct adapter *padapter, u8 *precvframe) | ^ Cc: stable(a)vger.kernel.org Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- drivers/staging/rtl8723bs/core/rtw_security.c | 44 +++++++++------------------ 1 file changed, 14 insertions(+), 30 deletions(-) diff --git a/drivers/staging/rtl8723bs/core/rtw_security.c b/drivers/staging/rtl8723bs/core/rtw_security.c index 1e9eff01b1aa..e9f382c280d9 100644 --- a/drivers/staging/rtl8723bs/core/rtw_security.c +++ b/drivers/staging/rtl8723bs/core/rtw_security.c @@ -868,29 +868,21 @@ static signed int aes_cipher(u8 *key, uint hdrlen, num_blocks, payload_index; u8 pn_vector[6]; - u8 mic_iv[16]; - u8 mic_header1[16]; - u8 mic_header2[16]; - u8 ctr_preload[16]; + u8 mic_iv[16] = {}; + u8 mic_header1[16] = {}; + u8 mic_header2[16] = {}; + u8 ctr_preload[16] = {}; /* Intermediate Buffers */ - u8 chain_buffer[16]; - u8 aes_out[16]; - u8 padded_buffer[16]; + u8 chain_buffer[16] = {}; + u8 aes_out[16] = {}; + u8 padded_buffer[16] = {}; u8 mic[8]; uint frtype = GetFrameType(pframe); uint frsubtype = GetFrameSubType(pframe); frsubtype = frsubtype>>4; - memset((void *)mic_iv, 0, 16); - memset((void *)mic_header1, 0, 16); - memset((void *)mic_header2, 0, 16); - memset((void *)ctr_preload, 0, 16); - memset((void *)chain_buffer, 0, 16); - memset((void *)aes_out, 0, 16); - memset((void *)padded_buffer, 0, 16); - if ((hdrlen == WLAN_HDR_A3_LEN) || (hdrlen == WLAN_HDR_A3_QOS_LEN)) a4_exists = 0; else @@ -1080,15 +1072,15 @@ static signed int aes_decipher(u8 *key, uint hdrlen, num_blocks, payload_index; signed int res = _SUCCESS; u8 pn_vector[6]; - u8 mic_iv[16]; - u8 mic_header1[16]; - u8 mic_header2[16]; - u8 ctr_preload[16]; + u8 mic_iv[16] = {}; + u8 mic_header1[16] = {}; + u8 mic_header2[16] = {}; + u8 ctr_preload[16] = {}; /* Intermediate Buffers */ - u8 chain_buffer[16]; - u8 aes_out[16]; - u8 padded_buffer[16]; + u8 chain_buffer[16] = {}; + u8 aes_out[16] = {}; + u8 padded_buffer[16] = {}; u8 mic[8]; uint frtype = GetFrameType(pframe); @@ -1096,14 +1088,6 @@ static signed int aes_decipher(u8 *key, uint hdrlen, frsubtype = frsubtype>>4; - memset((void *)mic_iv, 0, 16); - memset((void *)mic_header1, 0, 16); - memset((void *)mic_header2, 0, 16); - memset((void *)ctr_preload, 0, 16); - memset((void *)chain_buffer, 0, 16); - memset((void *)aes_out, 0, 16); - memset((void *)padded_buffer, 0, 16); - /* start to decrypt the payload */ num_blocks = (plen-8) / 16; /* plen including LLC, payload_length and mic) */ --- base-commit: 19272b37aa4f83ca52bdf9c16d5d81bdd1354494 change-id: 20250609-rtl8723bs-fix-clang-arm64-wflt-b4b9652904b5 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

6 days, 2 hours

2
1
0 0

Linux 6.14.11

by Greg Kroah-Hartman

----------------- Note this is the LAST 6.14.y release. This kernel branch is now end-of-life. Please move to the 6.15.y kernel branch at this time. If you notice, this has happened a bit more "early" than previous end-of-life announcements. Normally, after -rc1 is out there is a TON of stable patches happening due to the changes that come into the merge-window that were marked for stable backports but didn't get into Linus's release before -final. As some people have objected to this large influx being added to a stable kernel that is just about to go end-of-life, let's try marking this end-of-life a bit earlier to see how it goes. It might also spur maintainers/developers to get fixes into -final a bit more as well :) ----------------- I'm announcing the release of the 6.14.11 kernel. All users of the 6.14 kernel series must upgrade. The updated 6.14.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.14.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/phy/fsl,imx8mq-usb-phy.yaml | 3 - Documentation/devicetree/bindings/pwm/adi,axi-pwmgen.yaml | 13 ++++- Documentation/devicetree/bindings/usb/cypress,hx3.yaml | 19 ++++++- Documentation/firmware-guide/acpi/dsd/data-node-references.rst | 26 ++++------ Documentation/firmware-guide/acpi/dsd/graph.rst | 11 +--- Documentation/firmware-guide/acpi/dsd/leds.rst | 7 -- Makefile | 2 drivers/android/binder.c | 16 +++++- drivers/android/binder_internal.h | 8 ++- drivers/android/binderfs.c | 2 drivers/bluetooth/hci_qca.c | 14 ++--- drivers/clk/samsung/clk-exynosautov920.c | 2 drivers/cpufreq/acpi-cpufreq.c | 2 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 16 +----- drivers/nvmem/Kconfig | 1 drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 14 +++-- drivers/rtc/class.c | 2 drivers/rtc/lib.c | 24 +++++++-- drivers/thunderbolt/ctl.c | 5 + drivers/tty/serial/jsm/jsm_tty.c | 1 drivers/usb/class/usbtmc.c | 4 + drivers/usb/core/quirks.c | 3 + drivers/usb/serial/pl2303.c | 2 drivers/usb/storage/unusual_uas.h | 7 ++ drivers/usb/typec/ucsi/ucsi.h | 2 fs/orangefs/inode.c | 9 +-- kernel/trace/trace.c | 2 27 files changed, 138 insertions(+), 79 deletions(-) Alexandre Mergnat (2): rtc: Make rtc_time64_to_tm() support dates before 1970 rtc: Fix offset calculation for .start_secs < 0 Arnd Bergmann (1): nvmem: rmem: select CONFIG_CRC32 Aurabindo Pillai (1): Revert "drm/amd/display: more liberal vmin/vmax update for freesync" Bartosz Golaszewski (1): Bluetooth: hci_qca: move the SoC type check to the right place Carlos Llamas (1): binder: fix yet another UAF in binder_devices Charles Yeh (1): USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB Dave Penkler (1): usb: usbtmc: Fix timeout value in get_stb David Lechner (1): dt-bindings: pwm: adi,axi-pwmgen: Fix clocks Dmitry Antipov (1): binder: fix use-after-free in binderfs_evict_inode() Dustin Lundquist (1): serial: jsm: fix NPE during jsm_uart_port_init Gabor Juhos (2): pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 pinctrl: armada-37xx: set GPIO output value before setting direction Gautham R. Shenoy (1): acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() Greg Kroah-Hartman (1): Linux 6.14.11 Hongyu Xie (1): usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device Jiayi Li (1): usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE Lukasz Czechowski (1): dt-bindings: usb: cypress,hx3: Add support for all variants Mike Marshall (1): orangefs: adjust counting code to recover from 665575cf Pan Taixi (1): tracing: Fix compilation warning on arm32 Pritam Manohar Sutar (1): clk: samsung: correct clock summary for hsi1 block Qasim Ijaz (1): usb: typec: ucsi: fix Clang -Wsign-conversion warning Sakari Ailus (1): Documentation: ACPI: Use all-string data node references Sergey Senozhatsky (1): thunderbolt: Do not double dequeue a configuration request Xu Yang (1): dt-bindings: phy: imx8mq-usb: fix fsl,phy-tx-vboost-level-microvolt property

6 days, 2 hours

1
1
0 0

Linux 6.15.2

by Greg Kroah-Hartman

I'm announcing the release of the 6.15.2 kernel. All users of the 6.15 kernel series must upgrade. The updated 6.15.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.15.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/phy/fsl,imx8mq-usb-phy.yaml | 3 Documentation/devicetree/bindings/pwm/adi,axi-pwmgen.yaml | 13 + Documentation/devicetree/bindings/remoteproc/qcom,sm8150-pas.yaml | 3 Documentation/devicetree/bindings/usb/cypress,hx3.yaml | 19 ++ Documentation/firmware-guide/acpi/dsd/data-node-references.rst | 26 +-- Documentation/firmware-guide/acpi/dsd/graph.rst | 11 - Documentation/firmware-guide/acpi/dsd/leds.rst | 7 Makefile | 2 arch/x86/kernel/smpboot.c | 54 ++++++- drivers/acpi/acpica/acdebug.h | 2 drivers/acpi/acpica/aclocal.h | 4 drivers/acpi/acpica/nsnames.c | 2 drivers/acpi/acpica/nsrepair2.c | 2 drivers/android/binder.c | 16 +- drivers/android/binder_internal.h | 8 - drivers/android/binderfs.c | 2 drivers/bluetooth/hci_qca.c | 14 - drivers/clk/samsung/clk-exynosautov920.c | 2 drivers/cpufreq/acpi-cpufreq.c | 2 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 16 -- drivers/nvmem/Kconfig | 1 drivers/pinctrl/mediatek/mtk-eint.c | 26 +-- drivers/pinctrl/mediatek/mtk-eint.h | 5 drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c | 2 drivers/pinctrl/mediatek/pinctrl-mtk-common.c | 2 drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 14 + drivers/rtc/class.c | 2 drivers/rtc/lib.c | 24 ++- drivers/thunderbolt/ctl.c | 5 drivers/tty/serial/jsm/jsm_tty.c | 1 drivers/usb/class/usbtmc.c | 4 drivers/usb/core/quirks.c | 3 drivers/usb/serial/pl2303.c | 2 drivers/usb/storage/unusual_uas.h | 7 drivers/usb/typec/ucsi/ucsi.h | 2 fs/bcachefs/dirent.c | 12 - fs/bcachefs/dirent.h | 4 fs/bcachefs/errcode.h | 2 fs/bcachefs/fs.c | 8 - fs/bcachefs/fsck.c | 8 + fs/bcachefs/inode.c | 77 ++++++---- fs/bcachefs/namei.c | 4 fs/bcachefs/sb-errors_format.h | 4 fs/bcachefs/subvolume.c | 19 +- include/acpi/actbl.h | 6 include/acpi/actypes.h | 4 include/acpi/platform/acgcc.h | 8 + kernel/trace/trace.c | 2 tools/power/acpi/os_specific/service_layers/oslinuxtbl.c | 2 tools/power/acpi/tools/acpidump/apfiles.c | 2 50 files changed, 313 insertions(+), 157 deletions(-) Ahmed Salem (1): ACPICA: Apply ACPI_NONSTRING in more places Alexandre Mergnat (2): rtc: Make rtc_time64_to_tm() support dates before 1970 rtc: Fix offset calculation for .start_secs < 0 Arnd Bergmann (1): nvmem: rmem: select CONFIG_CRC32 Aurabindo Pillai (1): Revert "drm/amd/display: more liberal vmin/vmax update for freesync" Bartosz Golaszewski (1): Bluetooth: hci_qca: move the SoC type check to the right place Carlos Llamas (1): binder: fix yet another UAF in binder_devices Charles Yeh (1): USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB Dave Penkler (1): usb: usbtmc: Fix timeout value in get_stb David Lechner (1): dt-bindings: pwm: adi,axi-pwmgen: Fix clocks Dmitry Antipov (1): binder: fix use-after-free in binderfs_evict_inode() Dustin Lundquist (1): serial: jsm: fix NPE during jsm_uart_port_init Gabor Juhos (2): pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 pinctrl: armada-37xx: set GPIO output value before setting direction Gautham R. Shenoy (1): acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() Greg Kroah-Hartman (1): Linux 6.15.2 Hongyu Xie (1): usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device Jiayi Li (1): usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE Kees Cook (2): ACPICA: Introduce ACPI_NONSTRING ACPICA: Apply ACPI_NONSTRING Kent Overstreet (5): bcachefs: Kill un-reverted directory i_size code bcachefs: Repair code for directory i_size bcachefs: delete dead code from may_delete_deleted_inode() bcachefs: Run may_delete_deleted_inode() checks in bch2_inode_rm() bcachefs: Fix subvol to missing root repair Krzysztof Kozlowski (1): dt-bindings: remoteproc: qcom,sm8150-pas: Add missing SC8180X compatible Lukasz Czechowski (1): dt-bindings: usb: cypress,hx3: Add support for all variants Nícolas F. R. A. Prado (1): pinctrl: mediatek: eint: Fix invalid pointer dereference for v1 platforms Pan Taixi (1): tracing: Fix compilation warning on arm32 Pritam Manohar Sutar (1): clk: samsung: correct clock summary for hsi1 block Qasim Ijaz (1): usb: typec: ucsi: fix Clang -Wsign-conversion warning Rafael J. Wysocki (1): Revert "x86/smp: Eliminate mwait_play_dead_cpuid_hint()" Sakari Ailus (1): Documentation: ACPI: Use all-string data node references Sergey Senozhatsky (1): thunderbolt: Do not double dequeue a configuration request Xu Yang (1): dt-bindings: phy: imx8mq-usb: fix fsl,phy-tx-vboost-level-microvolt property

6 days, 2 hours

1
1
0 0

Linux 6.12.33

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.33 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/phy/fsl,imx8mq-usb-phy.yaml | 3 Documentation/devicetree/bindings/usb/cypress,hx3.yaml | 19 +- Documentation/firmware-guide/acpi/dsd/data-node-references.rst | 26 +- Documentation/firmware-guide/acpi/dsd/graph.rst | 11 - Documentation/firmware-guide/acpi/dsd/leds.rst | 7 Makefile | 2 block/bio.c | 11 - drivers/accel/ivpu/ivpu_drv.c | 1 drivers/accel/ivpu/ivpu_drv.h | 10 - drivers/accel/ivpu/ivpu_fw.c | 3 drivers/accel/ivpu/ivpu_hw_40xx_reg.h | 2 drivers/accel/ivpu/ivpu_hw_ip.c | 49 +++-- drivers/bluetooth/hci_qca.c | 14 - drivers/cpufreq/acpi-cpufreq.c | 2 drivers/cpufreq/tegra186-cpufreq.c | 7 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 16 - drivers/pci/pcie/aspm.c | 92 +++++----- drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 14 - drivers/rtc/class.c | 2 drivers/rtc/lib.c | 24 ++ drivers/thunderbolt/ctl.c | 5 drivers/tty/serial/jsm/jsm_tty.c | 1 drivers/usb/class/usbtmc.c | 4 drivers/usb/core/quirks.c | 3 drivers/usb/serial/pl2303.c | 2 drivers/usb/storage/unusual_uas.h | 7 drivers/usb/typec/ucsi/ucsi.h | 2 fs/f2fs/inode.c | 7 fs/f2fs/segment.h | 9 kernel/trace/trace.c | 2 30 files changed, 216 insertions(+), 141 deletions(-) Ajay Agarwal (1): PCI/ASPM: Disable L1 before disabling L1 PM Substates Alexandre Mergnat (2): rtc: Make rtc_time64_to_tm() support dates before 1970 rtc: Fix offset calculation for .start_secs < 0 Aurabindo Pillai (1): Revert "drm/amd/display: more liberal vmin/vmax update for freesync" Bartosz Golaszewski (1): Bluetooth: hci_qca: move the SoC type check to the right place Chao Yu (1): f2fs: fix to avoid accessing uninitialized curseg Charles Yeh (1): USB: serial: pl2303: add new chip PL2303GC-Q20 and PL2303GT-2AB Dave Penkler (1): usb: usbtmc: Fix timeout value in get_stb Dustin Lundquist (1): serial: jsm: fix NPE during jsm_uart_port_init Gabor Juhos (2): pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 pinctrl: armada-37xx: set GPIO output value before setting direction Gautham R. Shenoy (1): acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() Greg Kroah-Hartman (1): Linux 6.12.33 Hongyu Xie (1): usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device Jiayi Li (1): usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE Jon Hunter (1): Revert "cpufreq: tegra186: Share policy per cluster" Karol Wachowski (1): accel/ivpu: Update power island delays Lukasz Czechowski (1): dt-bindings: usb: cypress,hx3: Add support for all variants Maciej Falkowski (1): accel/ivpu: Add initial Panther Lake support Ming Lei (1): block: fix adding folio to bio Pan Taixi (1): tracing: Fix compilation warning on arm32 Qasim Ijaz (1): usb: typec: ucsi: fix Clang -Wsign-conversion warning Sakari Ailus (1): Documentation: ACPI: Use all-string data node references Sergey Senozhatsky (1): thunderbolt: Do not double dequeue a configuration request Xu Yang (1): dt-bindings: phy: imx8mq-usb: fix fsl,phy-tx-vboost-level-microvolt property

6 days, 2 hours

1
1
0 0

[PATCH 1/2] PCI: Relaxed tail alignment should never increase min_align

by Ilpo Järvinen

When using relaxed tail alignment for the bridge window, pbus_size_mem() also tries to minimize min_align, which can under certain scenarios end up increasing min_align from that found by calculate_mem_align(). Ensure min_align is not increased by the relaxed tail alignment. Eventually, it would be better to add calculate_relaxed_head_align() similar to calculate_mem_align() which finds out what alignment can be used for the head without introducing any gaps into the bridge window to give flexibility on head address too. But that looks relatively complex algorithm so it requires much more testing than fixing the immediate problem causing a regression. Fixes: 67f9085596ee ("PCI: Allow relaxed bridge window tail sizing for optional resources") Reported-by: Rio <rio(a)r26.me> Tested-by: Rio <rio(a)r26.me> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Cc: <stable(a)vger.kernel.org> --- drivers/pci/setup-bus.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c index 07c3d021a47e..f90d49cd07da 100644 --- a/drivers/pci/setup-bus.c +++ b/drivers/pci/setup-bus.c @@ -1169,6 +1169,7 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask, resource_size_t children_add_size = 0; resource_size_t children_add_align = 0; resource_size_t add_align = 0; + resource_size_t relaxed_align; if (!b_res) return -ENOSPC; @@ -1246,8 +1247,9 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask, if (bus->self && size0 && !pbus_upstream_space_available(bus, mask | IORESOURCE_PREFETCH, type, size0, min_align)) { - min_align = 1ULL << (max_order + __ffs(SZ_1M)); - min_align = max(min_align, win_align); + relaxed_align = 1ULL << (max_order + __ffs(SZ_1M)); + relaxed_align = max(relaxed_align, win_align); + min_align = min(min_align, relaxed_align); size0 = calculate_memsize(size, min_size, 0, 0, resource_size(b_res), win_align); pci_info(bus->self, "bridge window %pR to %pR requires relaxed alignment rules\n", b_res, &bus->busn_res); @@ -1261,8 +1263,9 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask, if (bus->self && size1 && !pbus_upstream_space_available(bus, mask | IORESOURCE_PREFETCH, type, size1, add_align)) { - min_align = 1ULL << (max_order + __ffs(SZ_1M)); - min_align = max(min_align, win_align); + relaxed_align = 1ULL << (max_order + __ffs(SZ_1M)); + relaxed_align = max(min_align, win_align); + min_align = min(min_align, relaxed_align); size1 = calculate_memsize(size, min_size, add_size, children_add_size, resource_size(b_res), win_align); pci_info(bus->self, -- 2.39.5

6 days, 2 hours

2
2
0 0

[PATCH v1 0/4] Fix uprobe pte be overwritten when expanding vma

by Pu Lehui

From: Pu Lehui <pulehui(a)huawei.com> patch 1: the mainly fix for uprobe pte be overwritten issue. patch 2: WARN_ON_ONCE for new_pte not NULL during move_ptes. patch 3: extract some utils function for upcomming selftest. patch 4: selftest related to this series. v1: - limit skip uprobe_mmap to copy_vma flow. - add related selftest. - correct Fixes tag. RFC v2: https://lore.kernel.org/all/20250527132351.2050820-1-pulehui@huaweicloud.co… - skip uprobe_mmap on expanded vma. - add skip_vma_uprobe field to struct vma_prepare and vma_merge_struct. (Lorenzo) - add WARN_ON_ONCE when new_pte is not NULL. (Oleg) - Corrected some of the comments. RFC v1: https://lore.kernel.org/all/20250521092503.3116340-1-pulehui@huaweicloud.co… Pu Lehui (4): mm: Fix uprobe pte be overwritten when expanding vma mm: Expose abnormal new_pte during move_ptes selftests/mm: Extract read_sysfs and write_sysfs into vm_util selftests/mm: Add test about uprobe pte be orphan during vma merge mm/mremap.c | 2 ++ mm/vma.c | 20 ++++++++++-- mm/vma.h | 7 +++++ tools/testing/selftests/mm/ksm_tests.c | 32 ++------------------ tools/testing/selftests/mm/merge.c | 42 ++++++++++++++++++++++++++ tools/testing/selftests/mm/thuge-gen.c | 6 ++-- tools/testing/selftests/mm/vm_util.c | 38 +++++++++++++++++++++++ tools/testing/selftests/mm/vm_util.h | 2 ++ 8 files changed, 113 insertions(+), 36 deletions(-) -- 2.34.1

6 days, 2 hours

9
29
0 0

[PATCH v1] xhci: dbctty: disable ECHO flag by default

by Łukasz Bartosik

When /dev/ttyDBC0 device is created then by default ECHO flag is set for the terminal device. However if data arrives from a peer before application using /dev/ttyDBC0 applies its set of terminal flags then the arriving data will be echoed which might not be desired behavior. Fixes: 4521f1613940 ("xhci: dbctty: split dbc tty driver registration and unregistration functions.") Signed-off-by: Łukasz Bartosik <ukaszb(a)chromium.org> --- drivers/usb/host/xhci-dbgtty.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c index 60ed753c85bb..d894081d8d15 100644 --- a/drivers/usb/host/xhci-dbgtty.c +++ b/drivers/usb/host/xhci-dbgtty.c @@ -617,6 +617,7 @@ int dbc_tty_init(void) dbc_tty_driver->type = TTY_DRIVER_TYPE_SERIAL; dbc_tty_driver->subtype = SERIAL_TYPE_NORMAL; dbc_tty_driver->init_termios = tty_std_termios; + dbc_tty_driver->init_termios.c_lflag &= ~ECHO; dbc_tty_driver->init_termios.c_cflag = B9600 | CS8 | CREAD | HUPCL | CLOCAL; dbc_tty_driver->init_termios.c_ispeed = 9600; -- 2.50.0.rc0.642.g800a2b2222-goog

6 days, 3 hours

2
1
0 0

[PATCH 2/2] PCI: Fix pdev_resources_assignable() disparity

by Ilpo Järvinen

pdev_sort_resources() uses pdev_resources_assignable() helper to decide if device's resources cannot be assigned. pbus_size_mem(), on the other hand, does not do the same check. This could lead into a situation where a resource ends up on realloc_head list but is not on the head list, which is turn prevents emptying the resource from the realloc_head list in __assign_resources_sorted(). A non-empty realloc_head is unacceptable because it triggers an internal sanity check as show in this log with a device that has class 0 (PCI_CLASS_NOT_DEFINED): pci 0001:01:00.0: [144d:a5a5] type 00 class 0x000000 PCIe Endpoint pci 0001:01:00.0: BAR 0 [mem 0x00000000-0x000fffff 64bit] pci 0001:01:00.0: ROM [mem 0x00000000-0x0000ffff pref] pci 0001:01:00.0: enabling Extended Tags pci 0001:01:00.0: PME# supported from D0 D3hot D3cold pci 0001:01:00.0: 15.752 Gb/s available PCIe bandwidth, limited by 8.0 GT/s PCIe x2 link at 0001:00:00.0 (capable of 31.506 Gb/s with 16.0 GT/s PCIe x2 link) pcieport 0001:00:00.0: bridge window [mem 0x00100000-0x001fffff] to [bus 01-ff] add_size 100000 add_align 100000 pcieport 0001:00:00.0: bridge window [mem 0x40000000-0x401fffff]: assigned ------------[ cut here ]------------ kernel BUG at drivers/pci/setup-bus.c:2532! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP ... Call trace: pci_assign_unassigned_bus_resources+0x110/0x114 (P) pci_rescan_bus+0x28/0x48 Use pdev_resources_assignable() also within pbus_size_mem() to skip processing of non-assignable resources which removes the disparity in between what resources pdev_sort_resources() and pbus_size_mem() consider. As non-assignable resources are no longer processed, they are not added to the realloc_head list, thus the sanity check no longer triggers. This disparity problem is very old but only now became apparent after the commit 2499f5348431 ("PCI: Rework optional resource handling") that made the ROM resources optional when calculating bridge window sizes which required adding the resource to the realloc_head list. Previously, bridge windows were just sized larger than necessary. Fixes: 2499f5348431 ("PCI: Rework optional resource handling") Reported-by: Tudor Ambarus <tudor.ambarus(a)linaro.org> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Cc: <stable(a)vger.kernel.org> --- The reporter was perhaps not happy with this fix as behavior of PCI core isn't identical after this fix even if this patch fixes the problem on the PCI core side which causes the internal sanity check to fire. It seems that in the reporter's case, an out-of-tree driver was involved that performed things and made assumptions a driver should not do in its probe function such as assuming a bridge window is assigned even if there are not child resources to be put into it (the child device in reporter's case doesn't have a valid class and gets therefore skipped by the resource fitting/assignment): https://lore.kernel.org/all/bd579412-d07c-476d-8932-55c1f69adc9f@linaro.org/ In other words, the out-of-tree driver relies on the disparity in the PCI core's resource fitting code which is now eliminated by this fix. drivers/pci/setup-bus.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c index f90d49cd07da..24863d8d0053 100644 --- a/drivers/pci/setup-bus.c +++ b/drivers/pci/setup-bus.c @@ -1191,6 +1191,7 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask, resource_size_t r_size; if (r->parent || (r->flags & IORESOURCE_PCI_FIXED) || + !pdev_resources_assignable(dev) || ((r->flags & mask) != type && (r->flags & mask) != type2 && (r->flags & mask) != type3)) -- 2.39.5

6 days, 3 hours

2
1
0 0

[PATCH 5.10] blk-mq: Fix kmemleak in blk_mq_init_allocated_queue

by Denis Arefev

From: Chen Jun <chenjun102(a)huawei.com> commit 943f45b9399ed8b2b5190cbc797995edaa97f58f upstream. There is a kmemleak caused by modprobe null_blk.ko unreferenced object 0xffff8881acb1f000 (size 1024): comm "modprobe", pid 836, jiffies 4294971190 (age 27.068s) hex dump (first 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ff ff ff ff ff ff ff ff 00 53 99 9e ff ff ff ff .........S...... backtrace: [<000000004a10c249>] kmalloc_node_trace+0x22/0x60 [<00000000648f7950>] blk_mq_alloc_and_init_hctx+0x289/0x350 [<00000000af06de0e>] blk_mq_realloc_hw_ctxs+0x2fe/0x3d0 [<00000000e00c1872>] blk_mq_init_allocated_queue+0x48c/0x1440 [<00000000d16b4e68>] __blk_mq_alloc_disk+0xc8/0x1c0 [<00000000d10c98c3>] 0xffffffffc450d69d [<00000000b9299f48>] 0xffffffffc4538392 [<0000000061c39ed6>] do_one_initcall+0xd0/0x4f0 [<00000000b389383b>] do_init_module+0x1a4/0x680 [<0000000087cf3542>] load_module+0x6249/0x7110 [<00000000beba61b8>] __do_sys_finit_module+0x140/0x200 [<00000000fdcfff51>] do_syscall_64+0x35/0x80 [<000000003c0f1f71>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 That is because q->ma_ops is set to NULL before blk_release_queue is called. blk_mq_init_queue_data blk_mq_init_allocated_queue blk_mq_realloc_hw_ctxs for (i = 0; i < set->nr_hw_queues; i++) { old_hctx = xa_load(&q->hctx_table, i); if (!blk_mq_alloc_and_init_hctx(.., i, ..)) [1] if (!old_hctx) break; xa_for_each_start(&q->hctx_table, j, hctx, j) blk_mq_exit_hctx(q, set, hctx, j); [2] if (!q->nr_hw_queues) [3] goto err_hctxs; err_exit: q->mq_ops = NULL; [4] blk_put_queue blk_release_queue if (queue_is_mq(q)) [5] blk_mq_release(q); [1]: blk_mq_alloc_and_init_hctx failed at i != 0. [2]: The hctxs allocated by [1] are moved to q->unused_hctx_list and will be cleaned up in blk_mq_release. [3]: q->nr_hw_queues is 0. [4]: Set q->mq_ops to NULL. [5]: queue_is_mq returns false due to [4]. And blk_mq_release will not be called. The hctxs in q->unused_hctx_list are leaked. To fix it, call blk_release_queue in exception path. Fixes: 2f8f1336a48b ("blk-mq: always free hctx after request queue is freed") Signed-off-by: Yuan Can <yuancan(a)huawei.com> Signed-off-by: Chen Jun <chenjun102(a)huawei.com> Reviewed-by: Ming Lei <ming.lei(a)redhat.com> Link: https://lore.kernel.org/r/20221031031242.94107-1-chenjun102@huawei.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> [Denis: minor fix to resolve merge conflict.] Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- Backport fix for CVE-2022-49901 Link: https://nvd.nist.gov/vuln/detail/CVE-2022-49901 --- block/blk-mq.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/block/blk-mq.c b/block/blk-mq.c index 21531aa163cb..6dd1398d0301 100644 --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -3335,9 +3335,8 @@ struct request_queue *blk_mq_init_allocated_queue(struct blk_mq_tag_set *set, return q; err_hctxs: - kfree(q->queue_hw_ctx); - q->nr_hw_queues = 0; - blk_mq_sysfs_deinit(q); + blk_mq_release(q); + err_poll: blk_stat_free_callback(q->poll_cb); q->poll_cb = NULL; -- 2.43.0

6 days, 3 hours

1
0
0 0

[PATCH] usb: hub: fix detection of high tier USB3 devices behind suspended hubs

by Mathias Nyman

USB3 devices connected behind several external suspended hubs may not be detected when plugged in due to aggressive hub runtime pm suspend. The hub driver immediately runtime-suspends hubs if there are no active children or port activity. There is a delay between the wake signal causing hub resume, and driver visible port activity on the hub downstream facing ports. Most of the LFPS handshake, resume signaling and link training done on the downstream ports is not visible to the hub driver until completed, when device then will appear fully enabled and running on the port. This delay between wake signal and detectable port change is even more significant with chained suspended hubs where the wake signal will propagate upstream first. Suspended hubs will only start resuming downstream ports after upstream facing port resumes. The hub driver may resume a USB3 hub, read status of all ports, not yet see any activity, and runtime suspend back the hub before any port activity is visible. This exact case was seen when conncting USB3 devices to a suspended Thunderbolt dock. USB3 specification defines a 100ms tU3WakeupRetryDelay, indicating USB3 devices expect to be resumed within 100ms after signaling wake. if not then device will resend the wake signal. Give the USB3 hubs twice this time (200ms) to detect any port changes after resume, before allowing hub to runtime suspend again. Cc: stable(a)vger.kernel.org Fixes: 596d789a211d ("USB: set hub's default autosuspend delay as 0") Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/core/hub.c | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c index 770d1e91183c..5c12dfdef569 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -68,6 +68,12 @@ */ #define USB_SHORT_SET_ADDRESS_REQ_TIMEOUT 500 /* ms */ +/* + * Give SS hubs 200ms time after wake to train downstream links before + * assuming no port activity and allowing hub to runtime suspend back. + */ +#define USB_SS_PORT_U0_WAKE_TIME 200 /* ms */ + /* Protect struct usb_device->state and ->children members * Note: Both are also protected by ->dev.sem, except that ->state can * change to USB_STATE_NOTATTACHED even when the semaphore isn't held. */ @@ -1068,11 +1074,12 @@ int usb_remove_device(struct usb_device *udev) enum hub_activation_type { HUB_INIT, HUB_INIT2, HUB_INIT3, /* INITs must come first */ - HUB_POST_RESET, HUB_RESUME, HUB_RESET_RESUME, + HUB_POST_RESET, HUB_RESUME, HUB_RESET_RESUME, HUB_POST_RESUME, }; static void hub_init_func2(struct work_struct *ws); static void hub_init_func3(struct work_struct *ws); +static void hub_post_resume(struct work_struct *ws); static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) { @@ -1095,6 +1102,13 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) goto init2; goto init3; } + + if (type == HUB_POST_RESUME) { + usb_autopm_put_interface_async(to_usb_interface(hub->intfdev)); + hub_put(hub); + return; + } + hub_get(hub); /* The superspeed hub except for root hub has to use Hub Depth @@ -1343,6 +1357,16 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) device_unlock(&hdev->dev); } + if (type == HUB_RESUME && hub_is_superspeed(hub->hdev)) { + /* give usb3 downstream links training time after hub resume */ + INIT_DELAYED_WORK(&hub->init_work, hub_post_resume); + queue_delayed_work(system_power_efficient_wq, &hub->init_work, + msecs_to_jiffies(USB_SS_PORT_U0_WAKE_TIME)); + usb_autopm_get_interface_no_resume( + to_usb_interface(hub->intfdev)); + return; + } + hub_put(hub); } @@ -1361,6 +1385,13 @@ static void hub_init_func3(struct work_struct *ws) hub_activate(hub, HUB_INIT3); } +static void hub_post_resume(struct work_struct *ws) +{ + struct usb_hub *hub = container_of(ws, struct usb_hub, init_work.work); + + hub_activate(hub, HUB_POST_RESUME); +} + enum hub_quiescing_type { HUB_DISCONNECT, HUB_PRE_RESET, HUB_SUSPEND }; -- 2.43.0

6 days, 3 hours

3
3
0 0

[PATCH 5.10] lib/generic-radix-tree.c: Don't overflow in peek()

by Denis Arefev

From: Kent Overstreet <kent.overstreet(a)gmail.com> commit 9492261ff2460252cf2d8de89cdf854c7e2b28a0 upstream. When we started spreading new inode numbers throughout most of the 64 bit inode space, that triggered some corner case bugs, in particular some integer overflows related to the radix tree code. Oops. Fixes: ba20ba2e3743 ("generic radix trees") Signed-off-by: Kent Overstreet <kent.overstreet(a)gmail.com> [Denis: minor fix to resolve merge conflict and add tag Fixes] Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- Backport fix for CVE-2021-47432 Link: https://nvd.nist.gov/vuln/detail/cve-2021-47432 --- include/linux/generic-radix-tree.h | 7 +++++++ lib/generic-radix-tree.c | 17 ++++++++++++++--- 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/include/linux/generic-radix-tree.h b/include/linux/generic-radix-tree.h index bfd00320c7f3..0e7abc635e5f 100644 --- a/include/linux/generic-radix-tree.h +++ b/include/linux/generic-radix-tree.h @@ -39,6 +39,7 @@ #include <asm/page.h> #include <linux/bug.h> #include <linux/kernel.h> +#include <linux/limits.h> #include <linux/log2.h> struct genradix_root; @@ -183,6 +184,12 @@ void *__genradix_iter_peek(struct genradix_iter *, struct __genradix *, size_t); static inline void __genradix_iter_advance(struct genradix_iter *iter, size_t obj_size) { + if (iter->offset + obj_size < iter->offset) { + iter->offset = SIZE_MAX; + iter->pos = SIZE_MAX; + return; + } + iter->offset += obj_size; if (!is_power_of_2(obj_size) && diff --git a/lib/generic-radix-tree.c b/lib/generic-radix-tree.c index 34d3ac52de89..78f081d695d0 100644 --- a/lib/generic-radix-tree.c +++ b/lib/generic-radix-tree.c @@ -168,6 +168,10 @@ void *__genradix_iter_peek(struct genradix_iter *iter, struct genradix_root *r; struct genradix_node *n; unsigned level, i; + + if (iter->offset == SIZE_MAX) + return NULL; + restart: r = READ_ONCE(radix->root); if (!r) @@ -186,10 +190,17 @@ void *__genradix_iter_peek(struct genradix_iter *iter, (GENRADIX_ARY - 1); while (!n->children[i]) { + size_t objs_per_ptr = genradix_depth_size(level); + + if (iter->offset + objs_per_ptr < iter->offset) { + iter->offset = SIZE_MAX; + iter->pos = SIZE_MAX; + return NULL; + } + i++; - iter->offset = round_down(iter->offset + - genradix_depth_size(level), - genradix_depth_size(level)); + iter->offset = round_down(iter->offset + objs_per_ptr, + objs_per_ptr); iter->pos = (iter->offset >> PAGE_SHIFT) * objs_per_page; if (i == GENRADIX_ARY) -- 2.43.0

6 days, 4 hours

1
0
0 0

[PATCH v9 2/4] serial: 8250_dw: fix PSLVERR on RX_TIMEOUT

by Yunhui Cui

The DW UART may trigger the RX_TIMEOUT interrupt without data present and remain stuck in this state indefinitely. The dw8250_handle_irq() function detects this condition by checking if the UART_LSR_DR bit is not set when RX_TIMEOUT occurs. When detected, it performs a "dummy read" to recover the DW UART from this state. When the PSLVERR_RESP_EN parameter is set to 1, reading the UART_RX while the FIFO is enabled and UART_LSR_DR is not set will generate a PSLVERR error, which may lead to a system panic. There are two methods to prevent PSLVERR: one is to check if UART_LSR_DR is set before reading UART_RX when the FIFO is enabled, and the other is to read UART_RX when the FIFO is disabled. Given these two scenarios, the FIFO must be disabled before the "dummy read" operation and re-enabled afterward to maintain normal UART functionality. Fixes: 424d79183af0 ("serial: 8250_dw: Avoid "too much work" from bogus rx timeout interrupt") Signed-off-by: Yunhui Cui <cuiyunhui(a)bytedance.com> Cc: stable(a)vger.kernel.org --- drivers/tty/serial/8250/8250_dw.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/8250/8250_dw.c b/drivers/tty/serial/8250/8250_dw.c index 1902f29444a1c..082b7fcf251db 100644 --- a/drivers/tty/serial/8250/8250_dw.c +++ b/drivers/tty/serial/8250/8250_dw.c @@ -297,9 +297,17 @@ static int dw8250_handle_irq(struct uart_port *p) uart_port_lock_irqsave(p, &flags); status = serial_lsr_in(up); - if (!(status & (UART_LSR_DR | UART_LSR_BI))) + if (!(status & (UART_LSR_DR | UART_LSR_BI))) { + /* To avoid PSLVERR, disable the FIFO first. */ + if (up->fcr & UART_FCR_ENABLE_FIFO) + serial_out(up, UART_FCR, 0); + serial_port_in(p, UART_RX); + if (up->fcr & UART_FCR_ENABLE_FIFO) + serial_out(up, UART_FCR, up->fcr); + } + uart_port_unlock_irqrestore(p, flags); } -- 2.39.5

6 days, 5 hours

1
0
0 0

[PATCH v9 1/4] serial: 8250: fix panic due to PSLVERR

by Yunhui Cui

When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an attempt is made to read an empty RBR (Receive Buffer Register) while the FIFO is enabled. In serial8250_do_startup(), calling serial_port_out(port, UART_LCR, UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter function enables the FIFO via serial_out(p, UART_FCR, p->fcr). Execution proceeds to the serial_port_in(port, UART_RX). This satisfies the PSLVERR trigger condition. When another CPU (e.g., using printk()) is accessing the UART (UART is busy), the current CPU fails the check (value & ~UART_LCR_SPAR) == (lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter dw8250_force_idle(). Put serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock to fix this issue. Panic backtrace: [ 0.442336] Oops - unknown exception [#1] [ 0.442343] epc : dw8250_serial_in32+0x1e/0x4a [ 0.442351] ra : serial8250_do_startup+0x2c8/0x88e ... [ 0.442416] console_on_rootfs+0x26/0x70 Fixes: c49436b657d0 ("serial: 8250_dw: Improve unwritable LCR workaround") Link: https://lore.kernel.org/all/84cydt5peu.fsf@jogness.linutronix.de/T/ Signed-off-by: Yunhui Cui <cuiyunhui(a)bytedance.com> Cc: stable(a)vger.kernel.org --- drivers/tty/serial/8250/8250_port.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c index 6d7b8c4667c9c..07fe818dffa34 100644 --- a/drivers/tty/serial/8250/8250_port.c +++ b/drivers/tty/serial/8250/8250_port.c @@ -2376,9 +2376,10 @@ int serial8250_do_startup(struct uart_port *port) /* * Now, initialize the UART */ - serial_port_out(port, UART_LCR, UART_LCR_WLEN8); uart_port_lock_irqsave(port, &flags); + serial_port_out(port, UART_LCR, UART_LCR_WLEN8); + if (up->port.flags & UPF_FOURPORT) { if (!up->port.irq) up->port.mctrl |= TIOCM_OUT1; -- 2.39.5

6 days, 5 hours

1
0
0 0

[PATCH v8 1/4] serial: 8250: fix panic due to PSLVERR

by Yunhui Cui

When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an attempt is made to read an empty RBR (Receive Buffer Register) while the FIFO is enabled. In serial8250_do_startup(), calling serial_port_out(port, UART_LCR, UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter function enables the FIFO via serial_out(p, UART_FCR, p->fcr). Execution proceeds to the serial_port_in(port, UART_RX). This satisfies the PSLVERR trigger condition. When another CPU (e.g., using printk()) is accessing the UART (UART is busy), the current CPU fails the check (value & ~UART_LCR_SPAR) == (lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter dw8250_force_idle(). Put serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock to fix this issue. Panic backtrace: [ 0.442336] Oops - unknown exception [#1] [ 0.442343] epc : dw8250_serial_in32+0x1e/0x4a [ 0.442351] ra : serial8250_do_startup+0x2c8/0x88e ... [ 0.442416] console_on_rootfs+0x26/0x70 Fixes: c49436b657d0 ("serial: 8250_dw: Improve unwritable LCR workaround") Link: https://lore.kernel.org/all/84cydt5peu.fsf@jogness.linutronix.de/T/ Signed-off-by: Yunhui Cui <cuiyunhui(a)bytedance.com> Cc: stable(a)vger.kernel.org --- drivers/tty/serial/8250/8250_port.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c index 6d7b8c4667c9c..07fe818dffa34 100644 --- a/drivers/tty/serial/8250/8250_port.c +++ b/drivers/tty/serial/8250/8250_port.c @@ -2376,9 +2376,10 @@ int serial8250_do_startup(struct uart_port *port) /* * Now, initialize the UART */ - serial_port_out(port, UART_LCR, UART_LCR_WLEN8); uart_port_lock_irqsave(port, &flags); + serial_port_out(port, UART_LCR, UART_LCR_WLEN8); + if (up->port.flags & UPF_FOURPORT) { if (!up->port.irq) up->port.mctrl |= TIOCM_OUT1; -- 2.39.5

6 days, 5 hours

5
9
0 0

[PATCH 0/3] clk: samsung: gs101 & exynos850 fixes

by André Draszik

Hi, The patches fix some errors in the gs101 clock driver as well as a trivial comment typo in the Exynos E850 clock driver. Cheers, Andre Signed-off-by: André Draszik <andre.draszik(a)linaro.org> --- André Draszik (3): clk: samsung: gs101: fix CLK_DOUT_CMU_G3D_BUSD clk: samsung: gs101: fix alternate mout_hsi0_usb20_ref parent clock clk: samsung: exynos850: fix a comment drivers/clk/samsung/clk-exynos850.c | 2 +- drivers/clk/samsung/clk-gs101.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) --- base-commit: a0bea9e39035edc56a994630e6048c8a191a99d8 change-id: 20250519-samsung-clk-fixes-a4f5bfb54c73 Best regards, -- André Draszik <andre.draszik(a)linaro.org>

6 days, 6 hours

2
4
0 0

[PATCH] uapi: bitops: use UAPI-safe variant of BITS_PER_LONG again

by Thomas Weißschuh

Commit 1e7933a575ed ("uapi: Revert "bitops: avoid integer overflow in GENMASK(_ULL)"") did not take in account that the usage of BITS_PER_LONG in __GENMASK() was changed to __BITS_PER_LONG for UAPI-safety in commit 3c7a8e190bc5 ("uapi: introduce uapi-friendly macros for GENMASK"). BITS_PER_LONG can not be used in UAPI headers as it derives from the kernel configuration and not from the current compiler invocation. When building compat userspace code or a compat vDSO its value will be incorrect. Switch back to __BITS_PER_LONG. Fixes: 1e7933a575ed ("uapi: Revert "bitops: avoid integer overflow in GENMASK(_ULL)"") Cc: stable(a)vger.kernel.org Signed-off-by: Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> --- include/uapi/linux/bits.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/uapi/linux/bits.h b/include/uapi/linux/bits.h index 682b406e10679dc8baa188830ab0811e7e3e13e3..a04afef9efca42f062e142fcb33f5d267512b1e5 100644 --- a/include/uapi/linux/bits.h +++ b/include/uapi/linux/bits.h @@ -4,9 +4,9 @@ #ifndef _UAPI_LINUX_BITS_H #define _UAPI_LINUX_BITS_H -#define __GENMASK(h, l) (((~_UL(0)) << (l)) & (~_UL(0) >> (BITS_PER_LONG - 1 - (h)))) +#define __GENMASK(h, l) (((~_UL(0)) << (l)) & (~_UL(0) >> (__BITS_PER_LONG - 1 - (h)))) -#define __GENMASK_ULL(h, l) (((~_ULL(0)) << (l)) & (~_ULL(0) >> (BITS_PER_LONG_LONG - 1 - (h)))) +#define __GENMASK_ULL(h, l) (((~_ULL(0)) << (l)) & (~_ULL(0) >> (__BITS_PER_LONG_LONG - 1 - (h)))) #define __GENMASK_U128(h, l) \ ((_BIT128((h)) << 1) - (_BIT128(l))) --- base-commit: e271ed52b344ac02d4581286961d0c40acc54c03 change-id: 20250606-uapi-genmask-e07667de69ec Best regards, -- Thomas Weißschuh <thomas.weissschuh(a)linutronix.de>

6 days, 7 hours

3
4
0 0

[PATCH AUTOSEL 6.1 1/9] cifs: Correctly set SMB1 SessionKey field in Session Setup Request

by Sasha Levin

From: Pali Rohár <pali(a)kernel.org> [ Upstream commit 89381c72d52094988e11d23ef24a00066a0fa458 ] [MS-CIFS] specification in section 2.2.4.53.1 where is described SMB_COM_SESSION_SETUP_ANDX Request, for SessionKey field says: The client MUST set this field to be equal to the SessionKey field in the SMB_COM_NEGOTIATE Response for this SMB connection. Linux SMB client currently set this field to zero. This is working fine against Windows NT SMB servers thanks to [MS-CIFS] product behavior <94>: Windows NT Server ignores the client's SessionKey. For compatibility with [MS-CIFS], set this SessionKey field in Session Setup Request to value retrieved from Negotiate response. Signed-off-by: Pali Rohár <pali(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- Based on my comprehensive analysis of both the commit message and code changes, examining the current kernel tree context: **YES** ## Extensive Analysis ### **Nature of the Fix** This is a **specification compliance fix** for SMB1 protocol handling. The commit addresses a clear violation of the MS-CIFS specification section 2.2.4.53.1, which mandates that the SessionKey field in SMB_COM_SESSION_SETUP_ANDX Request must be set to the value from the SMB_COM_NEGOTIATE Response. ### **Code Changes Analysis** **1. Structural Changes (Low Risk)** - **cifsglob.h**: Adds `__le32 session_key_id` to `TCP_Server_Info` structure - minimal ABI impact as this is kernel-internal - **cifspdu.h**: Corrects endianness annotations from `__u32` to `__le32` - pure annotation fix, no behavioral change **2. Functional Changes (Contained and Safe)** - **cifssmb.c**: Captures SessionKey from negotiate response (`server->session_key_id = pSMBr->SessionKey`) - simple field assignment - **sess.c**: Sets SessionKey in session setup request (`pSMB->req.SessionKey = server->session_key_id`) - follows specification requirement ### **Risk Assessment** **Minimal Regression Risk:** - Changes are isolated to SMB1 legacy protocol code - Current behavior (setting SessionKey to zero) works with Windows NT due to MS- CIFS product behavior <94> - New behavior follows specification exactly, improving compatibility with non-Windows SMB1 servers - No security implications - purely a protocol compliance improvement **Code Maturity:** - SMB1 session setup code is very mature and stable - Limited recent changes in this area except compatibility fixes - Well- understood code path with clear specification backing ### **Backport Suitability Criteria Met** **1. Important Bug Fix:** ✅ Fixes protocol specification violation that could cause compatibility issues with strict SMB1 implementations **2. Small and Contained:** ✅ Four minimal changes across related files, all implementing the same specification requirement **3. Clear Side Effects:** ✅ No side effects beyond fixing the specification compliance issue **4. No Architectural Changes:** ✅ Simple field additions and assignments, no structural changes **5. Non- Critical Subsystem:** ✅ Legacy SMB1 protocol code, deprecated since 2017 **6. Minimal Risk:** ✅ Maintains backward compatibility while improving forward compatibility **7. Stable Tree Rules Compliance:** ✅ Important compatibility bugfix with minimal regression risk ### **Comparison to Similar Commits** This commit closely matches the pattern of **Similar Commit #3** and **Similar Commit #5** (both marked YES for backporting): - Protocol compliance improvements - Session setup related fixes - Clear specification backing - Minimal, contained changes - Authored by maintainers (Steve French involvement) ### **Conclusion** This commit represents an ideal stable backport candidate: a clear specification compliance fix with minimal code changes, no security implications, and improvement in interoperability. The fix ensures Linux kernel SMB client properly follows MS-CIFS specification, which is valuable for enterprise environments using diverse SMB1 server implementations. fs/smb/client/cifsglob.h | 1 + fs/smb/client/cifspdu.h | 6 +++--- fs/smb/client/cifssmb.c | 1 + fs/smb/client/sess.c | 1 + 4 files changed, 6 insertions(+), 3 deletions(-) diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h index 17fce0afb297f..9c5aa646b8cc8 100644 --- a/fs/smb/client/cifsglob.h +++ b/fs/smb/client/cifsglob.h @@ -675,6 +675,7 @@ struct TCP_Server_Info { char workstation_RFC1001_name[RFC1001_NAME_LEN_WITH_NULL]; __u32 sequence_number; /* for signing, protected by srv_mutex */ __u32 reconnect_instance; /* incremented on each reconnect */ + __le32 session_key_id; /* retrieved from negotiate response and send in session setup request */ struct session_key session_key; unsigned long lstrp; /* when we got last response from this server */ struct cifs_secmech secmech; /* crypto sec mech functs, descriptors */ diff --git a/fs/smb/client/cifspdu.h b/fs/smb/client/cifspdu.h index 9cb4577063344..a682c50d7ace4 100644 --- a/fs/smb/client/cifspdu.h +++ b/fs/smb/client/cifspdu.h @@ -557,7 +557,7 @@ typedef union smb_com_session_setup_andx { __le16 MaxBufferSize; __le16 MaxMpxCount; __le16 VcNumber; - __u32 SessionKey; + __le32 SessionKey; __le16 SecurityBlobLength; __u32 Reserved; __le32 Capabilities; /* see below */ @@ -576,7 +576,7 @@ typedef union smb_com_session_setup_andx { __le16 MaxBufferSize; __le16 MaxMpxCount; __le16 VcNumber; - __u32 SessionKey; + __le32 SessionKey; __le16 CaseInsensitivePasswordLength; /* ASCII password len */ __le16 CaseSensitivePasswordLength; /* Unicode password length*/ __u32 Reserved; /* see below */ @@ -614,7 +614,7 @@ typedef union smb_com_session_setup_andx { __le16 MaxBufferSize; __le16 MaxMpxCount; __le16 VcNumber; - __u32 SessionKey; + __le32 SessionKey; __le16 PasswordLength; __u32 Reserved; /* encrypt key len and offset */ __le16 ByteCount; diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c index 6077fe1dcc9ce..0c6ade1968947 100644 --- a/fs/smb/client/cifssmb.c +++ b/fs/smb/client/cifssmb.c @@ -469,6 +469,7 @@ CIFSSMBNegotiate(const unsigned int xid, server->max_rw = le32_to_cpu(pSMBr->MaxRawSize); cifs_dbg(NOISY, "Max buf = %d\n", ses->server->maxBuf); server->capabilities = le32_to_cpu(pSMBr->Capabilities); + server->session_key_id = pSMBr->SessionKey; server->timeAdj = (int)(__s16)le16_to_cpu(pSMBr->ServerTimeZone); server->timeAdj *= 60; diff --git a/fs/smb/client/sess.c b/fs/smb/client/sess.c index c8f7ae0a20064..883d1cb1fc8b0 100644 --- a/fs/smb/client/sess.c +++ b/fs/smb/client/sess.c @@ -605,6 +605,7 @@ static __u32 cifs_ssetup_hdr(struct cifs_ses *ses, USHRT_MAX)); pSMB->req.MaxMpxCount = cpu_to_le16(server->maxReq); pSMB->req.VcNumber = cpu_to_le16(1); + pSMB->req.SessionKey = server->session_key_id; /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */ -- 2.39.5

6 days, 10 hours

3
10
0 0

[PATCH] x86/fpu: Ensure XFD state on signal delivery

by Chang S. Bae

Sean reported [1] the following splat when running KVM tests: WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70 Call Trace: <TASK> fpu__clear_user_states+0x9c/0x100 arch_do_signal_or_restart+0x142/0x210 exit_to_user_mode_loop+0x55/0x100 do_syscall_64+0x205/0x2c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Chao further identified [2] a reproducible scenarios involving signal delivery: a non-AMX task is preempted by an AMX-enabled task which modifies the XFD MSR. When the non-AMX task resumes and reloads XSTATE with init values, a warning is triggered due to a mismatch between fpstate::xfd and the CPU's current XFD state. fpu__clear_user_states() does not currently re-synchronize the XFD state after such preemption. Invoke xfd_update_state() which detects and corrects the mismatch if the dynamic feature is enabled. This also benefits the sigreturn path, as fpu__restore_sig() may call fpu__clear_user_states() when the sigframe is inaccessible. Fixes: 672365477ae8a ("x86/fpu: Update XFD state where required") Reported-by: Sean Christopherson <seanjc(a)google.com> Closes: https://lore.kernel.org/lkml/aDCo_SczQOUaB2rS@google.com [1] Tested-by: Chao Gao <chao.gao(a)intel.com> Signed-off-by: Chang S. Bae <chang.seok.bae(a)intel.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/all/aDWbctO%2FRfTGiCg3@intel.com [2] --- arch/x86/kernel/fpu/core.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c index ea138583dd92..5fa782a2ae7c 100644 --- a/arch/x86/kernel/fpu/core.c +++ b/arch/x86/kernel/fpu/core.c @@ -800,6 +800,9 @@ void fpu__clear_user_states(struct fpu *fpu) !fpregs_state_valid(fpu, smp_processor_id())) os_xrstor_supervisor(fpu->fpstate); + /* Ensure XFD state is in sync before reloading XSTATE */ + xfd_update_state(fpu->fpstate); + /* Reset user states in registers. */ restore_fpregs_from_init_fpstate(XFEATURE_MASK_USER_RESTORE); -- 2.48.1

6 days, 13 hours

2
1
0 0

[PATCH net] netrom: fix possible deadlock in nr_rt_device_down

by Denis Arefev

Syzkaller detected a possible deadlock in nr_rt_device_down [1] Locking in concurrent threads can cause deadlock. CPU0 ---- nr_rt_device_down() |-> spin_lock_bh(&nr_neigh_list_lock); capture . . . |-> spin_lock_bh(&nr_node_list_lock); waiting and deadlock CPU1 ---- nr_del_node() |-> spin_lock_bh(&nr_node_list_lock); capture . . . |-> nr_remove_neigh(nr_neigh); |-> spin_lock_bh(&nr_neigh_list_lock); waiting for capture Make sure we always get nr_neigh_list_lock before nr_node_list_lock. [1] WARNING: possible circular locking dependency detected 6.15.0-rc2-syzkaller-00278-gfc96b232f8e7 #0 Not tainted ------------------------------------------------------ syz-executor107/6105 is trying to acquire lock: ffffffff902543b8 (nr_node_list_lock){+...}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] ffffffff902543b8 (nr_node_list_lock){+...}-{3:3}, at: nr_rt_device_down+0xb5/0x7b0 net/netrom/nr_route.c:517 but task is already holding lock: ffffffff90254358 (nr_neigh_list_lock){+...}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] ffffffff90254358 (nr_neigh_list_lock){+...}-{3:3}, at: nr_rt_device_down+0x28/0x7b0 net/netrom/nr_route.c:514 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (nr_neigh_list_lock){+...}-{3:3}: lock_acquire+0x116/0x2f0 kernel/locking/lockdep.c:5866 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] nr_remove_neigh net/netrom/nr_route.c:307 [inline] nr_dec_obs net/netrom/nr_route.c:472 [inline] nr_rt_ioctl+0x39a/0xff0 net/netrom/nr_route.c:692 sock_do_ioctl+0x152/0x400 net/socket.c:1190 sock_ioctl+0x644/0x900 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf3/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #1 (&nr_node->node_lock){+...}-{3:3}: lock_acquire+0x116/0x2f0 kernel/locking/lockdep.c:5866 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] nr_node_lock include/net/netrom.h:152 [inline] nr_dec_obs net/netrom/nr_route.c:459 [inline] nr_rt_ioctl+0x194/0xff0 net/netrom/nr_route.c:692 sock_do_ioctl+0x152/0x400 net/socket.c:1190 sock_ioctl+0x644/0x900 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf3/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (nr_node_list_lock){+...}-{3:3}: check_prev_add kernel/locking/lockdep.c:3166 [inline] check_prevs_add kernel/locking/lockdep.c:3285 [inline] validate_chain+0xa69/0x24e0 kernel/locking/lockdep.c:3909 __lock_acquire+0xad5/0xd80 kernel/locking/lockdep.c:5235 lock_acquire+0x116/0x2f0 kernel/locking/lockdep.c:5866 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] nr_rt_device_down+0xb5/0x7b0 net/netrom/nr_route.c:517 nr_device_event+0x134/0x150 net/netrom/af_netrom.c:126 notifier_call_chain+0x1a5/0x3f0 kernel/notifier.c:85 __dev_notify_flags+0x209/0x410 net/core/dev.c:-1 netif_change_flags+0xf0/0x1a0 net/core/dev.c:9434 dev_change_flags+0x146/0x270 net/core/dev_api.c:68 dev_ioctl+0x80f/0x1260 net/core/dev_ioctl.c:821 sock_do_ioctl+0x22f/0x400 net/socket.c:1204 sock_ioctl+0x644/0x900 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf3/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f other info that might help us debug this: Chain exists of: nr_node_list_lock --> &nr_node->node_lock --> nr_neigh_list_lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(nr_neigh_list_lock); lock(&nr_node->node_lock); lock(nr_neigh_list_lock); lock(nr_node_list_lock); *** DEADLOCK *** 2 locks held by syz-executor107/6105: #0: ffffffff900fd788 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline] #0: ffffffff900fd788 (rtnl_mutex){+.+.}-{4:4}, at: dev_ioctl+0x7fd/0x1260 net/core/dev_ioctl.c:820 #1: ffffffff90254358 (nr_neigh_list_lock){+...}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] #1: ffffffff90254358 (nr_neigh_list_lock){+...}-{3:3}, at: nr_rt_device_down+0x28/0x7b0 net/netrom/nr_route.c:514 stack backtrace: CPU: 0 UID: 0 PID: 6105 Comm: syz-executor107 Not tainted 6.15.0-rc2-syzkaller-00278-gfc96b232f8e7 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_circular_bug+0x2e1/0x300 kernel/locking/lockdep.c:2079 check_noncircular+0x142/0x160 kernel/locking/lockdep.c:2211 check_prev_add kernel/locking/lockdep.c:3166 [inline] check_prevs_add kernel/locking/lockdep.c:3285 [inline] validate_chain+0xa69/0x24e0 kernel/locking/lockdep.c:3909 __lock_acquire+0xad5/0xd80 kernel/locking/lockdep.c:5235 lock_acquire+0x116/0x2f0 kernel/locking/lockdep.c:5866 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] nr_rt_device_down+0xb5/0x7b0 net/netrom/nr_route.c:517 nr_device_event+0x134/0x150 net/netrom/af_netrom.c:126 notifier_call_chain+0x1a5/0x3f0 kernel/notifier.c:85 __dev_notify_flags+0x209/0x410 net/core/dev.c:-1 netif_change_flags+0xf0/0x1a0 net/core/dev.c:9434 dev_change_flags+0x146/0x270 net/core/dev_api.c:68 dev_ioctl+0x80f/0x1260 net/core/dev_ioctl.c:821 sock_do_ioctl+0x22f/0x400 net/socket.c:1204 sock_ioctl+0x644/0x900 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf3/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Reported-by: syzbot+ccdfb85a561b973219c7(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ccdfb85a561b973219c7 Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- net/netrom/nr_route.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c index b94cb2ffbaf8..aae0923dbcf0 100644 --- a/net/netrom/nr_route.c +++ b/net/netrom/nr_route.c @@ -331,6 +331,7 @@ static int nr_del_node(ax25_address *callsign, ax25_address *neighbour, struct n return -EINVAL; } + spin_lock_bh(&nr_neigh_list_lock); spin_lock_bh(&nr_node_list_lock); nr_node_lock(nr_node); for (i = 0; i < nr_node->count; i++) { @@ -339,7 +340,7 @@ static int nr_del_node(ax25_address *callsign, ax25_address *neighbour, struct n nr_neigh_put(nr_neigh); if (nr_neigh->count == 0 && !nr_neigh->locked) - nr_remove_neigh(nr_neigh); + nr_remove_neigh_locked(nr_neigh); nr_neigh_put(nr_neigh); nr_node->count--; @@ -361,13 +362,14 @@ static int nr_del_node(ax25_address *callsign, ax25_address *neighbour, struct n } nr_node_unlock(nr_node); spin_unlock_bh(&nr_node_list_lock); - + spin_unlock_bh(&nr_neigh_list_lock); return 0; } } nr_neigh_put(nr_neigh); nr_node_unlock(nr_node); spin_unlock_bh(&nr_node_list_lock); + spin_unlock_bh(&nr_neigh_list_lock); nr_node_put(nr_node); return -EINVAL; -- 2.43.0

6 days, 15 hours

2
1
0 0

[PATCH AUTOSEL 5.4 1/3] ALSA: hda: Ignore unsol events for cards being shut down

by Sasha Levin

From: Cezary Rojewski <cezary.rojewski(a)intel.com> [ Upstream commit 3f100f524e75586537e337b34d18c8d604b398e7 ] For the classic snd_hda_intel driver, codec->card and bus->card point to the exact same thing. When snd_card_diconnect() fires, bus->shutdown is set thanks to azx_dev_disconnect(). card->shutdown is already set when that happens but both provide basically the same functionality. For the DSP snd_soc_avs driver where multiple codecs are located on multiple cards, bus->shutdown 'shortcut' is not sufficient. One codec card may be unregistered while other codecs are still operational. Proper check in form of card->shutdown must be used to verify whether the codec's card is being shut down. Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski(a)linux.intel.com> Signed-off-by: Cezary Rojewski <cezary.rojewski(a)intel.com> Link: https://patch.msgid.link/20250530141309.2943404-1-cezary.rojewski@intel.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. Here's my extensive analysis: ## Technical Analysis ### Core Problem Being Fixed The commit addresses a **shutdown race condition** in multi-codec HDA systems, specifically in DSP/AVS drivers where multiple HDA codecs exist on the same sound card but with separate bus instances. The change modifies line 47 in `sound/pci/hda/hda_bind.c`: **Before:** ```c if (codec->bus->shutdown) return; ``` **After:** ```c if (codec->card->shutdown || codec->bus->shutdown) return; ``` ### Why This is a Good Backport Candidate **1. Bug Fix Nature - Small and Contained** - This is a clear **bug fix** addressing a specific shutdown race condition - The change is **minimal** (adding one condition check) and **well- contained** - No architectural changes or new features introduced - Low risk of introducing regressions **2. Critical Subsystem Impact** - Affects **HD-audio subsystem** which is critical for audio functionality - Could prevent system crashes or hangs during shutdown in multi-codec scenarios - Improves system stability during shutdown sequences **3. Technical Correctness** The fix addresses a **fundamental timing issue**: - In multi-codec systems, `card->shutdown` is set at the ALSA core level during `snd_card_disconnect()` - `bus->shutdown` is set later at the HDA controller level during individual codec shutdown - **Gap exists** where unsol events could be processed after card shutdown but before bus shutdown - This can cause codec operations on an already-disconnected sound card **4. Follows Stable Tree Criteria** - **Important bug fix**: Prevents potential system instability during shutdown - **Minimal risk**: Only adds an additional safety check, doesn't change existing logic - **Well-understood**: The change is straightforward and follows existing patterns seen in similar commits - **Confined to subsystem**: Only affects HDA audio subsystem **5. Consistency with Similar Backported Commits** This follows the exact same pattern as the historical commits that were successfully backported: - **Similar Commit #1**: Added `bus->shutdown` check to prevent unsol events during shutdown - **Backported (YES)** - **Similar Commit #2**: Added suspend/resume state check to unsol handler - **Backported (YES)** - **Similar Commit #3**: Added jack disconnection during codec unbind - **Backported (YES)** - **Similar Commit #4**: Added bus_probing flag to serialize codec registration - **Backported (YES)** All these commits follow the same pattern: **small, targeted fixes to prevent race conditions in HDA shutdown/initialization sequences**. **6. Real-World Impact** - Affects **DSP/AVS audio systems** which are increasingly common in modern hardware - Without this fix, systems with multiple audio codecs could experience: - Kernel oops during shutdown - System hangs - Audio subsystem corruption - Unpredictable behavior during reboot sequences ### Risk Assessment **Very Low Risk:** - The change only **adds** a safety check, doesn't remove existing functionality - `card->shutdown` check is used extensively throughout the ALSA subsystem already - Maintains **backward compatibility** completely - If `card->shutdown` is false, behavior is identical to before - No changes to data structures, APIs, or functional logic ### Conclusion This commit represents a **textbook stable backport candidate**: it's a small, well-understood bug fix that addresses a real stability issue in a critical subsystem with minimal risk of regression. The pattern matches multiple previously successful backports in the same subsystem, and the technical merit is clear. sound/pci/hda/hda_bind.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/pci/hda/hda_bind.c b/sound/pci/hda/hda_bind.c index 17a25e453f60c..047fe6cca7f1a 100644 --- a/sound/pci/hda/hda_bind.c +++ b/sound/pci/hda/hda_bind.c @@ -44,7 +44,7 @@ static void hda_codec_unsol_event(struct hdac_device *dev, unsigned int ev) struct hda_codec *codec = container_of(dev, struct hda_codec, core); /* ignore unsol events during shutdown */ - if (codec->bus->shutdown) + if (codec->card->shutdown || codec->bus->shutdown) return; /* ignore unsol events during system suspend/resume */ -- 2.39.5

6 days, 15 hours

1
2
0 0

[PATCH AUTOSEL 5.10 1/4] ALSA: hda: Ignore unsol events for cards being shut down

by Sasha Levin

From: Cezary Rojewski <cezary.rojewski(a)intel.com> [ Upstream commit 3f100f524e75586537e337b34d18c8d604b398e7 ] For the classic snd_hda_intel driver, codec->card and bus->card point to the exact same thing. When snd_card_diconnect() fires, bus->shutdown is set thanks to azx_dev_disconnect(). card->shutdown is already set when that happens but both provide basically the same functionality. For the DSP snd_soc_avs driver where multiple codecs are located on multiple cards, bus->shutdown 'shortcut' is not sufficient. One codec card may be unregistered while other codecs are still operational. Proper check in form of card->shutdown must be used to verify whether the codec's card is being shut down. Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski(a)linux.intel.com> Signed-off-by: Cezary Rojewski <cezary.rojewski(a)intel.com> Link: https://patch.msgid.link/20250530141309.2943404-1-cezary.rojewski@intel.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. Here's my extensive analysis: ## Technical Analysis ### Core Problem Being Fixed The commit addresses a **shutdown race condition** in multi-codec HDA systems, specifically in DSP/AVS drivers where multiple HDA codecs exist on the same sound card but with separate bus instances. The change modifies line 47 in `sound/pci/hda/hda_bind.c`: **Before:** ```c if (codec->bus->shutdown) return; ``` **After:** ```c if (codec->card->shutdown || codec->bus->shutdown) return; ``` ### Why This is a Good Backport Candidate **1. Bug Fix Nature - Small and Contained** - This is a clear **bug fix** addressing a specific shutdown race condition - The change is **minimal** (adding one condition check) and **well- contained** - No architectural changes or new features introduced - Low risk of introducing regressions **2. Critical Subsystem Impact** - Affects **HD-audio subsystem** which is critical for audio functionality - Could prevent system crashes or hangs during shutdown in multi-codec scenarios - Improves system stability during shutdown sequences **3. Technical Correctness** The fix addresses a **fundamental timing issue**: - In multi-codec systems, `card->shutdown` is set at the ALSA core level during `snd_card_disconnect()` - `bus->shutdown` is set later at the HDA controller level during individual codec shutdown - **Gap exists** where unsol events could be processed after card shutdown but before bus shutdown - This can cause codec operations on an already-disconnected sound card **4. Follows Stable Tree Criteria** - **Important bug fix**: Prevents potential system instability during shutdown - **Minimal risk**: Only adds an additional safety check, doesn't change existing logic - **Well-understood**: The change is straightforward and follows existing patterns seen in similar commits - **Confined to subsystem**: Only affects HDA audio subsystem **5. Consistency with Similar Backported Commits** This follows the exact same pattern as the historical commits that were successfully backported: - **Similar Commit #1**: Added `bus->shutdown` check to prevent unsol events during shutdown - **Backported (YES)** - **Similar Commit #2**: Added suspend/resume state check to unsol handler - **Backported (YES)** - **Similar Commit #3**: Added jack disconnection during codec unbind - **Backported (YES)** - **Similar Commit #4**: Added bus_probing flag to serialize codec registration - **Backported (YES)** All these commits follow the same pattern: **small, targeted fixes to prevent race conditions in HDA shutdown/initialization sequences**. **6. Real-World Impact** - Affects **DSP/AVS audio systems** which are increasingly common in modern hardware - Without this fix, systems with multiple audio codecs could experience: - Kernel oops during shutdown - System hangs - Audio subsystem corruption - Unpredictable behavior during reboot sequences ### Risk Assessment **Very Low Risk:** - The change only **adds** a safety check, doesn't remove existing functionality - `card->shutdown` check is used extensively throughout the ALSA subsystem already - Maintains **backward compatibility** completely - If `card->shutdown` is false, behavior is identical to before - No changes to data structures, APIs, or functional logic ### Conclusion This commit represents a **textbook stable backport candidate**: it's a small, well-understood bug fix that addresses a real stability issue in a critical subsystem with minimal risk of regression. The pattern matches multiple previously successful backports in the same subsystem, and the technical merit is clear. sound/pci/hda/hda_bind.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/pci/hda/hda_bind.c b/sound/pci/hda/hda_bind.c index 0a83afa5f373c..6625643f333e8 100644 --- a/sound/pci/hda/hda_bind.c +++ b/sound/pci/hda/hda_bind.c @@ -44,7 +44,7 @@ static void hda_codec_unsol_event(struct hdac_device *dev, unsigned int ev) struct hda_codec *codec = container_of(dev, struct hda_codec, core); /* ignore unsol events during shutdown */ - if (codec->bus->shutdown) + if (codec->card->shutdown || codec->bus->shutdown) return; /* ignore unsol events during system suspend/resume */ -- 2.39.5

6 days, 15 hours

1
3
0 0

[PATCH AUTOSEL 5.15 1/5] ALSA: hda: Ignore unsol events for cards being shut down

by Sasha Levin

From: Cezary Rojewski <cezary.rojewski(a)intel.com> [ Upstream commit 3f100f524e75586537e337b34d18c8d604b398e7 ] For the classic snd_hda_intel driver, codec->card and bus->card point to the exact same thing. When snd_card_diconnect() fires, bus->shutdown is set thanks to azx_dev_disconnect(). card->shutdown is already set when that happens but both provide basically the same functionality. For the DSP snd_soc_avs driver where multiple codecs are located on multiple cards, bus->shutdown 'shortcut' is not sufficient. One codec card may be unregistered while other codecs are still operational. Proper check in form of card->shutdown must be used to verify whether the codec's card is being shut down. Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski(a)linux.intel.com> Signed-off-by: Cezary Rojewski <cezary.rojewski(a)intel.com> Link: https://patch.msgid.link/20250530141309.2943404-1-cezary.rojewski@intel.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. Here's my extensive analysis: ## Technical Analysis ### Core Problem Being Fixed The commit addresses a **shutdown race condition** in multi-codec HDA systems, specifically in DSP/AVS drivers where multiple HDA codecs exist on the same sound card but with separate bus instances. The change modifies line 47 in `sound/pci/hda/hda_bind.c`: **Before:** ```c if (codec->bus->shutdown) return; ``` **After:** ```c if (codec->card->shutdown || codec->bus->shutdown) return; ``` ### Why This is a Good Backport Candidate **1. Bug Fix Nature - Small and Contained** - This is a clear **bug fix** addressing a specific shutdown race condition - The change is **minimal** (adding one condition check) and **well- contained** - No architectural changes or new features introduced - Low risk of introducing regressions **2. Critical Subsystem Impact** - Affects **HD-audio subsystem** which is critical for audio functionality - Could prevent system crashes or hangs during shutdown in multi-codec scenarios - Improves system stability during shutdown sequences **3. Technical Correctness** The fix addresses a **fundamental timing issue**: - In multi-codec systems, `card->shutdown` is set at the ALSA core level during `snd_card_disconnect()` - `bus->shutdown` is set later at the HDA controller level during individual codec shutdown - **Gap exists** where unsol events could be processed after card shutdown but before bus shutdown - This can cause codec operations on an already-disconnected sound card **4. Follows Stable Tree Criteria** - **Important bug fix**: Prevents potential system instability during shutdown - **Minimal risk**: Only adds an additional safety check, doesn't change existing logic - **Well-understood**: The change is straightforward and follows existing patterns seen in similar commits - **Confined to subsystem**: Only affects HDA audio subsystem **5. Consistency with Similar Backported Commits** This follows the exact same pattern as the historical commits that were successfully backported: - **Similar Commit #1**: Added `bus->shutdown` check to prevent unsol events during shutdown - **Backported (YES)** - **Similar Commit #2**: Added suspend/resume state check to unsol handler - **Backported (YES)** - **Similar Commit #3**: Added jack disconnection during codec unbind - **Backported (YES)** - **Similar Commit #4**: Added bus_probing flag to serialize codec registration - **Backported (YES)** All these commits follow the same pattern: **small, targeted fixes to prevent race conditions in HDA shutdown/initialization sequences**. **6. Real-World Impact** - Affects **DSP/AVS audio systems** which are increasingly common in modern hardware - Without this fix, systems with multiple audio codecs could experience: - Kernel oops during shutdown - System hangs - Audio subsystem corruption - Unpredictable behavior during reboot sequences ### Risk Assessment **Very Low Risk:** - The change only **adds** a safety check, doesn't remove existing functionality - `card->shutdown` check is used extensively throughout the ALSA subsystem already - Maintains **backward compatibility** completely - If `card->shutdown` is false, behavior is identical to before - No changes to data structures, APIs, or functional logic ### Conclusion This commit represents a **textbook stable backport candidate**: it's a small, well-understood bug fix that addresses a real stability issue in a critical subsystem with minimal risk of regression. The pattern matches multiple previously successful backports in the same subsystem, and the technical merit is clear. sound/pci/hda/hda_bind.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/pci/hda/hda_bind.c b/sound/pci/hda/hda_bind.c index 8e35009ec25cb..a22f723ab3ab6 100644 --- a/sound/pci/hda/hda_bind.c +++ b/sound/pci/hda/hda_bind.c @@ -45,7 +45,7 @@ static void hda_codec_unsol_event(struct hdac_device *dev, unsigned int ev) struct hda_codec *codec = container_of(dev, struct hda_codec, core); /* ignore unsol events during shutdown */ - if (codec->bus->shutdown) + if (codec->card->shutdown || codec->bus->shutdown) return; /* ignore unsol events during system suspend/resume */ -- 2.39.5

6 days, 15 hours

1
4
0 0

[PATCH AUTOSEL 6.1 1/5] ALSA: hda: Ignore unsol events for cards being shut down

by Sasha Levin

From: Cezary Rojewski <cezary.rojewski(a)intel.com> [ Upstream commit 3f100f524e75586537e337b34d18c8d604b398e7 ] For the classic snd_hda_intel driver, codec->card and bus->card point to the exact same thing. When snd_card_diconnect() fires, bus->shutdown is set thanks to azx_dev_disconnect(). card->shutdown is already set when that happens but both provide basically the same functionality. For the DSP snd_soc_avs driver where multiple codecs are located on multiple cards, bus->shutdown 'shortcut' is not sufficient. One codec card may be unregistered while other codecs are still operational. Proper check in form of card->shutdown must be used to verify whether the codec's card is being shut down. Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski(a)linux.intel.com> Signed-off-by: Cezary Rojewski <cezary.rojewski(a)intel.com> Link: https://patch.msgid.link/20250530141309.2943404-1-cezary.rojewski@intel.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. Here's my extensive analysis: ## Technical Analysis ### Core Problem Being Fixed The commit addresses a **shutdown race condition** in multi-codec HDA systems, specifically in DSP/AVS drivers where multiple HDA codecs exist on the same sound card but with separate bus instances. The change modifies line 47 in `sound/pci/hda/hda_bind.c`: **Before:** ```c if (codec->bus->shutdown) return; ``` **After:** ```c if (codec->card->shutdown || codec->bus->shutdown) return; ``` ### Why This is a Good Backport Candidate **1. Bug Fix Nature - Small and Contained** - This is a clear **bug fix** addressing a specific shutdown race condition - The change is **minimal** (adding one condition check) and **well- contained** - No architectural changes or new features introduced - Low risk of introducing regressions **2. Critical Subsystem Impact** - Affects **HD-audio subsystem** which is critical for audio functionality - Could prevent system crashes or hangs during shutdown in multi-codec scenarios - Improves system stability during shutdown sequences **3. Technical Correctness** The fix addresses a **fundamental timing issue**: - In multi-codec systems, `card->shutdown` is set at the ALSA core level during `snd_card_disconnect()` - `bus->shutdown` is set later at the HDA controller level during individual codec shutdown - **Gap exists** where unsol events could be processed after card shutdown but before bus shutdown - This can cause codec operations on an already-disconnected sound card **4. Follows Stable Tree Criteria** - **Important bug fix**: Prevents potential system instability during shutdown - **Minimal risk**: Only adds an additional safety check, doesn't change existing logic - **Well-understood**: The change is straightforward and follows existing patterns seen in similar commits - **Confined to subsystem**: Only affects HDA audio subsystem **5. Consistency with Similar Backported Commits** This follows the exact same pattern as the historical commits that were successfully backported: - **Similar Commit #1**: Added `bus->shutdown` check to prevent unsol events during shutdown - **Backported (YES)** - **Similar Commit #2**: Added suspend/resume state check to unsol handler - **Backported (YES)** - **Similar Commit #3**: Added jack disconnection during codec unbind - **Backported (YES)** - **Similar Commit #4**: Added bus_probing flag to serialize codec registration - **Backported (YES)** All these commits follow the same pattern: **small, targeted fixes to prevent race conditions in HDA shutdown/initialization sequences**. **6. Real-World Impact** - Affects **DSP/AVS audio systems** which are increasingly common in modern hardware - Without this fix, systems with multiple audio codecs could experience: - Kernel oops during shutdown - System hangs - Audio subsystem corruption - Unpredictable behavior during reboot sequences ### Risk Assessment **Very Low Risk:** - The change only **adds** a safety check, doesn't remove existing functionality - `card->shutdown` check is used extensively throughout the ALSA subsystem already - Maintains **backward compatibility** completely - If `card->shutdown` is false, behavior is identical to before - No changes to data structures, APIs, or functional logic ### Conclusion This commit represents a **textbook stable backport candidate**: it's a small, well-understood bug fix that addresses a real stability issue in a critical subsystem with minimal risk of regression. The pattern matches multiple previously successful backports in the same subsystem, and the technical merit is clear. sound/pci/hda/hda_bind.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/pci/hda/hda_bind.c b/sound/pci/hda/hda_bind.c index 890c2f7c33fc2..4c7355a0814d1 100644 --- a/sound/pci/hda/hda_bind.c +++ b/sound/pci/hda/hda_bind.c @@ -45,7 +45,7 @@ static void hda_codec_unsol_event(struct hdac_device *dev, unsigned int ev) struct hda_codec *codec = container_of(dev, struct hda_codec, core); /* ignore unsol events during shutdown */ - if (codec->bus->shutdown) + if (codec->card->shutdown || codec->bus->shutdown) return; /* ignore unsol events during system suspend/resume */ -- 2.39.5

6 days, 15 hours

1
4
0 0

[PATCH AUTOSEL 6.6 1/6] ALSA: hda: Ignore unsol events for cards being shut down

by Sasha Levin

From: Cezary Rojewski <cezary.rojewski(a)intel.com> [ Upstream commit 3f100f524e75586537e337b34d18c8d604b398e7 ] For the classic snd_hda_intel driver, codec->card and bus->card point to the exact same thing. When snd_card_diconnect() fires, bus->shutdown is set thanks to azx_dev_disconnect(). card->shutdown is already set when that happens but both provide basically the same functionality. For the DSP snd_soc_avs driver where multiple codecs are located on multiple cards, bus->shutdown 'shortcut' is not sufficient. One codec card may be unregistered while other codecs are still operational. Proper check in form of card->shutdown must be used to verify whether the codec's card is being shut down. Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski(a)linux.intel.com> Signed-off-by: Cezary Rojewski <cezary.rojewski(a)intel.com> Link: https://patch.msgid.link/20250530141309.2943404-1-cezary.rojewski@intel.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. Here's my extensive analysis: ## Technical Analysis ### Core Problem Being Fixed The commit addresses a **shutdown race condition** in multi-codec HDA systems, specifically in DSP/AVS drivers where multiple HDA codecs exist on the same sound card but with separate bus instances. The change modifies line 47 in `sound/pci/hda/hda_bind.c`: **Before:** ```c if (codec->bus->shutdown) return; ``` **After:** ```c if (codec->card->shutdown || codec->bus->shutdown) return; ``` ### Why This is a Good Backport Candidate **1. Bug Fix Nature - Small and Contained** - This is a clear **bug fix** addressing a specific shutdown race condition - The change is **minimal** (adding one condition check) and **well- contained** - No architectural changes or new features introduced - Low risk of introducing regressions **2. Critical Subsystem Impact** - Affects **HD-audio subsystem** which is critical for audio functionality - Could prevent system crashes or hangs during shutdown in multi-codec scenarios - Improves system stability during shutdown sequences **3. Technical Correctness** The fix addresses a **fundamental timing issue**: - In multi-codec systems, `card->shutdown` is set at the ALSA core level during `snd_card_disconnect()` - `bus->shutdown` is set later at the HDA controller level during individual codec shutdown - **Gap exists** where unsol events could be processed after card shutdown but before bus shutdown - This can cause codec operations on an already-disconnected sound card **4. Follows Stable Tree Criteria** - **Important bug fix**: Prevents potential system instability during shutdown - **Minimal risk**: Only adds an additional safety check, doesn't change existing logic - **Well-understood**: The change is straightforward and follows existing patterns seen in similar commits - **Confined to subsystem**: Only affects HDA audio subsystem **5. Consistency with Similar Backported Commits** This follows the exact same pattern as the historical commits that were successfully backported: - **Similar Commit #1**: Added `bus->shutdown` check to prevent unsol events during shutdown - **Backported (YES)** - **Similar Commit #2**: Added suspend/resume state check to unsol handler - **Backported (YES)** - **Similar Commit #3**: Added jack disconnection during codec unbind - **Backported (YES)** - **Similar Commit #4**: Added bus_probing flag to serialize codec registration - **Backported (YES)** All these commits follow the same pattern: **small, targeted fixes to prevent race conditions in HDA shutdown/initialization sequences**. **6. Real-World Impact** - Affects **DSP/AVS audio systems** which are increasingly common in modern hardware - Without this fix, systems with multiple audio codecs could experience: - Kernel oops during shutdown - System hangs - Audio subsystem corruption - Unpredictable behavior during reboot sequences ### Risk Assessment **Very Low Risk:** - The change only **adds** a safety check, doesn't remove existing functionality - `card->shutdown` check is used extensively throughout the ALSA subsystem already - Maintains **backward compatibility** completely - If `card->shutdown` is false, behavior is identical to before - No changes to data structures, APIs, or functional logic ### Conclusion This commit represents a **textbook stable backport candidate**: it's a small, well-understood bug fix that addresses a real stability issue in a critical subsystem with minimal risk of regression. The pattern matches multiple previously successful backports in the same subsystem, and the technical merit is clear. sound/pci/hda/hda_bind.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/pci/hda/hda_bind.c b/sound/pci/hda/hda_bind.c index b7ca2a83fbb08..95786bdadfe6a 100644 --- a/sound/pci/hda/hda_bind.c +++ b/sound/pci/hda/hda_bind.c @@ -44,7 +44,7 @@ static void hda_codec_unsol_event(struct hdac_device *dev, unsigned int ev) struct hda_codec *codec = container_of(dev, struct hda_codec, core); /* ignore unsol events during shutdown */ - if (codec->bus->shutdown) + if (codec->card->shutdown || codec->bus->shutdown) return; /* ignore unsol events during system suspend/resume */ -- 2.39.5

6 days, 15 hours

1
5
0 0

[PATCH AUTOSEL 6.12 1/8] riscv: add a data fence for CMODX in the kernel mode

by Sasha Levin

From: Andy Chiu <andybnac(a)gmail.com> [ Upstream commit ca358692de41b273468e625f96926fa53e13bd8c ] RISC-V spec explicitly calls out that a local fence.i is not enough for the code modification to be visble from a remote hart. In fact, it states: To make a store to instruction memory visible to all RISC-V harts, the writing hart also has to execute a data FENCE before requesting that all remote RISC-V harts execute a FENCE.I. Although current riscv drivers for IPI use ordered MMIO when sending IPIs in order to synchronize the action between previous csd writes, riscv does not restrict itself to any particular flavor of IPI. Any driver or firmware implementation that does not order data writes before the IPI may pose a risk for code-modifying race. Thus, add a fence here to order data writes before making the IPI. Signed-off-by: Andy Chiu <andybnac(a)gmail.com> Reviewed-by: Björn Töpel <bjorn(a)rivosinc.com> Link: https://lore.kernel.org/r/20250407180838.42877-8-andybnac@gmail.com Signed-off-by: Alexandre Ghiti <alexghiti(a)rivosinc.com> Signed-off-by: Palmer Dabbelt <palmer(a)dabbelt.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- Based on my analysis of the commit and the RISC-V kernel codebase, here is my assessment: **YES** This commit should be backported to stable kernel trees. Here's my extensive analysis: ## Code Analysis The commit adds a critical memory fence (`RISCV_FENCE(w, o)`) before sending IPIs in the `flush_icache_all()` function in `arch/riscv/mm/cacheflush.c`. Specifically, it: 1. **Adds a data fence before IPI**: The `RISCV_FENCE(w, o)` instruction ensures that all previous memory writes (w) are ordered before device output operations (o), which includes MMIO writes for sending IPIs. 2. **Addresses RISC-V specification requirement**: The commit message explicitly references the RISC-V Platform Specification Section 2.1, which requires a data FENCE before requesting remote FENCE.I operations to ensure code modifications are visible across harts (hardware threads). 3. **Fixes a potential race condition**: Without this fence, there's a risk that code modifications made by one hart might not be visible to other harts when they receive the IPI to flush their instruction caches. ## Why This Should Be Backported ### 1. **Critical Correctness Issue** This fixes a fundamental correctness issue in code modification (CMODX) operations on RISC-V multiprocessor systems. The lack of proper ordering can lead to: - Stale instruction execution on remote cores - Race conditions in dynamic code modification scenarios - Potential security vulnerabilities in JIT compilers, kernel modules, and other code-patching mechanisms ### 2. **Specification Compliance** The fix ensures compliance with the RISC-V specification requirements. The spec explicitly states that a data fence is required before remote fence.i operations, making this a standards compliance fix rather than an optimization. ### 3. **Small and Contained Change** The change is minimal and surgical: - Adds only one fence instruction (`RISCV_FENCE(w, o)`) - No functional logic changes - Affects only the `flush_icache_all()` path - Low risk of introducing regressions ### 4. **Wide Impact on Code Modification** The `flush_icache_all()` function is used by: - Kernel module loading/unloading - JIT compilers (eBPF, etc.) - Dynamic code patching - Debugging infrastructure (kprobes, uprobes) - Any code that modifies executable instructions ### 5. **Similarity to Accepted Backports** Looking at similar commit #1 in the reference examples (irqchip fence ordering), which was marked as backportable, this commit addresses the same class of memory ordering issues that are critical for correctness on RISC-V systems. ### 6. **Platform Independence** The fix applies to all RISC-V implementations, as it addresses a fundamental architectural requirement rather than a specific hardware bug. ## Risk Assessment **Low Risk**: The fence instruction is a standard RISC-V barrier that: - Does not change control flow - Only adds necessary ordering constraints - Is already used extensively throughout the RISC-V kernel code - Has predictable performance impact (minimal additional latency) ## Comparison with Reference Commits This commit is most similar to reference commit #1 (irqchip memory ordering fix), which was correctly marked for backporting. Both commits: - Fix memory ordering issues in IPI/interrupt subsystems - Address RISC-V specification requirements - Have minimal code changes with high correctness impact - Fix potential race conditions in multi-hart systems The commit fixes a critical specification compliance issue that could lead to correctness problems in code modification scenarios across all RISC-V multiprocessor systems, making it an excellent candidate for stable backporting. arch/riscv/mm/cacheflush.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/arch/riscv/mm/cacheflush.c b/arch/riscv/mm/cacheflush.c index b816727298872..b2e4b81763f88 100644 --- a/arch/riscv/mm/cacheflush.c +++ b/arch/riscv/mm/cacheflush.c @@ -24,7 +24,20 @@ void flush_icache_all(void) if (num_online_cpus() < 2) return; - else if (riscv_use_sbi_for_rfence()) + + /* + * Make sure all previous writes to the D$ are ordered before making + * the IPI. The RISC-V spec states that a hart must execute a data fence + * before triggering a remote fence.i in order to make the modification + * visable for remote harts. + * + * IPIs on RISC-V are triggered by MMIO writes to either CLINT or + * S-IMSIC, so the fence ensures previous data writes "happen before" + * the MMIO. + */ + RISCV_FENCE(w, o); + + if (riscv_use_sbi_for_rfence()) sbi_remote_fence_i(NULL); else on_each_cpu(ipi_remote_fence_i, NULL, 1); -- 2.39.5

6 days, 15 hours

1
7
0 0