- Linux-stable-mirror - lists.linaro.org

+ mm-shmem-fix-thp-allocation-and-fallback-loop.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/shmem: fix THP allocation and fallback loop has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-shmem-fix-thp-allocation-and-fallback-loop.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Kairui Song <kasong(a)tencent.com> Subject: mm/shmem: fix THP allocation and fallback loop Date: Wed, 22 Oct 2025 18:57:19 +0800 The order check and fallback loop is updating the index value on every loop, this will cause the index to be aligned by a larger value while the loop shrinks the order. This may result in inserting and returning a folio of the wrong index and cause data corruption with some userspace workloads [1]. Link: https://lkml.kernel.org/r/20251022105719.18321-1-ryncsn@gmail.com Link: https://lore.kernel.org/linux-mm/CAMgjq7DqgAmj25nDUwwu1U2cSGSn8n4-Hqpgotted… [1] Fixes: e7a2ab7b3bb5d ("mm: shmem: add mTHP support for anonymous shmem") Signed-off-by: Kairui Song <kasong(a)tencent.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Barry Song <baohua(a)kernel.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Nico Pache <npache(a)redhat.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Zi Yan <ziy(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/shmem.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/mm/shmem.c~mm-shmem-fix-thp-allocation-and-fallback-loop +++ a/mm/shmem.c @@ -1895,10 +1895,11 @@ static struct folio *shmem_alloc_and_add order = highest_order(suitable_orders); while (suitable_orders) { pages = 1UL << order; - index = round_down(index, pages); - folio = shmem_alloc_folio(gfp, order, info, index); - if (folio) + folio = shmem_alloc_folio(gfp, order, info, round_down(index, pages)); + if (folio) { + index = round_down(index, pages); goto allocated; + } if (pages == HPAGE_PMD_NR) count_vm_event(THP_FILE_FALLBACK); _ Patches currently in -mm which might be from kasong(a)tencent.com are mm-shmem-fix-thp-allocation-and-fallback-loop.patch

1 month, 1 week

1
0
0 0

[PATCH 5.10/5.15] cpufreq: davinci: Fix clk use after free

by Vasiliy Kovalev

From: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> [ Upstream commit 5d8f384a9b4fc50f6a18405f1c08e5a87a77b5b3 ] The remove function first frees the clks and only then calls cpufreq_unregister_driver(). If one of the cpufreq callbacks is called just before cpufreq_unregister_driver() is run, the freed clks might be used. Fixes: 6601b8030de3 ("davinci: add generic CPUFreq driver for DaVinci") Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> Acked-by: Viresh Kumar <viresh.kumar(a)linaro.org> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> (cherry picked from commit a5f024d0e6f91e05c816ad4ee8837173369dd5cb) [ kovalev: bp to fix CVE-2023-53544 ] Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- drivers/cpufreq/davinci-cpufreq.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/cpufreq/davinci-cpufreq.c b/drivers/cpufreq/davinci-cpufreq.c index 91f477a6cbc4..62380f05aec8 100644 --- a/drivers/cpufreq/davinci-cpufreq.c +++ b/drivers/cpufreq/davinci-cpufreq.c @@ -133,12 +133,14 @@ static int __init davinci_cpufreq_probe(struct platform_device *pdev) static int __exit davinci_cpufreq_remove(struct platform_device *pdev) { + cpufreq_unregister_driver(&davinci_driver); + clk_put(cpufreq.armclk); if (cpufreq.asyncclk) clk_put(cpufreq.asyncclk); - return cpufreq_unregister_driver(&davinci_driver); + return 0; } static struct platform_driver davinci_cpufreq_driver = { -- 2.50.1

1 month, 1 week

1
0
0 0

[PATCH v2] ACPI: video: Fix use-after-free in acpi_video_switch_brightness()

by Yuhao Jiang

The switch_brightness_work delayed work accesses device->brightness and device->backlight, which are freed by acpi_video_dev_unregister_backlight() during device removal. If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight. Fix this by calling cancel_delayed_work_sync() for each device's switch_brightness_work before unregistering its backlight resources. This ensures the work completes before the memory is freed. Fixes: 8ab58e8e7e097 ("ACPI / video: Fix backlight taking 2 steps on a brightness up/down keypress") Cc: stable(a)vger.kernel.org Signed-off-by: Yuhao Jiang <danisjiang(a)gmail.com> --- Changes in v2: - Move cancel_delayed_work_sync() to acpi_video_bus_unregister_backlight() instead of acpi_video_bus_put_devices() for better logic clarity and to prevent potential UAF of device->brightness - Correct Fixes tag to point to 8ab58e8e7e097 which introduced the delayed work - Link to v1: https://lore.kernel.org/all/20251022040859.2102914-1-danisjiang@gmail.com --- drivers/acpi/acpi_video.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c index 103f29661576..64709658bdc4 100644 --- a/drivers/acpi/acpi_video.c +++ b/drivers/acpi/acpi_video.c @@ -1869,8 +1869,10 @@ static int acpi_video_bus_unregister_backlight(struct acpi_video_bus *video) error = unregister_pm_notifier(&video->pm_nb); mutex_lock(&video->device_list_lock); - list_for_each_entry(dev, &video->video_device_list, entry) + list_for_each_entry(dev, &video->video_device_list, entry) { + cancel_delayed_work_sync(&dev->switch_brightness_work); acpi_video_dev_unregister_backlight(dev); + } mutex_unlock(&video->device_list_lock); video->backlight_registered = false; -- 2.34.1

1 month, 1 week

2
2
0 0

[PATCH 5.10.y] ionic: catch failure from devlink_alloc

by Vasiliy Kovalev

From: Shannon Nelson <shannon.nelson(a)amd.com> commit 4a54903ff68ddb33b6463c94b4eb37fc584ef760 upstream. Add a check for NULL on the alloc return. If devlink_alloc() fails and we try to use devlink_priv() on the NULL return, the kernel gets very unhappy and panics. With this fix, the driver load will still fail, but at least it won't panic the kernel. Fixes: df69ba43217d ("ionic: Add basic framework for IONIC Network device driver") Signed-off-by: Shannon Nelson <shannon.nelson(a)amd.com> Reviewed-by: Simon Horman <simon.horman(a)corigine.com> Reviewed-by: Jiri Pirko <jiri(a)nvidia.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> [ kovalev: bp to fix CVE-2023-53470 ] Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- drivers/net/ethernet/pensando/ionic/ionic_devlink.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/ethernet/pensando/ionic/ionic_devlink.c b/drivers/net/ethernet/pensando/ionic/ionic_devlink.c index 3d94064c685d..52ebecf2521e 100644 --- a/drivers/net/ethernet/pensando/ionic/ionic_devlink.c +++ b/drivers/net/ethernet/pensando/ionic/ionic_devlink.c @@ -65,6 +65,8 @@ struct ionic *ionic_devlink_alloc(struct device *dev) struct devlink *dl; dl = devlink_alloc(&ionic_dl_ops, sizeof(struct ionic)); + if (!dl) + return NULL; return devlink_priv(dl); } -- 2.50.1

1 month, 1 week

1
0
0 0

[PATCH v7 1/8] iommu: Disable SVA when CONFIG_X86 is set

by Lu Baolu

In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. The x86 architecture maps the kernel's virtual address space into the upper portion of every process's page table. Consequently, in an SVA context, the IOMMU hardware can walk and cache kernel page table entries. The Linux kernel currently lacks a notification mechanism for kernel page table changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual address mappings. This can cause the IOMMU's internal caches to retain stale entries for kernel VA. Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when kernel page table pages are freed and later reallocated. The IOMMU could misinterpret the new data as valid page table entries. The IOMMU might then walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. This is also a Write-After-Free issue, as the IOMMU will potentially continue to write Accessed and Dirty bits to the freed memory while attempting to walk the stale page tables. Currently, SVA contexts are unprivileged and cannot access kernel mappings. However, the IOMMU will still walk kernel-only page tables all the way down to the leaf entries, where it realizes the mapping is for the kernel and errors out. This means the IOMMU still caches these intermediate page table entries, making the described vulnerability a real concern. Disable SVA on x86 architecture until the IOMMU can receive notification to flush the paging cache before freeing the CPU kernel page table pages. Fixes: 26b25a2b98e4 ("iommu: Bind process address spaces to devices") Cc: stable(a)vger.kernel.org Suggested-by: Jason Gunthorpe <jgg(a)nvidia.com> Signed-off-by: Lu Baolu <baolu.lu(a)linux.intel.com> --- drivers/iommu/iommu-sva.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/iommu/iommu-sva.c b/drivers/iommu/iommu-sva.c index 1a51cfd82808..a0442faad952 100644 --- a/drivers/iommu/iommu-sva.c +++ b/drivers/iommu/iommu-sva.c @@ -77,6 +77,9 @@ struct iommu_sva *iommu_sva_bind_device(struct device *dev, struct mm_struct *mm if (!group) return ERR_PTR(-ENODEV); + if (IS_ENABLED(CONFIG_X86)) + return ERR_PTR(-EOPNOTSUPP); + mutex_lock(&iommu_sva_lock); /* Allocate mm->pasid if necessary. */ -- 2.43.0

1 month, 1 week

2
1
0 0

[PATCH 5.10.y] firewire: net: fix use after free in fwnet_finish_incoming_packet()

by Vasiliy Kovalev

From: Zhang Shurong <zhang_shurong(a)foxmail.com> commit 3ff256751a2853e1ffaa36958ff933ccc98c6cb5 upstream. The netif_rx() function frees the skb so we can't dereference it to save the skb->len. Signed-off-by: Zhang Shurong <zhang_shurong(a)foxmail.com> Link: https://lore.kernel.org/r/tencent_3B3D24B66ED66A6BB73CC0E63C6A14E45109@qq.c… Signed-off-by: Takashi Sakamoto <o-takashi(a)sakamocchi.jp> [ kovalev: bp to fix CVE-2023-53432 ] Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- drivers/firewire/net.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c index 715e491dfbc3..8504e95ede90 100644 --- a/drivers/firewire/net.c +++ b/drivers/firewire/net.c @@ -489,7 +489,7 @@ static int fwnet_finish_incoming_packet(struct net_device *net, bool is_broadcast, u16 ether_type) { struct fwnet_device *dev; - int status; + int status, len; __be64 guid; switch (ether_type) { @@ -546,13 +546,15 @@ static int fwnet_finish_incoming_packet(struct net_device *net, } skb->protocol = protocol; } + + len = skb->len; status = netif_rx(skb); if (status == NET_RX_DROP) { net->stats.rx_errors++; net->stats.rx_dropped++; } else { net->stats.rx_packets++; - net->stats.rx_bytes += skb->len; + net->stats.rx_bytes += len; } return 0; -- 2.50.1

1 month, 1 week

1
0
0 0

+ iommu-disable-sva-when-config_x86-is-set.patch added to mm-new branch

by Andrew Morton

The patch titled Subject: iommu: disable SVA when CONFIG_X86 is set has been added to the -mm mm-new branch. Its filename is iommu-disable-sva-when-config_x86-is-set.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-new branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Note, mm-new is a provisional staging ground for work-in-progress patches, and acceptance into mm-new is a notification for others take notice and to finish up reviews. Please do not hesitate to respond to review feedback and post updated versions to replace or incrementally fixup patches in mm-new. Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Lu Baolu <baolu.lu(a)linux.intel.com> Subject: iommu: disable SVA when CONFIG_X86 is set Date: Wed, 22 Oct 2025 16:26:27 +0800 Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-after-free or write-after-free condition, potentially leading to privilege escalation or data corruption. This solution introduces a deferred freeing mechanism for kernel page table pages, which provides a safe window to notify the IOMMU to invalidate its caches before the page is reused. This patch (of 8): In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. The x86 architecture maps the kernel's virtual address space into the upper portion of every process's page table. Consequently, in an SVA context, the IOMMU hardware can walk and cache kernel page table entries. The Linux kernel currently lacks a notification mechanism for kernel page table changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual address mappings. This can cause the IOMMU's internal caches to retain stale entries for kernel VA. Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when kernel page table pages are freed and later reallocated. The IOMMU could misinterpret the new data as valid page table entries. The IOMMU might then walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. This is also a Write-After-Free issue, as the IOMMU will potentially continue to write Accessed and Dirty bits to the freed memory while attempting to walk the stale page tables. Currently, SVA contexts are unprivileged and cannot access kernel mappings. However, the IOMMU will still walk kernel-only page tables all the way down to the leaf entries, where it realizes the mapping is for the kernel and errors out. This means the IOMMU still caches these intermediate page table entries, making the described vulnerability a real concern. Disable SVA on x86 architecture until the IOMMU can receive notification to flush the paging cache before freeing the CPU kernel page table pages. Link: https://lkml.kernel.org/r/20251022082635.2462433-1-baolu.lu@linux.intel.com Link: https://lkml.kernel.org/r/20251022082635.2462433-2-baolu.lu@linux.intel.com Fixes: 26b25a2b98e4 ("iommu: Bind process address spaces to devices") Signed-off-by: Lu Baolu <baolu.lu(a)linux.intel.com> Suggested-by: Jason Gunthorpe <jgg(a)nvidia.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Borislav Betkov <bp(a)alien8.de> Cc: Dave Hansen <dave.hansen(a)intel.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Jann Horn <jannh(a)google.com> Cc: Jean-Philippe Brucker <jean-philippe(a)linaro.org> Cc: Joerg Roedel <joro(a)8bytes.org> Cc: Kevin Tian <kevin.tian(a)intel.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Robin Murohy <robin.murphy(a)arm.com> Cc: Thomas Gleinxer <tglx(a)linutronix.de> Cc: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Cc: Vasant Hegde <vasant.hegde(a)amd.com> Cc: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Will Deacon <will(a)kernel.org> Cc: Yi Lai <yi1.lai(a)intel.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/iommu/iommu-sva.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/iommu/iommu-sva.c~iommu-disable-sva-when-config_x86-is-set +++ a/drivers/iommu/iommu-sva.c @@ -77,6 +77,9 @@ struct iommu_sva *iommu_sva_bind_device( if (!group) return ERR_PTR(-ENODEV); + if (IS_ENABLED(CONFIG_X86)) + return ERR_PTR(-EOPNOTSUPP); + mutex_lock(&iommu_sva_lock); /* Allocate mm->pasid if necessary. */ _ Patches currently in -mm which might be from baolu.lu(a)linux.intel.com are iommu-disable-sva-when-config_x86-is-set.patch x86-mm-use-pagetable_free.patch iommu-sva-invalidate-stale-iotlb-entries-for-kernel-address-space.patch

1 month, 1 week

1
0
0 0

[PATCH 5.10.y] RDMA/mlx5: Fix mlx5_ib_get_hw_stats when used for device

by Vasiliy Kovalev

From: Shay Drory <shayd(a)nvidia.com> commit 38b50aa44495d5eb4218f0b82fc2da76505cec53 upstream. Currently, when mlx5_ib_get_hw_stats() is used for device (port_num = 0), there is a special handling in order to use the correct counters, but, port_num is being passed down the stack without any change. Also, some functions assume that port_num >=1. As a result, the following oops can occur. BUG: unable to handle page fault for address: ffff89510294f1a8 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] SMP CPU: 8 PID: 1382 Comm: devlink Tainted: G W 6.1.0-rc4_for_upstream_base_2022_11_10_16_12 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:_raw_spin_lock+0xc/0x20 Call Trace: <TASK> mlx5_ib_get_native_port_mdev+0x73/0xe0 [mlx5_ib] do_get_hw_stats.constprop.0+0x109/0x160 [mlx5_ib] mlx5_ib_get_hw_stats+0xad/0x180 [mlx5_ib] ib_setup_device_attrs+0xf0/0x290 [ib_core] ib_register_device+0x3bb/0x510 [ib_core] ? atomic_notifier_chain_register+0x67/0x80 __mlx5_ib_add+0x2b/0x80 [mlx5_ib] mlx5r_probe+0xb8/0x150 [mlx5_ib] ? auxiliary_match_id+0x6a/0x90 auxiliary_bus_probe+0x3c/0x70 ? driver_sysfs_add+0x6b/0x90 really_probe+0xcd/0x380 __driver_probe_device+0x80/0x170 driver_probe_device+0x1e/0x90 __device_attach_driver+0x7d/0x100 ? driver_allows_async_probing+0x60/0x60 ? driver_allows_async_probing+0x60/0x60 bus_for_each_drv+0x7b/0xc0 __device_attach+0xbc/0x200 bus_probe_device+0x87/0xa0 device_add+0x404/0x940 ? dev_set_name+0x53/0x70 __auxiliary_device_add+0x43/0x60 add_adev+0x99/0xe0 [mlx5_core] mlx5_attach_device+0xc8/0x120 [mlx5_core] mlx5_load_one_devl_locked+0xb2/0xe0 [mlx5_core] devlink_reload+0x133/0x250 devlink_nl_cmd_reload+0x480/0x570 ? devlink_nl_pre_doit+0x44/0x2b0 genl_family_rcv_msg_doit.isra.0+0xc2/0x110 genl_rcv_msg+0x180/0x2b0 ? devlink_nl_cmd_region_read_dumpit+0x540/0x540 ? devlink_reload+0x250/0x250 ? devlink_put+0x50/0x50 ? genl_family_rcv_msg_doit.isra.0+0x110/0x110 netlink_rcv_skb+0x54/0x100 genl_rcv+0x24/0x40 netlink_unicast+0x1f6/0x2c0 netlink_sendmsg+0x237/0x490 sock_sendmsg+0x33/0x40 __sys_sendto+0x103/0x160 ? handle_mm_fault+0x10e/0x290 ? do_user_addr_fault+0x1c0/0x5f0 __x64_sys_sendto+0x25/0x30 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Fix it by setting port_num to 1 in order to get device status and remove unused variable. Fixes: aac4492ef23a ("IB/mlx5: Update counter implementation for dual port RoCE") Link: https://lore.kernel.org/r/98b82994c3cd3fa593b8a75ed3f3901e208beb0f.16722317… Signed-off-by: Shay Drory <shayd(a)nvidia.com> Reviewed-by: Patrisious Haddad <phaddad(a)nvidia.com> Signed-off-by: Leon Romanovsky <leon(a)kernel.org> [ kovalev: bp to fix CVE-2023-53393 ] Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- drivers/infiniband/hw/mlx5/counters.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/infiniband/hw/mlx5/counters.c b/drivers/infiniband/hw/mlx5/counters.c index 33636268d43d..29b38cf055be 100644 --- a/drivers/infiniband/hw/mlx5/counters.c +++ b/drivers/infiniband/hw/mlx5/counters.c @@ -249,7 +249,6 @@ static int mlx5_ib_get_hw_stats(struct ib_device *ibdev, const struct mlx5_ib_counters *cnts = get_counters(dev, port_num - 1); struct mlx5_core_dev *mdev; int ret, num_counters; - u8 mdev_port_num; if (!stats) return -EINVAL; @@ -270,8 +269,9 @@ static int mlx5_ib_get_hw_stats(struct ib_device *ibdev, } if (MLX5_CAP_GEN(dev->mdev, cc_query_allowed)) { - mdev = mlx5_ib_get_native_port_mdev(dev, port_num, - &mdev_port_num); + if (!port_num) + port_num = 1; + mdev = mlx5_ib_get_native_port_mdev(dev, port_num, NULL); if (!mdev) { /* If port is not affiliated yet, its in down state * which doesn't have any counters yet, so it would be -- 2.50.1

1 month, 1 week

1
0
0 0

[PATCH 2/2] io_uring/sqpoll: be smarter on when to update the stime usage

by Jens Axboe

The current approach is a bit naive, and hence calls the time querying way too often. Only start the "doing work" timer when there's actual work to do, and then use that information to terminate (and account) the work time once done. This greatly reduces the frequency of these calls, when they cannot have changed anyway. Running a basic random reader that is setup to use SQPOLL, a profile before this change shows these as the top cycle consumers: + 32.60% iou-sqp-1074 [kernel.kallsyms] [k] thread_group_cputime_adjusted + 19.97% iou-sqp-1074 [kernel.kallsyms] [k] thread_group_cputime + 12.20% io_uring io_uring [.] submitter_uring_fn + 4.13% iou-sqp-1074 [kernel.kallsyms] [k] getrusage + 2.45% iou-sqp-1074 [kernel.kallsyms] [k] io_submit_sqes + 2.18% iou-sqp-1074 [kernel.kallsyms] [k] __pi_memset_generic + 2.09% iou-sqp-1074 [kernel.kallsyms] [k] cputime_adjust and after this change, top of profile looks as follows: + 36.23% io_uring io_uring [.] submitter_uring_fn + 23.26% iou-sqp-819 [kernel.kallsyms] [k] io_sq_thread + 10.14% iou-sqp-819 [kernel.kallsyms] [k] io_sq_tw + 6.52% iou-sqp-819 [kernel.kallsyms] [k] tctx_task_work_run + 4.82% iou-sqp-819 [kernel.kallsyms] [k] nvme_submit_cmds.part.0 + 2.91% iou-sqp-819 [kernel.kallsyms] [k] io_submit_sqes [...] 0.02% iou-sqp-819 [kernel.kallsyms] [k] cputime_adjust where it's spending the cycles on things that actually matter. Reported-by: Fengnan Chang <changfengnan(a)bytedance.com> Cc: stable(a)vger.kernel.org Fixes: 3fcb9d17206e ("io_uring/sqpoll: statistics of the true utilization of sq threads") Signed-off-by: Jens Axboe <axboe(a)kernel.dk> --- io_uring/sqpoll.c | 43 ++++++++++++++++++++++++++++++++----------- 1 file changed, 32 insertions(+), 11 deletions(-) diff --git a/io_uring/sqpoll.c b/io_uring/sqpoll.c index 2b816fdb9866..e22f072c7d5f 100644 --- a/io_uring/sqpoll.c +++ b/io_uring/sqpoll.c @@ -170,6 +170,11 @@ static inline bool io_sqd_events_pending(struct io_sq_data *sqd) return READ_ONCE(sqd->state); } +struct io_sq_time { + bool started; + u64 usec; +}; + u64 io_sq_cpu_usec(struct task_struct *tsk) { u64 utime, stime; @@ -179,12 +184,24 @@ u64 io_sq_cpu_usec(struct task_struct *tsk) return stime; } -static void io_sq_update_worktime(struct io_sq_data *sqd, u64 usec) +static void io_sq_update_worktime(struct io_sq_data *sqd, struct io_sq_time *ist) +{ + if (!ist->started) + return; + ist->started = false; + sqd->work_time += io_sq_cpu_usec(current) - ist->usec; +} + +static void io_sq_start_worktime(struct io_sq_time *ist) { - sqd->work_time += io_sq_cpu_usec(current) - usec; + if (ist->started) + return; + ist->started = true; + ist->usec = io_sq_cpu_usec(current); } -static int __io_sq_thread(struct io_ring_ctx *ctx, bool cap_entries) +static int __io_sq_thread(struct io_ring_ctx *ctx, struct io_sq_data *sqd, + bool cap_entries, struct io_sq_time *ist) { unsigned int to_submit; int ret = 0; @@ -197,6 +214,8 @@ static int __io_sq_thread(struct io_ring_ctx *ctx, bool cap_entries) if (to_submit || !wq_list_empty(&ctx->iopoll_list)) { const struct cred *creds = NULL; + io_sq_start_worktime(ist); + if (ctx->sq_creds != current_cred()) creds = override_creds(ctx->sq_creds); @@ -278,7 +297,6 @@ static int io_sq_thread(void *data) unsigned long timeout = 0; char buf[TASK_COMM_LEN] = {}; DEFINE_WAIT(wait); - u64 start; /* offload context creation failed, just exit */ if (!current->io_uring) { @@ -313,6 +331,7 @@ static int io_sq_thread(void *data) mutex_lock(&sqd->lock); while (1) { bool cap_entries, sqt_spin = false; + struct io_sq_time ist = { }; if (io_sqd_events_pending(sqd) || signal_pending(current)) { if (io_sqd_handle_event(sqd)) @@ -321,9 +340,8 @@ static int io_sq_thread(void *data) } cap_entries = !list_is_singular(&sqd->ctx_list); - start = io_sq_cpu_usec(current); list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) { - int ret = __io_sq_thread(ctx, cap_entries); + int ret = __io_sq_thread(ctx, sqd, cap_entries, &ist); if (!sqt_spin && (ret > 0 || !wq_list_empty(&ctx->iopoll_list))) sqt_spin = true; @@ -331,15 +349,18 @@ static int io_sq_thread(void *data) if (io_sq_tw(&retry_list, IORING_TW_CAP_ENTRIES_VALUE)) sqt_spin = true; - list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) - if (io_napi(ctx)) + list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) { + if (io_napi(ctx)) { + io_sq_start_worktime(&ist); io_napi_sqpoll_busy_poll(ctx); + } + } + + io_sq_update_worktime(sqd, &ist); if (sqt_spin || !time_after(jiffies, timeout)) { - if (sqt_spin) { - io_sq_update_worktime(sqd, start); + if (sqt_spin) timeout = jiffies + sqd->sq_thread_idle; - } if (unlikely(need_resched())) { mutex_unlock(&sqd->lock); cond_resched(); -- 2.51.0

1 month, 1 week

1
0
0 0

[PATCH 1/2] io_uring/sqpoll: switch away from getrusage() for CPU accounting

by Jens Axboe

getrusage() does a lot more than what the SQPOLL accounting needs, the latter only cares about (and uses) the stime. Rather than do a full RUSAGE_SELF summation, just query the used stime instead. Cc: stable(a)vger.kernel.org Fixes: 3fcb9d17206e ("io_uring/sqpoll: statistics of the true utilization of sq threads") Reviewed-by: Gabriel Krisman Bertazi <krisman(a)suse.de> Signed-off-by: Jens Axboe <axboe(a)kernel.dk> --- io_uring/fdinfo.c | 8 ++++---- io_uring/sqpoll.c | 32 ++++++++++++++++++-------------- io_uring/sqpoll.h | 1 + 3 files changed, 23 insertions(+), 18 deletions(-) diff --git a/io_uring/fdinfo.c b/io_uring/fdinfo.c index ff3364531c77..294c75a8a3bd 100644 --- a/io_uring/fdinfo.c +++ b/io_uring/fdinfo.c @@ -59,7 +59,6 @@ static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m) { struct io_overflow_cqe *ocqe; struct io_rings *r = ctx->rings; - struct rusage sq_usage; unsigned int sq_mask = ctx->sq_entries - 1, cq_mask = ctx->cq_entries - 1; unsigned int sq_head = READ_ONCE(r->sq.head); unsigned int sq_tail = READ_ONCE(r->sq.tail); @@ -152,14 +151,15 @@ static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m) * thread termination. */ if (tsk) { + u64 usec; + get_task_struct(tsk); rcu_read_unlock(); - getrusage(tsk, RUSAGE_SELF, &sq_usage); + usec = io_sq_cpu_usec(tsk); put_task_struct(tsk); sq_pid = sq->task_pid; sq_cpu = sq->sq_cpu; - sq_total_time = (sq_usage.ru_stime.tv_sec * 1000000 - + sq_usage.ru_stime.tv_usec); + sq_total_time = usec; sq_work_time = sq->work_time; } else { rcu_read_unlock(); diff --git a/io_uring/sqpoll.c b/io_uring/sqpoll.c index a3f11349ce06..2b816fdb9866 100644 --- a/io_uring/sqpoll.c +++ b/io_uring/sqpoll.c @@ -11,6 +11,7 @@ #include <linux/audit.h> #include <linux/security.h> #include <linux/cpuset.h> +#include <linux/sched/cputime.h> #include <linux/io_uring.h> #include <uapi/linux/io_uring.h> @@ -169,6 +170,20 @@ static inline bool io_sqd_events_pending(struct io_sq_data *sqd) return READ_ONCE(sqd->state); } +u64 io_sq_cpu_usec(struct task_struct *tsk) +{ + u64 utime, stime; + + task_cputime_adjusted(tsk, &utime, &stime); + do_div(stime, 1000); + return stime; +} + +static void io_sq_update_worktime(struct io_sq_data *sqd, u64 usec) +{ + sqd->work_time += io_sq_cpu_usec(current) - usec; +} + static int __io_sq_thread(struct io_ring_ctx *ctx, bool cap_entries) { unsigned int to_submit; @@ -255,26 +270,15 @@ static bool io_sq_tw_pending(struct llist_node *retry_list) return retry_list || !llist_empty(&tctx->task_list); } -static void io_sq_update_worktime(struct io_sq_data *sqd, struct rusage *start) -{ - struct rusage end; - - getrusage(current, RUSAGE_SELF, &end); - end.ru_stime.tv_sec -= start->ru_stime.tv_sec; - end.ru_stime.tv_usec -= start->ru_stime.tv_usec; - - sqd->work_time += end.ru_stime.tv_usec + end.ru_stime.tv_sec * 1000000; -} - static int io_sq_thread(void *data) { struct llist_node *retry_list = NULL; struct io_sq_data *sqd = data; struct io_ring_ctx *ctx; - struct rusage start; unsigned long timeout = 0; char buf[TASK_COMM_LEN] = {}; DEFINE_WAIT(wait); + u64 start; /* offload context creation failed, just exit */ if (!current->io_uring) { @@ -317,7 +321,7 @@ static int io_sq_thread(void *data) } cap_entries = !list_is_singular(&sqd->ctx_list); - getrusage(current, RUSAGE_SELF, &start); + start = io_sq_cpu_usec(current); list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) { int ret = __io_sq_thread(ctx, cap_entries); @@ -333,7 +337,7 @@ static int io_sq_thread(void *data) if (sqt_spin || !time_after(jiffies, timeout)) { if (sqt_spin) { - io_sq_update_worktime(sqd, &start); + io_sq_update_worktime(sqd, start); timeout = jiffies + sqd->sq_thread_idle; } if (unlikely(need_resched())) { diff --git a/io_uring/sqpoll.h b/io_uring/sqpoll.h index b83dcdec9765..fd2f6f29b516 100644 --- a/io_uring/sqpoll.h +++ b/io_uring/sqpoll.h @@ -29,6 +29,7 @@ void io_sq_thread_unpark(struct io_sq_data *sqd); void io_put_sq_data(struct io_sq_data *sqd); void io_sqpoll_wait_sq(struct io_ring_ctx *ctx); int io_sqpoll_wq_cpu_affinity(struct io_ring_ctx *ctx, cpumask_var_t mask); +u64 io_sq_cpu_usec(struct task_struct *tsk); static inline struct task_struct *sqpoll_task_locked(struct io_sq_data *sqd) { -- 2.51.0

1 month, 1 week

1
0
0 0

[PATCH 1/2] io_uring/sqpoll: switch away from getrusage() for CPU accounting

by Jens Axboe

getrusage() does a lot more than what the SQPOLL accounting needs, the latter only cares about (and uses) the stime. Rather than do a full RUSAGE_SELF summation, just query the used stime instead. Cc: stable(a)vger.kernel.org Fixes: 3fcb9d17206e ("io_uring/sqpoll: statistics of the true utilization of sq threads") Signed-off-by: Jens Axboe <axboe(a)kernel.dk> --- io_uring/fdinfo.c | 9 +++++---- io_uring/sqpoll.c | 34 ++++++++++++++++++++-------------- io_uring/sqpoll.h | 1 + 3 files changed, 26 insertions(+), 18 deletions(-) diff --git a/io_uring/fdinfo.c b/io_uring/fdinfo.c index ff3364531c77..966e06b078f6 100644 --- a/io_uring/fdinfo.c +++ b/io_uring/fdinfo.c @@ -59,7 +59,6 @@ static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m) { struct io_overflow_cqe *ocqe; struct io_rings *r = ctx->rings; - struct rusage sq_usage; unsigned int sq_mask = ctx->sq_entries - 1, cq_mask = ctx->cq_entries - 1; unsigned int sq_head = READ_ONCE(r->sq.head); unsigned int sq_tail = READ_ONCE(r->sq.tail); @@ -152,14 +151,16 @@ static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m) * thread termination. */ if (tsk) { + struct timespec64 ts; + get_task_struct(tsk); rcu_read_unlock(); - getrusage(tsk, RUSAGE_SELF, &sq_usage); + ts = io_sq_cpu_time(tsk); put_task_struct(tsk); sq_pid = sq->task_pid; sq_cpu = sq->sq_cpu; - sq_total_time = (sq_usage.ru_stime.tv_sec * 1000000 - + sq_usage.ru_stime.tv_usec); + sq_total_time = (ts.tv_sec * 1000000 + + ts.tv_nsec / 1000); sq_work_time = sq->work_time; } else { rcu_read_unlock(); diff --git a/io_uring/sqpoll.c b/io_uring/sqpoll.c index a3f11349ce06..8705b0aa82e0 100644 --- a/io_uring/sqpoll.c +++ b/io_uring/sqpoll.c @@ -11,6 +11,7 @@ #include <linux/audit.h> #include <linux/security.h> #include <linux/cpuset.h> +#include <linux/sched/cputime.h> #include <linux/io_uring.h> #include <uapi/linux/io_uring.h> @@ -169,6 +170,22 @@ static inline bool io_sqd_events_pending(struct io_sq_data *sqd) return READ_ONCE(sqd->state); } +struct timespec64 io_sq_cpu_time(struct task_struct *tsk) +{ + u64 utime, stime; + + task_cputime_adjusted(tsk, &utime, &stime); + return ns_to_timespec64(stime); +} + +static void io_sq_update_worktime(struct io_sq_data *sqd, struct timespec64 start) +{ + struct timespec64 ts; + + ts = timespec64_sub(io_sq_cpu_time(current), start); + sqd->work_time += ts.tv_sec * 1000000 + ts.tv_nsec / 1000; +} + static int __io_sq_thread(struct io_ring_ctx *ctx, bool cap_entries) { unsigned int to_submit; @@ -255,23 +272,12 @@ static bool io_sq_tw_pending(struct llist_node *retry_list) return retry_list || !llist_empty(&tctx->task_list); } -static void io_sq_update_worktime(struct io_sq_data *sqd, struct rusage *start) -{ - struct rusage end; - - getrusage(current, RUSAGE_SELF, &end); - end.ru_stime.tv_sec -= start->ru_stime.tv_sec; - end.ru_stime.tv_usec -= start->ru_stime.tv_usec; - - sqd->work_time += end.ru_stime.tv_usec + end.ru_stime.tv_sec * 1000000; -} - static int io_sq_thread(void *data) { struct llist_node *retry_list = NULL; struct io_sq_data *sqd = data; struct io_ring_ctx *ctx; - struct rusage start; + struct timespec64 start; unsigned long timeout = 0; char buf[TASK_COMM_LEN] = {}; DEFINE_WAIT(wait); @@ -317,7 +323,7 @@ static int io_sq_thread(void *data) } cap_entries = !list_is_singular(&sqd->ctx_list); - getrusage(current, RUSAGE_SELF, &start); + start = io_sq_cpu_time(current); list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) { int ret = __io_sq_thread(ctx, cap_entries); @@ -333,7 +339,7 @@ static int io_sq_thread(void *data) if (sqt_spin || !time_after(jiffies, timeout)) { if (sqt_spin) { - io_sq_update_worktime(sqd, &start); + io_sq_update_worktime(sqd, start); timeout = jiffies + sqd->sq_thread_idle; } if (unlikely(need_resched())) { diff --git a/io_uring/sqpoll.h b/io_uring/sqpoll.h index b83dcdec9765..84ed2b312e88 100644 --- a/io_uring/sqpoll.h +++ b/io_uring/sqpoll.h @@ -29,6 +29,7 @@ void io_sq_thread_unpark(struct io_sq_data *sqd); void io_put_sq_data(struct io_sq_data *sqd); void io_sqpoll_wait_sq(struct io_ring_ctx *ctx); int io_sqpoll_wq_cpu_affinity(struct io_ring_ctx *ctx, cpumask_var_t mask); +struct timespec64 io_sq_cpu_time(struct task_struct *tsk); static inline struct task_struct *sqpoll_task_locked(struct io_sq_data *sqd) { -- 2.51.0

1 month, 1 week

2
2
0 0

[PATCH 6.6 000/105] 6.6.114-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.114 release. There are 105 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 23 Oct 2025 19:49:51 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.114-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.114-rc1 Niklas Cassel <cassel(a)kernel.org> PCI: tegra194: Reset BARs when running in PCIe endpoint mode Siddharth Vadapalli <s-vadapalli(a)ti.com> PCI: j721e: Fix programming sequence of "strap" settings Siddharth Vadapalli <s-vadapalli(a)ti.com> PCI: j721e: Enable ACSPCIE Refclk if "ti,syscon-acspcie-proxy-ctrl" exists Jakub Acs <acsjakub(a)amazon.de> mm/ksm: fix flag-dropping behavior in ksm_madvise Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: browse interfaces list on FSCTL_QUERY_INTERFACE_INFO IOCTL Brian Norris <briannorris(a)google.com> PCI/sysfs: Ensure devices are powered for config reads (part 2) Scott Mayhew <smayhew(a)redhat.com> nfsd: decouple the xprtsec policy check from check_nfsd_access() Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> ixgbevf: fix mailbox API compatibility by negotiating supported features Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> ixgbevf: fix getting link speed data for E610 devices Piotr Kwapulinski <piotr.kwapulinski(a)intel.com> ixgbevf: Add support for Intel(R) E610 device Piotr Kwapulinski <piotr.kwapulinski(a)intel.com> PCI: Add PCI_VDEVICE_SUB helper macro Devarsh Thakkar <devarsht(a)ti.com> phy: cadence: cdns-dphy: Update calibration wait time for startup state machine Theodore Ts'o <tytso(a)mit.edu> ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Jan Kara <jack(a)suse.cz> vfs: Don't leak disconnected dentries on umount Chuck Lever <chuck.lever(a)oracle.com> NFSD: Define a proc_layoutcommit for the FlexFiles layout type Shashank A P <shashank.ap(a)samsung.com> fs: quota: create dedicated workqueue for quota_release_work Kemeng Shi <shikemeng(a)huaweicloud.com> quota: remove unneeded return value of register_quota_format Xiao Liang <shaw.leon(a)gmail.com> padata: Reset next CPU when reorder sequence wraps around Darrick J. Wong <djwong(a)kernel.org> xfs: use deferred intent items for reaping crosslinked blocks Sean Nyekjaer <sean(a)geanix.com> iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com> iio: imu: inv_icm42600: reorganize DMA aligned buffers in structure Devarsh Thakkar <devarsht(a)ti.com> phy: cadence: cdns-dphy: Fix PLL lock and O_CMN_READY polling Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> phy: cdns-dphy: Store hs_clk_rate and return it Sean Nyekjaer <sean(a)geanix.com> iio: imu: inv_icm42600: Simplify pm_runtime setup Bence Csókás <csokas.bence(a)prolan.hu> PM: runtime: Add new devm functions Christoph Hellwig <hch(a)lst.de> xfs: fix log CRC mismatches between i386 and other architectures Christoph Hellwig <hch(a)lst.de> xfs: rename the old_crc variable in xlog_recover_process Sergey Bashirov <sergeybashirov(a)gmail.com> NFSD: Fix last write offset handling in layoutcommit Sergey Bashirov <sergeybashirov(a)gmail.com> NFSD: Minor cleanup in layoutcommit processing Sergey Bashirov <sergeybashirov(a)gmail.com> NFSD: Rework encoding and decoding of nfsd4_deviceid Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix deadlock warnings caused by lock dependency in init_nilfs() Darrick J. Wong <djwong(a)kernel.org> block: fix race between set_blocksize and read paths Mark Rutland <mark.rutland(a)arm.com> arm64: errata: Apply workarounds for Neoverse-V3AE Mark Rutland <mark.rutland(a)arm.com> arm64: cputype: Add Neoverse-V3AE definitions Viacheslav Dubeyko <slava(a)dubeyko.com> hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp() Xing Guo <higuoxing(a)gmail.com> selftests: arg_parsing: Ensure data is flushed to disk before reading. Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> HID: multitouch: fix name of Stylus input devices Dmitry Torokhov <dmitry.torokhov(a)gmail.com> HID: hid-input: only ignore 0 battery events for digitizers Jiaming Zhang <r772577952(a)gmail.com> ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card Andrii Nakryiko <andrii(a)kernel.org> selftests/bpf: make arg_parsing.c more robust to crashes Youssef Samir <quic_yabdulra(a)quicinc.com> accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages() Randy Dunlap <rdunlap(a)infradead.org> ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings Vincent Guittot <vincent.guittot(a)linaro.org> sched/fair: Fix pelt lost idle time detection Ingo Molnar <mingo(a)kernel.org> sched/balancing: Rename newidle_balance() => sched_balance_newidle() Alok Tiwari <alok.a.tiwari(a)oracle.com> drm/rockchip: vop2: use correct destination rectangle height check Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/powerplay: Fix CIK shutdown temperature Zhanjun Dong <zhanjun.dong(a)intel.com> drm/i915/guc: Skip communication warning on reset in progress Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ASoC: nau8821: Add DMI quirk to bypass jack debounce circuit Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ASoC: nau8821: Generalize helper to clear IRQ status Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ASoC: nau8821: Cancel jdet_work before handling jack ejection Christophe Leroy <christophe.leroy(a)csgroup.eu> ASoC: codecs: Fix gain setting ranges for Renesas IDT821034 codec Marek Vasut <marek.vasut(a)mailbox.org> drm/bridge: lt9211: Drop check for last nibble of version register Fabian Vogt <fvogt(a)suse.de> riscv: kprobes: Fix probe address validation Amit Chaudhary <achaudhary(a)purestorage.com> nvme-multipath: Skip nr_active increments in RETRY disposition I Viswanath <viswanathiyyappan(a)gmail.com> net: usb: lan78xx: fix use of improperly initialized dev->chipid in lan78xx_reset Oleksij Rempel <o.rempel(a)pengutronix.de> net: usb: lan78xx: Add error handling to lan78xx_init_mac_address Sabrina Dubroca <sd(a)queasysnail.net> tls: don't rely on tx_work during send() Sabrina Dubroca <sd(a)queasysnail.net> tls: wait for pending async decryptions if tls_strp_msg_hold fails Sabrina Dubroca <sd(a)queasysnail.net> tls: always set record_type in tls_process_cmsg Sabrina Dubroca <sd(a)queasysnail.net> tls: wait for async encrypt in case of error during latter iterations of sendmsg Sascha Hauer <s.hauer(a)pengutronix.de> net: tls: wait for async completion on last message Sabrina Dubroca <sd(a)queasysnail.net> tls: trim encrypted message to match the plaintext on short splice Alexey Simakov <bigalex934(a)gmail.com> tg3: prevent use of uninitialized remote_adv and local_adv variables Eric Dumazet <edumazet(a)google.com> tcp: fix tcp_tso_should_defer() vs large RTT Raju Rangoju <Raju.Rangoju(a)amd.com> amd-xgbe: Avoid spurious link down messages during interface toggle Dmitry Safonov <0x7f454c46(a)gmail.com> net/ip6_tunnel: Prevent perpetual tunnel growth Linmao Li <lilinmao(a)kylinos.cn> r8169: fix packet truncation after S4 resume on RTL8168H/RTL8111H Nicolas Dichtel <nicolas.dichtel(a)6wind.com> doc: fix seg6_flowlabel path Yeounsu Moon <yyyynoom(a)gmail.com> net: dlink: handle dma_map_single() failure properly Marc Kleine-Budde <mkl(a)pengutronix.de> can: m_can: m_can_plat_remove(): add missing pm_runtime_disable() Yuezhang Mo <Yuezhang.Mo(a)sony.com> dax: skip read lock assertion for read-only filesystems Benjamin Tissoires <bentiss(a)kernel.org> HID: multitouch: fix sticky fingers Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: f_rndis: Refactor bind path to use __free() Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: f_ncm: Refactor bind path to use __free() Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: f_acm: Refactor bind path to use __free() Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: f_ecm: Refactor bind path to use __free() Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: Introduce free_usb_request helper Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: Store endpoint pointer in usb_request Guoniu Zhou <guoniu.zhou(a)nxp.com> media: nxp: imx8-isi: m2m: Fix streaming cleanup on release Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> media: nxp: imx8-isi: Drop unused argument to mxc_isi_channel_chain() Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: remove ctx->suspended Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: properly clear channels during bind Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: fix uninitialized crtc reference in functions Akhil P Oommen <akhilpo(a)oss.qualcomm.com> drm/msm/a6xx: Fix PDC sleep sequence Konrad Dybcio <konrad.dybcio(a)linaro.org> drm/msm/adreno: De-spaghettify the use of memory barriers Nam Cao <namcao(a)linutronix.de> eventpoll: Replace rwlock with spinlock Huang Xiaojia <huangxiaojia2(a)huawei.com> epoll: Remove ep_scan_ready_list() in comments Zenm Chen <zenmchen(a)gmail.com> Bluetooth: btusb: Add USB ID 2001:332a for D-Link AX9U rev. A1 Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Check whether secure display TA loaded successfully Gui-Dong Han <hanguidong02(a)gmail.com> drm/amdgpu: use atomic functions with memory barriers for vm fault info Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies Eugene Korenevsky <ekorenevsky(a)aliyun.com> cifs: parse_dfs_referrals: prevent oob on malformed input Celeste Liu <uwu(a)coelacanthus.name> can: gs_usb: increase max interface to U8_MAX Celeste Liu <uwu(a)coelacanthus.name> can: gs_usb: gs_make_candev(): populate net_device->dev_port Filipe Manana <fdmanana(a)suse.com> btrfs: do not assert we found block group item when creating free space tree Boris Burkov <boris(a)bur.io> btrfs: fix incorrect readahead expansion length Filipe Manana <fdmanana(a)suse.com> btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation already running Deepanshu Kartikey <kartikey406(a)gmail.com> ext4: detect invalid INLINE_DATA + EXTENTS flag combination Zhang Yi <yi.zhang(a)huawei.com> ext4: wait for ongoing I/O to complete before freeing blocks Zhang Yi <yi.zhang(a)huawei.com> jbd2: ensure that all ongoing I/O complete before freeing blocks Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: fix wrong block mapping for multi-devices Oliver Upton <oliver.upton(a)linux.dev> KVM: arm64: Prevent access to vCPU events before init Yi Cong <yicong(a)kylinos.cn> r8152: add error handling in rtl8152_driver_init Shuhao Fu <sfual(a)cse.ust.hk> smb: client: Fix refcount leak for cifs_sb_tlink ------------- Diffstat: Documentation/arch/arm64/silicon-errata.rst | 2 + Documentation/networking/seg6-sysctl.rst | 3 + Makefile | 4 +- arch/arm64/Kconfig | 1 + arch/arm64/include/asm/cputype.h | 2 + arch/arm64/kernel/cpu_errata.c | 1 + arch/arm64/kvm/arm.c | 6 + arch/riscv/kernel/probes/kprobes.c | 13 +- block/bdev.c | 17 ++ block/blk-zoned.c | 5 +- block/fops.c | 16 ++ block/ioctl.c | 6 + drivers/accel/qaic/qaic_control.c | 2 +- drivers/base/power/runtime.c | 44 ++++ drivers/bluetooth/btusb.c | 2 + drivers/cpufreq/cppc_cpufreq.c | 14 +- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 2 +- drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c | 7 +- .../gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 3 +- drivers/gpu/drm/bridge/lontium-lt9211.c | 3 +- drivers/gpu/drm/exynos/exynos7_drm_decon.c | 98 ++++----- drivers/gpu/drm/i915/gt/uc/intel_guc_ct.c | 9 +- drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 38 ++-- drivers/gpu/drm/msm/adreno/a6xx_gmu.h | 6 + drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 10 +- drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 2 +- drivers/gpu/drm/scheduler/sched_main.c | 13 +- drivers/hid/hid-input.c | 5 +- drivers/hid/hid-multitouch.c | 28 +-- drivers/iio/imu/inv_icm42600/inv_icm42600.h | 8 +- drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 35 ++-- .../media/platform/nxp/imx8-isi/imx8-isi-core.h | 2 +- drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c | 2 +- drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c | 225 +++++++++------------ .../media/platform/nxp/imx8-isi/imx8-isi-pipe.c | 2 +- drivers/net/can/m_can/m_can_platform.c | 2 +- drivers/net/can/usb/gs_usb.c | 23 +-- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 1 - drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 1 + drivers/net/ethernet/broadcom/tg3.c | 5 +- drivers/net/ethernet/dlink/dl2k.c | 23 ++- drivers/net/ethernet/intel/ixgbevf/defines.h | 6 +- drivers/net/ethernet/intel/ixgbevf/ipsec.c | 10 + drivers/net/ethernet/intel/ixgbevf/ixgbevf.h | 13 +- drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 46 ++++- drivers/net/ethernet/intel/ixgbevf/mbx.h | 8 + drivers/net/ethernet/intel/ixgbevf/vf.c | 194 +++++++++++++++--- drivers/net/ethernet/intel/ixgbevf/vf.h | 5 +- drivers/net/ethernet/realtek/r8169_main.c | 5 +- drivers/net/usb/lan78xx.c | 38 +++- drivers/net/usb/r8152.c | 7 +- drivers/nvme/host/multipath.c | 6 +- drivers/pci/controller/cadence/pci-j721e.c | 64 +++++- drivers/pci/controller/dwc/pcie-tegra194.c | 10 + drivers/pci/pci-sysfs.c | 10 +- drivers/phy/cadence/cdns-dphy.c | 133 +++++++++--- drivers/usb/gadget/function/f_acm.c | 42 ++-- drivers/usb/gadget/function/f_ecm.c | 48 ++--- drivers/usb/gadget/function/f_ncm.c | 78 +++---- drivers/usb/gadget/function/f_rndis.c | 85 ++++---- drivers/usb/gadget/udc/core.c | 3 + fs/btrfs/extent_io.c | 2 +- fs/btrfs/free-space-tree.c | 15 +- fs/btrfs/relocation.c | 13 +- fs/dax.c | 2 +- fs/dcache.c | 2 + fs/eventpoll.c | 145 +++---------- fs/ext4/ext4_jbd2.c | 11 +- fs/ext4/inode.c | 8 + fs/ext4/super.c | 17 +- fs/f2fs/data.c | 2 +- fs/hfsplus/unicode.c | 24 +++ fs/jbd2/transaction.c | 13 +- fs/nfsd/blocklayout.c | 5 +- fs/nfsd/blocklayoutxdr.c | 7 +- fs/nfsd/export.c | 60 +++++- fs/nfsd/export.h | 2 + fs/nfsd/flexfilelayout.c | 8 + fs/nfsd/flexfilelayoutxdr.c | 3 +- fs/nfsd/nfs4layouts.c | 1 - fs/nfsd/nfs4proc.c | 34 ++-- fs/nfsd/nfs4xdr.c | 14 +- fs/nfsd/nfsfh.c | 12 +- fs/nfsd/xdr4.h | 36 +++- fs/nilfs2/the_nilfs.c | 3 - fs/ocfs2/super.c | 6 +- fs/quota/dquot.c | 13 +- fs/quota/quota_v1.c | 3 +- fs/quota/quota_v2.c | 9 +- fs/smb/client/inode.c | 6 +- fs/smb/client/misc.c | 17 ++ fs/smb/client/smb2ops.c | 8 +- fs/smb/server/ksmbd_netlink.h | 3 +- fs/smb/server/server.h | 1 + fs/smb/server/smb2pdu.c | 4 + fs/smb/server/transport_ipc.c | 1 + fs/smb/server/transport_tcp.c | 67 +++--- fs/smb/server/transport_tcp.h | 1 + fs/xfs/libxfs/xfs_log_format.h | 30 ++- fs/xfs/scrub/reap.c | 19 +- fs/xfs/xfs_log.c | 8 +- fs/xfs/xfs_log_priv.h | 4 +- fs/xfs/xfs_log_recover.c | 34 +++- fs/xfs/xfs_ondisk.h | 2 + include/linux/cpufreq.h | 3 + include/linux/mm.h | 2 +- include/linux/pci.h | 14 ++ include/linux/pm_runtime.h | 4 + include/linux/quota.h | 2 +- include/linux/usb/gadget.h | 25 +++ include/net/ip_tunnels.h | 15 ++ kernel/padata.c | 6 +- kernel/sched/fair.c | 38 ++-- mm/shmem.c | 7 +- net/ipv4/ip_tunnel.c | 14 -- net/ipv4/tcp_output.c | 19 +- net/ipv6/ip6_tunnel.c | 3 +- net/tls/tls_main.c | 7 +- net/tls/tls_sw.c | 33 ++- rust/bindings/bindings_helper.h | 2 + rust/bindings/lib.rs | 1 + sound/firewire/amdtp-stream.h | 2 +- sound/soc/codecs/idt821034.c | 12 +- sound/soc/codecs/nau8821.c | 53 +++-- sound/usb/card.c | 10 +- .../testing/selftests/bpf/prog_tests/arg_parsing.c | 12 +- 128 files changed, 1549 insertions(+), 924 deletions(-)

1 month, 1 week

11
115
0 0

[PATCHSET] xfs: random fixes for 6.18

by Darrick J. Wong

Hi all, Random fixes for 6.18. If you're going to start using this code, I strongly recommend pulling from my git trees, which are linked below. This has been running on the djcloud for months with no problems. Enjoy! Comments and questions are, as always, welcome. --D kernel git tree: https://git.kernel.org/cgit/linux/kernel/git/djwong/xfs-linux.git/log/?h=xf… --- Commits in this patchset: * xfs: don't set bt_nr_sectors to a negative number * xfs: always warn about deprecated mount options * xfs: loudly complain about defunct mount options * xfs: fix locking in xchk_nlinks_collect_dir --- fs/xfs/xfs_buf.h | 1 + fs/xfs/scrub/nlinks.c | 34 +++++++++++++++++++++++++++++++--- fs/xfs/xfs_buf.c | 2 +- fs/xfs/xfs_super.c | 45 +++++++++++++++++++++++++++++++++++---------- 4 files changed, 68 insertions(+), 14 deletions(-)

1 month, 1 week

3
9
0 0

[PATCH 6.12 000/136] 6.12.55-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.55 release. There are 136 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 23 Oct 2025 19:49:51 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.55-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.55-rc1 Guenter Roeck <linux(a)roeck-us.net> dmaengine: Add missing cleanup on module unload Mark Rutland <mark.rutland(a)arm.com> arm64: errata: Apply workarounds for Neoverse-V3AE Mark Rutland <mark.rutland(a)arm.com> arm64: cputype: Add Neoverse-V3AE definitions Jakub Acs <acsjakub(a)amazon.de> mm/ksm: fix flag-dropping behavior in ksm_madvise Chuck Lever <chuck.lever(a)oracle.com> NFSD: Define a proc_layoutcommit for the FlexFiles layout type Devarsh Thakkar <devarsht(a)ti.com> phy: cadence: cdns-dphy: Update calibration wait time for startup state machine Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: reset blackhole on success with non-loopback ifaces Kuniyuki Iwashima <kuniyu(a)google.com> mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable(). Kuniyuki Iwashima <kuniyu(a)google.com> mptcp: Call dst_release() in mptcp_active_enable(). Sharath Chandra Vurukala <quic_sharathv(a)quicinc.com> net: Add locking to protect skb->dev access in ip_output Eric Dumazet <edumazet(a)google.com> ipv4: adopt dst_dev, skb_dst_dev and skb_dst_dev_net[_rcu] Eric Dumazet <edumazet(a)google.com> net: dst: add four helpers to annotate data-races around dst->dev Eric Dumazet <edumazet(a)google.com> tcp: cache RTAX_QUICKACK metric in a hot cache line Eric Dumazet <edumazet(a)google.com> tcp: convert to dev_net_rcu() Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> ixgbevf: fix mailbox API compatibility by negotiating supported features Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> ixgbevf: fix getting link speed data for E610 devices Piotr Kwapulinski <piotr.kwapulinski(a)intel.com> ixgbevf: Add support for Intel(R) E610 device Piotr Kwapulinski <piotr.kwapulinski(a)intel.com> PCI: Add PCI_VDEVICE_SUB helper macro Jan Kara <jack(a)suse.cz> vfs: Don't leak disconnected dentries on umount Al Viro <viro(a)zeniv.linux.org.uk> d_alloc_parallel(): set DCACHE_PAR_LOOKUP earlier Babu Moger <babu.moger(a)amd.com> x86/resctrl: Fix miscount of bandwidth event when reactivating previously unavailable RMID Babu Moger <babu.moger(a)amd.com> x86/resctrl: Refactor resctrl_arch_rmid_read() Yu Kuai <yukuai3(a)huawei.com> md: fix mssing blktrace bio split events John Garry <john.g.garry(a)oracle.com> md/raid10: Handle bio_split() errors John Garry <john.g.garry(a)oracle.com> md/raid1: Handle bio_split() errors John Garry <john.g.garry(a)oracle.com> md/raid0: Handle bio_split() errors Xiao Liang <shaw.leon(a)gmail.com> padata: Reset next CPU when reorder sequence wraps around Darrick J. Wong <djwong(a)kernel.org> xfs: use deferred intent items for reaping crosslinked blocks Fedor Pchelkin <pchelkin(a)ispras.ru> wifi: rtw89: avoid possible TX wait initialization race Sergey Bashirov <sergeybashirov(a)gmail.com> NFSD: Fix last write offset handling in layoutcommit Sergey Bashirov <sergeybashirov(a)gmail.com> NFSD: Implement large extent array support in pNFS Sergey Bashirov <sergeybashirov(a)gmail.com> NFSD: Minor cleanup in layoutcommit processing Sergey Bashirov <sergeybashirov(a)gmail.com> NFSD: Rework encoding and decoding of nfsd4_deviceid Sergey Bashirov <sergeybashirov(a)gmail.com> nfsd: Drop dprintk in blocklayout xdr functions Sergey Bashirov <sergeybashirov(a)gmail.com> nfsd: Use correct error code when decoding extents Sean Nyekjaer <sean(a)geanix.com> iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended Sean Nyekjaer <sean(a)geanix.com> iio: imu: inv_icm42600: Simplify pm_runtime setup Bence Csókás <csokas.bence(a)prolan.hu> PM: runtime: Add new devm functions Devarsh Thakkar <devarsht(a)ti.com> phy: cadence: cdns-dphy: Fix PLL lock and O_CMN_READY polling Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> phy: cdns-dphy: Store hs_clk_rate and return it Christoph Hellwig <hch(a)lst.de> xfs: fix log CRC mismatches between i386 and other architectures Christoph Hellwig <hch(a)lst.de> xfs: rename the old_crc variable in xlog_recover_process Viacheslav Dubeyko <slava(a)dubeyko.com> hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp() Wilfred Mallawa <wilfred.mallawa(a)wdc.com> nvme/tcp: handle tls partially sent records in write_space() Xing Guo <higuoxing(a)gmail.com> selftests: arg_parsing: Ensure data is flushed to disk before reading. Li Qiang <liqiang01(a)kylinos.cn> ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> HID: multitouch: fix name of Stylus input devices Dmitry Torokhov <dmitry.torokhov(a)gmail.com> HID: hid-input: only ignore 0 battery events for digitizers Jiaming Zhang <r772577952(a)gmail.com> ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card Andrii Nakryiko <andrii(a)kernel.org> selftests/bpf: make arg_parsing.c more robust to crashes Pranjal Ramajor Asha Kanojiya <quic_pkanojiy(a)quicinc.com> accel/qaic: Synchronize access to DBC request queue head & tail pointer Youssef Samir <quic_yabdulra(a)quicinc.com> accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages() Jeffrey Hugo <quic_jhugo(a)quicinc.com> accel/qaic: Fix bootlog initialization ordering Randy Dunlap <rdunlap(a)infradead.org> ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings Vincent Guittot <vincent.guittot(a)linaro.org> sched/fair: Fix pelt lost idle time detection Alok Tiwari <alok.a.tiwari(a)oracle.com> drm/rockchip: vop2: use correct destination rectangle height check Francesco Valla <francesco(a)valla.it> drm/draw: fix color truncation in drm_draw_fill24 Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/powerplay: Fix CIK shutdown temperature Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: fix handling of harvesting for ip_discovery firmware Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: add support for cyan skillfish without IP discovery Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: add ip offset support for cyan skillfish Zhanjun Dong <zhanjun.dong(a)intel.com> drm/i915/guc: Skip communication warning on reset in progress Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ASoC: nau8821: Add DMI quirk to bypass jack debounce circuit Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ASoC: nau8821: Generalize helper to clear IRQ status Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ASoC: nau8821: Cancel jdet_work before handling jack ejection Christophe Leroy <christophe.leroy(a)csgroup.eu> ASoC: codecs: Fix gain setting ranges for Renesas IDT821034 codec Marek Vasut <marek.vasut(a)mailbox.org> drm/bridge: lt9211: Drop check for last nibble of version register Fabian Vogt <fvogt(a)suse.de> riscv: kprobes: Fix probe address validation Amit Chaudhary <achaudhary(a)purestorage.com> nvme-multipath: Skip nr_active increments in RETRY disposition Ketil Johnsen <ketil.johnsen(a)arm.com> drm/panthor: Ensure MCU is disabled on suspend I Viswanath <viswanathiyyappan(a)gmail.com> net: usb: lan78xx: fix use of improperly initialized dev->chipid in lan78xx_reset Oleksij Rempel <o.rempel(a)pengutronix.de> net: usb: lan78xx: Add error handling to lan78xx_init_mac_address Breno Leitao <leitao(a)debian.org> netdevsim: set the carrier when the device goes up Sabrina Dubroca <sd(a)queasysnail.net> tls: don't rely on tx_work during send() Sabrina Dubroca <sd(a)queasysnail.net> tls: wait for pending async decryptions if tls_strp_msg_hold fails Sabrina Dubroca <sd(a)queasysnail.net> tls: always set record_type in tls_process_cmsg Sabrina Dubroca <sd(a)queasysnail.net> tls: wait for async encrypt in case of error during latter iterations of sendmsg Sabrina Dubroca <sd(a)queasysnail.net> tls: trim encrypted message to match the plaintext on short splice Alexey Simakov <bigalex934(a)gmail.com> tg3: prevent use of uninitialized remote_adv and local_adv variables Marios Makassikis <mmakassikis(a)freebox.fr> ksmbd: fix recursive locking in RPC handle list access Eric Dumazet <edumazet(a)google.com> tcp: fix tcp_tso_should_defer() vs large RTT Raju Rangoju <Raju.Rangoju(a)amd.com> amd-xgbe: Avoid spurious link down messages during interface toggle Dmitry Safonov <0x7f454c46(a)gmail.com> net/ip6_tunnel: Prevent perpetual tunnel growth Linmao Li <lilinmao(a)kylinos.cn> r8169: fix packet truncation after S4 resume on RTL8168H/RTL8111H Nicolas Dichtel <nicolas.dichtel(a)6wind.com> doc: fix seg6_flowlabel path Yeounsu Moon <yyyynoom(a)gmail.com> net: dlink: handle dma_map_single() failure properly Marc Kleine-Budde <mkl(a)pengutronix.de> can: m_can: fix CAN state in system PM Sean Nyekjaer <sean(a)geanix.com> can: m_can: call deinit/init callback when going into suspend/resume Sean Nyekjaer <sean(a)geanix.com> can: m_can: add deinit callback Marc Kleine-Budde <mkl(a)pengutronix.de> can: m_can: m_can_chip_config(): bring up interface in correct state Marc Kleine-Budde <mkl(a)pengutronix.de> can: m_can: m_can_handle_state_errors(): fix CAN state transition to Error Active Marc Kleine-Budde <mkl(a)pengutronix.de> can: m_can: m_can_plat_remove(): add missing pm_runtime_disable() Yuezhang Mo <Yuezhang.Mo(a)sony.com> dax: skip read lock assertion for read-only filesystems Benjamin Tissoires <bentiss(a)kernel.org> HID: multitouch: fix sticky fingers Jens Axboe <axboe(a)kernel.dk> Revert "io_uring/rw: drop -EOPNOTSUPP check in __io_complete_rw_common()" Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: f_rndis: Refactor bind path to use __free() Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: f_ecm: Refactor bind path to use __free() Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: f_acm: Refactor bind path to use __free() Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: f_ncm: Refactor bind path to use __free() Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: Introduce free_usb_request helper Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: Store endpoint pointer in usb_request Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: remove ctx->suspended Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: properly clear channels during bind Kaustabh Chakraborty <kauschluss(a)disroot.org> drm/exynos: exynos7_drm_decon: fix uninitialized crtc reference in functions Guoniu Zhou <guoniu.zhou(a)nxp.com> media: nxp: imx8-isi: m2m: Fix streaming cleanup on release Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> media: nxp: imx8-isi: Drop unused argument to mxc_isi_channel_chain() Akhil P Oommen <akhilpo(a)oss.qualcomm.com> drm/msm/a6xx: Fix PDC sleep sequence Miaoqian Lin <linmq006(a)gmail.com> cdx: Fix device node reference leak in cdx_msi_domain_init Jiri Slaby (SUSE) <jirislaby(a)kernel.org> irqdomain: cdx: Switch to of_fwnode_handle() Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Check whether secure display TA loaded successfully Adrian Hunter <adrian.hunter(a)intel.com> perf/core: Fix MMAP2 event device with backing files Adrian Hunter <adrian.hunter(a)intel.com> perf/core: Fix MMAP event path names with backing files Adrian Hunter <adrian.hunter(a)intel.com> perf/core: Fix address filter match with backing files Jonathan Kim <jonathan.kim(a)amd.com> drm/amdgpu: fix gfx12 mes packet status return check Gui-Dong Han <hanguidong02(a)gmail.com> drm/amdgpu: use atomic functions with memory barriers for vm fault info Thomas Zimmermann <tzimmermann(a)suse.de> drm/ast: Blank with VGACR17 sync enable, always clear VGACRB6 sync off Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies Eugene Korenevsky <ekorenevsky(a)aliyun.com> cifs: parse_dfs_referrals: prevent oob on malformed input Celeste Liu <uwu(a)coelacanthus.name> can: gs_usb: increase max interface to U8_MAX Celeste Liu <uwu(a)coelacanthus.name> can: gs_usb: gs_make_candev(): populate net_device->dev_port Filipe Manana <fdmanana(a)suse.com> btrfs: do not assert we found block group item when creating free space tree Miquel Sabaté Solà <mssola(a)mssola.com> btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST Boris Burkov <boris(a)bur.io> btrfs: fix incorrect readahead expansion length Miquel Sabaté Solà <mssola(a)mssola.com> btrfs: fix memory leak on duplicated memory in the qgroup assign ioctl Filipe Manana <fdmanana(a)suse.com> btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation already running Deepanshu Kartikey <kartikey406(a)gmail.com> ext4: detect invalid INLINE_DATA + EXTENTS flag combination Zhang Yi <yi.zhang(a)huawei.com> ext4: wait for ongoing I/O to complete before freeing blocks Zhang Yi <yi.zhang(a)huawei.com> jbd2: ensure that all ongoing I/O complete before freeing blocks Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: fix wrong block mapping for multi-devices Oliver Upton <oliver.upton(a)linux.dev> KVM: arm64: Prevent access to vCPU events before init Yi Cong <yicong(a)kylinos.cn> r8152: add error handling in rtl8152_driver_init Hao Ge <gehao(a)kylinos.cn> slab: reset slab->obj_ext when freeing and it is OBJEXTS_ALLOC_FAIL Shuhao Fu <sfual(a)cse.ust.hk> smb: client: Fix refcount leak for cifs_sb_tlink Conor Dooley <conor.dooley(a)microchip.com> rust: cfi: only 64-bit arm and x86 support CFI_CLANG Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe/guc: Check GuC running state before deregistering exec queue ------------- Diffstat: Documentation/arch/arm64/silicon-errata.rst | 2 + Documentation/networking/seg6-sysctl.rst | 3 + Makefile | 4 +- arch/Kconfig | 1 + arch/arm64/Kconfig | 1 + arch/arm64/include/asm/cputype.h | 2 + arch/arm64/kernel/cpu_errata.c | 1 + arch/arm64/kvm/arm.c | 6 + arch/riscv/kernel/probes/kprobes.c | 13 +- arch/x86/kernel/cpu/resctrl/monitor.c | 46 +++-- drivers/accel/qaic/qaic.h | 2 + drivers/accel/qaic/qaic_control.c | 2 +- drivers/accel/qaic/qaic_data.c | 12 +- drivers/accel/qaic/qaic_debugfs.c | 5 +- drivers/accel/qaic/qaic_drv.c | 3 + drivers/base/power/runtime.c | 44 ++++ drivers/cdx/cdx_msi.c | 5 +- drivers/cpufreq/cppc_cpufreq.c | 14 +- drivers/dma/idxd/init.c | 2 + drivers/gpu/drm/amd/amdgpu/Makefile | 3 +- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 48 ++++- drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 2 +- .../gpu/drm/amd/amdgpu/cyan_skillfish_reg_init.c | 56 +++++ drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/nv.h | 1 + .../gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 3 +- drivers/gpu/drm/ast/ast_mode.c | 18 +- drivers/gpu/drm/ast/ast_reg.h | 1 + drivers/gpu/drm/bridge/lontium-lt9211.c | 3 +- drivers/gpu/drm/drm_draw.c | 2 +- drivers/gpu/drm/drm_draw_internal.h | 2 +- drivers/gpu/drm/exynos/exynos7_drm_decon.c | 98 ++++----- drivers/gpu/drm/i915/gt/uc/intel_guc_ct.c | 9 +- drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 28 ++- drivers/gpu/drm/msm/adreno/a6xx_gmu.h | 6 + drivers/gpu/drm/panthor/panthor_fw.c | 1 + drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 2 +- drivers/gpu/drm/scheduler/sched_main.c | 13 +- drivers/gpu/drm/xe/xe_guc_submit.c | 13 +- drivers/hid/hid-input.c | 5 +- drivers/hid/hid-multitouch.c | 28 +-- drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 35 ++-- drivers/md/md-linear.c | 1 + drivers/md/raid0.c | 16 ++ drivers/md/raid1.c | 37 +++- drivers/md/raid10.c | 55 ++++- drivers/md/raid5.c | 2 + .../media/platform/nxp/imx8-isi/imx8-isi-core.h | 2 +- drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c | 2 +- drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c | 225 +++++++++------------ .../media/platform/nxp/imx8-isi/imx8-isi-pipe.c | 2 +- drivers/net/can/m_can/m_can.c | 86 +++++--- drivers/net/can/m_can/m_can.h | 1 + drivers/net/can/m_can/m_can_platform.c | 2 +- drivers/net/can/usb/gs_usb.c | 23 +-- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 1 - drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 1 + drivers/net/ethernet/broadcom/tg3.c | 5 +- drivers/net/ethernet/dlink/dl2k.c | 23 ++- drivers/net/ethernet/intel/ixgbevf/defines.h | 6 +- drivers/net/ethernet/intel/ixgbevf/ipsec.c | 10 + drivers/net/ethernet/intel/ixgbevf/ixgbevf.h | 13 +- drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 46 ++++- drivers/net/ethernet/intel/ixgbevf/mbx.h | 8 + drivers/net/ethernet/intel/ixgbevf/vf.c | 194 +++++++++++++++--- drivers/net/ethernet/intel/ixgbevf/vf.h | 5 +- drivers/net/ethernet/realtek/r8169_main.c | 5 +- drivers/net/netdevsim/netdev.c | 7 + drivers/net/usb/lan78xx.c | 38 +++- drivers/net/usb/r8152.c | 7 +- drivers/net/wireless/realtek/rtw89/core.c | 39 ++-- drivers/net/wireless/realtek/rtw89/core.h | 6 +- drivers/net/wireless/realtek/rtw89/mac80211.c | 2 +- drivers/net/wireless/realtek/rtw89/pci.c | 2 - drivers/nvme/host/multipath.c | 6 +- drivers/nvme/host/tcp.c | 3 + drivers/phy/cadence/cdns-dphy.c | 133 +++++++++--- drivers/usb/gadget/function/f_acm.c | 42 ++-- drivers/usb/gadget/function/f_ecm.c | 48 ++--- drivers/usb/gadget/function/f_ncm.c | 78 +++---- drivers/usb/gadget/function/f_rndis.c | 85 ++++---- drivers/usb/gadget/udc/core.c | 3 + fs/btrfs/extent_io.c | 2 +- fs/btrfs/free-space-tree.c | 15 +- fs/btrfs/ioctl.c | 2 +- fs/btrfs/relocation.c | 13 +- fs/btrfs/zoned.c | 2 +- fs/dax.c | 2 +- fs/dcache.c | 12 +- fs/ext4/ext4_jbd2.c | 11 +- fs/ext4/inode.c | 8 + fs/f2fs/data.c | 2 +- fs/hfsplus/unicode.c | 24 +++ fs/jbd2/transaction.c | 13 +- fs/nfsd/blocklayout.c | 33 +-- fs/nfsd/blocklayoutxdr.c | 171 ++++++++++------ fs/nfsd/blocklayoutxdr.h | 8 +- fs/nfsd/flexfilelayout.c | 8 + fs/nfsd/flexfilelayoutxdr.c | 3 +- fs/nfsd/nfs4layouts.c | 1 - fs/nfsd/nfs4proc.c | 36 ++-- fs/nfsd/nfs4xdr.c | 25 +-- fs/nfsd/nfsd.h | 1 + fs/nfsd/pnfs.h | 1 + fs/nfsd/xdr4.h | 39 +++- fs/smb/client/inode.c | 6 +- fs/smb/client/misc.c | 17 ++ fs/smb/client/smb2ops.c | 8 +- fs/smb/server/mgmt/user_session.c | 7 +- fs/smb/server/smb2pdu.c | 9 +- fs/smb/server/transport_ipc.c | 12 ++ fs/xfs/libxfs/xfs_log_format.h | 30 ++- fs/xfs/libxfs/xfs_ondisk.h | 2 + fs/xfs/scrub/reap.c | 9 +- fs/xfs/xfs_log.c | 8 +- fs/xfs/xfs_log_priv.h | 4 +- fs/xfs/xfs_log_recover.c | 34 +++- include/linux/mm.h | 2 +- include/linux/pci.h | 14 ++ include/linux/pm_runtime.h | 4 + include/linux/usb/gadget.h | 25 +++ include/net/dst.h | 32 +++ include/net/inet6_hashtables.h | 2 +- include/net/inet_connection_sock.h | 3 +- include/net/inet_hashtables.h | 2 +- include/net/ip.h | 11 +- include/net/ip_tunnels.h | 15 ++ include/net/route.h | 2 +- io_uring/rw.c | 2 +- kernel/events/core.c | 8 +- kernel/padata.c | 6 +- kernel/sched/fair.c | 26 +-- mm/slub.c | 9 +- net/core/dst.c | 4 +- net/core/sock.c | 14 +- net/ipv4/icmp.c | 24 ++- net/ipv4/igmp.c | 2 +- net/ipv4/ip_fragment.c | 2 +- net/ipv4/ip_output.c | 19 +- net/ipv4/ip_tunnel.c | 14 -- net/ipv4/ip_vti.c | 4 +- net/ipv4/netfilter.c | 4 +- net/ipv4/route.c | 8 +- net/ipv4/tcp_fastopen.c | 4 +- net/ipv4/tcp_input.c | 3 +- net/ipv4/tcp_ipv4.c | 12 +- net/ipv4/tcp_metrics.c | 8 +- net/ipv4/tcp_output.c | 19 +- net/ipv4/xfrm4_output.c | 2 +- net/ipv6/ip6_tunnel.c | 3 +- net/ipv6/tcp_ipv6.c | 22 +- net/mptcp/ctrl.c | 9 +- net/tls/tls_main.c | 7 +- net/tls/tls_sw.c | 31 ++- rust/bindings/bindings_helper.h | 1 + sound/firewire/amdtp-stream.h | 2 +- sound/soc/amd/acp/acp-sdw-sof-mach.c | 2 +- sound/soc/codecs/idt821034.c | 12 +- sound/soc/codecs/nau8821.c | 53 +++-- sound/usb/card.c | 10 +- .../testing/selftests/bpf/prog_tests/arg_parsing.c | 12 +- 164 files changed, 1922 insertions(+), 967 deletions(-)

1 month, 1 week

8
146
0 0

[PATCH 6.17 000/159] 6.17.5-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.17.5 release. There are 159 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 23 Oct 2025 19:49:51 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.17.5-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.17.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.17.5-rc1 Matthew Brost <matthew.brost(a)intel.com> drm/xe: Don't allow evicting of BOs in same VM in array of VM binds Lucas De Marchi <lucas.demarchi(a)intel.com> drm/xe: Move rebar to be done earlier Piotr Piórkowski <piotr.piorkowski(a)intel.com> drm/xe: Unify the initialization of VRAM regions Piotr Piórkowski <piotr.piorkowski(a)intel.com> drm/xe: Move struct xe_vram_region to a dedicated header Piotr Piórkowski <piotr.piorkowski(a)intel.com> drm/xe: Use dynamic allocation for tile and device VRAM region structures Piotr Piórkowski <piotr.piorkowski(a)intel.com> drm/xe: Use devm_ioremap_wc for VRAM mapping and drop manual unmap Devarsh Thakkar <devarsht(a)ti.com> phy: cadence: cdns-dphy: Update calibration wait time for startup state machine Dave Jiang <dave.jiang(a)intel.com> cxl: Fix match_region_by_range() to use region_res_match_cxl_range() Babu Moger <babu.moger(a)amd.com> x86/resctrl: Fix miscount of bandwidth event when reactivating previously unavailable RMID Babu Moger <babu.moger(a)amd.com> x86/resctrl: Refactor resctrl_arch_rmid_read() Chuck Lever <chuck.lever(a)oracle.com> NFSD: Define a proc_layoutcommit for the FlexFiles layout type Devarsh Thakkar <devarsht(a)ti.com> phy: cadence: cdns-dphy: Fix PLL lock and O_CMN_READY polling Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> phy: cdns-dphy: Store hs_clk_rate and return it Sergey Bashirov <sergeybashirov(a)gmail.com> NFSD: Fix last write offset handling in layoutcommit Sergey Bashirov <sergeybashirov(a)gmail.com> NFSD: Implement large extent array support in pNFS Sergey Bashirov <sergeybashirov(a)gmail.com> NFSD: Minor cleanup in layoutcommit processing Sergey Bashirov <sergeybashirov(a)gmail.com> NFSD: Rework encoding and decoding of nfsd4_deviceid Christoph Hellwig <hch(a)lst.de> xfs: fix log CRC mismatches between i386 and other architectures Christoph Hellwig <hch(a)lst.de> xfs: rename the old_crc variable in xlog_recover_process Mark Rutland <mark.rutland(a)arm.com> arm64: errata: Apply workarounds for Neoverse-V3AE Mark Rutland <mark.rutland(a)arm.com> arm64: cputype: Add Neoverse-V3AE definitions Ada Couprie Diaz <ada.coupriediaz(a)arm.com> arm64: debug: always unmask interrupts in el0_softstp() Viacheslav Dubeyko <slava(a)dubeyko.com> hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp() Miguel Ojeda <ojeda(a)kernel.org> rust: cpufreq: fix formatting Wilfred Mallawa <wilfred.mallawa(a)wdc.com> nvme/tcp: handle tls partially sent records in write_space() Xing Guo <higuoxing(a)gmail.com> selftests: arg_parsing: Ensure data is flushed to disk before reading. Matthew Auld <matthew.auld(a)intel.com> drm/xe/evict: drop bogus assert Li Qiang <liqiang01(a)kylinos.cn> ASoC: amd/sdw_utils: avoid NULL deref when devm_kasprintf() fails Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> HID: multitouch: fix name of Stylus input devices Dmitry Torokhov <dmitry.torokhov(a)gmail.com> HID: hid-input: only ignore 0 battery events for digitizers Ming Lei <ming.lei(a)redhat.com> block: Remove elevator_lock usage from blkg_conf frozen operations Yu Kuai <yukuai3(a)huawei.com> blk-mq: fix stale tag depth for shared sched tags in blk_mq_update_nr_requests() Jiaming Zhang <r772577952(a)gmail.com> ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card Andrii Nakryiko <andrii(a)kernel.org> selftests/bpf: make arg_parsing.c more robust to crashes Alison Schofield <alison.schofield(a)intel.com> cxl/trace: Subtract to find an hpa_alias0 in cxl_poison events Martin George <martinus.gpy(a)gmail.com> nvme-auth: update sc_c in host response Pranjal Ramajor Asha Kanojiya <quic_pkanojiy(a)quicinc.com> accel/qaic: Synchronize access to DBC request queue head & tail pointer Youssef Samir <quic_yabdulra(a)quicinc.com> accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages() Jeff Hugo <jeff.hugo(a)oss.qualcomm.com> accel/qaic: Fix bootlog initialization ordering Randy Dunlap <rdunlap(a)infradead.org> ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings Vincent Guittot <vincent.guittot(a)linaro.org> sched/fair: Fix pelt lost idle time detection Peter Zijlstra (Intel) <peterz(a)infradead.org> sched/deadline: Stop dl_server before CPU goes offline Even Xu <even.xu(a)intel.com> HID: intel-thc-hid: Intel-quickspi: switch first interrupt from level to edge detection Alok Tiwari <alok.a.tiwari(a)oracle.com> drm/rockchip: vop2: use correct destination rectangle height check Francesco Valla <francesco(a)valla.it> drm/draw: fix color truncation in drm_draw_fill24 Ingo Molnar <mingo(a)kernel.org> x86/mm: Fix SMP ordering in switch_mm_irqs_off() Dave Jiang <dave.jiang(a)intel.com> cxl/features: Add check for no entries in cxl_feature_info Vinay Belgaumkar <vinay.belgaumkar(a)intel.com> drm/xe: Enable media sampler power gating Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/powerplay: Fix CIK shutdown temperature Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: drop unused structures in amdgpu_drm.h Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: set an error on all fences from a bad context Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: handle wrap around in reemit handling Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: fix handling of harvesting for ip_discovery firmware Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: add support for cyan skillfish without IP discovery Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: add ip offset support for cyan skillfish Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/fb: Fix the set_tiling vs. addfb race, again Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/frontbuffer: Move bo refcounting intel_frontbuffer_{get,release}() Zhanjun Dong <zhanjun.dong(a)intel.com> drm/i915/guc: Skip communication warning on reset in progress Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ASoC: nau8821: Add DMI quirk to bypass jack debounce circuit Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ASoC: nau8821: Consistently clear interrupts before unmasking Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ASoC: nau8821: Generalize helper to clear IRQ status Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ASoC: nau8821: Cancel jdet_work before handling jack ejection Christophe Leroy <christophe.leroy(a)csgroup.eu> ASoC: codecs: Fix gain setting ranges for Renesas IDT821034 codec Sourabh Jain <sourabhjain(a)linux.ibm.com> powerpc/fadump: skip parameter area allocation when fadump is disabled Marek Vasut <marek.vasut(a)mailbox.org> drm/bridge: lt9211: Drop check for last nibble of version register Fabian Vogt <fvogt(a)suse.de> riscv: kprobes: Fix probe address validation Amit Chaudhary <achaudhary(a)purestorage.com> nvme-multipath: Skip nr_active increments in RETRY disposition Ketil Johnsen <ketil.johnsen(a)arm.com> drm/panthor: Ensure MCU is disabled on suspend I Viswanath <viswanathiyyappan(a)gmail.com> net: usb: lan78xx: fix use of improperly initialized dev->chipid in lan78xx_reset Breno Leitao <leitao(a)debian.org> netdevsim: set the carrier when the device goes up Sabrina Dubroca <sd(a)queasysnail.net> tls: don't rely on tx_work during send() Sabrina Dubroca <sd(a)queasysnail.net> tls: wait for pending async decryptions if tls_strp_msg_hold fails Sabrina Dubroca <sd(a)queasysnail.net> tls: always set record_type in tls_process_cmsg Sabrina Dubroca <sd(a)queasysnail.net> tls: wait for async encrypt in case of error during latter iterations of sendmsg Sabrina Dubroca <sd(a)queasysnail.net> tls: trim encrypted message to match the plaintext on short splice Alexey Simakov <bigalex934(a)gmail.com> tg3: prevent use of uninitialized remote_adv and local_adv variables Marios Makassikis <mmakassikis(a)freebox.fr> ksmbd: fix recursive locking in RPC handle list access Florian Westphal <fw(a)strlen.de> net: core: fix lockdep splat on device unregister Wang Liang <wangliang74(a)huawei.com> selftests: net: check jq command is supported Lorenzo Bianconi <lorenzo(a)kernel.org> net: airoha: Take into account out-of-order tx completions in airoha_dev_xmit() Eric Dumazet <edumazet(a)google.com> tcp: fix tcp_tso_should_defer() vs large RTT Zqiang <qiang.zhang(a)linux.dev> usbnet: Fix using smp_processor_id() in preemptible code warnings Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com> Octeontx2-af: Fix missing error code in cgx_probe() Raju Rangoju <Raju.Rangoju(a)amd.com> amd-xgbe: Avoid spurious link down messages during interface toggle Marek Vasut <marek.vasut(a)mailbox.org> net: phy: realtek: Avoid PHYCR2 access if PHYCR2 not present Koichiro Den <den(a)valinux.co.jp> ixgbe: fix too early devlink_free() in ixgbe_remove() Milena Olech <milena.olech(a)intel.com> idpf: cleanup remaining SKBs in PTP flows Dmitry Safonov <0x7f454c46(a)gmail.com> net/ip6_tunnel: Prevent perpetual tunnel growth Kamil Horák - 2N <kamilh(a)axis.com> net: phy: bcm54811: Fix GMII/MII/MII-Lite selection Linmao Li <lilinmao(a)kylinos.cn> r8169: fix packet truncation after S4 resume on RTL8168H/RTL8111H Ivan Vecera <ivecera(a)redhat.com> dpll: zl3073x: Handle missing or corrupted flash configuration Ivan Vecera <ivecera(a)redhat.com> dpll: zl3073x: Refactor DPLL initialization Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> can: j1939: add missing calls in NETDEV_UNREGISTER notification handler Nicolas Dichtel <nicolas.dichtel(a)6wind.com> doc: fix seg6_flowlabel path Yeounsu Moon <yyyynoom(a)gmail.com> net: dlink: handle dma_map_single() failure properly Rex Lu <rex.lu(a)mediatek.com> net: mtk: wed: add dma mask limitation and GFP_DMA32 for device with more than 4GB DRAM Marc Kleine-Budde <mkl(a)pengutronix.de> can: m_can: fix CAN state in system PM Marc Kleine-Budde <mkl(a)pengutronix.de> can: m_can: m_can_chip_config(): bring up interface in correct state Marc Kleine-Budde <mkl(a)pengutronix.de> can: m_can: m_can_handle_state_errors(): fix CAN state transition to Error Active Marc Kleine-Budde <mkl(a)pengutronix.de> can: m_can: m_can_plat_remove(): add missing pm_runtime_disable() Christian Brauner <brauner(a)kernel.org> coredump: fix core_pattern input validation Yuezhang Mo <Yuezhang.Mo(a)sony.com> dax: skip read lock assertion for read-only filesystems Benjamin Tissoires <bentiss(a)kernel.org> HID: multitouch: fix sticky fingers Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: f_ncm: Refactor bind path to use __free() Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: f_ecm: Refactor bind path to use __free() Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: f_acm: Refactor bind path to use __free() Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: f_rndis: Refactor bind path to use __free() Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: Introduce free_usb_request helper Kuen-Han Tsai <khtsai(a)google.com> usb: gadget: Store endpoint pointer in usb_request Guoniu Zhou <guoniu.zhou(a)nxp.com> media: nxp: imx8-isi: m2m: Fix streaming cleanup on release Mario Limonciello (AMD) <superm1(a)kernel.org> drm/amd: Fix hybrid sleep Mario Limonciello (AMD) <superm1(a)kernel.org> PM: hibernate: Add pm_hibernation_mode_is_suspend() Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Check whether secure display TA loaded successfully Adrian Hunter <adrian.hunter(a)intel.com> perf/core: Fix MMAP2 event device with backing files Adrian Hunter <adrian.hunter(a)intel.com> perf/core: Fix MMAP event path names with backing files Adrian Hunter <adrian.hunter(a)intel.com> perf/core: Fix address filter match with backing files Kenneth Graunke <kenneth(a)whitecape.org> drm/xe: Increase global invalidation timeout to 1000us Jonathan Kim <jonathan.kim(a)amd.com> drm/amdgpu: fix gfx12 mes packet status return check Gui-Dong Han <hanguidong02(a)gmail.com> drm/amdgpu: use atomic functions with memory barriers for vm fault info Thomas Zimmermann <tzimmermann(a)suse.de> drm/ast: Blank with VGACR17 sync enable, always clear VGACRB6 sync off Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies Denis Arefev <arefev(a)swemel.ru> ALSA: hda: Fix missing pointer check in hda_component_manager_init function Denis Arefev <arefev(a)swemel.ru> ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state() Takashi Iwai <tiwai(a)suse.de> ALSA: hda/realtek: Add quirk entry for HP ZBook 17 G6 Stuart Hayhurst <stuart.a.hayhurst(a)gmail.com> ALSA: hda/intel: Add MSI X870E Tomahawk to denylist Dave Jiang <dave.jiang(a)intel.com> cxl/acpi: Fix setup of memory resource in cxl_acpi_set_cache_size() Eugene Korenevsky <ekorenevsky(a)aliyun.com> cifs: parse_dfs_referrals: prevent oob on malformed input Celeste Liu <uwu(a)coelacanthus.name> can: gs_usb: increase max interface to U8_MAX Celeste Liu <uwu(a)coelacanthus.name> can: gs_usb: gs_make_candev(): populate net_device->dev_port Filipe Manana <fdmanana(a)suse.com> btrfs: do not assert we found block group item when creating free space tree Miquel Sabaté Solà <mssola(a)mssola.com> btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST Boris Burkov <boris(a)bur.io> btrfs: fix incorrect readahead expansion length Qu Wenruo <wqu(a)suse.com> btrfs: only set the device specific options after devices are opened Miquel Sabaté Solà <mssola(a)mssola.com> btrfs: fix memory leak on duplicated memory in the qgroup assign ioctl Filipe Manana <fdmanana(a)suse.com> btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation already running Deepanshu Kartikey <kartikey406(a)gmail.com> ext4: detect invalid INLINE_DATA + EXTENTS flag combination Zhang Yi <yi.zhang(a)huawei.com> ext4: wait for ongoing I/O to complete before freeing blocks Zhang Yi <yi.zhang(a)huawei.com> jbd2: ensure that all ongoing I/O complete before freeing blocks Tim Hostetler <thostet(a)google.com> gve: Check valid ts bit on RX descriptor before hw timestamping Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: fix wrong block mapping for multi-devices Oliver Upton <oliver.upton(a)linux.dev> KVM: arm64: Prevent access to vCPU events before init Bhanu Seshu Kumar Valluri <bhanuseshukumar(a)gmail.com> net: usb: lan78xx: Fix lost EEPROM write timeout error(-ETIMEDOUT) in lan78xx_write_raw_eeprom Yi Cong <yicong(a)kylinos.cn> r8152: add error handling in rtl8152_driver_init Matthew Schwartz <matthew.schwartz(a)linux.dev> Revert "drm/amd/display: Only restore backlight after amdgpu_dm_init or dm_resume" Pavel Begunkov <asml.silence(a)gmail.com> io_uring: protect mem region deregistration Jens Axboe <axboe(a)kernel.dk> Revert "io_uring/rw: drop -EOPNOTSUPP check in __io_complete_rw_common()" Hao Ge <gehao(a)kylinos.cn> slab: reset slab->obj_ext when freeing and it is OBJEXTS_ALLOC_FAIL Rong Zhang <i(a)rong.moe> x86/CPU/AMD: Prevent reset reasons from being retained across reboot Shuhao Fu <sfual(a)cse.ust.hk> smb: client: Fix refcount leak for cifs_sb_tlink Conor Dooley <conor.dooley(a)microchip.com> rust: cfi: only 64-bit arm and x86 support CFI_CLANG Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> ixgbevf: fix mailbox API compatibility by negotiating supported features Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> ixgbevf: fix getting link speed data for E610 devices Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe/guc: Check GuC running state before deregistering exec queue Lorenzo Pieralisi <lpieralisi(a)kernel.org> arm64/sysreg: Fix GIC CDEOI instruction encoding Damien Le Moal <dlemoal(a)kernel.org> ata: libata-core: relax checks in ata_read_log_directory() Jan Kara <jack(a)suse.cz> vfs: Don't leak disconnected dentries on umount Inochi Amaoto <inochiama(a)gmail.com> PCI: vmd: Override irq_startup()/irq_shutdown() in vmd_init_dev_msi_info() Andrey Albershteyn <aalbersh(a)redhat.com> Revert "fs: make vfs_fileattr_[get|set] return -EOPNOTSUPP" Jonathan Corbet <corbet(a)lwn.net> docs: kdoc: handle the obsolescensce of docutils.ErrorString() ------------- Diffstat: Documentation/arch/arm64/silicon-errata.rst | 2 + Documentation/networking/seg6-sysctl.rst | 3 + Documentation/sphinx/kernel_feat.py | 4 +- Documentation/sphinx/kernel_include.py | 6 +- Documentation/sphinx/maintainers_include.py | 4 +- Makefile | 4 +- arch/Kconfig | 1 + arch/arm64/Kconfig | 1 + arch/arm64/include/asm/cputype.h | 2 + arch/arm64/include/asm/sysreg.h | 11 +- arch/arm64/kernel/cpu_errata.c | 1 + arch/arm64/kernel/entry-common.c | 8 +- arch/arm64/kvm/arm.c | 6 + arch/powerpc/kernel/fadump.c | 3 + arch/riscv/kernel/probes/kprobes.c | 13 +- arch/x86/kernel/cpu/amd.c | 16 +- arch/x86/kernel/cpu/resctrl/monitor.c | 46 ++-- arch/x86/mm/tlb.c | 24 +- block/blk-cgroup.c | 13 +- block/blk-mq-sched.c | 2 +- block/blk-mq-tag.c | 5 +- block/blk-mq.c | 2 +- block/blk-mq.h | 3 +- drivers/accel/qaic/qaic.h | 2 + drivers/accel/qaic/qaic_control.c | 2 +- drivers/accel/qaic/qaic_data.c | 12 +- drivers/accel/qaic/qaic_debugfs.c | 5 +- drivers/accel/qaic/qaic_drv.c | 3 + drivers/ata/libata-core.c | 11 +- drivers/cxl/acpi.c | 2 +- drivers/cxl/core/features.c | 3 + drivers/cxl/core/region.c | 7 +- drivers/cxl/core/trace.h | 2 +- drivers/dpll/zl3073x/core.c | 280 +++++++++++++-------- drivers/dpll/zl3073x/core.h | 3 + drivers/dpll/zl3073x/devlink.c | 18 +- drivers/dpll/zl3073x/regs.h | 3 + drivers/gpu/drm/amd/amdgpu/Makefile | 3 +- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 48 +++- drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c | 54 +++- drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h | 2 +- .../gpu/drm/amd/amdgpu/cyan_skillfish_reg_init.c | 56 +++++ drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 7 +- drivers/gpu/drm/amd/amdgpu/nv.h | 1 + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 12 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 7 - .../gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 3 +- drivers/gpu/drm/ast/ast_mode.c | 18 +- drivers/gpu/drm/ast/ast_reg.h | 1 + drivers/gpu/drm/bridge/lontium-lt9211.c | 3 +- drivers/gpu/drm/drm_draw.c | 2 +- drivers/gpu/drm/drm_draw_internal.h | 2 +- drivers/gpu/drm/i915/display/intel_fb.c | 38 +-- drivers/gpu/drm/i915/display/intel_frontbuffer.c | 10 +- .../gpu/drm/i915/gem/i915_gem_object_frontbuffer.h | 2 - drivers/gpu/drm/i915/gt/uc/intel_guc_ct.c | 9 +- drivers/gpu/drm/panthor/panthor_fw.c | 1 + drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 2 +- drivers/gpu/drm/scheduler/sched_main.c | 13 +- drivers/gpu/drm/xe/display/xe_fb_pin.c | 5 +- drivers/gpu/drm/xe/display/xe_plane_initial.c | 3 +- drivers/gpu/drm/xe/regs/xe_gt_regs.h | 1 + drivers/gpu/drm/xe/xe_assert.h | 4 +- drivers/gpu/drm/xe/xe_bo.c | 1 + drivers/gpu/drm/xe/xe_bo.h | 4 +- drivers/gpu/drm/xe/xe_bo_evict.c | 8 - drivers/gpu/drm/xe/xe_bo_types.h | 1 + drivers/gpu/drm/xe/xe_device.c | 22 +- drivers/gpu/drm/xe/xe_device_types.h | 62 +---- drivers/gpu/drm/xe/xe_gt_idle.c | 8 + drivers/gpu/drm/xe/xe_gt_pagefault.c | 13 +- drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c | 3 +- drivers/gpu/drm/xe/xe_guc_submit.c | 13 +- drivers/gpu/drm/xe/xe_migrate.c | 25 +- drivers/gpu/drm/xe/xe_pci.c | 8 + drivers/gpu/drm/xe/xe_query.c | 5 +- drivers/gpu/drm/xe/xe_svm.c | 63 ++--- drivers/gpu/drm/xe/xe_tile.c | 58 +++-- drivers/gpu/drm/xe/xe_tile.h | 14 +- drivers/gpu/drm/xe/xe_ttm_stolen_mgr.c | 10 +- drivers/gpu/drm/xe/xe_ttm_vram_mgr.c | 22 +- drivers/gpu/drm/xe/xe_ttm_vram_mgr.h | 3 +- drivers/gpu/drm/xe/xe_vm.c | 32 ++- drivers/gpu/drm/xe/xe_vm_types.h | 2 + drivers/gpu/drm/xe/xe_vram.c | 245 +++++++++++++----- drivers/gpu/drm/xe/xe_vram.h | 14 +- drivers/gpu/drm/xe/xe_vram_types.h | 85 +++++++ drivers/hid/hid-input.c | 5 +- drivers/hid/hid-multitouch.c | 28 ++- .../intel-quickspi/quickspi-protocol.c | 3 +- drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c | 226 +++++++---------- drivers/net/can/m_can/m_can.c | 64 +++-- drivers/net/can/m_can/m_can_platform.c | 2 +- drivers/net/can/usb/gs_usb.c | 23 +- drivers/net/ethernet/airoha/airoha_eth.c | 16 +- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 1 - drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 1 + drivers/net/ethernet/broadcom/tg3.c | 5 +- drivers/net/ethernet/dlink/dl2k.c | 23 +- drivers/net/ethernet/google/gve/gve.h | 2 + drivers/net/ethernet/google/gve/gve_desc_dqo.h | 3 +- drivers/net/ethernet/google/gve/gve_rx_dqo.c | 16 +- drivers/net/ethernet/intel/idpf/idpf_ptp.c | 3 + .../net/ethernet/intel/idpf/idpf_virtchnl_ptp.c | 1 + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 +- drivers/net/ethernet/intel/ixgbevf/defines.h | 1 + drivers/net/ethernet/intel/ixgbevf/ipsec.c | 10 + drivers/net/ethernet/intel/ixgbevf/ixgbevf.h | 7 + drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 34 ++- drivers/net/ethernet/intel/ixgbevf/mbx.h | 8 + drivers/net/ethernet/intel/ixgbevf/vf.c | 182 +++++++++++--- drivers/net/ethernet/intel/ixgbevf/vf.h | 1 + drivers/net/ethernet/marvell/octeontx2/af/cgx.c | 1 + drivers/net/ethernet/mediatek/mtk_wed.c | 8 +- drivers/net/ethernet/realtek/r8169_main.c | 5 +- drivers/net/netdevsim/netdev.c | 7 + drivers/net/phy/broadcom.c | 20 +- drivers/net/phy/realtek/realtek_main.c | 23 +- drivers/net/usb/lan78xx.c | 19 +- drivers/net/usb/r8152.c | 7 +- drivers/net/usb/usbnet.c | 2 + drivers/nvme/host/auth.c | 6 +- drivers/nvme/host/multipath.c | 6 +- drivers/nvme/host/tcp.c | 3 + drivers/pci/controller/vmd.c | 13 + drivers/phy/cadence/cdns-dphy.c | 133 +++++++--- drivers/usb/gadget/function/f_acm.c | 42 ++-- drivers/usb/gadget/function/f_ecm.c | 48 ++-- drivers/usb/gadget/function/f_ncm.c | 78 +++--- drivers/usb/gadget/function/f_rndis.c | 85 +++---- drivers/usb/gadget/udc/core.c | 3 + fs/btrfs/extent_io.c | 2 +- fs/btrfs/free-space-tree.c | 15 +- fs/btrfs/ioctl.c | 2 +- fs/btrfs/relocation.c | 13 +- fs/btrfs/super.c | 3 +- fs/btrfs/zoned.c | 2 +- fs/coredump.c | 2 +- fs/dax.c | 2 +- fs/dcache.c | 2 + fs/exec.c | 2 +- fs/ext4/ext4_jbd2.c | 11 +- fs/ext4/inode.c | 8 + fs/f2fs/data.c | 2 +- fs/file_attr.c | 12 +- fs/fuse/ioctl.c | 4 - fs/hfsplus/unicode.c | 24 ++ fs/jbd2/transaction.c | 13 +- fs/nfsd/blocklayout.c | 25 +- fs/nfsd/blocklayoutxdr.c | 86 ++++--- fs/nfsd/blocklayoutxdr.h | 4 +- fs/nfsd/flexfilelayout.c | 8 + fs/nfsd/flexfilelayoutxdr.c | 3 +- fs/nfsd/nfs4layouts.c | 1 - fs/nfsd/nfs4proc.c | 36 ++- fs/nfsd/nfs4xdr.c | 25 +- fs/nfsd/pnfs.h | 1 + fs/nfsd/xdr4.h | 39 ++- fs/overlayfs/copy_up.c | 2 +- fs/overlayfs/inode.c | 5 +- fs/smb/client/inode.c | 6 +- fs/smb/client/misc.c | 17 ++ fs/smb/client/smb2ops.c | 8 +- fs/smb/server/mgmt/user_session.c | 7 +- fs/smb/server/smb2pdu.c | 9 +- fs/smb/server/transport_ipc.c | 12 + fs/xfs/libxfs/xfs_log_format.h | 30 ++- fs/xfs/libxfs/xfs_ondisk.h | 2 + fs/xfs/xfs_log.c | 8 +- fs/xfs/xfs_log_priv.h | 4 +- fs/xfs/xfs_log_recover.c | 34 ++- include/linux/brcmphy.h | 1 + include/linux/libata.h | 6 + include/linux/suspend.h | 2 + include/linux/usb/gadget.h | 25 ++ include/net/ip_tunnels.h | 15 ++ include/uapi/drm/amdgpu_drm.h | 21 -- io_uring/register.c | 1 + io_uring/rw.c | 2 +- kernel/events/core.c | 8 +- kernel/power/hibernate.c | 11 + kernel/sched/core.c | 2 + kernel/sched/deadline.c | 3 + kernel/sched/fair.c | 26 +- mm/slub.c | 9 +- net/can/j1939/main.c | 2 + net/core/dev.c | 40 ++- net/ipv4/ip_tunnel.c | 14 -- net/ipv4/tcp_output.c | 19 +- net/ipv6/ip6_tunnel.c | 3 +- net/tls/tls_main.c | 7 +- net/tls/tls_sw.c | 31 ++- rust/kernel/cpufreq.rs | 3 +- sound/firewire/amdtp-stream.h | 2 +- sound/hda/codecs/realtek/alc269.c | 1 + sound/hda/codecs/side-codecs/cs35l41_hda.c | 2 + sound/hda/codecs/side-codecs/hda_component.c | 4 + sound/hda/controllers/intel.c | 1 + sound/soc/amd/acp/acp-sdw-sof-mach.c | 2 +- sound/soc/codecs/idt821034.c | 12 +- sound/soc/codecs/nau8821.c | 115 +++++---- sound/usb/card.c | 10 +- .../testing/selftests/bpf/prog_tests/arg_parsing.c | 12 +- tools/testing/selftests/net/rtnetlink.sh | 2 + tools/testing/selftests/net/vlan_bridge_binding.sh | 2 + 211 files changed, 2408 insertions(+), 1262 deletions(-)

1 month, 1 week

9
172
0 0

[PATCH 6.4 000/797] 6.4.4-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.4.4 release. There are 797 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 19 Jul 2023 18:55:19 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.4.4-rc2.… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.4.4-rc2 Andres Freund <andres(a)anarazel.de> io_uring: Use io_schedule* in cqring wait Sherry Sun <sherry.sun(a)nxp.com> tty: serial: fsl_lpuart: add earlycon for imx8ulp platform Jason A. Donenfeld <Jason(a)zx2c4.com> wireguard: netlink: send staged packets when setting initial private key Jason A. Donenfeld <Jason(a)zx2c4.com> wireguard: queueing: use saner cpu selection wrapping Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> netfilter: nf_tables: prevent OOB access in nft_byteorder_eval Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> netfilter: nf_tables: do not ignore genmask when looking up chain by id Florent Revest <revest(a)chromium.org> netfilter: conntrack: Avoid nf_ct_helper_hash uses after free Tao Zhou <tao.zhou1(a)amd.com> drm/amdgpu: check RAS irq existence for VCN/JPEG Kenneth Feng <kenneth.feng(a)amd.com> drm/amd/pm: add abnormal fan detection for smu 13.0.0 Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/sdma4: set align mask to 255 Evan Quan <evan.quan(a)amd.com> drm/amd/pm: revise the ASPM settings for thunderbolt attached scenario Jiadong Zhu <Jiadong.Zhu(a)amd.com> drm/amdgpu: Skip mark offset for high priority rings Christian König <christian.koenig(a)amd.com> drm/amdgpu: make sure that BOs have a backing store Christian König <christian.koenig(a)amd.com> drm/amdgpu: make sure BOs are locked in amdgpu_vm_get_memory WANG Xuerui <git(a)xen0n.name> LoongArch: Include KBUILD_CPPFLAGS in CHECKFLAGS invocation Zhihao Cheng <chengzhihao1(a)huawei.com> ovl: fix null pointer dereference in ovl_get_acl_rcu() Zhihao Cheng <chengzhihao1(a)huawei.com> ovl: let helper ovl_i_path_real() return the realinode Zhihao Cheng <chengzhihao1(a)huawei.com> ovl: fix null pointer dereference in ovl_permission() Masahiro Yamada <masahiroy(a)kernel.org> kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS Nathan Chancellor <nathan(a)kernel.org> kbuild: Add KBUILD_CPPFLAGS to as-option invocation Nathan Chancellor <nathan(a)kernel.org> kbuild: Add CLANG_FLAGS to as-instr Nathan Chancellor <nathan(a)kernel.org> powerpc/vdso: Include CLANG_FLAGS explicitly in ldflags-y Nathan Chancellor <nathan(a)kernel.org> mips: Include KBUILD_CPPFLAGS in CHECKFLAGS invocation Arnd Bergmann <arnd(a)arndb.de> Input: ads7846 - fix pointer cast warning Jan Kara <jack(a)suse.cz> fs: no need to check source Yu Kuai <yukuai3(a)huawei.com> md/raid1-10: fix casting from randomized structure in raid1_submit_write() Linus Walleij <linus.walleij(a)linaro.org> Input: ads7846 - Fix usage of match data Yu Kuai <yukuai3(a)huawei.com> blktrace: use inline function for blk_trace_remove() while blktrace is disabled Christian Marangi <ansuelsmth(a)gmail.com> leds: trigger: netdev: Recheck NETDEV_LED_MODE_LINKUP on dev rename Arnd Bergmann <arnd(a)arndb.de> ARM: orion5x: fix d2net gpio initialization Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: qcom: ipq4019: fix broken NAND controller properties override Linus Walleij <linus.walleij(a)linaro.org> ARM: dts: qcom: msm8660: Fix regulator node names Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> regulator: tps65219: Fix matching interrupts for their regulators Ricardo Ribalda Delgado <ribalda(a)chromium.org> ASoC: mediatek: mt8173: Fix snd_soc_component_initialize error path Ricardo Ribalda Delgado <ribalda(a)chromium.org> ASoC: mediatek: mt8173: Fix irq error path Filipe Manana <fdmanana(a)suse.com> btrfs: do not BUG_ON() on tree mod log failure at __btrfs_cow_block() Filipe Manana <fdmanana(a)suse.com> btrfs: fix extent buffer leak after tree mod log failure at split_node() Filipe Manana <fdmanana(a)suse.com> btrfs: add missing error handling when logging operation while COWing extent buffer Filipe Manana <fdmanana(a)suse.com> btrfs: fix race when deleting quota root from the dirty cow roots list Naohiro Aota <naota(a)elisp.net> btrfs: move out now unused BG from the reclaim list Naohiro Aota <naota(a)elisp.net> btrfs: reinsert BGs failed to reclaim David Sterba <dsterba(a)suse.com> btrfs: add block-group tree to lockdep classes Naohiro Aota <naota(a)elisp.net> btrfs: bail out reclaim process if filesystem is read-only Naohiro Aota <naota(a)elisp.net> btrfs: delete unused BGs while reclaiming BGs Boris Burkov <boris(a)bur.io> btrfs: warn on invalid slot in tree mod log rewind Boris Burkov <boris(a)bur.io> btrfs: insert tree mod log move in push_node_left Christoph Hellwig <hch(a)lst.de> btrfs: fix dirty_metadata_bytes for redirtied buffers Matt Corallo <blnxfsl(a)bluematt.me> btrfs: add handling for RAID1C23/DUP to btrfs_reduce_alloc_profile Abhijeet Rastogi <abhijeet.1989(a)gmail.com> ipvs: increase ip_vs_conn_tab_bits range for 64BIT Mario Limonciello <mario.limonciello(a)amd.com> usb: typec: ucsi: Mark dGPUs as DEVICE scope Jan Kara <jack(a)suse.cz> fs: Lock moved directories Jan Kara <jack(a)suse.cz> fs: Establish locking order for unrelated directories Jan Kara <jack(a)suse.cz> Revert "udf: Protect rename against modification of moved directory" Jan Kara <jack(a)suse.cz> Revert "f2fs: fix potential corruption when moving a directory" Jan Kara <jack(a)suse.cz> ext4: Remove ext4 locking of moved directory Thomas Weißschuh <linux(a)weissschuh.net> fs: avoid empty option when generating legacy mount string Fabian Frederick <fabf(a)skynet.be> jffs2: reduce stack usage in jffs2_build_xattr_subsystem() Christian Brauner <brauner(a)kernel.org> nfsd: use vfs setgid helper Roberto Sassu <roberto.sassu(a)huawei.com> shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs Ryan Roberts <ryan.roberts(a)arm.com> mm/damon/ops-common: atomically test and clear young on ptes and pmds Arnd Bergmann <arnd(a)arndb.de> autofs: use flexible array in ioctl structure Tianjia Zhang <tianjia.zhang(a)linux.alibaba.com> integrity: Fix possible multiple allocation in integrity_inode_get() Kees Cook <keescook(a)chromium.org> um: Use HOST_DIR for mrproper Siddh Raman Pant <code(a)siddh.me> watch_queue: prevent dangling pipe pointer Zheng Wang <zyytlz.wz(a)163.com> bcache: Fix __bch_btree_node_alloc to make the failure behavior consistent Zheng Wang <zyytlz.wz(a)163.com> bcache: Remove unnecessary NULL point check in node allocations Mingzhe Zou <mingzhe.zou(a)easystack.cn> bcache: fixup btree_cache_wait list damage Quan Zhou <quan.zhou(a)mediatek.com> wifi: mt76: mt7921e: fix init command fail with enabled device Felix Fietkau <nbd(a)nbd.name> wifi: cfg80211: fix receiving mesh packets without RFC1042 header Alexander Wetzel <alexander(a)wetzel-home.de> wifi: ath10k: Serialize wake_tx_queue ops Johannes Berg <johannes.berg(a)intel.com> wifi: cfg80211: fix regulatory disconnect for non-MLO Chevron Li <chevron.li(a)bayhubtech.com> mmc: sdhci: fix DMA configure compatibility issue when 64bit DMA mode is used. Ulf Hansson <ulf.hansson(a)linaro.org> mmc: mmci: Set PROBE_PREFER_ASYNCHRONOUS Robert Marko <robimarko(a)gmail.com> mmc: core: disable TRIM on Micron MTFC4GACAJCN-1M Robert Marko <robimarko(a)gmail.com> mmc: core: disable TRIM on Kingston EMMC04G-M627 Yu Zhao <yuzhao(a)google.com> mm/mglru: make memcg_lru->lock irq safe Jens Axboe <axboe(a)kernel.dk> io_uring: wait interruptibly for request completions on exit Jianmin Lv <lvjianmin(a)loongson.cn> irqchip/loongson-pch-pic: Fix initialization of HT vector register Dai Ngo <dai.ngo(a)oracle.com> NFSD: add encoding of op_recall flag for write delegation Liu Peibao <liupeibao(a)loongson.cn> irqchip/loongson-pch-pic: Fix potential incorrect hwirq assignment Jeff Layton <jlayton(a)kernel.org> nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net Jianmin Lv <lvjianmin(a)loongson.cn> irqchip/loongson-liointc: Fix IRQ trigger polarity Mark Brown <broonie(a)kernel.org> arm64/signal: Restore TPIDR2 register rather than memory state Daniel Miess <daniel.miess(a)amd.com> Revert "drm/amd/display: Move DCN314 DOMAIN power control to DMCUB" Geert Uytterhoeven <geert+renesas(a)glider.be> lib: dhry: fix sleeping allocations inside non-preemptable section Matthew Wilcox (Oracle) <willy(a)infradead.org> writeback: account the number of pages written back Robert Hancock <robert.hancock(a)calian.com> i2c: xiic: Don't try to handle more interrupt events after error John Johansen <john.johansen(a)canonical.com> apparmor: fix profile verification and enable it John Johansen <john.johansen(a)canonical.com> apparmor: fix policy_compat permission remap with extended permissions John Johansen <john.johansen(a)canonical.com> apparmor: add missing failure check in compute_xmatch_perms Danila Chernetsov <listdansp(a)mail.ru> apparmor: fix missing error check for rhashtable_insert_fast Artur Rojek <contact(a)artur-rojek.eu> sh: dma: Fix DMA channel offset calculation Marc Zyngier <maz(a)kernel.org> risc-v: Fix order of IPI enablement vs RCU startup Thorsten Winkler <twinkler(a)linux.ibm.com> s390/qeth: Fix vipa deletion David Howells <dhowells(a)redhat.com> afs: Fix accidental truncation when storing data Hariprasad Kelam <hkelam(a)marvell.com> octeontx-af: fix hardware timestamp configuration Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: always enable the send_meta options Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: tag_sja1105: fix MAC DA patching from meta frames Guillaume Nault <gnault(a)redhat.com> pptp: Fix fib lookup calls. Woody Zhang <woodylab(a)foxmail.com> riscv: move memblock_allow_resize() after linear mapping is ready Amir Goldstein <amir73il(a)gmail.com> fanotify: disallow mount/sb marks on kernel internal pseudo fs Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/psr: Fix BDW PSR AUX CH data register offsets Lin Ma <linma(a)zju.edu.cn> net/sched: act_pedit: Add size check for TCA_PEDIT_PARMS_EX Ilya Maximets <i.maximets(a)ovn.org> xsk: Honor SO_BINDTODEVICE on bind SeongJae Park <sj(a)kernel.org> bpf, btf: Warn but return no error for NULL btf from __register_btf_kfunc_id_set() Maxime Coquelin <maxime.coquelin(a)redhat.com> vduse: fix NULL pointer dereference Eric Dumazet <edumazet(a)google.com> tcp: annotate data races in __tcp_oow_rate_limited() Eric Dumazet <edumazet(a)google.com> net: fix net_dev_start_xmit trace event vs skb_transport_offset() Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: tag_sja1105: fix source port decoding in vlan_filtering=0 bridge mode Vladimir Oltean <vladimir.oltean(a)nxp.com> net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode Pali Rohár <pali(a)kernel.org> powerpc: dts: turris1x.dts: Fix PCIe MEM size for pci2 node Randy Dunlap <rdunlap(a)infradead.org> powerpc: allow PPC_EARLY_DEBUG_CPM only when SERIAL_CPM=y Zeng Heng <zengheng4(a)huawei.com> ntfs: Fix panic about slab-out-of-bounds caused by ntfs_listxattr() Hariprasad Kelam <hkelam(a)marvell.com> octeontx2-af: Reset MAC features in FLR Hariprasad Kelam <hkelam(a)marvell.com> octeontx2-af: Add validation before accessing cgx and lmac Hariprasad Kelam <hkelam(a)marvell.com> octeontx2-af: Fix mapping for NIX block from CGX connection Hariprasad Kelam <hkelam(a)marvell.com> octeontx2-af: cn10kb: fix interrupt csr addresses Chao Yu <chao(a)kernel.org> f2fs: fix error path handling in truncate_dnode() Nishanth Menon <nm(a)ti.com> mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0 Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Don't try to enable secure display TA multiple times Christian König <christian.koenig(a)amd.com> drm/amdgpu: fix number of fence calculations Jonas Gorski <jonas.gorski(a)gmail.com> spi: bcm-qspi: return error if neither hif_mspi nor mspi is available Zhengchao Shao <shaozhengchao(a)huawei.com> mlxsw: minimal: fix potential memory leak in mlxsw_m_linecards_init Pawel Dembicki <paweldembicki(a)gmail.com> net: dsa: vsc73xx: fix MTU configuration Nick Child <nnac123(a)linux.ibm.com> ibmvnic: Do not reset dql stats on NON_FATAL err Martin Habets <habetsm.xilinx(a)gmail.com> sfc: support for devlink port requires MAE access Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: MGMT: Fix marking SCAN_RSP as not connectable Pauli Virtanen <pav(a)iki.fi> Bluetooth: ISO: use hci_sync for setting CIG parameters Johan Hovold <johan+linaro(a)kernel.org> Bluetooth: fix invalid-bdaddr quirk for non-persistent setup Tobias Heider <me(a)tobhe.de> Add MODULE_FIRMWARE() for FIRMWARE_TG357766. Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: tag_sja1105: always prefer source port information from INCL_SRCPT Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: always enable the INCL_SRCPT option Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: felix: don't drop PTP frames with tag_8021q when RX timestamping is disabled Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: don't keep PTP configuration of all ports in single structure Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: don't report that RX timestamping is enabled by default Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> spi: spi-geni-qcom: enable SPI_CONTROLLER_MUST_TX for GPI DMA mode Florian Westphal <fw(a)strlen.de> net/sched: act_ipt: zero skb->cb before calling target Florian Westphal <fw(a)strlen.de> net/sched: act_ipt: add sanity checks on skb before calling target Florian Westphal <fw(a)strlen.de> net/sched: act_ipt: add sanity checks on table name and hook locations Chengfeng Ye <dg573847474(a)gmail.com> sctp: fix potential deadlock on &net->sctp.addr_wq_lock Randy Dunlap <rdunlap(a)infradead.org> media: cec: i2c: ch7322: also select REGMAP Arnd Bergmann <arnd(a)arndb.de> media: tc358746: select CONFIG_GENERIC_PHY Peng Fan <peng.fan(a)nxp.com> tools/virtio: fix build break for aarch64 Dragos Tatulea <dtatulea(a)nvidia.com> virtio-vdpa: Fix unchecked call to NULL set_vq_affinity Chao Yu <chao(a)kernel.org> f2fs: check return value of freeze_super() Vinay Belgaumkar <vinay.belgaumkar(a)intel.com> drm/i915/guc/slpc: Apply min softlimit correctly Jouni Högander <jouni.hogander(a)intel.com> drm/i915/psr: Use hw.adjusted mode when calculating io/fast wake times Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> rtc: st-lpc: Release some resources in st_rtc_probe() in case of error Jinke Han <hanjinke.666(a)bytedance.com> blk-throttle: Fix io statistics for cgroup v1 Ian Rogers <irogers(a)google.com> perf bpf: Move the declaration of struct rq Li Nan <linan122(a)huawei.com> md/raid10: fix the condition to call bio_end_io_acct() Shuijing Li <shuijing.li(a)mediatek.com> pwm: mtk_disp: Fix the disable flow of disp_pwm Dan Carpenter <dan.carpenter(a)linaro.org> pwm: ab8500: Fix error code in probe() Marek Vasut <marex(a)denx.de> pwm: sysfs: Do not apply state to already disabled PWMs Fancy Fang <chen.fang(a)nxp.com> pwm: imx-tpm: force 'real_period' to be zero in suspend Yury Norov <yury.norov(a)gmail.com> lib/bitmap: drop optimization of bitmap_{from,to}_arr64 Claudiu Beznea <claudiu.beznea(a)microchip.com> phy: tegra: xusb: check return value of devm_kzalloc() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> mfd: stmpe: Only disable the regulators if they are enabled Neil Armstrong <neil.armstrong(a)linaro.org> phy: qcom: qmp-combo: fix Display Port PHY configuration for SM8550 Yicong Yang <yangyicong(a)hisilicon.com> hwtracing: hisi_ptt: Fix potential sleep in atomic context Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> clk: qcom: mmcc-msm8974: fix MDSS_GDSC power flags Claudiu Beznea <claudiu.beznea(a)microchip.com> misc: fastrpc: check return value of devm_kasprintf() Daniel Golle <daniel(a)makrotopia.org> cpufreq: mediatek: correct voltages for MT7622 and MT7623 Christian Borntraeger <borntraeger(a)linux.ibm.com> KVM: s390/diag: fix racy access of physical cpu number in diag 9c handler Pierre Morel <pmorel(a)linux.ibm.com> KVM: s390: vsie: fix the length of APCB bitmap Amelie Delaunay <amelie.delaunay(a)foss.st.com> mfd: stmfx: Nullify stmfx->vdd in case of error Amelie Delaunay <amelie.delaunay(a)foss.st.com> mfd: stmfx: Fix error path in stmfx_chip_init Laurentiu Tudor <laurentiu.tudor(a)nxp.com> bus: fsl-mc: don't assume child devices are all fsl-mc devices Phil Elwell <phil(a)raspberrypi.com> nvmem: rmem: Use NVMEM_DEVID_AUTO Mirsad Goran Todorovac <mirsad.todorovac(a)alu.unizg.hr> test_firmware: return ENOMEM instead of ENOSPC on failed memory allocation Alexander Stein <alexander.stein(a)ew.tq-group.com> nvmem: imx-ocotp: Reverse MAC addresses on all i.MX derivates Yi Yingao <m202271736(a)hust.edu.cn> nvmem: sunplus-ocotp: release otp->clk before return Nipun Gupta <nipun.gupta(a)amd.com> cdx: fix driver managed dma support Matti Vaittinen <mazziesaccount(a)gmail.com> drivers: fwnode: fix fwnode_irq_get[_byname]() Tony Lindgren <tony(a)atomide.com> serial: 8250_omap: Use force_suspend and resume for system suspend Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "usb: common: usb-conn-gpio: Set last role to unknown before initial detection" Jiasheng Jiang <jiasheng(a)iscas.ac.cn> mfd: intel-lpss: Add missing check for platform_get_resource Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> mfd: wcd934x: Fix an error handling path in wcd934x_slim_probe() Daniel Bristot de Oliveira <bristot(a)kernel.org> rtla/hwnoise: Reduce runtime to 75% Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> usb: dwc3-meson-g12a: Fix an error handling path in dwc3_meson_g12a_probe() Prashanth K <quic_prashk(a)quicinc.com> usb: common: usb-conn-gpio: Set last role to unknown before initial detection Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> usb: dwc3: qcom: Fix an error handling path in dwc3_qcom_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> usb: dwc3: qcom: Release the correct resources in dwc3_qcom_remove() Nico Boehr <nrb(a)linux.ibm.com> KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes Chao Yu <chao(a)kernel.org> f2fs: flush error flags in workqueue Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: fix the wrong condition to determine atomic context Chao Yu <chao(a)kernel.org> f2fs: support errors=remount-ro|continue|panic mountoption Chao Yu <chao(a)kernel.org> f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io() Chao Yu <chao(a)kernel.org> f2fs: fix potential deadlock due to unpaired node_write lock use Bob Peterson <rpeterso(a)redhat.com> gfs2: Fix duplicate should_fault_in_pages() call Sergey Shtylyov <s.shtylyov(a)omp.ru> sh: Avoid using IRQ0 on SH3 and SH4 Hans de Goede <hdegoede(a)redhat.com> media: atomisp: ov2680: Stop using half pixelclock for binned modes Dan Carpenter <dan.carpenter(a)linaro.org> media: atomisp: gmin_platform: fix out_len in gmin_get_config_dsm_var() Hans de Goede <hdegoede(a)redhat.com> media: atomisp: gc0310: Fix double free in gc0310_remove() Rikard Falkeborn <rikard.falkeborn(a)gmail.com> media: venus: helpers: Fix ALIGN() of non power of two Stephan Gerhold <stephan(a)gerhold.net> mfd: rt5033: Drop rt5033-battery sub-device ChiYuan Huang <cy_huang(a)richtek.com> power: supply: rt9467: Make charger-enable control as logic level Mike Leach <mike.leach(a)linaro.org> coresight: etm4x: Fix missing trctraceidr file in sysfs James Clark <james.clark(a)arm.com> coresight: Fix loss of connection info when a module is unloaded Clark Wang <xiaoning.wang(a)nxp.com> i3c: master: svc: fix cpu schedule in spin lock Yue Zhao <findns94(a)gmail.com> lkdtm: replace ll_rw_block with submit_bh Muchun Song <muchun.song(a)linux.dev> kernfs: fix missing kernfs_idr_lock to remove an ID from the IDR John Ogness <john.ogness(a)linutronix.de> serial: 8250: lock port for UART_IER access in omap8250_irq() John Ogness <john.ogness(a)linutronix.de> serial: core: lock port for start_rx() in uart_resume_port() John Ogness <john.ogness(a)linutronix.de> serial: 8250: lock port for stop_rx() in omap8250_irq() John Ogness <john.ogness(a)linutronix.de> serial: core: lock port for stop_rx() in uart_suspend_port() Bhupesh Sharma <bhupesh.sharma(a)linaro.org> usb: misc: eud: Fix eud sysfs path (use 'qcom_eud') Arnd Bergmann <arnd(a)arndb.de> usb: hide unused usbfs_notify_suspend/resume functions Li Yang <lidaxian(a)hust.edu.cn> usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe() Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> extcon: Fix kernel doc of property capability fields to avoid warnings Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> extcon: Fix kernel doc of property fields to avoid warnings Prashanth K <quic_prashk(a)quicinc.com> usb: gadget: u_serial: Add null pointer check in gserial_suspend Vladislav Efanov <VEfanov(a)ispras.ru> usb: dwc3: qcom: Fix potential memory leak Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soundwire: debugfs: fix unbalanced pm_runtime_put() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soundwire: qcom: fix unbalanced pm_runtime_put() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soundwire: qcom: use consistently 'ctrl' as state variable name Arnd Bergmann <arnd(a)arndb.de> staging: vchiq_arm: mark vchiq_platform_init() static Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> clk: qcom: mmcc-msm8974: use clk_rcg2_shared_ops for mdp_clk_src clock Kathiravan T <quic_kathirav(a)quicinc.com> clk: qcom: ipq5332: fix the order of SLEEP_CLK and XO clock Kathiravan T <quic_kathirav(a)quicinc.com> clk: qcom: ipq5332: fix the src parameter in ftbl_gcc_apss_axi_clk_src Konrad Dybcio <konrad.dybcio(a)linaro.org> clk: qcom: dispcc-qcm2290: Fix GPLL0_OUT_DIV handling Konrad Dybcio <konrad.dybcio(a)linaro.org> clk: qcom: dispcc-qcm2290: Fix BI_TCXO_AO handling Robert Marko <robimarko(a)gmail.com> clk: qcom: ipq6018: fix networking resets Yunfei Dong <yunfei.dong(a)mediatek.com> media: mediatek: vcodec: using decoder status instead of core work count Martin Kepplinger <martink(a)posteo.de> media: hi846: fix usage of pm_runtime_get_if_in_use() Geert Uytterhoeven <geert+renesas(a)glider.be> media: renesas: fdp1: Identify R-Car Gen2 versions Daniel Scally <dan.scally(a)ideasonboard.com> media: i2c: Correct format propagation for st-mipid02 Dan Carpenter <error27(a)gmail.com> media: i2c: imx296: fix error checking in imx296_read_temperature() Duoming Zhou <duoming(a)zju.edu.cn> media: usb: siano: Fix warning due to null work_func_t function pointer Marek Vasut <marex(a)denx.de> media: videodev2.h: Fix struct v4l2_input tuner index comment Ming Qian <ming.qian(a)nxp.com> media: amphion: initiate a drain of the capture queue in dynamic resolution change Daniel Lundberg Pedersen <dlp(a)qtec.com> media: videodev2.h: Fix p_s32 and p_s64 pointer types Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> media: common: saa7146: Avoid a leak in vmalloc_to_sg() Ming Qian <ming.qian(a)nxp.com> media: amphion: drop repeated codec data for vc1g format Ming Qian <ming.qian(a)nxp.com> media: amphion: drop repeated codec data for vc1l format Daniil Dulov <d.dulov(a)aladdin.ru> media: usb: Check az6007_read() return value Konrad Dybcio <konrad.dybcio(a)linaro.org> clk: qcom: gcc-qcm2290: Mark RCGs shared where applicable Mantas Pucka <mantas(a)8devices.com> clk: qcom: gcc-ipq6018: Use floor ops for sdcc clocks Taniya Das <quic_tdas(a)quicinc.com> clk: qcom: camcc-sc7180: Add parent dependency to all camera GDSCs Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> clk: qcom: mmcc-msm8974: remove oxili_ocmemgx_clk Kathiravan T <quic_kathirav(a)quicinc.com> clk: qcom: gcc: ipq5332: Use floor ops for SDCC clocks Konrad Dybcio <konrad.dybcio(a)linaro.org> interconnect: qcom: rpm: Don't use clk_get_optional for bus clocks anymore Konrad Dybcio <konrad.dybcio(a)linaro.org> interconnect: qcom: rpm: Rename icc provider num_clocks to num_bus_clocks Tony Lindgren <tony(a)atomide.com> serial: 8250: omap: Fix freeing of resources on failed register Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> usb: dwc2: Fix some error handling paths Basavaraj Natikar <Basavaraj.Natikar(a)amd.com> xhci: Improve the XHCI system resume time Basavaraj Natikar <Basavaraj.Natikar(a)amd.com> USB: Extend pci resume function to handle PM events Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> cpufreq: tegra194: Fix an error handling path in tegra194_cpufreq_probe() John Paul Adrian Glaubitz <glaubitz(a)physik.fu-berlin.de> sh: j2: Use ioremap() to translate device tree address into kernel memory Yangtao Li <frank.li(a)vivo.com> f2fs: do not allow to defragment files have FI_COMPRESS_RELEASED Konrad Dybcio <konrad.dybcio(a)linaro.org> dt-bindings: power: reset: qcom-pon: Only allow reboot-mode pre-pmk8350 Dan Carpenter <error27(a)gmail.com> w1: fix loop in w1_fini() Stefan Wahren <stefan.wahren(a)i2se.com> w1: w1_therm: fix locking behavior in convert_t Thomas Gleixner <tglx(a)linutronix.de> x86/efi: Make efi_set_virtual_address_map IBT safe Will Deacon <will(a)kernel.org> arm64: sme: Use STR P to clear FFR context field in streaming SVE mode Arnd Bergmann <arnd(a)arndb.de> ksmbd: avoid field overflow warning Paulo Alcantara <pc(a)manguebit.com> smb: client: fix shared DFS root mounts with different prefixes Paulo Alcantara <pc(a)manguebit.com> smb: client: fix broken file attrs with nodfs mounts Shyam Prasad N <sprasad(a)microsoft.com> cifs: do all necessary checks for credits within or before locking Shyam Prasad N <sprasad(a)microsoft.com> cifs: prevent use-after-free by freeing the cfile later Ard Biesheuvel <ardb(a)kernel.org> efi/libstub: Disable PCI DMA before grabbing the EFI memory map Masahiro Yamada <masahiroy(a)kernel.org> kbuild: deb-pkg: remove the CONFIG_MODULES check in buildeb Josh Triplett <josh(a)joshtriplett.org> kbuild: builddeb: always make modules_install, to install modules.builtin* Vishal Verma <vishal.l.verma(a)intel.com> tools/testing/cxl: Fix command effects for inject/clear poison Dan Williams <dan.j.williams(a)intel.com> cxl/region: Fix state transitions after reset failure Dan Williams <dan.j.williams(a)intel.com> cxl/region: Flag partially torn down regions as unusable Dan Williams <dan.j.williams(a)intel.com> cxl/region: Move cache invalidation before region teardown, and before setup Sami Tolvanen <samitolvanen(a)google.com> kbuild: Disable GCOV for *.mod.o Sami Tolvanen <samitolvanen(a)google.com> kbuild: Fix CFI failures with GCOV Ding Hui <dinghui(a)sangfor.com.cn> SUNRPC: Fix UAF in svc_tcp_listen_data_ready() Filipe Manana <fdmanana(a)suse.com> btrfs: do not BUG_ON() on tree mod log failure at balance_level() Filipe Manana <fdmanana(a)suse.com> btrfs: fix race when deleting free space root from the dirty cow roots list Christian Loehle <CLoehle(a)hyperstone.com> mmc: block: ioctl: do write error check for spi Demi Marie Obenour <demi(a)invisiblethingslab.com> block: increment diskseq on all media change events Michael Schmitz <schmitzmic(a)gmail.com> block: change all __u32 annotations to __be32 in affs_hardblocks.h Michael Schmitz <schmitzmic(a)gmail.com> block: add overflow checks for Amiga partition support Michael Schmitz <schmitzmic(a)gmail.com> block: fix signed int overflow in Amiga partition support John Johansen <john.johansen(a)canonical.com> apparmor: fix: kzalloc perms tables for shared dfas Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Fix potential data race at PCM memory allocation helpers Takashi Iwai <tiwai(a)suse.de> ALSA: jack: Fix mutex call in snd_jack_report() Werner Sembach <wse(a)tuxedocomputers.com> ALSA: hda/realtek: Add quirk for Clevo NPx0SNx Andy Chi <andy.chi(a)canonical.com> ALSA: hda/realtek: Enable mute/micmute LEDs and limit mic boost on EliteBook Martin Kaiser <martin(a)kaiser.cx> hwrng: st - keep clock enabled while hwrng is registered Tarun Sahu <tsahu(a)linux.ibm.com> dax/kmem: Pass valid argument to memory_group_register_static Dan Williams <dan.j.williams(a)intel.com> dax: Introduce alloc_dev_dax_id() Dan Williams <dan.j.williams(a)intel.com> dax: Fix dax_mapping_release() use after free Bharath SM <bharathsm(a)microsoft.com> SMB3: Do not send lease break acknowledgment if all file handles have been closed Olga Kornievskaia <kolga(a)netapp.com> NFSv4.1: freeze the session table upon receiving NFS4ERR_BADSESSION Qi Zheng <zhengqi.arch(a)bytedance.com> NFSv4.2: fix wrong shrinker_id Hareshx Sankar Raj <hareshx.sankar.raj(a)intel.com> crypto: qat - unmap buffers before free for RSA Hareshx Sankar Raj <hareshx.sankar.raj(a)intel.com> crypto: qat - unmap buffer before free for DH Masahiro Yamada <masahiroy(a)kernel.org> ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard Dan Carpenter <dan.carpenter(a)linaro.org> modpost: fix off by one in is_executable_section() Pierre-Clément Tosi <ptosi(a)google.com> scripts/mksysmap: Fix badly escaped '$' Bhupesh Sharma <bhupesh.sharma(a)linaro.org> dt-bindings: qcom-qce: Fix compatible combinations for SM8150 and IPQ4019 SoCs Stephan Müller <smueller(a)chronox.de> crypto: jitter - correct health test during initialization Arnd Bergmann <arnd(a)arndb.de> crypto: marvell/cesa - Fix type mismatch warning Masahiro Yamada <masahiroy(a)kernel.org> modpost: fix section mismatch message for R_ARM_{PC24,CALL,JUMP24} Masahiro Yamada <masahiroy(a)kernel.org> modpost: fix section mismatch message for R_ARM_ABS32 Randy Dunlap <rdunlap(a)infradead.org> crypto: nx - fix build warnings when DEBUG_FS is not enabled Masahiro Yamada <masahiroy(a)kernel.org> modpost: remove broken calculation of exception_table_entry size Herbert Xu <herbert(a)gondor.apana.org.au> hwrng: virtio - Fix race on data_avail and actual data Eric Farman <farman(a)linux.ibm.com> vfio/mdev: Move the compat_class initialization to module init Xinghui Li <korantli(a)tencent.com> PCI: vmd: Fix uninitialized variable usage in vmd_enable_domain() Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> PCI: endpoint: functions/pci-epf-test: Fix dma_chan direction Shunsuke Mie <mie(a)igel.co.jp> PCI: endpoint: Fix a Kconfig prompt of vNTB driver Song Shuai <songshuaishuai(a)tinylab.org> riscv: hibernate: remove WARN_ON in save_processor_state Namhyung Kim <namhyung(a)kernel.org> perf test: Set PERF_EXEC_PATH for script execution Aneesh Kumar K.V <aneesh.kumar(a)linux.ibm.com> powerpc/mm/dax: Fix the condition when checking if altmap vmemap can cross-boundary Aneesh Kumar K.V <aneesh.kumar(a)linux.ibm.com> powerpc/book3s64/mm: Fix DirectMap stats in /proc/meminfo Tiezhu Yang <yangtiezhu(a)loongson.cn> riscv: uprobes: Restore thread.bad_cause Xi Pardee <xi.pardee(a)intel.com> platform/x86:intel/pmc: Update maps for Meteor Lake P/M platforms Manivannan Sadhasivam <mani(a)kernel.org> PCI: qcom: Disable write access to read only registers for IP v2.9.0 Manivannan Sadhasivam <mani(a)kernel.org> PCI: qcom: Use DWC helpers for modifying the read-only DBI registers Song Shuai <songshuaishuai(a)tinylab.org> riscv: hibernation: Remove duplicate call of suspend_restore_csrs Aditya Gupta <adityag(a)linux.ibm.com> powerpc: update ppc_save_regs to save current r1 in pt_regs Colin Ian King <colin.i.king(a)gmail.com> powerpc/powernv/sriov: perform null check on iov before dereferencing iov Stanley Chu <stanley.chu(a)mediatek.com> scsi: ufs: core: mcq: Fix the incorrect OCS value for the device command Bart Van Assche <bvanassche(a)acm.org> scsi: ufs: core: Remove a ufshcd_add_command_trace() call Namhyung Kim <namhyung(a)kernel.org> perf stat: Reset aggr stats for each run Claudiu Beznea <claudiu.beznea(a)microchip.com> pinctrl: at91-pio4: check return value of devm_kasprintf() Claudiu Beznea <claudiu.beznea(a)microchip.com> pinctrl: microchip-sgpio: check return value of devm_kasprintf() Xiaolei Wang <xiaolei.wang(a)windriver.com> pinctrl: freescale: Fix a memory out of bounds when num_configs is 1 Nicholas Piggin <npiggin(a)gmail.com> powerpc/64s: Fix VAS mm use after free Ian Rogers <irogers(a)google.com> perf tool x86: Fix perf_env memory leak Ravi Bangoria <ravi.bangoria(a)amd.com> perf tool x86: Consolidate is_amd check into single function Michal Wilczynski <michal.wilczynski(a)intel.com> platform/x86/dell/dell-rbtn: Fix resources leaking on error path Aditya Gupta <adityag(a)linux.ibm.com> perf tests task_analyzer: Skip tests if no libtraceevent support Aditya Gupta <adityag(a)linux.ibm.com> perf tests task_analyzer: Fix bad substitution ${$1} Kan Liang <kan.liang(a)linux.intel.com> perf metric: Fix no group check Namhyung Kim <namhyung(a)kernel.org> perf dwarf-aux: Fix off-by-one in die_get_varname() David E. Box <david.e.box(a)linux.intel.com> platform/x86/intel/pmc/mtl: Put devices in D3 during resume David E. Box <david.e.box(a)linux.intel.com> platform/x86/intel/pmc: Add resume callback Mark Pearson <mpearson-lenovo(a)squebb.ca> platform/x86: thinkpad_acpi: Fix lkp-tests warnings for platform profiles Arnaldo Carvalho de Melo <acme(a)redhat.com> perf script: Fix allocation of evsel->priv related to per-event dump files Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/signal32: Force inlining of __unsafe_save_user_regs() and save_tm_user_regs_unsafe() Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/interrupt: Don't read MSR from interrupt_exit_kernel_prepare() Christophe Leroy <christophe.leroy(a)csgroup.eu> kcsan: Don't expect 64 bits atomic builtins from 32 bits architectures Jiasheng Jiang <jiasheng(a)iscas.ac.cn> pinctrl: npcm7xx: Add missing check for ioremap Wells Lu <wellslutw(a)gmail.com> pinctrl:sunplus: Add check for kmalloc Mark Pearson <mpearson-lenovo(a)squebb.ca> platform/x86: think-lmi: Correct NVME password handling Mark Pearson <mpearson-lenovo(a)squebb.ca> platform/x86: think-lmi: Correct System password interface Mark Pearson <mpearson-lenovo(a)squebb.ca> platform/x86: think-lmi: mutex protection around multiple WMI calls Xi Pardee <xi.pardee(a)intel.com> platform/x86:intel/pmc: Remove Meteor Lake S platform support Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> pinctrl: cherryview: Return correct value if pin in push-pull mode Arnaldo Carvalho de Melo <acme(a)redhat.com> perf bench: Add missing setlocale() call to allow usage of %'d style formatting Thierry Reding <treding(a)nvidia.com> pinctrl: tegra: Duplicate pinmux functions table Bart Van Assche <bvanassche(a)acm.org> scsi: ufs: core: Fix handling of lrbp->cmd Bart Van Assche <bvanassche(a)acm.org> scsi: ufs: core: Increase the START STOP UNIT timeout from one to ten seconds Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Revise NPIV ELS unsol rcv cmpl logic to drop ndlp based on nlp_state Sui Jingfeng <suijingfeng(a)loongson.cn> PCI: Add pci_clear_master() stub for non-CONFIG_PCI Bart Van Assche <bvanassche(a)acm.org> scsi: ufs: Declare ufshcd_{hold,release}() once Wells Lu <wellslutw(a)gmail.com> pinctrl: sunplus: Add check for kmalloc Junyan Ye <yejunyan(a)hust.edu.cn> PCI: ftpci100: Release the clock resources Ian Rogers <irogers(a)google.com> perf evsel: Don't let for_each_group() treat the head of the list as one of its nodes Rongguang Wei <weirongguang(a)kylinos.cn> PCI: pciehp: Cancel bringup sequence if card is not present Dan Carpenter <dan.carpenter(a)linaro.org> pinctrl: at91: fix a couple NULL vs IS_ERR() checks Yuchen Yang <u202114568(a)hust.edu.cn> scsi: 3w-xxxx: Add error handling for initialization failure in tw_probe() Ding Hui <dinghui(a)sangfor.com.cn> PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free Hans de Goede <hdegoede(a)redhat.com> platform/x86: lenovo-yogabook: Set default keyboard backligh brightness on probe() Hans de Goede <hdegoede(a)redhat.com> platform/x86: lenovo-yogabook: Reprobe devices on remove() Hans de Goede <hdegoede(a)redhat.com> platform/x86: lenovo-yogabook: Fix work race on remove() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> pinctrl: bcm2835: Handle gpiochip_add_pin_range() errors Jinhong Zhu <jinhongzhu(a)hust.edu.cn> scsi: qedf: Fix NULL dereference in error handling Nirmal Patel <nirmal.patel(a)linux.intel.com> PCI: vmd: Reset VMD config register between soft reboots Siddharth Vadapalli <s-vadapalli(a)ti.com> PCI: cadence: Fix Gen2 Link Retraining process Jason Gunthorpe <jgg(a)ziepe.ca> iommufd: Call iopt_area_contig_done() under the lock Jason Gunthorpe <jgg(a)ziepe.ca> iommufd: Do not access the area pointer after unlocking Syed Saba Kareem <Syed.SabaKareem(a)amd.com> ASoC: amd: acp: clear pdm dma interrupt mask Michael Walle <mwalle(a)kernel.org> ARM: dts: lan966x: kontron-d10: fix SPI CS Michael Walle <mwalle(a)kernel.org> ARM: dts: lan966x: kontron-d10: fix board reset Fei Shao <fshao(a)chromium.org> clk: Fix memory leak in devm_clk_notifier_register() Claudiu Beznea <claudiu.beznea(a)microchip.com> ASoC: imx-audmix: check return value of devm_kasprintf() Amir Goldstein <amir73il(a)gmail.com> ovl: update of dentry revalidate flags after copy up Alexey Romanov <avromanov(a)sberdevices.ru> drivers: meson: secure-pwrc: always enable DMA domain Claudiu Beznea <claudiu.beznea(a)microchip.com> clk: clocking-wizard: check return value of devm_kasprintf() Claudiu Beznea <claudiu.beznea(a)microchip.com> clk: ti: clkctrl: check return value of kasprintf() Claudiu Beznea <claudiu.beznea(a)microchip.com> clk: keystone: sci-clk: check return value of kasprintf() Claudiu Beznea <claudiu.beznea(a)microchip.com> clk: si5341: free unused memory on probe failure Claudiu Beznea <claudiu.beznea(a)microchip.com> clk: si5341: check return value of {devm_}kasprintf() Claudiu Beznea <claudiu.beznea(a)microchip.com> clk: si5341: return error if one synth clock registration fails Claudiu Beznea <claudiu.beznea(a)microchip.com> clk: cdce925: check return value of kasprintf() Claudiu Beznea <claudiu.beznea(a)microchip.com> clk: vc5: check memory returned by kasprintf() AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> clk: mediatek: clk-mt8173-apmixedsys: Fix iomap not released issue AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> clk: mediatek: clk-mt8173-apmixedsys: Fix return value for of_iomap() error AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> clk: mediatek: clk-mtk: Grab iomem pointer for divider clocks Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: correct MERGE_3D length Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: fix sc7280 and sc7180 PINGPONG done interrupts Marijn Suijten <marijn.suijten(a)somainline.org> drm/msm/dpu: Disable pingpong TE on DPU 5.0.0 and above Marijn Suijten <marijn.suijten(a)somainline.org> drm/msm/dpu: Move autorefresh disable from CMD encoder to pingpong Marijn Suijten <marijn.suijten(a)somainline.org> drm/msm/dpu: Drop unused poll_timeout_wr_ptr PINGPONG callback Luben Tuikov <luben.tuikov(a)amd.com> drm/amdgpu: Fix usage of UMC fill record in RAS Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amdgpu: Fix memcpy() in sienna_cichlid_append_powerplay_table function. Daniel Golle <daniel(a)makrotopia.org> arm64: dts: mt7986: increase bl2 partition on NAND of Bananapi R3 Nícolas F. R. A. Prado <nfraprado(a)collabora.com> arm64: dts: mediatek: mt8192: Fix CPUs capacity-dmips-mhz Allen-KH Cheng <allen-kh.cheng(a)mediatek.com> arm64: dts: mediatek: Add cpufreq nodes for MT8192 Bjorn Andersson <quic_bjorande(a)quicinc.com> drm/msm/dp: Free resources after unregistering them Bjorn Andersson <quic_bjorande(a)quicinc.com> drm/msm/dp: Drop aux devices together with DP controller Jessica Zhang <quic_jesszhan(a)quicinc.com> drm/msm/dsi: Remove incorrect references to slice_count Jessica Zhang <quic_jesszhan(a)quicinc.com> drm/msm/dpu: Fix slice_last_group_size calculation Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: do not enable color-management if DSPPs are not available Su Hui <suhui(a)nfschina.com> ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer Nishanth Menon <nm(a)ti.com> arm64: dts: ti: k3-am69-sk: Fix main_i2c0 alias Thejasvi Konduru <t-konduru(a)ti.com> arm64: dts: ti: k3-j784s4: Fix wakeup pinmux range and pinctrl node offsets Nishanth Menon <nm(a)ti.com> arm64: dts: ti: k3-j784s4-evm: Fix main_i2c0 alias Andrew Davis <afd(a)ti.com> arm64: dts: ti: k3-j721e-beagleboneai64: Fix mailbox node status Yuan Can <yuancan(a)huawei.com> clk: tegra: tegra124-emc: Fix potential memory leak Dan Carpenter <dan.carpenter(a)linaro.org> clk: clocking-wizard: Fix Oops in clk_wzrd_register_divider() Dan Carpenter <dan.carpenter(a)linaro.org> clk: bcm: rpi: Fix off by one in raspberrypi_discover_clocks() Abel Vesa <abel.vesa(a)linaro.org> arm64: dts: qcom: sm8550: Add missing interconnect path to USB HC Marijn Suijten <marijn.suijten(a)somainline.org> arm64: dts: qcom: sm8250-edo: Panel framebuffer is 2.5k instead of 4k Konrad Dybcio <konrad.dybcio(a)linaro.org> arm64: dts: qcom: sm8550: Flush RSC sleep & wake votes Konrad Dybcio <konrad.dybcio(a)linaro.org> arm64: dts: qcom: sdm845: Flush RSC sleep & wake votes Konrad Dybcio <konrad.dybcio(a)linaro.org> arm64: dts: qcom: sdm670: Flush RSC sleep & wake votes Konrad Dybcio <konrad.dybcio(a)linaro.org> arm64: dts: qcom: qdu1000: Flush RSC sleep & wake votes Bosi Zhang <u201911157(a)hust.edu.cn> clk: mediatek: fix of_iomap memory leak Yuxing Liu <lyx2022(a)hust.edu.cn> clk: imx: clk-imx8mp: improve error handling in imx8mp_clocks_probe() Zhanhao Hu <zero12113(a)hust.edu.cn> clk: imx93: fix memory leak and missing unwind goto in imx93_clocks_probe Hao Luo <m202171776(a)hust.edu.cn> clk: imx: clk-imx8mn: fix memory leak in imx8mn_clocks_probe Kai Ma <kaima(a)hust.edu.cn> clk: imx: clk-imxrt1050: fix memory leak in imxrt1050_clocks_probe Adam Ford <aford173(a)gmail.com> clk: imx: composite-8m: Add imx8m_divider_determine_rate Kashyap Desai <kashyap.desai(a)broadcom.com> RDMA/bnxt_re: Avoid calling wake_up threads from spin_lock context Kashyap Desai <kashyap.desai(a)broadcom.com> RDMA/bnxt_re: wraparound mbox producer index Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/a5xx: really check for A510 in a5xx_gpu_init Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/a6xx: don't set IO_PGTABLE_QUIRK_ARM_OUTER_WBWA with coherent SMMU Chia-I Wu <olvaffe(a)gmail.com> amdgpu: validate offset_in_bo of drm_amdgpu_gem_va Bob Pearson <rpearsonhpe(a)gmail.com> RDMA/rxe: Fix access checks in rxe_check_bind_mw Geert Uytterhoeven <geert+renesas(a)glider.be> HID: uclogic: Modular KUnit tests should not depend on KUNIT=y Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/radeon: fix possible division-by-zero errors Aurabindo Pillai <aurabindo.pillai(a)amd.com> drm/amd/display: Fix artifacting on eDP panels when engaging freesync video mode Chen-Yu Tsai <wenst(a)chromium.org> soc: mediatek: SVS: Fix MT8192 GPU node name Daniil Dulov <d.dulov(a)aladdin.ru> drm/amdkfd: Fix potential deallocation of previously deallocated memory. Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> drm/amd/display: Fix a test dml32_rq_dlg_get_rq_reg() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> drm/amd/display: Fix a test CalculatePrefetchSchedule() Paul Cercueil <paul(a)crapouillou.net> MIPS: DTS: CI20: Fix ACT8600 regulator node names Maxime Ripard <maxime(a)cerno.tech> clk: Export clk_hw_forward_rate_request() Christian Lamparter <chunkeey(a)gmail.com> ARM: dts: BCM5301X: fix duplex-full => full-duplex Guenter Roeck <linux(a)roeck-us.net> hwmon: (pmbus/adm1275) Fix problems with temperature monitoring on ADM1272 Tim Harvey <tharvey(a)gateworks.com> hwmon: (gsc-hwmon) fix fan pwm temperature scaling Olivier Moysan <olivier.moysan(a)foss.st.com> ARM: dts: stm32: fix i2s endpoint format property for stm32mp15xx-dkx Dan Carpenter <dan.carpenter(a)linaro.org> accel/habanalabs: fix gaudi2_get_tpc_idle_status() return Marek Vasut <marex(a)denx.de> ARM: dts: stm32: Fix audio routing on STM32MP15xx DHCOM PDK2 Chris Morgan <macromorgan(a)hotmail.com> arm64: dts: rockchip: Fix compatible for Bluetooth on rk3566-anbernic Caleb Connolly <caleb.connolly(a)linaro.org> Input: pm8941-powerkey - fix debounce on gen2+ PMICs Keerthy <j-keerthy(a)ti.com> arm64: dts: ti: k3-j7200: Fix physical address of pin Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> arm64: dts: rockchip: Assign ES8316 MCLK rate on rk3588-rock-5b Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915: No 10bit gamma on desktop gen3 parts Matt Roper <matthew.d.roper(a)intel.com> drm/i915/display: Make display responsible for probing its own IP Matt Roper <matthew.d.roper(a)intel.com> drm/i915/display: Move display runtime info to display structure Matt Roper <matthew.d.roper(a)intel.com> drm/i915: Convert INTEL_INFO()->display to a pointer Matt Roper <matthew.d.roper(a)intel.com> drm/i915/display: Move display device info to header under display/ Jani Nikula <jani.nikula(a)intel.com> drm/i915: hide mkwrite_device_info() better Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915: Fix limited range csc matrix Bjorn Andersson <quic_bjorande(a)quicinc.com> dt-bindings: arm-smmu: Fix SC8280XP Adreno binding Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> fbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe() Kuogee Hsieh <quic_khsieh(a)quicinc.com> drm/msm/dpu: always clear every individual pending flush mask Kuogee Hsieh <quic_khsieh(a)quicinc.com> drm/msm/dpu: set DSC flush bit correctly at MDP CTL flush register Wolfram Sang <wsa+renesas(a)sang-engineering.com> arm64: dts: renesas: ulcb-kf: Remove flow control for SCIF1 Geert Uytterhoeven <geert+renesas(a)glider.be> ARM: dts: iwg20d-q7-common: Fix backlight pwm specifier Chengchang Tang <tangchengchang(a)huawei.com> RDMA/hns: Fix hns_roce_table_get return value Brendan Cunningham <bcunningham(a)cornelisnetworks.com> IB/hfi1: Fix wrong mmu_node used for user SDMA packet after invalidate Arnd Bergmann <arnd(a)arndb.de> RDMA/irdma: avoid fortify-string warning in irdma_clr_wqes Randy Dunlap <rdunlap(a)infradead.org> soc/fsl/qe: fix usb.c build errors Martin Blumenstingl <martin.blumenstingl(a)googlemail.com> ARM: dts: meson8: correct uart_B and uart_C clock references Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ASoC: es8316: Do not set rate constraints for unsupported MCLKs Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ASoC: es8316: Increment max value for ALC Capture Target Volume control Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> ARM: dts: qcom: apq8074-dragonboard: Set DMA as remotely controlled Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> memory: brcmstb_dpfe: fix testing array offset after use Marek Vasut <marex(a)denx.de> ARM: dts: stm32: Shorten the AV96 HDMI sound card name Douglas Anderson <dianders(a)chromium.org> arm64: dts: mediatek: mt8195: Add mediatek,broken-save-restore-fw to cherry Douglas Anderson <dianders(a)chromium.org> arm64: dts: mediatek: mt8192: Add mediatek,broken-save-restore-fw to asurada Douglas Anderson <dianders(a)chromium.org> arm64: dts: mediatek: mt8183: Add mediatek,broken-save-restore-fw to kukui Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: apq8096: fix fixed regulator name property Luca Weiss <luca.weiss(a)fairphone.com> arm64: dts: qcom: pm7250b: add missing spmi-vadc include Arnd Bergmann <arnd(a)arndb.de> ARM: omap2: fix missing tick_broadcast() prototype Arnd Bergmann <arnd(a)arndb.de> ARM: ep93xx: fix missing-prototype warnings Dario Binacchi <dario.binacchi(a)amarulasolutions.com> drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H Adam Ford <aford173(a)gmail.com> drm: bridge: samsung-dsim: Fix PMS Calculator on imx8m[mnp] Frieder Schrempf <frieder.schrempf(a)kontron.de> drm/bridge: ti-sn65dsi83: Fix enable/disable flow to meet spec Stephan Gerhold <stephan(a)gerhold.net> arm64: dts: qcom: apq8016-sbc: Fix 1.8V power rail on LS expansion Stephan Gerhold <stephan(a)gerhold.net> arm64: dts: qcom: apq8016-sbc: Fix regulator constraints Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: sdm845-polaris: add missing touchscreen child node reg Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: sm8550: correct pinctrl unit address Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: sm8550: correct crypto unit address Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: sm8350: correct USB phy unit address Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: sm8350: correct PCI phy unit address Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: sm8350: correct DMA controller unit address Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: sm6115: correct thermal-sensor unit address Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: sdm845: correct camss unit address Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: sdm630: correct camss unit address Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: msm8996: correct camss unit address Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: msm8994: correct SPMI unit address Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: msm8976: correct MMC unit address Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: msm8953: correct WCNSS unit address Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: msm8953: correct IOMMU unit address Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: msm8916: correct WCNSS unit address Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: msm8916: correct MMC unit address Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: msm8916: correct camss unit address Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> arm64: dts: qcom: ipq6018: correct qrng unit address Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> arm64: dts: qcom: pm8998: don't use GIC_SPI for SPMI interrupts Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: qcom: msm8974: do not use underscore in node name (again) Linus Walleij <linus.walleij(a)linaro.org> ARM/musb: omap2: Remove global GPIO numbers from TUSB6010 Linus Walleij <linus.walleij(a)linaro.org> ARM: omap2: Rewrite WLAN quirk to use GPIO descriptors Linus Walleij <linus.walleij(a)linaro.org> ARM: omap2: Get USB hub reset GPIO from descriptor Linus Walleij <linus.walleij(a)linaro.org> ARM/gpio: Push OMAP2 quirk down into TWL4030 driver Linus Walleij <linus.walleij(a)linaro.org> ARM: omap1: Exorcise the legacy GPIO header Linus Walleij <linus.walleij(a)linaro.org> ARM: omap1: Make serial wakeup GPIOs use descriptors Linus Walleij <linus.walleij(a)linaro.org> ARM: omap1: Fix up the Nokia 770 board device IRQs Linus Walleij <linus.walleij(a)linaro.org> ARM/mmc: Convert old mmci-omap to GPIO descriptors Linus Walleij <linus.walleij(a)linaro.org> Input: ads7846 - Convert to use software nodes Linus Walleij <linus.walleij(a)linaro.org> ARM: omap1: Remove reliance on GPIO numbers from SX1 Linus Walleij <linus.walleij(a)linaro.org> ARM: omap1: Remove reliance on GPIO numbers from PalmTE Linus Walleij <linus.walleij(a)linaro.org> ARM: omap1: Drop header on AMS Delta Linus Walleij <linus.walleij(a)linaro.org> ARM/mfd/gpio: Fixup TPS65010 regression on OMAP1 OSK1 Nícolas F. R. A. Prado <nfraprado(a)collabora.com> drm/bridge: anx7625: Prevent endless probe loop Bhupesh Sharma <bhupesh.sharma(a)linaro.org> arm64: dts: qcom: qrb4210-rb2: Fix CD gpio for SDHC2 Tony Lindgren <tony(a)atomide.com> ARM: dts: gta04: Move model property out of pinctrl node Biju Das <biju.das.jz(a)bp.renesas.com> clk: renesas: rzg2l: Fix CPG_SIPLL5_CLK1 register write Jean-Philippe Brucker <jean-philippe(a)linaro.org> iommu/virtio: Return size mapped for a detached domain Jean-Philippe Brucker <jean-philippe(a)linaro.org> iommu/virtio: Detach domain on endpoint release Arnd Bergmann <arnd(a)arndb.de> drm/nouveau: dispnv50: fix missing-prototypes warning Konrad Dybcio <konrad.dybcio(a)linaro.org> drm/msm/dpu: Set DPU_DATA_HCTL_EN for in INTF_SC7180_MASK Marijn Suijten <marijn.suijten(a)somainline.org> drm/msm/dpu: Use V4.0 PCC DSPP sub-block in SC7[12]80 Arnaud Vrac <avrac(a)freebox.fr> drm/msm/dpu: fix cursor block register bit offset in msm8998 hw catalog Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dsi: don't allow enabling 14nm VCO with unprogrammed rate Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: enable DSPP_2/3 for LM_2/3 on sm8450 Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Fix to remove an unnecessary log Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Remove a redundant check inside bnxt_re_update_gid Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Use unique names while registering interrupts Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Fix to remove unnecessary return labels Selvin Xavier <selvin.xavier(a)broadcom.com> RDMA/bnxt_re: Disable/kill tasklet only if it is enabled Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> hwmon: (f71882fg) prevent possible division by zero Dan Carpenter <dan.carpenter(a)linaro.org> clk: imx: scu: use _safe list iterator to avoid a use after free Devi Priya <quic_devipriy(a)quicinc.com> arm64: dts: qcom: ipq9574: Update the size of GICC & GICV regions Alexander Stein <alexander.stein(a)ew.tq-group.com> drm/bridge: tc358767: Switch to devm MIPI-DSI helpers Robert Marko <robert.marko(a)sartura.hr> arm64: dts: microchip: sparx5: do not use PSCI on reference boards Tony Lindgren <tony(a)atomide.com> bus: ti-sysc: Fix dispc quirk masking bool variables Marek Vasut <marex(a)denx.de> ARM: dts: stm32: Move ethernet MAC EEPROM from SoM to carrier boards Maíra Canal <mcanal(a)igalia.com> drm/vkms: Fix RGB565 pixel conversion Maíra Canal <mcanal(a)igalia.com> drm: Add fixed-point helper to get rounded integer values Maíra Canal <mcanal(a)igalia.com> drm/vkms: isolate pixel conversion functionality Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: sof_sdw: start set codec init function with an adr index Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: sof_sdw: remove SOF_SDW_TGL_HDMI for MeteorLake devices Trevor Wu <trevor.wu(a)mediatek.com> ASoC: dt-bindings: mediatek,mt8188-afe: correct clock name Dan Carpenter <dan.carpenter(a)linaro.org> driver: soc: xilinx: use _safe loop iterator to avoid a use after free Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/panel: sharp-ls043t1le01: adjust mode settings XuDong Liu <m202071377(a)hust.edu.cn> drm: sun4i_tcon: use devm_clk_get_enabled in `sun4i_tcon_init_clocks` Marek Vasut <marex(a)denx.de> Input: adxl34x - do not hardcode interrupt trigger type Marek Vasut <marek.vasut+renesas(a)mailbox.org> clk: rs9: Fix .driver_data content in i2c_device_id Marek Vasut <marek.vasut+renesas(a)mailbox.org> clk: vc7: Fix .driver_data content in i2c_device_id Marek Vasut <marek.vasut+renesas(a)mailbox.org> clk: vc5: Fix .driver_data content in i2c_device_id hfdevel(a)gmx.net <hfdevel(a)gmx.net> ARM: dts: meson8b: correct uart_B and uart_C clock references Rafał Miłecki <rafal(a)milecki.pl> ARM: dts: BCM5301X: Drop "clock-names" from the SPI node Luc Ma <luc(a)sietium.com> drm/vram-helper: fix function names in vram helper doc Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: tests - fix input_test_match_device_id test Francesco Dolcini <francesco.dolcini(a)toradex.com> drm/bridge: tc358768: fix THS_TRAILCNT computation Francesco Dolcini <francesco.dolcini(a)toradex.com> drm/bridge: tc358768: fix TXTAGOCNT computation Francesco Dolcini <francesco.dolcini(a)toradex.com> drm/bridge: tc358768: fix THS_ZEROCNT computation Francesco Dolcini <francesco.dolcini(a)toradex.com> drm/bridge: tc358768: fix TCLK_TRAILCNT computation Francesco Dolcini <francesco.dolcini(a)toradex.com> drm/bridge: tc358768: Add atomic_get_input_bus_fmts() implementation Francesco Dolcini <francesco.dolcini(a)toradex.com> drm/bridge: tc358768: fix TCLK_ZEROCNT computation Francesco Dolcini <francesco.dolcini(a)toradex.com> drm/bridge: tc358768: fix PLL target frequency Francesco Dolcini <francesco.dolcini(a)toradex.com> drm/bridge: tc358768: fix PLL parameters computation Francesco Dolcini <francesco.dolcini(a)toradex.com> drm/bridge: tc358768: always enable HS video mode Alexander Stein <alexander.stein(a)ew.tq-group.com> drm/bridge: ti-sn65dsi83: Fix enable error path Geert Uytterhoeven <geert+renesas(a)glider.be> Input: tests - modular KUnit tests should not depend on KUNIT=y Geert Uytterhoeven <geert+renesas(a)glider.be> Input: tests - fix use-after-free and refcount underflow in input_test_exit() Duoming Zhou <duoming(a)zju.edu.cn> Input: cyttsp4_core - change del_timer_sync() to timer_shutdown_sync() Luca Weiss <luca(a)z3ntu.xyz> Input: drv260x - sleep between polling GO bit Markus Elfring <elfring(a)users.sourceforge.net> drm/bridge: it6505: Move a variable assignment behind a null pointer check in receive_timing_debugfs_show() Vinay Belgaumkar <vinay.belgaumkar(a)intel.com> drm/i915/guc/slpc: Provide sysfs for efficient freq Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> drm/amd/display: Explicitly specify update type per plane info change Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> radeon: avoid double free in ci_dpm_init() Arnd Bergmann <arnd(a)arndb.de> drm/amd/display: fix is_timing_changed() prototype Wesley Chalmers <Wesley.Chalmers(a)amd.com> drm/amd/display: Add logging for display MALL refresh setting Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Unconditionally print when DP sink power state fails Dan Carpenter <error27(a)gmail.com> drm/imx/lcdc: fix a NULL vs IS_ERR() bug in probe Kuniyuki Iwashima <kuniyu(a)amazon.com> netlink: Add __sock_i_ino() for __netlink_diag_dump(). Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: avoid suspicious RCU usage for synced VLAN-aware MAC addresses Cambda Zhu <cambda(a)linux.alibaba.com> ipvlan: Fix return value of ipvlan_queue_xmit() Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: fix underflow in chain reference counter Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: unbind non-anonymous set if rule construction fails Ilia.Gavrilov <Ilia.Gavrilov(a)infotecs.ru> netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param() return value. Florian Westphal <fw(a)strlen.de> netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one Jeremy Sowden <jeremy(a)azazel.net> lib/ts_bm: reset initial match offset for every block of text Lin Ma <linma(a)zju.edu.cn> net: nfc: Fix use-after-free caused by nfc_llcp_find_local Edward Cree <ecree.xilinx(a)gmail.com> sfc: fix crash when reading stats while NIC is resetting David Howells <dhowells(a)redhat.com> ocfs2: Fix use of slab data with sendpage Maxim Kochetkov <fido_max(a)inbox.ru> net: axienet: Move reset before 64-bit DMA detection Kuniyuki Iwashima <kuniyu(a)amazon.com> gtp: Fix use-after-free in __gtp_encap_destroy(). Sabrina Dubroca <sd(a)queasysnail.net> selftests: rtnetlink: remove netdevsim device after ipsec offload test Eric Dumazet <edumazet(a)google.com> sch_netem: fix issues in netem_change() vs get_dist_table() Eric Dumazet <edumazet(a)google.com> bonding: do not assume skb mac_header is set Eric Dumazet <edumazet(a)google.com> netlink: do not hard code device address lenth in fdb dumps Eric Dumazet <edumazet(a)google.com> netlink: fix potential deadlock in netlink_set_err() Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> net: stmmac: fix double serdes powerdown Vinicius Costa Gomes <vinicius.gomes(a)intel.com> igc: Work around HW bug causing missing timestamps Vinicius Costa Gomes <vinicius.gomes(a)intel.com> igc: Retrieve TX timestamp during interrupt handling Vinicius Costa Gomes <vinicius.gomes(a)intel.com> igc: Check if hardware TX timestamping is enabled earlier Vinicius Costa Gomes <vinicius.gomes(a)intel.com> igc: Fix race condition in PTP tx code Jimmy Assarsson <extja(a)kvaser.com> can: kvaser_pciefd: Set hardware timestamp on transmitted packets Jimmy Assarsson <extja(a)kvaser.com> can: kvaser_pciefd: Add function to set skb hwtstamps Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> can: length: fix bitstuffing count Gilad Sever <gilad9366(a)gmail.com> bpf: Fix bpf socket lookup from tc/xdp to respect socket VRF bindings Gilad Sever <gilad9366(a)gmail.com> bpf: Call __bpf_sk_lookup()/__bpf_skc_lookup() directly via TC hookpoint Gilad Sever <gilad9366(a)gmail.com> bpf: Factor out socket lookup functions for the TC hookpoint. Dmitry Antipov <dmantipov(a)yandex.ru> wifi: ath9k: convert msecs to jiffies where needed Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: mvm: check only affected links Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: mvm: indicate HW decrypt for beacon protection Marek Vasut <marex(a)denx.de> mmc: Add MMC_QUIRK_BROKEN_SD_CACHE for Kingston Canvas Go Plus from 11/2019 Douglas Anderson <dianders(a)chromium.org> watchdog/hardlockup: keep kernel.nmi_watchdog sysctl as 0444 if probe fails Lecopzer Chen <lecopzer.chen(a)mediatek.com> watchdog/perf: adapt the watchdog_perf interface for async model Douglas Anderson <dianders(a)chromium.org> watchdog/hardlockup: rename some "NMI watchdog" constants/function Douglas Anderson <dianders(a)chromium.org> watchdog/hardlockup: move perf hardlockup checking/panic to common watchdog.c Lecopzer Chen <lecopzer.chen(a)mediatek.com> watchdog/hardlockup: change watchdog_nmi_enable() to void Lecopzer Chen <lecopzer.chen(a)mediatek.com> watchdog: remove WATCHDOG_DEFAULT Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> mm: move mm_count into its own cache line Ilan Peer <ilan.peer(a)intel.com> wifi: ieee80211: Fix the common size calculation for reconfiguration ML Johannes Berg <johannes.berg(a)intel.com> wifi: cfg80211: fix regulatory disconnect with OCB/NAN Benjamin Berg <benjamin.berg(a)intel.com> wifi: cfg80211: drop incorrect nontransmitted BSS update code Benjamin Berg <benjamin.berg(a)intel.com> wifi: cfg80211: rewrite merging of inherited elements Nicolas Cavallari <nicolas.cavallari(a)green-communications.fr> wifi: mac80211: Remove "Missing iftype sband data/EHT cap" spam Anjaneyulu <pagadala.yesu.anjaneyulu(a)intel.com> wifi: iwlwifi: pcie: fix NULL pointer dereference in iwl_pcie_irq_rx_msix_handler() Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: pull from TXQs with softirqs disabled Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: mvm: correctly access HE/EHT sband capa Gregory Greenman <gregory.greenman(a)intel.com> wifi: iwlwifi: mvm: add support for Extra EHT LTF Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: add helpers to access sband iftype data Ziyang Huang <hzyitc(a)outlook.com> wifi: ath11k: Add missing hw_ops->get_ring_selector() for IPQ5018 Ziyang Huang <hzyitc(a)outlook.com> wifi: ath11k: Restart firmware after cold boot calibration for IPQ5018 Ziyang Huang <hzyitc(a)outlook.com> wifi: ath11k: Add missing ops config for IPQ5018 in ath11k_ahb_probe() Jiasheng Jiang <jiasheng(a)iscas.ac.cn> wifi: ath11k: Add missing check for ioremap Edwin Peer <edwin.peer(a)broadcom.com> rtnetlink: extend RTEXT_FILTER_SKIP_STATS to IFLA_VF_INFO Mukesh Sisodiya <mukesh.sisodiya(a)intel.com> wifi: iwlwifi: fw: print PC register value instead of address Mukesh Sisodiya <mukesh.sisodiya(a)intel.com> wifi: iwlwifi: mvm: Handle return value for iwl_mvm_sta_init Ilan Peer <ilan.peer(a)intel.com> wifi: mac80211: Fix permissions for valid_links debugfs entry Eduard Zingerman <eddyz87(a)gmail.com> bpf: Verify scalar ids mapping in regsafe() using check_ids() Eduard Zingerman <eddyz87(a)gmail.com> bpf: Use scalar ids in mark_chain_precision() Remi Pommarel <repk(a)triplefau.lt> wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key() Eduard Zingerman <eddyz87(a)gmail.com> selftests/bpf: Fix invalid pointer check in get_xlated_program() Arnd Bergmann <arnd(a)arndb.de> memstick r592: make memstick_debug_get_tpc_name() static Douglas Anderson <dianders(a)chromium.org> mmc: mediatek: Avoid ugly error message when SDIO wakeup IRQ isn't used Zhen Lei <thunder.leizhen(a)huawei.com> kexec: fix a memory leak in crash_shrink_memory() Douglas Anderson <dianders(a)chromium.org> watchdog/perf: more properly prevent false positives with turbo modes Douglas Anderson <dianders(a)chromium.org> watchdog/perf: define dummy watchdog_update_hrtimer_threshold() on correct config Haifeng Xu <haifeng.xu(a)shopee.com> selftests: cgroup: fix unexpected failure on test_memcg_low Karol Kolacinski <karol.kolacinski(a)intel.com> ice: handle extts in the miscellaneous interrupt thread Marek Vasut <marex(a)denx.de> wifi: rsi: Do not set MMC_PM_KEEP_POWER in shutdown Marek Vasut <marex(a)denx.de> wifi: rsi: Do not configure WoWlan in shutdown hook if not enabled Vijaya Krishna Nivarthi <quic_vnivarth(a)quicinc.com> spi: spi-geni-qcom: Do not do DMA map/unmap inside driver, use framework instead Vijaya Krishna Nivarthi <quic_vnivarth(a)quicinc.com> soc: qcom: geni-se: Add interfaces geni_se_tx_init_dma() and geni_se_rx_init_dma() Jesper Dangaard Brouer <brouer(a)redhat.com> selftests/bpf: Fix check_mtu using wrong variable type Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: recalc min chandef for new STA links Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: mvm: send time sync only if needed Viktor Malik <vmalik(a)redhat.com> tools/resolve_btfids: Fix setting HOSTCFLAGS Dave Marchevsky <davemarchevsky(a)fb.com> bpf: Make bpf_refcount_acquire fallible for non-owning refs Dave Marchevsky <davemarchevsky(a)fb.com> bpf: Fix __bpf_{list,rbtree}_add's beginning-of-node calculation Dave Marchevsky <davemarchevsky(a)fb.com> bpf: Set kptr_struct_meta for node param to list and rbtree insert funcs Dave Marchevsky <davemarchevsky(a)fb.com> bpf: Remove anonymous union in bpf_kfunc_call_arg_meta Youghandhar Chintala <quic_youghand(a)quicinc.com> wifi: ath10k: Trigger STA disconnect after reconfig complete on hardware restart Jesper Dangaard Brouer <brouer(a)redhat.com> samples/bpf: xdp1 and xdp2 reduce XDPBUFSIZE to 60 Sascha Hauer <s.hauer(a)pengutronix.de> wifi: rtw88: usb: silence log flooding error message Fedor Pchelkin <pchelkin(a)ispras.ru> wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> wifi: ray_cs: Fix an error handling path in ray_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> wifi: wl3501_cs: Fix an error handling path in wl3501_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> wifi: atmel: Fix an error handling path in atmel_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> wifi: orinoco: Fix an error handling path in orinoco_cs_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> wifi: orinoco: Fix an error handling path in spectrum_cs_probe() Geert Uytterhoeven <geert+renesas(a)glider.be> regulator: core: Streamline debugfs operations Geert Uytterhoeven <geert+renesas(a)glider.be> regulator: core: Fix more error checking for debugfs_create_dir() Sebastian Reichel <sebastian.reichel(a)collabora.com> regulator: rk808: fix asynchronous probing Alexey Gladkov <legion(a)kernel.org> selftests/bpf: Do not use sign-file as testcase Yafang Shao <laoar.shao(a)gmail.com> bpf: Fix memleak due to fentry attach failure Yafang Shao <laoar.shao(a)gmail.com> bpf: Remove bpf trampoline selector Alan Maguire <alan.maguire(a)oracle.com> bpftool: JIT limited misreported as negative value on aarch64 Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> nfc: llcp: fix possible use of uninitialized variable in nfc_llcp_send_connect() Joy Chakraborty <joychakr(a)google.com> spi: dw: Round of n_bytes to power of 2 Stanislav Fomichev <sdf(a)google.com> bpf: Don't EFAULT for {g,s}setsockopt with wrong optlen Andrii Nakryiko <andrii(a)kernel.org> libbpf: fix offsetof() and container_of() to work with CO-RE Edward Cree <ecree.xilinx(a)gmail.com> sfc: release encap match in efx_tc_flow_free() Alexander Mikhalitsyn <alexander(a)mihalicyn.com> sctp: add bpf_bypass_getsockopt proto callback Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> wifi: mwifiex: Fix the size of a memory allocation in mwifiex_ret_802_11_scan() Dan Carpenter <dan.carpenter(a)linaro.org> wifi: rtw88: unlock on error path in rtw_ops_add_interface() Amisha Patel <amisha.patel(a)microchip.com> wifi: wilc1000: fix for absent RSN capabilities WFA testcase Vijaya Krishna Nivarthi <quic_vnivarth(a)quicinc.com> spi: spi-geni-qcom: Correct CS_TOGGLE bit in SPI_TRANS_CFG Pengcheng Yang <yangpc(a)wangsu.com> samples/bpf: Fix buffer overflow in tcp_basertt Dan Carpenter <dan.carpenter(a)linaro.org> wifi: rtw89: fix rtw89_read_chip_ver() for RTL8852B and RTL8851B Andrii Nakryiko <andrii(a)kernel.org> bpf: fix propagate_precision() logic for inner frames Andrii Nakryiko <andrii(a)kernel.org> bpf: maintain bitmasks across all active frames in __mark_chain_precision Andrii Nakryiko <andrii(a)kernel.org> bpf: improve precision backtrack logging Andrii Nakryiko <andrii(a)kernel.org> bpf: encapsulate precision backtracking bookkeeping Martin KaFai Lau <martin.lau(a)kernel.org> libbpf: btf_dump_type_data_check_overflow needs to consider BTF_MEMBER_BITFIELD_SIZE Fedor Pchelkin <pchelkin(a)ispras.ru> wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx Peter Seiderer <ps.report(a)gmx.net> wifi: ath9k: fix AR9003 mac hardware hang check register offset calculation Jesper Dangaard Brouer <brouer(a)redhat.com> igc: Enable and fix RX hash usage by netstack Hao Jia <jiahao.os(a)bytedance.com> sched/core: Avoid multiple calling update_rq_clock() in __cfsb_csd_unthrottle() Jiasheng Jiang <jiasheng(a)iscas.ac.cn> pstore/ram: Add check for kstrdup Roberto Sassu <roberto.sassu(a)huawei.com> ima: Fix build warnings Roberto Sassu <roberto.sassu(a)huawei.com> evm: Fix build warnings Roberto Sassu <roberto.sassu(a)huawei.com> evm: Complete description of evm_inode_setattr() Mark Rutland <mark.rutland(a)arm.com> locking/atomic: arm: fix sync ops Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> reiserfs: Initialize sec->length in reiserfs_security_init(). Juergen Gross <jgross(a)suse.com> x86/mm: Fix __swp_entry_to_pte() for Xen PV guests Ravi Bangoria <ravi.bangoria(a)amd.com> perf/ibs: Fix interface via core pmu events Mark Brown <broonie(a)kernel.org> selftests/ftace: Fix KTAP output ordering Colin Ian King <colin.i.king(a)gmail.com> kselftest: vDSO: Fix accumulation of uninitialized ret when CLOCK_REALTIME is undefined Thomas Weißschuh <linux(a)weissschuh.net> tools/nolibc: ensure fast64 integer types have 64 bits Juergen Gross <jgross(a)suse.com> x86/xen: Set MTRR state when running as Xen PV initial domain Juergen Gross <jgross(a)suse.com> x86/mtrr: Replace size_or_mask and size_and_mask with a much easier concept Juergen Gross <jgross(a)suse.com> x86/hyperv: Set MTRR state when running as SEV-SNP Hyper-V guest Juergen Gross <jgross(a)suse.com> x86/mtrr: Support setting MTRR state for software defined MTRRs Juergen Gross <jgross(a)suse.com> x86/mtrr: Remove physical address size calculation Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> rcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading rcuscale Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> rcu/rcuscale: Move rcu_scale_*() after kfree_scale_cleanup() Paul E. McKenney <paulmck(a)kernel.org> rcutorture: Correct name of use_softirq module parameter Paul E. McKenney <paulmck(a)kernel.org> rcu-tasks: Stop rcu_tasks_invoke_cbs() from using never-onlined CPUs Paul E. McKenney <paulmck(a)kernel.org> rcu: Make rcu_cpu_starting() rely on interrupts being disabled Daniel Latypov <dlatypov(a)google.com> kunit: tool: undo type subscripts for subprocess.Popen Peng Fan <peng.fan(a)nxp.com> thermal/drivers/qoriq: Only enable supported sensors Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> thermal/drivers/sun8i: Fix some error handling paths in sun8i_ths_probe() Stephan Gerhold <stephan.gerhold(a)kernkonzept.com> thermal/drivers/qcom/tsens-v0_1: Add mdm9607 correction offsets Stephan Gerhold <stephan.gerhold(a)kernkonzept.com> thermal/drivers/qcom/tsens-v0_1: Fix mdm9607 slope values Matti Lehtimäki <matti.lehtimaki(a)gmail.com> thermal/drivers/qcom/tsens-v0_1: Add support for MSM8226 Tero Kristo <tero.kristo(a)linux.intel.com> cpufreq: intel_pstate: Fix energy_performance_preference for passive Arnd Bergmann <arnd(a)arndb.de> ARM: 9303/1: kprobes: avoid missing-declaration warnings Ulf Hansson <ulf.hansson(a)linaro.org> PM: domains: Move the verification of in-params from genpd_add_device() Zhang Rui <rui.zhang(a)intel.com> powercap: RAPL: Fix CONFIG_IOSF_MBI dependency Sumeet Pawnikar <sumeet.r.pawnikar(a)intel.com> powercap: RAPL: fix invalid initialization for pl4_supported field Li Yang <leoyang.li(a)nxp.com> APEI: GHES: correctly return NULL for ghes_get_devices() Robin Murphy <robin.murphy(a)arm.com> perf/arm_cspmu: Fix event attribute type Ilkka Koskinen <ilkka(a)os.amperecomputing.com> perf: arm_cspmu: Set irq affinitiy only if overflow interrupt is used Junhao He <hejunhao3(a)huawei.com> drivers/perf: hisi: Don't migrate perf to the CPU going to teardown Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> x86/tdx: Fix race between set_memory_encrypted() and load_unaligned_zeropad() Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> x86/mm: Allow guest.enc_status_change_prepare() to fail Marc Zyngier <maz(a)kernel.org> drivers/perf: apple_m1: Force 63bit counters for M2 CPUs Robin Murphy <robin.murphy(a)arm.com> perf/arm-cmn: Fix DTC reset Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> PM: domains: fix integer overflow issues in genpd_parse_state() Feng Mingxi <m202271825(a)hust.edu.cn> clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe Ming Lei <ming.lei(a)redhat.com> blk-mq: don't insert passthrough request into sw queue Christoph Hellwig <hch(a)lst.de> btrfs: fix file_offset for REQ_BTRFS_ONE_ORDERED bios that get split Christoph Hellwig <hch(a)lst.de> btrfs: don't treat zoned writeback as being from an async helper thread Christoph Hellwig <hch(a)lst.de> btrfs: only call __extent_writepage_io from extent_write_locked_range Christoph Hellwig <hch(a)lst.de> btrfs: don't fail writeback when allocating the compression context fails Christoph Hellwig <hch(a)lst.de> btrfs: fix range_end calculation in extent_write_locked_range Christoph Hellwig <hch(a)lst.de> btrfs: submit a writeback bio per extent_buffer Christoph Hellwig <hch(a)lst.de> btrfs: return bool from lock_extent_buffer_for_io Christoph Hellwig <hch(a)lst.de> btrfs: don't use btrfs_bio_ctrl for extent buffer reading Christoph Hellwig <hch(a)lst.de> btrfs: always read the entire extent_buffer Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> tracing/timer: Add missing hrtimer modes to decode_hrtimer_mode(). Wen Yang <wenyang.linux(a)foxmail.com> tick/rcu: Fix bogus ratelimit condition Thomas Gleixner <tglx(a)linutronix.de> posix-timers: Prevent RT livelock in itimer_delete() Gao Xiang <xiang(a)kernel.org> erofs: fix compact 4B support for 16k block size Chuck Lever <chuck.lever(a)oracle.com> svcrdma: Prevent page release when nothing was received John Paul Adrian Glaubitz <glaubitz(a)physik.fu-berlin.de> irqchip/jcore-aic: Fix missing allocation of IRQ descriptors Antonio Borneo <antonio.borneo(a)foss.st.com> irqchip/stm32-exti: Fix warning on initialized field overwritten Christoph Hellwig <hch(a)lst.de> splice: don't call file_accessed in copy_splice_read Jianmin Lv <lvjianmin(a)loongson.cn> irqchip/loongson-eiointc: Fix irq affinity setting during resume Yu Kuai <yukuai3(a)huawei.com> block: fix blktrace debugfs entries leakage Yu Kuai <yukuai3(a)huawei.com> md/raid1-10: submit write io directly if bitmap is not enabled Yu Kuai <yukuai3(a)huawei.com> md/raid1-10: factor out a helper to submit normal write Yu Kuai <yukuai3(a)huawei.com> md/raid1-10: factor out a helper to add bio to plug Li Nan <linan122(a)huawei.com> md/raid10: fix io loss while replacement replace rdev Li Nan <linan122(a)huawei.com> md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request Li Nan <linan122(a)huawei.com> md/raid10: fix wrong setting of max_corr_read_errors Li Nan <linan122(a)huawei.com> md/raid10: fix overflow of md/safe_mode_delay Li Nan <linan122(a)huawei.com> md/raid10: check slab-out-of-bounds in md_bitmap_get_counter Chaitanya Kulkarni <kch(a)nvidia.com> nvme-core: fix dev_pm_qos memleak Chaitanya Kulkarni <kch(a)nvidia.com> nvme-core: add missing fault-injection cleanup Chaitanya Kulkarni <kch(a)nvidia.com> nvme-core: fix memory leak in dhchap_ctrl_secret Chaitanya Kulkarni <kch(a)nvidia.com> nvme-core: fix memory leak in dhchap_secret_store NeilBrown <neilb(a)suse.de> lockd: drop inappropriate svc_get() from locked_get() Yu Kuai <yukuai3(a)huawei.com> blk-mq: fix potential io hang by wrong 'wake_batch' Arnd Bergmann <arnd(a)arndb.de> virt: sevguest: Add CONFIG_CRYPTO dependency Waiman Long <longman(a)redhat.com> blk-cgroup: Reinit blkg_iostat_set after clearing in blkcg_reset_stats() Tom Lendacky <thomas.lendacky(a)amd.com> x86/sev: Fix calculation of end address based on number of pages Li Nan <linan122(a)huawei.com> blk-iocost: use spin_lock_irqsave in adjust_inuse_and_calc_cost Eric Biggers <ebiggers(a)google.com> fsverity: don't use bio_first_page_all() in fsverity_verify_bio() Eric Biggers <ebiggers(a)google.com> fsverity: use shash API instead of ahash API Shawn Wang <shawnwang(a)linux.alibaba.com> x86/resctrl: Only show tasks' pid in current pid namespace Gao Xiang <xiang(a)kernel.org> erofs: kill hooked chains to avoid loops on deduplicated compressed images David Howells <dhowells(a)redhat.com> splice: Fix filemap_splice_read() to use the correct inode Yu Kuai <yukuai3(a)huawei.com> block/rq_qos: protect rq_qos apis with a new lock Bart Van Assche <bvanassche(a)acm.org> block: Fix the type of the second bdev_op_is_zoned_write() argument Ming Lei <ming.lei(a)redhat.com> blk-mq: don't queue plugged passthrough requests into scheduler Alexander Gordeev <agordeev(a)linux.ibm.com> s390/kasan: fix insecure W+X mapping warning Arnd Bergmann <arnd(a)arndb.de> fs: pipe: reveal missing function protoypes Hersen Wu <hersenxs.wu(a)amd.com> Revert "drm/amd/display: edp do not add non-edid timings" Sean Nyekjaer <sean(a)geanix.com> iio: accel: fxls8962af: fixup buffer scan element type Sean Nyekjaer <sean(a)geanix.com> iio: accel: fxls8962af: errata bug only applicable for FXLS8962AF Fabrizio Lamarque <fl.scratchpad(a)gmail.com> iio: adc: ad7192: Fix internal/external clock selection Fabrizio Lamarque <fl.scratchpad(a)gmail.com> iio: adc: ad7192: Fix null ad7192_state pointer access Rasmus Villemoes <linux(a)rasmusvillemoes.dk> iio: addac: ad74413: don't set DIN_SINK for functions other than digital input Fabrizio Lamarque <fl.scratchpad(a)gmail.com> dt-bindings: iio: ad7192: Add mandatory reference voltage source Alvin Šipraga <alsi(a)bang-olufsen.dk> extcon: usbc-tusb320: Unregister typec port on driver removal EJ Hsu <ejh(a)nvidia.com> phy: tegra: xusb: Clear the driver reference in usb-phy dev Krishna Kurapati <quic_kriskura(a)quicinc.com> usb: dwc3: gadget: Propagate core init errors to UDC during pullup Davide Tronchin <davide.tronchin.94(a)gmail.com> USB: serial: option: add LARA-R6 01B PIDs ndesaulniers(a)google.com <ndesaulniers(a)google.com> start_kernel: Add __no_stack_protector function attribute ------------- Diffstat: Documentation/ABI/testing/sysfs-driver-eud | 2 +- .../devicetree/bindings/crypto/qcom-qce.yaml | 6 + .../devicetree/bindings/iio/adc/adi,ad7192.yaml | 5 + .../devicetree/bindings/iommu/arm,smmu.yaml | 6 +- .../devicetree/bindings/power/reset/qcom,pon.yaml | 4 +- .../bindings/sound/mediatek,mt8188-afe.yaml | 36 +- Documentation/fault-injection/provoke-crashes.rst | 2 +- Documentation/filesystems/autofs-mount-control.rst | 2 +- Documentation/filesystems/autofs.rst | 2 +- Documentation/filesystems/directory-locking.rst | 26 +- Documentation/filesystems/f2fs.rst | 16 + Documentation/networking/af_xdp.rst | 9 + Makefile | 4 +- arch/arc/include/asm/linkage.h | 8 +- arch/arm/boot/dts/bcm53015-meraki-mr26.dts | 2 +- arch/arm/boot/dts/bcm53016-meraki-mr32.dts | 2 +- arch/arm/boot/dts/bcm5301x.dtsi | 1 - arch/arm/boot/dts/iwg20d-q7-common.dtsi | 2 +- .../boot/dts/lan966x-kontron-kswitch-d10-mmt.dtsi | 16 +- arch/arm/boot/dts/meson8.dtsi | 4 +- arch/arm/boot/dts/meson8b.dtsi | 4 +- arch/arm/boot/dts/omap3-gta04a5one.dts | 4 +- arch/arm/boot/dts/qcom-apq8060-dragonboard.dts | 4 +- arch/arm/boot/dts/qcom-apq8074-dragonboard.dts | 4 + arch/arm/boot/dts/qcom-ipq4019-ap.dk04.1-c1.dts | 8 +- arch/arm/boot/dts/qcom-ipq4019-ap.dk04.1.dtsi | 10 +- arch/arm/boot/dts/qcom-ipq4019-ap.dk07.1.dtsi | 12 +- arch/arm/boot/dts/qcom-msm8974.dtsi | 2 +- arch/arm/boot/dts/stm32mp15xx-dhcom-pdk2.dtsi | 11 +- arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi | 8 +- .../boot/dts/stm32mp15xx-dhcor-drc-compact.dtsi | 6 + arch/arm/boot/dts/stm32mp15xx-dhcor-som.dtsi | 6 - arch/arm/boot/dts/stm32mp15xx-dhcor-testbench.dtsi | 8 + arch/arm/boot/dts/stm32mp15xx-dkx.dtsi | 2 +- arch/arm/include/asm/assembler.h | 17 + arch/arm/include/asm/sync_bitops.h | 29 +- arch/arm/lib/bitops.h | 14 +- arch/arm/lib/testchangebit.S | 4 + arch/arm/lib/testclearbit.S | 4 + arch/arm/lib/testsetbit.S | 4 + arch/arm/mach-ep93xx/timer-ep93xx.c | 3 +- arch/arm/mach-omap1/board-ams-delta.c | 1 - arch/arm/mach-omap1/board-nokia770.c | 207 +++--- arch/arm/mach-omap1/board-osk.c | 146 +++-- arch/arm/mach-omap1/board-palmte.c | 51 +- arch/arm/mach-omap1/board-sx1-mmc.c | 1 - arch/arm/mach-omap1/board-sx1.c | 40 +- arch/arm/mach-omap1/devices.c | 1 - arch/arm/mach-omap1/gpio15xx.c | 1 - arch/arm/mach-omap1/gpio16xx.c | 1 - arch/arm/mach-omap1/irq.c | 1 - arch/arm/mach-omap1/serial.c | 30 +- arch/arm/mach-omap2/board-generic.c | 1 + arch/arm/mach-omap2/board-n8x0.c | 156 ++--- arch/arm/mach-omap2/omap_device.c | 1 - arch/arm/mach-omap2/pdata-quirks.c | 132 ++-- arch/arm/mach-omap2/usb-tusb6010.c | 20 +- arch/arm/mach-omap2/usb-tusb6010.h | 12 + arch/arm/mach-orion5x/board-dt.c | 3 + arch/arm/mach-orion5x/common.h | 6 + arch/arm/mach-pxa/spitz.c | 11 +- arch/arm/probes/kprobes/checkers-common.c | 2 +- arch/arm/probes/kprobes/core.c | 2 +- arch/arm/probes/kprobes/opt-arm.c | 2 - arch/arm/probes/kprobes/test-core.c | 2 +- arch/arm/probes/kprobes/test-core.h | 4 + .../dts/mediatek/mt7986a-bananapi-bpi-r3-nand.dtso | 6 +- arch/arm64/boot/dts/mediatek/mt8183-kukui.dtsi | 4 + arch/arm64/boot/dts/mediatek/mt8192-asurada.dtsi | 4 + arch/arm64/boot/dts/mediatek/mt8192.dtsi | 22 +- arch/arm64/boot/dts/mediatek/mt8195-cherry.dtsi | 4 + arch/arm64/boot/dts/microchip/sparx5.dtsi | 2 +- .../boot/dts/microchip/sparx5_pcb_common.dtsi | 12 + arch/arm64/boot/dts/qcom/apq8016-sbc.dts | 78 ++- arch/arm64/boot/dts/qcom/apq8096-ifc6640.dts | 4 +- arch/arm64/boot/dts/qcom/ipq6018.dtsi | 2 +- arch/arm64/boot/dts/qcom/ipq9574.dtsi | 6 +- arch/arm64/boot/dts/qcom/msm8916.dtsi | 8 +- arch/arm64/boot/dts/qcom/msm8953.dtsi | 4 +- arch/arm64/boot/dts/qcom/msm8976.dtsi | 6 +- arch/arm64/boot/dts/qcom/msm8994.dtsi | 2 +- arch/arm64/boot/dts/qcom/msm8996.dtsi | 2 +- arch/arm64/boot/dts/qcom/pm7250b.dtsi | 1 + arch/arm64/boot/dts/qcom/pm8998.dtsi | 2 +- arch/arm64/boot/dts/qcom/qdu1000.dtsi | 1 + arch/arm64/boot/dts/qcom/qrb4210-rb2.dts | 3 +- arch/arm64/boot/dts/qcom/sdm630.dtsi | 2 +- arch/arm64/boot/dts/qcom/sdm670.dtsi | 1 + arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts | 1 + arch/arm64/boot/dts/qcom/sdm845.dtsi | 3 +- arch/arm64/boot/dts/qcom/sm6115.dtsi | 2 +- .../boot/dts/qcom/sm8250-sony-xperia-edo.dtsi | 7 +- arch/arm64/boot/dts/qcom/sm8350.dtsi | 6 +- arch/arm64/boot/dts/qcom/sm8550.dtsi | 9 +- arch/arm64/boot/dts/renesas/ulcb-kf.dtsi | 3 +- .../boot/dts/rockchip/rk3566-anbernic-rgxx3.dtsi | 2 +- arch/arm64/boot/dts/rockchip/rk3588-rock-5b.dts | 2 + arch/arm64/boot/dts/ti/k3-am69-sk.dts | 2 +- .../boot/dts/ti/k3-j7200-common-proc-board.dts | 28 +- arch/arm64/boot/dts/ti/k3-j721e-beagleboneai64.dts | 5 + arch/arm64/boot/dts/ti/k3-j784s4-evm.dts | 32 +- arch/arm64/boot/dts/ti/k3-j784s4-mcu-wakeup.dtsi | 29 +- arch/arm64/include/asm/fpsimdmacros.h | 6 +- arch/arm64/kernel/signal.c | 2 +- arch/loongarch/Makefile | 2 +- arch/mips/Makefile | 2 +- arch/mips/alchemy/devboards/db1000.c | 11 +- arch/mips/boot/dts/ingenic/ci20.dts | 27 +- arch/powerpc/Kconfig.debug | 2 +- arch/powerpc/boot/dts/turris1x.dts | 6 +- arch/powerpc/include/asm/nmi.h | 4 +- arch/powerpc/kernel/interrupt.c | 3 +- arch/powerpc/kernel/ppc_save_regs.S | 6 +- arch/powerpc/kernel/signal_32.c | 15 +- arch/powerpc/kernel/smp.c | 1 + arch/powerpc/kernel/vdso/Makefile | 2 +- arch/powerpc/kernel/watchdog.c | 12 +- arch/powerpc/mm/book3s64/radix_pgtable.c | 34 +- arch/powerpc/mm/init_64.c | 2 +- arch/powerpc/platforms/powernv/pci-sriov.c | 6 +- arch/powerpc/platforms/powernv/vas-window.c | 2 +- arch/powerpc/platforms/pseries/mobility.c | 4 +- arch/powerpc/platforms/pseries/vas.c | 2 +- arch/riscv/kernel/hibernate-asm.S | 1 - arch/riscv/kernel/hibernate.c | 1 - arch/riscv/kernel/probes/uprobes.c | 2 + arch/riscv/kernel/smpboot.c | 5 +- arch/riscv/mm/init.c | 4 +- arch/s390/kvm/diag.c | 8 +- arch/s390/kvm/kvm-s390.c | 4 + arch/s390/kvm/vsie.c | 6 +- arch/s390/mm/vmem.c | 14 +- arch/sh/drivers/dma/dma-sh.c | 37 +- arch/sh/include/mach-common/mach/highlander.h | 2 +- arch/sh/include/mach-common/mach/r2d.h | 2 +- arch/sh/include/mach-dreamcast/mach/sysasic.h | 2 +- arch/sh/include/mach-se/mach/se7724.h | 2 +- arch/sh/kernel/cpu/sh2/probe.c | 2 +- arch/sh/kernel/cpu/sh3/entry.S | 4 +- arch/sparc/kernel/nmi.c | 10 +- arch/um/Makefile | 2 +- arch/x86/coco/tdx/tdx.c | 51 +- arch/x86/events/amd/core.c | 2 +- arch/x86/events/amd/ibs.c | 53 +- arch/x86/hyperv/ivm.c | 4 + arch/x86/include/asm/mtrr.h | 40 +- arch/x86/include/asm/perf_event.h | 2 + arch/x86/include/asm/pgtable_64.h | 4 +- arch/x86/include/asm/sev.h | 16 +- arch/x86/include/asm/x86_init.h | 2 +- arch/x86/include/uapi/asm/mtrr.h | 8 - arch/x86/kernel/cpu/mtrr/cleanup.c | 18 +- arch/x86/kernel/cpu/mtrr/generic.c | 124 +++- arch/x86/kernel/cpu/mtrr/mtrr.c | 73 +-- arch/x86/kernel/cpu/mtrr/mtrr.h | 4 +- arch/x86/kernel/cpu/resctrl/rdtgroup.c | 8 +- arch/x86/kernel/setup.c | 2 + arch/x86/kernel/sev.c | 14 +- arch/x86/kernel/x86_init.c | 2 +- arch/x86/mm/mem_encrypt_amd.c | 4 +- arch/x86/mm/pat/set_memory.c | 3 +- arch/x86/platform/efi/efi_64.c | 6 +- arch/x86/xen/enlighten_pv.c | 52 ++ block/blk-cgroup.c | 20 +- block/blk-core.c | 1 + block/blk-iocost.c | 7 +- block/blk-mq-debugfs.c | 2 +- block/blk-mq-tag.c | 15 +- block/blk-mq.c | 13 +- block/blk-mq.h | 3 +- block/blk-rq-qos.c | 20 +- block/blk-throttle.c | 6 - block/blk-throttle.h | 9 + block/blk-wbt.c | 2 + block/disk-events.c | 1 + block/genhd.c | 5 +- block/partitions/amiga.c | 102 ++- crypto/jitterentropy.c | 9 +- drivers/accel/habanalabs/gaudi2/gaudi2.c | 2 +- drivers/acpi/apei/ghes.c | 2 + drivers/base/power/domain.c | 15 +- drivers/base/property.c | 12 +- drivers/bus/fsl-mc/dprc-driver.c | 6 + drivers/bus/ti-sysc.c | 4 +- drivers/cdx/cdx.c | 18 + drivers/char/hw_random/st-rng.c | 21 +- drivers/char/hw_random/virtio-rng.c | 10 +- drivers/clk/bcm/clk-raspberrypi.c | 4 +- drivers/clk/clk-cdce925.c | 12 + drivers/clk/clk-renesas-pcie.c | 4 +- drivers/clk/clk-si5341.c | 38 +- drivers/clk/clk-versaclock5.c | 45 +- drivers/clk/clk-versaclock7.c | 2 +- drivers/clk/clk.c | 2 + drivers/clk/imx/clk-composite-8m.c | 31 + drivers/clk/imx/clk-imx8mn.c | 8 +- drivers/clk/imx/clk-imx8mp.c | 24 +- drivers/clk/imx/clk-imx93.c | 15 +- drivers/clk/imx/clk-imxrt1050.c | 22 +- drivers/clk/imx/clk-scu.c | 4 +- drivers/clk/keystone/sci-clk.c | 2 + drivers/clk/mediatek/clk-mt8173-apmixedsys.c | 7 +- drivers/clk/mediatek/clk-mtk.c | 13 +- drivers/clk/qcom/camcc-sc7180.c | 19 +- drivers/clk/qcom/dispcc-qcm2290.c | 12 +- drivers/clk/qcom/gcc-ipq5332.c | 6 +- drivers/clk/qcom/gcc-ipq6018.c | 34 +- drivers/clk/qcom/gcc-qcm2290.c | 62 +- drivers/clk/qcom/mmcc-msm8974.c | 23 +- drivers/clk/renesas/rzg2l-cpg.c | 6 +- drivers/clk/renesas/rzg2l-cpg.h | 3 - drivers/clk/tegra/clk-tegra124-emc.c | 2 + drivers/clk/ti/clkctrl.c | 7 + drivers/clk/xilinx/clk-xlnx-clock-wizard.c | 7 +- drivers/clocksource/timer-cadence-ttc.c | 19 +- drivers/cpufreq/intel_pstate.c | 2 + drivers/cpufreq/mediatek-cpufreq.c | 13 +- drivers/cpufreq/tegra194-cpufreq.c | 6 +- .../crypto/intel/qat/qat_common/qat_asym_algs.c | 14 +- drivers/crypto/marvell/cesa/cipher.c | 2 +- drivers/crypto/nx/Makefile | 2 +- drivers/crypto/nx/nx.h | 4 +- drivers/cxl/core/region.c | 102 +-- drivers/cxl/cxl.h | 16 +- drivers/dax/bus.c | 61 +- drivers/dax/dax-private.h | 4 +- drivers/dax/kmem.c | 2 +- drivers/extcon/extcon-usbc-tusb320.c | 42 +- drivers/extcon/extcon.c | 8 + drivers/firmware/efi/libstub/efi-stub-helper.c | 6 +- drivers/gpio/gpio-twl4030.c | 52 +- drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 11 +- drivers/gpu/drm/amd/amdgpu/amdgpu_jpeg.c | 3 +- drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 6 +- drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 2 + drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 3 +- drivers/gpu/drm/amd/amdgpu/amdgpu_ring_mux.c | 3 + drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c | 3 +- drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 85 +-- drivers/gpu/drm/amd/amdgpu/nbio_v2_3.c | 11 +- drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 4 +- drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c | 4 +- drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 13 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 +- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 5 +- .../dc/clk_mgr/dcn30/dcn30_clk_mgr_smu_msg.c | 3 + drivers/gpu/drm/amd/display/dc/core/dc.c | 3 - drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 6 +- drivers/gpu/drm/amd/display/dc/dc.h | 3 + .../gpu/drm/amd/display/dc/dcn314/dcn314_hwseq.c | 23 - .../gpu/drm/amd/display/dc/dcn314/dcn314_hwseq.h | 2 - .../gpu/drm/amd/display/dc/dcn314/dcn314_init.c | 2 +- .../amd/display/dc/dml/dcn21/display_mode_vba_21.c | 2 +- .../display/dc/dml/dcn32/display_rq_dlg_calc_32.c | 2 +- .../display/dc/link/protocols/link_dp_capability.c | 4 +- .../drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 18 +- .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 1 + drivers/gpu/drm/bridge/analogix/anx7625.c | 128 ++-- drivers/gpu/drm/bridge/ite-it6505.c | 3 +- drivers/gpu/drm/bridge/samsung-dsim.c | 22 +- drivers/gpu/drm/bridge/tc358767.c | 4 +- drivers/gpu/drm/bridge/tc358768.c | 93 ++- drivers/gpu/drm/bridge/ti-sn65dsi83.c | 20 +- drivers/gpu/drm/drm_gem_vram_helper.c | 6 +- drivers/gpu/drm/i915/Makefile | 2 + drivers/gpu/drm/i915/display/intel_color.c | 36 +- drivers/gpu/drm/i915/display/intel_crtc.c | 2 +- drivers/gpu/drm/i915/display/intel_cursor.c | 4 +- drivers/gpu/drm/i915/display/intel_display.c | 2 +- drivers/gpu/drm/i915/display/intel_display.h | 10 +- .../gpu/drm/i915/display/intel_display_device.c | 728 +++++++++++++++++++++ .../gpu/drm/i915/display/intel_display_device.h | 86 +++ drivers/gpu/drm/i915/display/intel_display_power.c | 6 +- .../gpu/drm/i915/display/intel_display_reg_defs.h | 14 +- drivers/gpu/drm/i915/display/intel_fb_pin.c | 2 +- drivers/gpu/drm/i915/display/intel_fbc.c | 6 +- drivers/gpu/drm/i915/display/intel_hdcp.c | 2 +- drivers/gpu/drm/i915/display/intel_hti.c | 2 +- drivers/gpu/drm/i915/display/intel_psr.c | 4 +- drivers/gpu/drm/i915/display/intel_psr_regs.h | 2 +- drivers/gpu/drm/i915/display/skl_universal_plane.c | 2 +- drivers/gpu/drm/i915/display/skl_watermark.c | 8 +- drivers/gpu/drm/i915/gt/intel_gt_sysfs_pm.c | 35 + drivers/gpu/drm/i915/gt/uc/intel_guc_slpc.c | 40 +- drivers/gpu/drm/i915/gt/uc/intel_guc_slpc.h | 1 + drivers/gpu/drm/i915/gt/uc/intel_guc_slpc_types.h | 1 + drivers/gpu/drm/i915/i915_driver.c | 12 +- drivers/gpu/drm/i915/i915_drv.h | 52 +- drivers/gpu/drm/i915/i915_pci.c | 384 +---------- drivers/gpu/drm/i915/i915_reg.h | 33 - drivers/gpu/drm/i915/intel_device_info.c | 140 ++-- drivers/gpu/drm/i915/intel_device_info.h | 69 +- drivers/gpu/drm/i915/intel_step.c | 8 +- drivers/gpu/drm/imx/lcdc/imx-lcdc.c | 4 +- drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 3 +- drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 3 +- .../drm/msm/disp/dpu1/catalog/dpu_3_0_msm8998.h | 12 +- .../gpu/drm/msm/disp/dpu1/catalog/dpu_4_0_sdm845.h | 8 +- .../gpu/drm/msm/disp/dpu1/catalog/dpu_5_0_sm8150.h | 12 +- .../drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h | 12 +- .../gpu/drm/msm/disp/dpu1/catalog/dpu_6_0_sm8250.h | 12 +- .../gpu/drm/msm/disp/dpu1/catalog/dpu_6_2_sc7180.h | 10 +- .../gpu/drm/msm/disp/dpu1/catalog/dpu_6_3_sm6115.h | 2 +- .../drm/msm/disp/dpu1/catalog/dpu_6_5_qcm2290.h | 2 +- .../gpu/drm/msm/disp/dpu1/catalog/dpu_7_2_sc7280.h | 18 +- .../gpu/drm/msm/disp/dpu1/catalog/dpu_8_1_sm8450.h | 4 +- drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 5 +- .../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c | 60 +- drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c | 36 +- drivers/gpu/drm/msm/disp/dpu1/dpu_hw_ctl.c | 5 +- drivers/gpu/drm/msm/disp/dpu1/dpu_hw_dsc.c | 5 +- drivers/gpu/drm/msm/disp/dpu1/dpu_hw_pingpong.c | 75 ++- drivers/gpu/drm/msm/disp/dpu1/dpu_hw_pingpong.h | 31 +- drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h | 4 + drivers/gpu/drm/msm/dp/dp_display.c | 16 +- drivers/gpu/drm/msm/dsi/dsi_host.c | 26 +- drivers/gpu/drm/msm/dsi/phy/dsi_phy_14nm.c | 3 + drivers/gpu/drm/nouveau/dispnv50/disp.c | 1 + drivers/gpu/drm/nouveau/nv50_display.h | 4 +- drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c | 11 +- drivers/gpu/drm/panel/panel-simple.c | 4 +- drivers/gpu/drm/radeon/ci_dpm.c | 28 +- drivers/gpu/drm/radeon/cypress_dpm.c | 8 +- drivers/gpu/drm/radeon/ni_dpm.c | 8 +- drivers/gpu/drm/radeon/rv740_dpm.c | 8 +- drivers/gpu/drm/sun4i/sun4i_tcon.c | 19 +- drivers/gpu/drm/vkms/vkms_composer.c | 4 +- drivers/gpu/drm/vkms/vkms_drv.h | 4 +- drivers/gpu/drm/vkms/vkms_formats.c | 131 ++-- drivers/gpu/drm/vkms/vkms_formats.h | 2 +- drivers/gpu/drm/vkms/vkms_plane.c | 2 +- drivers/hid/Kconfig | 2 +- drivers/hwmon/f71882fg.c | 7 +- drivers/hwmon/gsc-hwmon.c | 6 +- drivers/hwmon/pmbus/adm1275.c | 52 +- drivers/hwtracing/coresight/coresight-core.c | 9 +- .../hwtracing/coresight/coresight-etm4x-sysfs.c | 27 +- drivers/hwtracing/ptt/hisi_ptt.c | 12 +- drivers/hwtracing/ptt/hisi_ptt.h | 2 + drivers/i2c/busses/i2c-designware-pcidrv.c | 13 +- drivers/i2c/busses/i2c-nvidia-gpu.c | 3 + drivers/i2c/busses/i2c-xiic.c | 2 + drivers/i3c/master/svc-i3c-master.c | 19 +- drivers/iio/accel/fxls8962af-core.c | 8 +- drivers/iio/adc/ad7192.c | 8 +- drivers/iio/addac/ad74413r.c | 11 +- drivers/infiniband/hw/bnxt_re/main.c | 20 +- drivers/infiniband/hw/bnxt_re/qplib_fp.c | 40 +- drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 +- drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 46 +- drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 1 + drivers/infiniband/hw/hfi1/ipoib_tx.c | 4 +- drivers/infiniband/hw/hfi1/mmu_rb.c | 101 +-- drivers/infiniband/hw/hfi1/mmu_rb.h | 3 + drivers/infiniband/hw/hfi1/sdma.c | 23 +- drivers/infiniband/hw/hfi1/sdma.h | 47 +- drivers/infiniband/hw/hfi1/sdma_txreq.h | 2 + drivers/infiniband/hw/hfi1/user_sdma.c | 137 ++-- drivers/infiniband/hw/hfi1/user_sdma.h | 1 - drivers/infiniband/hw/hfi1/vnic_sdma.c | 4 +- drivers/infiniband/hw/hns/hns_roce_hem.c | 7 +- drivers/infiniband/hw/irdma/uk.c | 10 +- drivers/infiniband/sw/rxe/rxe_mw.c | 17 +- drivers/input/Kconfig | 2 +- drivers/input/misc/adxl34x.c | 3 +- drivers/input/misc/drv260x.c | 1 + drivers/input/misc/pm8941-pwrkey.c | 19 +- drivers/input/tests/input_test.c | 6 +- drivers/input/touchscreen/ads7846.c | 114 ++-- drivers/input/touchscreen/cyttsp4_core.c | 3 +- drivers/interconnect/qcom/icc-rpm.c | 12 +- drivers/interconnect/qcom/icc-rpm.h | 4 +- drivers/iommu/iommufd/device.c | 2 +- drivers/iommu/iommufd/io_pagetable.c | 14 +- drivers/iommu/virtio-iommu.c | 57 +- drivers/irqchip/irq-jcore-aic.c | 7 + drivers/irqchip/irq-loongson-eiointc.c | 2 +- drivers/irqchip/irq-loongson-liointc.c | 12 +- drivers/irqchip/irq-loongson-pch-pic.c | 10 +- drivers/irqchip/irq-stm32-exti.c | 12 + drivers/leds/trigger/ledtrig-netdev.c | 3 + drivers/mailbox/ti-msgmgr.c | 12 +- drivers/md/bcache/btree.c | 25 +- drivers/md/bcache/btree.h | 1 + drivers/md/bcache/super.c | 4 +- drivers/md/bcache/writeback.c | 10 + drivers/md/md-bitmap.c | 21 +- drivers/md/md-bitmap.h | 7 + drivers/md/md.c | 9 +- drivers/md/raid1-10.c | 42 ++ drivers/md/raid1.c | 25 +- drivers/md/raid10.c | 75 +-- drivers/media/cec/i2c/Kconfig | 1 + drivers/media/common/saa7146/saa7146_core.c | 6 +- drivers/media/i2c/Kconfig | 1 + drivers/media/i2c/hi846.c | 3 +- drivers/media/i2c/imx296.c | 4 +- drivers/media/i2c/st-mipid02.c | 9 +- drivers/media/platform/amphion/vdec.c | 7 +- drivers/media/platform/amphion/venc.c | 4 +- drivers/media/platform/amphion/vpu_malone.c | 12 + drivers/media/platform/amphion/vpu_v4l2.c | 5 +- drivers/media/platform/amphion/vpu_v4l2.h | 2 +- .../platform/mediatek/vcodec/vdec_msg_queue.c | 33 +- .../platform/mediatek/vcodec/vdec_msg_queue.h | 16 +- drivers/media/platform/qcom/venus/helpers.c | 4 +- drivers/media/platform/renesas/rcar_fdp1.c | 5 + drivers/media/usb/dvb-usb-v2/az6007.c | 3 +- drivers/media/usb/siano/smsusb.c | 3 +- drivers/memory/brcmstb_dpfe.c | 4 +- drivers/memstick/host/r592.c | 4 +- drivers/mfd/intel-lpss-acpi.c | 3 + drivers/mfd/rt5033.c | 3 - drivers/mfd/stmfx.c | 7 +- drivers/mfd/stmpe.c | 4 +- drivers/mfd/tps65010.c | 14 +- drivers/mfd/wcd934x.c | 9 +- drivers/misc/fastrpc.c | 3 + drivers/misc/lkdtm/core.c | 2 +- drivers/mmc/core/block.c | 6 + drivers/mmc/core/card.h | 30 +- drivers/mmc/core/quirks.h | 27 + drivers/mmc/core/sd.c | 2 +- drivers/mmc/host/mmci.c | 1 + drivers/mmc/host/mtk-sd.c | 2 +- drivers/mmc/host/omap.c | 46 +- drivers/mmc/host/sdhci.c | 4 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/can/kvaser_pciefd.c | 39 +- drivers/net/dsa/ocelot/felix.c | 12 + drivers/net/dsa/sja1105/sja1105.h | 2 +- drivers/net/dsa/sja1105/sja1105_main.c | 14 +- drivers/net/dsa/sja1105/sja1105_ptp.c | 48 +- drivers/net/dsa/vitesse-vsc73xx-core.c | 6 +- drivers/net/ethernet/broadcom/tg3.c | 1 + drivers/net/ethernet/ibm/ibmvnic.c | 9 +- drivers/net/ethernet/intel/ice/ice.h | 7 + drivers/net/ethernet/intel/ice/ice_main.c | 29 +- drivers/net/ethernet/intel/ice/ice_ptp.c | 12 +- drivers/net/ethernet/intel/ice/ice_ptp.h | 4 +- drivers/net/ethernet/intel/igc/igc.h | 36 +- drivers/net/ethernet/intel/igc/igc_main.c | 45 +- drivers/net/ethernet/intel/igc/igc_ptp.c | 142 ++-- drivers/net/ethernet/marvell/octeontx2/af/cgx.c | 33 +- drivers/net/ethernet/marvell/octeontx2/af/cgx.h | 2 + .../ethernet/marvell/octeontx2/af/lmac_common.h | 3 + drivers/net/ethernet/marvell/octeontx2/af/rpm.c | 32 +- drivers/net/ethernet/marvell/octeontx2/af/rpm.h | 5 +- drivers/net/ethernet/marvell/octeontx2/af/rvu.c | 1 + drivers/net/ethernet/marvell/octeontx2/af/rvu.h | 12 + .../net/ethernet/marvell/octeontx2/af/rvu_cgx.c | 22 +- drivers/net/ethernet/mellanox/mlxsw/minimal.c | 1 + drivers/net/ethernet/mscc/ocelot.c | 1 - drivers/net/ethernet/mscc/ocelot_ptp.c | 66 +- drivers/net/ethernet/sfc/ef10.c | 13 +- drivers/net/ethernet/sfc/efx_devlink.c | 3 + drivers/net/ethernet/sfc/tc.c | 32 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 6 - drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 10 +- drivers/net/gtp.c | 2 + drivers/net/ipvlan/ipvlan_core.c | 9 +- drivers/net/ppp/pptp.c | 31 +- drivers/net/wireguard/netlink.c | 14 +- drivers/net/wireguard/queueing.c | 1 + drivers/net/wireguard/queueing.h | 25 +- drivers/net/wireguard/receive.c | 2 +- drivers/net/wireguard/send.c | 2 +- drivers/net/wireless/ath/ath10k/core.c | 12 +- drivers/net/wireless/ath/ath10k/core.h | 3 + drivers/net/wireless/ath/ath10k/mac.c | 13 +- drivers/net/wireless/ath/ath11k/ahb.c | 1 + drivers/net/wireless/ath/ath11k/core.c | 1 + drivers/net/wireless/ath/ath11k/hw.c | 2 +- drivers/net/wireless/ath/ath11k/qmi.c | 5 + drivers/net/wireless/ath/ath9k/ar9003_hw.c | 27 +- drivers/net/wireless/ath/ath9k/htc_hst.c | 8 +- drivers/net/wireless/ath/ath9k/main.c | 11 +- drivers/net/wireless/ath/ath9k/wmi.c | 4 + drivers/net/wireless/atmel/atmel_cs.c | 13 +- drivers/net/wireless/intel/iwlwifi/fw/api/rs.h | 2 + drivers/net/wireless/intel/iwlwifi/fw/dump.c | 7 +- drivers/net/wireless/intel/iwlwifi/iwl-nvm-parse.c | 2 + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 8 +- drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 9 +- drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 10 +- drivers/net/wireless/intel/iwlwifi/mvm/rs-fw.c | 58 +- drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 9 +- drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 2 + drivers/net/wireless/intel/iwlwifi/pcie/rx.c | 5 +- drivers/net/wireless/intersil/orinoco/orinoco_cs.c | 13 +- .../net/wireless/intersil/orinoco/spectrum_cs.c | 13 +- drivers/net/wireless/legacy/ray_cs.c | 16 +- drivers/net/wireless/legacy/wl3501_cs.c | 16 +- drivers/net/wireless/marvell/mwifiex/scan.c | 6 +- drivers/net/wireless/mediatek/mt76/mt7921/dma.c | 4 - drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 8 - drivers/net/wireless/mediatek/mt76/mt7921/pci.c | 8 + drivers/net/wireless/microchip/wilc1000/hif.c | 8 +- drivers/net/wireless/realtek/rtw88/mac80211.c | 4 +- drivers/net/wireless/realtek/rtw88/usb.c | 2 +- drivers/net/wireless/realtek/rtw89/core.c | 2 +- drivers/net/wireless/rsi/rsi_91x_sdio.c | 9 +- drivers/nvme/host/core.c | 16 +- drivers/nvmem/imx-ocotp.c | 8 +- drivers/nvmem/rmem.c | 1 + drivers/nvmem/sunplus-ocotp.c | 9 +- drivers/pci/controller/cadence/pcie-cadence-host.c | 27 + drivers/pci/controller/dwc/pcie-qcom.c | 11 +- drivers/pci/controller/pci-ftpci100.c | 14 +- drivers/pci/controller/vmd.c | 11 +- drivers/pci/endpoint/functions/Kconfig | 2 +- drivers/pci/endpoint/functions/pci-epf-test.c | 2 +- drivers/pci/hotplug/pciehp_ctrl.c | 8 + drivers/pci/pcie/aspm.c | 21 +- drivers/perf/apple_m1_cpu_pmu.c | 30 +- drivers/perf/arm-cmn.c | 7 +- drivers/perf/arm_cspmu/arm_cspmu.c | 11 +- drivers/perf/arm_pmu.c | 2 + drivers/perf/hisilicon/hisi_pcie_pmu.c | 2 +- drivers/phy/Kconfig | 1 + drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 8 +- drivers/phy/tegra/xusb.c | 4 + drivers/pinctrl/bcm/pinctrl-bcm2835.c | 6 +- drivers/pinctrl/freescale/pinctrl-scu.c | 3 +- drivers/pinctrl/intel/pinctrl-cherryview.c | 15 +- drivers/pinctrl/nuvoton/pinctrl-npcm7xx.c | 2 + drivers/pinctrl/pinctrl-at91-pio4.c | 2 + drivers/pinctrl/pinctrl-at91.c | 8 +- drivers/pinctrl/pinctrl-microchip-sgpio.c | 3 + drivers/pinctrl/sunplus/sppctl.c | 23 +- drivers/pinctrl/tegra/pinctrl-tegra.c | 15 +- drivers/pinctrl/tegra/pinctrl-tegra.h | 3 +- drivers/pinctrl/tegra/pinctrl-tegra114.c | 7 +- drivers/pinctrl/tegra/pinctrl-tegra124.c | 7 +- drivers/pinctrl/tegra/pinctrl-tegra194.c | 7 +- drivers/pinctrl/tegra/pinctrl-tegra20.c | 7 +- drivers/pinctrl/tegra/pinctrl-tegra210.c | 7 +- drivers/pinctrl/tegra/pinctrl-tegra30.c | 7 +- drivers/platform/x86/dell/dell-rbtn.c | 13 +- drivers/platform/x86/intel/pmc/core.c | 15 +- drivers/platform/x86/intel/pmc/core.h | 31 +- drivers/platform/x86/intel/pmc/mtl.c | 475 +++++++++++++- drivers/platform/x86/lenovo-yogabook-wmi.c | 34 +- drivers/platform/x86/think-lmi.c | 20 +- drivers/platform/x86/thinkpad_acpi.c | 6 +- drivers/power/supply/rt9467-charger.c | 2 +- drivers/powercap/Kconfig | 4 +- drivers/powercap/intel_rapl_msr.c | 17 +- drivers/pwm/pwm-ab8500.c | 2 +- drivers/pwm/pwm-imx-tpm.c | 7 + drivers/pwm/pwm-mtk-disp.c | 13 +- drivers/pwm/sysfs.c | 17 + drivers/regulator/core.c | 30 +- drivers/regulator/rk808-regulator.c | 1 + drivers/regulator/tps65219-regulator.c | 6 +- drivers/rtc/rtc-st-lpc.c | 2 +- drivers/s390/net/qeth_l3_sys.c | 2 +- drivers/scsi/3w-xxxx.c | 4 +- drivers/scsi/lpfc/lpfc_els.c | 14 +- drivers/scsi/qedf/qedf_main.c | 3 +- drivers/soc/amlogic/meson-secure-pwrc.c | 2 +- drivers/soc/fsl/qe/Kconfig | 1 + drivers/soc/mediatek/mtk-svs.c | 4 +- drivers/soc/qcom/qcom-geni-se.c | 67 +- drivers/soc/xilinx/xlnx_event_manager.c | 6 +- drivers/soundwire/debugfs.c | 3 +- drivers/soundwire/qcom.c | 179 ++--- drivers/spi/spi-bcm-qspi.c | 10 +- drivers/spi/spi-dw-core.c | 5 +- drivers/spi/spi-geni-qcom.c | 111 ++-- drivers/staging/media/atomisp/i2c/atomisp-gc0310.c | 2 +- drivers/staging/media/atomisp/i2c/atomisp-ov2680.c | 8 +- drivers/staging/media/atomisp/i2c/ov2680.h | 1 + .../media/atomisp/pci/atomisp_gmin_platform.c | 2 +- .../vc04_services/interface/vchiq_arm/vchiq_arm.c | 4 +- drivers/thermal/qcom/tsens-v0_1.c | 56 +- drivers/thermal/qcom/tsens.c | 19 +- drivers/thermal/qcom/tsens.h | 6 +- drivers/thermal/qoriq_thermal.c | 30 +- drivers/thermal/sun8i_thermal.c | 55 +- drivers/tty/serial/8250/8250_omap.c | 25 +- drivers/tty/serial/fsl_lpuart.c | 1 + drivers/tty/serial/serial_core.c | 10 +- drivers/ufs/core/ufshcd-priv.h | 3 - drivers/ufs/core/ufshcd.c | 21 +- drivers/usb/core/devio.c | 2 + drivers/usb/core/hcd-pci.c | 24 +- drivers/usb/dwc2/platform.c | 16 +- drivers/usb/dwc3/dwc3-meson-g12a.c | 5 +- drivers/usb/dwc3/dwc3-qcom.c | 17 +- drivers/usb/dwc3/gadget.c | 4 +- drivers/usb/gadget/function/u_serial.c | 13 +- drivers/usb/host/ehci-pci.c | 3 +- drivers/usb/host/ohci-pci.c | 8 +- drivers/usb/host/uhci-pci.c | 7 +- drivers/usb/host/xhci-histb.c | 2 +- drivers/usb/host/xhci-pci.c | 4 +- drivers/usb/host/xhci-plat.c | 4 +- drivers/usb/host/xhci-tegra.c | 2 +- drivers/usb/host/xhci.c | 5 +- drivers/usb/host/xhci.h | 2 +- drivers/usb/musb/musb_core.c | 1 - drivers/usb/musb/musb_core.h | 2 - drivers/usb/musb/tusb6010.c | 53 +- drivers/usb/phy/phy-tahvo.c | 2 +- drivers/usb/serial/option.c | 4 + drivers/usb/typec/ucsi/psy.c | 14 + drivers/vdpa/vdpa_user/vduse_dev.c | 6 +- drivers/vfio/mdev/mdev_core.c | 23 +- drivers/video/fbdev/omap/lcd_mipid.c | 16 +- drivers/virt/coco/sev-guest/Kconfig | 1 + drivers/virtio/virtio_vdpa.c | 4 +- drivers/w1/slaves/w1_therm.c | 31 +- drivers/w1/w1.c | 4 +- fs/afs/write.c | 8 +- fs/btrfs/bio.c | 3 +- fs/btrfs/block-group.c | 41 +- fs/btrfs/ctree.c | 49 +- fs/btrfs/disk-io.c | 7 +- fs/btrfs/extent_io.c | 333 ++++------ fs/btrfs/extent_io.h | 5 +- fs/btrfs/free-space-tree.c | 3 + fs/btrfs/inode.c | 92 ++- fs/btrfs/locking.c | 5 +- fs/btrfs/qgroup.c | 2 + fs/btrfs/tree-mod-log.c | 115 +++- fs/erofs/zdata.c | 72 +- fs/erofs/zmap.c | 6 +- fs/ext4/namei.c | 17 +- fs/f2fs/checkpoint.c | 7 +- fs/f2fs/compress.c | 11 +- fs/f2fs/data.c | 11 +- fs/f2fs/f2fs.h | 23 +- fs/f2fs/file.c | 13 +- fs/f2fs/gc.c | 27 +- fs/f2fs/namei.c | 16 +- fs/f2fs/node.c | 7 +- fs/f2fs/super.c | 160 ++++- fs/fs_context.c | 3 +- fs/gfs2/file.c | 2 +- fs/inode.c | 42 ++ fs/internal.h | 2 + fs/jffs2/build.c | 5 +- fs/jffs2/xattr.c | 13 +- fs/jffs2/xattr.h | 4 +- fs/kernfs/dir.c | 2 + fs/lockd/svc.c | 1 - fs/namei.c | 25 +- fs/nfs/nfs42xattr.c | 79 ++- fs/nfs/nfs4proc.c | 1 + fs/nfsd/cache.h | 2 + fs/nfsd/nfs4xdr.c | 2 +- fs/nfsd/nfscache.c | 25 +- fs/nfsd/nfsctl.c | 10 +- fs/nfsd/vfs.c | 4 +- fs/notify/fanotify/fanotify_user.c | 14 + fs/ntfs3/xattr.c | 3 + fs/ocfs2/cluster/tcp.c | 23 +- fs/overlayfs/copy_up.c | 2 + fs/overlayfs/dir.c | 3 +- fs/overlayfs/export.c | 3 +- fs/overlayfs/inode.c | 17 +- fs/overlayfs/namei.c | 3 +- fs/overlayfs/overlayfs.h | 8 +- fs/overlayfs/super.c | 2 +- fs/overlayfs/util.c | 31 +- fs/pstore/ram_core.c | 2 + fs/ramfs/inode.c | 2 +- fs/reiserfs/xattr_security.c | 1 + fs/smb/client/cifs_debug.c | 16 +- fs/smb/client/cifsglob.h | 10 +- fs/smb/client/cifsproto.h | 2 +- fs/smb/client/connect.c | 70 +- fs/smb/client/dfs.c | 55 +- fs/smb/client/dfs.h | 19 +- fs/smb/client/dfs_cache.c | 8 +- fs/smb/client/file.c | 25 +- fs/smb/client/misc.c | 38 +- fs/smb/client/smb2inode.c | 9 +- fs/smb/client/smb2ops.c | 19 +- fs/smb/client/transport.c | 20 +- fs/smb/server/smb_common.c | 2 +- fs/splice.c | 1 - fs/udf/namei.c | 14 +- fs/verity/enable.c | 19 +- fs/verity/fsverity_private.h | 13 +- fs/verity/hash_algs.c | 131 +--- fs/verity/verify.c | 113 ++-- include/drm/bridge/samsung-dsim.h | 3 + include/drm/drm_fixed.h | 6 + include/linux/bitmap.h | 8 +- include/linux/blk-mq.h | 3 +- include/linux/blkdev.h | 3 +- include/linux/blktrace_api.h | 6 +- include/linux/bpf.h | 1 - include/linux/bpf_verifier.h | 52 +- include/linux/can/length.h | 14 +- include/linux/compiler_attributes.h | 12 + include/linux/dsa/sja1105.h | 4 - include/linux/ieee80211.h | 6 +- include/linux/mfd/tps65010.h | 11 +- include/linux/mfd/twl.h | 3 - include/linux/mm_types.h | 23 +- include/linux/mmc/card.h | 1 + include/linux/netdevice.h | 9 + include/linux/nmi.h | 35 +- include/linux/pci.h | 1 + include/linux/perf/arm_pmu.h | 2 + include/linux/pipe_fs_i.h | 4 - include/linux/platform_data/lcd-mipid.h | 2 - include/linux/platform_data/mmc-omap.h | 2 - include/linux/ramfs.h | 1 + include/linux/sh_intc.h | 6 +- include/linux/soc/qcom/geni-se.h | 4 + include/linux/spi/ads7846.h | 2 - include/linux/usb/hcd.h | 2 +- include/linux/usb/musb.h | 13 - include/linux/watch_queue.h | 3 +- include/net/bluetooth/mgmt.h | 1 + include/net/dsa.h | 12 +- include/net/mac80211.h | 44 +- include/net/regulatory.h | 13 +- include/net/sock.h | 1 + include/soc/mscc/ocelot.h | 10 +- include/trace/events/net.h | 3 +- include/trace/events/timer.h | 6 +- include/uapi/linux/affs_hardblocks.h | 68 +- include/uapi/linux/auto_dev-ioctl.h | 2 +- include/uapi/linux/videodev2.h | 6 +- include/ufs/ufshcd.h | 1 - init/Makefile | 1 + init/main.c | 3 +- io_uring/io_uring.c | 35 +- kernel/bpf/btf.c | 6 +- kernel/bpf/cgroup.c | 15 + kernel/bpf/helpers.c | 12 +- kernel/bpf/trampoline.c | 32 +- kernel/bpf/verifier.c | 716 +++++++++++++++----- kernel/kcsan/core.c | 2 + kernel/kexec_core.c | 5 +- kernel/rcu/rcu.h | 6 + kernel/rcu/rcuscale.c | 199 +++--- kernel/rcu/tasks.h | 7 +- kernel/rcu/tree.c | 23 +- kernel/sched/fair.c | 18 + kernel/sched/sched.h | 22 + kernel/time/posix-timers.c | 43 +- kernel/time/tick-sched.c | 2 +- kernel/watch_queue.c | 12 +- kernel/watchdog.c | 302 ++++++--- kernel/watchdog_hld.c | 48 +- lib/bitmap.c | 2 +- lib/dhry_1.c | 11 +- lib/test_firmware.c | 12 +- lib/ts_bm.c | 4 +- mm/damon/ops-common.c | 16 +- mm/damon/ops-common.h | 4 +- mm/damon/paddr.c | 4 +- mm/damon/vaddr.c | 4 +- mm/filemap.c | 4 +- mm/page-writeback.c | 8 +- mm/shmem.c | 2 +- mm/vmscan.c | 13 +- net/bluetooth/hci_conn.c | 47 +- net/bluetooth/hci_event.c | 15 +- net/bluetooth/hci_sync.c | 28 +- net/bridge/br_if.c | 5 +- net/core/filter.c | 126 +++- net/core/rtnetlink.c | 104 +-- net/core/sock.c | 17 +- net/dsa/dsa.c | 2 +- net/dsa/slave.c | 84 ++- net/dsa/switch.c | 4 +- net/dsa/switch.h | 3 + net/dsa/tag_sja1105.c | 90 +-- net/ipv4/tcp_input.c | 12 +- net/mac80211/debugfs_netdev.c | 2 +- net/mac80211/eht.c | 5 +- net/mac80211/he.c | 3 +- net/mac80211/mlme.c | 30 +- net/mac80211/sta_info.c | 2 + net/mac80211/util.c | 15 +- net/netfilter/ipvs/Kconfig | 27 +- net/netfilter/ipvs/ip_vs_conn.c | 4 +- net/netfilter/nf_conntrack_helper.c | 4 + net/netfilter/nf_conntrack_proto_dccp.c | 52 +- net/netfilter/nf_conntrack_sip.c | 2 +- net/netfilter/nf_tables_api.c | 17 +- net/netfilter/nft_byteorder.c | 14 +- net/netlink/af_netlink.c | 5 +- net/netlink/diag.c | 7 +- net/nfc/llcp.h | 1 - net/nfc/llcp_commands.c | 15 +- net/nfc/llcp_core.c | 49 +- net/nfc/llcp_sock.c | 18 +- net/nfc/netlink.c | 20 +- net/nfc/nfc.h | 1 + net/sched/act_ipt.c | 70 +- net/sched/act_pedit.c | 1 + net/sched/sch_netem.c | 59 +- net/sctp/socket.c | 22 +- net/sunrpc/svcsock.c | 23 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 12 +- net/wireless/core.c | 16 - net/wireless/reg.c | 16 +- net/wireless/scan.c | 367 ++++------- net/wireless/util.c | 2 + net/xdp/xsk.c | 5 + samples/bpf/tcp_basertt_kern.c | 2 +- samples/bpf/xdp1_kern.c | 2 +- samples/bpf/xdp2_kern.c | 2 +- scripts/Makefile.clang | 3 +- scripts/Makefile.compiler | 4 +- scripts/Makefile.modfinal | 2 +- scripts/Makefile.vmlinux | 1 + scripts/mksysmap | 4 +- scripts/mod/modpost.c | 86 +-- scripts/package/builddeb | 14 +- security/apparmor/policy.c | 13 + security/apparmor/policy_compat.c | 20 +- security/apparmor/policy_unpack.c | 100 +-- security/integrity/evm/evm_crypto.c | 2 +- security/integrity/evm/evm_main.c | 4 +- security/integrity/iint.c | 15 +- security/integrity/ima/ima_modsig.c | 3 + security/integrity/ima/ima_policy.c | 3 +- sound/core/jack.c | 15 +- sound/core/pcm_memory.c | 44 +- sound/pci/ac97/ac97_codec.c | 4 +- sound/pci/hda/patch_realtek.c | 7 +- sound/soc/amd/acp/acp-pdm.c | 2 +- sound/soc/codecs/es8316.c | 23 +- sound/soc/fsl/imx-audmix.c | 9 + sound/soc/intel/boards/sof_sdw.c | 18 +- sound/soc/mediatek/mt8173/mt8173-afe-pcm.c | 13 +- tools/bpf/bpftool/feature.c | 24 +- tools/bpf/resolve_btfids/Makefile | 4 +- tools/include/nolibc/stdint.h | 10 +- tools/lib/bpf/bpf_helpers.h | 15 +- tools/lib/bpf/btf_dump.c | 22 +- tools/perf/arch/x86/util/Build | 1 + tools/perf/arch/x86/util/env.c | 19 + tools/perf/arch/x86/util/env.h | 7 + tools/perf/arch/x86/util/evsel.c | 16 +- tools/perf/arch/x86/util/mem-events.c | 19 +- tools/perf/builtin-bench.c | 2 + tools/perf/builtin-script.c | 16 +- tools/perf/builtin-stat.c | 2 + tools/perf/tests/shell/test_task_analyzer.sh | 26 +- tools/perf/util/bpf_skel/lock_contention.bpf.c | 2 - tools/perf/util/bpf_skel/vmlinux.h | 10 + tools/perf/util/dwarf-aux.c | 2 +- tools/perf/util/evsel.h | 24 +- tools/perf/util/evsel_fprintf.c | 1 + tools/perf/util/metricgroup.c | 2 +- tools/testing/cxl/test/mem.c | 4 +- tools/testing/kunit/kunit_kernel.py | 6 +- tools/testing/kunit/mypy.ini | 6 + tools/testing/kunit/run_checks.py | 2 +- tools/testing/selftests/bpf/Makefile | 3 +- tools/testing/selftests/bpf/prog_tests/check_mtu.c | 2 +- .../testing/selftests/bpf/progs/refcounted_kptr.c | 2 + .../selftests/bpf/progs/refcounted_kptr_fail.c | 4 +- tools/testing/selftests/bpf/test_verifier.c | 24 +- tools/testing/selftests/bpf/verifier/precise.c | 106 +-- tools/testing/selftests/cgroup/test_memcontrol.c | 4 +- tools/testing/selftests/ftrace/ftracetest | 2 +- tools/testing/selftests/net/rtnetlink.sh | 1 + tools/testing/selftests/nolibc/nolibc-test.c | 6 +- .../rcutorture/configs/rcu/BUSTED-BOOST.boot | 2 +- .../selftests/rcutorture/configs/rcu/TREE03.boot | 2 +- .../selftests/vDSO/vdso_test_clock_getres.c | 4 +- tools/testing/selftests/wireguard/netns.sh | 30 +- tools/tracing/rtla/src/osnoise_top.c | 8 +- tools/virtio/Makefile | 13 +- 875 files changed, 10433 insertions(+), 6354 deletions(-)

1 month, 1 week

2
2
0 0

, el clima laboral también se gestiona

by Daniel Rodríguez

Mejora el clima organizacional body { margin: 0; padding: 0; font-family: Arial, Helvetica, sans-serif; font-size: 14px; color: #333; background-color: #ffffff; } table { border-spacing: 0; width: 100%; max-width: 600px; margin: auto; } td { padding: 12px 20px; } a { color: #1a73e8; text-decoration: none; } .footer { font-size: 12px; color: #888888; text-align: center; } Diagnostica el clima y cultura de tu organización con Vorecol Work Environment. Hola, , El desempeño de un equipo no solo depende del talento individual, también del entorno en el que trabaja. Muchas veces, los problemas de rotación o bajo compromiso tienen raíces invisibles... hasta que se miden. Por eso quiero presentarte Vorecol Work Environment, una herramienta diseñada para ayudarte a comprender mejor cómo se vive la cultura y el clima dentro de tu organización. Con Vorecol puedes: Aplicar evaluaciones periódicas de clima y cultura organizacional, personalizadas a tu contexto. Obtener resultados organizados por áreas, con alertas sobre temas críticos como liderazgo, carga laboral o reconocimiento. Acceder a paneles dinámicos que te permiten visualizar tendencias, puntos de mejora y fortalezas de forma clara. Ideal para organizaciones que quieren escuchar más, reaccionar mejor y construir un entorno donde las personas quieran quedarse. Si estás buscando mejorar tu ambiente laboral, vale la pena considerarlo. Si quieres conocer más puedes responder este correo o simplemente contactarme, mis datos están abajo. Saludos, -------------- Atte.: Daniel Rodríguez Ciudad de México: (55) 5018 0565 WhatsApp: +52 33 1607 2089 Si no deseas recibir más correos, haz clic aquí para darte de baja. Para remover su dirección de esta lista haga <a href="https://s1.arrobamail.com/unsuscribe.php?id=yiwtsrewispprseup">click aquí</a>

1 month, 1 week

1
0
0 0

[PATCH 6.1.y] selftests/mm: Move default_huge_page_size to vm_util.c

by Leon Hwang

Fix the build error: map_hugetlb.c: In function 'main': map_hugetlb.c:79:25: warning: implicit declaration of function 'default_huge_page_size' [-Wimplicit-function-declaration] 79 | hugepage_size = default_huge_page_size(); | ^~~~~~~~~~~~~~~~~~~~~~ /usr/bin/ld: /tmp/ccYOogvJ.o: in function 'main': map_hugetlb.c:(.text+0x114): undefined reference to 'default_huge_page_size' According to the latest selftests, 'default_huge_page_size' has been moved to 'vm_util.c'. So fix the error by the same way. Reviewed-by: Lance Yang <lance.yang(a)linux.dev> Signed-off-by: Leon Hwang <leon.hwang(a)linux.dev> --- tools/testing/selftests/vm/Makefile | 1 + tools/testing/selftests/vm/userfaultfd.c | 24 ------------------------ tools/testing/selftests/vm/vm_util.c | 21 +++++++++++++++++++++ tools/testing/selftests/vm/vm_util.h | 1 + 4 files changed, 23 insertions(+), 24 deletions(-) diff --git a/tools/testing/selftests/vm/Makefile b/tools/testing/selftests/vm/Makefile index 192ea3725c5c..ed90deebef0d 100644 --- a/tools/testing/selftests/vm/Makefile +++ b/tools/testing/selftests/vm/Makefile @@ -100,6 +100,7 @@ $(OUTPUT)/madv_populate: vm_util.c $(OUTPUT)/soft-dirty: vm_util.c $(OUTPUT)/split_huge_page_test: vm_util.c $(OUTPUT)/userfaultfd: vm_util.c +$(OUTPUT)/map_hugetlb: vm_util.c ifeq ($(MACHINE),x86_64) BINARIES_32 := $(patsubst %,$(OUTPUT)/%,$(BINARIES_32)) diff --git a/tools/testing/selftests/vm/userfaultfd.c b/tools/testing/selftests/vm/userfaultfd.c index 297f250c1d95..4751b28eba18 100644 --- a/tools/testing/selftests/vm/userfaultfd.c +++ b/tools/testing/selftests/vm/userfaultfd.c @@ -1674,30 +1674,6 @@ static int userfaultfd_stress(void) || userfaultfd_events_test() || userfaultfd_minor_test(); } -/* - * Copied from mlock2-tests.c - */ -unsigned long default_huge_page_size(void) -{ - unsigned long hps = 0; - char *line = NULL; - size_t linelen = 0; - FILE *f = fopen("/proc/meminfo", "r"); - - if (!f) - return 0; - while (getline(&line, &linelen, f) > 0) { - if (sscanf(line, "Hugepagesize: %lu kB", &hps) == 1) { - hps <<= 10; - break; - } - } - - free(line); - fclose(f); - return hps; -} - static void set_test_type(const char *type) { if (!strcmp(type, "anon")) { diff --git a/tools/testing/selftests/vm/vm_util.c b/tools/testing/selftests/vm/vm_util.c index fc5743bc1283..613cc61602c9 100644 --- a/tools/testing/selftests/vm/vm_util.c +++ b/tools/testing/selftests/vm/vm_util.c @@ -161,6 +161,27 @@ bool check_huge_shmem(void *addr, int nr_hpages, uint64_t hpage_size) return __check_huge(addr, "ShmemPmdMapped:", nr_hpages, hpage_size); } +unsigned long default_huge_page_size(void) +{ + unsigned long hps = 0; + char *line = NULL; + size_t linelen = 0; + FILE *f = fopen("/proc/meminfo", "r"); + + if (!f) + return 0; + while (getline(&line, &linelen, f) > 0) { + if (sscanf(line, "Hugepagesize: %lu kB", &hps) == 1) { + hps <<= 10; + break; + } + } + + free(line); + fclose(f); + return hps; +} + static bool check_vmflag(void *addr, const char *flag) { char buffer[MAX_LINE_LENGTH]; diff --git a/tools/testing/selftests/vm/vm_util.h b/tools/testing/selftests/vm/vm_util.h index 470f85fe9594..a4439db0d6f8 100644 --- a/tools/testing/selftests/vm/vm_util.h +++ b/tools/testing/selftests/vm/vm_util.h @@ -11,4 +11,5 @@ uint64_t read_pmd_pagesize(void); bool check_huge_anon(void *addr, int nr_hpages, uint64_t hpage_size); bool check_huge_file(void *addr, int nr_hpages, uint64_t hpage_size); bool check_huge_shmem(void *addr, int nr_hpages, uint64_t hpage_size); +unsigned long default_huge_page_size(void); bool softdirty_supported(void); -- 2.43.0

1 month, 1 week

4
10
0 0

[PATCH 2/8] USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC

by Johan Hovold

Asserting or deasserting a modem control line using TIOCMBIS or TIOCMBIC should not deassert any lines that are not in the mask. Fix this long-standing issue dating back to 2003 when the support for these ioctls was added with the introduction of the tiocmset() callback. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/usb/serial/kobil_sct.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/drivers/usb/serial/kobil_sct.c b/drivers/usb/serial/kobil_sct.c index 464433be2034..96ea571c436a 100644 --- a/drivers/usb/serial/kobil_sct.c +++ b/drivers/usb/serial/kobil_sct.c @@ -418,7 +418,7 @@ static int kobil_tiocmset(struct tty_struct *tty, struct usb_serial_port *port = tty->driver_data; struct device *dev = &port->dev; struct kobil_private *priv; - int result; + int result = 0; int dtr = 0; int rts = 0; @@ -435,12 +435,12 @@ static int kobil_tiocmset(struct tty_struct *tty, if (set & TIOCM_DTR) dtr = 1; if (clear & TIOCM_RTS) - rts = 0; + rts = 1; if (clear & TIOCM_DTR) - dtr = 0; + dtr = 1; - if (priv->device_type == KOBIL_ADAPTER_B_PRODUCT_ID) { - if (dtr != 0) + if (dtr && priv->device_type == KOBIL_ADAPTER_B_PRODUCT_ID) { + if (set & TIOCM_DTR) dev_dbg(dev, "%s - Setting DTR\n", __func__); else dev_dbg(dev, "%s - Clearing DTR\n", __func__); @@ -448,13 +448,13 @@ static int kobil_tiocmset(struct tty_struct *tty, usb_sndctrlpipe(port->serial->dev, 0), SUSBCRequest_SetStatusLinesOrQueues, USB_TYPE_VENDOR | USB_RECIP_ENDPOINT | USB_DIR_OUT, - ((dtr != 0) ? SUSBCR_SSL_SETDTR : SUSBCR_SSL_CLRDTR), + ((set & TIOCM_DTR) ? SUSBCR_SSL_SETDTR : SUSBCR_SSL_CLRDTR), 0, NULL, 0, KOBIL_TIMEOUT); - } else { - if (rts != 0) + } else if (rts) { + if (set & TIOCM_RTS) dev_dbg(dev, "%s - Setting RTS\n", __func__); else dev_dbg(dev, "%s - Clearing RTS\n", __func__); @@ -462,7 +462,7 @@ static int kobil_tiocmset(struct tty_struct *tty, usb_sndctrlpipe(port->serial->dev, 0), SUSBCRequest_SetStatusLinesOrQueues, USB_TYPE_VENDOR | USB_RECIP_ENDPOINT | USB_DIR_OUT, - ((rts != 0) ? SUSBCR_SSL_SETRTS : SUSBCR_SSL_CLRRTS), + ((set & TIOCM_RTS) ? SUSBCR_SSL_SETRTS : SUSBCR_SSL_CLRRTS), 0, NULL, 0, -- 2.49.1

1 month, 1 week

1
0
0 0

[PATCH 1/8] USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC

by Johan Hovold

Asserting or deasserting a modem control line using TIOCMBIS or TIOCMBIC should not deassert any lines that are not in the mask. Fix this long-standing regression dating back to 2003 when the tiocmset() callback was introduced. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/usb/serial/belkin_sa.c | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/drivers/usb/serial/belkin_sa.c b/drivers/usb/serial/belkin_sa.c index 44f5b58beec9..aa6b4c4ad5ec 100644 --- a/drivers/usb/serial/belkin_sa.c +++ b/drivers/usb/serial/belkin_sa.c @@ -435,7 +435,7 @@ static int belkin_sa_tiocmset(struct tty_struct *tty, struct belkin_sa_private *priv = usb_get_serial_port_data(port); unsigned long control_state; unsigned long flags; - int retval; + int retval = 0; int rts = 0; int dtr = 0; @@ -452,26 +452,32 @@ static int belkin_sa_tiocmset(struct tty_struct *tty, } if (clear & TIOCM_RTS) { control_state &= ~TIOCM_RTS; - rts = 0; + rts = 1; } if (clear & TIOCM_DTR) { control_state &= ~TIOCM_DTR; - dtr = 0; + dtr = 1; } priv->control_state = control_state; spin_unlock_irqrestore(&priv->lock, flags); - retval = BSA_USB_CMD(BELKIN_SA_SET_RTS_REQUEST, rts); - if (retval < 0) { - dev_err(&port->dev, "Set RTS error %d\n", retval); - goto exit; + if (rts) { + retval = BSA_USB_CMD(BELKIN_SA_SET_RTS_REQUEST, + !!(control_state & TIOCM_RTS)); + if (retval < 0) { + dev_err(&port->dev, "Set RTS error %d\n", retval); + goto exit; + } } - retval = BSA_USB_CMD(BELKIN_SA_SET_DTR_REQUEST, dtr); - if (retval < 0) { - dev_err(&port->dev, "Set DTR error %d\n", retval); - goto exit; + if (dtr) { + retval = BSA_USB_CMD(BELKIN_SA_SET_DTR_REQUEST, + !!(control_state & TIOCM_DTR)); + if (retval < 0) { + dev_err(&port->dev, "Set DTR error %d\n", retval); + goto exit; + } } exit: return retval; -- 2.49.1

1 month, 1 week

1
0
0 0

[PATCH RESEND] fsi/core: fix error handling in fsi_slave_init()

by Ma Ke

Once cdev_device_add() failed, we should use put_device() to decrement reference count for cleanup. Or it could cause memory leak. Although operations in err_free_ida are similar to the operations in callback function fsi_slave_release(), put_device() is a correct handling operation as comments require when cdev_device_add() fails. As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 371975b0b075 ("fsi/core: Fix error paths on CFAM init") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/fsi/fsi-core.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/fsi/fsi-core.c b/drivers/fsi/fsi-core.c index c6c115993ebc..444878ab9fb1 100644 --- a/drivers/fsi/fsi-core.c +++ b/drivers/fsi/fsi-core.c @@ -1084,7 +1084,8 @@ static int fsi_slave_init(struct fsi_master *master, int link, uint8_t id) rc = cdev_device_add(&slave->cdev, &slave->dev); if (rc) { dev_err(&slave->dev, "Error %d creating slave device\n", rc); - goto err_free_ida; + put_device(&slave->dev); + return rc; } /* Now that we have the cdev registered with the core, any fatal @@ -1110,8 +1111,6 @@ static int fsi_slave_init(struct fsi_master *master, int link, uint8_t id) return 0; -err_free_ida: - fsi_free_minor(slave->dev.devt); err_free: of_node_put(slave->dev.of_node); kfree(slave); -- 2.17.1

1 month, 1 week

2
1
0 0

[PATCH v2] drm/tilcdc: Fix removal actions in case of failed probe

by Kory Maincent

From: "Kory Maincent (TI.com)" <kory.maincent(a)bootlin.com> The drm_kms_helper_poll_fini() and drm_atomic_helper_shutdown() helpers should only be called when the device has been successfully registered. Currently, these functions are called unconditionally in tilcdc_fini(), which causes warnings during probe deferral scenarios. [ 7.972317] WARNING: CPU: 0 PID: 23 at drivers/gpu/drm/drm_atomic_state_helper.c:175 drm_atomic_helper_crtc_duplicate_state+0x60/0x68 ... [ 8.005820] drm_atomic_helper_crtc_duplicate_state from drm_atomic_get_crtc_state+0x68/0x108 [ 8.005858] drm_atomic_get_crtc_state from drm_atomic_helper_disable_all+0x90/0x1c8 [ 8.005885] drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x90/0x144 [ 8.005911] drm_atomic_helper_shutdown from tilcdc_fini+0x68/0xf8 [tilcdc] [ 8.005957] tilcdc_fini [tilcdc] from tilcdc_pdev_probe+0xb0/0x6d4 [tilcdc] Fix this by moving both drm_kms_helper_poll_fini() and drm_atomic_helper_shutdown() inside the priv->is_registered conditional block, ensuring they only execute after successful device registration. Cc: stable(a)vger.kernel.org Reviewed-by: Swamil Jain <s-jain1(a)ti.com> Fixes: 3c4babae3c4a ("drm: Call drm_atomic_helper_shutdown() at shutdown/remove time for misc drivers") Signed-off-by: Kory Maincent (TI.com) <kory.maincent(a)bootlin.com> --- I'm working on removing the usage of deprecated functions as well as general improvements to this driver, but it will take some time so for now this is a simple fix to a functional bug. Change in v2: - Add missing cc: stable tag - Add Swamil reviewed-by --- drivers/gpu/drm/tilcdc/tilcdc_drv.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/tilcdc/tilcdc_drv.c b/drivers/gpu/drm/tilcdc/tilcdc_drv.c index 7caec4d38ddf..2031267a3490 100644 --- a/drivers/gpu/drm/tilcdc/tilcdc_drv.c +++ b/drivers/gpu/drm/tilcdc/tilcdc_drv.c @@ -172,11 +172,11 @@ static void tilcdc_fini(struct drm_device *dev) if (priv->crtc) tilcdc_crtc_shutdown(priv->crtc); - if (priv->is_registered) + if (priv->is_registered) { drm_dev_unregister(dev); - - drm_kms_helper_poll_fini(dev); - drm_atomic_helper_shutdown(dev); + drm_kms_helper_poll_fini(dev); + drm_atomic_helper_shutdown(dev); + } tilcdc_irq_uninstall(dev); drm_mode_config_cleanup(dev); -- 2.43.0

1 month, 1 week

1
0
0 0

[PATCH] ksmbd: transport_ipc: validate payload size before reading handle

by Qianchang Zhao

handle_response() dereferences the payload as a 4-byte handle without verifying that the declared payload size is at least 4 bytes. A malformed or truncated message from ksmbd.mountd can lead to a 4-byte read past the declared payload size. Validate the size before dereferencing. This is a minimal fix to guard the initial handle read. Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers") Cc: stable(a)vger.kernel.org Reported-by: Qianchang Zhao <pioooooooooip(a)gmail.com> Signed-off-by: Qianchang Zhao <pioooooooooip(a)gmail.com> --- fs/smb/server/transport_ipc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c index 46f87fd1ce1c..2028de4d3ddf 100644 --- a/fs/smb/server/transport_ipc.c +++ b/fs/smb/server/transport_ipc.c @@ -263,6 +263,10 @@ static void ipc_msg_handle_free(int handle) static int handle_response(int type, void *payload, size_t sz) { + /* Prevent 4-byte read beyond declared payload size */ + if (sz < sizeof(unsigned int)) + return -EINVAL; + unsigned int handle = *(unsigned int *)payload; struct ipc_msg_table_entry *entry; int ret = 0; -- 2.34.1

1 month, 1 week

3
2
0 0

[PATCH v3 1/4] ASoC: qcom: sdw: fix memory leak for sdw_stream_runtime

by Srinivas Kandagatla

For some reason we endedup allocating sdw_stream_runtime for every cpu dai, this has two issues. 1. we never set snd_soc_dai_set_stream for non soundwire dai, which means there is no way that we can free this, resulting in memory leak 2. startup and shutdown callbacks can be called without hw_params callback called. This combination results in memory leak because machine driver sruntime array pointer is only set in hw_params callback. Fix this by 1. adding a helper function to get sdw_runtime for substream which can be used by shutdown callback to get hold of sruntime to free. 2. only allocate sdw_runtime for soundwire dais. Fixes: d32bac9cb09c ("ASoC: qcom: Add helper for allocating Soundwire stream runtime") Cc: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla(a)oss.qualcomm.com> Tested-by: Steev Klimaszewski <threeway(a)gmail.com> # Thinkpad X13s --- sound/soc/qcom/sc7280.c | 2 +- sound/soc/qcom/sc8280xp.c | 2 +- sound/soc/qcom/sdw.c | 105 +++++++++++++++++++++----------------- sound/soc/qcom/sdw.h | 1 + sound/soc/qcom/sm8250.c | 2 +- sound/soc/qcom/x1e80100.c | 2 +- 6 files changed, 64 insertions(+), 50 deletions(-) diff --git a/sound/soc/qcom/sc7280.c b/sound/soc/qcom/sc7280.c index af412bd0c89f..c444dae563c7 100644 --- a/sound/soc/qcom/sc7280.c +++ b/sound/soc/qcom/sc7280.c @@ -317,7 +317,7 @@ static void sc7280_snd_shutdown(struct snd_pcm_substream *substream) struct snd_soc_card *card = rtd->card; struct sc7280_snd_data *data = snd_soc_card_get_drvdata(card); struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0); - struct sdw_stream_runtime *sruntime = data->sruntime[cpu_dai->id]; + struct sdw_stream_runtime *sruntime = qcom_snd_sdw_get_stream(substream); switch (cpu_dai->id) { case MI2S_PRIMARY: diff --git a/sound/soc/qcom/sc8280xp.c b/sound/soc/qcom/sc8280xp.c index 78e327bc2f07..9ba536dff667 100644 --- a/sound/soc/qcom/sc8280xp.c +++ b/sound/soc/qcom/sc8280xp.c @@ -73,7 +73,7 @@ static void sc8280xp_snd_shutdown(struct snd_pcm_substream *substream) struct snd_soc_pcm_runtime *rtd = snd_soc_substream_to_rtd(substream); struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0); struct sc8280xp_snd_data *pdata = snd_soc_card_get_drvdata(rtd->card); - struct sdw_stream_runtime *sruntime = pdata->sruntime[cpu_dai->id]; + struct sdw_stream_runtime *sruntime = qcom_snd_sdw_get_stream(substream); pdata->sruntime[cpu_dai->id] = NULL; sdw_release_stream(sruntime); diff --git a/sound/soc/qcom/sdw.c b/sound/soc/qcom/sdw.c index 7d7981d4295b..7b2cae92c812 100644 --- a/sound/soc/qcom/sdw.c +++ b/sound/soc/qcom/sdw.c @@ -7,6 +7,37 @@ #include <sound/soc.h> #include "sdw.h" +static bool qcom_snd_is_sdw_dai(int id) +{ + switch (id) { + case WSA_CODEC_DMA_RX_0: + case WSA_CODEC_DMA_TX_0: + case WSA_CODEC_DMA_RX_1: + case WSA_CODEC_DMA_TX_1: + case WSA_CODEC_DMA_TX_2: + case RX_CODEC_DMA_RX_0: + case TX_CODEC_DMA_TX_0: + case RX_CODEC_DMA_RX_1: + case TX_CODEC_DMA_TX_1: + case RX_CODEC_DMA_RX_2: + case TX_CODEC_DMA_TX_2: + case RX_CODEC_DMA_RX_3: + case TX_CODEC_DMA_TX_3: + case RX_CODEC_DMA_RX_4: + case TX_CODEC_DMA_TX_4: + case RX_CODEC_DMA_RX_5: + case TX_CODEC_DMA_TX_5: + case RX_CODEC_DMA_RX_6: + case RX_CODEC_DMA_RX_7: + case SLIMBUS_0_RX...SLIMBUS_6_TX: + return true; + default: + break; + } + + return false; +} + /** * qcom_snd_sdw_startup() - Helper to start Soundwire stream for SoC audio card * @substream: The PCM substream from audio, as passed to snd_soc_ops->startup() @@ -29,6 +60,9 @@ int qcom_snd_sdw_startup(struct snd_pcm_substream *substream) u32 rx_ch_cnt = 0, tx_ch_cnt = 0; int ret, i, j; + if (!qcom_snd_is_sdw_dai(cpu_dai->id)) + return 0; + sruntime = sdw_alloc_stream(cpu_dai->name, SDW_STREAM_PCM); if (!sruntime) return -ENOMEM; @@ -89,19 +123,8 @@ int qcom_snd_sdw_prepare(struct snd_pcm_substream *substream, if (!sruntime) return 0; - switch (cpu_dai->id) { - case WSA_CODEC_DMA_RX_0: - case WSA_CODEC_DMA_RX_1: - case RX_CODEC_DMA_RX_0: - case RX_CODEC_DMA_RX_1: - case TX_CODEC_DMA_TX_0: - case TX_CODEC_DMA_TX_1: - case TX_CODEC_DMA_TX_2: - case TX_CODEC_DMA_TX_3: - break; - default: + if (!qcom_snd_is_sdw_dai(cpu_dai->id)) return 0; - } if (*stream_prepared) return 0; @@ -129,9 +152,7 @@ int qcom_snd_sdw_prepare(struct snd_pcm_substream *substream, } EXPORT_SYMBOL_GPL(qcom_snd_sdw_prepare); -int qcom_snd_sdw_hw_params(struct snd_pcm_substream *substream, - struct snd_pcm_hw_params *params, - struct sdw_stream_runtime **psruntime) +struct sdw_stream_runtime *qcom_snd_sdw_get_stream(struct snd_pcm_substream *substream) { struct snd_soc_pcm_runtime *rtd = snd_soc_substream_to_rtd(substream); struct snd_soc_dai *codec_dai; @@ -139,21 +160,23 @@ int qcom_snd_sdw_hw_params(struct snd_pcm_substream *substream, struct sdw_stream_runtime *sruntime; int i; - switch (cpu_dai->id) { - case WSA_CODEC_DMA_RX_0: - case RX_CODEC_DMA_RX_0: - case RX_CODEC_DMA_RX_1: - case TX_CODEC_DMA_TX_0: - case TX_CODEC_DMA_TX_1: - case TX_CODEC_DMA_TX_2: - case TX_CODEC_DMA_TX_3: - for_each_rtd_codec_dais(rtd, i, codec_dai) { - sruntime = snd_soc_dai_get_stream(codec_dai, substream->stream); - if (sruntime != ERR_PTR(-ENOTSUPP)) - *psruntime = sruntime; - } - break; + if (!qcom_snd_is_sdw_dai(cpu_dai->id)) + return NULL; + + for_each_rtd_codec_dais(rtd, i, codec_dai) { + sruntime = snd_soc_dai_get_stream(codec_dai, substream->stream); + if (sruntime != ERR_PTR(-ENOTSUPP)) + return sruntime; } + return NULL; +} +EXPORT_SYMBOL_GPL(qcom_snd_sdw_get_stream); + +int qcom_snd_sdw_hw_params(struct snd_pcm_substream *substream, + struct snd_pcm_hw_params *params, + struct sdw_stream_runtime **psruntime) +{ + *psruntime = qcom_snd_sdw_get_stream(substream); return 0; @@ -166,23 +189,13 @@ int qcom_snd_sdw_hw_free(struct snd_pcm_substream *substream, struct snd_soc_pcm_runtime *rtd = snd_soc_substream_to_rtd(substream); struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0); - switch (cpu_dai->id) { - case WSA_CODEC_DMA_RX_0: - case WSA_CODEC_DMA_RX_1: - case RX_CODEC_DMA_RX_0: - case RX_CODEC_DMA_RX_1: - case TX_CODEC_DMA_TX_0: - case TX_CODEC_DMA_TX_1: - case TX_CODEC_DMA_TX_2: - case TX_CODEC_DMA_TX_3: - if (sruntime && *stream_prepared) { - sdw_disable_stream(sruntime); - sdw_deprepare_stream(sruntime); - *stream_prepared = false; - } - break; - default: - break; + if (!qcom_snd_is_sdw_dai(cpu_dai->id)) + return 0; + + if (sruntime && *stream_prepared) { + sdw_disable_stream(sruntime); + sdw_deprepare_stream(sruntime); + *stream_prepared = false; } return 0; diff --git a/sound/soc/qcom/sdw.h b/sound/soc/qcom/sdw.h index 392e3455f1b1..b8bc5beb0522 100644 --- a/sound/soc/qcom/sdw.h +++ b/sound/soc/qcom/sdw.h @@ -10,6 +10,7 @@ int qcom_snd_sdw_startup(struct snd_pcm_substream *substream); int qcom_snd_sdw_prepare(struct snd_pcm_substream *substream, struct sdw_stream_runtime *runtime, bool *stream_prepared); +struct sdw_stream_runtime *qcom_snd_sdw_get_stream(struct snd_pcm_substream *stream); int qcom_snd_sdw_hw_params(struct snd_pcm_substream *substream, struct snd_pcm_hw_params *params, struct sdw_stream_runtime **psruntime); diff --git a/sound/soc/qcom/sm8250.c b/sound/soc/qcom/sm8250.c index f5b75a06e5bd..ce5b0059207f 100644 --- a/sound/soc/qcom/sm8250.c +++ b/sound/soc/qcom/sm8250.c @@ -117,7 +117,7 @@ static void sm8250_snd_shutdown(struct snd_pcm_substream *substream) struct snd_soc_pcm_runtime *rtd = snd_soc_substream_to_rtd(substream); struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0); struct sm8250_snd_data *data = snd_soc_card_get_drvdata(rtd->card); - struct sdw_stream_runtime *sruntime = data->sruntime[cpu_dai->id]; + struct sdw_stream_runtime *sruntime = qcom_snd_sdw_get_stream(substream); data->sruntime[cpu_dai->id] = NULL; sdw_release_stream(sruntime); diff --git a/sound/soc/qcom/x1e80100.c b/sound/soc/qcom/x1e80100.c index 444f2162889f..2e3599516aa2 100644 --- a/sound/soc/qcom/x1e80100.c +++ b/sound/soc/qcom/x1e80100.c @@ -55,7 +55,7 @@ static void x1e80100_snd_shutdown(struct snd_pcm_substream *substream) struct snd_soc_pcm_runtime *rtd = snd_soc_substream_to_rtd(substream); struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0); struct x1e80100_snd_data *data = snd_soc_card_get_drvdata(rtd->card); - struct sdw_stream_runtime *sruntime = data->sruntime[cpu_dai->id]; + struct sdw_stream_runtime *sruntime = qcom_snd_sdw_get_stream(substream); data->sruntime[cpu_dai->id] = NULL; sdw_release_stream(sruntime); -- 2.51.0

1 month, 1 week

1
0
0 0

Export Inquiry from Ledcor Group.

by Phillip Davies

1 month, 1 week

1
0
0 0

[PATCH] objtool/rust: add one more `noreturn` Rust function

by Miguel Ojeda

Between Rust 1.79 and 1.86, under `CONFIG_RUST_KERNEL_DOCTESTS=y`, `objtool` may report: rust/doctests_kernel_generated.o: warning: objtool: rust_doctest_kernel_alloc_kbox_rs_13() falls through to next function rust_doctest_kernel_alloc_kvec_rs_0() (as well as in rust_doctest_kernel_alloc_kvec_rs_0) due to calls to the `noreturn` symbol: core::option::expect_failed from code added in commits 779db37373a3 ("rust: alloc: kvec: implement AsPageIter for VVec") and 671618432f46 ("rust: alloc: kbox: implement AsPageIter for VBox"). Thus add the mangled one to the list so that `objtool` knows it is actually `noreturn`. This can be reproduced as well in other versions by tweaking the code, such as the latest stable Rust (1.90.0). Stable does not have code that triggers this, but it could have it in the future. Downstream forks could too. Thus tag it for backport. See commit 56d680dd23c3 ("objtool/rust: list `noreturn` Rust functions") for more details. Cc: stable(a)vger.kernel.org # Needed in 6.12.y and later. Cc: Josh Poimboeuf <jpoimboe(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Signed-off-by: Miguel Ojeda <ojeda(a)kernel.org> --- tools/objtool/check.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/objtool/check.c b/tools/objtool/check.c index a5770570b106..3c7ab910b189 100644 --- a/tools/objtool/check.c +++ b/tools/objtool/check.c @@ -217,6 +217,7 @@ static bool is_rust_noreturn(const struct symbol *func) * these come from the Rust standard library). */ return str_ends_with(func->name, "_4core5sliceSp15copy_from_slice17len_mismatch_fail") || + str_ends_with(func->name, "_4core6option13expect_failed") || str_ends_with(func->name, "_4core6option13unwrap_failed") || str_ends_with(func->name, "_4core6result13unwrap_failed") || str_ends_with(func->name, "_4core9panicking5panic") || base-commit: 211ddde0823f1442e4ad052a2f30f050145ccada -- 2.51.0

1 month, 1 week

5
5
0 0

[PATCH v2 4/4] net: ravb: Ensure memory write completes before ringing TX doorbell

by Prabhakar

From: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Add a final dma_wmb() barrier before triggering the transmit request (TCCR_TSRQ) to ensure all descriptor and buffer writes are visible to the DMA engine. According to the hardware manual, a read-back operation is required before writing to the doorbell register to guarantee completion of previous writes. Instead of performing a dummy read, a dma_wmb() is used to both enforce the same ordering semantics on the CPU side and also to ensure completion of writes. Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") Cc: stable(a)vger.kernel.org Co-developed-by: Fabrizio Castro <fabrizio.castro.jz(a)renesas.com> Signed-off-by: Fabrizio Castro <fabrizio.castro.jz(a)renesas.com> Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> --- v1->v2: - New patch added to separate out the memory barrier change before ringing the doorbell. --- drivers/net/ethernet/renesas/ravb_main.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c index 0e40001f64b4..c3fc15f9ec85 100644 --- a/drivers/net/ethernet/renesas/ravb_main.c +++ b/drivers/net/ethernet/renesas/ravb_main.c @@ -2232,6 +2232,14 @@ static netdev_tx_t ravb_start_xmit(struct sk_buff *skb, struct net_device *ndev) dma_wmb(); desc->die_dt = DT_FSINGLE; } + + /* Before ringing the doorbell we need to make sure that the latest + * writes have been committed to memory, otherwise it could delay + * things until the doorbell is rang again. + * This is in replacement of the read operation mentioned in the HW + * manuals. + */ + dma_wmb(); ravb_modify(ndev, TCCR, TCCR_TSRQ0 << q, TCCR_TSRQ0 << q); priv->cur_tx[q] += num_tx_desc; -- 2.43.0

1 month, 1 week

2
1
0 0

[PATCH v2 3/4] net: ravb: Enforce descriptor type ordering

by Prabhakar

From: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> Ensure the TX descriptor type fields are published in a safe order so the DMA engine never begins processing a descriptor chain before all descriptor fields are fully initialised. For multi-descriptor transmits the driver writes DT_FEND into the last descriptor and DT_FSTART into the first. The DMA engine begins processing when it observes DT_FSTART. Move the dma_wmb() barrier so it executes immediately after DT_FEND and immediately before writing DT_FSTART (and before DT_FSINGLE in the single-descriptor case). This guarantees that all prior CPU writes to the descriptor memory are visible to the device before DT_FSTART is seen. This avoids a situation where compiler/CPU reordering could publish DT_FSTART ahead of DT_FEND or other descriptor fields, allowing the DMA to start on a partially initialised chain and causing corrupted transmissions or TX timeouts. Such a failure was observed on RZ/G2L with an RT kernel as transmit queue timeouts and device resets. Fixes: 2f45d1902acf ("ravb: minimize TX data copying") Cc: stable(a)vger.kernel.org Co-developed-by: Fabrizio Castro <fabrizio.castro.jz(a)renesas.com> Signed-off-by: Fabrizio Castro <fabrizio.castro.jz(a)renesas.com> Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> --- v1->v2: - Reflowed the code and updated the comment to clarify the ordering requirements. - Updated commit message. - Split up adding memory barrier change before ringing doorbell into a separate patch. --- drivers/net/ethernet/renesas/ravb_main.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c index a200e205825a..0e40001f64b4 100644 --- a/drivers/net/ethernet/renesas/ravb_main.c +++ b/drivers/net/ethernet/renesas/ravb_main.c @@ -2211,13 +2211,25 @@ static netdev_tx_t ravb_start_xmit(struct sk_buff *skb, struct net_device *ndev) skb_tx_timestamp(skb); } - /* Descriptor type must be set after all the above writes */ - dma_wmb(); + if (num_tx_desc > 1) { desc->die_dt = DT_FEND; desc--; + /* When using multi-descriptors, DT_FEND needs to get written + * before DT_FSTART, but the compiler may reorder the memory + * writes in an attempt to optimize the code. + * Use a dma_wmb() barrier to make sure DT_FEND and DT_FSTART + * are written exactly in the order shown in the code. + * This is particularly important for cases where the DMA engine + * is already running when we are running this code. If the DMA + * sees DT_FSTART without the corresponding DT_FEND it will enter + * an error condition. + */ + dma_wmb(); desc->die_dt = DT_FSTART; } else { + /* Descriptor type must be set after all the above writes */ + dma_wmb(); desc->die_dt = DT_FSINGLE; } ravb_modify(ndev, TCCR, TCCR_TSRQ0 << q, TCCR_TSRQ0 << q); -- 2.43.0

1 month, 1 week

2
1
0 0

[PATCH v2 1/4] ASoC: qcom: sdw: fix memory leak for sdw_stream_runtime

by Srinivas Kandagatla

For some reason we endedup allocating sdw_stream_runtime for every cpu dai, this has two issues. 1. we never set snd_soc_dai_set_stream for non soundwire dai, which means there is no way that we can free this, resulting in memory leak 2. startup and shutdown callbacks can be called without hw_params callback called. This combination results in memory leak because machine driver sruntime array pointer is only set in hw_params callback. Fix this by 1. adding a helper function to get sdw_runtime for substream which can be used by shutdown callback to get hold of sruntime to free. 2. only allocate sdw_runtime for soundwire dais. Fixes: d32bac9cb09c ("ASoC: qcom: Add helper for allocating Soundwire stream runtime") Cc: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla(a)oss.qualcomm.com> --- sound/soc/qcom/sc7280.c | 2 +- sound/soc/qcom/sc8280xp.c | 2 +- sound/soc/qcom/sdw.c | 105 +++++++++++++++++++++----------------- sound/soc/qcom/sdw.h | 1 + sound/soc/qcom/sm8250.c | 2 +- sound/soc/qcom/x1e80100.c | 2 +- 6 files changed, 64 insertions(+), 50 deletions(-) diff --git a/sound/soc/qcom/sc7280.c b/sound/soc/qcom/sc7280.c index af412bd0c89f..c444dae563c7 100644 --- a/sound/soc/qcom/sc7280.c +++ b/sound/soc/qcom/sc7280.c @@ -317,7 +317,7 @@ static void sc7280_snd_shutdown(struct snd_pcm_substream *substream) struct snd_soc_card *card = rtd->card; struct sc7280_snd_data *data = snd_soc_card_get_drvdata(card); struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0); - struct sdw_stream_runtime *sruntime = data->sruntime[cpu_dai->id]; + struct sdw_stream_runtime *sruntime = qcom_snd_sdw_get_stream(substream); switch (cpu_dai->id) { case MI2S_PRIMARY: diff --git a/sound/soc/qcom/sc8280xp.c b/sound/soc/qcom/sc8280xp.c index 78e327bc2f07..9ba536dff667 100644 --- a/sound/soc/qcom/sc8280xp.c +++ b/sound/soc/qcom/sc8280xp.c @@ -73,7 +73,7 @@ static void sc8280xp_snd_shutdown(struct snd_pcm_substream *substream) struct snd_soc_pcm_runtime *rtd = snd_soc_substream_to_rtd(substream); struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0); struct sc8280xp_snd_data *pdata = snd_soc_card_get_drvdata(rtd->card); - struct sdw_stream_runtime *sruntime = pdata->sruntime[cpu_dai->id]; + struct sdw_stream_runtime *sruntime = qcom_snd_sdw_get_stream(substream); pdata->sruntime[cpu_dai->id] = NULL; sdw_release_stream(sruntime); diff --git a/sound/soc/qcom/sdw.c b/sound/soc/qcom/sdw.c index 7d7981d4295b..7b2cae92c812 100644 --- a/sound/soc/qcom/sdw.c +++ b/sound/soc/qcom/sdw.c @@ -7,6 +7,37 @@ #include <sound/soc.h> #include "sdw.h" +static bool qcom_snd_is_sdw_dai(int id) +{ + switch (id) { + case WSA_CODEC_DMA_RX_0: + case WSA_CODEC_DMA_TX_0: + case WSA_CODEC_DMA_RX_1: + case WSA_CODEC_DMA_TX_1: + case WSA_CODEC_DMA_TX_2: + case RX_CODEC_DMA_RX_0: + case TX_CODEC_DMA_TX_0: + case RX_CODEC_DMA_RX_1: + case TX_CODEC_DMA_TX_1: + case RX_CODEC_DMA_RX_2: + case TX_CODEC_DMA_TX_2: + case RX_CODEC_DMA_RX_3: + case TX_CODEC_DMA_TX_3: + case RX_CODEC_DMA_RX_4: + case TX_CODEC_DMA_TX_4: + case RX_CODEC_DMA_RX_5: + case TX_CODEC_DMA_TX_5: + case RX_CODEC_DMA_RX_6: + case RX_CODEC_DMA_RX_7: + case SLIMBUS_0_RX...SLIMBUS_6_TX: + return true; + default: + break; + } + + return false; +} + /** * qcom_snd_sdw_startup() - Helper to start Soundwire stream for SoC audio card * @substream: The PCM substream from audio, as passed to snd_soc_ops->startup() @@ -29,6 +60,9 @@ int qcom_snd_sdw_startup(struct snd_pcm_substream *substream) u32 rx_ch_cnt = 0, tx_ch_cnt = 0; int ret, i, j; + if (!qcom_snd_is_sdw_dai(cpu_dai->id)) + return 0; + sruntime = sdw_alloc_stream(cpu_dai->name, SDW_STREAM_PCM); if (!sruntime) return -ENOMEM; @@ -89,19 +123,8 @@ int qcom_snd_sdw_prepare(struct snd_pcm_substream *substream, if (!sruntime) return 0; - switch (cpu_dai->id) { - case WSA_CODEC_DMA_RX_0: - case WSA_CODEC_DMA_RX_1: - case RX_CODEC_DMA_RX_0: - case RX_CODEC_DMA_RX_1: - case TX_CODEC_DMA_TX_0: - case TX_CODEC_DMA_TX_1: - case TX_CODEC_DMA_TX_2: - case TX_CODEC_DMA_TX_3: - break; - default: + if (!qcom_snd_is_sdw_dai(cpu_dai->id)) return 0; - } if (*stream_prepared) return 0; @@ -129,9 +152,7 @@ int qcom_snd_sdw_prepare(struct snd_pcm_substream *substream, } EXPORT_SYMBOL_GPL(qcom_snd_sdw_prepare); -int qcom_snd_sdw_hw_params(struct snd_pcm_substream *substream, - struct snd_pcm_hw_params *params, - struct sdw_stream_runtime **psruntime) +struct sdw_stream_runtime *qcom_snd_sdw_get_stream(struct snd_pcm_substream *substream) { struct snd_soc_pcm_runtime *rtd = snd_soc_substream_to_rtd(substream); struct snd_soc_dai *codec_dai; @@ -139,21 +160,23 @@ int qcom_snd_sdw_hw_params(struct snd_pcm_substream *substream, struct sdw_stream_runtime *sruntime; int i; - switch (cpu_dai->id) { - case WSA_CODEC_DMA_RX_0: - case RX_CODEC_DMA_RX_0: - case RX_CODEC_DMA_RX_1: - case TX_CODEC_DMA_TX_0: - case TX_CODEC_DMA_TX_1: - case TX_CODEC_DMA_TX_2: - case TX_CODEC_DMA_TX_3: - for_each_rtd_codec_dais(rtd, i, codec_dai) { - sruntime = snd_soc_dai_get_stream(codec_dai, substream->stream); - if (sruntime != ERR_PTR(-ENOTSUPP)) - *psruntime = sruntime; - } - break; + if (!qcom_snd_is_sdw_dai(cpu_dai->id)) + return NULL; + + for_each_rtd_codec_dais(rtd, i, codec_dai) { + sruntime = snd_soc_dai_get_stream(codec_dai, substream->stream); + if (sruntime != ERR_PTR(-ENOTSUPP)) + return sruntime; } + return NULL; +} +EXPORT_SYMBOL_GPL(qcom_snd_sdw_get_stream); + +int qcom_snd_sdw_hw_params(struct snd_pcm_substream *substream, + struct snd_pcm_hw_params *params, + struct sdw_stream_runtime **psruntime) +{ + *psruntime = qcom_snd_sdw_get_stream(substream); return 0; @@ -166,23 +189,13 @@ int qcom_snd_sdw_hw_free(struct snd_pcm_substream *substream, struct snd_soc_pcm_runtime *rtd = snd_soc_substream_to_rtd(substream); struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0); - switch (cpu_dai->id) { - case WSA_CODEC_DMA_RX_0: - case WSA_CODEC_DMA_RX_1: - case RX_CODEC_DMA_RX_0: - case RX_CODEC_DMA_RX_1: - case TX_CODEC_DMA_TX_0: - case TX_CODEC_DMA_TX_1: - case TX_CODEC_DMA_TX_2: - case TX_CODEC_DMA_TX_3: - if (sruntime && *stream_prepared) { - sdw_disable_stream(sruntime); - sdw_deprepare_stream(sruntime); - *stream_prepared = false; - } - break; - default: - break; + if (!qcom_snd_is_sdw_dai(cpu_dai->id)) + return 0; + + if (sruntime && *stream_prepared) { + sdw_disable_stream(sruntime); + sdw_deprepare_stream(sruntime); + *stream_prepared = false; } return 0; diff --git a/sound/soc/qcom/sdw.h b/sound/soc/qcom/sdw.h index 392e3455f1b1..b8bc5beb0522 100644 --- a/sound/soc/qcom/sdw.h +++ b/sound/soc/qcom/sdw.h @@ -10,6 +10,7 @@ int qcom_snd_sdw_startup(struct snd_pcm_substream *substream); int qcom_snd_sdw_prepare(struct snd_pcm_substream *substream, struct sdw_stream_runtime *runtime, bool *stream_prepared); +struct sdw_stream_runtime *qcom_snd_sdw_get_stream(struct snd_pcm_substream *stream); int qcom_snd_sdw_hw_params(struct snd_pcm_substream *substream, struct snd_pcm_hw_params *params, struct sdw_stream_runtime **psruntime); diff --git a/sound/soc/qcom/sm8250.c b/sound/soc/qcom/sm8250.c index f5b75a06e5bd..ce5b0059207f 100644 --- a/sound/soc/qcom/sm8250.c +++ b/sound/soc/qcom/sm8250.c @@ -117,7 +117,7 @@ static void sm8250_snd_shutdown(struct snd_pcm_substream *substream) struct snd_soc_pcm_runtime *rtd = snd_soc_substream_to_rtd(substream); struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0); struct sm8250_snd_data *data = snd_soc_card_get_drvdata(rtd->card); - struct sdw_stream_runtime *sruntime = data->sruntime[cpu_dai->id]; + struct sdw_stream_runtime *sruntime = qcom_snd_sdw_get_stream(substream); data->sruntime[cpu_dai->id] = NULL; sdw_release_stream(sruntime); diff --git a/sound/soc/qcom/x1e80100.c b/sound/soc/qcom/x1e80100.c index 444f2162889f..2e3599516aa2 100644 --- a/sound/soc/qcom/x1e80100.c +++ b/sound/soc/qcom/x1e80100.c @@ -55,7 +55,7 @@ static void x1e80100_snd_shutdown(struct snd_pcm_substream *substream) struct snd_soc_pcm_runtime *rtd = snd_soc_substream_to_rtd(substream); struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0); struct x1e80100_snd_data *data = snd_soc_card_get_drvdata(rtd->card); - struct sdw_stream_runtime *sruntime = data->sruntime[cpu_dai->id]; + struct sdw_stream_runtime *sruntime = qcom_snd_sdw_get_stream(substream); data->sruntime[cpu_dai->id] = NULL; sdw_release_stream(sruntime); -- 2.51.0

1 month, 1 week

2
3
0 0

[PATCH 1/3] drm/i915/dmc: Clear HRR EVT_CTL/HTP to zero on ADL-S

by Ville Syrjala

From: Ville Syrjälä <ville.syrjala(a)linux.intel.com> On ADL-S the main DMC HRR event DMC_EVT_CTL/HTP are never restored to their previous values during DC6 exit. This angers assert_dmc_loaded(), and basically makes the HRR handler unusable because we don't rewrite EVT_HTP when enabling DMC events. Let's just clear the HRR EVT_CTL/HTP to zero from the beginnning so that the expected value matches the post-DC6 reality. I suppose if we ever had actual use for HRR we'd have to both, reject HRR+PSR, and reprogram EVT_HTP when enabling the event. But for now we don't care about HRR so keeping both registers zeroed is fine. Cc: stable(a)vger.kernel.org Tested-by: Petr Vorel <pvorel(a)suse.cz> Fixes: 43175c92d403 ("drm/i915/dmc: Assert DMC is loaded harder") Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15153 Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> --- drivers/gpu/drm/i915/display/intel_dmc.c | 55 +++++++++++++++++++++++- 1 file changed, 54 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/display/intel_dmc.c b/drivers/gpu/drm/i915/display/intel_dmc.c index be6d37ea1139..5ba531e3bc36 100644 --- a/drivers/gpu/drm/i915/display/intel_dmc.c +++ b/drivers/gpu/drm/i915/display/intel_dmc.c @@ -550,6 +550,36 @@ static bool is_event_handler(struct intel_display *display, REG_FIELD_GET(DMC_EVT_CTL_EVENT_ID_MASK, data) == event_id; } +static bool fixup_dmc_evt(struct intel_display *display, + enum intel_dmc_id dmc_id, + i915_reg_t reg_ctl, u32 *data_ctl, + i915_reg_t reg_htp, u32 *data_htp) +{ + if (!is_dmc_evt_ctl_reg(display, dmc_id, reg_ctl)) + return false; + + if (!is_dmc_evt_htp_reg(display, dmc_id, reg_htp)) + return false; + + /* make sure reg_ctl and reg_htp are for the same event */ + if (i915_mmio_reg_offset(reg_ctl) - i915_mmio_reg_offset(DMC_EVT_CTL(display, dmc_id, 0)) != + i915_mmio_reg_offset(reg_htp) - i915_mmio_reg_offset(DMC_EVT_HTP(display, dmc_id, 0))) + return false; + + /* + * On ADL-S the HRR event handler is not restored after DC6. + * Clear it to zero from the beginning to avoid mismatches later. + */ + if (display->platform.alderlake_s && dmc_id == DMC_FW_MAIN && + is_event_handler(display, dmc_id, MAINDMC_EVENT_VBLANK_A, reg_ctl, *data_ctl)) { + *data_ctl = 0; + *data_htp = 0; + return true; + } + + return false; +} + static bool disable_dmc_evt(struct intel_display *display, enum intel_dmc_id dmc_id, i915_reg_t reg, u32 data) @@ -1068,9 +1098,32 @@ static u32 parse_dmc_fw_header(struct intel_dmc *dmc, for (i = 0; i < mmio_count; i++) { dmc_info->mmioaddr[i] = _MMIO(mmioaddr[i]); dmc_info->mmiodata[i] = mmiodata[i]; + } + for (i = 0; i < mmio_count - 1; i++) { + u32 orig_mmiodata[2] = { + dmc_info->mmiodata[i], + dmc_info->mmiodata[i+1], + }; + + if (!fixup_dmc_evt(display, dmc_id, + dmc_info->mmioaddr[i], &dmc_info->mmiodata[i], + dmc_info->mmioaddr[i+1], &dmc_info->mmiodata[i+1])) + continue; + + drm_dbg_kms(display->drm, + " mmio[%d]: 0x%x = 0x%x->0x%x (EVT_CTL)\n", + i, i915_mmio_reg_offset(dmc_info->mmioaddr[i]), + orig_mmiodata[0], dmc_info->mmiodata[i]); + drm_dbg_kms(display->drm, + " mmio[%d]: 0x%x = 0x%x->0x%x (EVT_HTP)\n", + i+1, i915_mmio_reg_offset(dmc_info->mmioaddr[i+1]), + orig_mmiodata[1], dmc_info->mmiodata[i+1]); + } + + for (i = 0; i < mmio_count; i++) { drm_dbg_kms(display->drm, " mmio[%d]: 0x%x = 0x%x%s%s\n", - i, mmioaddr[i], mmiodata[i], + i, i915_mmio_reg_offset(dmc_info->mmioaddr[i]), dmc_info->mmiodata[i], is_dmc_evt_ctl_reg(display, dmc_id, dmc_info->mmioaddr[i]) ? " (EVT_CTL)" : is_dmc_evt_htp_reg(display, dmc_id, dmc_info->mmioaddr[i]) ? " (EVT_HTP)" : "", disable_dmc_evt(display, dmc_id, dmc_info->mmioaddr[i], -- 2.49.1

1 month, 1 week

2
1
0 0

[PATCH 0/2] PCI: Keystone: __init and IRQ Fixes

by Siddharth Vadapalli

Hello, This series is based on commit 320475fbd590 Merge tag 'mtd/fixes-for-6.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux of Mainline Linux. The first patch in the series has been posted as a Fix in contrast to its predecessor at: https://lore.kernel.org/r/20250903124505.365913-10-s-vadapalli@ti.com/ based on the feedback provided by Jiri Slaby <jirislaby(a)kernel.org> at: https://lore.kernel.org/r/3d3a4b52-e343-42f3-9d69-94c259812143@kernel.org/ Since the Fix is independent of enabling loadable module support for the pci-keystone.c driver, it is being posted as a new patch. Checking out at the commit of Mainline Linux which this series is based on, I noticed an exception triggered by the pci-keystone.c driver during its probe. Although this is not a fatal exception and Linux continues to boot, the driver is non-functional. I root-caused the exception to free_initmem() freeing the memory associated with the ks_pcie_host_init() function in the driver before the driver's probe was invoked. This appears to be a race condition but it is easily reproducible with the Linux .config that I have used. The fix therefore is to remove the __init macro which is implemented by the second patch in the series. For reference, the logs for the case where Linux is built by checking out at the base commit of Mainline Linux are: https://gist.github.com/Siddharth-Vadapalli-at-TI/f4891b707921c53dfb464ad2f… and the logs clearly prove that the print associated with free_initmem() which is: [ 2.446834] Freeing unused kernel memory: 4864K is displayed prior to the prints associated with the pci-keystone.c driver being probed which is: [ 7.707103] keystone-pcie 5500000.pcie: host bridge /bus@100000/pcie@5500000 ranges: Building Linux by applying both patches in the series on the base commit of Mainline Linux, the driver probes successfully without any exceptions or errors. This was tested on AM654-EVM with an NVMe SSD connected to the PCIe Connector on the board. The NVMe SSD enumerates successfully. Additionally, the 'hdparm' utility was used to read from the SSD confirming that the SSD is functional. The logs corresponding to this are: https://gist.github.com/Siddharth-Vadapalli-at-TI/1b09a12a53db4233e82c5bcfc… Regards, Siddharth. Siddharth Vadapalli (2): PCI: keystone: Use devm_request_irq() to free "ks-pcie-error-irq" on exit PCI: keystone: Remove the __init macro for the ks_pcie_host_init() callback drivers/pci/controller/dwc/pci-keystone.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) -- 2.43.0

1 month, 1 week

3
5
0 0

[PATCH v2] serial: 8250: always disable IRQ during THRE test

by Peng Zhang

commit 039d4926379b ("serial: 8250: Toggle IER bits on only after irq has been set up") moved IRQ setup before the THRE test, so the interrupt handler can run during the test and race with its IIR reads. This can produce wrong THRE test results and cause spurious registration of the serial8250_backup_timeout timer. Unconditionally disable the IRQ for the short duration of the test and re-enable it afterwards to avoid the race. Cc: stable(a)vger.kernel.org Fixes: 039d4926379b ("serial: 8250: Toggle IER bits on only after irq has been set up") Signed-off-by: Peng Zhang <zhangpeng.00(a)bytedance.com> --- drivers/tty/serial/8250/8250_port.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c index 719faf92aa8a..f1740cc91143 100644 --- a/drivers/tty/serial/8250/8250_port.c +++ b/drivers/tty/serial/8250/8250_port.c @@ -2147,8 +2147,7 @@ static void serial8250_THRE_test(struct uart_port *port) if (up->port.flags & UPF_NO_THRE_TEST) return; - if (port->irqflags & IRQF_SHARED) - disable_irq_nosync(port->irq); + disable_irq(port->irq); /* * Test for UARTs that do not reassert THRE when the transmitter is idle and the interrupt @@ -2170,8 +2169,7 @@ static void serial8250_THRE_test(struct uart_port *port) serial_port_out(port, UART_IER, 0); } - if (port->irqflags & IRQF_SHARED) - enable_irq(port->irq); + enable_irq(port->irq); /* * If the interrupt is not reasserted, or we otherwise don't trust the iir, setup a timer to -- 2.20.1

1 month, 1 week

3
2
0 0

[RESEND PATCH] dma-mapping: benchmark: Add padding to ensure uABI remained consistent

by Qinxin Xia

The padding field in the structure was previously reserved to maintain a stable interface for potential new fields, ensuring compatibility with user-space shared data structures. However,it was accidentally removed by tiantao in a prior commit, which may lead to incompatibility between user space and the kernel. This patch reinstates the padding to restore the original structure layout and preserve compatibility. Fixes: 8ddde07a3d28 ("dma-mapping: benchmark: extract a common header file for map_benchmark definition") Cc: stable(a)vger.kernel.org Acked-by: Barry Song <baohua(a)kernel.org> Signed-off-by: Qinxin Xia <xiaqinxin(a)huawei.com> --- include/linux/map_benchmark.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/linux/map_benchmark.h b/include/linux/map_benchmark.h index 62674c83bde4..2ac2fe52f248 100644 --- a/include/linux/map_benchmark.h +++ b/include/linux/map_benchmark.h @@ -27,5 +27,6 @@ struct map_benchmark { __u32 dma_dir; /* DMA data direction */ __u32 dma_trans_ns; /* time for DMA transmission in ns */ __u32 granule; /* how many PAGE_SIZE will do map/unmap once a time */ + __u8 expansion[76]; /* For future use */ }; #endif /* _KERNEL_DMA_BENCHMARK_H */ -- 2.33.0

1 month, 1 week

1
1
0 0

RE: wifi: ath10k: avoid unnecessary wait for service ready message

by Andreas Tobler

Dear all, this commit (Upstream commit 51a73f1b2e56b0324b4a3bb8cebc4221b5be4c7) makes our WLE600 Compex wifi cards (qca988x based) unusable. Reverting the commit brings the wifi card back. This was discovered on the v6.12.53 from today. ath10k messages excerpt: -------------- Oct 15 22:00:13 klog: ath10k_pci 0000:05:00.0: pci irq msi oper_irq_mode 2 irq_mode 0 reset_mode 0 Oct 15 22:00:13 klog: ath10k_pci 0000:05:00.0: qca988x hw2.0 target 0x4100016c chip_id 0x043222ff sub 0000:0000 Oct 15 22:00:13 klog: ath10k_pci 0000:05:00.0: kconfig debug 0 debugfs 0 tracing 0 dfs 1 testmode 0 Oct 15 22:00:13 klog: ath10k_pci 0000:05:00.0: firmware ver 10.2.4-1.0-00047 api 5 features no-p2p,raw-mode,mfp,allows-mesh-bcast crc32 35bd9258 Oct 15 22:00:13 klog: ath10k_pci 0000:05:00.0: board_file api 1 bmi_id N/A crc32 bebc7c08 Oct 15 22:00:20 klog: ath10k_pci 0000:05:00.0: wmi unified ready event not received Oct 15 22:00:21 klog: ath10k_pci 0000:05:00.0: could not init core (-110) Oct 15 22:00:21 klog: ath10k_pci 0000:05:00.0: could not probe fw (-110) -------------- Beside reverting, how can we help fixing this? Thanks & regards, Andreas

1 month, 1 week

2
4
0 0

[PATCH RESEND] Once cdev_device_add() failed, we should use put_device() to decrement reference count for cleanup. Or it could cause memory leak. Although operations in err_free_ida are similar to the operations in callback function fsi_slave_release(), put_device() is a correct handling operation as comments require when cdev_device_add() fails.

by Ma Ke

As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 371975b0b075 ("fsi/core: Fix error paths on CFAM init") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/fsi/fsi-core.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/fsi/fsi-core.c b/drivers/fsi/fsi-core.c index c6c115993ebc..444878ab9fb1 100644 --- a/drivers/fsi/fsi-core.c +++ b/drivers/fsi/fsi-core.c @@ -1084,7 +1084,8 @@ static int fsi_slave_init(struct fsi_master *master, int link, uint8_t id) rc = cdev_device_add(&slave->cdev, &slave->dev); if (rc) { dev_err(&slave->dev, "Error %d creating slave device\n", rc); - goto err_free_ida; + put_device(&slave->dev); + return rc; } /* Now that we have the cdev registered with the core, any fatal @@ -1110,8 +1111,6 @@ static int fsi_slave_init(struct fsi_master *master, int link, uint8_t id) return 0; -err_free_ida: - fsi_free_minor(slave->dev.devt); err_free: of_node_put(slave->dev.of_node); kfree(slave); -- 2.17.1

1 month, 1 week

2
1
0 0

[PATCH v2] usb: gadget: udc: fix race condition in usb_del_gadget

by Jimmy Hu

A race condition during gadget teardown can lead to a use-after-free in usb_gadget_state_work(), as reported by KASAN: BUG: KASAN: invalid-access in sysfs_notify+0_x_2c/0_x_d0 Workqueue: events usb_gadget_state_work The fundamental race occurs because a concurrent event (e.g., an interrupt) can call usb_gadget_set_state() and schedule gadget->work at any time during the cleanup process in usb_del_gadget(). Commit 399a45e5237c ("usb: gadget: core: flush gadget workqueue after device removal") attempted to fix this by moving flush_work() to after device_del(). However, this does not fully solve the race, as a new work item can still be scheduled *after* flush_work() completes but before the gadget's memory is freed, leading to the same use-after-free. This patch fixes the race condition robustly by introducing a 'teardown' flag and a 'state_lock' spinlock to the usb_gadget struct. The flag is set during cleanup in usb_del_gadget() *before* calling flush_work() to prevent any new work from being scheduled once cleanup has commenced. The scheduling site, usb_gadget_set_state(), now checks this flag under the lock before queueing the work, thus safely closing the race window. Changes in v2: - Removed redundant inline comments as suggested by Alan Stern. Fixes: 5702f75375aa9 ("usb: gadget: udc-core: move sysfs_notify() to a workqueue") Signed-off-by: Jimmy Hu <hhhuuu(a)google.com> Cc: stable(a)vger.kernel.org --- drivers/usb/gadget/udc/core.c | 17 ++++++++++++++++- include/linux/usb/gadget.h | 5 +++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c index d709e24c1fd4..66d2428835da 100644 --- a/drivers/usb/gadget/udc/core.c +++ b/drivers/usb/gadget/udc/core.c @@ -1123,8 +1123,13 @@ static void usb_gadget_state_work(struct work_struct *work) void usb_gadget_set_state(struct usb_gadget *gadget, enum usb_device_state state) { + unsigned long flags; + + spin_lock_irqsave(&gadget->state_lock, flags); gadget->state = state; - schedule_work(&gadget->work); + if (!gadget->teardown) + schedule_work(&gadget->work); + spin_unlock_irqrestore(&gadget->state_lock, flags); } EXPORT_SYMBOL_GPL(usb_gadget_set_state); @@ -1357,6 +1362,8 @@ static void usb_udc_nop_release(struct device *dev) void usb_initialize_gadget(struct device *parent, struct usb_gadget *gadget, void (*release)(struct device *dev)) { + spin_lock_init(&gadget->state_lock); + gadget->teardown = false; INIT_WORK(&gadget->work, usb_gadget_state_work); gadget->dev.parent = parent; @@ -1531,6 +1538,7 @@ EXPORT_SYMBOL_GPL(usb_add_gadget_udc); void usb_del_gadget(struct usb_gadget *gadget) { struct usb_udc *udc = gadget->udc; + unsigned long flags; if (!udc) return; @@ -1544,6 +1552,13 @@ void usb_del_gadget(struct usb_gadget *gadget) kobject_uevent(&udc->dev.kobj, KOBJ_REMOVE); sysfs_remove_link(&udc->dev.kobj, "gadget"); device_del(&gadget->dev); + /* + * Set the teardown flag before flushing the work to prevent new work + * from being scheduled while we are cleaning up. + */ + spin_lock_irqsave(&gadget->state_lock, flags); + gadget->teardown = true; + spin_unlock_irqrestore(&gadget->state_lock, flags); flush_work(&gadget->work); ida_free(&gadget_id_numbers, gadget->id_number); cancel_work_sync(&udc->vbus_work); diff --git a/include/linux/usb/gadget.h b/include/linux/usb/gadget.h index 0f28c5512fcb..8b5e593f7966 100644 --- a/include/linux/usb/gadget.h +++ b/include/linux/usb/gadget.h @@ -351,6 +351,9 @@ struct usb_gadget_ops { * can handle. The UDC must support this and all slower speeds and lower * number of lanes. * @state: the state we are now (attached, suspended, configured, etc) + * @state_lock: Spinlock protecting the `state` and `teardown` members. + * @teardown: True if the device is undergoing teardown, used to prevent + * new work from being scheduled during cleanup. * @name: Identifies the controller hardware type. Used in diagnostics * and sometimes configuration. * @dev: Driver model state for this abstract device. @@ -426,6 +429,8 @@ struct usb_gadget { enum usb_ssp_rate max_ssp_rate; enum usb_device_state state; + spinlock_t state_lock; + bool teardown; const char *name; struct device dev; unsigned isoch_delay; -- 2.51.0.760.g7b8bcc2412-goog

1 month, 1 week

3
2
0 0

[PATCH 6.1.y] sctp: linearize cloned gso packets in sctp_rcv

by Vasiliy Kovalev

From: Xin Long <lucien.xin(a)gmail.com> commit fd60d8a086191fe33c2d719732d2482052fa6805 upstream. A cloned head skb still shares these frag skbs in fraglist with the original head skb. It's not safe to access these frag skbs. syzbot reported two use-of-uninitialized-memory bugs caused by this: BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998 sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88 sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122 __release_sock+0x1da/0x330 net/core/sock.c:3106 release_sock+0x6b/0x250 net/core/sock.c:3660 sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360 sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885 sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031 inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:718 [inline] and BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88 sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331 sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148 __release_sock+0x1d3/0x330 net/core/sock.c:3213 release_sock+0x6b/0x270 net/core/sock.c:3767 sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367 sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886 sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032 inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:712 [inline] This patch fixes it by linearizing cloned gso packets in sctp_rcv(). Fixes: 90017accff61 ("sctp: Add GSO support") Reported-by: syzbot+773e51afe420baaf0e2b(a)syzkaller.appspotmail.com Reported-by: syzbot+70a42f45e76bede082be(a)syzkaller.appspotmail.com Signed-off-by: Xin Long <lucien.xin(a)gmail.com> Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner(a)gmail.com> Link: https://patch.msgid.link/dd7dc337b99876d4132d0961f776913719f7d225.175459561… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [ kovalev: bp to fix CVE-2025-38718 ] Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- This patch is lost/missing, as it has already been added into stable branches less than and greater than 6.1. --- net/sctp/input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sctp/input.c b/net/sctp/input.c index 4ee9374dcfb9..182898cb754a 100644 --- a/net/sctp/input.c +++ b/net/sctp/input.c @@ -114,7 +114,7 @@ int sctp_rcv(struct sk_buff *skb) * it's better to just linearize it otherwise crc computing * takes longer. */ - if ((!is_gso && skb_linearize(skb)) || + if (((!is_gso || skb_cloned(skb)) && skb_linearize(skb)) || !pskb_may_pull(skb, sizeof(struct sctphdr))) goto discard_it; -- 2.50.1

1 month, 1 week

1
0
0 0

[PATCH] mm/shmem: fix THP allocation size check and fallback

by Kairui Song

From: Kairui Song <kasong(a)tencent.com> There are some problems with the code implementations of THP fallback. suitable_orders could be zero, and calling highest_order on a zero value returns an overflowed size. And the order check loop is updating the index value on every loop which may cause the index to be aligned by a larger value while the loop shrinks the order. And it forgot to try order 0 after the final loop. This is usually fine because shmem_add_to_page_cache ensures the shmem mapping is still sane, but it might cause many potential issues like allocating random folios into the random position in the map or return -ENOMEM by accident. This triggered some strange userspace errors [1], and shouldn't have happened in the first place. Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/linux-mm/CAMgjq7DqgAmj25nDUwwu1U2cSGSn8n4-Hqpgotted… [1] Fixes: e7a2ab7b3bb5d ("mm: shmem: add mTHP support for anonymous shmem") Signed-off-by: Kairui Song <kasong(a)tencent.com> --- mm/shmem.c | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/mm/shmem.c b/mm/shmem.c index b50ce7dbc84a..25303711f123 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -1824,6 +1824,9 @@ static unsigned long shmem_suitable_orders(struct inode *inode, struct vm_fault unsigned long pages; int order; + if (!orders) + return 0; + if (vma) { orders = thp_vma_suitable_orders(vma, vmf->address, orders); if (!orders) @@ -1888,27 +1891,28 @@ static struct folio *shmem_alloc_and_add_folio(struct vm_fault *vmf, if (!IS_ENABLED(CONFIG_TRANSPARENT_HUGEPAGE)) orders = 0; - if (orders > 0) { - suitable_orders = shmem_suitable_orders(inode, vmf, - mapping, index, orders); + suitable_orders = shmem_suitable_orders(inode, vmf, + mapping, index, orders); + if (suitable_orders) { order = highest_order(suitable_orders); - while (suitable_orders) { + do { pages = 1UL << order; - index = round_down(index, pages); - folio = shmem_alloc_folio(gfp, order, info, index); - if (folio) + folio = shmem_alloc_folio(gfp, order, info, round_down(index, pages)); + if (folio) { + index = round_down(index, pages); goto allocated; + } if (pages == HPAGE_PMD_NR) count_vm_event(THP_FILE_FALLBACK); count_mthp_stat(order, MTHP_STAT_SHMEM_FALLBACK); order = next_order(&suitable_orders, order); - } - } else { - pages = 1; - folio = shmem_alloc_folio(gfp, 0, info, index); + } while (suitable_orders); } + + pages = 1; + folio = shmem_alloc_folio(gfp, 0, info, index); if (!folio) return ERR_PTR(-ENOMEM); -- 2.51.0

1 month, 1 week

2
3
0 0

[PATCH v3] mm/huge_memory: do not change split_huge_page*() target order silently.

by Zi Yan

Page cache folios from a file system that support large block size (LBS) can have minimal folio order greater than 0, thus a high order folio might not be able to be split down to order-0. Commit e220917fa507 ("mm: split a folio in minimum folio order chunks") bumps the target order of split_huge_page*() to the minimum allowed order when splitting a LBS folio. This causes confusion for some split_huge_page*() callers like memory failure handling code, since they expect after-split folios all have order-0 when split succeeds but in reality get min_order_for_split() order folios and give warnings. Fix it by failing a split if the folio cannot be split to the target order. Rename try_folio_split() to try_folio_split_to_order() to reflect the added new_order parameter. Remove its unused list parameter. Fixes: e220917fa507 ("mm: split a folio in minimum folio order chunks") [The test poisons LBS folios, which cannot be split to order-0 folios, and also tries to poison all memory. The non split LBS folios take more memory than the test anticipated, leading to OOM. The patch fixed the kernel warning and the test needs some change to avoid OOM.] Reported-by: syzbot+e6367ea2fdab6ed46056(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68d2c943.a70a0220.1b52b.02b3.GAE@google.com/ Cc: stable(a)vger.kernel.org Signed-off-by: Zi Yan <ziy(a)nvidia.com> Reviewed-by: Luis Chamberlain <mcgrof(a)kernel.org> Reviewed-by: Pankaj Raghav <p.raghav(a)samsung.com> Reviewed-by: Wei Yang <richard.weiyang(a)gmail.com> --- From V2[1]: 1. Removed a typo in try_folio_split_to_order() comment. 2. Sent the Fixes patch separately. [1] https://lore.kernel.org/linux-mm/20251016033452.125479-1-ziy@nvidia.com/ include/linux/huge_mm.h | 55 +++++++++++++++++------------------------ mm/huge_memory.c | 9 +------ mm/truncate.c | 6 +++-- 3 files changed, 28 insertions(+), 42 deletions(-) diff --git a/include/linux/huge_mm.h b/include/linux/huge_mm.h index c4a811958cda..7698b3542c4f 100644 --- a/include/linux/huge_mm.h +++ b/include/linux/huge_mm.h @@ -383,45 +383,30 @@ static inline int split_huge_page_to_list_to_order(struct page *page, struct lis } /* - * try_folio_split - try to split a @folio at @page using non uniform split. + * try_folio_split_to_order - try to split a @folio at @page to @new_order using + * non uniform split. * @folio: folio to be split - * @page: split to order-0 at the given page - * @list: store the after-split folios + * @page: split to @new_order at the given page + * @new_order: the target split order * - * Try to split a @folio at @page using non uniform split to order-0, if - * non uniform split is not supported, fall back to uniform split. + * Try to split a @folio at @page using non uniform split to @new_order, if + * non uniform split is not supported, fall back to uniform split. After-split + * folios are put back to LRU list. Use min_order_for_split() to get the lower + * bound of @new_order. * * Return: 0: split is successful, otherwise split failed. */ -static inline int try_folio_split(struct folio *folio, struct page *page, - struct list_head *list) +static inline int try_folio_split_to_order(struct folio *folio, + struct page *page, unsigned int new_order) { - int ret = min_order_for_split(folio); - - if (ret < 0) - return ret; - - if (!non_uniform_split_supported(folio, 0, false)) - return split_huge_page_to_list_to_order(&folio->page, list, - ret); - return folio_split(folio, ret, page, list); + if (!non_uniform_split_supported(folio, new_order, /* warns= */ false)) + return split_huge_page_to_list_to_order(&folio->page, NULL, + new_order); + return folio_split(folio, new_order, page, NULL); } static inline int split_huge_page(struct page *page) { - struct folio *folio = page_folio(page); - int ret = min_order_for_split(folio); - - if (ret < 0) - return ret; - - /* - * split_huge_page() locks the page before splitting and - * expects the same page that has been split to be locked when - * returned. split_folio(page_folio(page)) cannot be used here - * because it converts the page to folio and passes the head - * page to be split. - */ - return split_huge_page_to_list_to_order(page, NULL, ret); + return split_huge_page_to_list_to_order(page, NULL, 0); } void deferred_split_folio(struct folio *folio, bool partially_mapped); #ifdef CONFIG_MEMCG @@ -611,14 +596,20 @@ static inline int split_huge_page(struct page *page) return -EINVAL; } +static inline int min_order_for_split(struct folio *folio) +{ + VM_WARN_ON_ONCE_FOLIO(1, folio); + return -EINVAL; +} + static inline int split_folio_to_list(struct folio *folio, struct list_head *list) { VM_WARN_ON_ONCE_FOLIO(1, folio); return -EINVAL; } -static inline int try_folio_split(struct folio *folio, struct page *page, - struct list_head *list) +static inline int try_folio_split_to_order(struct folio *folio, + struct page *page, unsigned int new_order) { VM_WARN_ON_ONCE_FOLIO(1, folio); return -EINVAL; diff --git a/mm/huge_memory.c b/mm/huge_memory.c index f14fbef1eefd..fc65ec3393d2 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -3812,8 +3812,6 @@ static int __folio_split(struct folio *folio, unsigned int new_order, min_order = mapping_min_folio_order(folio->mapping); if (new_order < min_order) { - VM_WARN_ONCE(1, "Cannot split mapped folio below min-order: %u", - min_order); ret = -EINVAL; goto out; } @@ -4165,12 +4163,7 @@ int min_order_for_split(struct folio *folio) int split_folio_to_list(struct folio *folio, struct list_head *list) { - int ret = min_order_for_split(folio); - - if (ret < 0) - return ret; - - return split_huge_page_to_list_to_order(&folio->page, list, ret); + return split_huge_page_to_list_to_order(&folio->page, list, 0); } /* diff --git a/mm/truncate.c b/mm/truncate.c index 91eb92a5ce4f..9210cf808f5c 100644 --- a/mm/truncate.c +++ b/mm/truncate.c @@ -194,6 +194,7 @@ bool truncate_inode_partial_folio(struct folio *folio, loff_t start, loff_t end) size_t size = folio_size(folio); unsigned int offset, length; struct page *split_at, *split_at2; + unsigned int min_order; if (pos < start) offset = start - pos; @@ -223,8 +224,9 @@ bool truncate_inode_partial_folio(struct folio *folio, loff_t start, loff_t end) if (!folio_test_large(folio)) return true; + min_order = mapping_min_folio_order(folio->mapping); split_at = folio_page(folio, PAGE_ALIGN_DOWN(offset) / PAGE_SIZE); - if (!try_folio_split(folio, split_at, NULL)) { + if (!try_folio_split_to_order(folio, split_at, min_order)) { /* * try to split at offset + length to make sure folios within * the range can be dropped, especially to avoid memory waste @@ -254,7 +256,7 @@ bool truncate_inode_partial_folio(struct folio *folio, loff_t start, loff_t end) */ if (folio_test_large(folio2) && folio2->mapping == folio->mapping) - try_folio_split(folio2, split_at2, NULL); + try_folio_split_to_order(folio2, split_at2, min_order); folio_unlock(folio2); out: -- 2.51.0

1 month, 1 week

4
6
0 0

[PATCH v2 0/3] gpio: idio-16: Fix regmap initialization errors

by William Breathitt Gray

The migration of IDIO-16 GPIO drivers to the regmap API resulted in some regressions to the gpio-104-idio-16, gpio-pci-idio-16, and gpio-idio-16 modules. Specifically, the 104-idio-16 and pci-idio-16 GPIO drivers utilize regmap caching and thus must set max_register for their regmap_config, while gpio-idio-16 requires fixed_direction_output to represent the fixed direction of the IDIO-16 GPIO lines. Fixes for these regressions are provided by this series. Link: https://lore.kernel.org/r/cover.1680618405.git.william.gray@linaro.org Closes: https://lore.kernel.org/r/9b0375fd-235f-4ee1-a7fa-daca296ef6bf@nutanix.com Signed-off-by: William Breathitt Gray <wbg(a)kernel.org> --- Changes in v2: - Pick up Reviewed-by tags - Replace Link tags with Closes tags for fixes addressing bug reports - Link to v1: https://lore.kernel.org/r/20251017-fix-gpio-idio-16-regmap-v1-0-a7c71080f74… --- William Breathitt Gray (3): gpio: 104-idio-16: Define maximum valid register address offset gpio: pci-idio-16: Define maximum valid register address offset gpio: idio-16: Define fixed direction of the GPIO lines drivers/gpio/gpio-104-idio-16.c | 1 + drivers/gpio/gpio-idio-16.c | 5 +++++ drivers/gpio/gpio-pci-idio-16.c | 1 + 3 files changed, 7 insertions(+) --- base-commit: eba11116f39533d2e38cc5898014f2c95f32d23a change-id: 20251017-fix-gpio-idio-16-regmap-1282cdc56a19 Best regards, -- William Breathitt Gray <wbg(a)kernel.org>

1 month, 1 week

4
12
0 0

LOAN OFFER

by Ms. Madelaine Alfelor

Dear sir/Ma I'm an Investment Financing Consultant working for top investment financing companies globally. By virtue of my esteemed affiliation with a Bank in Hong Kong, S. Korea, Japan and the USA, we can help you get a Credit Line which will actively give you access to Funds between $10 million to $5 billion up to a period of 5 to 10 years for 5% annual rate on the credit line in returns. I will help you process the Credit Line within a few days if interested. The Fund is available to fund any type of viable businesses, investments or projects. Let me know the exact amount you need for your projects. Get in touch if you have a viable project that requires funding. Regards Ms. Madelaine Alfelor.

1 month, 1 week

1
0
0 0

Re: Patch "PM: hibernate: Add pm_hibernation_mode_is_suspend()" has been added to the 6.17-stable tree

by Pascal Ernster

[2025-10-20 10:36] gregkh linuxfoundation ! org: > This is a note to let you know that I've just added the patch titled > > PM: hibernate: Add pm_hibernation_mode_is_suspend() > > to the 6.17-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > pm-hibernate-add-pm_hibernation_mode_is_suspend.patch > and it can be found in the queue-6.17 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > From stable+bounces-187839-greg=kroah.com(a)vger.kernel.org Sat Oct 18 15:51:25 2025 > From: Sasha Levin <sashal(a)kernel.org> > Date: Sat, 18 Oct 2025 09:51:01 -0400 > Subject: PM: hibernate: Add pm_hibernation_mode_is_suspend() > To: stable(a)vger.kernel.org > Cc: "Mario Limonciello (AMD)" <superm1(a)kernel.org>, Ionut Nechita <ionut_n2001(a)yahoo.com>, Kenneth Crudup <kenny(a)panix.com>, Alex Deucher <alexander.deucher(a)amd.com>, "Rafael J. Wysocki" <rafael.j.wysocki(a)intel.com>, Sasha Levin <sashal(a)kernel.org> > Message-ID: <20251018135102.711457-1-sashal(a)kernel.org> > > From: "Mario Limonciello (AMD)" <superm1(a)kernel.org> > > [ Upstream commit 495c8d35035edb66e3284113bef01f3b1b843832 ] > > Some drivers have different flows for hibernation and suspend. If > the driver opportunistically will skip thaw() then it needs a hint > to know what is happening after the hibernate. > > Introduce a new symbol pm_hibernation_mode_is_suspend() that drivers > can call to determine if suspending the system for this purpose. > > Tested-by: Ionut Nechita <ionut_n2001(a)yahoo.com> > Tested-by: Kenneth Crudup <kenny(a)panix.com> > Acked-by: Alex Deucher <alexander.deucher(a)amd.com> > Signed-off-by: Mario Limonciello (AMD) <superm1(a)kernel.org> > Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> > Stable-dep-of: 0a6e9e098fcc ("drm/amd: Fix hybrid sleep") > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> > --- > include/linux/suspend.h | 2 ++ > kernel/power/hibernate.c | 11 +++++++++++ > 2 files changed, 13 insertions(+) > > --- a/include/linux/suspend.h > +++ b/include/linux/suspend.h > @@ -276,6 +276,7 @@ extern void arch_suspend_enable_irqs(voi > > extern int pm_suspend(suspend_state_t state); > extern bool sync_on_suspend_enabled; > +bool pm_hibernation_mode_is_suspend(void); > #else /* !CONFIG_SUSPEND */ > #define suspend_valid_only_mem NULL > > @@ -288,6 +289,7 @@ static inline bool pm_suspend_via_firmwa > static inline bool pm_resume_via_firmware(void) { return false; } > static inline bool pm_suspend_no_platform(void) { return false; } > static inline bool pm_suspend_default_s2idle(void) { return false; } > +static inline bool pm_hibernation_mode_is_suspend(void) { return false; } > > static inline void suspend_set_ops(const struct platform_suspend_ops *ops) {} > static inline int pm_suspend(suspend_state_t state) { return -ENOSYS; } > --- a/kernel/power/hibernate.c > +++ b/kernel/power/hibernate.c > @@ -80,6 +80,17 @@ static const struct platform_hibernation > > static atomic_t hibernate_atomic = ATOMIC_INIT(1); > > +#ifdef CONFIG_SUSPEND > +/** > + * pm_hibernation_mode_is_suspend - Check if hibernation has been set to suspend > + */ > +bool pm_hibernation_mode_is_suspend(void) > +{ > + return hibernation_mode == HIBERNATION_SUSPEND; > +} > +EXPORT_SYMBOL_GPL(pm_hibernation_mode_is_suspend); > +#endif > + > bool hibernate_acquire(void) > { > return atomic_add_unless(&hibernate_atomic, -1, 0); > > > Patches currently in stable-queue which might be from sashal(a)kernel.org are > > queue-6.17/drm-amd-fix-hybrid-sleep.patch > queue-6.17/usb-gadget-introduce-free_usb_request-helper.patch > queue-6.17/pm-hibernate-add-pm_hibernation_mode_is_suspend.patch > queue-6.17/usb-gadget-store-endpoint-pointer-in-usb_request.patch > queue-6.17/media-nxp-imx8-isi-m2m-fix-streaming-cleanup-on-release.patch > queue-6.17/usb-gadget-f_rndis-refactor-bind-path-to-use-__free.patch Hi, I kept getting "ERROR: modpost: "pm_hibernation_mode_is_suspend" [drivers/gpu/drm/amd/amdgpu/amdgpu.ko] undefined!" when trying to build a 6.17.4 kernel with all the patches from queue-6.17 applied on top (from the stable-queue git repo at commit id 6aceec507fd0d3cefa7cac227eaf897edf09bf32). That build-time error is gone and the resulting kernel boots/runs fine on various x86_64 machines and VMs since I've removed/omitted both this patch and queue-6.17/drm-amd-fix-hybrid-sleep.patch. I'm not sure if omitting queue-6.17/drm-amd-fix-hybrid-sleep.patch would have been sufficient, but both patches are part of the same patch set anyway. Sadly, I haven't been able to figure out what about the changes actually causes the issue. My first guess was that if CONFIG_SUSPEND is not selected/enabled, then the whole pm_hibernation_mode_is_suspend() function and the corresponding export symbol would be missing. However, the kernel that I was trying to build *does* have CONFIG_SUSPEND=y in its config, so this shouldn't be the cause… Regards Pascal

1 month, 1 week

3
7
0 0

[PATCH] ACPI: video: Fix use-after-free in acpi_video_bus_put_devices()

by Yuhao Jiang

The code contains a use-after-free vulnerability due to missing cancellation of delayed work during device removal. Specifically, in acpi_video_bus_remove(), the function acpi_video_bus_put_devices() is called, which frees all acpi_video_device structures without cancelling the associated delayed work (switch_brightness_work). This work is scheduled via brightness_switch_event() in response to ACPI events (e.g., brightness key presses) with a 100ms delay. If the work is pending when the device is removed, it may execute after the memory is freed, leading to use-after-free when the work function acpi_video_switch_brightness() accesses the device structure. Fix this by calling cancel_delayed_work_sync() before freeing each acpi_video_device to ensure the work is fully completed before the memory is released. Fixes: 67b662e189f46 ("ACPI / video: seperate backlight control and event interface") Cc: stable(a)vger.kernel.org Signed-off-by: Yuhao Jiang <danisjiang(a)gmail.com> --- drivers/acpi/acpi_video.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c index 103f29661576..5b80f87e078f 100644 --- a/drivers/acpi/acpi_video.c +++ b/drivers/acpi/acpi_video.c @@ -1974,6 +1974,7 @@ static int acpi_video_bus_put_devices(struct acpi_video_bus *video) mutex_lock(&video->device_list_lock); list_for_each_entry_safe(dev, next, &video->video_device_list, entry) { + cancel_delayed_work_sync(&dev->switch_brightness_work); list_del(&dev->entry); kfree(dev); } -- 2.34.1

1 month, 1 week

1
0
0 0

[PATCH] ACPI: video: Fix use-after-free in acpi_video_bus_put_devices()

by Yuhao Jiang

The code contains a use-after-free vulnerability due to missing cancellation of delayed work during device removal. Specifically, in acpi_video_bus_remove(), the function acpi_video_bus_put_devices() is called, which frees all acpi_video_device structures without cancelling the associated delayed work (switch_brightness_work). This work is scheduled via brightness_switch_event() in response to ACPI events (e.g., brightness key presses) with a 100ms delay. If the work is pending when the device is removed, it may execute after the memory is freed, leading to use-after-free when the work function acpi_video_switch_brightness() accesses the device structure. Fix this by calling cancel_delayed_work_sync() before freeing each acpi_video_device to ensure the work is fully completed before the memory is released. Fixes: 67b662e189f46 ("ACPI / video: seperate backlight control and event interface") Cc: stable(a)vger.kernel.org Signed-off-by: Yuhao Jiang <danisjiang(a)gmail.com> --- drivers/acpi/acpi_video.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c index 103f29661576..5b80f87e078f 100644 --- a/drivers/acpi/acpi_video.c +++ b/drivers/acpi/acpi_video.c @@ -1974,6 +1974,7 @@ static int acpi_video_bus_put_devices(struct acpi_video_bus *video) mutex_lock(&video->device_list_lock); list_for_each_entry_safe(dev, next, &video->video_device_list, entry) { + cancel_delayed_work_sync(&dev->switch_brightness_work); list_del(&dev->entry); kfree(dev); } -- 2.34.1

1 month, 1 week

1
0
0 0

[PATCH net] virtio-net: zero unused hash fields

by Jason Wang

When GSO tunnel is negotiated virtio_net_hdr_tnl_from_skb() tries to initialize the tunnel metadata but forget to zero unused rxhash fields. This may leak information to another side. Fixing this by zeroing the unused hash fields. Fixes: a2fb4bc4e2a6a ("net: implement virtio helpers to handle UDP GSO tunneling")x Cc: <stable(a)vger.kernel.org> Signed-off-by: Jason Wang <jasowang(a)redhat.com> --- include/linux/virtio_net.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h index 20e0584db1dd..4d1780848d0e 100644 --- a/include/linux/virtio_net.h +++ b/include/linux/virtio_net.h @@ -401,6 +401,10 @@ virtio_net_hdr_tnl_from_skb(const struct sk_buff *skb, if (!tnl_hdr_negotiated) return -EINVAL; + vhdr->hash_hdr.hash_value = 0; + vhdr->hash_hdr.hash_report = 0; + vhdr->hash_hdr.padding = 0; + /* Let the basic parsing deal with plain GSO features. */ skb_shinfo(skb)->gso_type &= ~tnl_gso_type; ret = virtio_net_hdr_from_skb(skb, hdr, true, false, vlan_hlen); -- 2.42.0

1 month, 1 week

3
3
0 0

ORDER 8745631

by Diana Owen

Greetings, I hope this email finds you well. I am Mrs. Diana Owen contacting you from Reality Trading Group Ltd India. . As a new growing company, we are looking for reliable company of your product as seen in your website for urgent purchase order basis. Could you please give me more details and specification of your products. We also need your products catalog, MOQ, Production Lead Time and Unit price? Best Regards, Mrs. Diana Owen Purchase Manager Company: Reality Trading Group Ltd

1 month, 1 week

1
0
0 0

[PATCH] scsi: aacraid: Fix DMA mapping leak in aac_send_raw_srb error paths

by Yuhao Jiang

The aac_send_raw_srb function creates DMA mappings for scatter-gather buffers but fails to unmap them in most error paths, leading to DMA mapping resource leaks. This patch fixes all error paths except -ERESTARTSYS. The -ERESTARTSYS case is a known design issue where resources cannot be safely freed (hardware may still be accessing them) but also cannot be properly tracked for later cleanup (they are local variables). Fixed paths: - copy_from_user failures during SG buffer setup - aac_hba_send/aac_fib_send errors after DMA mapping - copy_to_user failures after successful command execution Fixes: 423400e64d377 ("scsi: aacraid: Include HBA direct interface") Cc: stable(a)vger.kernel.org Signed-off-by: Yuhao Jiang <danisjiang(a)gmail.com> --- drivers/scsi/aacraid/commctrl.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c index 68240d6f27ab..e0495f278e2e 100644 --- a/drivers/scsi/aacraid/commctrl.c +++ b/drivers/scsi/aacraid/commctrl.c @@ -493,6 +493,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg) void __user *sg_user[HBA_MAX_SG_EMBEDDED]; void *sg_list[HBA_MAX_SG_EMBEDDED]; u32 sg_count[HBA_MAX_SG_EMBEDDED]; + dma_addr_t sg_dma_addr[HBA_MAX_SG_EMBEDDED]; + int sg_dma_last_mapped = -1; u32 sg_indx = 0; u32 byte_count = 0; u32 actual_fibsize64, actual_fibsize = 0; @@ -690,6 +692,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg) } addr = dma_map_single(&dev->pdev->dev, p, sg_count[i], data_dir); + sg_dma_addr[i] = addr; + sg_dma_last_mapped = i; hbacmd->sge[i].addr_hi = cpu_to_le32((u32)(addr>>32)); hbacmd->sge[i].addr_lo = cpu_to_le32( (u32)(addr & 0xffffffff)); @@ -752,6 +756,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg) } addr = dma_map_single(&dev->pdev->dev, p, sg_count[i], data_dir); + sg_dma_addr[i] = addr; + sg_dma_last_mapped = i; psg->sg[i].addr[0] = cpu_to_le32(addr & 0xffffffff); psg->sg[i].addr[1] = cpu_to_le32(addr>>32); @@ -808,6 +814,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg) } addr = dma_map_single(&dev->pdev->dev, p, sg_count[i], data_dir); + sg_dma_addr[i] = addr; + sg_dma_last_mapped = i; psg->sg[i].addr[0] = cpu_to_le32(addr & 0xffffffff); psg->sg[i].addr[1] = cpu_to_le32(addr>>32); @@ -865,6 +873,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg) addr = dma_map_single(&dev->pdev->dev, p, usg->sg[i].count, data_dir); + sg_dma_addr[i] = addr; + sg_dma_last_mapped = i; psg->sg[i].addr = cpu_to_le32(addr & 0xffffffff); byte_count += usg->sg[i].count; @@ -905,6 +915,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg) } addr = dma_map_single(&dev->pdev->dev, p, sg_count[i], data_dir); + sg_dma_addr[i] = addr; + sg_dma_last_mapped = i; psg->sg[i].addr = cpu_to_le32(addr); byte_count += sg_count[i]; @@ -986,6 +998,10 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg) cleanup: kfree(user_srbcmd); if (rcode != -ERESTARTSYS) { + for (i = 0; i <= sg_dma_last_mapped; i++) { + dma_unmap_single(&dev->pdev->dev, sg_dma_addr[i], + sg_count[i], data_dir); + } for (i = 0; i <= sg_indx; i++) kfree(sg_list[i]); aac_fib_complete(srbfib); -- 2.34.1

1 month, 1 week

1
0
0 0

[PATCH 6.1.y ] drm/amdgpu: Fix potential out-of-bounds access in 'amdgpu_discovery_reg_base_init()'

by Vasiliy Kovalev

From: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> commit cdb637d339572398821204a1142d8d615668f1e9 upstream. The issue arises when the array 'adev->vcn.vcn_config' is accessed before checking if the index 'adev->vcn.num_vcn_inst' is within the bounds of the array. The fix involves moving the bounds check before the array access. This ensures that 'adev->vcn.num_vcn_inst' is within the bounds of the array before it is used as an index. Fixes the below: drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c:1289 amdgpu_discovery_reg_base_init() error: testing array offset 'adev->vcn.num_vcn_inst' after use. Fixes: a0ccc717c4ab ("drm/amdgpu/discovery: validate VCN and SDMA instances") Cc: Christian König <christian.koenig(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> Reviewed-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> [ kovalev: bp to fix CVE-2024-27042 ] Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c index d8441e273..8bc3a4bf3 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c @@ -1128,15 +1128,16 @@ static int amdgpu_discovery_reg_base_init(struct amdgpu_device *adev) * 0b10 : encode is disabled * 0b01 : decode is disabled */ - adev->vcn.vcn_config[adev->vcn.num_vcn_inst] = - ip->revision & 0xc0; - ip->revision &= ~0xc0; - if (adev->vcn.num_vcn_inst < AMDGPU_MAX_VCN_INSTANCES) + if (adev->vcn.num_vcn_inst < AMDGPU_MAX_VCN_INSTANCES) { + adev->vcn.vcn_config[adev->vcn.num_vcn_inst] = + ip->revision & 0xc0; adev->vcn.num_vcn_inst++; + } else dev_err(adev->dev, "Too many VCN instances: %d vs %d\n", adev->vcn.num_vcn_inst + 1, AMDGPU_MAX_VCN_INSTANCES); + ip->revision &= ~0xc0; } if (le16_to_cpu(ip->hw_id) == SDMA0_HWID || le16_to_cpu(ip->hw_id) == SDMA1_HWID || -- 2.50.1

1 month, 1 week

1
0
0 0

【年に一度】SBIポイントで豪華賞品を交換 — 在庫がなくなり次第終了No.86212

by SBI証券

平素よりSBI証券をご利用いただき、誠にありがとうございます。SBI証券では、日頃のご愛顧に感謝を込めて、年に一度だけの「ポイント交換キャンペーン」を開催しております。お客様の現在の保有ポイントは以下のとおりです。保有ポイント28,810ポイント本キャンペーンでは、貯まったポイントを豪華賞品と交換いただけます。交換は先着順で、在庫がなくなり次第終了となります。交換は以下のページからお手続きください。ポイント交換ページhttps://www.sbisec.co.jp/member/point/交換可能賞品の一例キャンペーン終了日：2025年10月22日・Apple iPad（第9世代 Wi-Fiモデル 64GB）【限定100台／残り15台】・Dyson コードレス掃除機【限定200台／残り90台】・Apple Watch SE（GPSモデル）・BALMUDA The Toaster（バルミューダトースター）・JCBギフトカード（5,000円分）・SBIオリジナル記念グッズ（非売品）この「年に一度の特別企画」は、例年多くのお客様にご参加いただいております。人気商品の在庫はすでに残りわずかです。ご注意・本キャンペーンは年に一度のみの開催です。・在庫がなくなり次第、予告なく終了いたします。・ポイント交換後の変更・キャンセルはお受けできません。一年に一度の特別なチャンスを、ぜひお見逃しなく。この機会にポイント交換をご利用ください。 SBI証券株式会社東京都港区六本木1-6-1 泉ガーデンタワーhttps://www.sbisec.co.jp/ © 2025 SBI SECURITIES Co., Ltd.

1 month, 1 week

1
0
0 0

FAILED: patch "[PATCH] fuse: fix livelock in synchronous file put from fuseblk" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 26e5c67deb2e1f42a951f022fdf5b9f7eb747b01 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101630-unvaried-protector-cae4@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 26e5c67deb2e1f42a951f022fdf5b9f7eb747b01 Mon Sep 17 00:00:00 2001 From: "Darrick J. Wong" <djwong(a)kernel.org> Date: Mon, 15 Sep 2025 17:24:17 -0700 Subject: [PATCH] fuse: fix livelock in synchronous file put from fuseblk workers I observed a hang when running generic/323 against a fuseblk server. This test opens a file, initiates a lot of AIO writes to that file descriptor, and closes the file descriptor before the writes complete. Unsurprisingly, the AIO exerciser threads are mostly stuck waiting for responses from the fuseblk server: # cat /proc/372265/task/372313/stack [<0>] request_wait_answer+0x1fe/0x2a0 [fuse] [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] [<0>] fuse_do_getattr+0xfc/0x1f0 [fuse] [<0>] fuse_file_read_iter+0xbe/0x1c0 [fuse] [<0>] aio_read+0x130/0x1e0 [<0>] io_submit_one+0x542/0x860 [<0>] __x64_sys_io_submit+0x98/0x1a0 [<0>] do_syscall_64+0x37/0xf0 [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 But the /weird/ part is that the fuseblk server threads are waiting for responses from itself: # cat /proc/372210/task/372232/stack [<0>] request_wait_answer+0x1fe/0x2a0 [fuse] [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] [<0>] fuse_file_put+0x9a/0xd0 [fuse] [<0>] fuse_release+0x36/0x50 [fuse] [<0>] __fput+0xec/0x2b0 [<0>] task_work_run+0x55/0x90 [<0>] syscall_exit_to_user_mode+0xe9/0x100 [<0>] do_syscall_64+0x43/0xf0 [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 The fuseblk server is fuse2fs so there's nothing all that exciting in the server itself. So why is the fuse server calling fuse_file_put? The commit message for the fstest sheds some light on that: "By closing the file descriptor before calling io_destroy, you pretty much guarantee that the last put on the ioctx will be done in interrupt context (during I/O completion). Aha. AIO fgets a new struct file from the fd when it queues the ioctx. The completion of the FUSE_WRITE command from userspace causes the fuse server to call the AIO completion function. The completion puts the struct file, queuing a delayed fput to the fuse server task. When the fuse server task returns to userspace, it has to run the delayed fput, which in the case of a fuseblk server, it does synchronously. Sending the FUSE_RELEASE command sychronously from fuse server threads is a bad idea because a client program can initiate enough simultaneous AIOs such that all the fuse server threads end up in delayed_fput, and now there aren't any threads left to handle the queued fuse commands. Fix this by only using asynchronous fputs when closing files, and leave a comment explaining why. Cc: stable(a)vger.kernel.org # v2.6.38 Fixes: 5a18ec176c934c ("fuse: fix hang of single threaded fuseblk filesystem") Signed-off-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Miklos Szeredi <mszeredi(a)redhat.com> diff --git a/fs/fuse/file.c b/fs/fuse/file.c index 54786f62a9d8..f1ef77a0be05 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -356,8 +356,14 @@ void fuse_file_release(struct inode *inode, struct fuse_file *ff, * Make the release synchronous if this is a fuseblk mount, * synchronous RELEASE is allowed (and desirable) in this case * because the server can be trusted not to screw up. + * + * Always use the asynchronous file put because the current thread + * might be the fuse server. This can happen if a process starts some + * aio and closes the fd before the aio completes. Since aio takes its + * own ref to the file, the IO completion has to drop the ref, which is + * how the fuse server can end up closing its clients' files. */ - fuse_file_put(ff, ff->fm->fc->destroy); + fuse_file_put(ff, false); } void fuse_release_common(struct file *file, bool isdir)

1 month, 1 week

2
1
0 0

[PATCH net 0/5] mptcp: handle late ADD_ADDR + selftests skip

by Matthieu Baerts (NGI0)

Here are a few independent fixes related to MPTCP and its selftests: - Patch 1: correctly handle ADD_ADDR being received after the switch to 'fully-established'. A fix for another recent fix backported up to v5.14. - Patches 2-5: properly mark some MPTCP Join subtests as 'skipped' if the tested kernel doesn't support the feature being validated. Some fixes for up to v5.13, v5.18, v6.11 and v6.18-rc1 respectively. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Matthieu Baerts (NGI0) (5): mptcp: pm: in-kernel: C-flag: handle late ADD_ADDR selftests: mptcp: join: mark 'flush re-add' as skipped if not supported selftests: mptcp: join: mark implicit tests as skipped if not supported selftests: mptcp: join: mark 'delete re-add signal' as skipped if not supported selftests: mptcp: join: mark laminar tests as skipped if not supported net/mptcp/pm_kernel.c | 6 ++++++ tools/testing/selftests/net/mptcp/mptcp_join.sh | 18 +++++++++--------- 2 files changed, 15 insertions(+), 9 deletions(-) --- base-commit: ffff5c8fc2af2218a3332b3d5b97654599d50cde change-id: 20251020-net-mptcp-c-flag-late-add-addr-1d954e7b63d2 Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

1 month, 1 week

2
5
0 0

[REGRESSION] Secureboot violation for linux enrolled by-hash into db v6.17.4 and v6.18-rc1

by Dimitri John Ledkov

If one enrolls linux kernel by-hash into db (for example using virt-fw-vars), the secureboot fails with security violation as EDK2 computation of authenticode for the linux binary doesn't match the enrolled hash. This is reproducible in AWS VMs, as well as locally with EDK2 builds with secureboot. Not affected v6.17 Not affected v6.17.3 Affected v6.17.4 Affected v6.18-rc1 Affected v6.18-rc2 Suspected patches are: $ git log --oneline v6.17.3..v6.17.4 -- scripts/ 8e5e13c8df9e6 kbuild: Add '.rel.*' strip pattern for vmlinux 7b80f81ae3190 kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux 5b5cdb1fe434e kbuild: keep .modinfo section in vmlinux.unstripped 86f364ee58420 kbuild: always create intermediate vmlinux.unstripped Reverting all of the above, makes secureboot with by-hash enrolled into db work again. I will try to bisect this further to determine the culprit. It feels like the strip potentially didn't update section offsets or their numbers or something like that. -- Regards, Dimitri.

1 month, 1 week

3
2
0 0

[merged mm-hotfixes-stable] mm-damon-core-use-damos_commit_quota_goal-for-new-goal-commit.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/core: use damos_commit_quota_goal() for new goal commit has been removed from the -mm tree. Its filename was mm-damon-core-use-damos_commit_quota_goal-for-new-goal-commit.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/core: use damos_commit_quota_goal() for new goal commit Date: Mon, 13 Oct 2025 17:18:44 -0700 When damos_commit_quota_goals() is called for adding new DAMOS quota goals of DAMOS_QUOTA_USER_INPUT metric, current_value fields of the new goals should be also set as requested. However, damos_commit_quota_goals() is not updating the field for the case, since it is setting only metrics and target values using damos_new_quota_goal(), and metric-optional union fields using damos_commit_quota_goal_union(). As a result, users could see the first current_value parameter that committed online with a new quota goal is ignored. Users are assumed to commit the current_value for DAMOS_QUOTA_USER_INPUT quota goals, since it is being used as a feedback. Hence the real impact would be subtle. That said, this is obviously not intended behavior. Fix the issue by using damos_commit_quota_goal() which sets all quota goal parameters, instead of damos_commit_quota_goal_union(), which sets only the union fields. Link: https://lkml.kernel.org/r/20251014001846.279282-1-sj@kernel.org Fixes: 1aef9df0ee90 ("mm/damon/core: commit damos_quota_goal->nid") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> [6.16+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/damon/core.c~mm-damon-core-use-damos_commit_quota_goal-for-new-goal-commit +++ a/mm/damon/core.c @@ -835,7 +835,7 @@ int damos_commit_quota_goals(struct damo src_goal->metric, src_goal->target_value); if (!new_goal) return -ENOMEM; - damos_commit_quota_goal_union(new_goal, src_goal); + damos_commit_quota_goal(new_goal, src_goal); damos_add_quota_goal(dst, new_goal); } return 0; _ Patches currently in -mm which might be from sj(a)kernel.org are mm-zswap-remove-unnecessary-dlen-writes-for-incompressible-pages.patch mm-zswap-fix-typos-s-zwap-zswap.patch mm-zswap-s-red-black-tree-xarray.patch docs-admin-guide-mm-zswap-s-red-black-tree-xarray.patch mm-damon-document-damos_quota_goal-nid-use-case.patch mm-damon-add-damos-quota-goal-type-for-per-memcg-per-node-memory-usage.patch mm-damon-core-implement-damos_quota_node_memcg_used_bp.patch mm-damon-sysfs-schemes-implement-path-file-under-quota-goal-directory.patch mm-damon-sysfs-schemes-support-damos_quota_node_memcg_used_bp.patch mm-damon-core-add-damos-quota-gaol-metric-for-per-memcg-per-numa-free-memory.patch mm-damon-sysfs-schemes-support-damos_quota_node_memcg_free_bp.patch docs-mm-damon-design-document-damos_quota_node_memcg_usedfree_bp.patch docs-admin-guide-mm-damon-usage-document-damos-quota-goal-path-file.patch docs-abi-damon-document-damos-quota-goal-path-file.patch

1 month, 1 week

1
0
0 0

[merged mm-hotfixes-stable] mm-damon-core-fix-potential-memory-leak-by-cleaning-ops_filter-in-damon_destroy_scheme.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/core: fix potential memory leak by cleaning ops_filter in damon_destroy_scheme has been removed from the -mm tree. Its filename was mm-damon-core-fix-potential-memory-leak-by-cleaning-ops_filter-in-damon_destroy_scheme.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Enze Li <lienze(a)kylinos.cn> Subject: mm/damon/core: fix potential memory leak by cleaning ops_filter in damon_destroy_scheme Date: Tue, 14 Oct 2025 16:42:25 +0800 Currently, damon_destroy_scheme() only cleans up the filter list but leaves ops_filter untouched, which could lead to memory leaks when a scheme is destroyed. This patch ensures both filter and ops_filter are properly freed in damon_destroy_scheme(), preventing potential memory leaks. Link: https://lkml.kernel.org/r/20251014084225.313313-1-lienze@kylinos.cn Fixes: ab82e57981d0 ("mm/damon/core: introduce damos->ops_filters") Signed-off-by: Enze Li <lienze(a)kylinos.cn> Reviewed-by: SeongJae Park <sj(a)kernel.org> Tested-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 3 +++ 1 file changed, 3 insertions(+) --- a/mm/damon/core.c~mm-damon-core-fix-potential-memory-leak-by-cleaning-ops_filter-in-damon_destroy_scheme +++ a/mm/damon/core.c @@ -452,6 +452,9 @@ void damon_destroy_scheme(struct damos * damos_for_each_filter_safe(f, next, s) damos_destroy_filter(f); + damos_for_each_ops_filter_safe(f, next, s) + damos_destroy_filter(f); + kfree(s->migrate_dests.node_id_arr); kfree(s->migrate_dests.weight_arr); damon_del_scheme(s); _ Patches currently in -mm which might be from lienze(a)kylinos.cn are

1 month, 1 week

1
0
0 0

[merged mm-hotfixes-stable] vmw_balloon-indicate-success-when-effectively-deflating-during-migration.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: vmw_balloon: indicate success when effectively deflating during migration has been removed from the -mm tree. Its filename was vmw_balloon-indicate-success-when-effectively-deflating-during-migration.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: David Hildenbrand <david(a)redhat.com> Subject: vmw_balloon: indicate success when effectively deflating during migration Date: Tue, 14 Oct 2025 14:44:55 +0200 When migrating a balloon page, we first deflate the old page to then inflate the new page. However, if inflating the new page succeeded, we effectively deflated the old page, reducing the balloon size. In that case, the migration actually worked: similar to migrating+ immediately deflating the new page. The old page will be freed back to the buddy. Right now, the core will leave the page be marked as isolated (as we returned an error). When later trying to putback that page, we will run into the WARN_ON_ONCE() in balloon_page_putback(). That handling was changed in commit 3544c4faccb8 ("mm/balloon_compaction: stop using __ClearPageMovable()"); before that change, we would have tolerated that way of handling it. To fix it, let's just return 0 in that case, making the core effectively just clear the "isolated" flag + freeing it back to the buddy as if the migration succeeded. Note that the new page will also get freed when the core puts the last reference. Note that this also makes it all be more consistent: we will no longer unisolate the page in the balloon driver while keeping it marked as being isolated in migration core. This was found by code inspection. Link: https://lkml.kernel.org/r/20251014124455.478345-1-david@redhat.com Fixes: 3544c4faccb8 ("mm/balloon_compaction: stop using __ClearPageMovable()") Signed-off-by: David Hildenbrand <david(a)redhat.com> Cc: Jerrin Shaji George <jerrin.shaji-george(a)broadcom.com> Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list(a)broadcom.com> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/misc/vmw_balloon.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) --- a/drivers/misc/vmw_balloon.c~vmw_balloon-indicate-success-when-effectively-deflating-during-migration +++ a/drivers/misc/vmw_balloon.c @@ -1737,7 +1737,7 @@ static int vmballoon_migratepage(struct { unsigned long status, flags; struct vmballoon *b; - int ret; + int ret = 0; b = container_of(b_dev_info, struct vmballoon, b_dev_info); @@ -1796,17 +1796,15 @@ static int vmballoon_migratepage(struct * A failure happened. While we can deflate the page we just * inflated, this deflation can also encounter an error. Instead * we will decrease the size of the balloon to reflect the - * change and report failure. + * change. */ atomic64_dec(&b->size); - ret = -EBUSY; } else { /* * Success. Take a reference for the page, and we will add it to * the list after acquiring the lock. */ get_page(newpage); - ret = 0; } /* Update the balloon list under the @pages_lock */ @@ -1817,7 +1815,7 @@ static int vmballoon_migratepage(struct * If we succeed just insert it to the list and update the statistics * under the lock. */ - if (!ret) { + if (status == VMW_BALLOON_SUCCESS) { balloon_page_insert(&b->b_dev_info, newpage); __count_vm_event(BALLOON_MIGRATE); } _ Patches currently in -mm which might be from david(a)redhat.com are

1 month, 1 week

1
0
0 0

[merged mm-hotfixes-stable] mm-damon-core-fix-list_add_tail-call-on-damon_call.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/core: fix list_add_tail() call on damon_call() has been removed from the -mm tree. Its filename was mm-damon-core-fix-list_add_tail-call-on-damon_call.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/core: fix list_add_tail() call on damon_call() Date: Tue, 14 Oct 2025 13:59:36 -0700 Each damon_ctx maintains callback requests using a linked list (damon_ctx->call_controls). When a new callback request is received via damon_call(), the new request should be added to the list. However, the function is making a mistake at list_add_tail() invocation: putting the new item to add and the list head to add it before, in the opposite order. Because of the linked list manipulation implementation, the new request can still be reached from the context's list head. But the list items that were added before the new request are dropped from the list. As a result, the callbacks are unexpectedly not invocated. Worse yet, if the dropped callback requests were dynamically allocated, the memory is leaked. Actually DAMON sysfs interface is using a dynamically allocated repeat-mode callback request for automatic essential stats update. And because the online DAMON parameters commit is using a non-repeat-mode callback request, the issue can easily be reproduced, like below. # damo start --damos_action stat --refresh_stat 1s # damo tune --damos_action stat --refresh_stat 1s The first command dynamically allocates the repeat-mode callback request for automatic essential stat update. Users can see the essential stats are automatically updated for every second, using the sysfs interface. The second command calls damon_commit() with a new callback request that was made for the commit. As a result, the previously added repeat-mode callback request is dropped from the list. The automatic stats refresh stops working, and the memory for the repeat-mode callback request is leaked. It can be confirmed using kmemleak. Fix the mistake on the list_add_tail() call. Link: https://lkml.kernel.org/r/20251014205939.1206-1-sj@kernel.org Fixes: 004ded6bee11 ("mm/damon: accept parallel damon_call() requests") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> [6.17+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/damon/core.c~mm-damon-core-fix-list_add_tail-call-on-damon_call +++ a/mm/damon/core.c @@ -1450,7 +1450,7 @@ int damon_call(struct damon_ctx *ctx, st INIT_LIST_HEAD(&control->list); mutex_lock(&ctx->call_controls_lock); - list_add_tail(&ctx->call_controls, &control->list); + list_add_tail(&control->list, &ctx->call_controls); mutex_unlock(&ctx->call_controls_lock); if (!damon_is_running(ctx)) return -EINVAL; _ Patches currently in -mm which might be from sj(a)kernel.org are mm-zswap-remove-unnecessary-dlen-writes-for-incompressible-pages.patch mm-zswap-fix-typos-s-zwap-zswap.patch mm-zswap-s-red-black-tree-xarray.patch docs-admin-guide-mm-zswap-s-red-black-tree-xarray.patch mm-damon-document-damos_quota_goal-nid-use-case.patch mm-damon-add-damos-quota-goal-type-for-per-memcg-per-node-memory-usage.patch mm-damon-core-implement-damos_quota_node_memcg_used_bp.patch mm-damon-sysfs-schemes-implement-path-file-under-quota-goal-directory.patch mm-damon-sysfs-schemes-support-damos_quota_node_memcg_used_bp.patch mm-damon-core-add-damos-quota-gaol-metric-for-per-memcg-per-numa-free-memory.patch mm-damon-sysfs-schemes-support-damos_quota_node_memcg_free_bp.patch docs-mm-damon-design-document-damos_quota_node_memcg_usedfree_bp.patch docs-admin-guide-mm-damon-usage-document-damos-quota-goal-path-file.patch docs-abi-damon-document-damos-quota-goal-path-file.patch

1 month, 1 week

1
0
0 0

[merged mm-hotfixes-stable] mm-mremap-correctly-account-old-mapping-after-mremap_dontunmap-remap.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/mremap: correctly account old mapping after MREMAP_DONTUNMAP remap has been removed from the -mm tree. Its filename was mm-mremap-correctly-account-old-mapping-after-mremap_dontunmap-remap.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Subject: mm/mremap: correctly account old mapping after MREMAP_DONTUNMAP remap Date: Mon, 13 Oct 2025 17:58:36 +0100 Commit b714ccb02a76 ("mm/mremap: complete refactor of move_vma()") mistakenly introduced a new behaviour - clearing the VM_ACCOUNT flag of the old mapping when a mapping is mremap()'d with the MREMAP_DONTUNMAP flag set. While we always clear the VM_LOCKED and VM_LOCKONFAULT flags for the old mapping (the page tables have been moved, so there is no data that could possibly be locked in memory), there is no reason to touch any other VMA flags. This is because after the move the old mapping is in a state as if it were freshly mapped. This implies that the attributes of the mapping ought to remain the same, including whether or not the mapping is accounted. Link: https://lkml.kernel.org/r/20251013165836.273113-1-lorenzo.stoakes@oracle.com Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Fixes: b714ccb02a76 ("mm/mremap: complete refactor of move_vma()") Reviewed-by: Pedro Falcato <pfalcato(a)suse.de> Cc: Jann Horn <jannh(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/mremap.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) --- a/mm/mremap.c~mm-mremap-correctly-account-old-mapping-after-mremap_dontunmap-remap +++ a/mm/mremap.c @@ -1237,10 +1237,10 @@ static int copy_vma_and_data(struct vma_ } /* - * Perform final tasks for MADV_DONTUNMAP operation, clearing mlock() and - * account flags on remaining VMA by convention (it cannot be mlock()'d any - * longer, as pages in range are no longer mapped), and removing anon_vma_chain - * links from it (if the entire VMA was copied over). + * Perform final tasks for MADV_DONTUNMAP operation, clearing mlock() flag on + * remaining VMA by convention (it cannot be mlock()'d any longer, as pages in + * range are no longer mapped), and removing anon_vma_chain links from it if the + * entire VMA was copied over. */ static void dontunmap_complete(struct vma_remap_struct *vrm, struct vm_area_struct *new_vma) @@ -1250,11 +1250,8 @@ static void dontunmap_complete(struct vm unsigned long old_start = vrm->vma->vm_start; unsigned long old_end = vrm->vma->vm_end; - /* - * We always clear VM_LOCKED[ONFAULT] | VM_ACCOUNT on the old - * vma. - */ - vm_flags_clear(vrm->vma, VM_LOCKED_MASK | VM_ACCOUNT); + /* We always clear VM_LOCKED[ONFAULT] on the old VMA. */ + vm_flags_clear(vrm->vma, VM_LOCKED_MASK); /* * anon_vma links of the old vma is no longer needed after its page _ Patches currently in -mm which might be from lorenzo.stoakes(a)oracle.com are mm-shmem-update-shmem-to-use-mmap_prepare.patch device-dax-update-devdax-to-use-mmap_prepare.patch mm-vma-remove-unused-function-make-internal-functions-static.patch mm-add-vma_desc_size-vma_desc_pages-helpers.patch relay-update-relay-to-use-mmap_prepare.patch mm-vma-rename-__mmap_prepare-function-to-avoid-confusion.patch mm-add-remap_pfn_range_prepare-remap_pfn_range_complete.patch mm-abstract-io_remap_pfn_range-based-on-pfn.patch mm-introduce-io_remap_pfn_range_.patch mm-add-ability-to-take-further-action-in-vm_area_desc.patch doc-update-porting-vfs-documentation-for-mmap_prepare-actions.patch mm-hugetlbfs-update-hugetlbfs-to-use-mmap_prepare.patch mm-add-shmem_zero_setup_desc.patch mm-update-mem-char-driver-to-use-mmap_prepare.patch mm-update-resctl-to-use-mmap_prepare.patch

1 month, 1 week

1
0
0 0

[PATCH] usb: raw-gadget: do not limit transfer length

by andrey.konovalov＠linux.dev

From: Andrey Konovalov <andreyknvl(a)gmail.com> Drop the check on the maximum transfer length in Raw Gadget for both control and non-control transfers. Limiting the transfer length causes a problem with emulating USB devices whose full configuration descriptor exceeds PAGE_SIZE in length. Overall, there does not appear to be any reason to enforce any kind of transfer length limit on the Raw Gadget side for either control or non-control transfers, so let's just drop the related check. Cc: stable(a)vger.kernel.org Fixes: f2c2e717642c ("usb: gadget: add raw-gadget interface") Signed-off-by: Andrey Konovalov <andreyknvl(a)gmail.com> --- drivers/usb/gadget/legacy/raw_gadget.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c index 20165e1582d9..b71680c58de6 100644 --- a/drivers/usb/gadget/legacy/raw_gadget.c +++ b/drivers/usb/gadget/legacy/raw_gadget.c @@ -667,8 +667,6 @@ static void *raw_alloc_io_data(struct usb_raw_ep_io *io, void __user *ptr, return ERR_PTR(-EINVAL); if (!usb_raw_io_flags_valid(io->flags)) return ERR_PTR(-EINVAL); - if (io->length > PAGE_SIZE) - return ERR_PTR(-EINVAL); if (get_from_user) data = memdup_user(ptr + sizeof(*io), io->length); else { -- 2.43.0

1 month, 1 week

3
4
0 0

[PATCH RESEND] usb: raw-gadget: do not limit transfer length

by andrey.konovalov＠linux.dev

From: Andrey Konovalov <andreyknvl(a)gmail.com> Drop the check on the maximum transfer length in Raw Gadget for both control and non-control transfers. Limiting the transfer length causes a problem with emulating USB devices whose full configuration descriptor exceeds PAGE_SIZE in length. Overall, there does not appear to be any reason to enforce any kind of transfer length limit on the Raw Gadget side for either control or non-control transfers, so let's just drop the related check. Cc: stable(a)vger.kernel.org Fixes: f2c2e717642c ("usb: gadget: add raw-gadget interface") Signed-off-by: Andrey Konovalov <andreyknvl(a)gmail.com> --- drivers/usb/gadget/legacy/raw_gadget.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c index 20165e1582d9..b71680c58de6 100644 --- a/drivers/usb/gadget/legacy/raw_gadget.c +++ b/drivers/usb/gadget/legacy/raw_gadget.c @@ -667,8 +667,6 @@ static void *raw_alloc_io_data(struct usb_raw_ep_io *io, void __user *ptr, return ERR_PTR(-EINVAL); if (!usb_raw_io_flags_valid(io->flags)) return ERR_PTR(-EINVAL); - if (io->length > PAGE_SIZE) - return ERR_PTR(-EINVAL); if (get_from_user) data = memdup_user(ptr + sizeof(*io), io->length); else { -- 2.43.0

1 month, 1 week

1
0
0 0

[PATCH 0/2] fuse: Fix possible memleak at startup with immediate teardown

by Bernd Schubert

Do not merge yet, the current series has not been tested yet. The race is only easily reproducible with additional patches that pin pages during FUSE_IO_URING_CMD_REGISTER - slows it down and then xfstest's generic/001 triggers it reliably. However, I need to update these pin patches for linux master. Signed-off-by: Bernd Schubert <bschubert(a)ddn.com> --- Bernd Schubert (1): fuse: Move ring queues_refs decrement Jian Huang Li (1): fs/fuse: fix potential memory leak from fuse_uring_cancel fs/fuse/dev_uring.c | 33 ++++++++++++++------------------- 1 file changed, 14 insertions(+), 19 deletions(-) --- base-commit: 6548d364a3e850326831799d7e3ea2d7bb97ba08 change-id: 20251021-io-uring-fixes-cancel-mem-leak-820642677c37 Best regards, -- Bernd Schubert <bschubert(a)ddn.com>

1 month, 1 week

1
1
0 0

+ mm-shmem-fix-thp-allocation-size-check-and-fallback.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/shmem: fix THP allocation size check and fallback has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-shmem-fix-thp-allocation-size-check-and-fallback.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Kairui Song <kasong(a)tencent.com> Subject: mm/shmem: fix THP allocation size check and fallback Date: Wed, 22 Oct 2025 03:04:36 +0800 There are some problems with the code implementations of THP fallback. suitable_orders could be zero, and calling highest_order on a zero value returns an overflowed size. And the order check loop is updating the index value on every loop which may cause the index to be aligned by a larger value while the loop shrinks the order. And it forgot to try order 0 after the final loop. This is usually fine because shmem_add_to_page_cache ensures the shmem mapping is still sane, but it might cause many potential issues like allocating random folios into the random position in the map or return -ENOMEM by accident. This triggered some strange userspace errors [1], and shouldn't have happened in the first place. Link: https://lkml.kernel.org/r/20251021190436.81682-1-ryncsn@gmail.com Link: https://lore.kernel.org/linux-mm/CAMgjq7DqgAmj25nDUwwu1U2cSGSn8n4-Hqpgotted… [1] Fixes: e7a2ab7b3bb5d ("mm: shmem: add mTHP support for anonymous shmem") Signed-off-by: Kairui Song <kasong(a)tencent.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Barry Song <baohua(a)kernel.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Nico Pache <npache(a)redhat.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Zi Yan <ziy(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/shmem.c | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) --- a/mm/shmem.c~mm-shmem-fix-thp-allocation-size-check-and-fallback +++ a/mm/shmem.c @@ -1824,6 +1824,9 @@ static unsigned long shmem_suitable_orde unsigned long pages; int order; + if (!orders) + return 0; + if (vma) { orders = thp_vma_suitable_orders(vma, vmf->address, orders); if (!orders) @@ -1888,27 +1891,28 @@ static struct folio *shmem_alloc_and_add if (!IS_ENABLED(CONFIG_TRANSPARENT_HUGEPAGE)) orders = 0; - if (orders > 0) { - suitable_orders = shmem_suitable_orders(inode, vmf, - mapping, index, orders); + suitable_orders = shmem_suitable_orders(inode, vmf, + mapping, index, orders); + if (suitable_orders) { order = highest_order(suitable_orders); - while (suitable_orders) { + do { pages = 1UL << order; - index = round_down(index, pages); - folio = shmem_alloc_folio(gfp, order, info, index); - if (folio) + folio = shmem_alloc_folio(gfp, order, info, round_down(index, pages)); + if (folio) { + index = round_down(index, pages); goto allocated; + } if (pages == HPAGE_PMD_NR) count_vm_event(THP_FILE_FALLBACK); count_mthp_stat(order, MTHP_STAT_SHMEM_FALLBACK); order = next_order(&suitable_orders, order); - } - } else { - pages = 1; - folio = shmem_alloc_folio(gfp, 0, info, index); + } while (suitable_orders); } + + pages = 1; + folio = shmem_alloc_folio(gfp, 0, info, index); if (!folio) return ERR_PTR(-ENOMEM); _ Patches currently in -mm which might be from kasong(a)tencent.com are mm-shmem-fix-thp-allocation-size-check-and-fallback.patch

1 month, 1 week

1
0
0 0

[PATCH 5.10/5.15] srcu: Tighten cleanup_srcu_struct() GP checks

by Vasiliy Kovalev

From: "Paul E. McKenney" <paulmck(a)kernel.org> commit 8ed00760203d8018bee042fbfe8e076579be2c2b upstream. Currently, cleanup_srcu_struct() checks for a grace period in progress, but it does not check for a grace period that has not yet started but which might start at any time. Such a situation could result in a use-after-free bug, so this commit adds a check for a grace period that is needed but not yet started to cleanup_srcu_struct(). Fixes: da915ad5cf25 ("srcu: Parallelize callback handling") Signed-off-by: Paul E. McKenney <paulmck(a)kernel.org> [ kovalev: backport to fix CVE-2022-49651; added Fixes tag for commit da915ad5cf25 that introduced the srcu_gp_seq_needed field and the race condition between grace period requests and cleanup ] Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- kernel/rcu/srcutree.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/kernel/rcu/srcutree.c b/kernel/rcu/srcutree.c index b8821665c435..5d89d941280f 100644 --- a/kernel/rcu/srcutree.c +++ b/kernel/rcu/srcutree.c @@ -388,9 +388,11 @@ void cleanup_srcu_struct(struct srcu_struct *ssp) return; /* Forgot srcu_barrier(), so just leak it! */ } if (WARN_ON(rcu_seq_state(READ_ONCE(ssp->srcu_gp_seq)) != SRCU_STATE_IDLE) || + WARN_ON(rcu_seq_current(&ssp->srcu_gp_seq) != ssp->srcu_gp_seq_needed) || WARN_ON(srcu_readers_active(ssp))) { - pr_info("%s: Active srcu_struct %p state: %d\n", - __func__, ssp, rcu_seq_state(READ_ONCE(ssp->srcu_gp_seq))); + pr_info("%s: Active srcu_struct %p read state: %d gp state: %lu/%lu\n", + __func__, ssp, rcu_seq_state(READ_ONCE(ssp->srcu_gp_seq)), + rcu_seq_current(&ssp->srcu_gp_seq), ssp->srcu_gp_seq_needed); return; /* Caller forgot to stop doing call_srcu()? */ } free_percpu(ssp->sda); -- 2.50.1

1 month, 1 week

1
0
0 0

[PATCH v1 0/3] PCI fixes for s390

by Farhan Ali

Hi, I came across some issues in PCI code for s390 while working on VFIO error recovery for s390 PCI devices [1]. These patches can be indepedently applied and has no depedency on error recovery patch series. We would like to get these patches merged as they do fix some existing issues. [1] https://lore.kernel.org/all/20250924171628.826-1-alifm@linux.ibm.com/ Thanks Farhan Farhan Ali (3): PCI: Allow per function PCI slots s390/pci: Add architecture specific resource/bus address translation s390/pci: Restore IRQ unconditionally for the zPCI device arch/s390/include/asm/pci.h | 1 - arch/s390/pci/pci.c | 74 ++++++++++++++++++++++++++++++ arch/s390/pci/pci_irq.c | 9 +--- drivers/pci/host-bridge.c | 4 +- drivers/pci/hotplug/s390_pci_hpc.c | 10 +++- drivers/pci/pci.c | 5 +- drivers/pci/slot.c | 14 ++++-- include/linux/pci.h | 1 + 8 files changed, 100 insertions(+), 18 deletions(-) -- 2.43.0

1 month, 1 week

4
8
0 0

[PATCH] drm/amd: Add missing return for VPE idle handler

by Mario Limonciello

Adjusting the idle handler for DPM0 handling forgot a return statement which causes the system to not be able to enter s0i3. Add the missing return statement. Cc: stable(a)vger.kernel.org Reported-by: Sultan Alsawaf <sultan(a)kerneltoast.com> Closes: https://lore.kernel.org/amd-gfx/aPawCXBY9eM8oZvG@sultan-box/ Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> --- drivers/gpu/drm/amd/amdgpu/amdgpu_vpe.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vpe.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vpe.c index f4932339d79d..aa78c2ee9e21 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vpe.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vpe.c @@ -356,6 +356,7 @@ static void vpe_idle_work_handler(struct work_struct *work) goto reschedule; amdgpu_device_ip_set_powergating_state(adev, AMD_IP_BLOCK_TYPE_VPE, AMD_PG_STATE_GATE); + return; reschedule: schedule_delayed_work(&adev->vpe.idle_work, VPE_IDLE_TIMEOUT); -- 2.49.0

1 month, 1 week

3
5
0 0

FAILED: patch "[PATCH] fuse: fix livelock in synchronous file put from fuseblk" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 26e5c67deb2e1f42a951f022fdf5b9f7eb747b01 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101627-calzone-emperor-7442@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 26e5c67deb2e1f42a951f022fdf5b9f7eb747b01 Mon Sep 17 00:00:00 2001 From: "Darrick J. Wong" <djwong(a)kernel.org> Date: Mon, 15 Sep 2025 17:24:17 -0700 Subject: [PATCH] fuse: fix livelock in synchronous file put from fuseblk workers I observed a hang when running generic/323 against a fuseblk server. This test opens a file, initiates a lot of AIO writes to that file descriptor, and closes the file descriptor before the writes complete. Unsurprisingly, the AIO exerciser threads are mostly stuck waiting for responses from the fuseblk server: # cat /proc/372265/task/372313/stack [<0>] request_wait_answer+0x1fe/0x2a0 [fuse] [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] [<0>] fuse_do_getattr+0xfc/0x1f0 [fuse] [<0>] fuse_file_read_iter+0xbe/0x1c0 [fuse] [<0>] aio_read+0x130/0x1e0 [<0>] io_submit_one+0x542/0x860 [<0>] __x64_sys_io_submit+0x98/0x1a0 [<0>] do_syscall_64+0x37/0xf0 [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 But the /weird/ part is that the fuseblk server threads are waiting for responses from itself: # cat /proc/372210/task/372232/stack [<0>] request_wait_answer+0x1fe/0x2a0 [fuse] [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] [<0>] fuse_file_put+0x9a/0xd0 [fuse] [<0>] fuse_release+0x36/0x50 [fuse] [<0>] __fput+0xec/0x2b0 [<0>] task_work_run+0x55/0x90 [<0>] syscall_exit_to_user_mode+0xe9/0x100 [<0>] do_syscall_64+0x43/0xf0 [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 The fuseblk server is fuse2fs so there's nothing all that exciting in the server itself. So why is the fuse server calling fuse_file_put? The commit message for the fstest sheds some light on that: "By closing the file descriptor before calling io_destroy, you pretty much guarantee that the last put on the ioctx will be done in interrupt context (during I/O completion). Aha. AIO fgets a new struct file from the fd when it queues the ioctx. The completion of the FUSE_WRITE command from userspace causes the fuse server to call the AIO completion function. The completion puts the struct file, queuing a delayed fput to the fuse server task. When the fuse server task returns to userspace, it has to run the delayed fput, which in the case of a fuseblk server, it does synchronously. Sending the FUSE_RELEASE command sychronously from fuse server threads is a bad idea because a client program can initiate enough simultaneous AIOs such that all the fuse server threads end up in delayed_fput, and now there aren't any threads left to handle the queued fuse commands. Fix this by only using asynchronous fputs when closing files, and leave a comment explaining why. Cc: stable(a)vger.kernel.org # v2.6.38 Fixes: 5a18ec176c934c ("fuse: fix hang of single threaded fuseblk filesystem") Signed-off-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Miklos Szeredi <mszeredi(a)redhat.com> diff --git a/fs/fuse/file.c b/fs/fuse/file.c index 54786f62a9d8..f1ef77a0be05 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -356,8 +356,14 @@ void fuse_file_release(struct inode *inode, struct fuse_file *ff, * Make the release synchronous if this is a fuseblk mount, * synchronous RELEASE is allowed (and desirable) in this case * because the server can be trusted not to screw up. + * + * Always use the asynchronous file put because the current thread + * might be the fuse server. This can happen if a process starts some + * aio and closes the fd before the aio completes. Since aio takes its + * own ref to the file, the IO completion has to drop the ref, which is + * how the fuse server can end up closing its clients' files. */ - fuse_file_put(ff, ff->fm->fc->destroy); + fuse_file_put(ff, false); } void fuse_release_common(struct file *file, bool isdir)

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] PCI: tegra194: Reset BARs when running in PCIe endpoint mode" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 42f9c66a6d0cc45758dab77233c5460e1cf003df # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101639-january-preheated-6487@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 42f9c66a6d0cc45758dab77233c5460e1cf003df Mon Sep 17 00:00:00 2001 From: Niklas Cassel <cassel(a)kernel.org> Date: Mon, 22 Sep 2025 16:08:25 +0200 Subject: [PATCH] PCI: tegra194: Reset BARs when running in PCIe endpoint mode Tegra already defines all BARs except BAR0 as BAR_RESERVED. This is sufficient for pci-epf-test to not allocate backing memory and to not call set_bar() for those BARs. However, marking a BAR as BAR_RESERVED does not mean that the BAR gets disabled. The host side driver, pci_endpoint_test, simply does an ioremap for all enabled BARs and will run tests against all enabled BARs, so it will run tests against the BARs marked as BAR_RESERVED. After running the BAR tests (which will write to all enabled BARs), the inbound address translation is broken. This is because the tegra controller exposes the ATU Port Logic Structure in BAR4, so when BAR4 is written, the inbound address translation settings get overwritten. To avoid this, implement the dw_pcie_ep_ops .init() callback and start off by disabling all BARs (pci-epf-test will later enable/configure BARs that are not defined as BAR_RESERVED). This matches the behavior of other PCIe endpoint drivers: dra7xx, imx6, layerscape-ep, artpec6, dw-rockchip, qcom-ep, rcar-gen4, and uniphier-ep. With this, the PCI endpoint kselftest test case CONSECUTIVE_BAR_TEST (which was specifically made to detect address translation issues) passes. Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194") Signed-off-by: Niklas Cassel <cassel(a)kernel.org> Signed-off-by: Manivannan Sadhasivam <mani(a)kernel.org> Signed-off-by: Bjorn Helgaas <bhelgaas(a)google.com> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20250922140822.519796-7-cassel@kernel.org diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c index fe418b9bfbb4..359d92dca86a 100644 --- a/drivers/pci/controller/dwc/pcie-tegra194.c +++ b/drivers/pci/controller/dwc/pcie-tegra194.c @@ -1941,6 +1941,15 @@ static irqreturn_t tegra_pcie_ep_pex_rst_irq(int irq, void *arg) return IRQ_HANDLED; } +static void tegra_pcie_ep_init(struct dw_pcie_ep *ep) +{ + struct dw_pcie *pci = to_dw_pcie_from_ep(ep); + enum pci_barno bar; + + for (bar = 0; bar < PCI_STD_NUM_BARS; bar++) + dw_pcie_ep_reset_bar(pci, bar); +}; + static int tegra_pcie_ep_raise_intx_irq(struct tegra_pcie_dw *pcie, u16 irq) { /* Tegra194 supports only INTA */ @@ -2016,6 +2025,7 @@ tegra_pcie_ep_get_features(struct dw_pcie_ep *ep) } static const struct dw_pcie_ep_ops pcie_ep_ops = { + .init = tegra_pcie_ep_init, .raise_irq = tegra_pcie_ep_raise_irq, .get_features = tegra_pcie_ep_get_features, };

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] PM: EM: Fix late boot with holes in CPU topology" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 1ebe8f7e782523e62cd1fa8237f7afba5d1dae83 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101616-gigahertz-profane-b22c@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1ebe8f7e782523e62cd1fa8237f7afba5d1dae83 Mon Sep 17 00:00:00 2001 From: Christian Loehle <christian.loehle(a)arm.com> Date: Sun, 31 Aug 2025 22:43:57 +0100 Subject: [PATCH] PM: EM: Fix late boot with holes in CPU topology Commit e3f1164fc9ee ("PM: EM: Support late CPUs booting and capacity adjustment") added a mechanism to handle CPUs that come up late by retrying when any of the `cpufreq_cpu_get()` call fails. However, if there are holes in the CPU topology (offline CPUs, e.g. nosmt), the first missing CPU causes the loop to break, preventing subsequent online CPUs from being updated. Instead of aborting on the first missing CPU policy, loop through all and retry if any were missing. Fixes: e3f1164fc9ee ("PM: EM: Support late CPUs booting and capacity adjustment") Suggested-by: Kenneth Crudup <kenneth.crudup(a)gmail.com> Reported-by: Kenneth Crudup <kenneth.crudup(a)gmail.com> Link: https://lore.kernel.org/linux-pm/40212796-734c-4140-8a85-854f72b8144d@panix… Cc: 6.9+ <stable(a)vger.kernel.org> # 6.9+ Signed-off-by: Christian Loehle <christian.loehle(a)arm.com> Link: https://patch.msgid.link/20250831214357.2020076-1-christian.loehle@arm.com [ rjw: Drop the new pr_debug() message which is not very useful ] Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> diff --git a/kernel/power/energy_model.c b/kernel/power/energy_model.c index 8df55397414a..5f17d2e8e954 100644 --- a/kernel/power/energy_model.c +++ b/kernel/power/energy_model.c @@ -799,7 +799,7 @@ void em_adjust_cpu_capacity(unsigned int cpu) static void em_check_capacity_update(void) { cpumask_var_t cpu_done_mask; - int cpu; + int cpu, failed_cpus = 0; if (!zalloc_cpumask_var(&cpu_done_mask, GFP_KERNEL)) { pr_warn("no free memory\n"); @@ -817,10 +817,8 @@ static void em_check_capacity_update(void) policy = cpufreq_cpu_get(cpu); if (!policy) { - pr_debug("Accessing cpu%d policy failed\n", cpu); - schedule_delayed_work(&em_update_work, - msecs_to_jiffies(1000)); - break; + failed_cpus++; + continue; } cpufreq_cpu_put(policy); @@ -835,6 +833,9 @@ static void em_check_capacity_update(void) em_adjust_new_capacity(cpu, dev, pd); } + if (failed_cpus) + schedule_delayed_work(&em_update_work, msecs_to_jiffies(1000)); + free_cpumask_var(cpu_done_mask); }

1 month, 1 week

2
4
0 0

[REGRESSION] stable-rc/linux-5.10.y: (build) passing 'const struct iomap *' to parameter of type 'struct iomap ...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-5.10.y: --- passing 'const struct iomap *' to parameter of type 'struct iomap *' discards qualifiers [-Werror,-Wincompatible-pointer-types-discards-qualifiers] in fs/dax.o (fs/dax.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:568e928648fdbc507b4cfc190ad338a93fe02440 - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 63caad8a89c150b298b2e95d18ca60cd904d3183 Log excerpt: ===================================================== fs/dax.c:1147:44: error: passing 'const struct iomap *' to parameter of type 'struct iomap *' discards qualifiers [-Werror,-Wincompatible-pointer-types-discards-qualifiers] 1147 | const sector_t sector = dax_iomap_sector(iomap, pos); | ^~~~~ fs/dax.c:1009:48: note: passing argument to parameter 'iomap' here 1009 | static sector_t dax_iomap_sector(struct iomap *iomap, loff_t pos) | ^ 1 error generated. ===================================================== # Builds where the incident occurred: ## defconfig+allmodconfig on (arm64): - compiler: clang-17 - config: https://files.kernelci.org/kbuild-clang-17-arm64-allmodconfig-68f7d39c95331… - dashboard: https://d.kernelci.org/build/maestro:68f7d39c9533132a1895417c #kernelci issue maestro:568e928648fdbc507b4cfc190ad338a93fe02440 Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

1 month, 1 week

1
0
0 0

FAILED: patch "[PATCH] memory: samsung: exynos-srom: Fix of_iomap leak in" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 6744085079e785dae5f7a2239456135407c58b25 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101607-discharge-haiku-4150@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6744085079e785dae5f7a2239456135407c58b25 Mon Sep 17 00:00:00 2001 From: Zhen Ni <zhen.ni(a)easystack.cn> Date: Wed, 6 Aug 2025 10:55:38 +0800 Subject: [PATCH] memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe The of_platform_populate() call at the end of the function has a possible failure path, causing a resource leak. Replace of_iomap() with devm_platform_ioremap_resource() to ensure automatic cleanup of srom->reg_base. This issue was detected by smatch static analysis: drivers/memory/samsung/exynos-srom.c:155 exynos_srom_probe()warn: 'srom->reg_base' from of_iomap() not released on lines: 155. Fixes: 8ac2266d8831 ("memory: samsung: exynos-srom: Add support for bank configuration") Cc: stable(a)vger.kernel.org Signed-off-by: Zhen Ni <zhen.ni(a)easystack.cn> Link: https://lore.kernel.org/r/20250806025538.306593-1-zhen.ni@easystack.cn Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> diff --git a/drivers/memory/samsung/exynos-srom.c b/drivers/memory/samsung/exynos-srom.c index e73dd330af47..d913fb901973 100644 --- a/drivers/memory/samsung/exynos-srom.c +++ b/drivers/memory/samsung/exynos-srom.c @@ -121,20 +121,18 @@ static int exynos_srom_probe(struct platform_device *pdev) return -ENOMEM; srom->dev = dev; - srom->reg_base = of_iomap(np, 0); - if (!srom->reg_base) { + srom->reg_base = devm_platform_ioremap_resource(pdev, 0); + if (IS_ERR(srom->reg_base)) { dev_err(&pdev->dev, "iomap of exynos srom controller failed\n"); - return -ENOMEM; + return PTR_ERR(srom->reg_base); } platform_set_drvdata(pdev, srom); srom->reg_offset = exynos_srom_alloc_reg_dump(exynos_srom_offsets, ARRAY_SIZE(exynos_srom_offsets)); - if (!srom->reg_offset) { - iounmap(srom->reg_base); + if (!srom->reg_offset) return -ENOMEM; - } for_each_child_of_node(np, child) { if (exynos_srom_configure_bank(srom, child)) {

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] PCI: rcar-host: Drop PMSR spinlock" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 0a8f173d9dad13930d5888505dc4c4fd6a1d4262 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101648-abruptly-poncho-afdd@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0a8f173d9dad13930d5888505dc4c4fd6a1d4262 Mon Sep 17 00:00:00 2001 From: Marek Vasut <marek.vasut+renesas(a)mailbox.org> Date: Tue, 9 Sep 2025 18:26:24 +0200 Subject: [PATCH] PCI: rcar-host: Drop PMSR spinlock The pmsr_lock spinlock used to be necessary to synchronize access to the PMSR register, because that access could have been triggered from either config space access in rcar_pcie_config_access() or an exception handler rcar_pcie_aarch32_abort_handler(). The rcar_pcie_aarch32_abort_handler() case is no longer applicable since commit 6e36203bc14c ("PCI: rcar: Use PCI_SET_ERROR_RESPONSE after read which triggered an exception"), which performs more accurate, controlled invocation of the exception, and a fixup. This leaves rcar_pcie_config_access() as the only call site from which rcar_pcie_wakeup() is called. The rcar_pcie_config_access() can only be called from the controller struct pci_ops .read and .write callbacks, and those are serialized in drivers/pci/access.c using raw spinlock 'pci_lock' . It should be noted that CONFIG_PCI_LOCKLESS_CONFIG is never set on this platform. Since the 'pci_lock' is a raw spinlock , and the 'pmsr_lock' is not a raw spinlock, this constellation triggers 'BUG: Invalid wait context' with CONFIG_PROVE_RAW_LOCK_NESTING=y . Remove the pmsr_lock to fix the locking. Fixes: a115b1bd3af0 ("PCI: rcar: Add L1 link state fix into data abort hook") Reported-by: Duy Nguyen <duy.nguyen.rh(a)renesas.com> Reported-by: Thuan Nguyen <thuan.nguyen-hong(a)banvien.com.vn> Signed-off-by: Marek Vasut <marek.vasut+renesas(a)mailbox.org> Signed-off-by: Manivannan Sadhasivam <mani(a)kernel.org> Reviewed-by: Geert Uytterhoeven <geert+renesas(a)glider.be> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20250909162707.13927-1-marek.vasut+renesas@mailbox… diff --git a/drivers/pci/controller/pcie-rcar-host.c b/drivers/pci/controller/pcie-rcar-host.c index 4780e0109e58..625a00f3b223 100644 --- a/drivers/pci/controller/pcie-rcar-host.c +++ b/drivers/pci/controller/pcie-rcar-host.c @@ -52,20 +52,13 @@ struct rcar_pcie_host { int (*phy_init_fn)(struct rcar_pcie_host *host); }; -static DEFINE_SPINLOCK(pmsr_lock); - static int rcar_pcie_wakeup(struct device *pcie_dev, void __iomem *pcie_base) { - unsigned long flags; u32 pmsr, val; int ret = 0; - spin_lock_irqsave(&pmsr_lock, flags); - - if (!pcie_base || pm_runtime_suspended(pcie_dev)) { - ret = -EINVAL; - goto unlock_exit; - } + if (!pcie_base || pm_runtime_suspended(pcie_dev)) + return -EINVAL; pmsr = readl(pcie_base + PMSR); @@ -87,8 +80,6 @@ static int rcar_pcie_wakeup(struct device *pcie_dev, void __iomem *pcie_base) writel(L1FAEG | PMEL1RX, pcie_base + PMSR); } -unlock_exit: - spin_unlock_irqrestore(&pmsr_lock, flags); return ret; }

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] PCI: tegra194: Reset BARs when running in PCIe endpoint mode" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 42f9c66a6d0cc45758dab77233c5460e1cf003df # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101638-slider-outlying-148b@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 42f9c66a6d0cc45758dab77233c5460e1cf003df Mon Sep 17 00:00:00 2001 From: Niklas Cassel <cassel(a)kernel.org> Date: Mon, 22 Sep 2025 16:08:25 +0200 Subject: [PATCH] PCI: tegra194: Reset BARs when running in PCIe endpoint mode Tegra already defines all BARs except BAR0 as BAR_RESERVED. This is sufficient for pci-epf-test to not allocate backing memory and to not call set_bar() for those BARs. However, marking a BAR as BAR_RESERVED does not mean that the BAR gets disabled. The host side driver, pci_endpoint_test, simply does an ioremap for all enabled BARs and will run tests against all enabled BARs, so it will run tests against the BARs marked as BAR_RESERVED. After running the BAR tests (which will write to all enabled BARs), the inbound address translation is broken. This is because the tegra controller exposes the ATU Port Logic Structure in BAR4, so when BAR4 is written, the inbound address translation settings get overwritten. To avoid this, implement the dw_pcie_ep_ops .init() callback and start off by disabling all BARs (pci-epf-test will later enable/configure BARs that are not defined as BAR_RESERVED). This matches the behavior of other PCIe endpoint drivers: dra7xx, imx6, layerscape-ep, artpec6, dw-rockchip, qcom-ep, rcar-gen4, and uniphier-ep. With this, the PCI endpoint kselftest test case CONSECUTIVE_BAR_TEST (which was specifically made to detect address translation issues) passes. Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194") Signed-off-by: Niklas Cassel <cassel(a)kernel.org> Signed-off-by: Manivannan Sadhasivam <mani(a)kernel.org> Signed-off-by: Bjorn Helgaas <bhelgaas(a)google.com> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20250922140822.519796-7-cassel@kernel.org diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c index fe418b9bfbb4..359d92dca86a 100644 --- a/drivers/pci/controller/dwc/pcie-tegra194.c +++ b/drivers/pci/controller/dwc/pcie-tegra194.c @@ -1941,6 +1941,15 @@ static irqreturn_t tegra_pcie_ep_pex_rst_irq(int irq, void *arg) return IRQ_HANDLED; } +static void tegra_pcie_ep_init(struct dw_pcie_ep *ep) +{ + struct dw_pcie *pci = to_dw_pcie_from_ep(ep); + enum pci_barno bar; + + for (bar = 0; bar < PCI_STD_NUM_BARS; bar++) + dw_pcie_ep_reset_bar(pci, bar); +}; + static int tegra_pcie_ep_raise_intx_irq(struct tegra_pcie_dw *pcie, u16 irq) { /* Tegra194 supports only INTA */ @@ -2016,6 +2025,7 @@ tegra_pcie_ep_get_features(struct dw_pcie_ep *ep) } static const struct dw_pcie_ep_ops pcie_ep_ops = { + .init = tegra_pcie_ep_init, .raise_irq = tegra_pcie_ep_raise_irq, .get_features = tegra_pcie_ep_get_features, };

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] PCI: j721e: Fix programming sequence of "strap" settings" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x f842d3313ba179d4005096357289c7ad09cec575 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101614-regulator-gumball-c7c6@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f842d3313ba179d4005096357289c7ad09cec575 Mon Sep 17 00:00:00 2001 From: Siddharth Vadapalli <s-vadapalli(a)ti.com> Date: Mon, 8 Sep 2025 17:38:27 +0530 Subject: [PATCH] PCI: j721e: Fix programming sequence of "strap" settings The Cadence PCIe Controller integrated in the TI K3 SoCs supports both Root-Complex and Endpoint modes of operation. The Glue Layer allows "strapping" the Mode of operation of the Controller, the Link Speed and the Link Width. This is enabled by programming the "PCIEn_CTRL" register (n corresponds to the PCIe instance) within the CTRL_MMR memory-mapped register space. The "reset-values" of the registers are also different depending on the mode of operation. Since the PCIe Controller latches onto the "reset-values" immediately after being powered on, if the Glue Layer configuration is not done while the PCIe Controller is off, it will result in the PCIe Controller latching onto the wrong "reset-values". In practice, this will show up as a wrong representation of the PCIe Controller's capability structures in the PCIe Configuration Space. Some such capabilities which are supported by the PCIe Controller in the Root-Complex mode but are incorrectly latched onto as being unsupported are: - Link Bandwidth Notification - Alternate Routing ID (ARI) Forwarding Support - Next capability offset within Advanced Error Reporting (AER) capability Fix this by powering off the PCIe Controller before programming the "strap" settings and powering it on after that. The runtime PM APIs namely pm_runtime_put_sync() and pm_runtime_get_sync() will decrement and increment the usage counter respectively, causing GENPD to power off and power on the PCIe Controller. Fixes: f3e25911a430 ("PCI: j721e: Add TI J721E PCIe driver") Signed-off-by: Siddharth Vadapalli <s-vadapalli(a)ti.com> Signed-off-by: Manivannan Sadhasivam <mani(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20250908120828.1471776-1-s-vadapalli@ti.com diff --git a/drivers/pci/controller/cadence/pci-j721e.c b/drivers/pci/controller/cadence/pci-j721e.c index cfca13a4c840..5a9ae33e2b93 100644 --- a/drivers/pci/controller/cadence/pci-j721e.c +++ b/drivers/pci/controller/cadence/pci-j721e.c @@ -284,6 +284,25 @@ static int j721e_pcie_ctrl_init(struct j721e_pcie *pcie) if (!ret) offset = args.args[0]; + /* + * The PCIe Controller's registers have different "reset-values" + * depending on the "strap" settings programmed into the PCIEn_CTRL + * register within the CTRL_MMR memory-mapped register space. + * The registers latch onto a "reset-value" based on the "strap" + * settings sampled after the PCIe Controller is powered on. + * To ensure that the "reset-values" are sampled accurately, power + * off the PCIe Controller before programming the "strap" settings + * and power it on after that. The runtime PM APIs namely + * pm_runtime_put_sync() and pm_runtime_get_sync() will decrement and + * increment the usage counter respectively, causing GENPD to power off + * and power on the PCIe Controller. + */ + ret = pm_runtime_put_sync(dev); + if (ret < 0) { + dev_err(dev, "Failed to power off PCIe Controller\n"); + return ret; + } + ret = j721e_pcie_set_mode(pcie, syscon, offset); if (ret < 0) { dev_err(dev, "Failed to set pci mode\n"); @@ -302,6 +321,12 @@ static int j721e_pcie_ctrl_init(struct j721e_pcie *pcie) return ret; } + ret = pm_runtime_get_sync(dev); + if (ret < 0) { + dev_err(dev, "Failed to power on PCIe Controller\n"); + return ret; + } + /* Enable ACSPCIE refclk output if the optional property exists */ syscon = syscon_regmap_lookup_by_phandle_optional(node, "ti,syscon-acspcie-proxy-ctrl");

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] PCI: tegra194: Reset BARs when running in PCIe endpoint mode" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 42f9c66a6d0cc45758dab77233c5460e1cf003df # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101638-carry-unwashed-bba6@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 42f9c66a6d0cc45758dab77233c5460e1cf003df Mon Sep 17 00:00:00 2001 From: Niklas Cassel <cassel(a)kernel.org> Date: Mon, 22 Sep 2025 16:08:25 +0200 Subject: [PATCH] PCI: tegra194: Reset BARs when running in PCIe endpoint mode Tegra already defines all BARs except BAR0 as BAR_RESERVED. This is sufficient for pci-epf-test to not allocate backing memory and to not call set_bar() for those BARs. However, marking a BAR as BAR_RESERVED does not mean that the BAR gets disabled. The host side driver, pci_endpoint_test, simply does an ioremap for all enabled BARs and will run tests against all enabled BARs, so it will run tests against the BARs marked as BAR_RESERVED. After running the BAR tests (which will write to all enabled BARs), the inbound address translation is broken. This is because the tegra controller exposes the ATU Port Logic Structure in BAR4, so when BAR4 is written, the inbound address translation settings get overwritten. To avoid this, implement the dw_pcie_ep_ops .init() callback and start off by disabling all BARs (pci-epf-test will later enable/configure BARs that are not defined as BAR_RESERVED). This matches the behavior of other PCIe endpoint drivers: dra7xx, imx6, layerscape-ep, artpec6, dw-rockchip, qcom-ep, rcar-gen4, and uniphier-ep. With this, the PCI endpoint kselftest test case CONSECUTIVE_BAR_TEST (which was specifically made to detect address translation issues) passes. Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194") Signed-off-by: Niklas Cassel <cassel(a)kernel.org> Signed-off-by: Manivannan Sadhasivam <mani(a)kernel.org> Signed-off-by: Bjorn Helgaas <bhelgaas(a)google.com> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20250922140822.519796-7-cassel@kernel.org diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c index fe418b9bfbb4..359d92dca86a 100644 --- a/drivers/pci/controller/dwc/pcie-tegra194.c +++ b/drivers/pci/controller/dwc/pcie-tegra194.c @@ -1941,6 +1941,15 @@ static irqreturn_t tegra_pcie_ep_pex_rst_irq(int irq, void *arg) return IRQ_HANDLED; } +static void tegra_pcie_ep_init(struct dw_pcie_ep *ep) +{ + struct dw_pcie *pci = to_dw_pcie_from_ep(ep); + enum pci_barno bar; + + for (bar = 0; bar < PCI_STD_NUM_BARS; bar++) + dw_pcie_ep_reset_bar(pci, bar); +}; + static int tegra_pcie_ep_raise_intx_irq(struct tegra_pcie_dw *pcie, u16 irq) { /* Tegra194 supports only INTA */ @@ -2016,6 +2025,7 @@ tegra_pcie_ep_get_features(struct dw_pcie_ep *ep) } static const struct dw_pcie_ep_ops pcie_ep_ops = { + .init = tegra_pcie_ep_init, .raise_irq = tegra_pcie_ep_raise_irq, .get_features = tegra_pcie_ep_get_features, };

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] spi: cadence-quadspi: Flush posted register writes before" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 29e0b471ccbd674d20d4bbddea1a51e7105212c5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101621-blah-dyslexic-116b@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 29e0b471ccbd674d20d4bbddea1a51e7105212c5 Mon Sep 17 00:00:00 2001 From: Pratyush Yadav <pratyush(a)kernel.org> Date: Sat, 6 Sep 2025 00:29:55 +0530 Subject: [PATCH] spi: cadence-quadspi: Flush posted register writes before INDAC access cqspi_indirect_read_execute() and cqspi_indirect_write_execute() first set the enable bit on APB region and then start reading/writing to the AHB region. On TI K3 SoCs these regions lie on different endpoints. This means that the order of the two operations is not guaranteed, and they might be reordered at the interconnect level. It is possible for the AHB write to be executed before the APB write to enable the indirect controller, causing the transaction to be invalid and the write erroring out. Read back the APB region write before accessing the AHB region to make sure the write got flushed and the race condition is eliminated. Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller") CC: stable(a)vger.kernel.org Reviewed-by: Pratyush Yadav <pratyush(a)kernel.org> Signed-off-by: Pratyush Yadav <pratyush(a)kernel.org> Signed-off-by: Santhosh Kumar K <s-k6(a)ti.com> Message-ID: <20250905185958.3575037-2-s-k6(a)ti.com> Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c index 9bf823348cd3..eaf9a0f522d5 100644 --- a/drivers/spi/spi-cadence-quadspi.c +++ b/drivers/spi/spi-cadence-quadspi.c @@ -764,6 +764,7 @@ static int cqspi_indirect_read_execute(struct cqspi_flash_pdata *f_pdata, reinit_completion(&cqspi->transfer_complete); writel(CQSPI_REG_INDIRECTRD_START_MASK, reg_base + CQSPI_REG_INDIRECTRD); + readl(reg_base + CQSPI_REG_INDIRECTRD); /* Flush posted write. */ while (remaining > 0) { if (use_irq && @@ -1090,6 +1091,8 @@ static int cqspi_indirect_write_execute(struct cqspi_flash_pdata *f_pdata, reinit_completion(&cqspi->transfer_complete); writel(CQSPI_REG_INDIRECTWR_START_MASK, reg_base + CQSPI_REG_INDIRECTWR); + readl(reg_base + CQSPI_REG_INDIRECTWR); /* Flush posted write. */ + /* * As per 66AK2G02 TRM SPRUHY8F section 11.15.5.3 Indirect Access * Controller programming sequence, couple of cycles of

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] spi: cadence-quadspi: Flush posted register writes before DAC" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 1ad55767e77a853c98752ed1e33b68049a243bd7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101635-laurel-crawling-2104@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1ad55767e77a853c98752ed1e33b68049a243bd7 Mon Sep 17 00:00:00 2001 From: Pratyush Yadav <pratyush(a)kernel.org> Date: Sat, 6 Sep 2025 00:29:56 +0530 Subject: [PATCH] spi: cadence-quadspi: Flush posted register writes before DAC access cqspi_read_setup() and cqspi_write_setup() program the address width as the last step in the setup. This is likely to be immediately followed by a DAC region read/write. On TI K3 SoCs the DAC region is on a different endpoint from the register region. This means that the order of the two operations is not guaranteed, and they might be reordered at the interconnect level. It is possible that the DAC read/write goes through before the address width update goes through. In this situation if the previous command used a different address width the OSPI command is sent with the wrong number of address bytes, resulting in an invalid command and undefined behavior. Read back the size register to make sure the write gets flushed before accessing the DAC region. Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller") CC: stable(a)vger.kernel.org Reviewed-by: Pratyush Yadav <pratyush(a)kernel.org> Signed-off-by: Pratyush Yadav <pratyush(a)kernel.org> Signed-off-by: Santhosh Kumar K <s-k6(a)ti.com> Message-ID: <20250905185958.3575037-3-s-k6(a)ti.com> Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c index eaf9a0f522d5..447a32a08a93 100644 --- a/drivers/spi/spi-cadence-quadspi.c +++ b/drivers/spi/spi-cadence-quadspi.c @@ -719,6 +719,7 @@ static int cqspi_read_setup(struct cqspi_flash_pdata *f_pdata, reg &= ~CQSPI_REG_SIZE_ADDRESS_MASK; reg |= (op->addr.nbytes - 1); writel(reg, reg_base + CQSPI_REG_SIZE); + readl(reg_base + CQSPI_REG_SIZE); /* Flush posted write. */ return 0; } @@ -1063,6 +1064,7 @@ static int cqspi_write_setup(struct cqspi_flash_pdata *f_pdata, reg &= ~CQSPI_REG_SIZE_ADDRESS_MASK; reg |= (op->addr.nbytes - 1); writel(reg, reg_base + CQSPI_REG_SIZE); + readl(reg_base + CQSPI_REG_SIZE); /* Flush posted write. */ return 0; }

1 month, 1 week

2
1
0 0

[PATCH 2/2] io_uring/sqpoll: be smarter on when to update the stime usage

by Jens Axboe

The current approach is a bit naive, and hence calls the time querying way too often. Only start the "doing work" timer when there's actual work to do, and then use that information to terminate (and account) the work time once done. This greatly reduces the frequency of these calls, when they cannot have changed anyway. Running a basic random reader that is setup to use SQPOLL, a profile before this change shows these as the top cycle consumers: + 32.60% iou-sqp-1074 [kernel.kallsyms] [k] thread_group_cputime_adjusted + 19.97% iou-sqp-1074 [kernel.kallsyms] [k] thread_group_cputime + 12.20% io_uring io_uring [.] submitter_uring_fn + 4.13% iou-sqp-1074 [kernel.kallsyms] [k] getrusage + 2.45% iou-sqp-1074 [kernel.kallsyms] [k] io_submit_sqes + 2.18% iou-sqp-1074 [kernel.kallsyms] [k] __pi_memset_generic + 2.09% iou-sqp-1074 [kernel.kallsyms] [k] cputime_adjust and after this change, top of profile looks as follows: + 36.23% io_uring io_uring [.] submitter_uring_fn + 23.26% iou-sqp-819 [kernel.kallsyms] [k] io_sq_thread + 10.14% iou-sqp-819 [kernel.kallsyms] [k] io_sq_tw + 6.52% iou-sqp-819 [kernel.kallsyms] [k] tctx_task_work_run + 4.82% iou-sqp-819 [kernel.kallsyms] [k] nvme_submit_cmds.part.0 + 2.91% iou-sqp-819 [kernel.kallsyms] [k] io_submit_sqes [...] 0.02% iou-sqp-819 [kernel.kallsyms] [k] cputime_adjust where it's spending the cycles on things that actually matter. Reported-by: Fengnan Chang <changfengnan(a)bytedance.com> Cc: stable(a)vger.kernel.org Fixes: 3fcb9d17206e ("io_uring/sqpoll: statistics of the true utilization of sq threads") Signed-off-by: Jens Axboe <axboe(a)kernel.dk> --- io_uring/sqpoll.c | 43 ++++++++++++++++++++++++++++++++----------- 1 file changed, 32 insertions(+), 11 deletions(-) diff --git a/io_uring/sqpoll.c b/io_uring/sqpoll.c index 8705b0aa82e0..f6916f46c047 100644 --- a/io_uring/sqpoll.c +++ b/io_uring/sqpoll.c @@ -170,6 +170,11 @@ static inline bool io_sqd_events_pending(struct io_sq_data *sqd) return READ_ONCE(sqd->state); } +struct io_sq_time { + bool started; + struct timespec64 ts; +}; + struct timespec64 io_sq_cpu_time(struct task_struct *tsk) { u64 utime, stime; @@ -178,15 +183,27 @@ struct timespec64 io_sq_cpu_time(struct task_struct *tsk) return ns_to_timespec64(stime); } -static void io_sq_update_worktime(struct io_sq_data *sqd, struct timespec64 start) +static void io_sq_update_worktime(struct io_sq_data *sqd, struct io_sq_time *ist) { struct timespec64 ts; - ts = timespec64_sub(io_sq_cpu_time(current), start); + if (!ist->started) + return; + ist->started = false; + ts = timespec64_sub(io_sq_cpu_time(current), ist->ts); sqd->work_time += ts.tv_sec * 1000000 + ts.tv_nsec / 1000; } -static int __io_sq_thread(struct io_ring_ctx *ctx, bool cap_entries) +static void io_sq_start_worktime(struct io_sq_time *ist) +{ + if (ist->started) + return; + ist->started = true; + ist->ts = io_sq_cpu_time(current); +} + +static int __io_sq_thread(struct io_ring_ctx *ctx, struct io_sq_data *sqd, + bool cap_entries, struct io_sq_time *ist) { unsigned int to_submit; int ret = 0; @@ -199,6 +216,8 @@ static int __io_sq_thread(struct io_ring_ctx *ctx, bool cap_entries) if (to_submit || !wq_list_empty(&ctx->iopoll_list)) { const struct cred *creds = NULL; + io_sq_start_worktime(ist); + if (ctx->sq_creds != current_cred()) creds = override_creds(ctx->sq_creds); @@ -277,7 +296,6 @@ static int io_sq_thread(void *data) struct llist_node *retry_list = NULL; struct io_sq_data *sqd = data; struct io_ring_ctx *ctx; - struct timespec64 start; unsigned long timeout = 0; char buf[TASK_COMM_LEN] = {}; DEFINE_WAIT(wait); @@ -315,6 +333,7 @@ static int io_sq_thread(void *data) mutex_lock(&sqd->lock); while (1) { bool cap_entries, sqt_spin = false; + struct io_sq_time ist = { }; if (io_sqd_events_pending(sqd) || signal_pending(current)) { if (io_sqd_handle_event(sqd)) @@ -323,9 +342,8 @@ static int io_sq_thread(void *data) } cap_entries = !list_is_singular(&sqd->ctx_list); - start = io_sq_cpu_time(current); list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) { - int ret = __io_sq_thread(ctx, cap_entries); + int ret = __io_sq_thread(ctx, sqd, cap_entries, &ist); if (!sqt_spin && (ret > 0 || !wq_list_empty(&ctx->iopoll_list))) sqt_spin = true; @@ -333,15 +351,18 @@ static int io_sq_thread(void *data) if (io_sq_tw(&retry_list, IORING_TW_CAP_ENTRIES_VALUE)) sqt_spin = true; - list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) - if (io_napi(ctx)) + list_for_each_entry(ctx, &sqd->ctx_list, sqd_list) { + if (io_napi(ctx)) { + io_sq_start_worktime(&ist); io_napi_sqpoll_busy_poll(ctx); + } + } + + io_sq_update_worktime(sqd, &ist); if (sqt_spin || !time_after(jiffies, timeout)) { - if (sqt_spin) { - io_sq_update_worktime(sqd, start); + if (sqt_spin) timeout = jiffies + sqd->sq_thread_idle; - } if (unlikely(need_resched())) { mutex_unlock(&sqd->lock); cond_resched(); -- 2.51.0

1 month, 1 week

1
0
0 0

FAILED: patch "[PATCH] ext4: avoid potential buffer over-read in" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101635-twitch-preoccupy-ad1d@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 Mon Sep 17 00:00:00 2001 From: Theodore Ts'o <tytso(a)mit.edu> Date: Tue, 16 Sep 2025 23:22:47 -0400 Subject: [PATCH] ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Unlike other strings in the ext4 superblock, we rely on tune2fs to make sure s_mount_opts is NUL terminated. Harden parse_apply_sb_mount_options() by treating s_mount_opts as a potential __nonstring. Cc: stable(a)vger.kernel.org Fixes: 8b67f04ab9de ("ext4: Add mount options in superblock") Reviewed-by: Jan Kara <jack(a)suse.cz> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Message-ID: <20250916-tune2fs-v2-1-d594dc7486f0(a)mit.edu> Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> diff --git a/fs/ext4/super.c b/fs/ext4/super.c index d26e5c0731e5..488f4c281a3f 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -2469,7 +2469,7 @@ static int parse_apply_sb_mount_options(struct super_block *sb, struct ext4_fs_context *m_ctx) { struct ext4_sb_info *sbi = EXT4_SB(sb); - char *s_mount_opts = NULL; + char s_mount_opts[65]; struct ext4_fs_context *s_ctx = NULL; struct fs_context *fc = NULL; int ret = -ENOMEM; @@ -2477,15 +2477,11 @@ static int parse_apply_sb_mount_options(struct super_block *sb, if (!sbi->s_es->s_mount_opts[0]) return 0; - s_mount_opts = kstrndup(sbi->s_es->s_mount_opts, - sizeof(sbi->s_es->s_mount_opts), - GFP_KERNEL); - if (!s_mount_opts) - return ret; + strscpy_pad(s_mount_opts, sbi->s_es->s_mount_opts); fc = kzalloc(sizeof(struct fs_context), GFP_KERNEL); if (!fc) - goto out_free; + return -ENOMEM; s_ctx = kzalloc(sizeof(struct ext4_fs_context), GFP_KERNEL); if (!s_ctx) @@ -2517,11 +2513,8 @@ static int parse_apply_sb_mount_options(struct super_block *sb, ret = 0; out_free: - if (fc) { - ext4_fc_free(fc); - kfree(fc); - } - kfree(s_mount_opts); + ext4_fc_free(fc); + kfree(fc); return ret; }

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] ext4: avoid potential buffer over-read in" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101635-unbuckled-masses-9441@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 Mon Sep 17 00:00:00 2001 From: Theodore Ts'o <tytso(a)mit.edu> Date: Tue, 16 Sep 2025 23:22:47 -0400 Subject: [PATCH] ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Unlike other strings in the ext4 superblock, we rely on tune2fs to make sure s_mount_opts is NUL terminated. Harden parse_apply_sb_mount_options() by treating s_mount_opts as a potential __nonstring. Cc: stable(a)vger.kernel.org Fixes: 8b67f04ab9de ("ext4: Add mount options in superblock") Reviewed-by: Jan Kara <jack(a)suse.cz> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Message-ID: <20250916-tune2fs-v2-1-d594dc7486f0(a)mit.edu> Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> diff --git a/fs/ext4/super.c b/fs/ext4/super.c index d26e5c0731e5..488f4c281a3f 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -2469,7 +2469,7 @@ static int parse_apply_sb_mount_options(struct super_block *sb, struct ext4_fs_context *m_ctx) { struct ext4_sb_info *sbi = EXT4_SB(sb); - char *s_mount_opts = NULL; + char s_mount_opts[65]; struct ext4_fs_context *s_ctx = NULL; struct fs_context *fc = NULL; int ret = -ENOMEM; @@ -2477,15 +2477,11 @@ static int parse_apply_sb_mount_options(struct super_block *sb, if (!sbi->s_es->s_mount_opts[0]) return 0; - s_mount_opts = kstrndup(sbi->s_es->s_mount_opts, - sizeof(sbi->s_es->s_mount_opts), - GFP_KERNEL); - if (!s_mount_opts) - return ret; + strscpy_pad(s_mount_opts, sbi->s_es->s_mount_opts); fc = kzalloc(sizeof(struct fs_context), GFP_KERNEL); if (!fc) - goto out_free; + return -ENOMEM; s_ctx = kzalloc(sizeof(struct ext4_fs_context), GFP_KERNEL); if (!s_ctx) @@ -2517,11 +2513,8 @@ static int parse_apply_sb_mount_options(struct super_block *sb, ret = 0; out_free: - if (fc) { - ext4_fc_free(fc); - kfree(fc); - } - kfree(s_mount_opts); + ext4_fc_free(fc); + kfree(fc); return ret; }

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] spi: cadence-quadspi: Flush posted register writes before DAC" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 1ad55767e77a853c98752ed1e33b68049a243bd7 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101634-glare-unrivaled-70bf@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1ad55767e77a853c98752ed1e33b68049a243bd7 Mon Sep 17 00:00:00 2001 From: Pratyush Yadav <pratyush(a)kernel.org> Date: Sat, 6 Sep 2025 00:29:56 +0530 Subject: [PATCH] spi: cadence-quadspi: Flush posted register writes before DAC access cqspi_read_setup() and cqspi_write_setup() program the address width as the last step in the setup. This is likely to be immediately followed by a DAC region read/write. On TI K3 SoCs the DAC region is on a different endpoint from the register region. This means that the order of the two operations is not guaranteed, and they might be reordered at the interconnect level. It is possible that the DAC read/write goes through before the address width update goes through. In this situation if the previous command used a different address width the OSPI command is sent with the wrong number of address bytes, resulting in an invalid command and undefined behavior. Read back the size register to make sure the write gets flushed before accessing the DAC region. Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller") CC: stable(a)vger.kernel.org Reviewed-by: Pratyush Yadav <pratyush(a)kernel.org> Signed-off-by: Pratyush Yadav <pratyush(a)kernel.org> Signed-off-by: Santhosh Kumar K <s-k6(a)ti.com> Message-ID: <20250905185958.3575037-3-s-k6(a)ti.com> Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c index eaf9a0f522d5..447a32a08a93 100644 --- a/drivers/spi/spi-cadence-quadspi.c +++ b/drivers/spi/spi-cadence-quadspi.c @@ -719,6 +719,7 @@ static int cqspi_read_setup(struct cqspi_flash_pdata *f_pdata, reg &= ~CQSPI_REG_SIZE_ADDRESS_MASK; reg |= (op->addr.nbytes - 1); writel(reg, reg_base + CQSPI_REG_SIZE); + readl(reg_base + CQSPI_REG_SIZE); /* Flush posted write. */ return 0; } @@ -1063,6 +1064,7 @@ static int cqspi_write_setup(struct cqspi_flash_pdata *f_pdata, reg &= ~CQSPI_REG_SIZE_ADDRESS_MASK; reg |= (op->addr.nbytes - 1); writel(reg, reg_base + CQSPI_REG_SIZE); + readl(reg_base + CQSPI_REG_SIZE); /* Flush posted write. */ return 0; }

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] phy: cadence: cdns-dphy: Update calibration wait time for" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 2c27aaee934a1b5229152fe33a14f1fdf50da143 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101626-squeamish-relock-6780@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2c27aaee934a1b5229152fe33a14f1fdf50da143 Mon Sep 17 00:00:00 2001 From: Devarsh Thakkar <devarsht(a)ti.com> Date: Fri, 4 Jul 2025 18:29:15 +0530 Subject: [PATCH] phy: cadence: cdns-dphy: Update calibration wait time for startup state machine Do read-modify-write so that we re-use the characterized reset value as specified in TRM [1] to program calibration wait time which defines number of cycles to wait for after startup state machine is in bandgap enable state. This fixes PLL lock timeout error faced while using RPi DSI Panel on TI's AM62L and J721E SoC since earlier calibration wait time was getting overwritten to zero value thus failing the PLL to lockup and causing timeout. [1] AM62P TRM (Section 14.8.6.3.2.1.1 DPHY_TX_DPHYTX_CMN0_CMN_DIG_TBIT2): Link: https://www.ti.com/lit/pdf/spruj83 Cc: stable(a)vger.kernel.org Fixes: 7a343c8bf4b5 ("phy: Add Cadence D-PHY support") Signed-off-by: Devarsh Thakkar <devarsht(a)ti.com> Tested-by: Harikrishna Shenoy <h-shenoy(a)ti.com> Reviewed-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Link: https://lore.kernel.org/r/20250704125915.1224738-3-devarsht@ti.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/cadence/cdns-dphy.c b/drivers/phy/cadence/cdns-dphy.c index da8de0a9d086..24a25606996c 100644 --- a/drivers/phy/cadence/cdns-dphy.c +++ b/drivers/phy/cadence/cdns-dphy.c @@ -30,6 +30,7 @@ #define DPHY_CMN_SSM DPHY_PMA_CMN(0x20) #define DPHY_CMN_SSM_EN BIT(0) +#define DPHY_CMN_SSM_CAL_WAIT_TIME GENMASK(8, 1) #define DPHY_CMN_TX_MODE_EN BIT(9) #define DPHY_CMN_PWM DPHY_PMA_CMN(0x40) @@ -410,7 +411,8 @@ static int cdns_dphy_power_on(struct phy *phy) writel(reg, dphy->regs + DPHY_BAND_CFG); /* Start TX state machine. */ - writel(DPHY_CMN_SSM_EN | DPHY_CMN_TX_MODE_EN, + reg = readl(dphy->regs + DPHY_CMN_SSM); + writel((reg & DPHY_CMN_SSM_CAL_WAIT_TIME) | DPHY_CMN_SSM_EN | DPHY_CMN_TX_MODE_EN, dphy->regs + DPHY_CMN_SSM); ret = cdns_dphy_wait_for_pll_lock(dphy);

1 month, 1 week

2
3
0 0

FAILED: patch "[PATCH] ext4: avoid potential buffer over-read in" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101622-hungrily-marbling-e7ef@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 Mon Sep 17 00:00:00 2001 From: Theodore Ts'o <tytso(a)mit.edu> Date: Tue, 16 Sep 2025 23:22:47 -0400 Subject: [PATCH] ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Unlike other strings in the ext4 superblock, we rely on tune2fs to make sure s_mount_opts is NUL terminated. Harden parse_apply_sb_mount_options() by treating s_mount_opts as a potential __nonstring. Cc: stable(a)vger.kernel.org Fixes: 8b67f04ab9de ("ext4: Add mount options in superblock") Reviewed-by: Jan Kara <jack(a)suse.cz> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Message-ID: <20250916-tune2fs-v2-1-d594dc7486f0(a)mit.edu> Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> diff --git a/fs/ext4/super.c b/fs/ext4/super.c index d26e5c0731e5..488f4c281a3f 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -2469,7 +2469,7 @@ static int parse_apply_sb_mount_options(struct super_block *sb, struct ext4_fs_context *m_ctx) { struct ext4_sb_info *sbi = EXT4_SB(sb); - char *s_mount_opts = NULL; + char s_mount_opts[65]; struct ext4_fs_context *s_ctx = NULL; struct fs_context *fc = NULL; int ret = -ENOMEM; @@ -2477,15 +2477,11 @@ static int parse_apply_sb_mount_options(struct super_block *sb, if (!sbi->s_es->s_mount_opts[0]) return 0; - s_mount_opts = kstrndup(sbi->s_es->s_mount_opts, - sizeof(sbi->s_es->s_mount_opts), - GFP_KERNEL); - if (!s_mount_opts) - return ret; + strscpy_pad(s_mount_opts, sbi->s_es->s_mount_opts); fc = kzalloc(sizeof(struct fs_context), GFP_KERNEL); if (!fc) - goto out_free; + return -ENOMEM; s_ctx = kzalloc(sizeof(struct ext4_fs_context), GFP_KERNEL); if (!s_ctx) @@ -2517,11 +2513,8 @@ static int parse_apply_sb_mount_options(struct super_block *sb, ret = 0; out_free: - if (fc) { - ext4_fc_free(fc); - kfree(fc); - } - kfree(s_mount_opts); + ext4_fc_free(fc); + kfree(fc); return ret; }

1 month, 1 week

2
1
0 0

[PATCH v3] drm/nouveau: Fix refcount leak in nouveau_connector_detect

by Shuhao Fu

A possible inconsistent refcount update has been identified in function `nouveau_connector_detect`, which may cause a resource leak. After calling `pm_runtime_get_*(dev->dev)`, the usage counter of `dev->dev` gets increased. In case function `nvif_outp_edid_get` returns negative, function `nouveau_connector_detect` returns without decreasing the usage counter of `dev->dev`, causing a refcount inconsistency. Closes: https://gitlab.freedesktop.org/drm/nouveau/-/issues/450 Fixes: 0cd7e0718139 ("drm/nouveau/disp: add output method to fetch edid") Signed-off-by: Shuhao Fu <sfual(a)cse.ust.hk> Cc: stable(a)vger.kernel.org Change in v3: - Cc stable Change in v2: - Add "Fixes" and "Cc" tags --- drivers/gpu/drm/nouveau/nouveau_connector.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c index 63621b151..45caccade 100644 --- a/drivers/gpu/drm/nouveau/nouveau_connector.c +++ b/drivers/gpu/drm/nouveau/nouveau_connector.c @@ -600,8 +600,10 @@ nouveau_connector_detect(struct drm_connector *connector, bool force) new_edid = drm_get_edid(connector, nv_encoder->i2c); } else { ret = nvif_outp_edid_get(&nv_encoder->outp, (u8 **)&new_edid); - if (ret < 0) - return connector_status_disconnected; + if (ret < 0) { + conn_status = connector_status_disconnected; + goto out; + } } nouveau_connector_set_edid(nv_connector, new_edid); -- 2.39.5

1 month, 1 week

1
1
0 0

FAILED: patch "[PATCH] phy: cadence: cdns-dphy: Update calibration wait time for" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 2c27aaee934a1b5229152fe33a14f1fdf50da143 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101626-mossy-unsaid-e0a8@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2c27aaee934a1b5229152fe33a14f1fdf50da143 Mon Sep 17 00:00:00 2001 From: Devarsh Thakkar <devarsht(a)ti.com> Date: Fri, 4 Jul 2025 18:29:15 +0530 Subject: [PATCH] phy: cadence: cdns-dphy: Update calibration wait time for startup state machine Do read-modify-write so that we re-use the characterized reset value as specified in TRM [1] to program calibration wait time which defines number of cycles to wait for after startup state machine is in bandgap enable state. This fixes PLL lock timeout error faced while using RPi DSI Panel on TI's AM62L and J721E SoC since earlier calibration wait time was getting overwritten to zero value thus failing the PLL to lockup and causing timeout. [1] AM62P TRM (Section 14.8.6.3.2.1.1 DPHY_TX_DPHYTX_CMN0_CMN_DIG_TBIT2): Link: https://www.ti.com/lit/pdf/spruj83 Cc: stable(a)vger.kernel.org Fixes: 7a343c8bf4b5 ("phy: Add Cadence D-PHY support") Signed-off-by: Devarsh Thakkar <devarsht(a)ti.com> Tested-by: Harikrishna Shenoy <h-shenoy(a)ti.com> Reviewed-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Link: https://lore.kernel.org/r/20250704125915.1224738-3-devarsht@ti.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/cadence/cdns-dphy.c b/drivers/phy/cadence/cdns-dphy.c index da8de0a9d086..24a25606996c 100644 --- a/drivers/phy/cadence/cdns-dphy.c +++ b/drivers/phy/cadence/cdns-dphy.c @@ -30,6 +30,7 @@ #define DPHY_CMN_SSM DPHY_PMA_CMN(0x20) #define DPHY_CMN_SSM_EN BIT(0) +#define DPHY_CMN_SSM_CAL_WAIT_TIME GENMASK(8, 1) #define DPHY_CMN_TX_MODE_EN BIT(9) #define DPHY_CMN_PWM DPHY_PMA_CMN(0x40) @@ -410,7 +411,8 @@ static int cdns_dphy_power_on(struct phy *phy) writel(reg, dphy->regs + DPHY_BAND_CFG); /* Start TX state machine. */ - writel(DPHY_CMN_SSM_EN | DPHY_CMN_TX_MODE_EN, + reg = readl(dphy->regs + DPHY_CMN_SSM); + writel((reg & DPHY_CMN_SSM_CAL_WAIT_TIME) | DPHY_CMN_SSM_EN | DPHY_CMN_TX_MODE_EN, dphy->regs + DPHY_CMN_SSM); ret = cdns_dphy_wait_for_pll_lock(dphy);

1 month, 1 week

2
3
0 0

FAILED: patch "[PATCH] ext4: avoid potential buffer over-read in" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101623-skydiver-grading-5b2f@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8ecb790ea8c3fc69e77bace57f14cf0d7c177bd8 Mon Sep 17 00:00:00 2001 From: Theodore Ts'o <tytso(a)mit.edu> Date: Tue, 16 Sep 2025 23:22:47 -0400 Subject: [PATCH] ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Unlike other strings in the ext4 superblock, we rely on tune2fs to make sure s_mount_opts is NUL terminated. Harden parse_apply_sb_mount_options() by treating s_mount_opts as a potential __nonstring. Cc: stable(a)vger.kernel.org Fixes: 8b67f04ab9de ("ext4: Add mount options in superblock") Reviewed-by: Jan Kara <jack(a)suse.cz> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Message-ID: <20250916-tune2fs-v2-1-d594dc7486f0(a)mit.edu> Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> diff --git a/fs/ext4/super.c b/fs/ext4/super.c index d26e5c0731e5..488f4c281a3f 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -2469,7 +2469,7 @@ static int parse_apply_sb_mount_options(struct super_block *sb, struct ext4_fs_context *m_ctx) { struct ext4_sb_info *sbi = EXT4_SB(sb); - char *s_mount_opts = NULL; + char s_mount_opts[65]; struct ext4_fs_context *s_ctx = NULL; struct fs_context *fc = NULL; int ret = -ENOMEM; @@ -2477,15 +2477,11 @@ static int parse_apply_sb_mount_options(struct super_block *sb, if (!sbi->s_es->s_mount_opts[0]) return 0; - s_mount_opts = kstrndup(sbi->s_es->s_mount_opts, - sizeof(sbi->s_es->s_mount_opts), - GFP_KERNEL); - if (!s_mount_opts) - return ret; + strscpy_pad(s_mount_opts, sbi->s_es->s_mount_opts); fc = kzalloc(sizeof(struct fs_context), GFP_KERNEL); if (!fc) - goto out_free; + return -ENOMEM; s_ctx = kzalloc(sizeof(struct ext4_fs_context), GFP_KERNEL); if (!s_ctx) @@ -2517,11 +2513,8 @@ static int parse_apply_sb_mount_options(struct super_block *sb, ret = 0; out_free: - if (fc) { - ext4_fc_free(fc); - kfree(fc); - } - kfree(s_mount_opts); + ext4_fc_free(fc); + kfree(fc); return ret; }

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] PCI: rcar-host: Convert struct rcar_msi mask_lock into raw" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 5ed35b4d490d8735021cce9b715b62a418310864 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101634-immunity-sinuous-afc9@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5ed35b4d490d8735021cce9b715b62a418310864 Mon Sep 17 00:00:00 2001 From: Marek Vasut <marek.vasut+renesas(a)mailbox.org> Date: Tue, 9 Sep 2025 18:26:25 +0200 Subject: [PATCH] PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock The rcar_msi_irq_unmask() function may be called from a PCI driver request_threaded_irq() function. This triggers kernel/irq/manage.c __setup_irq() which locks raw spinlock &desc->lock descriptor lock and with that descriptor lock held, calls rcar_msi_irq_unmask(). Since the &desc->lock descriptor lock is a raw spinlock, and the rcar_msi .mask_lock is not a raw spinlock, this setup triggers 'BUG: Invalid wait context' with CONFIG_PROVE_RAW_LOCK_NESTING=y. Use scoped_guard() to simplify the locking. Fixes: 83ed8d4fa656 ("PCI: rcar: Convert to MSI domains") Reported-by: Duy Nguyen <duy.nguyen.rh(a)renesas.com> Reported-by: Thuan Nguyen <thuan.nguyen-hong(a)banvien.com.vn> Signed-off-by: Marek Vasut <marek.vasut+renesas(a)mailbox.org> Signed-off-by: Manivannan Sadhasivam <mani(a)kernel.org> Signed-off-by: Bjorn Helgaas <bhelgaas(a)google.com> Reviewed-by: Geert Uytterhoeven <geert+renesas(a)glider.be> Acked-by: Marc Zyngier <maz(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20250909162707.13927-2-marek.vasut+renesas@mailbox… diff --git a/drivers/pci/controller/pcie-rcar-host.c b/drivers/pci/controller/pcie-rcar-host.c index 625a00f3b223..213028052aa5 100644 --- a/drivers/pci/controller/pcie-rcar-host.c +++ b/drivers/pci/controller/pcie-rcar-host.c @@ -12,6 +12,7 @@ */ #include <linux/bitops.h> +#include <linux/cleanup.h> #include <linux/clk.h> #include <linux/clk-provider.h> #include <linux/delay.h> @@ -38,7 +39,7 @@ struct rcar_msi { DECLARE_BITMAP(used, INT_PCI_MSI_NR); struct irq_domain *domain; struct mutex map_lock; - spinlock_t mask_lock; + raw_spinlock_t mask_lock; int irq1; int irq2; }; @@ -602,28 +603,26 @@ static void rcar_msi_irq_mask(struct irq_data *d) { struct rcar_msi *msi = irq_data_get_irq_chip_data(d); struct rcar_pcie *pcie = &msi_to_host(msi)->pcie; - unsigned long flags; u32 value; - spin_lock_irqsave(&msi->mask_lock, flags); - value = rcar_pci_read_reg(pcie, PCIEMSIIER); - value &= ~BIT(d->hwirq); - rcar_pci_write_reg(pcie, value, PCIEMSIIER); - spin_unlock_irqrestore(&msi->mask_lock, flags); + scoped_guard(raw_spinlock_irqsave, &msi->mask_lock) { + value = rcar_pci_read_reg(pcie, PCIEMSIIER); + value &= ~BIT(d->hwirq); + rcar_pci_write_reg(pcie, value, PCIEMSIIER); + } } static void rcar_msi_irq_unmask(struct irq_data *d) { struct rcar_msi *msi = irq_data_get_irq_chip_data(d); struct rcar_pcie *pcie = &msi_to_host(msi)->pcie; - unsigned long flags; u32 value; - spin_lock_irqsave(&msi->mask_lock, flags); - value = rcar_pci_read_reg(pcie, PCIEMSIIER); - value |= BIT(d->hwirq); - rcar_pci_write_reg(pcie, value, PCIEMSIIER); - spin_unlock_irqrestore(&msi->mask_lock, flags); + scoped_guard(raw_spinlock_irqsave, &msi->mask_lock) { + value = rcar_pci_read_reg(pcie, PCIEMSIIER); + value |= BIT(d->hwirq); + rcar_pci_write_reg(pcie, value, PCIEMSIIER); + } } static void rcar_compose_msi_msg(struct irq_data *data, struct msi_msg *msg) @@ -736,7 +735,7 @@ static int rcar_pcie_enable_msi(struct rcar_pcie_host *host) int err; mutex_init(&msi->map_lock); - spin_lock_init(&msi->mask_lock); + raw_spin_lock_init(&msi->mask_lock); err = of_address_to_resource(dev->of_node, 0, &res); if (err)

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] phy: cadence: cdns-dphy: Update calibration wait time for" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 2c27aaee934a1b5229152fe33a14f1fdf50da143 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101625-happiness-heavily-11c6@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2c27aaee934a1b5229152fe33a14f1fdf50da143 Mon Sep 17 00:00:00 2001 From: Devarsh Thakkar <devarsht(a)ti.com> Date: Fri, 4 Jul 2025 18:29:15 +0530 Subject: [PATCH] phy: cadence: cdns-dphy: Update calibration wait time for startup state machine Do read-modify-write so that we re-use the characterized reset value as specified in TRM [1] to program calibration wait time which defines number of cycles to wait for after startup state machine is in bandgap enable state. This fixes PLL lock timeout error faced while using RPi DSI Panel on TI's AM62L and J721E SoC since earlier calibration wait time was getting overwritten to zero value thus failing the PLL to lockup and causing timeout. [1] AM62P TRM (Section 14.8.6.3.2.1.1 DPHY_TX_DPHYTX_CMN0_CMN_DIG_TBIT2): Link: https://www.ti.com/lit/pdf/spruj83 Cc: stable(a)vger.kernel.org Fixes: 7a343c8bf4b5 ("phy: Add Cadence D-PHY support") Signed-off-by: Devarsh Thakkar <devarsht(a)ti.com> Tested-by: Harikrishna Shenoy <h-shenoy(a)ti.com> Reviewed-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Link: https://lore.kernel.org/r/20250704125915.1224738-3-devarsht@ti.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/cadence/cdns-dphy.c b/drivers/phy/cadence/cdns-dphy.c index da8de0a9d086..24a25606996c 100644 --- a/drivers/phy/cadence/cdns-dphy.c +++ b/drivers/phy/cadence/cdns-dphy.c @@ -30,6 +30,7 @@ #define DPHY_CMN_SSM DPHY_PMA_CMN(0x20) #define DPHY_CMN_SSM_EN BIT(0) +#define DPHY_CMN_SSM_CAL_WAIT_TIME GENMASK(8, 1) #define DPHY_CMN_TX_MODE_EN BIT(9) #define DPHY_CMN_PWM DPHY_PMA_CMN(0x40) @@ -410,7 +411,8 @@ static int cdns_dphy_power_on(struct phy *phy) writel(reg, dphy->regs + DPHY_BAND_CFG); /* Start TX state machine. */ - writel(DPHY_CMN_SSM_EN | DPHY_CMN_TX_MODE_EN, + reg = readl(dphy->regs + DPHY_CMN_SSM); + writel((reg & DPHY_CMN_SSM_CAL_WAIT_TIME) | DPHY_CMN_SSM_EN | DPHY_CMN_TX_MODE_EN, dphy->regs + DPHY_CMN_SSM); ret = cdns_dphy_wait_for_pll_lock(dphy);

1 month, 1 week

2
3
0 0

FAILED: patch "[PATCH] phy: cadence: cdns-dphy: Update calibration wait time for" failed to apply to 6.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.17.y git checkout FETCH_HEAD git cherry-pick -x 2c27aaee934a1b5229152fe33a14f1fdf50da143 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101625-laborer-imaging-a408@gregkh' --subject-prefix 'PATCH 6.17.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2c27aaee934a1b5229152fe33a14f1fdf50da143 Mon Sep 17 00:00:00 2001 From: Devarsh Thakkar <devarsht(a)ti.com> Date: Fri, 4 Jul 2025 18:29:15 +0530 Subject: [PATCH] phy: cadence: cdns-dphy: Update calibration wait time for startup state machine Do read-modify-write so that we re-use the characterized reset value as specified in TRM [1] to program calibration wait time which defines number of cycles to wait for after startup state machine is in bandgap enable state. This fixes PLL lock timeout error faced while using RPi DSI Panel on TI's AM62L and J721E SoC since earlier calibration wait time was getting overwritten to zero value thus failing the PLL to lockup and causing timeout. [1] AM62P TRM (Section 14.8.6.3.2.1.1 DPHY_TX_DPHYTX_CMN0_CMN_DIG_TBIT2): Link: https://www.ti.com/lit/pdf/spruj83 Cc: stable(a)vger.kernel.org Fixes: 7a343c8bf4b5 ("phy: Add Cadence D-PHY support") Signed-off-by: Devarsh Thakkar <devarsht(a)ti.com> Tested-by: Harikrishna Shenoy <h-shenoy(a)ti.com> Reviewed-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Link: https://lore.kernel.org/r/20250704125915.1224738-3-devarsht@ti.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/cadence/cdns-dphy.c b/drivers/phy/cadence/cdns-dphy.c index da8de0a9d086..24a25606996c 100644 --- a/drivers/phy/cadence/cdns-dphy.c +++ b/drivers/phy/cadence/cdns-dphy.c @@ -30,6 +30,7 @@ #define DPHY_CMN_SSM DPHY_PMA_CMN(0x20) #define DPHY_CMN_SSM_EN BIT(0) +#define DPHY_CMN_SSM_CAL_WAIT_TIME GENMASK(8, 1) #define DPHY_CMN_TX_MODE_EN BIT(9) #define DPHY_CMN_PWM DPHY_PMA_CMN(0x40) @@ -410,7 +411,8 @@ static int cdns_dphy_power_on(struct phy *phy) writel(reg, dphy->regs + DPHY_BAND_CFG); /* Start TX state machine. */ - writel(DPHY_CMN_SSM_EN | DPHY_CMN_TX_MODE_EN, + reg = readl(dphy->regs + DPHY_CMN_SSM); + writel((reg & DPHY_CMN_SSM_CAL_WAIT_TIME) | DPHY_CMN_SSM_EN | DPHY_CMN_TX_MODE_EN, dphy->regs + DPHY_CMN_SSM); ret = cdns_dphy_wait_for_pll_lock(dphy);

1 month, 1 week

2
3
0 0

[PATCH AUTOSEL 6.17-5.4] hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()

by Sasha Levin

From: Viacheslav Dubeyko <slava(a)dubeyko.com> [ Upstream commit 2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd ] The syzbot reported issue in hfs_find_set_zero_bits(): ===================================================== BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45 hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45 hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151 hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408 hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353 __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151 block_write_begin fs/buffer.c:2262 [inline] cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601 hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52 cont_expand_zero fs/buffer.c:2528 [inline] cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591 hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52 hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494 hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654 notify_change+0x1993/0x1aa0 fs/attr.c:552 do_truncate+0x28f/0x310 fs/open.c:68 do_ftruncate+0x698/0x730 fs/open.c:195 do_sys_ftruncate fs/open.c:210 [inline] __do_sys_ftruncate fs/open.c:215 [inline] __se_sys_ftruncate fs/open.c:213 [inline] __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213 x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4154 [inline] slab_alloc_node mm/slub.c:4197 [inline] __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354 kmalloc_noprof include/linux/slab.h:905 [inline] hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175 hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337 get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681 get_tree_bdev+0x38/0x50 fs/super.c:1704 hfs_get_tree+0x35/0x40 fs/hfs/super.c:388 vfs_get_tree+0xb0/0x5c0 fs/super.c:1804 do_new_mount+0x738/0x1610 fs/namespace.c:3902 path_mount+0x6db/0x1e90 fs/namespace.c:4226 do_mount fs/namespace.c:4239 [inline] __do_sys_mount fs/namespace.c:4450 [inline] __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427 __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427 x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 ===================================================== The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get(): HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL); Finally, it can trigger the reported issue because kmalloc() doesn't clear the allocated memory. If allocated memory contains only zeros, then everything will work pretty fine. But if the allocated memory contains the "garbage", then it can affect the bitmap operations and it triggers the reported issue. This patch simply exchanges the kmalloc() on kzalloc() with the goal to guarantee the correctness of bitmap operations. Because, newly created allocation bitmap should have all available blocks free. Potentially, initialization bitmap's read operation could not fill the whole allocated memory and "garbage" in the not initialized memory will be the reason of volume coruptions and file system driver bugs. Reported-by: syzbot <syzbot+773fa9d79b29bd8b6831(a)syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=773fa9d79b29bd8b6831 Signed-off-by: Viacheslav Dubeyko <slava(a)dubeyko.com> cc: John Paul Adrian Glaubitz <glaubitz(a)physik.fu-berlin.de> cc: Yangtao Li <frank.li(a)vivo.com> cc: linux-fsdevel(a)vger.kernel.org Link: https://lore.kernel.org/r/20250820230636.179085-1-slava@dubeyko.com Signed-off-by: Viacheslav Dubeyko <slava(a)dubeyko.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: ## YES This commit should be backported to stable kernel trees and **has already been backported** (commit 71929d4dcb5ed in the current tree is the backported version). ### Detailed Analysis #### Bug Severity and Impact **Critical filesystem corruption bug** present since 2016 (commit 80f8dccf95147f): 1. **Uninitialized Memory Issue**: The HFS bitmap buffer is allocated with `kmalloc(8192, GFP_KERNEL)` at fs/hfs/mdb.c:175, but `kmalloc()` does not zero memory. The subsequent bitmap read operation (lines 179-197) only reads `(fs_ablocks + 8) / 8` bytes from disk, potentially leaving a large portion of the 8192-byte buffer uninitialized. 2. **Quantified Impact**: - Small filesystem (10,000 blocks): **84.7%** of bitmap uninitialized (6,941 bytes) - Medium filesystem (50,000 blocks): **23.7%** uninitialized (1,941 bytes) - Only filesystems near 65,528 blocks fully initialize the buffer 3. **Real-World Consequences**: - When `hfs_find_set_zero_bits()` (fs/hfs/bitmap.c:44) accesses the bitmap at `val = *curr`, it reads uninitialized garbage - This causes incorrect block allocation decisions during file operations (extend, truncate, write) - Can lead to filesystem corruption, data loss, or allocation failures - Detected by KMSAN during syzbot fuzzing, indicating real exploitability #### The Fix **Perfect minimal fix** - single line change at fs/hfs/mdb.c:175: ```c - HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL); + HFS_SB(sb)->bitmap = kzalloc(8192, GFP_KERNEL); ``` `kzalloc()` guarantees zero-initialized memory, ensuring the bitmap starts in a correct state where unread regions are treated as free (zero bits). #### Stable Backport Criteria Evaluation ✅ **Fixes user-affecting bug**: Prevents filesystem corruption and incorrect block allocation ✅ **Small and contained**: Single line change, no side effects ✅ **No architectural changes**: Simple allocation function swap ✅ **Minimal regression risk**: Zero risk - only makes behavior more correct ✅ **Confined to subsystem**: Only affects HFS filesystem code ✅ **Follows stable rules**: Important bugfix, minimal change, well- tested (syzbot reported) #### Context and History - **Bug introduced**: 2016-01-02 by Al Viro (80f8dccf95147f) when replacing `__get_free_pages()` with `kmalloc()` - **Mainline fix**: 2025-08-20 (commit 2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd) - **Backport status**: Already backported to this tree (71929d4dcb5ed) by Sasha Levin - **Similar fixes**: Recent HFS bug fixes (slab-out-of-bounds, GPF issues) typically include `Cc: stable(a)vger.kernel.org` and get backported - **Active maintenance**: 155 commits to fs/hfs/ since 2022, showing continued bugfixing effort #### Technical Review The commit message correctly explains the issue and references the syzkaller report. The fix is architecturally sound - the bitmap should logically start with all blocks free (zero bits), so zero-initializing the buffer is the correct approach rather than relying on disk data to fill all 8192 bytes. **Performance impact**: Negligible one-time cost of zeroing 8KB during mount operation. **Backport recommendation**: **STRONGLY RECOMMENDED** for all stable trees supporting HFS filesystem. fs/hfs/mdb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c index 8082eb01127cd..bf811347bb07d 100644 --- a/fs/hfs/mdb.c +++ b/fs/hfs/mdb.c @@ -172,7 +172,7 @@ int hfs_mdb_get(struct super_block *sb) pr_warn("continuing without an alternate MDB\n"); } - HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL); + HFS_SB(sb)->bitmap = kzalloc(8192, GFP_KERNEL); if (!HFS_SB(sb)->bitmap) goto out; -- 2.51.0

1 month, 1 week

3
35
0 0

[PATCH] leds: leds-lp50xx: LP5009 supports 3 modules for a total of 9 LEDs

by Christian Hitz

From: Christian Hitz <christian.hitz(a)bbv.ch> Signed-off-by: Christian Hitz <christian.hitz(a)bbv.ch> Cc: stable(a)vger.kernel.org --- drivers/leds/leds-lp50xx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/leds/leds-lp50xx.c b/drivers/leds/leds-lp50xx.c index 94f8ef6b482c..05229e2f2e7e 100644 --- a/drivers/leds/leds-lp50xx.c +++ b/drivers/leds/leds-lp50xx.c @@ -54,7 +54,7 @@ /* There are 3 LED outputs per bank */ #define LP50XX_LEDS_PER_MODULE 3 -#define LP5009_MAX_LED_MODULES 2 +#define LP5009_MAX_LED_MODULES 3 #define LP5012_MAX_LED_MODULES 4 #define LP5018_MAX_LED_MODULES 6 #define LP5024_MAX_LED_MODULES 8 -- 2.51.0

1 month, 1 week

2
1
0 0

Re: Patch "rust: cpufreq: fix formatting" has been added to the 6.17-stable tree

by Miguel Ojeda

On Tue, Oct 21, 2025 at 4:58 PM Sasha Levin <sashal(a)kernel.org> wrote: > > This is a note to let you know that I've just added the patch titled > > rust: cpufreq: fix formatting > > to the 6.17-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > rust-cpufreq-fix-formatting.patch > and it can be found in the queue-6.17 subdirectory. Yes, thanks -- with this one 6.17.y should be `rustfmt` clean again too, like mainline. Cheers, Miguel

1 month, 1 week

1
0
0 0

FAILED: patch "[PATCH] cxl: Fix match_region_by_range() to use" failed to apply to 6.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.17.y git checkout FETCH_HEAD git cherry-pick -x f4d027921c811ff7fc16e4d03c6bbbf4347cf37a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102001-outsmart-slackness-607a@gregkh' --subject-prefix 'PATCH 6.17.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f4d027921c811ff7fc16e4d03c6bbbf4347cf37a Mon Sep 17 00:00:00 2001 From: Dave Jiang <dave.jiang(a)intel.com> Date: Fri, 10 Oct 2025 13:57:55 -0700 Subject: [PATCH] cxl: Fix match_region_by_range() to use region_res_match_cxl_range() match_region_by_range() is not using the helper function that also takes extended linear cache size into account when comparing regions. This causes a x2 region to show up as 2 partial incomplete regions rather than a single CXL region with extended linear cache support. Replace the open coded compare logic with the proper helper function for comparison. User visible impact is that when 'cxl list' is issued, no activa CXL region(s) are shown. There may be multiple idle regions present. No actual active CXL region is present in the kernel. [dj: Fix stable address] Fixes: 0ec9849b6333 ("acpi/hmat / cxl: Add extended linear cache support for CXL") Cc: stable(a)vger.kernel.org Reviewed-by: Gregory Price <gourry(a)gourry.net> Reviewed-by: Alison Schofield <alison.schofield(a)intel.com> Reviewed-by: Dan Williams <dan.j.williams(a)intel.com> Signed-off-by: Dave Jiang <dave.jiang(a)intel.com> diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c index 858d4678628d..57ed85e332d3 100644 --- a/drivers/cxl/core/region.c +++ b/drivers/cxl/core/region.c @@ -3398,10 +3398,7 @@ static int match_region_by_range(struct device *dev, const void *data) p = &cxlr->params; guard(rwsem_read)(&cxl_rwsem.region); - if (p->res && p->res->start == r->start && p->res->end == r->end) - return 1; - - return 0; + return region_res_match_cxl_range(p, r); } static int cxl_extended_linear_cache_resize(struct cxl_region *cxlr,

1 month, 1 week

2
1
0 0

[PATCH] ksmbd: transport_ipc: validate payload size before reading handle

by Qianchang Zhao

handle_response() dereferences the payload as a 4-byte handle without verifying that the declared payload size is at least 4 bytes. A malformed or truncated message from ksmbd.mountd can lead to a 4-byte read past the declared payload size. Validate the size before dereferencing. This is a minimal fix to guard the initial handle read. Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers") Cc: stable(a)vger.kernel.org Reported-by: Qianchang Zhao <pioooooooooip(a)gmail.com> Signed-off-by: Qianchang Zhao <pioooooooooip(a)gmail.com> --- fs/smb/server/transport_ipc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c index 46f87fd1ce1c..2028de4d3ddf 100644 --- a/fs/smb/server/transport_ipc.c +++ b/fs/smb/server/transport_ipc.c @@ -263,6 +263,10 @@ static void ipc_msg_handle_free(int handle) static int handle_response(int type, void *payload, size_t sz) { + /* Prevent 4-byte read beyond declared payload size */ + if (sz < sizeof(unsigned int)) + return -EINVAL; + unsigned int handle = *(unsigned int *)payload; struct ipc_msg_table_entry *entry; int ret = 0; -- 2.34.1

1 month, 1 week

1
0
0 0

FAILED: patch "[PATCH] drm/xe: Don't allow evicting of BOs in same VM in array of VM" failed to apply to 6.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.17.y git checkout FETCH_HEAD git cherry-pick -x 7ac74613e5f2ef3450f44fd2127198662c2563a9 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102048-unrushed-state-ce5e@gregkh' --subject-prefix 'PATCH 6.17.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7ac74613e5f2ef3450f44fd2127198662c2563a9 Mon Sep 17 00:00:00 2001 From: Matthew Brost <matthew.brost(a)intel.com> Date: Thu, 9 Oct 2025 04:06:18 -0700 Subject: [PATCH] drm/xe: Don't allow evicting of BOs in same VM in array of VM binds MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit An array of VM binds can potentially evict other buffer objects (BOs) within the same VM under certain conditions, which may lead to NULL pointer dereferences later in the bind pipeline. To prevent this, clear the allow_res_evict flag in the xe_bo_validate call. v2: - Invert polarity of no_res_evict (Thomas) - Add comment in code explaining issue (Thomas) Cc: stable(a)vger.kernel.org Reported-by: Paulo Zanoni <paulo.r.zanoni(a)intel.com> Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6268 Fixes: 774b5fa509a9 ("drm/xe: Avoid evicting object of the same vm in none fault mode") Fixes: 77f2ef3f16f5 ("drm/xe: Lock all gpuva ops during VM bind IOCTL") Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Signed-off-by: Matthew Brost <matthew.brost(a)intel.com> Tested-by: Paulo Zanoni <paulo.r.zanoni(a)intel.com> Reviewed-by: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> Link: https://lore.kernel.org/r/20251009110618.3481870-1-matthew.brost@intel.com (cherry picked from commit 8b9ba8d6d95fe75fed6b0480bb03da4b321bea08) Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c index 027e6ce648c5..f602b874e054 100644 --- a/drivers/gpu/drm/xe/xe_vm.c +++ b/drivers/gpu/drm/xe/xe_vm.c @@ -2832,7 +2832,7 @@ static void vm_bind_ioctl_ops_unwind(struct xe_vm *vm, } static int vma_lock_and_validate(struct drm_exec *exec, struct xe_vma *vma, - bool validate) + bool res_evict, bool validate) { struct xe_bo *bo = xe_vma_bo(vma); struct xe_vm *vm = xe_vma_vm(vma); @@ -2843,7 +2843,8 @@ static int vma_lock_and_validate(struct drm_exec *exec, struct xe_vma *vma, err = drm_exec_lock_obj(exec, &bo->ttm.base); if (!err && validate) err = xe_bo_validate(bo, vm, - !xe_vm_in_preempt_fence_mode(vm), exec); + !xe_vm_in_preempt_fence_mode(vm) && + res_evict, exec); } return err; @@ -2913,14 +2914,23 @@ static int prefetch_ranges(struct xe_vm *vm, struct xe_vma_op *op) } static int op_lock_and_prep(struct drm_exec *exec, struct xe_vm *vm, - struct xe_vma_op *op) + struct xe_vma_ops *vops, struct xe_vma_op *op) { int err = 0; + bool res_evict; + + /* + * We only allow evicting a BO within the VM if it is not part of an + * array of binds, as an array of binds can evict another BO within the + * bind. + */ + res_evict = !(vops->flags & XE_VMA_OPS_ARRAY_OF_BINDS); switch (op->base.op) { case DRM_GPUVA_OP_MAP: if (!op->map.invalidate_on_bind) err = vma_lock_and_validate(exec, op->map.vma, + res_evict, !xe_vm_in_fault_mode(vm) || op->map.immediate); break; @@ -2931,11 +2941,13 @@ static int op_lock_and_prep(struct drm_exec *exec, struct xe_vm *vm, err = vma_lock_and_validate(exec, gpuva_to_vma(op->base.remap.unmap->va), - false); + res_evict, false); if (!err && op->remap.prev) - err = vma_lock_and_validate(exec, op->remap.prev, true); + err = vma_lock_and_validate(exec, op->remap.prev, + res_evict, true); if (!err && op->remap.next) - err = vma_lock_and_validate(exec, op->remap.next, true); + err = vma_lock_and_validate(exec, op->remap.next, + res_evict, true); break; case DRM_GPUVA_OP_UNMAP: err = check_ufence(gpuva_to_vma(op->base.unmap.va)); @@ -2944,7 +2956,7 @@ static int op_lock_and_prep(struct drm_exec *exec, struct xe_vm *vm, err = vma_lock_and_validate(exec, gpuva_to_vma(op->base.unmap.va), - false); + res_evict, false); break; case DRM_GPUVA_OP_PREFETCH: { @@ -2959,7 +2971,7 @@ static int op_lock_and_prep(struct drm_exec *exec, struct xe_vm *vm, err = vma_lock_and_validate(exec, gpuva_to_vma(op->base.prefetch.va), - false); + res_evict, false); if (!err && !xe_vma_has_no_bo(vma)) err = xe_bo_migrate(xe_vma_bo(vma), region_to_mem_type[region], @@ -3005,7 +3017,7 @@ static int vm_bind_ioctl_ops_lock_and_prep(struct drm_exec *exec, return err; list_for_each_entry(op, &vops->list, link) { - err = op_lock_and_prep(exec, vm, op); + err = op_lock_and_prep(exec, vm, vops, op); if (err) return err; } @@ -3638,6 +3650,8 @@ int xe_vm_bind_ioctl(struct drm_device *dev, void *data, struct drm_file *file) } xe_vma_ops_init(&vops, vm, q, syncs, num_syncs); + if (args->num_binds > 1) + vops.flags |= XE_VMA_OPS_ARRAY_OF_BINDS; for (i = 0; i < args->num_binds; ++i) { u64 range = bind_ops[i].range; u64 addr = bind_ops[i].addr; diff --git a/drivers/gpu/drm/xe/xe_vm_types.h b/drivers/gpu/drm/xe/xe_vm_types.h index da39940501d8..413353e1c225 100644 --- a/drivers/gpu/drm/xe/xe_vm_types.h +++ b/drivers/gpu/drm/xe/xe_vm_types.h @@ -476,6 +476,7 @@ struct xe_vma_ops { /** @flag: signify the properties within xe_vma_ops*/ #define XE_VMA_OPS_FLAG_HAS_SVM_PREFETCH BIT(0) #define XE_VMA_OPS_FLAG_MADVISE BIT(1) +#define XE_VMA_OPS_ARRAY_OF_BINDS BIT(2) u32 flags; #ifdef TEST_VM_OPS_ERROR /** @inject_error: inject error to test error handling */

1 month, 1 week

2
1
0 0

¿Tu evaluación de desempeño es realmente objetiva?

by Luis Rodríguez

Evaluaciones de Desempeño Objetivas con Vorecol 360 Feedback body { margin: 0; padding: 0; font-family: Arial, Helvetica, sans-serif; font-size: 14px; color: #333333; background-color: #ffffff; } table { border-spacing: 0; width: 100%; max-width: 600px; margin: auto; } td { padding: 12px 20px; } a { color: #1a73e8; text-decoration: none; } .footer { font-size: 12px; color: #888888; text-align: center; padding-top: 10px; } Mejora tus evaluaciones de desempeño con feedback 360 real y automatizado. Hola, ¿Te has preguntado qué tan completas son tus evaluaciones de desempeño? En Vorecol 360 Feedback te ayudamos a implementar evaluaciones verdaderamente objetivas, recogiendo percepciones desde todas las direcciones: líderes, pares, colaboradores y autoevaluación. Lo que más valoran nuestros clientes de RRHH es que: Obtienen una visión completa y real del desempeño. Fomentan una cultura de feedback constructivo. Identifican oportunidades de desarrollo con mayor precisión. Automatizan todo el proceso con reportes claros y personalizables. Si estás buscando mejorar tus evaluaciones y fortalecer el desarrollo interno, te lo recomiendo muchísimo. Para más información puedes responder este correo o llamarme al número de abajo. Saludos, ------------------------ Atte.: Luis Rodríguez Ciudad de México: (55) 5018 0565 WhatsApp: +52 33 1607 2089 Si no deseas recibir más correos, haz clic aquí para darte de baja. Para remover su dirección de esta lista haga <a href="https://s1.arrobamail.com/unsuscribe.php?id=yiwtsrewisppwseup">click aquí</a>

1 month, 1 week

1
0
0 0

[PATCH v3 00/10] pmdomain: samsung: add supoort for Google GS101

by André Draszik

Hi, This series adds support for the power domains on Google GS101. It's fairly similar to SoCs already supported by this driver, except that register acces does not work via plain ioremap() / readl() / writel(). Instead, the regmap created by the PMU driver must be used (which uses Arm SMCC calls under the hood). The DT update to add the new required properties on gs101 will be posted separately. Signed-off-by: André Draszik <andre.draszik(a)linaro.org> --- Changes in v3: - use additionalProperties, not unevaluatedProperties in patch 2 - fix path in $id in patch 2 (Rob) - drop comment around 'select' in patch 2 (Rob) - collect tags - Link to v2: https://lore.kernel.org/r/20251009-gs101-pd-v2-0-3f4a6db2af39@linaro.org Changes in v2: - Krzysztof: - move google,gs101-pmu binding into separate file - mark devm_kstrdup_const() patch as fix - use bool for need_early_sync_state - merge patches 8 and 10 from v1 series into one patch - collect tags - Link to v1: https://lore.kernel.org/r/20251006-gs101-pd-v1-0-f0cb0c01ea7b@linaro.org --- André Draszik (10): dt-bindings: power: samsung: add google,gs101-pd dt-bindings: soc: samsung: exynos-pmu: move gs101-pmu into separate binding dt-bindings: soc: samsung: gs101-pmu: allow power domains as children pmdomain: samsung: plug potential memleak during probe pmdomain: samsung: convert to using regmap pmdomain: samsung: convert to regmap_read_poll_timeout() pmdomain: samsung: don't hardcode offset for registers to 0 and 4 pmdomain: samsung: selectively handle enforced sync_state pmdomain: samsung: add support for google,gs101-pd pmdomain: samsung: use dev_err() instead of pr_err() .../devicetree/bindings/power/pd-samsung.yaml | 1 + .../bindings/soc/google/google,gs101-pmu.yaml | 106 +++++++++++++++++ .../bindings/soc/samsung/exynos-pmu.yaml | 20 ---- MAINTAINERS | 1 + drivers/pmdomain/samsung/exynos-pm-domains.c | 126 +++++++++++++++------ 5 files changed, 200 insertions(+), 54 deletions(-) --- base-commit: 58e817956925fdc12c61f1cb86915b82ae1603c1 change-id: 20251001-gs101-pd-d4dc97d70a84 Best regards, -- André Draszik <andre.draszik(a)linaro.org>

1 month, 1 week

3
3
0 0

FAILED: patch "[PATCH] drm/amdgpu: use atomic functions with memory barriers for vm" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 6df8e84aa6b5b1812cc2cacd6b3f5ccbb18cda2b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102012-cranberry-chimp-891a@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6df8e84aa6b5b1812cc2cacd6b3f5ccbb18cda2b Mon Sep 17 00:00:00 2001 From: Gui-Dong Han <hanguidong02(a)gmail.com> Date: Wed, 8 Oct 2025 03:43:27 +0000 Subject: [PATCH] drm/amdgpu: use atomic functions with memory barriers for vm fault info The atomic variable vm_fault_info_updated is used to synchronize access to adev->gmc.vm_fault_info between the interrupt handler and get_vm_fault_info(). The default atomic functions like atomic_set() and atomic_read() do not provide memory barriers. This allows for CPU instruction reordering, meaning the memory accesses to vm_fault_info and the vm_fault_info_updated flag are not guaranteed to occur in the intended order. This creates a race condition that can lead to inconsistent or stale data being used. The previous implementation, which used an explicit mb(), was incomplete and inefficient. It failed to account for all potential CPU reorderings, such as the access of vm_fault_info being reordered before the atomic_read of the flag. This approach is also more verbose and less performant than using the proper atomic functions with acquire/release semantics. Fix this by switching to atomic_set_release() and atomic_read_acquire(). These functions provide the necessary acquire and release semantics, which act as memory barriers to ensure the correct order of operations. It is also more efficient and idiomatic than using explicit full memory barriers. Fixes: b97dfa27ef3a ("drm/amdgpu: save vm fault information for amdkfd") Cc: stable(a)vger.kernel.org Signed-off-by: Gui-Dong Han <hanguidong02(a)gmail.com> Signed-off-by: Felix Kuehling <felix.kuehling(a)amd.com> Reviewed-by: Felix Kuehling <felix.kuehling(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c index 83020963dfde..a2ca9acf8c4e 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c @@ -2329,10 +2329,9 @@ void amdgpu_amdkfd_gpuvm_unmap_gtt_bo_from_kernel(struct kgd_mem *mem) int amdgpu_amdkfd_gpuvm_get_vm_fault_info(struct amdgpu_device *adev, struct kfd_vm_fault_info *mem) { - if (atomic_read(&adev->gmc.vm_fault_info_updated) == 1) { + if (atomic_read_acquire(&adev->gmc.vm_fault_info_updated) == 1) { *mem = *adev->gmc.vm_fault_info; - mb(); /* make sure read happened */ - atomic_set(&adev->gmc.vm_fault_info_updated, 0); + atomic_set_release(&adev->gmc.vm_fault_info_updated, 0); } return 0; } diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c index 93d7ccb7d013..0e5e54d0a9a5 100644 --- a/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c +++ b/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c @@ -1068,7 +1068,7 @@ static int gmc_v7_0_sw_init(struct amdgpu_ip_block *ip_block) GFP_KERNEL); if (!adev->gmc.vm_fault_info) return -ENOMEM; - atomic_set(&adev->gmc.vm_fault_info_updated, 0); + atomic_set_release(&adev->gmc.vm_fault_info_updated, 0); return 0; } @@ -1290,7 +1290,7 @@ static int gmc_v7_0_process_interrupt(struct amdgpu_device *adev, vmid = REG_GET_FIELD(status, VM_CONTEXT1_PROTECTION_FAULT_STATUS, VMID); if (amdgpu_amdkfd_is_kfd_vmid(adev, vmid) - && !atomic_read(&adev->gmc.vm_fault_info_updated)) { + && !atomic_read_acquire(&adev->gmc.vm_fault_info_updated)) { struct kfd_vm_fault_info *info = adev->gmc.vm_fault_info; u32 protections = REG_GET_FIELD(status, VM_CONTEXT1_PROTECTION_FAULT_STATUS, @@ -1306,8 +1306,7 @@ static int gmc_v7_0_process_interrupt(struct amdgpu_device *adev, info->prot_read = protections & 0x8 ? true : false; info->prot_write = protections & 0x10 ? true : false; info->prot_exec = protections & 0x20 ? true : false; - mb(); - atomic_set(&adev->gmc.vm_fault_info_updated, 1); + atomic_set_release(&adev->gmc.vm_fault_info_updated, 1); } return 0; diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c index c5e2a2c41e06..e1509480dfc2 100644 --- a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c +++ b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c @@ -1183,7 +1183,7 @@ static int gmc_v8_0_sw_init(struct amdgpu_ip_block *ip_block) GFP_KERNEL); if (!adev->gmc.vm_fault_info) return -ENOMEM; - atomic_set(&adev->gmc.vm_fault_info_updated, 0); + atomic_set_release(&adev->gmc.vm_fault_info_updated, 0); return 0; } @@ -1478,7 +1478,7 @@ static int gmc_v8_0_process_interrupt(struct amdgpu_device *adev, vmid = REG_GET_FIELD(status, VM_CONTEXT1_PROTECTION_FAULT_STATUS, VMID); if (amdgpu_amdkfd_is_kfd_vmid(adev, vmid) - && !atomic_read(&adev->gmc.vm_fault_info_updated)) { + && !atomic_read_acquire(&adev->gmc.vm_fault_info_updated)) { struct kfd_vm_fault_info *info = adev->gmc.vm_fault_info; u32 protections = REG_GET_FIELD(status, VM_CONTEXT1_PROTECTION_FAULT_STATUS, @@ -1494,8 +1494,7 @@ static int gmc_v8_0_process_interrupt(struct amdgpu_device *adev, info->prot_read = protections & 0x8 ? true : false; info->prot_write = protections & 0x10 ? true : false; info->prot_exec = protections & 0x20 ? true : false; - mb(); - atomic_set(&adev->gmc.vm_fault_info_updated, 1); + atomic_set_release(&adev->gmc.vm_fault_info_updated, 1); } return 0;

1 month, 1 week

2
1
0 0

[PATCH] acpica: Work around bogus -Wstringop-overread warning since GCC 11

by Xi Ruoyao

When ACPI_MISALIGNMENT_NOT_SUPPORTED, GCC can produce a bogus -Wstringop-overread warning, see https://gcc.gnu.org/PR122073. To me it's very clear that we have a compiler bug here, thus just disable the warning. Cc: stable(a)vger.kernel.org Fixes: a9d13433fe17 ("LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled") Link: https://lore.kernel.org/all/899f2dec-e8b9-44f4-ab8d-001e160a2aed@roeck-us.n… Link: https://github.com/acpica/acpica/commit/abf5b573 Co-developed-by: Saket Dumbre <saket.dumbre(a)intel.com> Signed-off-by: Saket Dumbre <saket.dumbre(a)intel.com> Signed-off-by: Xi Ruoyao <xry111(a)xry111.site> --- drivers/acpi/acpica/tbprint.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/acpi/acpica/tbprint.c b/drivers/acpi/acpica/tbprint.c index 049f6c2f1e32..e5631027f7f1 100644 --- a/drivers/acpi/acpica/tbprint.c +++ b/drivers/acpi/acpica/tbprint.c @@ -95,6 +95,11 @@ acpi_tb_print_table_header(acpi_physical_address address, { struct acpi_table_header local_header; +#pragma GCC diagnostic push +#if defined(__GNUC__) && __GNUC__ >= 11 +#pragma GCC diagnostic ignored "-Wstringop-overread" +#endif + if (ACPI_COMPARE_NAMESEG(header->signature, ACPI_SIG_FACS)) { /* FACS only has signature and length fields */ @@ -143,4 +148,5 @@ acpi_tb_print_table_header(acpi_physical_address address, local_header.asl_compiler_id, local_header.asl_compiler_revision)); } +#pragma GCC diagnostic pop } -- 2.51.1

1 month, 1 week

3
3
0 0

FAILED: patch "[PATCH] drm/amdgpu: use atomic functions with memory barriers for vm" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 6df8e84aa6b5b1812cc2cacd6b3f5ccbb18cda2b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102010-body-overnight-fcad@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6df8e84aa6b5b1812cc2cacd6b3f5ccbb18cda2b Mon Sep 17 00:00:00 2001 From: Gui-Dong Han <hanguidong02(a)gmail.com> Date: Wed, 8 Oct 2025 03:43:27 +0000 Subject: [PATCH] drm/amdgpu: use atomic functions with memory barriers for vm fault info The atomic variable vm_fault_info_updated is used to synchronize access to adev->gmc.vm_fault_info between the interrupt handler and get_vm_fault_info(). The default atomic functions like atomic_set() and atomic_read() do not provide memory barriers. This allows for CPU instruction reordering, meaning the memory accesses to vm_fault_info and the vm_fault_info_updated flag are not guaranteed to occur in the intended order. This creates a race condition that can lead to inconsistent or stale data being used. The previous implementation, which used an explicit mb(), was incomplete and inefficient. It failed to account for all potential CPU reorderings, such as the access of vm_fault_info being reordered before the atomic_read of the flag. This approach is also more verbose and less performant than using the proper atomic functions with acquire/release semantics. Fix this by switching to atomic_set_release() and atomic_read_acquire(). These functions provide the necessary acquire and release semantics, which act as memory barriers to ensure the correct order of operations. It is also more efficient and idiomatic than using explicit full memory barriers. Fixes: b97dfa27ef3a ("drm/amdgpu: save vm fault information for amdkfd") Cc: stable(a)vger.kernel.org Signed-off-by: Gui-Dong Han <hanguidong02(a)gmail.com> Signed-off-by: Felix Kuehling <felix.kuehling(a)amd.com> Reviewed-by: Felix Kuehling <felix.kuehling(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c index 83020963dfde..a2ca9acf8c4e 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c @@ -2329,10 +2329,9 @@ void amdgpu_amdkfd_gpuvm_unmap_gtt_bo_from_kernel(struct kgd_mem *mem) int amdgpu_amdkfd_gpuvm_get_vm_fault_info(struct amdgpu_device *adev, struct kfd_vm_fault_info *mem) { - if (atomic_read(&adev->gmc.vm_fault_info_updated) == 1) { + if (atomic_read_acquire(&adev->gmc.vm_fault_info_updated) == 1) { *mem = *adev->gmc.vm_fault_info; - mb(); /* make sure read happened */ - atomic_set(&adev->gmc.vm_fault_info_updated, 0); + atomic_set_release(&adev->gmc.vm_fault_info_updated, 0); } return 0; } diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c index 93d7ccb7d013..0e5e54d0a9a5 100644 --- a/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c +++ b/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c @@ -1068,7 +1068,7 @@ static int gmc_v7_0_sw_init(struct amdgpu_ip_block *ip_block) GFP_KERNEL); if (!adev->gmc.vm_fault_info) return -ENOMEM; - atomic_set(&adev->gmc.vm_fault_info_updated, 0); + atomic_set_release(&adev->gmc.vm_fault_info_updated, 0); return 0; } @@ -1290,7 +1290,7 @@ static int gmc_v7_0_process_interrupt(struct amdgpu_device *adev, vmid = REG_GET_FIELD(status, VM_CONTEXT1_PROTECTION_FAULT_STATUS, VMID); if (amdgpu_amdkfd_is_kfd_vmid(adev, vmid) - && !atomic_read(&adev->gmc.vm_fault_info_updated)) { + && !atomic_read_acquire(&adev->gmc.vm_fault_info_updated)) { struct kfd_vm_fault_info *info = adev->gmc.vm_fault_info; u32 protections = REG_GET_FIELD(status, VM_CONTEXT1_PROTECTION_FAULT_STATUS, @@ -1306,8 +1306,7 @@ static int gmc_v7_0_process_interrupt(struct amdgpu_device *adev, info->prot_read = protections & 0x8 ? true : false; info->prot_write = protections & 0x10 ? true : false; info->prot_exec = protections & 0x20 ? true : false; - mb(); - atomic_set(&adev->gmc.vm_fault_info_updated, 1); + atomic_set_release(&adev->gmc.vm_fault_info_updated, 1); } return 0; diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c index c5e2a2c41e06..e1509480dfc2 100644 --- a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c +++ b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c @@ -1183,7 +1183,7 @@ static int gmc_v8_0_sw_init(struct amdgpu_ip_block *ip_block) GFP_KERNEL); if (!adev->gmc.vm_fault_info) return -ENOMEM; - atomic_set(&adev->gmc.vm_fault_info_updated, 0); + atomic_set_release(&adev->gmc.vm_fault_info_updated, 0); return 0; } @@ -1478,7 +1478,7 @@ static int gmc_v8_0_process_interrupt(struct amdgpu_device *adev, vmid = REG_GET_FIELD(status, VM_CONTEXT1_PROTECTION_FAULT_STATUS, VMID); if (amdgpu_amdkfd_is_kfd_vmid(adev, vmid) - && !atomic_read(&adev->gmc.vm_fault_info_updated)) { + && !atomic_read_acquire(&adev->gmc.vm_fault_info_updated)) { struct kfd_vm_fault_info *info = adev->gmc.vm_fault_info; u32 protections = REG_GET_FIELD(status, VM_CONTEXT1_PROTECTION_FAULT_STATUS, @@ -1494,8 +1494,7 @@ static int gmc_v8_0_process_interrupt(struct amdgpu_device *adev, info->prot_read = protections & 0x8 ? true : false; info->prot_write = protections & 0x10 ? true : false; info->prot_exec = protections & 0x20 ? true : false; - mb(); - atomic_set(&adev->gmc.vm_fault_info_updated, 1); + atomic_set_release(&adev->gmc.vm_fault_info_updated, 1); } return 0;

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] drm/xe: Move rebar to be done earlier" failed to apply to 6.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.17.y git checkout FETCH_HEAD git cherry-pick -x d30203739be798d3de5c84db3060e96f00c54e82 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102055-prayer-clock-414f@gregkh' --subject-prefix 'PATCH 6.17.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d30203739be798d3de5c84db3060e96f00c54e82 Mon Sep 17 00:00:00 2001 From: Lucas De Marchi <lucas.demarchi(a)intel.com> Date: Thu, 18 Sep 2025 13:58:57 -0700 Subject: [PATCH] drm/xe: Move rebar to be done earlier MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There may be cases in which the BAR0 also needs to move to accommodate the bigger BAR2. However if it's not released, the BAR2 resize fails. During the vram probe it can't be released as it's already in use by xe_mmio for early register access. Add a new function in xe_vram and let xe_pci call it directly before even early device probe. This allows the BAR2 to resize in cases BAR0 also needs to move, assuming there aren't other reasons to hold that move: [] xe 0000:03:00.0: vgaarb: deactivate vga console [] xe 0000:03:00.0: [drm] Attempting to resize bar from 8192MiB -> 16384MiB [] xe 0000:03:00.0: BAR 0 [mem 0x83000000-0x83ffffff 64bit]: releasing [] xe 0000:03:00.0: BAR 2 [mem 0x4000000000-0x41ffffffff 64bit pref]: releasing [] pcieport 0000:02:01.0: bridge window [mem 0x4000000000-0x41ffffffff 64bit pref]: releasing [] pcieport 0000:01:00.0: bridge window [mem 0x4000000000-0x41ffffffff 64bit pref]: releasing [] pcieport 0000:01:00.0: bridge window [mem 0x4000000000-0x43ffffffff 64bit pref]: assigned [] pcieport 0000:02:01.0: bridge window [mem 0x4000000000-0x43ffffffff 64bit pref]: assigned [] xe 0000:03:00.0: BAR 2 [mem 0x4000000000-0x43ffffffff 64bit pref]: assigned [] xe 0000:03:00.0: BAR 0 [mem 0x83000000-0x83ffffff 64bit]: assigned [] pcieport 0000:00:01.0: PCI bridge to [bus 01-04] [] pcieport 0000:00:01.0: bridge window [mem 0x83000000-0x840fffff] [] pcieport 0000:00:01.0: bridge window [mem 0x4000000000-0x44007fffff 64bit pref] [] pcieport 0000:01:00.0: PCI bridge to [bus 02-04] [] pcieport 0000:01:00.0: bridge window [mem 0x83000000-0x840fffff] [] pcieport 0000:01:00.0: bridge window [mem 0x4000000000-0x43ffffffff 64bit pref] [] pcieport 0000:02:01.0: PCI bridge to [bus 03] [] pcieport 0000:02:01.0: bridge window [mem 0x83000000-0x83ffffff] [] pcieport 0000:02:01.0: bridge window [mem 0x4000000000-0x43ffffffff 64bit pref] [] xe 0000:03:00.0: [drm] BAR2 resized to 16384M [] xe 0000:03:00.0: [drm:xe_pci_probe [xe]] BATTLEMAGE e221:0000 dgfx:1 gfx:Xe2_HPG (20.02) ... For BMG there are additional fix needed in the PCI side, but this helps getting it to a working resize. All the rebar logic is more pci-specific than xe-specific and can be done very early in the probe sequence. In future it would be good to move it out of xe_vram.c, but this refactor is left for later. Cc: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Cc: stable(a)vger.kernel.org # 6.12+ Link: https://lore.kernel.org/intel-xe/fafda2a3-fc63-ce97-d22b-803f771a4d19@linux… Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Link: https://lore.kernel.org/r/20250918-xe-pci-rebar-2-v1-2-6c094702a074@intel.c… Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> (cherry picked from commit 45e33f220fd625492c11e15733d8e9b4f9db82a4) Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> diff --git a/drivers/gpu/drm/xe/xe_pci.c b/drivers/gpu/drm/xe/xe_pci.c index be91343829dd..9a6df79fc5b6 100644 --- a/drivers/gpu/drm/xe/xe_pci.c +++ b/drivers/gpu/drm/xe/xe_pci.c @@ -867,6 +867,8 @@ static int xe_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) if (err) return err; + xe_vram_resize_bar(xe); + err = xe_device_probe_early(xe); /* * In Boot Survivability mode, no drm card is exposed and driver diff --git a/drivers/gpu/drm/xe/xe_vram.c b/drivers/gpu/drm/xe/xe_vram.c index b44ebf50fedb..652df7a5f4f6 100644 --- a/drivers/gpu/drm/xe/xe_vram.c +++ b/drivers/gpu/drm/xe/xe_vram.c @@ -26,15 +26,35 @@ #define BAR_SIZE_SHIFT 20 -static void -_resize_bar(struct xe_device *xe, int resno, resource_size_t size) +/* + * Release all the BARs that could influence/block LMEMBAR resizing, i.e. + * assigned IORESOURCE_MEM_64 BARs + */ +static void release_bars(struct pci_dev *pdev) +{ + struct resource *res; + int i; + + pci_dev_for_each_resource(pdev, res, i) { + /* Resource already un-assigned, do not reset it */ + if (!res->parent) + continue; + + /* No need to release unrelated BARs */ + if (!(res->flags & IORESOURCE_MEM_64)) + continue; + + pci_release_resource(pdev, i); + } +} + +static void resize_bar(struct xe_device *xe, int resno, resource_size_t size) { struct pci_dev *pdev = to_pci_dev(xe->drm.dev); int bar_size = pci_rebar_bytes_to_size(size); int ret; - if (pci_resource_len(pdev, resno)) - pci_release_resource(pdev, resno); + release_bars(pdev); ret = pci_resize_resource(pdev, resno, bar_size); if (ret) { @@ -50,7 +70,7 @@ _resize_bar(struct xe_device *xe, int resno, resource_size_t size) * if force_vram_bar_size is set, attempt to set to the requested size * else set to maximum possible size */ -static void resize_vram_bar(struct xe_device *xe) +void xe_vram_resize_bar(struct xe_device *xe) { int force_vram_bar_size = xe_modparam.force_vram_bar_size; struct pci_dev *pdev = to_pci_dev(xe->drm.dev); @@ -119,7 +139,7 @@ static void resize_vram_bar(struct xe_device *xe) pci_read_config_dword(pdev, PCI_COMMAND, &pci_cmd); pci_write_config_dword(pdev, PCI_COMMAND, pci_cmd & ~PCI_COMMAND_MEMORY); - _resize_bar(xe, LMEM_BAR, rebar_size); + resize_bar(xe, LMEM_BAR, rebar_size); pci_assign_unassigned_bus_resources(pdev->bus); pci_write_config_dword(pdev, PCI_COMMAND, pci_cmd); @@ -148,8 +168,6 @@ static int determine_lmem_bar_size(struct xe_device *xe, struct xe_vram_region * return -ENXIO; } - resize_vram_bar(xe); - lmem_bar->io_start = pci_resource_start(pdev, LMEM_BAR); lmem_bar->io_size = pci_resource_len(pdev, LMEM_BAR); if (!lmem_bar->io_size) diff --git a/drivers/gpu/drm/xe/xe_vram.h b/drivers/gpu/drm/xe/xe_vram.h index 72860f714fc6..13505cfb184d 100644 --- a/drivers/gpu/drm/xe/xe_vram.h +++ b/drivers/gpu/drm/xe/xe_vram.h @@ -11,6 +11,7 @@ struct xe_device; struct xe_vram_region; +void xe_vram_resize_bar(struct xe_device *xe); int xe_vram_probe(struct xe_device *xe); struct xe_vram_region *xe_vram_region_alloc(struct xe_device *xe, u8 id, u32 placement);

1 month, 1 week

2
5
0 0

[PATCH v3] slab: Avoid race on slab->obj_exts in alloc_slab_obj_exts

by Hao Ge

From: Hao Ge <gehao(a)kylinos.cn> If two competing threads enter alloc_slab_obj_exts() and one of them fails to allocate the object extension vector, it might override the valid slab->obj_exts allocated by the other thread with OBJEXTS_ALLOC_FAIL. This will cause the thread that lost this race and expects a valid pointer to dereference a NULL pointer later on. Update slab->obj_exts atomically using cmpxchg() to avoid slab->obj_exts overrides by racing threads. Thanks for Vlastimil and Suren's help with debugging. Fixes: f7381b911640 ("slab: mark slab->obj_exts allocation failures unconditionally") Cc: <stable(a)vger.kernel.org> Suggested-by: Suren Baghdasaryan <surenb(a)google.com> Signed-off-by: Hao Ge <gehao(a)kylinos.cn> --- v3: According to Suren's suggestion, simplify the commit message and the code comments. Thanks for Suren. v2: Incorporate handling for the scenario where, if mark_failed_objexts_alloc wins the race, the other process (that previously succeeded in allocation) will lose the race, based on Suren's suggestion. Add Suggested-by: Suren Baghdasaryan <surenb(a)google.com> --- mm/slub.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/mm/slub.c b/mm/slub.c index 2e4340c75be2..d4403341c9df 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -2054,7 +2054,7 @@ static inline void mark_objexts_empty(struct slabobj_ext *obj_exts) static inline void mark_failed_objexts_alloc(struct slab *slab) { - slab->obj_exts = OBJEXTS_ALLOC_FAIL; + cmpxchg(&slab->obj_exts, 0, OBJEXTS_ALLOC_FAIL); } static inline void handle_failed_objexts_alloc(unsigned long obj_exts, @@ -2136,6 +2136,7 @@ int alloc_slab_obj_exts(struct slab *slab, struct kmem_cache *s, #ifdef CONFIG_MEMCG new_exts |= MEMCG_DATA_OBJEXTS; #endif +retry: old_exts = READ_ONCE(slab->obj_exts); handle_failed_objexts_alloc(old_exts, vec, objects); if (new_slab) { @@ -2145,8 +2146,7 @@ int alloc_slab_obj_exts(struct slab *slab, struct kmem_cache *s, * be simply assigned. */ slab->obj_exts = new_exts; - } else if ((old_exts & ~OBJEXTS_FLAGS_MASK) || - cmpxchg(&slab->obj_exts, old_exts, new_exts) != old_exts) { + } else if (old_exts & ~OBJEXTS_FLAGS_MASK) { /* * If the slab is already in use, somebody can allocate and * assign slabobj_exts in parallel. In this case the existing @@ -2158,6 +2158,9 @@ int alloc_slab_obj_exts(struct slab *slab, struct kmem_cache *s, else kfree(vec); return 0; + } else if (cmpxchg(&slab->obj_exts, old_exts, new_exts) != old_exts) { + /* Retry if a racing thread changed slab->obj_exts from under us. */ + goto retry; } if (allow_spin) -- 2.25.1

1 month, 1 week

4
3
0 0

New October Order. 10938 Tuesday, October 21, 2025 at 03:14:23 PM

by Purchase - PathnSitu 737

Hi Stable, Please provide a quote for your products: Include: 1.Pricing (per unit) 2.Delivery cost & timeline 3.Quote expiry date Deadline: October Thanks! Danny Peddinti PathnSitu Trading

1 month, 1 week

1
0
0 0

FAILED: patch "[PATCH] drm/amdgpu: use atomic functions with memory barriers for vm" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 6df8e84aa6b5b1812cc2cacd6b3f5ccbb18cda2b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102009-dominion-underfeed-6f4b@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6df8e84aa6b5b1812cc2cacd6b3f5ccbb18cda2b Mon Sep 17 00:00:00 2001 From: Gui-Dong Han <hanguidong02(a)gmail.com> Date: Wed, 8 Oct 2025 03:43:27 +0000 Subject: [PATCH] drm/amdgpu: use atomic functions with memory barriers for vm fault info The atomic variable vm_fault_info_updated is used to synchronize access to adev->gmc.vm_fault_info between the interrupt handler and get_vm_fault_info(). The default atomic functions like atomic_set() and atomic_read() do not provide memory barriers. This allows for CPU instruction reordering, meaning the memory accesses to vm_fault_info and the vm_fault_info_updated flag are not guaranteed to occur in the intended order. This creates a race condition that can lead to inconsistent or stale data being used. The previous implementation, which used an explicit mb(), was incomplete and inefficient. It failed to account for all potential CPU reorderings, such as the access of vm_fault_info being reordered before the atomic_read of the flag. This approach is also more verbose and less performant than using the proper atomic functions with acquire/release semantics. Fix this by switching to atomic_set_release() and atomic_read_acquire(). These functions provide the necessary acquire and release semantics, which act as memory barriers to ensure the correct order of operations. It is also more efficient and idiomatic than using explicit full memory barriers. Fixes: b97dfa27ef3a ("drm/amdgpu: save vm fault information for amdkfd") Cc: stable(a)vger.kernel.org Signed-off-by: Gui-Dong Han <hanguidong02(a)gmail.com> Signed-off-by: Felix Kuehling <felix.kuehling(a)amd.com> Reviewed-by: Felix Kuehling <felix.kuehling(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c index 83020963dfde..a2ca9acf8c4e 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c @@ -2329,10 +2329,9 @@ void amdgpu_amdkfd_gpuvm_unmap_gtt_bo_from_kernel(struct kgd_mem *mem) int amdgpu_amdkfd_gpuvm_get_vm_fault_info(struct amdgpu_device *adev, struct kfd_vm_fault_info *mem) { - if (atomic_read(&adev->gmc.vm_fault_info_updated) == 1) { + if (atomic_read_acquire(&adev->gmc.vm_fault_info_updated) == 1) { *mem = *adev->gmc.vm_fault_info; - mb(); /* make sure read happened */ - atomic_set(&adev->gmc.vm_fault_info_updated, 0); + atomic_set_release(&adev->gmc.vm_fault_info_updated, 0); } return 0; } diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c index 93d7ccb7d013..0e5e54d0a9a5 100644 --- a/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c +++ b/drivers/gpu/drm/amd/amdgpu/gmc_v7_0.c @@ -1068,7 +1068,7 @@ static int gmc_v7_0_sw_init(struct amdgpu_ip_block *ip_block) GFP_KERNEL); if (!adev->gmc.vm_fault_info) return -ENOMEM; - atomic_set(&adev->gmc.vm_fault_info_updated, 0); + atomic_set_release(&adev->gmc.vm_fault_info_updated, 0); return 0; } @@ -1290,7 +1290,7 @@ static int gmc_v7_0_process_interrupt(struct amdgpu_device *adev, vmid = REG_GET_FIELD(status, VM_CONTEXT1_PROTECTION_FAULT_STATUS, VMID); if (amdgpu_amdkfd_is_kfd_vmid(adev, vmid) - && !atomic_read(&adev->gmc.vm_fault_info_updated)) { + && !atomic_read_acquire(&adev->gmc.vm_fault_info_updated)) { struct kfd_vm_fault_info *info = adev->gmc.vm_fault_info; u32 protections = REG_GET_FIELD(status, VM_CONTEXT1_PROTECTION_FAULT_STATUS, @@ -1306,8 +1306,7 @@ static int gmc_v7_0_process_interrupt(struct amdgpu_device *adev, info->prot_read = protections & 0x8 ? true : false; info->prot_write = protections & 0x10 ? true : false; info->prot_exec = protections & 0x20 ? true : false; - mb(); - atomic_set(&adev->gmc.vm_fault_info_updated, 1); + atomic_set_release(&adev->gmc.vm_fault_info_updated, 1); } return 0; diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c index c5e2a2c41e06..e1509480dfc2 100644 --- a/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c +++ b/drivers/gpu/drm/amd/amdgpu/gmc_v8_0.c @@ -1183,7 +1183,7 @@ static int gmc_v8_0_sw_init(struct amdgpu_ip_block *ip_block) GFP_KERNEL); if (!adev->gmc.vm_fault_info) return -ENOMEM; - atomic_set(&adev->gmc.vm_fault_info_updated, 0); + atomic_set_release(&adev->gmc.vm_fault_info_updated, 0); return 0; } @@ -1478,7 +1478,7 @@ static int gmc_v8_0_process_interrupt(struct amdgpu_device *adev, vmid = REG_GET_FIELD(status, VM_CONTEXT1_PROTECTION_FAULT_STATUS, VMID); if (amdgpu_amdkfd_is_kfd_vmid(adev, vmid) - && !atomic_read(&adev->gmc.vm_fault_info_updated)) { + && !atomic_read_acquire(&adev->gmc.vm_fault_info_updated)) { struct kfd_vm_fault_info *info = adev->gmc.vm_fault_info; u32 protections = REG_GET_FIELD(status, VM_CONTEXT1_PROTECTION_FAULT_STATUS, @@ -1494,8 +1494,7 @@ static int gmc_v8_0_process_interrupt(struct amdgpu_device *adev, info->prot_read = protections & 0x8 ? true : false; info->prot_write = protections & 0x10 ? true : false; info->prot_exec = protections & 0x20 ? true : false; - mb(); - atomic_set(&adev->gmc.vm_fault_info_updated, 1); + atomic_set_release(&adev->gmc.vm_fault_info_updated, 1); } return 0;

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] drm/sched: Fix potential double free in" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 5801e65206b065b0b2af032f7f1eef222aa2fd83 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102034-voltage-truck-aeff@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5801e65206b065b0b2af032f7f1eef222aa2fd83 Mon Sep 17 00:00:00 2001 From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Date: Wed, 15 Oct 2025 09:40:15 +0100 Subject: [PATCH] drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When adding dependencies with drm_sched_job_add_dependency(), that function consumes the fence reference both on success and failure, so in the latter case the dma_fence_put() on the error path (xarray failed to expand) is a double free. Interestingly this bug appears to have been present ever since commit ebd5f74255b9 ("drm/sched: Add dependency tracking"), since the code back then looked like this: drm_sched_job_add_implicit_dependencies(): ... for (i = 0; i < fence_count; i++) { ret = drm_sched_job_add_dependency(job, fences[i]); if (ret) break; } for (; i < fence_count; i++) dma_fence_put(fences[i]); Which means for the failing 'i' the dma_fence_put was already a double free. Possibly there were no users at that time, or the test cases were insufficient to hit it. The bug was then only noticed and fixed after commit 9c2ba265352a ("drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2") landed, with its fixup of commit 4eaf02d6076c ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies"). At that point it was a slightly different flavour of a double free, which commit 963d0b356935 ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder") noticed and attempted to fix. But it only moved the double free from happening inside the drm_sched_job_add_dependency(), when releasing the reference not yet obtained, to the caller, when releasing the reference already released by the former in the failure case. As such it is not easy to identify the right target for the fixes tag so lets keep it simple and just continue the chain. While fixing we also improve the comment and explain the reason for taking the reference and not dropping it. Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Fixes: 963d0b356935 ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder") Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Closes: https://lore.kernel.org/dri-devel/aNFbXq8OeYl3QSdm@stanley.mountain/ Cc: Christian König <christian.koenig(a)amd.com> Cc: Rob Clark <robdclark(a)chromium.org> Cc: Daniel Vetter <daniel.vetter(a)ffwll.ch> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: Danilo Krummrich <dakr(a)kernel.org> Cc: Philipp Stanner <phasta(a)kernel.org> Cc: Christian König <ckoenig.leichtzumerken(a)gmail.com> Cc: dri-devel(a)lists.freedesktop.org Cc: stable(a)vger.kernel.org # v5.16+ Signed-off-by: Philipp Stanner <phasta(a)kernel.org> Link: https://lore.kernel.org/r/20251015084015.6273-1-tvrtko.ursulin@igalia.com diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c index 46119aacb809..c39f0245e3a9 100644 --- a/drivers/gpu/drm/scheduler/sched_main.c +++ b/drivers/gpu/drm/scheduler/sched_main.c @@ -965,13 +965,14 @@ int drm_sched_job_add_resv_dependencies(struct drm_sched_job *job, dma_resv_assert_held(resv); dma_resv_for_each_fence(&cursor, resv, usage, fence) { - /* Make sure to grab an additional ref on the added fence */ - dma_fence_get(fence); - ret = drm_sched_job_add_dependency(job, fence); - if (ret) { - dma_fence_put(fence); + /* + * As drm_sched_job_add_dependency always consumes the fence + * reference (even when it fails), and dma_resv_for_each_fence + * is not obtaining one, we need to grab one before calling. + */ + ret = drm_sched_job_add_dependency(job, dma_fence_get(fence)); + if (ret) return ret; - } } return 0; }

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] ext4: detect invalid INLINE_DATA + EXTENTS flag combination" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 1d3ad183943b38eec2acf72a0ae98e635dc8456b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102009-dares-negligent-77e3@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1d3ad183943b38eec2acf72a0ae98e635dc8456b Mon Sep 17 00:00:00 2001 From: Deepanshu Kartikey <kartikey406(a)gmail.com> Date: Tue, 30 Sep 2025 16:58:10 +0530 Subject: [PATCH] ext4: detect invalid INLINE_DATA + EXTENTS flag combination syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal. The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set: EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15: comm syz.0.17: corrupted extent tree: lblk 0 < prev 66 Investigation revealed that the inode has both flags set: DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1 This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes. Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode. Cc: stable(a)kernel.org Reported-and-tested-by: syzbot+038b7bf43423e132b308(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=038b7bf43423e132b308 Suggested-by: Zhang Yi <yi.zhang(a)huawei.com> Signed-off-by: Deepanshu Kartikey <kartikey406(a)gmail.com> Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com> Message-ID: <20250930112810.315095-1-kartikey406(a)gmail.com> Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index f9e4ac87211e..e99306a8f47c 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -5319,6 +5319,14 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, } ei->i_flags = le32_to_cpu(raw_inode->i_flags); ext4_set_inode_flags(inode, true); + /* Detect invalid flag combination - can't have both inline data and extents */ + if (ext4_test_inode_flag(inode, EXT4_INODE_INLINE_DATA) && + ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS)) { + ext4_error_inode(inode, function, line, 0, + "inode has both inline data and extents flags"); + ret = -EFSCORRUPTED; + goto bad_inode; + } inode->i_blocks = ext4_inode_blocks(raw_inode, ei); ei->i_file_acl = le32_to_cpu(raw_inode->i_file_acl_lo); if (ext4_has_feature_64bit(sb))

1 month, 1 week

2
1
0 0

[PATCH v3] s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump

by Gerd Bayer

Do not block PCI config accesses through pci_cfg_access_lock() when executing the s390 variant of PCI error recovery: Acquire just device_lock() instead of pci_dev_lock() as powerpc's EEH and generig PCI AER processing do. During error recovery testing a pair of tasks was reported to be hung: mlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not working INFO: task kmcheck:72 blocked for more than 122 seconds. Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kmcheck state:D stack:0 pid:72 tgid:72 ppid:2 flags:0x00000000 Call Trace: [<000000065256f030>] __schedule+0x2a0/0x590 [<000000065256f356>] schedule+0x36/0xe0 [<000000065256f572>] schedule_preempt_disabled+0x22/0x30 [<0000000652570a94>] __mutex_lock.constprop.0+0x484/0x8a8 [<000003ff800673a4>] mlx5_unload_one+0x34/0x58 [mlx5_core] [<000003ff8006745c>] mlx5_pci_err_detected+0x94/0x140 [mlx5_core] [<0000000652556c5a>] zpci_event_attempt_error_recovery+0xf2/0x398 [<0000000651b9184a>] __zpci_event_error+0x23a/0x2c0 INFO: task kworker/u1664:6:1514 blocked for more than 122 seconds. Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u1664:6 state:D stack:0 pid:1514 tgid:1514 ppid:2 flags:0x00000000 Workqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core] Call Trace: [<000000065256f030>] __schedule+0x2a0/0x590 [<000000065256f356>] schedule+0x36/0xe0 [<0000000652172e28>] pci_wait_cfg+0x80/0xe8 [<0000000652172f94>] pci_cfg_access_lock+0x74/0x88 [<000003ff800916b6>] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core] [<000003ff80098824>] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core] [<000003ff80074b62>] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core] [<0000000652512242>] devlink_health_do_dump.part.0+0x82/0x168 [<0000000652513212>] devlink_health_report+0x19a/0x230 [<000003ff80075a12>] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core] No kernel log of the exact same error with an upstream kernel is available - but the very same deadlock situation can be constructed there, too: - task: kmcheck mlx5_unload_one() tries to acquire devlink lock while the PCI error recovery code has set pdev->block_cfg_access by way of pci_cfg_access_lock() - task: kworker mlx5_crdump_collect() tries to set block_cfg_access through pci_cfg_access_lock() while devlink_health_report() had acquired the devlink lock. A similar deadlock situation can be reproduced by requesting a crdump with > devlink health dump show pci/<BDF> reporter fw_fatal while PCI error recovery is executed on the same <BDF> physical function by mlx5_core's pci_error_handlers. On s390 this can be injected with > zpcictl --reset-fw <BDF> Tests with this patch failed to reproduce that second deadlock situation, the devlink command is rejected with "kernel answers: Permission denied" - and we get a kernel log message of: mlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5 because the config read of VSC_SEMAPHORE is rejected by the underlying hardware. Two prior attempts to address this issue have been discussed and ultimately rejected [see link], with the primary argument that s390's implementation of PCI error recovery is imposing restrictions that neither powerpc's EEH nor PCI AER handling need. Tests show that PCI error recovery on s390 is running to completion even without blocking access to PCI config space. Link: https://lore.kernel.org/all/20251007144826.2825134-1-gbayer@linux.ibm.com/ Cc: stable(a)vger.kernel.org Fixes: 4cdf2f4e24ff ("s390/pci: implement minimal PCI error recovery") Reviewed-by: Niklas Schnelle <schnelle(a)linux.ibm.com> Signed-off-by: Gerd Bayer <gbayer(a)linux.ibm.com> --- Hi Niklas, Shay, Jason, by now I believe fixing this in s390/pci is the right way to go, since the other PCI error recovery implementations apparently don't require this strict blocking of accesses to the PCI config space. Hi Alexander, Vasily, Heiko, while I sent this to netdev since prior versions were discussed there, I assume this patch will go through the s390 tree, right? Thanks, Gerd --- Changes in v3: - Incorporate changes to commit message as suggested by Niklas. - Link to v2: https://lore.kernel.org/r/20251015-fix_pcirecov_master-v2-1-e07962fe9558@li… Changes in v2: - Rebase to upstream master --- arch/s390/pci/pci_event.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/s390/pci/pci_event.c b/arch/s390/pci/pci_event.c index b95376041501f479eee20705d45fb8c68553da71..27db1e72c623f8a289cae457e87f0a9896ed241d 100644 --- a/arch/s390/pci/pci_event.c +++ b/arch/s390/pci/pci_event.c @@ -188,7 +188,7 @@ static pci_ers_result_t zpci_event_attempt_error_recovery(struct pci_dev *pdev) * is unbound or probed and that userspace can't access its * configuration space while we perform recovery. */ - pci_dev_lock(pdev); + device_lock(&pdev->dev); if (pdev->error_state == pci_channel_io_perm_failure) { ers_res = PCI_ERS_RESULT_DISCONNECT; goto out_unlock; @@ -257,7 +257,7 @@ static pci_ers_result_t zpci_event_attempt_error_recovery(struct pci_dev *pdev) driver->err_handler->resume(pdev); pci_uevent_ers(pdev, PCI_ERS_RESULT_RECOVERED); out_unlock: - pci_dev_unlock(pdev); + device_unlock(&pdev->dev); zpci_report_status(zdev, "recovery", status_str); return ers_res; --- base-commit: 9b332cece987ee1790b2ed4c989e28162fa47860 change-id: 20251015-fix_pcirecov_master-55fe3705c6c6 Best regards, -- Gerd Bayer <gbayer(a)linux.ibm.com>

1 month, 1 week

2
1
0 0

[PATCH 0/6] drm/panic: Fixes found with kunit.

by Jocelyn Falempe

A few fixes for drm panic, that I found when writing unit tests with kunit. Jocelyn Falempe (6): drm/panic: Fix drawing the logo on a small narrow screen drm/panic: Fix overlap between qr code and logo drm/panic: Fix qr_code, ensure vmargin is positive drm/panic: Fix kmsg text drawing rectangle drm/panic: Fix divide by 0 if the screen width < font width drm/panic: Fix 24bit pixel crossing page boundaries drivers/gpu/drm/drm_panic.c | 60 +++++++++++++++++++++++++++++++++---- 1 file changed, 54 insertions(+), 6 deletions(-) base-commit: e4bea919584ff292c9156cf7d641a2ab3cbe27b0 -- 2.51.0

1 month, 1 week

4
16
0 0

[PATCH] fs: Fix uninitialized 'offp' in statmount_string()

by Zhen Ni

In statmount_string(), most flags assign an output offset pointer (offp) which is later updated with the string offset. However, the STATMOUNT_MNT_UIDMAP and STATMOUNT_MNT_GIDMAP cases directly set the struct fields instead of using offp. This leaves offp uninitialized, leading to a possible uninitialized dereference when *offp is updated. Fix it by assigning offp for UIDMAP and GIDMAP as well, keeping the code path consistent. Fixes: 37c4a9590e1e ("statmount: allow to retrieve idmappings") Cc: stable(a)vger.kernel.org Signed-off-by: Zhen Ni <zhen.ni(a)easystack.cn> --- fs/namespace.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index d82910f33dc4..5b5ab2ae238b 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -5454,11 +5454,11 @@ static int statmount_string(struct kstatmount *s, u64 flag) ret = statmount_sb_source(s, seq); break; case STATMOUNT_MNT_UIDMAP: - sm->mnt_uidmap = start; + offp = &sm->mnt_uidmap; ret = statmount_mnt_uidmap(s, seq); break; case STATMOUNT_MNT_GIDMAP: - sm->mnt_gidmap = start; + offp = &sm->mnt_gidmap; ret = statmount_mnt_gidmap(s, seq); break; default: -- 2.20.1

1 month, 1 week

3
3
0 0

[PATCH 6.12.y] mm/ksm: fix flag-dropping behavior in ksm_madvise

by Jakub Acs

[ Upstream commit f04aad36a07cc17b7a5d5b9a2d386ce6fae63e93 ] syzkaller discovered the following crash: (kernel BUG) [ 44.607039] ------------[ cut here ]------------ [ 44.607422] kernel BUG at mm/userfaultfd.c:2067! [ 44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none) [ 44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 44.610695] RIP: 0010:userfaultfd_release_all+0x3a8/0x460 <snip other registers, drop unreliable trace> [ 44.617726] Call Trace: [ 44.617926] <TASK> [ 44.619284] userfaultfd_release+0xef/0x1b0 [ 44.620976] __fput+0x3f9/0xb60 [ 44.621240] fput_close_sync+0x110/0x210 [ 44.622222] __x64_sys_close+0x8f/0x120 [ 44.622530] do_syscall_64+0x5b/0x2f0 [ 44.622840] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 44.623244] RIP: 0033:0x7f365bb3f227 Kernel panics because it detects UFFD inconsistency during userfaultfd_release_all(). Specifically, a VMA which has a valid pointer to vma->vm_userfaultfd_ctx, but no UFFD flags in vma->vm_flags. The inconsistency is caused in ksm_madvise(): when user calls madvise() with MADV_UNMEARGEABLE on a VMA that is registered for UFFD in MINOR mode, it accidentally clears all flags stored in the upper 32 bits of vma->vm_flags. Assuming x86_64 kernel build, unsigned long is 64-bit and unsigned int and int are 32-bit wide. This setup causes the following mishap during the &= ~VM_MERGEABLE assignment. VM_MERGEABLE is a 32-bit constant of type unsigned int, 0x8000'0000. After ~ is applied, it becomes 0x7fff'ffff unsigned int, which is then promoted to unsigned long before the & operation. This promotion fills upper 32 bits with leading 0s, as we're doing unsigned conversion (and even for a signed conversion, this wouldn't help as the leading bit is 0). & operation thus ends up AND-ing vm_flags with 0x0000'0000'7fff'ffff instead of intended 0xffff'ffff'7fff'ffff and hence accidentally clears the upper 32-bits of its value. Fix it by changing `VM_MERGEABLE` constant to unsigned long, using the BIT() macro. Note: other VM_* flags are not affected: This only happens to the VM_MERGEABLE flag, as the other VM_* flags are all constants of type int and after ~ operation, they end up with leading 1 and are thus converted to unsigned long with leading 1s. Note 2: After commit 31defc3b01d9 ("userfaultfd: remove (VM_)BUG_ON()s"), this is no longer a kernel BUG, but a WARNING at the same place: [ 45.595973] WARNING: CPU: 1 PID: 2474 at mm/userfaultfd.c:2067 but the root-cause (flag-drop) remains the same. [akpm(a)linux-foundation.org: rust bindgen wasn't able to handle BIT(), from Miguel] Link: https://lore.kernel.org/oe-kbuild-all/202510030449.VfSaAjvd-lkp@intel.com/ Link: https://lkml.kernel.org/r/20251001090353.57523-2-acsjakub@amazon.de Fixes: 7677f7fd8be7 ("userfaultfd: add minor fault registration mode") Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis(a)gmail.com> Acked-by: David Hildenbrand <david(a)redhat.com> Acked-by: SeongJae Park <sj(a)kernel.org> Tested-by: Alice Ryhl <aliceryhl(a)google.com> Tested-by: Miguel Ojeda <miguel.ojeda.sandonis(a)gmail.com> Cc: Xu Xin <xu.xin16(a)zte.com.cn> Cc: Chengming Zhou <chengming.zhou(a)linux.dev> Cc: Peter Xu <peterx(a)redhat.com> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> [acsjakub(a)amazon.de: adjust context in bindgings_helper.h] Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> --- Tested that CONFIG_RUST=y builds with LLVM=1 with toolchain from https://mirrors.edge.kernel.org/pub/tools/llvm/rust/. include/linux/mm.h | 2 +- rust/bindings/bindings_helper.h | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index f0fa8404957d..13b4bd7355c1 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -320,7 +320,7 @@ extern unsigned int kobjsize(const void *objp); #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */ #define VM_HUGEPAGE 0x20000000 /* MADV_HUGEPAGE marked this vma */ #define VM_NOHUGEPAGE 0x40000000 /* MADV_NOHUGEPAGE marked this vma */ -#define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */ +#define VM_MERGEABLE BIT(31) /* KSM may merge identical pages */ #ifdef CONFIG_ARCH_USES_HIGH_VMA_FLAGS #define VM_HIGH_ARCH_BIT_0 32 /* bit only usable on 64-bit architectures */ diff --git a/rust/bindings/bindings_helper.h b/rust/bindings/bindings_helper.h index a80783fcbe04..8b97919a86e2 100644 --- a/rust/bindings/bindings_helper.h +++ b/rust/bindings/bindings_helper.h @@ -33,3 +33,4 @@ const gfp_t RUST_CONST_HELPER___GFP_ZERO = __GFP_ZERO; const gfp_t RUST_CONST_HELPER___GFP_HIGHMEM = ___GFP_HIGHMEM; const gfp_t RUST_CONST_HELPER___GFP_NOWARN = ___GFP_NOWARN; const blk_features_t RUST_CONST_HELPER_BLK_FEAT_ROTATIONAL = BLK_FEAT_ROTATIONAL; +const vm_flags_t RUST_CONST_HELPER_VM_MERGEABLE = VM_MERGEABLE; -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

1 month, 1 week

1
0
0 0

[PATCH 6.6.y] mm/ksm: fix flag-dropping behavior in ksm_madvise

by Jakub Acs

[ Upstream commit f04aad36a07cc17b7a5d5b9a2d386ce6fae63e93 ] syzkaller discovered the following crash: (kernel BUG) [ 44.607039] ------------[ cut here ]------------ [ 44.607422] kernel BUG at mm/userfaultfd.c:2067! [ 44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none) [ 44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 44.610695] RIP: 0010:userfaultfd_release_all+0x3a8/0x460 <snip other registers, drop unreliable trace> [ 44.617726] Call Trace: [ 44.617926] <TASK> [ 44.619284] userfaultfd_release+0xef/0x1b0 [ 44.620976] __fput+0x3f9/0xb60 [ 44.621240] fput_close_sync+0x110/0x210 [ 44.622222] __x64_sys_close+0x8f/0x120 [ 44.622530] do_syscall_64+0x5b/0x2f0 [ 44.622840] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 44.623244] RIP: 0033:0x7f365bb3f227 Kernel panics because it detects UFFD inconsistency during userfaultfd_release_all(). Specifically, a VMA which has a valid pointer to vma->vm_userfaultfd_ctx, but no UFFD flags in vma->vm_flags. The inconsistency is caused in ksm_madvise(): when user calls madvise() with MADV_UNMEARGEABLE on a VMA that is registered for UFFD in MINOR mode, it accidentally clears all flags stored in the upper 32 bits of vma->vm_flags. Assuming x86_64 kernel build, unsigned long is 64-bit and unsigned int and int are 32-bit wide. This setup causes the following mishap during the &= ~VM_MERGEABLE assignment. VM_MERGEABLE is a 32-bit constant of type unsigned int, 0x8000'0000. After ~ is applied, it becomes 0x7fff'ffff unsigned int, which is then promoted to unsigned long before the & operation. This promotion fills upper 32 bits with leading 0s, as we're doing unsigned conversion (and even for a signed conversion, this wouldn't help as the leading bit is 0). & operation thus ends up AND-ing vm_flags with 0x0000'0000'7fff'ffff instead of intended 0xffff'ffff'7fff'ffff and hence accidentally clears the upper 32-bits of its value. Fix it by changing `VM_MERGEABLE` constant to unsigned long, using the BIT() macro. Note: other VM_* flags are not affected: This only happens to the VM_MERGEABLE flag, as the other VM_* flags are all constants of type int and after ~ operation, they end up with leading 1 and are thus converted to unsigned long with leading 1s. Note 2: After commit 31defc3b01d9 ("userfaultfd: remove (VM_)BUG_ON()s"), this is no longer a kernel BUG, but a WARNING at the same place: [ 45.595973] WARNING: CPU: 1 PID: 2474 at mm/userfaultfd.c:2067 but the root-cause (flag-drop) remains the same. [akpm(a)linux-foundation.org: rust bindgen wasn't able to handle BIT(), from Miguel] Link: https://lore.kernel.org/oe-kbuild-all/202510030449.VfSaAjvd-lkp@intel.com/ Link: https://lkml.kernel.org/r/20251001090353.57523-2-acsjakub@amazon.de Fixes: 7677f7fd8be7 ("userfaultfd: add minor fault registration mode") Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis(a)gmail.com> Acked-by: David Hildenbrand <david(a)redhat.com> Acked-by: SeongJae Park <sj(a)kernel.org> Tested-by: Alice Ryhl <aliceryhl(a)google.com> Tested-by: Miguel Ojeda <miguel.ojeda.sandonis(a)gmail.com> Cc: Xu Xin <xu.xin16(a)zte.com.cn> Cc: Chengming Zhou <chengming.zhou(a)linux.dev> Cc: Peter Xu <peterx(a)redhat.com> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> [acsjakub(a)amazon.de: adapt rust bindgen const to older versions] Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> --- I inferred the rust adaptation from the neighboring definitions. Could rust folks please also check that it makes sense? Tested that CONFIG_RUST=y builds with LLVM=1 with toolchain from https://mirrors.edge.kernel.org/pub/tools/llvm/rust/. include/linux/mm.h | 2 +- rust/bindings/bindings_helper.h | 2 ++ rust/bindings/lib.rs | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index ba77f08900ca..fa5b11452ae6 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -315,7 +315,7 @@ extern unsigned int kobjsize(const void *objp); #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */ #define VM_HUGEPAGE 0x20000000 /* MADV_HUGEPAGE marked this vma */ #define VM_NOHUGEPAGE 0x40000000 /* MADV_NOHUGEPAGE marked this vma */ -#define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */ +#define VM_MERGEABLE BIT(31) /* KSM may merge identical pages */ #ifdef CONFIG_ARCH_USES_HIGH_VMA_FLAGS #define VM_HIGH_ARCH_BIT_0 32 /* bit only usable on 64-bit architectures */ diff --git a/rust/bindings/bindings_helper.h b/rust/bindings/bindings_helper.h index c91a3c24f607..5416f21918e0 100644 --- a/rust/bindings/bindings_helper.h +++ b/rust/bindings/bindings_helper.h @@ -12,8 +12,10 @@ #include <linux/refcount.h> #include <linux/wait.h> #include <linux/sched.h> +#include <linux/mm.h> /* `bindgen` gets confused at certain things. */ const size_t BINDINGS_ARCH_SLAB_MINALIGN = ARCH_SLAB_MINALIGN; const gfp_t BINDINGS_GFP_KERNEL = GFP_KERNEL; const gfp_t BINDINGS___GFP_ZERO = __GFP_ZERO; +const vm_flags_t BINDINGS_VM_MERGEABLE = VM_MERGEABLE; diff --git a/rust/bindings/lib.rs b/rust/bindings/lib.rs index 9bcbea04dac3..7d9078b94a8f 100644 --- a/rust/bindings/lib.rs +++ b/rust/bindings/lib.rs @@ -51,3 +51,4 @@ mod bindings_helper { pub const GFP_KERNEL: gfp_t = BINDINGS_GFP_KERNEL; pub const __GFP_ZERO: gfp_t = BINDINGS___GFP_ZERO; +pub const VM_MERGEABLE: vm_flags_t = BINDINGS_VM_MERGEABLE; -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

1 month, 1 week

1
0
0 0

[PATCH 6.1.y] mm/ksm: fix flag-dropping behavior in ksm_madvise

by Jakub Acs

[ Upstream commit f04aad36a07cc17b7a5d5b9a2d386ce6fae63e93 ] syzkaller discovered the following crash: (kernel BUG) [ 44.607039] ------------[ cut here ]------------ [ 44.607422] kernel BUG at mm/userfaultfd.c:2067! [ 44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none) [ 44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 44.610695] RIP: 0010:userfaultfd_release_all+0x3a8/0x460 <snip other registers, drop unreliable trace> [ 44.617726] Call Trace: [ 44.617926] <TASK> [ 44.619284] userfaultfd_release+0xef/0x1b0 [ 44.620976] __fput+0x3f9/0xb60 [ 44.621240] fput_close_sync+0x110/0x210 [ 44.622222] __x64_sys_close+0x8f/0x120 [ 44.622530] do_syscall_64+0x5b/0x2f0 [ 44.622840] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 44.623244] RIP: 0033:0x7f365bb3f227 Kernel panics because it detects UFFD inconsistency during userfaultfd_release_all(). Specifically, a VMA which has a valid pointer to vma->vm_userfaultfd_ctx, but no UFFD flags in vma->vm_flags. The inconsistency is caused in ksm_madvise(): when user calls madvise() with MADV_UNMEARGEABLE on a VMA that is registered for UFFD in MINOR mode, it accidentally clears all flags stored in the upper 32 bits of vma->vm_flags. Assuming x86_64 kernel build, unsigned long is 64-bit and unsigned int and int are 32-bit wide. This setup causes the following mishap during the &= ~VM_MERGEABLE assignment. VM_MERGEABLE is a 32-bit constant of type unsigned int, 0x8000'0000. After ~ is applied, it becomes 0x7fff'ffff unsigned int, which is then promoted to unsigned long before the & operation. This promotion fills upper 32 bits with leading 0s, as we're doing unsigned conversion (and even for a signed conversion, this wouldn't help as the leading bit is 0). & operation thus ends up AND-ing vm_flags with 0x0000'0000'7fff'ffff instead of intended 0xffff'ffff'7fff'ffff and hence accidentally clears the upper 32-bits of its value. Fix it by changing `VM_MERGEABLE` constant to unsigned long, using the BIT() macro. Note: other VM_* flags are not affected: This only happens to the VM_MERGEABLE flag, as the other VM_* flags are all constants of type int and after ~ operation, they end up with leading 1 and are thus converted to unsigned long with leading 1s. Note 2: After commit 31defc3b01d9 ("userfaultfd: remove (VM_)BUG_ON()s"), this is no longer a kernel BUG, but a WARNING at the same place: [ 45.595973] WARNING: CPU: 1 PID: 2474 at mm/userfaultfd.c:2067 but the root-cause (flag-drop) remains the same. [akpm(a)linux-foundation.org: rust bindgen wasn't able to handle BIT(), from Miguel] Link: https://lore.kernel.org/oe-kbuild-all/202510030449.VfSaAjvd-lkp@intel.com/ Link: https://lkml.kernel.org/r/20251001090353.57523-2-acsjakub@amazon.de Fixes: 7677f7fd8be7 ("userfaultfd: add minor fault registration mode") Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis(a)gmail.com> Acked-by: David Hildenbrand <david(a)redhat.com> Acked-by: SeongJae Park <sj(a)kernel.org> Tested-by: Alice Ryhl <aliceryhl(a)google.com> Tested-by: Miguel Ojeda <miguel.ojeda.sandonis(a)gmail.com> Cc: Xu Xin <xu.xin16(a)zte.com.cn> Cc: Chengming Zhou <chengming.zhou(a)linux.dev> Cc: Peter Xu <peterx(a)redhat.com> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> [acsjakub(a)amazon.de: adapt rust bindgen to older versions] Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> --- I inferred the rust adaptation from the neighboring definitions. Could rust folks please also check that it makes sense? Tested that CONFIG_RUST=y builds with LLVM=1 with toolchain from https://mirrors.edge.kernel.org/pub/tools/llvm/rust/ (used bindgen 0.56.0 from github, as it's no longer available at crates.io) include/linux/mm.h | 2 +- rust/bindings/bindings_helper.h | 2 ++ rust/bindings/lib.rs | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index 3bf7823e1097..44381ffaf34b 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -316,7 +316,7 @@ extern unsigned int kobjsize(const void *objp); #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */ #define VM_HUGEPAGE 0x20000000 /* MADV_HUGEPAGE marked this vma */ #define VM_NOHUGEPAGE 0x40000000 /* MADV_NOHUGEPAGE marked this vma */ -#define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */ +#define VM_MERGEABLE BIT(31) /* KSM may merge identical pages */ #ifdef CONFIG_ARCH_USES_HIGH_VMA_FLAGS #define VM_HIGH_ARCH_BIT_0 32 /* bit only usable on 64-bit architectures */ diff --git a/rust/bindings/bindings_helper.h b/rust/bindings/bindings_helper.h index fdb4e11df3bd..2f5fd797955a 100644 --- a/rust/bindings/bindings_helper.h +++ b/rust/bindings/bindings_helper.h @@ -7,8 +7,10 @@ */ #include <linux/slab.h> +#include <linux/mm.h> /* `bindgen` gets confused at certain things. */ const size_t BINDINGS_ARCH_SLAB_MINALIGN = ARCH_SLAB_MINALIGN; const gfp_t BINDINGS_GFP_KERNEL = GFP_KERNEL; const gfp_t BINDINGS___GFP_ZERO = __GFP_ZERO; +const vm_flags_t BINDINGS_VM_MERGEABLE = VM_MERGEABLE; diff --git a/rust/bindings/lib.rs b/rust/bindings/lib.rs index 6c50ee62c56b..8cf84e899817 100644 --- a/rust/bindings/lib.rs +++ b/rust/bindings/lib.rs @@ -51,3 +51,4 @@ pub use bindings_raw::*; pub const GFP_KERNEL: gfp_t = BINDINGS_GFP_KERNEL; pub const __GFP_ZERO: gfp_t = BINDINGS___GFP_ZERO; +pub const VM_MERGEABLE: vm_flags_t = BINDINGS_VM_MERGEABLE; -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

1 month, 1 week

1
0
0 0

[tip: locking/core] locking/spinlock/debug: Fix data-race in do_raw_write_lock

by tip-bot2 for Alexander Sverdlin

The following commit has been merged into the locking/core branch of tip: Commit-ID: c14ecb555c3ee80eeb030a4e46d00e679537f03a Gitweb: https://git.kernel.org/tip/c14ecb555c3ee80eeb030a4e46d00e679537f03a Author: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> AuthorDate: Fri, 19 Sep 2025 11:12:38 +02:00 Committer: Peter Zijlstra <peterz(a)infradead.org> CommitterDate: Tue, 21 Oct 2025 12:31:55 +02:00 locking/spinlock/debug: Fix data-race in do_raw_write_lock KCSAN reports: BUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock write (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1: do_raw_write_lock+0x120/0x204 _raw_write_lock_irq do_exit call_usermodehelper_exec_async ret_from_fork read to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0: do_raw_write_lock+0x88/0x204 _raw_write_lock_irq do_exit call_usermodehelper_exec_async ret_from_fork value changed: 0xffffffff -> 0x00000001 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111 Commit 1a365e822372 ("locking/spinlock/debug: Fix various data races") has adressed most of these races, but seems to be not consistent/not complete. >From do_raw_write_lock() only debug_write_lock_after() part has been converted to WRITE_ONCE(), but not debug_write_lock_before() part. Do it now. Fixes: 1a365e822372 ("locking/spinlock/debug: Fix various data races") Reported-by: Adrian Freihofer <adrian.freihofer(a)siemens.com> Signed-off-by: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> Signed-off-by: Boqun Feng <boqun.feng(a)gmail.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Reviewed-by: Paul E. McKenney <paulmck(a)kernel.org> Acked-by: Waiman Long <longman(a)redhat.com> Cc: stable(a)vger.kernel.org --- kernel/locking/spinlock_debug.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/locking/spinlock_debug.c b/kernel/locking/spinlock_debug.c index 87b03d2..2338b3a 100644 --- a/kernel/locking/spinlock_debug.c +++ b/kernel/locking/spinlock_debug.c @@ -184,8 +184,8 @@ void do_raw_read_unlock(rwlock_t *lock) static inline void debug_write_lock_before(rwlock_t *lock) { RWLOCK_BUG_ON(lock->magic != RWLOCK_MAGIC, lock, "bad magic"); - RWLOCK_BUG_ON(lock->owner == current, lock, "recursion"); - RWLOCK_BUG_ON(lock->owner_cpu == raw_smp_processor_id(), + RWLOCK_BUG_ON(READ_ONCE(lock->owner) == current, lock, "recursion"); + RWLOCK_BUG_ON(READ_ONCE(lock->owner_cpu) == raw_smp_processor_id(), lock, "cpu recursion"); }

1 month, 1 week

1
0
0 0

[PATCH 6.1 0/8] Backporting CVE-2025-38073 fix patch

by Mahmoud Adam

This series aims to fix the CVE-2025-38073 for 6.1 LTS. Which is fixed by c0e473a0d226 ("block: fix race between set_blocksize and read paths"). This patch is built on top multiple refactors that where merged on 6.6. The needed dependecies are: - e003f74afbd2 ("filemap: add a kiocb_invalidate_pages helper") - c402a9a9430b ("filemap: add a kiocb_invalidate_post_direct_write helper") - 182c25e9c157 ("filemap: update ki_pos in generic_perform_write") - 44fff0fa08ec ("fs: factor out a direct_write_fallback helper") - 727cfe976758 ("block: open code __generic_file_write_iter for blkdev writes") Also backport follow up fixes: - fb881cd76045 ("nilfs2: fix deadlock warnings caused by lock dependency in init_nilfs()"). - 8287474aa5ff ("direct_write_fallback(): on error revert the ->ki_pos update from buffered write") Thanks, MNAdam Al Viro (1): direct_write_fallback(): on error revert the ->ki_pos update from buffered write Christoph Hellwig (5): filemap: add a kiocb_invalidate_pages helper filemap: add a kiocb_invalidate_post_direct_write helper filemap: update ki_pos in generic_perform_write fs: factor out a direct_write_fallback helper block: open code __generic_file_write_iter for blkdev writes Darrick J. Wong (1): block: fix race between set_blocksize and read paths Ryusuke Konishi (1): nilfs2: fix deadlock warnings caused by lock dependency in init_nilfs() block/bdev.c | 17 +++++ block/blk-zoned.c | 5 +- block/fops.c | 61 +++++++++++++++- block/ioctl.c | 6 ++ fs/ceph/file.c | 2 - fs/direct-io.c | 10 +-- fs/ext4/file.c | 9 +-- fs/f2fs/file.c | 1 - fs/iomap/direct-io.c | 12 +--- fs/libfs.c | 42 +++++++++++ fs/nfs/file.c | 1 - fs/nilfs2/the_nilfs.c | 3 - include/linux/fs.h | 7 +- include/linux/pagemap.h | 2 + mm/filemap.c | 154 +++++++++++++++++----------------------- 15 files changed, 205 insertions(+), 127 deletions(-) -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

1 month, 1 week

3
12
0 0

[PATCH] rtc: amlogic-a4: fix double free caused by devm

by Haotian Zhang

The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in error path and remove function causes double free. Remove the redundant clk_disable_unprepare() calls from the probe error path and aml_rtc_remove(), allowing the devm framework to automatically manage the clock lifecycle. Fixes: c89ac9182ee2 ("rtc: support for the Amlogic on-chip RTC") Signed-off-by: Haotian Zhang <vulab(a)iscas.ac.cn> --- drivers/rtc/rtc-amlogic-a4.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/rtc/rtc-amlogic-a4.c b/drivers/rtc/rtc-amlogic-a4.c index 1928b29c1045..ed36b649c057 100644 --- a/drivers/rtc/rtc-amlogic-a4.c +++ b/drivers/rtc/rtc-amlogic-a4.c @@ -390,7 +390,6 @@ static int aml_rtc_probe(struct platform_device *pdev) return 0; err_clk: - clk_disable_unprepare(rtc->sys_clk); device_init_wakeup(dev, false); return ret; @@ -425,7 +424,6 @@ static void aml_rtc_remove(struct platform_device *pdev) { struct aml_rtc_data *rtc = dev_get_drvdata(&pdev->dev); - clk_disable_unprepare(rtc->sys_clk); device_init_wakeup(&pdev->dev, false); } -- 2.25.1

1 month, 1 week

2
2
0 0

[PATCH 6.6.y] ksmbd: browse interfaces list on FSCTL_QUERY_INTERFACE_INFO IOCTL

by Namjae Jeon

[ Upstream commit b2d99376c5d61eb60ffdb6c503e4b6c8f9712ddd ] ksmbd.mount will give each interfaces list and bind_interfaces_only flags to ksmbd server. Previously, the interfaces list was sent only when bind_interfaces_only was enabled. ksmbd server browse only interfaces list given from ksmbd.conf on FSCTL_QUERY_INTERFACE_INFO IOCTL. Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> --- fs/smb/server/ksmbd_netlink.h | 3 +- fs/smb/server/server.h | 1 + fs/smb/server/smb2pdu.c | 4 ++ fs/smb/server/transport_ipc.c | 1 + fs/smb/server/transport_tcp.c | 69 ++++++++++++++++------------------- fs/smb/server/transport_tcp.h | 1 + 6 files changed, 41 insertions(+), 38 deletions(-) diff --git a/fs/smb/server/ksmbd_netlink.h b/fs/smb/server/ksmbd_netlink.h index c6c1844d4448..363501fc308a 100644 --- a/fs/smb/server/ksmbd_netlink.h +++ b/fs/smb/server/ksmbd_netlink.h @@ -108,8 +108,9 @@ struct ksmbd_startup_request { __u32 smb2_max_credits; /* MAX credits */ __u32 smbd_max_io_size; /* smbd read write size */ __u32 max_connections; /* Number of maximum simultaneous connections */ + __s8 bind_interfaces_only; __u32 max_ip_connections; /* Number of maximum connection per ip address */ - __u32 reserved[125]; /* Reserved room */ + __s8 reserved[499]; /* Reserved room */ __u32 ifc_list_sz; /* interfaces list size */ __s8 ____payload[]; } __packed; diff --git a/fs/smb/server/server.h b/fs/smb/server/server.h index d0744498ceed..48bd203abb44 100644 --- a/fs/smb/server/server.h +++ b/fs/smb/server/server.h @@ -46,6 +46,7 @@ struct ksmbd_server_config { unsigned int max_ip_connections; char *conf[SERVER_CONF_WORK_GROUP + 1]; + bool bind_interfaces_only; }; extern struct ksmbd_server_config server_conf; diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 93c31feab356..9a58c5a6f986 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -38,6 +38,7 @@ #include "mgmt/user_session.h" #include "mgmt/ksmbd_ida.h" #include "ndr.h" +#include "transport_tcp.h" static void __wbuf(struct ksmbd_work *work, void **req, void **rsp) { @@ -7790,6 +7791,9 @@ static int fsctl_query_iface_info_ioctl(struct ksmbd_conn *conn, if (netdev->type == ARPHRD_LOOPBACK) continue; + if (!ksmbd_find_netdev_name_iface_list(netdev->name)) + continue; + flags = dev_get_flags(netdev); if (!(flags & IFF_RUNNING)) continue; diff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c index 80581a7bc1bc..354f7144c590 100644 --- a/fs/smb/server/transport_ipc.c +++ b/fs/smb/server/transport_ipc.c @@ -327,6 +327,7 @@ static int ipc_server_config_on_startup(struct ksmbd_startup_request *req) ret = ksmbd_set_netbios_name(req->netbios_name); ret |= ksmbd_set_server_string(req->server_string); ret |= ksmbd_set_work_group(req->work_group); + server_conf.bind_interfaces_only = req->bind_interfaces_only; ret |= ksmbd_tcp_set_interfaces(KSMBD_STARTUP_CONFIG_INTERFACES(req), req->ifc_list_sz); out: diff --git a/fs/smb/server/transport_tcp.c b/fs/smb/server/transport_tcp.c index c43a46511428..665d21d40e7a 100644 --- a/fs/smb/server/transport_tcp.c +++ b/fs/smb/server/transport_tcp.c @@ -551,30 +551,37 @@ static int create_socket(struct interface *iface) return ret; } +struct interface *ksmbd_find_netdev_name_iface_list(char *netdev_name) +{ + struct interface *iface; + + list_for_each_entry(iface, &iface_list, entry) + if (!strcmp(iface->name, netdev_name)) + return iface; + return NULL; +} + static int ksmbd_netdev_event(struct notifier_block *nb, unsigned long event, void *ptr) { struct net_device *netdev = netdev_notifier_info_to_dev(ptr); struct interface *iface; - int ret, found = 0; + int ret; switch (event) { case NETDEV_UP: if (netif_is_bridge_port(netdev)) return NOTIFY_OK; - list_for_each_entry(iface, &iface_list, entry) { - if (!strcmp(iface->name, netdev->name)) { - found = 1; - if (iface->state != IFACE_STATE_DOWN) - break; - ret = create_socket(iface); - if (ret) - return NOTIFY_OK; - break; - } + iface = ksmbd_find_netdev_name_iface_list(netdev->name); + if (iface && iface->state == IFACE_STATE_DOWN) { + ksmbd_debug(CONN, "netdev-up event: netdev(%s) is going up\n", + iface->name); + ret = create_socket(iface); + if (ret) + return NOTIFY_OK; } - if (!found && bind_additional_ifaces) { + if (!iface && bind_additional_ifaces) { iface = alloc_iface(kstrdup(netdev->name, GFP_KERNEL)); if (!iface) return NOTIFY_OK; @@ -584,19 +591,19 @@ static int ksmbd_netdev_event(struct notifier_block *nb, unsigned long event, } break; case NETDEV_DOWN: - list_for_each_entry(iface, &iface_list, entry) { - if (!strcmp(iface->name, netdev->name) && - iface->state == IFACE_STATE_CONFIGURED) { - tcp_stop_kthread(iface->ksmbd_kthread); - iface->ksmbd_kthread = NULL; - mutex_lock(&iface->sock_release_lock); - tcp_destroy_socket(iface->ksmbd_socket); - iface->ksmbd_socket = NULL; - mutex_unlock(&iface->sock_release_lock); - - iface->state = IFACE_STATE_DOWN; - break; - } + iface = ksmbd_find_netdev_name_iface_list(netdev->name); + if (iface && iface->state == IFACE_STATE_CONFIGURED) { + ksmbd_debug(CONN, "netdev-down event: netdev(%s) is going down\n", + iface->name); + tcp_stop_kthread(iface->ksmbd_kthread); + iface->ksmbd_kthread = NULL; + mutex_lock(&iface->sock_release_lock); + tcp_destroy_socket(iface->ksmbd_socket); + iface->ksmbd_socket = NULL; + mutex_unlock(&iface->sock_release_lock); + + iface->state = IFACE_STATE_DOWN; + break; } break; } @@ -665,18 +672,6 @@ int ksmbd_tcp_set_interfaces(char *ifc_list, int ifc_list_sz) int sz = 0; if (!ifc_list_sz) { - struct net_device *netdev; - - rtnl_lock(); - for_each_netdev(&init_net, netdev) { - if (netif_is_bridge_port(netdev)) - continue; - if (!alloc_iface(kstrdup(netdev->name, GFP_KERNEL))) { - rtnl_unlock(); - return -ENOMEM; - } - } - rtnl_unlock(); bind_additional_ifaces = 1; return 0; } diff --git a/fs/smb/server/transport_tcp.h b/fs/smb/server/transport_tcp.h index 5925ec5df475..bf6a3d71f7a0 100644 --- a/fs/smb/server/transport_tcp.h +++ b/fs/smb/server/transport_tcp.h @@ -8,6 +8,7 @@ int ksmbd_tcp_set_interfaces(char *ifc_list, int ifc_list_sz); void ksmbd_free_transport(struct ksmbd_transport *kt); +struct interface *ksmbd_find_netdev_name_iface_list(char *netdev_name); int ksmbd_tcp_init(void); void ksmbd_tcp_destroy(void); -- 2.25.1

1 month, 1 week

1
1
0 0

+ crash-let-architecture-decide-crash-memory-export-to-iomem_resource.patch added to mm-nonmm-unstable branch

by Andrew Morton

The patch titled Subject: crash: let architecture decide crash memory export to iomem_resource has been added to the -mm mm-nonmm-unstable branch. Its filename is crash-let-architecture-decide-crash-memory-export-to-iomem_resource.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-nonmm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Sourabh Jain <sourabhjain(a)linux.ibm.com> Subject: crash: let architecture decide crash memory export to iomem_resource Date: Thu, 16 Oct 2025 19:58:31 +0530 With the generic crashkernel reservation, the kernel emits the following warning on powerpc: WARNING: CPU: 0 PID: 1 at arch/powerpc/mm/mem.c:341 add_system_ram_resources+0xfc/0x180 Modules linked in: CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-auto-12607-g5472d60c129f #1 VOLUNTARY Hardware name: IBM,9080-HEX Power11 (architected) 0x820200 0xf000007 of:IBM,FW1110.01 (NH1110_069) hv:phyp pSeries NIP: c00000000201de3c LR: c00000000201de34 CTR: 0000000000000000 REGS: c000000127cef8a0 TRAP: 0700 Not tainted (6.17.0-auto-12607-g5472d60c129f) MSR: 8000000002029033 <SF,VEC,EE,ME,IR,DR,RI,LE> CR: 84000840 XER: 20040010 CFAR: c00000000017eed0 IRQMASK: 0 GPR00: c00000000201de34 c000000127cefb40 c0000000016a8100 0000000000000001 GPR04: c00000012005aa00 0000000020000000 c000000002b705c8 0000000000000000 GPR08: 000000007fffffff fffffffffffffff0 c000000002db8100 000000011fffffff GPR12: c00000000201dd40 c000000002ff0000 c0000000000112bc 0000000000000000 GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 GPR20: 0000000000000000 0000000000000000 0000000000000000 c0000000015a3808 GPR24: c00000000200468c c000000001699888 0000000000000106 c0000000020d1950 GPR28: c0000000014683f8 0000000081000200 c0000000015c1868 c000000002b9f710 NIP [c00000000201de3c] add_system_ram_resources+0xfc/0x180 LR [c00000000201de34] add_system_ram_resources+0xf4/0x180 Call Trace: add_system_ram_resources+0xf4/0x180 (unreliable) do_one_initcall+0x60/0x36c do_initcalls+0x120/0x220 kernel_init_freeable+0x23c/0x390 kernel_init+0x34/0x26c ret_from_kernel_user_thread+0x14/0x1c This warning occurs due to a conflict between crashkernel and System RAM iomem resources. The generic crashkernel reservation adds the crashkernel memory range to /proc/iomem during early initialization. Later, all memblock ranges are added to /proc/iomem as System RAM. If the crashkernel region overlaps with any memblock range, it causes a conflict while adding those memblock regions as iomem resources, triggering the above warning. The conflicting memblock regions are then omitted from /proc/iomem. For example, if the following crashkernel region is added to /proc/iomem: 20000000-11fffffff : Crash kernel then the following memblock regions System RAM regions fail to be inserted: 00000000-7fffffff : System RAM 80000000-257fffffff : System RAM Fix this by not adding the crashkernel memory to /proc/iomem on powerpc. Introduce an architecture hook to let each architecture decide whether to export the crashkernel region to /proc/iomem. For more info checkout commit c40dd2f766440 ("powerpc: Add System RAM to /proc/iomem") and commit bce074bdbc36 ("powerpc: insert System RAM resource to prevent crashkernel conflict") Note: Before switching to the generic crashkernel reservation, powerpc never exported the crashkernel region to /proc/iomem. Link: https://lkml.kernel.org/r/20251016142831.144515-1-sourabhjain@linux.ibm.com Fixes: e3185ee438c2 ("powerpc/crash: use generic crashkernel reservation"). Signed-off-by: Sourabh Jain <sourabhjain(a)linux.ibm.com> Reported-by: Venkat Rao Bagalkote <venkat88(a)linux.ibm.com> Closes: https://lore.kernel.org/all/90937fe0-2e76-4c82-b27e-7b8a7fe3ac69@linux.ibm.… Cc: Baoquan he <bhe(a)redhat.com> Cc: Hari Bathini <hbathini(a)linux.ibm.com> Cc: Madhavan Srinivasan <maddy(a)linux.ibm.com> Cc: Mahesh Salgaonkar <mahesh(a)linux.ibm.com> Cc: Michael Ellerman <mpe(a)ellerman.id.au> Cc: Ritesh Harjani (IBM) <ritesh.list(a)gmail.com> Cc: Vivek Goyal <vgoyal(a)redhat.com> Cc: Dave Young <dyoung(a)redhat.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- arch/powerpc/include/asm/crash_reserve.h | 8 ++++++++ include/linux/crash_reserve.h | 6 ++++++ kernel/crash_reserve.c | 3 +++ 3 files changed, 17 insertions(+) --- a/arch/powerpc/include/asm/crash_reserve.h~crash-let-architecture-decide-crash-memory-export-to-iomem_resource +++ a/arch/powerpc/include/asm/crash_reserve.h @@ -5,4 +5,12 @@ /* crash kernel regions are Page size agliged */ #define CRASH_ALIGN PAGE_SIZE +#ifdef CONFIG_ARCH_HAS_GENERIC_CRASHKERNEL_RESERVATION +static inline bool arch_add_crash_res_to_iomem(void) +{ + return false; +} +#define arch_add_crash_res_to_iomem arch_add_crash_res_to_iomem +#endif + #endif /* _ASM_POWERPC_CRASH_RESERVE_H */ --- a/include/linux/crash_reserve.h~crash-let-architecture-decide-crash-memory-export-to-iomem_resource +++ a/include/linux/crash_reserve.h @@ -32,6 +32,12 @@ int __init parse_crashkernel(char *cmdli void __init reserve_crashkernel_cma(unsigned long long cma_size); #ifdef CONFIG_ARCH_HAS_GENERIC_CRASHKERNEL_RESERVATION +#ifndef arch_add_crash_res_to_iomem +static inline bool arch_add_crash_res_to_iomem(void) +{ + return true; +} +#endif #ifndef DEFAULT_CRASH_KERNEL_LOW_SIZE #define DEFAULT_CRASH_KERNEL_LOW_SIZE (128UL << 20) #endif --- a/kernel/crash_reserve.c~crash-let-architecture-decide-crash-memory-export-to-iomem_resource +++ a/kernel/crash_reserve.c @@ -524,6 +524,9 @@ void __init reserve_crashkernel_cma(unsi #ifndef HAVE_ARCH_ADD_CRASH_RES_TO_IOMEM_EARLY static __init int insert_crashkernel_resources(void) { + if (!arch_add_crash_res_to_iomem()) + return 0; + if (crashk_res.start < crashk_res.end) insert_resource(&iomem_resource, &crashk_res); _ Patches currently in -mm which might be from sourabhjain(a)linux.ibm.com are crash-let-architecture-decide-crash-memory-export-to-iomem_resource.patch

1 month, 1 week

2
1
0 0

[PATCH rtw-next] wifi: rtl8xxxu: Add USB ID 2001:3328 for D-Link AN3U rev. A1

by Zenm Chen

Add USB ID 2001:3328 for D-Link AN3U rev. A1 which is a RTL8192FU-based Wi-Fi adapter. Compile tested only. Cc: stable(a)vger.kernel.org # 6.6.x Signed-off-by: Zenm Chen <zenmchen(a)gmail.com> --- Link to the Windows driver for D-Link AN3U rev. A1 https://www.dlinktw.com.tw/techsupport/ProductInfo.aspx?m=AN3U --- drivers/net/wireless/realtek/rtl8xxxu/core.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/wireless/realtek/rtl8xxxu/core.c b/drivers/net/wireless/realtek/rtl8xxxu/core.c index 3ded59527..be39463bd 100644 --- a/drivers/net/wireless/realtek/rtl8xxxu/core.c +++ b/drivers/net/wireless/realtek/rtl8xxxu/core.c @@ -8136,6 +8136,9 @@ static const struct usb_device_id dev_table[] = { /* TP-Link TL-WN823N V2 */ {USB_DEVICE_AND_INTERFACE_INFO(0x2357, 0x0135, 0xff, 0xff, 0xff), .driver_info = (unsigned long)&rtl8192fu_fops}, +/* D-Link AN3U rev. A1 */ +{USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x3328, 0xff, 0xff, 0xff), + .driver_info = (unsigned long)&rtl8192fu_fops}, #ifdef CONFIG_RTL8XXXU_UNTESTED /* Still supported by rtlwifi */ {USB_DEVICE_AND_INTERFACE_INFO(USB_VENDOR_ID_REALTEK, 0x8176, 0xff, 0xff, 0xff), -- 2.51.0

1 month, 1 week

2
7
0 0

[PATCH] scsi: wd33c93: fix buffer overflow in SCSI message-in handling

by Yuhao Jiang

A buffer overflow vulnerability exists in the wd33c93 SCSI driver's message handling where missing bounds checking allows a malicious SCSI device to overflow the incoming_msg[] buffer and corrupt kernel memory. The issue occurs because: - incoming_msg[] is a fixed 8-byte buffer (line 235 in wd33c93.h) - wd33c93_intr() writes to incoming_msg[incoming_ptr] without validating incoming_ptr is within bounds (line 935) - For EXTENDED_MESSAGE, incoming_ptr increments based on the device- supplied length field (line 1085) with no maximum check - The validation at line 1001 only checks if the message is complete, not if it exceeds buffer size This allows an attacker controlling a SCSI device to craft an extended message with length field 0xFF, causing the driver to write 256 bytes into an 8-byte buffer. This can corrupt adjacent fields in the WD33C93_hostdata structure including function pointers, potentially leading to arbitrary code execution. Add bounds checking in the MESSAGE_IN handler to ensure incoming_ptr does not exceed buffer capacity before writing. Reject oversized messages per SCSI protocol by sending MESSAGE_REJECT. Reported-by: Yuhao Jiang <danisjiang(a)gmail.com> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Yuhao Jiang <danisjiang(a)gmail.com> --- drivers/scsi/wd33c93.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/drivers/scsi/wd33c93.c b/drivers/scsi/wd33c93.c index dd1fef9226f2..2d50a0a01726 100644 --- a/drivers/scsi/wd33c93.c +++ b/drivers/scsi/wd33c93.c @@ -932,6 +932,19 @@ wd33c93_intr(struct Scsi_Host *instance) sr = read_wd33c93(regs, WD_SCSI_STATUS); /* clear interrupt */ udelay(7); + /* Prevent buffer overflow from malicious extended messages */ + if (hostdata->incoming_ptr >= sizeof(hostdata->incoming_msg)) { + printk("wd33c93: Incoming message too long, rejecting\n"); + hostdata->incoming_ptr = 0; + write_wd33c93_cmd(regs, WD_CMD_ASSERT_ATN); + hostdata->outgoing_msg[0] = MESSAGE_REJECT; + hostdata->outgoing_len = 1; + write_wd33c93_cmd(regs, WD_CMD_NEGATE_ACK); + hostdata->state = S_CONNECTED; + spin_unlock_irqrestore(&hostdata->lock, flags); + break; + } + hostdata->incoming_msg[hostdata->incoming_ptr] = msg; if (hostdata->incoming_msg[0] == EXTENDED_MESSAGE) msg = EXTENDED_MESSAGE; -- 2.34.1

1 month, 1 week

2
1
0 0

【年に一度】SBIポイントで豪華賞品を交換 — 在庫がなくなり次第終了No.11641

by SBI証券

平素よりSBI証券をご利用いただき、誠にありがとうございます。SBI証券では、日頃のご愛顧に感謝を込めて、年に一度だけの「ポイント交換キャンペーン」を開催しております。お客様の現在の保有ポイントは以下のとおりです。保有ポイント28,810ポイント本キャンペーンでは、貯まったポイントを豪華賞品と交換いただけます。交換は先着順で、在庫がなくなり次第終了となります。交換は以下のページからお手続きください。ポイント交換ページhttps://www.sbisec.co.jp/member/point/交換可能賞品の一例キャンペーン終了日：2025年10月21日・Apple iPad（第9世代 Wi-Fiモデル 64GB）【限定100台／残り15台】・Dyson コードレス掃除機【限定200台／残り90台】・Apple Watch SE（GPSモデル）・BALMUDA The Toaster（バルミューダトースター）・JCBギフトカード（5,000円分）・SBIオリジナル記念グッズ（非売品）この「年に一度の特別企画」は、例年多くのお客様にご参加いただいております。人気商品の在庫はすでに残りわずかです。ご注意・本キャンペーンは年に一度のみの開催です。・在庫がなくなり次第、予告なく終了いたします。・ポイント交換後の変更・キャンセルはお受けできません。一年に一度の特別なチャンスを、ぜひお見逃しなく。この機会にポイント交換をご利用ください。 SBI証券株式会社東京都港区六本木1-6-1 泉ガーデンタワーhttps://www.sbisec.co.jp/ © 2025 SBI SECURITIES Co., Ltd.

1 month, 1 week

1
0
0 0

ksmbd: add max ip connections parameter: backport problem 6.6

by Hauke Mehrtens

Hi, I think the backport of "ksmbd: add max ip connections parameter" to kernel 6.6 breaks the ksmbd ABI. See here: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… The "struct ksmbd_startup_request" is part of the ABI. The user space tool expects there the additional attribute: __s8 bind_interfaces_only; See: https://github.com/cifsd-team/ksmbd-tools/commit/3b7d4b4c02ddeb81ed3e68b623… Which was added in b2d99376c5d6 "ksmbd: browse interfaces list on FSCTL_QUERY_INTERFACE_INFO IOCTL". Hauke

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] jbd2: ensure that all ongoing I/O complete before freeing" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 3c652c3a71de1d30d72dc82c3bead8deb48eb749 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102030-hurt-surplus-ab8e@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3c652c3a71de1d30d72dc82c3bead8deb48eb749 Mon Sep 17 00:00:00 2001 From: Zhang Yi <yi.zhang(a)huawei.com> Date: Tue, 16 Sep 2025 17:33:36 +0800 Subject: [PATCH] jbd2: ensure that all ongoing I/O complete before freeing blocks When releasing file system metadata blocks in jbd2_journal_forget(), if this buffer has not yet been checkpointed, it may have already been written back, currently be in the process of being written back, or has not yet written back. jbd2_journal_forget() calls jbd2_journal_try_remove_checkpoint() to check the buffer's status and add it to the current transaction if it has not been written back. This buffer can only be reallocated after the transaction is committed. jbd2_journal_try_remove_checkpoint() attempts to lock the buffer and check its dirty status while holding the buffer lock. If the buffer has already been written back, everything proceeds normally. However, there are two issues. First, the function returns immediately if the buffer is locked by the write-back process. It does not wait for the write-back to complete. Consequently, until the current transaction is committed and the block is reallocated, there is no guarantee that the I/O will complete. This means that ongoing I/O could write stale metadata to the newly allocated block, potentially corrupting data. Second, the function unlocks the buffer as soon as it detects that the buffer is still dirty. If a concurrent write-back occurs immediately after this unlocking and before clear_buffer_dirty() is called in jbd2_journal_forget(), data corruption can theoretically still occur. Although these two issues are unlikely to occur in practice since the undergoing metadata writeback I/O does not take this long to complete, it's better to explicitly ensure that all ongoing I/O operations are completed. Fixes: 597599268e3b ("jbd2: discard dirty data when forgetting an un-journalled buffer") Cc: stable(a)kernel.org Suggested-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Zhang Yi <yi.zhang(a)huawei.com> Reviewed-by: Jan Kara <jack(a)suse.cz> Message-ID: <20250916093337.3161016-2-yi.zhang(a)huaweicloud.com> Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c index c7867139af69..3e510564de6e 100644 --- a/fs/jbd2/transaction.c +++ b/fs/jbd2/transaction.c @@ -1659,6 +1659,7 @@ int jbd2_journal_forget(handle_t *handle, struct buffer_head *bh) int drop_reserve = 0; int err = 0; int was_modified = 0; + int wait_for_writeback = 0; if (is_handle_aborted(handle)) return -EROFS; @@ -1782,18 +1783,22 @@ int jbd2_journal_forget(handle_t *handle, struct buffer_head *bh) } /* - * The buffer is still not written to disk, we should - * attach this buffer to current transaction so that the - * buffer can be checkpointed only after the current - * transaction commits. + * The buffer has not yet been written to disk. We should + * either clear the buffer or ensure that the ongoing I/O + * is completed, and attach this buffer to current + * transaction so that the buffer can be checkpointed only + * after the current transaction commits. */ clear_buffer_dirty(bh); + wait_for_writeback = 1; __jbd2_journal_file_buffer(jh, transaction, BJ_Forget); spin_unlock(&journal->j_list_lock); } drop: __brelse(bh); spin_unlock(&jh->b_state_lock); + if (wait_for_writeback) + wait_on_buffer(bh); jbd2_journal_put_journal_head(jh); if (drop_reserve) { /* no need to reserve log space for this block -bzzz */

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] vfs: Don't leak disconnected dentries on umount" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 56094ad3eaa21e6621396cc33811d8f72847a834 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102042-tactical-subtract-5775@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 56094ad3eaa21e6621396cc33811d8f72847a834 Mon Sep 17 00:00:00 2001 From: Jan Kara <jack(a)suse.cz> Date: Thu, 2 Oct 2025 17:55:07 +0200 Subject: [PATCH] vfs: Don't leak disconnected dentries on umount When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitely relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are "leaked". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous "Busy inodes after unmount" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well. Reported-by: syzbot+1d79ebe5383fc016cf07(a)syzkaller.appspotmail.com Fixes: f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon") CC: stable(a)vger.kernel.org Signed-off-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Christian Brauner <brauner(a)kernel.org> diff --git a/fs/dcache.c b/fs/dcache.c index a067fa0a965a..035cccbc9276 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -2557,6 +2557,8 @@ struct dentry *d_alloc_parallel(struct dentry *parent, spin_lock(&parent->d_lock); new->d_parent = dget_dlock(parent); hlist_add_head(&new->d_sib, &parent->d_children); + if (parent->d_flags & DCACHE_DISCONNECTED) + new->d_flags |= DCACHE_DISCONNECTED; spin_unlock(&parent->d_lock); retry:

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] vfs: Don't leak disconnected dentries on umount" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 56094ad3eaa21e6621396cc33811d8f72847a834 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102041-bonus-amid-8eda@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 56094ad3eaa21e6621396cc33811d8f72847a834 Mon Sep 17 00:00:00 2001 From: Jan Kara <jack(a)suse.cz> Date: Thu, 2 Oct 2025 17:55:07 +0200 Subject: [PATCH] vfs: Don't leak disconnected dentries on umount When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitely relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are "leaked". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous "Busy inodes after unmount" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well. Reported-by: syzbot+1d79ebe5383fc016cf07(a)syzkaller.appspotmail.com Fixes: f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon") CC: stable(a)vger.kernel.org Signed-off-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Christian Brauner <brauner(a)kernel.org> diff --git a/fs/dcache.c b/fs/dcache.c index a067fa0a965a..035cccbc9276 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -2557,6 +2557,8 @@ struct dentry *d_alloc_parallel(struct dentry *parent, spin_lock(&parent->d_lock); new->d_parent = dget_dlock(parent); hlist_add_head(&new->d_sib, &parent->d_children); + if (parent->d_flags & DCACHE_DISCONNECTED) + new->d_flags |= DCACHE_DISCONNECTED; spin_unlock(&parent->d_lock); retry:

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] NFSD: Define a proc_layoutcommit for the FlexFiles layout" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 4b47a8601b71ad98833b447d465592d847b4dc77 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102009-buckskin-tweet-87b7@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 4b47a8601b71ad98833b447d465592d847b4dc77 Mon Sep 17 00:00:00 2001 From: Chuck Lever <chuck.lever(a)oracle.com> Date: Thu, 11 Sep 2025 11:12:06 -0400 Subject: [PATCH] NFSD: Define a proc_layoutcommit for the FlexFiles layout type Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout. Reported-by: Robert Morris <rtm(a)csail.mit.edu> Closes: https://lore.kernel.org/linux-nfs/152f99b2-ba35-4dec-93a9-4690e625dccd@orac… Cc: Thomas Haynes <loghyr(a)hammerspace.com> Cc: stable(a)vger.kernel.org Fixes: 9b9960a0ca47 ("nfsd: Add a super simple flex file server") Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> diff --git a/fs/nfsd/flexfilelayout.c b/fs/nfsd/flexfilelayout.c index c318cf74e388..0f1a35400cd5 100644 --- a/fs/nfsd/flexfilelayout.c +++ b/fs/nfsd/flexfilelayout.c @@ -125,6 +125,13 @@ nfsd4_ff_proc_getdeviceinfo(struct super_block *sb, struct svc_rqst *rqstp, return 0; } +static __be32 +nfsd4_ff_proc_layoutcommit(struct inode *inode, struct svc_rqst *rqstp, + struct nfsd4_layoutcommit *lcp) +{ + return nfs_ok; +} + const struct nfsd4_layout_ops ff_layout_ops = { .notify_types = NOTIFY_DEVICEID4_DELETE | NOTIFY_DEVICEID4_CHANGE, @@ -133,4 +140,5 @@ const struct nfsd4_layout_ops ff_layout_ops = { .encode_getdeviceinfo = nfsd4_ff_encode_getdeviceinfo, .proc_layoutget = nfsd4_ff_proc_layoutget, .encode_layoutget = nfsd4_ff_encode_layoutget, + .proc_layoutcommit = nfsd4_ff_proc_layoutcommit, };

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] vfs: Don't leak disconnected dentries on umount" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 56094ad3eaa21e6621396cc33811d8f72847a834 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102040-uninstall-uneatable-a789@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 56094ad3eaa21e6621396cc33811d8f72847a834 Mon Sep 17 00:00:00 2001 From: Jan Kara <jack(a)suse.cz> Date: Thu, 2 Oct 2025 17:55:07 +0200 Subject: [PATCH] vfs: Don't leak disconnected dentries on umount When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitely relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are "leaked". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous "Busy inodes after unmount" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well. Reported-by: syzbot+1d79ebe5383fc016cf07(a)syzkaller.appspotmail.com Fixes: f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon") CC: stable(a)vger.kernel.org Signed-off-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Christian Brauner <brauner(a)kernel.org> diff --git a/fs/dcache.c b/fs/dcache.c index a067fa0a965a..035cccbc9276 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -2557,6 +2557,8 @@ struct dentry *d_alloc_parallel(struct dentry *parent, spin_lock(&parent->d_lock); new->d_parent = dget_dlock(parent); hlist_add_head(&new->d_sib, &parent->d_children); + if (parent->d_flags & DCACHE_DISCONNECTED) + new->d_flags |= DCACHE_DISCONNECTED; spin_unlock(&parent->d_lock); retry:

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] NFSD: Define a proc_layoutcommit for the FlexFiles layout" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 4b47a8601b71ad98833b447d465592d847b4dc77 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102040-always-thirty-b345@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 4b47a8601b71ad98833b447d465592d847b4dc77 Mon Sep 17 00:00:00 2001 From: Chuck Lever <chuck.lever(a)oracle.com> Date: Thu, 11 Sep 2025 11:12:06 -0400 Subject: [PATCH] NFSD: Define a proc_layoutcommit for the FlexFiles layout type Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout. Reported-by: Robert Morris <rtm(a)csail.mit.edu> Closes: https://lore.kernel.org/linux-nfs/152f99b2-ba35-4dec-93a9-4690e625dccd@orac… Cc: Thomas Haynes <loghyr(a)hammerspace.com> Cc: stable(a)vger.kernel.org Fixes: 9b9960a0ca47 ("nfsd: Add a super simple flex file server") Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> diff --git a/fs/nfsd/flexfilelayout.c b/fs/nfsd/flexfilelayout.c index c318cf74e388..0f1a35400cd5 100644 --- a/fs/nfsd/flexfilelayout.c +++ b/fs/nfsd/flexfilelayout.c @@ -125,6 +125,13 @@ nfsd4_ff_proc_getdeviceinfo(struct super_block *sb, struct svc_rqst *rqstp, return 0; } +static __be32 +nfsd4_ff_proc_layoutcommit(struct inode *inode, struct svc_rqst *rqstp, + struct nfsd4_layoutcommit *lcp) +{ + return nfs_ok; +} + const struct nfsd4_layout_ops ff_layout_ops = { .notify_types = NOTIFY_DEVICEID4_DELETE | NOTIFY_DEVICEID4_CHANGE, @@ -133,4 +140,5 @@ const struct nfsd4_layout_ops ff_layout_ops = { .encode_getdeviceinfo = nfsd4_ff_encode_getdeviceinfo, .proc_layoutget = nfsd4_ff_proc_layoutget, .encode_layoutget = nfsd4_ff_encode_layoutget, + .proc_layoutcommit = nfsd4_ff_proc_layoutcommit, };

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] NFSD: Define a proc_layoutcommit for the FlexFiles layout" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 4b47a8601b71ad98833b447d465592d847b4dc77 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102023-trade-spud-e81a@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 4b47a8601b71ad98833b447d465592d847b4dc77 Mon Sep 17 00:00:00 2001 From: Chuck Lever <chuck.lever(a)oracle.com> Date: Thu, 11 Sep 2025 11:12:06 -0400 Subject: [PATCH] NFSD: Define a proc_layoutcommit for the FlexFiles layout type Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout. Reported-by: Robert Morris <rtm(a)csail.mit.edu> Closes: https://lore.kernel.org/linux-nfs/152f99b2-ba35-4dec-93a9-4690e625dccd@orac… Cc: Thomas Haynes <loghyr(a)hammerspace.com> Cc: stable(a)vger.kernel.org Fixes: 9b9960a0ca47 ("nfsd: Add a super simple flex file server") Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> diff --git a/fs/nfsd/flexfilelayout.c b/fs/nfsd/flexfilelayout.c index c318cf74e388..0f1a35400cd5 100644 --- a/fs/nfsd/flexfilelayout.c +++ b/fs/nfsd/flexfilelayout.c @@ -125,6 +125,13 @@ nfsd4_ff_proc_getdeviceinfo(struct super_block *sb, struct svc_rqst *rqstp, return 0; } +static __be32 +nfsd4_ff_proc_layoutcommit(struct inode *inode, struct svc_rqst *rqstp, + struct nfsd4_layoutcommit *lcp) +{ + return nfs_ok; +} + const struct nfsd4_layout_ops ff_layout_ops = { .notify_types = NOTIFY_DEVICEID4_DELETE | NOTIFY_DEVICEID4_CHANGE, @@ -133,4 +140,5 @@ const struct nfsd4_layout_ops ff_layout_ops = { .encode_getdeviceinfo = nfsd4_ff_encode_getdeviceinfo, .proc_layoutget = nfsd4_ff_proc_layoutget, .encode_layoutget = nfsd4_ff_encode_layoutget, + .proc_layoutcommit = nfsd4_ff_proc_layoutcommit, };

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] vfs: Don't leak disconnected dentries on umount" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 56094ad3eaa21e6621396cc33811d8f72847a834 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102039-unmasking-zero-2258@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 56094ad3eaa21e6621396cc33811d8f72847a834 Mon Sep 17 00:00:00 2001 From: Jan Kara <jack(a)suse.cz> Date: Thu, 2 Oct 2025 17:55:07 +0200 Subject: [PATCH] vfs: Don't leak disconnected dentries on umount When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitely relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are "leaked". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous "Busy inodes after unmount" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well. Reported-by: syzbot+1d79ebe5383fc016cf07(a)syzkaller.appspotmail.com Fixes: f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon") CC: stable(a)vger.kernel.org Signed-off-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Christian Brauner <brauner(a)kernel.org> diff --git a/fs/dcache.c b/fs/dcache.c index a067fa0a965a..035cccbc9276 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -2557,6 +2557,8 @@ struct dentry *d_alloc_parallel(struct dentry *parent, spin_lock(&parent->d_lock); new->d_parent = dget_dlock(parent); hlist_add_head(&new->d_sib, &parent->d_children); + if (parent->d_flags & DCACHE_DISCONNECTED) + new->d_flags |= DCACHE_DISCONNECTED; spin_unlock(&parent->d_lock); retry:

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] NFSD: Define a proc_layoutcommit for the FlexFiles layout" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 4b47a8601b71ad98833b447d465592d847b4dc77 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102006-approach-hesitancy-3614@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 4b47a8601b71ad98833b447d465592d847b4dc77 Mon Sep 17 00:00:00 2001 From: Chuck Lever <chuck.lever(a)oracle.com> Date: Thu, 11 Sep 2025 11:12:06 -0400 Subject: [PATCH] NFSD: Define a proc_layoutcommit for the FlexFiles layout type Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout. Reported-by: Robert Morris <rtm(a)csail.mit.edu> Closes: https://lore.kernel.org/linux-nfs/152f99b2-ba35-4dec-93a9-4690e625dccd@orac… Cc: Thomas Haynes <loghyr(a)hammerspace.com> Cc: stable(a)vger.kernel.org Fixes: 9b9960a0ca47 ("nfsd: Add a super simple flex file server") Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> diff --git a/fs/nfsd/flexfilelayout.c b/fs/nfsd/flexfilelayout.c index c318cf74e388..0f1a35400cd5 100644 --- a/fs/nfsd/flexfilelayout.c +++ b/fs/nfsd/flexfilelayout.c @@ -125,6 +125,13 @@ nfsd4_ff_proc_getdeviceinfo(struct super_block *sb, struct svc_rqst *rqstp, return 0; } +static __be32 +nfsd4_ff_proc_layoutcommit(struct inode *inode, struct svc_rqst *rqstp, + struct nfsd4_layoutcommit *lcp) +{ + return nfs_ok; +} + const struct nfsd4_layout_ops ff_layout_ops = { .notify_types = NOTIFY_DEVICEID4_DELETE | NOTIFY_DEVICEID4_CHANGE, @@ -133,4 +140,5 @@ const struct nfsd4_layout_ops ff_layout_ops = { .encode_getdeviceinfo = nfsd4_ff_encode_getdeviceinfo, .proc_layoutget = nfsd4_ff_proc_layoutget, .encode_layoutget = nfsd4_ff_encode_layoutget, + .proc_layoutcommit = nfsd4_ff_proc_layoutcommit, };

1 month, 1 week

2
1
0 0

[PATCH rc] iommufd: Don't overflow during division for dirty tracking

by Jason Gunthorpe

If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow to 0 and this triggers divide by 0. In this case the index should just be 0, so reorganize things to divide by shift and avoid hitting any overflows. Cc: stable(a)vger.kernel.org Fixes: 58ccf0190d19 ("vfio: Add an IOVA bitmap support") Reported-by: syzbot+093a8a8b859472e6c257(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=093a8a8b859472e6c257 Signed-off-by: Jason Gunthorpe <jgg(a)nvidia.com> --- drivers/iommu/iommufd/iova_bitmap.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/iommu/iommufd/iova_bitmap.c b/drivers/iommu/iommufd/iova_bitmap.c index 4514575818fc07..b5b67a9d3fb35e 100644 --- a/drivers/iommu/iommufd/iova_bitmap.c +++ b/drivers/iommu/iommufd/iova_bitmap.c @@ -130,9 +130,8 @@ struct iova_bitmap { static unsigned long iova_bitmap_offset_to_index(struct iova_bitmap *bitmap, unsigned long iova) { - unsigned long pgsize = 1UL << bitmap->mapped.pgshift; - - return iova / (BITS_PER_TYPE(*bitmap->bitmap) * pgsize); + return (iova >> bitmap->mapped.pgshift) / + BITS_PER_TYPE(*bitmap->bitmap); } /* base-commit: 2a918911ed3d0841923525ed0fe707762ee78844 -- 2.43.0

1 month, 1 week

4
4
0 0

FAILED: patch "[PATCH] f2fs: fix wrong block mapping for multi-devices" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 9d5c4f5c7a2c7677e1b3942772122b032c265aae # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102053-joylessly-pony-8641@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9d5c4f5c7a2c7677e1b3942772122b032c265aae Mon Sep 17 00:00:00 2001 From: Jaegeuk Kim <jaegeuk(a)kernel.org> Date: Tue, 7 Oct 2025 03:32:30 +0000 Subject: [PATCH] f2fs: fix wrong block mapping for multi-devices Assuming the disk layout as below, disk0: 0 --- 0x00035abfff disk1: 0x00035ac000 --- 0x00037abfff disk2: 0x00037ac000 --- 0x00037ebfff and we want to read data from offset=13568 having len=128 across the block devices, we can illustrate the block addresses like below. 0 .. 0x00037ac000 ------------------- 0x00037ebfff, 0x00037ec000 ------- | ^ ^ ^ | fofs 0 13568 13568+128 | ------------------------------------------------------ | LBA 0x37e8aa9 0x37ebfa9 0x37ec029 --- map 0x3caa9 0x3ffa9 In this example, we should give the relative map of the target block device ranging from 0x3caa9 to 0x3ffa9 where the length should be calculated by 0x37ebfff + 1 - 0x37ebfa9. In the below equation, however, map->m_pblk was supposed to be the original address instead of the one from the target block address. - map->m_len = min(map->m_len, dev->end_blk + 1 - map->m_pblk); Cc: stable(a)vger.kernel.org Fixes: 71f2c8206202 ("f2fs: multidevice: support direct IO") Reviewed-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c index ef38e62cda8f..775aa4f63aa3 100644 --- a/fs/f2fs/data.c +++ b/fs/f2fs/data.c @@ -1497,8 +1497,8 @@ static bool f2fs_map_blocks_cached(struct inode *inode, struct f2fs_dev_info *dev = &sbi->devs[bidx]; map->m_bdev = dev->bdev; - map->m_pblk -= dev->start_blk; map->m_len = min(map->m_len, dev->end_blk + 1 - map->m_pblk); + map->m_pblk -= dev->start_blk; } else { map->m_bdev = inode->i_sb->s_bdev; }

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] vfs: Don't leak disconnected dentries on umount" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 56094ad3eaa21e6621396cc33811d8f72847a834 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102038-pogo-backfire-3d6e@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 56094ad3eaa21e6621396cc33811d8f72847a834 Mon Sep 17 00:00:00 2001 From: Jan Kara <jack(a)suse.cz> Date: Thu, 2 Oct 2025 17:55:07 +0200 Subject: [PATCH] vfs: Don't leak disconnected dentries on umount When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitely relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are "leaked". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous "Busy inodes after unmount" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well. Reported-by: syzbot+1d79ebe5383fc016cf07(a)syzkaller.appspotmail.com Fixes: f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon") CC: stable(a)vger.kernel.org Signed-off-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Christian Brauner <brauner(a)kernel.org> diff --git a/fs/dcache.c b/fs/dcache.c index a067fa0a965a..035cccbc9276 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -2557,6 +2557,8 @@ struct dentry *d_alloc_parallel(struct dentry *parent, spin_lock(&parent->d_lock); new->d_parent = dget_dlock(parent); hlist_add_head(&new->d_sib, &parent->d_children); + if (parent->d_flags & DCACHE_DISCONNECTED) + new->d_flags |= DCACHE_DISCONNECTED; spin_unlock(&parent->d_lock); retry:

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] NFSD: Define a proc_layoutcommit for the FlexFiles layout" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 4b47a8601b71ad98833b447d465592d847b4dc77 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102007-unashamed-manmade-2cbd@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 4b47a8601b71ad98833b447d465592d847b4dc77 Mon Sep 17 00:00:00 2001 From: Chuck Lever <chuck.lever(a)oracle.com> Date: Thu, 11 Sep 2025 11:12:06 -0400 Subject: [PATCH] NFSD: Define a proc_layoutcommit for the FlexFiles layout type Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout. Reported-by: Robert Morris <rtm(a)csail.mit.edu> Closes: https://lore.kernel.org/linux-nfs/152f99b2-ba35-4dec-93a9-4690e625dccd@orac… Cc: Thomas Haynes <loghyr(a)hammerspace.com> Cc: stable(a)vger.kernel.org Fixes: 9b9960a0ca47 ("nfsd: Add a super simple flex file server") Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> diff --git a/fs/nfsd/flexfilelayout.c b/fs/nfsd/flexfilelayout.c index c318cf74e388..0f1a35400cd5 100644 --- a/fs/nfsd/flexfilelayout.c +++ b/fs/nfsd/flexfilelayout.c @@ -125,6 +125,13 @@ nfsd4_ff_proc_getdeviceinfo(struct super_block *sb, struct svc_rqst *rqstp, return 0; } +static __be32 +nfsd4_ff_proc_layoutcommit(struct inode *inode, struct svc_rqst *rqstp, + struct nfsd4_layoutcommit *lcp) +{ + return nfs_ok; +} + const struct nfsd4_layout_ops ff_layout_ops = { .notify_types = NOTIFY_DEVICEID4_DELETE | NOTIFY_DEVICEID4_CHANGE, @@ -133,4 +140,5 @@ const struct nfsd4_layout_ops ff_layout_ops = { .encode_getdeviceinfo = nfsd4_ff_encode_getdeviceinfo, .proc_layoutget = nfsd4_ff_proc_layoutget, .encode_layoutget = nfsd4_ff_encode_layoutget, + .proc_layoutcommit = nfsd4_ff_proc_layoutcommit, };

1 month, 1 week

2
1
0 0

[PATCH 6.12] dmaengine: Add missing cleanup on module unload

by Guenter Roeck

Upstream commit b7cb9a034305 ("dmaengine: idxd: Fix refcount underflow on module unload") fixes a refcount underflow by replacing the call to idxd_cleanup() in the remove function with direct cleanup calls. That works fine upstream. However, upstream removed support for IOMMU_DEV_FEAT_IOPF, which is still supported in v6.12.y. The backport of commit b7cb9a034305 into v6.12.y misses the call to disable it. This results in a warning backtrace when unloading and reloading the module. WARNING: CPU: 0 PID: 665849 at drivers/pci/ats.c:337 pci_reset_pri+0x4c/0x60 ... RIP: 0010:pci_reset_pri+0xa7/0x130 Add the missing cleanup call to fix the problem. Fixes: ce81905bec91 ("dmaengine: idxd: Fix refcount underflow on module unload") Cc: Yi Sun <yi.sun(a)intel.com> Cc: Shuai Xue <xueshuai(a)linux.alibaba.com> Cc: Dave Jiang <dave.jiang(a)intel.com> Cc: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Cc: Vinod Koul <vkoul(a)kernel.org> Signed-off-by: Guenter Roeck <linux(a)roeck-us.net> --- The problem fixed with this patch only affects v6.12.y. drivers/dma/idxd/init.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c index 74a83203181d..e55136bb525e 100644 --- a/drivers/dma/idxd/init.c +++ b/drivers/dma/idxd/init.c @@ -923,6 +923,8 @@ static void idxd_remove(struct pci_dev *pdev) idxd_cleanup_interrupts(idxd); if (device_pasid_enabled(idxd)) idxd_disable_system_pasid(idxd); + if (device_user_pasid_enabled(idxd)) + idxd_disable_sva(idxd->pdev); pci_iounmap(pdev, idxd->reg_base); put_device(idxd_confdev(idxd)); pci_disable_device(pdev); -- 2.45.2

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] nfsd: decouple the xprtsec policy check from" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x e4f574ca9c6dfa66695bb054ff5df43ecea873ec # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101611-revisit-ranging-52d6@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e4f574ca9c6dfa66695bb054ff5df43ecea873ec Mon Sep 17 00:00:00 2001 From: Scott Mayhew <smayhew(a)redhat.com> Date: Wed, 6 Aug 2025 15:15:43 -0400 Subject: [PATCH] nfsd: decouple the xprtsec policy check from check_nfsd_access() A while back I had reported that an NFSv3 client could successfully mount using '-o xprtsec=none' an export that had been exported with 'xprtsec=tls:mtls'. By "successfully" I mean that the mount command would succeed and the mount would show up in /proc/mount. Attempting to do anything futher with the mount would be met with NFS3ERR_ACCES. This was fixed (albeit accidentally) by commit bb4f07f2409c ("nfsd: Fix NFSD_MAY_BYPASS_GSS and NFSD_MAY_BYPASS_GSS_ON_ROOT") and was subsequently re-broken by commit 0813c5f01249 ("nfsd: fix access checking for NLM under XPRTSEC policies"). Transport Layer Security isn't an RPC security flavor or pseudo-flavor, so we shouldn't be conflating them when determining whether the access checks can be bypassed. Split check_nfsd_access() into two helpers, and have __fh_verify() call the helpers directly since __fh_verify() has logic that allows one or both of the checks to be skipped. All other sites will continue to call check_nfsd_access(). Link: https://lore.kernel.org/linux-nfs/ZjO3Qwf_G87yNXb2@aion/ Fixes: 9280c5774314 ("NFSD: Handle new xprtsec= export option") Cc: stable(a)vger.kernel.org Signed-off-by: Scott Mayhew <smayhew(a)redhat.com> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c index cadfc2bae60e..95b5681152c4 100644 --- a/fs/nfsd/export.c +++ b/fs/nfsd/export.c @@ -1082,50 +1082,62 @@ static struct svc_export *exp_find(struct cache_detail *cd, } /** - * check_nfsd_access - check if access to export is allowed. + * check_xprtsec_policy - check if access to export is allowed by the + * xprtsec policy * @exp: svc_export that is being accessed. - * @rqstp: svc_rqst attempting to access @exp (will be NULL for LOCALIO). - * @may_bypass_gss: reduce strictness of authorization check + * @rqstp: svc_rqst attempting to access @exp. + * + * Helper function for check_nfsd_access(). Note that callers should be + * using check_nfsd_access() instead of calling this function directly. The + * one exception is __fh_verify() since it has logic that may result in one + * or both of the helpers being skipped. * * Return values: * %nfs_ok if access is granted, or * %nfserr_wrongsec if access is denied */ -__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp, - bool may_bypass_gss) +__be32 check_xprtsec_policy(struct svc_export *exp, struct svc_rqst *rqstp) { - struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors; - struct svc_xprt *xprt; - - /* - * If rqstp is NULL, this is a LOCALIO request which will only - * ever use a filehandle/credential pair for which access has - * been affirmed (by ACCESS or OPEN NFS requests) over the - * wire. So there is no need for further checks here. - */ - if (!rqstp) - return nfs_ok; - - xprt = rqstp->rq_xprt; + struct svc_xprt *xprt = rqstp->rq_xprt; if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_NONE) { if (!test_bit(XPT_TLS_SESSION, &xprt->xpt_flags)) - goto ok; + return nfs_ok; } if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_TLS) { if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) && !test_bit(XPT_PEER_AUTH, &xprt->xpt_flags)) - goto ok; + return nfs_ok; } if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_MTLS) { if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) && test_bit(XPT_PEER_AUTH, &xprt->xpt_flags)) - goto ok; + return nfs_ok; } - if (!may_bypass_gss) - goto denied; + return nfserr_wrongsec; +} + +/** + * check_security_flavor - check if access to export is allowed by the + * security flavor + * @exp: svc_export that is being accessed. + * @rqstp: svc_rqst attempting to access @exp. + * @may_bypass_gss: reduce strictness of authorization check + * + * Helper function for check_nfsd_access(). Note that callers should be + * using check_nfsd_access() instead of calling this function directly. The + * one exception is __fh_verify() since it has logic that may result in one + * or both of the helpers being skipped. + * + * Return values: + * %nfs_ok if access is granted, or + * %nfserr_wrongsec if access is denied + */ +__be32 check_security_flavor(struct svc_export *exp, struct svc_rqst *rqstp, + bool may_bypass_gss) +{ + struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors; -ok: /* legacy gss-only clients are always OK: */ if (exp->ex_client == rqstp->rq_gssclient) return nfs_ok; @@ -1167,10 +1179,30 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp, } } -denied: return nfserr_wrongsec; } +/** + * check_nfsd_access - check if access to export is allowed. + * @exp: svc_export that is being accessed. + * @rqstp: svc_rqst attempting to access @exp. + * @may_bypass_gss: reduce strictness of authorization check + * + * Return values: + * %nfs_ok if access is granted, or + * %nfserr_wrongsec if access is denied + */ +__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp, + bool may_bypass_gss) +{ + __be32 status; + + status = check_xprtsec_policy(exp, rqstp); + if (status != nfs_ok) + return status; + return check_security_flavor(exp, rqstp, may_bypass_gss); +} + /* * Uses rq_client and rq_gssclient to find an export; uses rq_client (an * auth_unix client) if it's available and has secinfo information; diff --git a/fs/nfsd/export.h b/fs/nfsd/export.h index b9c0adb3ce09..ef5581911d5b 100644 --- a/fs/nfsd/export.h +++ b/fs/nfsd/export.h @@ -101,6 +101,9 @@ struct svc_expkey { struct svc_cred; int nfsexp_flags(struct svc_cred *cred, struct svc_export *exp); +__be32 check_xprtsec_policy(struct svc_export *exp, struct svc_rqst *rqstp); +__be32 check_security_flavor(struct svc_export *exp, struct svc_rqst *rqstp, + bool may_bypass_gss); __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp, bool may_bypass_gss); diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c index f4c2fb3dd5d0..062cfc18d8c6 100644 --- a/fs/nfsd/nfsfh.c +++ b/fs/nfsd/nfsfh.c @@ -364,10 +364,30 @@ __fh_verify(struct svc_rqst *rqstp, if (error) goto out; + /* + * If rqstp is NULL, this is a LOCALIO request which will only + * ever use a filehandle/credential pair for which access has + * been affirmed (by ACCESS or OPEN NFS requests) over the + * wire. Skip both the xprtsec policy and the security flavor + * checks. + */ + if (!rqstp) + goto check_permissions; + if ((access & NFSD_MAY_NLM) && (exp->ex_flags & NFSEXP_NOAUTHNLM)) /* NLM is allowed to fully bypass authentication */ goto out; + /* + * NLM is allowed to bypass the xprtsec policy check because lockd + * doesn't support xprtsec. + */ + if (!(access & NFSD_MAY_NLM)) { + error = check_xprtsec_policy(exp, rqstp); + if (error) + goto out; + } + if (access & NFSD_MAY_BYPASS_GSS) may_bypass_gss = true; /* @@ -379,13 +399,15 @@ __fh_verify(struct svc_rqst *rqstp, && exp->ex_path.dentry == dentry) may_bypass_gss = true; - error = check_nfsd_access(exp, rqstp, may_bypass_gss); + error = check_security_flavor(exp, rqstp, may_bypass_gss); if (error) goto out; + /* During LOCALIO call to fh_verify will be called with a NULL rqstp */ if (rqstp) svc_xprt_set_valid(rqstp->rq_xprt); +check_permissions: /* Finally, check access permissions. */ error = nfsd_permission(cred, exp, dentry, access); out:

1 month, 1 week

3
2
0 0

FAILED: patch "[PATCH] f2fs: fix wrong block mapping for multi-devices" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 9d5c4f5c7a2c7677e1b3942772122b032c265aae # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102052-work-collected-f03f@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9d5c4f5c7a2c7677e1b3942772122b032c265aae Mon Sep 17 00:00:00 2001 From: Jaegeuk Kim <jaegeuk(a)kernel.org> Date: Tue, 7 Oct 2025 03:32:30 +0000 Subject: [PATCH] f2fs: fix wrong block mapping for multi-devices Assuming the disk layout as below, disk0: 0 --- 0x00035abfff disk1: 0x00035ac000 --- 0x00037abfff disk2: 0x00037ac000 --- 0x00037ebfff and we want to read data from offset=13568 having len=128 across the block devices, we can illustrate the block addresses like below. 0 .. 0x00037ac000 ------------------- 0x00037ebfff, 0x00037ec000 ------- | ^ ^ ^ | fofs 0 13568 13568+128 | ------------------------------------------------------ | LBA 0x37e8aa9 0x37ebfa9 0x37ec029 --- map 0x3caa9 0x3ffa9 In this example, we should give the relative map of the target block device ranging from 0x3caa9 to 0x3ffa9 where the length should be calculated by 0x37ebfff + 1 - 0x37ebfa9. In the below equation, however, map->m_pblk was supposed to be the original address instead of the one from the target block address. - map->m_len = min(map->m_len, dev->end_blk + 1 - map->m_pblk); Cc: stable(a)vger.kernel.org Fixes: 71f2c8206202 ("f2fs: multidevice: support direct IO") Reviewed-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c index ef38e62cda8f..775aa4f63aa3 100644 --- a/fs/f2fs/data.c +++ b/fs/f2fs/data.c @@ -1497,8 +1497,8 @@ static bool f2fs_map_blocks_cached(struct inode *inode, struct f2fs_dev_info *dev = &sbi->devs[bidx]; map->m_bdev = dev->bdev; - map->m_pblk -= dev->start_blk; map->m_len = min(map->m_len, dev->end_blk + 1 - map->m_pblk); + map->m_pblk -= dev->start_blk; } else { map->m_bdev = inode->i_sb->s_bdev; }

1 month, 1 week

2
4
0 0

, conoce mejor a tu candidato antes de contratar

by Valeria Pérez

Evaluaciones Psicométricas para RR.HH. body { margin: 0; padding: 0; font-family: Arial, Helvetica, sans-serif; font-size: 14px; color: #333; background-color: #ffffff; } table { border-spacing: 0; width: 100%; max-width: 600px; margin: auto; } td { padding: 12px 20px; } a { color: #1a73e8; text-decoration: none; } .footer { font-size: 12px; color: #888888; text-align: center; } Mejora tus procesos de selección con evaluaciones psicométricas fáciles y confiables. Hola, {{{sus_name}}} Sabemos que encontrar al candidato ideal va más allá del currículum. Por eso quiero contarte brevemente sobre PsicoSmart, una plataforma que ayuda a equipos de RR.HH. a evaluar talento con pruebas psicométricas rápidas, confiables y fáciles de aplicar. Con PsicoSmart puedes: Aplicar evaluaciones psicométricas 100% en línea. Elegir entre más de 31 pruebas psicométricas Generar reportes automáticos, visuales y fáciles de interpretar. Comparar resultados entre candidatos en segundos. Ahorrar horas valiosas del proceso de selección. Si estás buscando mejorar tus contrataciones, te lo recomiendo muchísimo. Si quieres conocer más puedes responder este correo o simplemente contactarme, mis datos están abajo. Saludos, ----------------------------- Atte.: Valeria Pérez Ciudad de México: (55) 5018 0565 WhatsApp: +52 33 1607 2089 Si no deseas recibir más correos, haz clic aquí para darte de baja. Para remover su dirección de esta lista haga <a href="https://s1.arrobamail.com/unsuscribe.php?id=yiwtsrewispooseup">click aquí</a>

1 month, 1 week

1
0
0 0

Re: Patch "PCI/sysfs: Ensure devices are powered for config reads" has been added to the 6.6-stable tree

by Brian Norris

Hi, On Thu, Oct 16, 2025 at 03:09:27PM +0200, Greg Kroah-Hartman wrote: > > This is a note to let you know that I've just added the patch titled > > PCI/sysfs: Ensure devices are powered for config reads > > to the 6.6-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > pci-sysfs-ensure-devices-are-powered-for-config-reads.patch > and it can be found in the queue-6.6 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Adding to the stable tree is good IMO, but one note about exactly how to do so below: > Wrap these access in pci_config_pm_runtime_{get,put}() like most of the > rest of the similar sysfs attributes. > > Notably, "max_link_speed" does not access config registers; it returns a > cached value since d2bd39c0456b ("PCI: Store all PCIe Supported Link > Speeds"). ^^ This note about commit d2bd39c0456b was specifically to provide hints about backporting. Without commit d2bd39c0456b, the solution is somewhat incomplete. We should either backport commit d2bd39c0456b as well, or we should adapt the change to add pci_config_pm_runtime_{get,put}() in max_link_speed_show() too. Commit d2bd39c0456b was already ported to 6.12.y, but seemingly no further. If adapting this change to pre-commit-d2bd39c0456b is better, I can submit an updated version here. Without commit d2bd39c0456b, it just means that the 'max_link_speed' sysfs attribute is still susceptible to accessing a powered-down device/link. We're in no worse state than we were without this patch. And frankly, people are not likely to notice if they haven't already, since I'd guess most systems don't suspend devices this aggressively. Brian > Fixes: 56c1af4606f0 ("PCI: Add sysfs max_link_speed/width, current_link_speed/width, etc") > Signed-off-by: Brian Norris <briannorris(a)google.com> > Signed-off-by: Brian Norris <briannorris(a)chromium.org> > Signed-off-by: Bjorn Helgaas <bhelgaas(a)google.com> > Cc: stable(a)vger.kernel.org > Link: https://patch.msgid.link/20250924095711.v2.1.Ibb5b6ca1e2c059e04ec53140cd98a… > Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> > --- > drivers/pci/pci-sysfs.c | 20 +++++++++++++++++++- > 1 file changed, 19 insertions(+), 1 deletion(-) > > --- a/drivers/pci/pci-sysfs.c > +++ b/drivers/pci/pci-sysfs.c > @@ -196,8 +196,14 @@ static ssize_t max_link_width_show(struc > struct device_attribute *attr, char *buf) > { > struct pci_dev *pdev = to_pci_dev(dev); > + ssize_t ret; > > - return sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev)); > + /* We read PCI_EXP_LNKCAP, so we need the device to be accessible. */ > + pci_config_pm_runtime_get(pdev); > + ret = sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev)); > + pci_config_pm_runtime_put(pdev); > + > + return ret; > } > static DEVICE_ATTR_RO(max_link_width); > > @@ -209,7 +215,10 @@ static ssize_t current_link_speed_show(s > int err; > enum pci_bus_speed speed; > > + pci_config_pm_runtime_get(pci_dev); > err = pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &linkstat); > + pci_config_pm_runtime_put(pci_dev); > + > if (err) > return -EINVAL; > > @@ -226,7 +235,10 @@ static ssize_t current_link_width_show(s > u16 linkstat; > int err; > > + pci_config_pm_runtime_get(pci_dev); > err = pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &linkstat); > + pci_config_pm_runtime_put(pci_dev); > + > if (err) > return -EINVAL; > > @@ -242,7 +254,10 @@ static ssize_t secondary_bus_number_show > u8 sec_bus; > int err; > > + pci_config_pm_runtime_get(pci_dev); > err = pci_read_config_byte(pci_dev, PCI_SECONDARY_BUS, &sec_bus); > + pci_config_pm_runtime_put(pci_dev); > + > if (err) > return -EINVAL; > > @@ -258,7 +273,10 @@ static ssize_t subordinate_bus_number_sh > u8 sub_bus; > int err; > > + pci_config_pm_runtime_get(pci_dev); > err = pci_read_config_byte(pci_dev, PCI_SUBORDINATE_BUS, &sub_bus); > + pci_config_pm_runtime_put(pci_dev); > + > if (err) > return -EINVAL; > > > > Patches currently in stable-queue which might be from briannorris(a)google.com are > > queue-6.6/pci-sysfs-ensure-devices-are-powered-for-config-reads.patch

1 month, 1 week

2
3
0 0

[PATCH 6.6] PCI/sysfs: Ensure devices are powered for config reads (part 2)

by Brian Norris

From: Brian Norris <briannorris(a)google.com> Commit 48991e493507 ("PCI/sysfs: Ensure devices are powered for config reads") was applied to various linux-stable trees. However, prior to 6.12.y, we do not have commit d2bd39c0456b ("PCI: Store all PCIe Supported Link Speeds"). Therefore, we also need to apply the change to max_link_speed_show(). This was pointed out here: Re: Patch "PCI/sysfs: Ensure devices are powered for config reads" has been added to the 6.6-stable tree https://lore.kernel.org/all/aPEMIreBYZ7yk3cm@google.com/ Original change description follows: The "max_link_width", "current_link_speed", "current_link_width", "secondary_bus_number", and "subordinate_bus_number" sysfs files all access config registers, but they don't check the runtime PM state. If the device is in D3cold or a parent bridge is suspended, we may see -EINVAL, bogus values, or worse, depending on implementation details. Wrap these access in pci_config_pm_runtime_{get,put}() like most of the rest of the similar sysfs attributes. Notably, "max_link_speed" does not access config registers; it returns a cached value since d2bd39c0456b ("PCI: Store all PCIe Supported Link Speeds"). Fixes: 56c1af4606f0 ("PCI: Add sysfs max_link_speed/width, current_link_speed/width, etc") Link: https://lore.kernel.org/all/aPEMIreBYZ7yk3cm@google.com/ Signed-off-by: Brian Norris <briannorris(a)google.com> Signed-off-by: Brian Norris <briannorris(a)chromium.org> Cc: stable(a)vger.kernel.org --- This patch should be applicable to any linux-stable version that has commit 48991e493507 but not d2bd39c0456b. So far, I believe that's any linux-stable branch prior to 6.12.y. I've tested this on 6.6.y. drivers/pci/pci-sysfs.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index 449d42744d33..300caafcfa10 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -186,9 +186,15 @@ static ssize_t max_link_speed_show(struct device *dev, struct device_attribute *attr, char *buf) { struct pci_dev *pdev = to_pci_dev(dev); + ssize_t ret; + + /* We read PCI_EXP_LNKCAP, so we need the device to be accessible. */ + pci_config_pm_runtime_get(pdev); + ret = sysfs_emit(buf, "%s\n", + pci_speed_string(pcie_get_speed_cap(pdev))); + pci_config_pm_runtime_put(pdev); - return sysfs_emit(buf, "%s\n", - pci_speed_string(pcie_get_speed_cap(pdev))); + return ret; } static DEVICE_ATTR_RO(max_link_speed); -- 2.51.0.869.ge66316f041-goog

1 month, 1 week

1
0
0 0

FAILED: patch "[PATCH] NFSD: Define a proc_layoutcommit for the FlexFiles layout" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 4b47a8601b71ad98833b447d465592d847b4dc77 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102008-childlike-sneezing-5892@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 4b47a8601b71ad98833b447d465592d847b4dc77 Mon Sep 17 00:00:00 2001 From: Chuck Lever <chuck.lever(a)oracle.com> Date: Thu, 11 Sep 2025 11:12:06 -0400 Subject: [PATCH] NFSD: Define a proc_layoutcommit for the FlexFiles layout type Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout. Reported-by: Robert Morris <rtm(a)csail.mit.edu> Closes: https://lore.kernel.org/linux-nfs/152f99b2-ba35-4dec-93a9-4690e625dccd@orac… Cc: Thomas Haynes <loghyr(a)hammerspace.com> Cc: stable(a)vger.kernel.org Fixes: 9b9960a0ca47 ("nfsd: Add a super simple flex file server") Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> diff --git a/fs/nfsd/flexfilelayout.c b/fs/nfsd/flexfilelayout.c index c318cf74e388..0f1a35400cd5 100644 --- a/fs/nfsd/flexfilelayout.c +++ b/fs/nfsd/flexfilelayout.c @@ -125,6 +125,13 @@ nfsd4_ff_proc_getdeviceinfo(struct super_block *sb, struct svc_rqst *rqstp, return 0; } +static __be32 +nfsd4_ff_proc_layoutcommit(struct inode *inode, struct svc_rqst *rqstp, + struct nfsd4_layoutcommit *lcp) +{ + return nfs_ok; +} + const struct nfsd4_layout_ops ff_layout_ops = { .notify_types = NOTIFY_DEVICEID4_DELETE | NOTIFY_DEVICEID4_CHANGE, @@ -133,4 +140,5 @@ const struct nfsd4_layout_ops ff_layout_ops = { .encode_getdeviceinfo = nfsd4_ff_encode_getdeviceinfo, .proc_layoutget = nfsd4_ff_proc_layoutget, .encode_layoutget = nfsd4_ff_encode_layoutget, + .proc_layoutcommit = nfsd4_ff_proc_layoutcommit, };

1 month, 1 week

2
5
0 0

FAILED: patch "[PATCH] NFSD: Define a proc_layoutcommit for the FlexFiles layout" failed to apply to 6.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.17.y git checkout FETCH_HEAD git cherry-pick -x 4b47a8601b71ad98833b447d465592d847b4dc77 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102049-comic-carpentry-952e@gregkh' --subject-prefix 'PATCH 6.17.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 4b47a8601b71ad98833b447d465592d847b4dc77 Mon Sep 17 00:00:00 2001 From: Chuck Lever <chuck.lever(a)oracle.com> Date: Thu, 11 Sep 2025 11:12:06 -0400 Subject: [PATCH] NFSD: Define a proc_layoutcommit for the FlexFiles layout type Avoid a crash if a pNFS client should happen to send a LAYOUTCOMMIT operation on a FlexFiles layout. Reported-by: Robert Morris <rtm(a)csail.mit.edu> Closes: https://lore.kernel.org/linux-nfs/152f99b2-ba35-4dec-93a9-4690e625dccd@orac… Cc: Thomas Haynes <loghyr(a)hammerspace.com> Cc: stable(a)vger.kernel.org Fixes: 9b9960a0ca47 ("nfsd: Add a super simple flex file server") Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> diff --git a/fs/nfsd/flexfilelayout.c b/fs/nfsd/flexfilelayout.c index c318cf74e388..0f1a35400cd5 100644 --- a/fs/nfsd/flexfilelayout.c +++ b/fs/nfsd/flexfilelayout.c @@ -125,6 +125,13 @@ nfsd4_ff_proc_getdeviceinfo(struct super_block *sb, struct svc_rqst *rqstp, return 0; } +static __be32 +nfsd4_ff_proc_layoutcommit(struct inode *inode, struct svc_rqst *rqstp, + struct nfsd4_layoutcommit *lcp) +{ + return nfs_ok; +} + const struct nfsd4_layout_ops ff_layout_ops = { .notify_types = NOTIFY_DEVICEID4_DELETE | NOTIFY_DEVICEID4_CHANGE, @@ -133,4 +140,5 @@ const struct nfsd4_layout_ops ff_layout_ops = { .encode_getdeviceinfo = nfsd4_ff_encode_getdeviceinfo, .proc_layoutget = nfsd4_ff_proc_layoutget, .encode_layoutget = nfsd4_ff_encode_layoutget, + .proc_layoutcommit = nfsd4_ff_proc_layoutcommit, };

1 month, 1 week

2
3
0 0

FAILED: patch "[PATCH] ixgbevf: fix mailbox API compatibility by negotiating" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x a7075f501bd33c93570af759b6f4302ef0175168 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102053-upheld-recess-9b2f@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a7075f501bd33c93570af759b6f4302ef0175168 Mon Sep 17 00:00:00 2001 From: Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> Date: Thu, 9 Oct 2025 17:03:49 -0700 Subject: [PATCH] ixgbevf: fix mailbox API compatibility by negotiating supported features There was backward compatibility in the terms of mailbox API. Various drivers from various OSes supporting 10G adapters from Intel portfolio could easily negotiate mailbox API. This convention has been broken since introducing API 1.4. Commit 0062e7cc955e ("ixgbevf: add VF IPsec offload code") added support for IPSec which is specific only for the kernel ixgbe driver. None of the rest of the Intel 10G PF/VF drivers supports it. And actually lack of support was not included in the IPSec implementation - there were no such code paths. No possibility to negotiate support for the feature was introduced along with introduction of the feature itself. Commit 339f28964147 ("ixgbevf: Add support for new mailbox communication between PF and VF") increasing API version to 1.5 did the same - it introduced code supported specifically by the PF ESX driver. It altered API version for the VF driver in the same time not touching the version defined for the PF ixgbe driver. It led to additional discrepancies, as the code provided within API 1.6 cannot be supported for Linux ixgbe driver as it causes crashes. The issue was noticed some time ago and mitigated by Jake within the commit d0725312adf5 ("ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5"). As a result we have regression for IPsec support and after increasing API to version 1.6 ixgbevf driver stopped to support ESX MBX. To fix this mess add new mailbox op asking PF driver about supported features. Basing on a response determine whether to set support for IPSec and ESX-specific enhanced mailbox. New mailbox op, for compatibility purposes, must be added within new API revision, as API version of OOT PF & VF drivers is already increased to 1.6 and doesn't incorporate features negotiate op. Features negotiation mechanism gives possibility to be extended with new features when needed in the future. Reported-by: Jacob Keller <jacob.e.keller(a)intel.com> Closes: https://lore.kernel.org/intel-wired-lan/20241101-jk-ixgbevf-mailbox-v1-5-fi… Fixes: 0062e7cc955e ("ixgbevf: add VF IPsec offload code") Fixes: 339f28964147 ("ixgbevf: Add support for new mailbox communication between PF and VF") Reviewed-by: Jacob Keller <jacob.e.keller(a)intel.com> Reviewed-by: Przemek Kitszel <przemyslaw.kitszel(a)intel.com> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov(a)intel.com> Cc: stable(a)vger.kernel.org Signed-off-by: Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> Tested-by: Rafal Romanowski <rafal.romanowski(a)intel.com> Signed-off-by: Jacob Keller <jacob.e.keller(a)intel.com> Link: https://patch.msgid.link/20251009-jk-iwl-net-2025-10-01-v3-4-ef32a425b92a@i… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/drivers/net/ethernet/intel/ixgbevf/ipsec.c b/drivers/net/ethernet/intel/ixgbevf/ipsec.c index 65580b9cb06f..fce35924ff8b 100644 --- a/drivers/net/ethernet/intel/ixgbevf/ipsec.c +++ b/drivers/net/ethernet/intel/ixgbevf/ipsec.c @@ -273,6 +273,9 @@ static int ixgbevf_ipsec_add_sa(struct net_device *dev, adapter = netdev_priv(dev); ipsec = adapter->ipsec; + if (!(adapter->pf_features & IXGBEVF_PF_SUP_IPSEC)) + return -EOPNOTSUPP; + if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) { NL_SET_ERR_MSG_MOD(extack, "Unsupported protocol for IPsec offload"); return -EINVAL; @@ -405,6 +408,9 @@ static void ixgbevf_ipsec_del_sa(struct net_device *dev, adapter = netdev_priv(dev); ipsec = adapter->ipsec; + if (!(adapter->pf_features & IXGBEVF_PF_SUP_IPSEC)) + return; + if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN) { sa_idx = xs->xso.offload_handle - IXGBE_IPSEC_BASE_RX_INDEX; @@ -612,6 +618,10 @@ void ixgbevf_init_ipsec_offload(struct ixgbevf_adapter *adapter) size_t size; switch (adapter->hw.api_version) { + case ixgbe_mbox_api_17: + if (!(adapter->pf_features & IXGBEVF_PF_SUP_IPSEC)) + return; + break; case ixgbe_mbox_api_14: break; default: diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf.h b/drivers/net/ethernet/intel/ixgbevf/ixgbevf.h index 3a379e6a3a2a..039187607e98 100644 --- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf.h +++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf.h @@ -363,6 +363,13 @@ struct ixgbevf_adapter { struct ixgbe_hw hw; u16 msg_enable; + u32 pf_features; +#define IXGBEVF_PF_SUP_IPSEC BIT(0) +#define IXGBEVF_PF_SUP_ESX_MBX BIT(1) + +#define IXGBEVF_SUPPORTED_FEATURES (IXGBEVF_PF_SUP_IPSEC | \ + IXGBEVF_PF_SUP_ESX_MBX) + struct ixgbevf_hw_stats stats; unsigned long state; diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c index 92671638b428..d5ce20f47def 100644 --- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c +++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c @@ -2271,10 +2271,35 @@ static void ixgbevf_init_last_counter_stats(struct ixgbevf_adapter *adapter) adapter->stats.base_vfmprc = adapter->stats.last_vfmprc; } +/** + * ixgbevf_set_features - Set features supported by PF + * @adapter: pointer to the adapter struct + * + * Negotiate with PF supported features and then set pf_features accordingly. + */ +static void ixgbevf_set_features(struct ixgbevf_adapter *adapter) +{ + u32 *pf_features = &adapter->pf_features; + struct ixgbe_hw *hw = &adapter->hw; + int err; + + err = hw->mac.ops.negotiate_features(hw, pf_features); + if (err && err != -EOPNOTSUPP) + netdev_dbg(adapter->netdev, + "PF feature negotiation failed.\n"); + + /* Address also pre API 1.7 cases */ + if (hw->api_version == ixgbe_mbox_api_14) + *pf_features |= IXGBEVF_PF_SUP_IPSEC; + else if (hw->api_version == ixgbe_mbox_api_15) + *pf_features |= IXGBEVF_PF_SUP_ESX_MBX; +} + static void ixgbevf_negotiate_api(struct ixgbevf_adapter *adapter) { struct ixgbe_hw *hw = &adapter->hw; static const int api[] = { + ixgbe_mbox_api_17, ixgbe_mbox_api_16, ixgbe_mbox_api_15, ixgbe_mbox_api_14, @@ -2295,8 +2320,9 @@ static void ixgbevf_negotiate_api(struct ixgbevf_adapter *adapter) idx++; } - /* Following is not supported by API 1.6, it is specific for 1.5 */ - if (hw->api_version == ixgbe_mbox_api_15) { + ixgbevf_set_features(adapter); + + if (adapter->pf_features & IXGBEVF_PF_SUP_ESX_MBX) { hw->mbx.ops.init_params(hw); memcpy(&hw->mbx.ops, &ixgbevf_mbx_ops, sizeof(struct ixgbe_mbx_operations)); @@ -2654,6 +2680,7 @@ static void ixgbevf_set_num_queues(struct ixgbevf_adapter *adapter) case ixgbe_mbox_api_14: case ixgbe_mbox_api_15: case ixgbe_mbox_api_16: + case ixgbe_mbox_api_17: if (adapter->xdp_prog && hw->mac.max_tx_queues == rss) rss = rss > 3 ? 2 : 1; @@ -4649,6 +4676,7 @@ static int ixgbevf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) case ixgbe_mbox_api_14: case ixgbe_mbox_api_15: case ixgbe_mbox_api_16: + case ixgbe_mbox_api_17: netdev->max_mtu = IXGBE_MAX_JUMBO_FRAME_SIZE - (ETH_HLEN + ETH_FCS_LEN); break; diff --git a/drivers/net/ethernet/intel/ixgbevf/mbx.h b/drivers/net/ethernet/intel/ixgbevf/mbx.h index c1494fd1f67b..a8ed23ee66aa 100644 --- a/drivers/net/ethernet/intel/ixgbevf/mbx.h +++ b/drivers/net/ethernet/intel/ixgbevf/mbx.h @@ -67,6 +67,7 @@ enum ixgbe_pfvf_api_rev { ixgbe_mbox_api_14, /* API version 1.4, linux/freebsd VF driver */ ixgbe_mbox_api_15, /* API version 1.5, linux/freebsd VF driver */ ixgbe_mbox_api_16, /* API version 1.6, linux/freebsd VF driver */ + ixgbe_mbox_api_17, /* API version 1.7, linux/freebsd VF driver */ /* This value should always be last */ ixgbe_mbox_api_unknown, /* indicates that API version is not known */ }; @@ -106,6 +107,9 @@ enum ixgbe_pfvf_api_rev { /* mailbox API, version 1.6 VF requests */ #define IXGBE_VF_GET_PF_LINK_STATE 0x11 /* request PF to send link info */ +/* mailbox API, version 1.7 VF requests */ +#define IXGBE_VF_FEATURES_NEGOTIATE 0x12 /* get features supported by PF*/ + /* length of permanent address message returned from PF */ #define IXGBE_VF_PERMADDR_MSG_LEN 4 /* word in permanent address message with the current multicast type */ diff --git a/drivers/net/ethernet/intel/ixgbevf/vf.c b/drivers/net/ethernet/intel/ixgbevf/vf.c index f05246fb5a74..74d320879513 100644 --- a/drivers/net/ethernet/intel/ixgbevf/vf.c +++ b/drivers/net/ethernet/intel/ixgbevf/vf.c @@ -313,6 +313,7 @@ int ixgbevf_get_reta_locked(struct ixgbe_hw *hw, u32 *reta, int num_rx_queues) * is not supported for this device type. */ switch (hw->api_version) { + case ixgbe_mbox_api_17: case ixgbe_mbox_api_16: case ixgbe_mbox_api_15: case ixgbe_mbox_api_14: @@ -383,6 +384,7 @@ int ixgbevf_get_rss_key_locked(struct ixgbe_hw *hw, u8 *rss_key) * or if the operation is not supported for this device type. */ switch (hw->api_version) { + case ixgbe_mbox_api_17: case ixgbe_mbox_api_16: case ixgbe_mbox_api_15: case ixgbe_mbox_api_14: @@ -555,6 +557,7 @@ static s32 ixgbevf_update_xcast_mode(struct ixgbe_hw *hw, int xcast_mode) case ixgbe_mbox_api_14: case ixgbe_mbox_api_15: case ixgbe_mbox_api_16: + case ixgbe_mbox_api_17: break; default: return -EOPNOTSUPP; @@ -646,6 +649,7 @@ static int ixgbevf_get_pf_link_state(struct ixgbe_hw *hw, ixgbe_link_speed *spee switch (hw->api_version) { case ixgbe_mbox_api_16: + case ixgbe_mbox_api_17: break; default: return -EOPNOTSUPP; @@ -669,6 +673,42 @@ static int ixgbevf_get_pf_link_state(struct ixgbe_hw *hw, ixgbe_link_speed *spee return err; } +/** + * ixgbevf_negotiate_features_vf - negotiate supported features with PF driver + * @hw: pointer to the HW structure + * @pf_features: bitmask of features supported by PF + * + * Return: IXGBE_ERR_MBX in the case of mailbox error, + * -EOPNOTSUPP if the op is not supported or 0 on success. + */ +static int ixgbevf_negotiate_features_vf(struct ixgbe_hw *hw, u32 *pf_features) +{ + u32 msgbuf[2] = {}; + int err; + + switch (hw->api_version) { + case ixgbe_mbox_api_17: + break; + default: + return -EOPNOTSUPP; + } + + msgbuf[0] = IXGBE_VF_FEATURES_NEGOTIATE; + msgbuf[1] = IXGBEVF_SUPPORTED_FEATURES; + + err = ixgbevf_write_msg_read_ack(hw, msgbuf, msgbuf, + ARRAY_SIZE(msgbuf)); + + if (err || (msgbuf[0] & IXGBE_VT_MSGTYPE_FAILURE)) { + err = IXGBE_ERR_MBX; + *pf_features = 0x0; + } else { + *pf_features = msgbuf[1]; + } + + return err; +} + /** * ixgbevf_set_vfta_vf - Set/Unset VLAN filter table address * @hw: pointer to the HW structure @@ -799,6 +839,7 @@ static s32 ixgbevf_check_mac_link_vf(struct ixgbe_hw *hw, bool *link_up, bool autoneg_wait_to_complete) { + struct ixgbevf_adapter *adapter = hw->back; struct ixgbe_mbx_info *mbx = &hw->mbx; struct ixgbe_mac_info *mac = &hw->mac; s32 ret_val = 0; @@ -825,7 +866,7 @@ static s32 ixgbevf_check_mac_link_vf(struct ixgbe_hw *hw, * until we are called again and don't report an error */ if (mbx->ops.read(hw, &in_msg, 1)) { - if (hw->api_version >= ixgbe_mbox_api_15) + if (adapter->pf_features & IXGBEVF_PF_SUP_ESX_MBX) mac->get_link_status = false; goto out; } @@ -1026,6 +1067,7 @@ int ixgbevf_get_queues(struct ixgbe_hw *hw, unsigned int *num_tcs, case ixgbe_mbox_api_14: case ixgbe_mbox_api_15: case ixgbe_mbox_api_16: + case ixgbe_mbox_api_17: break; default: return 0; @@ -1080,6 +1122,7 @@ static const struct ixgbe_mac_operations ixgbevf_mac_ops = { .setup_link = ixgbevf_setup_mac_link_vf, .check_link = ixgbevf_check_mac_link_vf, .negotiate_api_version = ixgbevf_negotiate_api_version_vf, + .negotiate_features = ixgbevf_negotiate_features_vf, .set_rar = ixgbevf_set_rar_vf, .update_mc_addr_list = ixgbevf_update_mc_addr_list_vf, .update_xcast_mode = ixgbevf_update_xcast_mode, diff --git a/drivers/net/ethernet/intel/ixgbevf/vf.h b/drivers/net/ethernet/intel/ixgbevf/vf.h index 2d791bc26ae4..4f19b8900c29 100644 --- a/drivers/net/ethernet/intel/ixgbevf/vf.h +++ b/drivers/net/ethernet/intel/ixgbevf/vf.h @@ -26,6 +26,7 @@ struct ixgbe_mac_operations { s32 (*stop_adapter)(struct ixgbe_hw *); s32 (*get_bus_info)(struct ixgbe_hw *); s32 (*negotiate_api_version)(struct ixgbe_hw *hw, int api); + int (*negotiate_features)(struct ixgbe_hw *hw, u32 *pf_features); /* Link */ s32 (*setup_link)(struct ixgbe_hw *, ixgbe_link_speed, bool, bool);

1 month, 1 week

2
4
0 0

[PATCH v2 1/1] selftest/sched: skip the test if smt is not enabled

by Yifei Liu

The core scheduling is for smt enabled cpus. It is not returns failure and gives plenty of error messages and not clearly points to the smt issue if the smt is disabled. It just mention "not a core sched system" and many other messages. For example: Not a core sched system tid=210574, / tgid=210574 / pgid=210574: ffffffffffffffff Not a core sched system tid=210575, / tgid=210575 / pgid=210574: ffffffffffffffff Not a core sched system tid=210577, / tgid=210575 / pgid=210574: ffffffffffffffff (similar things many other times) In this patch, the test will first read /sys/devices/system/cpu/smt/active, if the file cannot be opened or its value is 0, the test is skipped with an explanatory message. This helps developers understand why it is skipped and avoids unnecessary attention when running the full selftest suite. Cc: stable(a)vger.kernel.org Signed-off-by: Yifei Liu <yifei.l.liu(a)oracle.com> --- tools/testing/selftests/sched/cs_prctl_test.c | 23 ++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/sched/cs_prctl_test.c b/tools/testing/selftests/sched/cs_prctl_test.c index 52d97fae4dbd..7ce8088cde6a 100644 --- a/tools/testing/selftests/sched/cs_prctl_test.c +++ b/tools/testing/selftests/sched/cs_prctl_test.c @@ -32,6 +32,8 @@ #include <stdlib.h> #include <string.h> +#include "../kselftest.h" + #if __GLIBC_PREREQ(2, 30) == 0 #include <sys/syscall.h> static pid_t gettid(void) @@ -109,6 +111,22 @@ static void handle_usage(int rc, char *msg) exit(rc); } +int check_smt(void) +{ + int c = 0; + FILE *file; + + file = fopen("/sys/devices/system/cpu/smt/active", "r"); + if (!file) + return 0; + c = fgetc(file) - 0x30; + fclose(file); + if (c == 0 || c == 1) + return c; + //if fgetc returns EOF or -1 for correupted files, return 0. + return 0; +} + static unsigned long get_cs_cookie(int pid) { unsigned long long cookie; @@ -271,7 +289,10 @@ int main(int argc, char *argv[]) delay = -1; srand(time(NULL)); - + if (!check_smt()) { + ksft_test_result_skip("smt not enabled\n"); + return 1; + } /* put into separate process group */ if (setpgid(0, 0) != 0) handle_error("process group"); -- 2.50.1

1 month, 1 week

1
0
0 0

[PATCH v1 1/3] PCI: Allow per function PCI slots

by Farhan Ali

On s390 systems, which use a machine level hypervisor, PCI devices are always accessed through a form of PCI pass-through which fundamentally operates on a per PCI function granularity. This is also reflected in the s390 PCI hotplug driver which creates hotplug slots for individual PCI functions. Its reset_slot() function, which is a wrapper for zpci_hot_reset_device(), thus also resets individual functions. Currently, the kernel's PCI_SLOT() macro assigns the same pci_slot object to multifunction devices. This approach worked fine on s390 systems that only exposed virtual functions as individual PCI domains to the operating system. Since commit 44510d6fa0c0 ("s390/pci: Handling multifunctions") s390 supports exposing the topology of multifunction PCI devices by grouping them in a shared PCI domain. When attempting to reset a function through the hotplug driver, the shared slot assignment causes the wrong function to be reset instead of the intended one. It also leaks memory as we do create a pci_slot object for the function, but don't correctly free it in pci_slot_release(). Add a flag for struct pci_slot to allow per function PCI slots for functions managed through a hypervisor, which exposes individual PCI functions while retaining the topology. Fixes: 44510d6fa0c0 ("s390/pci: Handling multifunctions") Cc: stable(a)vger.kernel.org Suggested-by: Niklas Schnelle <schnelle(a)linux.ibm.com> Reviewed-by: Benjamin Block <bblock(a)linux.ibm.com> Signed-off-by: Farhan Ali <alifm(a)linux.ibm.com> --- drivers/pci/hotplug/s390_pci_hpc.c | 10 ++++++++-- drivers/pci/pci.c | 5 +++-- drivers/pci/slot.c | 14 +++++++++++--- include/linux/pci.h | 1 + 4 files changed, 23 insertions(+), 7 deletions(-) diff --git a/drivers/pci/hotplug/s390_pci_hpc.c b/drivers/pci/hotplug/s390_pci_hpc.c index d9996516f49e..8b547de464bf 100644 --- a/drivers/pci/hotplug/s390_pci_hpc.c +++ b/drivers/pci/hotplug/s390_pci_hpc.c @@ -126,14 +126,20 @@ static const struct hotplug_slot_ops s390_hotplug_slot_ops = { int zpci_init_slot(struct zpci_dev *zdev) { + int ret; char name[SLOT_NAME_SIZE]; struct zpci_bus *zbus = zdev->zbus; zdev->hotplug_slot.ops = &s390_hotplug_slot_ops; snprintf(name, SLOT_NAME_SIZE, "%08x", zdev->fid); - return pci_hp_register(&zdev->hotplug_slot, zbus->bus, - zdev->devfn, name); + ret = pci_hp_register(&zdev->hotplug_slot, zbus->bus, + zdev->devfn, name); + if (ret) + return ret; + + zdev->hotplug_slot.pci_slot->per_func_slot = 1; + return 0; } void zpci_exit_slot(struct zpci_dev *zdev) diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c index b14dd064006c..36ee38e0d817 100644 --- a/drivers/pci/pci.c +++ b/drivers/pci/pci.c @@ -4980,8 +4980,9 @@ static int pci_reset_hotplug_slot(struct hotplug_slot *hotplug, bool probe) static int pci_dev_reset_slot_function(struct pci_dev *dev, bool probe) { - if (dev->multifunction || dev->subordinate || !dev->slot || - dev->dev_flags & PCI_DEV_FLAGS_NO_BUS_RESET) + if (dev->subordinate || !dev->slot || + dev->dev_flags & PCI_DEV_FLAGS_NO_BUS_RESET || + (dev->multifunction && !dev->slot->per_func_slot)) return -ENOTTY; return pci_reset_hotplug_slot(dev->slot->hotplug, probe); diff --git a/drivers/pci/slot.c b/drivers/pci/slot.c index 50fb3eb595fe..51ee59e14393 100644 --- a/drivers/pci/slot.c +++ b/drivers/pci/slot.c @@ -63,6 +63,14 @@ static ssize_t cur_speed_read_file(struct pci_slot *slot, char *buf) return bus_speed_read(slot->bus->cur_bus_speed, buf); } +static bool pci_dev_matches_slot(struct pci_dev *dev, struct pci_slot *slot) +{ + if (slot->per_func_slot) + return dev->devfn == slot->number; + + return PCI_SLOT(dev->devfn) == slot->number; +} + static void pci_slot_release(struct kobject *kobj) { struct pci_dev *dev; @@ -73,7 +81,7 @@ static void pci_slot_release(struct kobject *kobj) down_read(&pci_bus_sem); list_for_each_entry(dev, &slot->bus->devices, bus_list) - if (PCI_SLOT(dev->devfn) == slot->number) + if (pci_dev_matches_slot(dev, slot)) dev->slot = NULL; up_read(&pci_bus_sem); @@ -166,7 +174,7 @@ void pci_dev_assign_slot(struct pci_dev *dev) mutex_lock(&pci_slot_mutex); list_for_each_entry(slot, &dev->bus->slots, list) - if (PCI_SLOT(dev->devfn) == slot->number) + if (pci_dev_matches_slot(dev, slot)) dev->slot = slot; mutex_unlock(&pci_slot_mutex); } @@ -285,7 +293,7 @@ struct pci_slot *pci_create_slot(struct pci_bus *parent, int slot_nr, down_read(&pci_bus_sem); list_for_each_entry(dev, &parent->devices, bus_list) - if (PCI_SLOT(dev->devfn) == slot_nr) + if (pci_dev_matches_slot(dev, slot)) dev->slot = slot; up_read(&pci_bus_sem); diff --git a/include/linux/pci.h b/include/linux/pci.h index d1fdf81fbe1e..6ad194597ab5 100644 --- a/include/linux/pci.h +++ b/include/linux/pci.h @@ -78,6 +78,7 @@ struct pci_slot { struct list_head list; /* Node in list of slots */ struct hotplug_slot *hotplug; /* Hotplug info (move here) */ unsigned char number; /* PCI_SLOT(pci_dev->devfn) */ + unsigned int per_func_slot:1; /* Allow per function slot */ struct kobject kobj; }; -- 2.43.0

1 month, 1 week

1
0
0 0

FAILED: patch "[PATCH] xfs: use deferred intent items for reaping crosslinked blocks" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x cd32a0c0dcdf634f2e0e71f41c272e19dece6264 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101603-parasitic-impatient-2d2b@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From cd32a0c0dcdf634f2e0e71f41c272e19dece6264 Mon Sep 17 00:00:00 2001 From: "Darrick J. Wong" <djwong(a)kernel.org> Date: Tue, 8 Apr 2025 16:14:32 -0700 Subject: [PATCH] xfs: use deferred intent items for reaping crosslinked blocks When we're removing rmap records for crosslinked blocks, use deferred intent items so that we can try to free/unmap as many of the old data structure's blocks as we can in the same transaction as the commit. Cc: <stable(a)vger.kernel.org> # v6.6 Fixes: 1c7ce115e52106 ("xfs: reap large AG metadata extents when possible") Signed-off-by: "Darrick J. Wong" <djwong(a)kernel.org> Reviewed-by: Christoph Hellwig <hch(a)lst.de> diff --git a/fs/xfs/scrub/reap.c b/fs/xfs/scrub/reap.c index 8703897c0a9c..86d3d104b8d9 100644 --- a/fs/xfs/scrub/reap.c +++ b/fs/xfs/scrub/reap.c @@ -416,8 +416,6 @@ xreap_agextent_iter( trace_xreap_dispose_unmap_extent(pag_group(sc->sa.pag), agbno, *aglenp); - rs->force_roll = true; - if (rs->oinfo == &XFS_RMAP_OINFO_COW) { /* * If we're unmapping CoW staging extents, remove the @@ -426,11 +424,14 @@ xreap_agextent_iter( */ xfs_refcount_free_cow_extent(sc->tp, false, fsbno, *aglenp); + rs->force_roll = true; return 0; } - return xfs_rmap_free(sc->tp, sc->sa.agf_bp, sc->sa.pag, agbno, - *aglenp, rs->oinfo); + xfs_rmap_free_extent(sc->tp, false, fsbno, *aglenp, + rs->oinfo->oi_owner); + rs->deferred++; + return 0; } trace_xreap_dispose_free_extent(pag_group(sc->sa.pag), agbno, *aglenp);

1 month, 1 week

3
2
0 0

FAILED: patch "[PATCH] ixgbevf: fix mailbox API compatibility by negotiating" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x a7075f501bd33c93570af759b6f4302ef0175168 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102051-bonded-proofread-bd52@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a7075f501bd33c93570af759b6f4302ef0175168 Mon Sep 17 00:00:00 2001 From: Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> Date: Thu, 9 Oct 2025 17:03:49 -0700 Subject: [PATCH] ixgbevf: fix mailbox API compatibility by negotiating supported features There was backward compatibility in the terms of mailbox API. Various drivers from various OSes supporting 10G adapters from Intel portfolio could easily negotiate mailbox API. This convention has been broken since introducing API 1.4. Commit 0062e7cc955e ("ixgbevf: add VF IPsec offload code") added support for IPSec which is specific only for the kernel ixgbe driver. None of the rest of the Intel 10G PF/VF drivers supports it. And actually lack of support was not included in the IPSec implementation - there were no such code paths. No possibility to negotiate support for the feature was introduced along with introduction of the feature itself. Commit 339f28964147 ("ixgbevf: Add support for new mailbox communication between PF and VF") increasing API version to 1.5 did the same - it introduced code supported specifically by the PF ESX driver. It altered API version for the VF driver in the same time not touching the version defined for the PF ixgbe driver. It led to additional discrepancies, as the code provided within API 1.6 cannot be supported for Linux ixgbe driver as it causes crashes. The issue was noticed some time ago and mitigated by Jake within the commit d0725312adf5 ("ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5"). As a result we have regression for IPsec support and after increasing API to version 1.6 ixgbevf driver stopped to support ESX MBX. To fix this mess add new mailbox op asking PF driver about supported features. Basing on a response determine whether to set support for IPSec and ESX-specific enhanced mailbox. New mailbox op, for compatibility purposes, must be added within new API revision, as API version of OOT PF & VF drivers is already increased to 1.6 and doesn't incorporate features negotiate op. Features negotiation mechanism gives possibility to be extended with new features when needed in the future. Reported-by: Jacob Keller <jacob.e.keller(a)intel.com> Closes: https://lore.kernel.org/intel-wired-lan/20241101-jk-ixgbevf-mailbox-v1-5-fi… Fixes: 0062e7cc955e ("ixgbevf: add VF IPsec offload code") Fixes: 339f28964147 ("ixgbevf: Add support for new mailbox communication between PF and VF") Reviewed-by: Jacob Keller <jacob.e.keller(a)intel.com> Reviewed-by: Przemek Kitszel <przemyslaw.kitszel(a)intel.com> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov(a)intel.com> Cc: stable(a)vger.kernel.org Signed-off-by: Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> Tested-by: Rafal Romanowski <rafal.romanowski(a)intel.com> Signed-off-by: Jacob Keller <jacob.e.keller(a)intel.com> Link: https://patch.msgid.link/20251009-jk-iwl-net-2025-10-01-v3-4-ef32a425b92a@i… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/drivers/net/ethernet/intel/ixgbevf/ipsec.c b/drivers/net/ethernet/intel/ixgbevf/ipsec.c index 65580b9cb06f..fce35924ff8b 100644 --- a/drivers/net/ethernet/intel/ixgbevf/ipsec.c +++ b/drivers/net/ethernet/intel/ixgbevf/ipsec.c @@ -273,6 +273,9 @@ static int ixgbevf_ipsec_add_sa(struct net_device *dev, adapter = netdev_priv(dev); ipsec = adapter->ipsec; + if (!(adapter->pf_features & IXGBEVF_PF_SUP_IPSEC)) + return -EOPNOTSUPP; + if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) { NL_SET_ERR_MSG_MOD(extack, "Unsupported protocol for IPsec offload"); return -EINVAL; @@ -405,6 +408,9 @@ static void ixgbevf_ipsec_del_sa(struct net_device *dev, adapter = netdev_priv(dev); ipsec = adapter->ipsec; + if (!(adapter->pf_features & IXGBEVF_PF_SUP_IPSEC)) + return; + if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN) { sa_idx = xs->xso.offload_handle - IXGBE_IPSEC_BASE_RX_INDEX; @@ -612,6 +618,10 @@ void ixgbevf_init_ipsec_offload(struct ixgbevf_adapter *adapter) size_t size; switch (adapter->hw.api_version) { + case ixgbe_mbox_api_17: + if (!(adapter->pf_features & IXGBEVF_PF_SUP_IPSEC)) + return; + break; case ixgbe_mbox_api_14: break; default: diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf.h b/drivers/net/ethernet/intel/ixgbevf/ixgbevf.h index 3a379e6a3a2a..039187607e98 100644 --- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf.h +++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf.h @@ -363,6 +363,13 @@ struct ixgbevf_adapter { struct ixgbe_hw hw; u16 msg_enable; + u32 pf_features; +#define IXGBEVF_PF_SUP_IPSEC BIT(0) +#define IXGBEVF_PF_SUP_ESX_MBX BIT(1) + +#define IXGBEVF_SUPPORTED_FEATURES (IXGBEVF_PF_SUP_IPSEC | \ + IXGBEVF_PF_SUP_ESX_MBX) + struct ixgbevf_hw_stats stats; unsigned long state; diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c index 92671638b428..d5ce20f47def 100644 --- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c +++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c @@ -2271,10 +2271,35 @@ static void ixgbevf_init_last_counter_stats(struct ixgbevf_adapter *adapter) adapter->stats.base_vfmprc = adapter->stats.last_vfmprc; } +/** + * ixgbevf_set_features - Set features supported by PF + * @adapter: pointer to the adapter struct + * + * Negotiate with PF supported features and then set pf_features accordingly. + */ +static void ixgbevf_set_features(struct ixgbevf_adapter *adapter) +{ + u32 *pf_features = &adapter->pf_features; + struct ixgbe_hw *hw = &adapter->hw; + int err; + + err = hw->mac.ops.negotiate_features(hw, pf_features); + if (err && err != -EOPNOTSUPP) + netdev_dbg(adapter->netdev, + "PF feature negotiation failed.\n"); + + /* Address also pre API 1.7 cases */ + if (hw->api_version == ixgbe_mbox_api_14) + *pf_features |= IXGBEVF_PF_SUP_IPSEC; + else if (hw->api_version == ixgbe_mbox_api_15) + *pf_features |= IXGBEVF_PF_SUP_ESX_MBX; +} + static void ixgbevf_negotiate_api(struct ixgbevf_adapter *adapter) { struct ixgbe_hw *hw = &adapter->hw; static const int api[] = { + ixgbe_mbox_api_17, ixgbe_mbox_api_16, ixgbe_mbox_api_15, ixgbe_mbox_api_14, @@ -2295,8 +2320,9 @@ static void ixgbevf_negotiate_api(struct ixgbevf_adapter *adapter) idx++; } - /* Following is not supported by API 1.6, it is specific for 1.5 */ - if (hw->api_version == ixgbe_mbox_api_15) { + ixgbevf_set_features(adapter); + + if (adapter->pf_features & IXGBEVF_PF_SUP_ESX_MBX) { hw->mbx.ops.init_params(hw); memcpy(&hw->mbx.ops, &ixgbevf_mbx_ops, sizeof(struct ixgbe_mbx_operations)); @@ -2654,6 +2680,7 @@ static void ixgbevf_set_num_queues(struct ixgbevf_adapter *adapter) case ixgbe_mbox_api_14: case ixgbe_mbox_api_15: case ixgbe_mbox_api_16: + case ixgbe_mbox_api_17: if (adapter->xdp_prog && hw->mac.max_tx_queues == rss) rss = rss > 3 ? 2 : 1; @@ -4649,6 +4676,7 @@ static int ixgbevf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) case ixgbe_mbox_api_14: case ixgbe_mbox_api_15: case ixgbe_mbox_api_16: + case ixgbe_mbox_api_17: netdev->max_mtu = IXGBE_MAX_JUMBO_FRAME_SIZE - (ETH_HLEN + ETH_FCS_LEN); break; diff --git a/drivers/net/ethernet/intel/ixgbevf/mbx.h b/drivers/net/ethernet/intel/ixgbevf/mbx.h index c1494fd1f67b..a8ed23ee66aa 100644 --- a/drivers/net/ethernet/intel/ixgbevf/mbx.h +++ b/drivers/net/ethernet/intel/ixgbevf/mbx.h @@ -67,6 +67,7 @@ enum ixgbe_pfvf_api_rev { ixgbe_mbox_api_14, /* API version 1.4, linux/freebsd VF driver */ ixgbe_mbox_api_15, /* API version 1.5, linux/freebsd VF driver */ ixgbe_mbox_api_16, /* API version 1.6, linux/freebsd VF driver */ + ixgbe_mbox_api_17, /* API version 1.7, linux/freebsd VF driver */ /* This value should always be last */ ixgbe_mbox_api_unknown, /* indicates that API version is not known */ }; @@ -106,6 +107,9 @@ enum ixgbe_pfvf_api_rev { /* mailbox API, version 1.6 VF requests */ #define IXGBE_VF_GET_PF_LINK_STATE 0x11 /* request PF to send link info */ +/* mailbox API, version 1.7 VF requests */ +#define IXGBE_VF_FEATURES_NEGOTIATE 0x12 /* get features supported by PF*/ + /* length of permanent address message returned from PF */ #define IXGBE_VF_PERMADDR_MSG_LEN 4 /* word in permanent address message with the current multicast type */ diff --git a/drivers/net/ethernet/intel/ixgbevf/vf.c b/drivers/net/ethernet/intel/ixgbevf/vf.c index f05246fb5a74..74d320879513 100644 --- a/drivers/net/ethernet/intel/ixgbevf/vf.c +++ b/drivers/net/ethernet/intel/ixgbevf/vf.c @@ -313,6 +313,7 @@ int ixgbevf_get_reta_locked(struct ixgbe_hw *hw, u32 *reta, int num_rx_queues) * is not supported for this device type. */ switch (hw->api_version) { + case ixgbe_mbox_api_17: case ixgbe_mbox_api_16: case ixgbe_mbox_api_15: case ixgbe_mbox_api_14: @@ -383,6 +384,7 @@ int ixgbevf_get_rss_key_locked(struct ixgbe_hw *hw, u8 *rss_key) * or if the operation is not supported for this device type. */ switch (hw->api_version) { + case ixgbe_mbox_api_17: case ixgbe_mbox_api_16: case ixgbe_mbox_api_15: case ixgbe_mbox_api_14: @@ -555,6 +557,7 @@ static s32 ixgbevf_update_xcast_mode(struct ixgbe_hw *hw, int xcast_mode) case ixgbe_mbox_api_14: case ixgbe_mbox_api_15: case ixgbe_mbox_api_16: + case ixgbe_mbox_api_17: break; default: return -EOPNOTSUPP; @@ -646,6 +649,7 @@ static int ixgbevf_get_pf_link_state(struct ixgbe_hw *hw, ixgbe_link_speed *spee switch (hw->api_version) { case ixgbe_mbox_api_16: + case ixgbe_mbox_api_17: break; default: return -EOPNOTSUPP; @@ -669,6 +673,42 @@ static int ixgbevf_get_pf_link_state(struct ixgbe_hw *hw, ixgbe_link_speed *spee return err; } +/** + * ixgbevf_negotiate_features_vf - negotiate supported features with PF driver + * @hw: pointer to the HW structure + * @pf_features: bitmask of features supported by PF + * + * Return: IXGBE_ERR_MBX in the case of mailbox error, + * -EOPNOTSUPP if the op is not supported or 0 on success. + */ +static int ixgbevf_negotiate_features_vf(struct ixgbe_hw *hw, u32 *pf_features) +{ + u32 msgbuf[2] = {}; + int err; + + switch (hw->api_version) { + case ixgbe_mbox_api_17: + break; + default: + return -EOPNOTSUPP; + } + + msgbuf[0] = IXGBE_VF_FEATURES_NEGOTIATE; + msgbuf[1] = IXGBEVF_SUPPORTED_FEATURES; + + err = ixgbevf_write_msg_read_ack(hw, msgbuf, msgbuf, + ARRAY_SIZE(msgbuf)); + + if (err || (msgbuf[0] & IXGBE_VT_MSGTYPE_FAILURE)) { + err = IXGBE_ERR_MBX; + *pf_features = 0x0; + } else { + *pf_features = msgbuf[1]; + } + + return err; +} + /** * ixgbevf_set_vfta_vf - Set/Unset VLAN filter table address * @hw: pointer to the HW structure @@ -799,6 +839,7 @@ static s32 ixgbevf_check_mac_link_vf(struct ixgbe_hw *hw, bool *link_up, bool autoneg_wait_to_complete) { + struct ixgbevf_adapter *adapter = hw->back; struct ixgbe_mbx_info *mbx = &hw->mbx; struct ixgbe_mac_info *mac = &hw->mac; s32 ret_val = 0; @@ -825,7 +866,7 @@ static s32 ixgbevf_check_mac_link_vf(struct ixgbe_hw *hw, * until we are called again and don't report an error */ if (mbx->ops.read(hw, &in_msg, 1)) { - if (hw->api_version >= ixgbe_mbox_api_15) + if (adapter->pf_features & IXGBEVF_PF_SUP_ESX_MBX) mac->get_link_status = false; goto out; } @@ -1026,6 +1067,7 @@ int ixgbevf_get_queues(struct ixgbe_hw *hw, unsigned int *num_tcs, case ixgbe_mbox_api_14: case ixgbe_mbox_api_15: case ixgbe_mbox_api_16: + case ixgbe_mbox_api_17: break; default: return 0; @@ -1080,6 +1122,7 @@ static const struct ixgbe_mac_operations ixgbevf_mac_ops = { .setup_link = ixgbevf_setup_mac_link_vf, .check_link = ixgbevf_check_mac_link_vf, .negotiate_api_version = ixgbevf_negotiate_api_version_vf, + .negotiate_features = ixgbevf_negotiate_features_vf, .set_rar = ixgbevf_set_rar_vf, .update_mc_addr_list = ixgbevf_update_mc_addr_list_vf, .update_xcast_mode = ixgbevf_update_xcast_mode, diff --git a/drivers/net/ethernet/intel/ixgbevf/vf.h b/drivers/net/ethernet/intel/ixgbevf/vf.h index 2d791bc26ae4..4f19b8900c29 100644 --- a/drivers/net/ethernet/intel/ixgbevf/vf.h +++ b/drivers/net/ethernet/intel/ixgbevf/vf.h @@ -26,6 +26,7 @@ struct ixgbe_mac_operations { s32 (*stop_adapter)(struct ixgbe_hw *); s32 (*get_bus_info)(struct ixgbe_hw *); s32 (*negotiate_api_version)(struct ixgbe_hw *hw, int api); + int (*negotiate_features)(struct ixgbe_hw *hw, u32 *pf_features); /* Link */ s32 (*setup_link)(struct ixgbe_hw *, ixgbe_link_speed, bool, bool);

1 month, 1 week

2
4
0 0

[PATCH 6.1 v2 00/10] fix invalid sleeping in detect_cache_attributes()

by Wen Yang

commit 3fcbf1c77d08 ("arch_topology: Fix cache attributes detection in the CPU hotplug path") adds a call to detect_cache_attributes() to populate the cacheinfo before updating the siblings mask. detect_cache_attributes() allocates memory and can take the PPTT mutex (on ACPI platforms). On PREEMPT_RT kernels, on secondary CPUs, this triggers a: 'BUG: sleeping function called from invalid context' as the code is executed with preemption and interrupts disabled: | BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46 | in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 0, name: swapper/111 | preempt_count: 1, expected: 0 | RCU nest depth: 1, expected: 1 | 3 locks held by swapper/111/0: | #0: (&pcp->lock){+.+.}-{3:3}, at: get_page_from_freelist+0x218/0x12c8 | #1: (rcu_read_lock){....}-{1:3}, at: rt_spin_trylock+0x48/0xf0 | #2: (&zone->lock){+.+.}-{3:3}, at: rmqueue_bulk+0x64/0xa80 | irq event stamp: 0 | hardirqs last enabled at (0): 0x0 | hardirqs last disabled at (0): copy_process+0x5dc/0x1ab8 | softirqs last enabled at (0): copy_process+0x5dc/0x1ab8 | softirqs last disabled at (0): 0x0 | Preemption disabled at: | migrate_enable+0x30/0x130 | CPU: 111 PID: 0 Comm: swapper/111 Tainted: G W 6.0.0-rc4-rt6-[...] | Call trace: | __kmalloc+0xbc/0x1e8 | detect_cache_attributes+0x2d4/0x5f0 | update_siblings_masks+0x30/0x368 | store_cpu_topology+0x78/0xb8 | secondary_start_kernel+0xd0/0x198 | __secondary_switched+0xb0/0xb4 Pierre fixed this issue in the upstream 6.3 and the original series is follows: https://lore.kernel.org/all/167404285593.885445.6219705651301997538.b4-ty@a… We also encountered the same issue on 6.1 stable branch, and need to backport this series: cacheinfo: Use RISC-V's init_cache_level() as generic OF implementation cacheinfo: Return error code in init_of_cache_level() cacheinfo: Check 'cache-unified' property to count cache leaves ACPI: PPTT: Remove acpi_find_cache_levels() ACPI: PPTT: Update acpi_find_last_cache_level() to acpi_get_cache_info() arch_topology: Build cacheinfo from primary CPU And there was a non-trivial number of follow-on fixes for patches in this series, as pointed out by Greg in the 6.1.156-RC1 review: cacheinfo: Initialize variables in fetch_cache_info() cacheinfo: Fix LLC is not exported through sysfs drivers: base: cacheinfo: Update cpu_map_populated during CPU Hotplug Finally, Jon discovered an issue in the Tegra platform caused by these patches: https://lore.kernel.org/all/046f08cb-0610-48c9-af24-4804367df177@nvidia.com/ So we also need to backport the following patch: arm64: tegra: Update cache properties K Prateek Nayak (1): drivers: base: cacheinfo: Update cpu_map_populated during CPU Hotplug Pierre Gondois (8): cacheinfo: Use RISC-V's init_cache_level() as generic OF implementation cacheinfo: Return error code in init_of_cache_level() cacheinfo: Check 'cache-unified' property to count cache leaves ACPI: PPTT: Remove acpi_find_cache_levels() ACPI: PPTT: Update acpi_find_last_cache_level() to acpi_get_cache_info() arch_topology: Build cacheinfo from primary CPU cacheinfo: Initialize variables in fetch_cache_info() arm64: tegra: Update cache properties Yicong Yang (1): cacheinfo: Fix LLC is not exported through sysfs arch/arm64/boot/dts/nvidia/tegra194.dtsi | 15 +++ arch/arm64/boot/dts/nvidia/tegra210.dtsi | 1 + arch/arm64/boot/dts/nvidia/tegra234.dtsi | 33 +++++ arch/arm64/kernel/cacheinfo.c | 11 +- arch/riscv/kernel/cacheinfo.c | 42 ------ drivers/acpi/pptt.c | 93 ++++++++------ drivers/base/arch_topology.c | 12 +- drivers/base/cacheinfo.c | 156 +++++++++++++++++++---- include/linux/cacheinfo.h | 11 +- 9 files changed, 262 insertions(+), 112 deletions(-) -- 2.25.1

1 month, 1 week

1
10
0 0

FAILED: patch "[PATCH] vfs: Don't leak disconnected dentries on umount" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 56094ad3eaa21e6621396cc33811d8f72847a834 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102038-hash-smashing-4b29@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 56094ad3eaa21e6621396cc33811d8f72847a834 Mon Sep 17 00:00:00 2001 From: Jan Kara <jack(a)suse.cz> Date: Thu, 2 Oct 2025 17:55:07 +0200 Subject: [PATCH] vfs: Don't leak disconnected dentries on umount When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail to find the dentry we are trying to reconnect and instead create a new dentry under the parent. Now this dentry will not be marked as disconnected although the parent still may well be disconnected (at least in case this inconsistency happened because the fs is corrupted and .. doesn't point to the real parent directory). This creates inconsistency in disconnected flags but AFAICS it was mostly harmless. At least until commit f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon") which removed adding of most disconnected dentries to sb->s_anon list. Thus after this commit cleanup of disconnected dentries implicitely relies on the fact that dput() will immediately reclaim such dentries. However when some leaf dentry isn't marked as disconnected, as in the scenario described above, the reclaim doesn't happen and the dentries are "leaked". Memory reclaim can eventually reclaim them but otherwise they stay in memory and if umount comes first, we hit infamous "Busy inodes after unmount" bug. Make sure all dentries created under a disconnected parent are marked as disconnected as well. Reported-by: syzbot+1d79ebe5383fc016cf07(a)syzkaller.appspotmail.com Fixes: f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon") CC: stable(a)vger.kernel.org Signed-off-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Christian Brauner <brauner(a)kernel.org> diff --git a/fs/dcache.c b/fs/dcache.c index a067fa0a965a..035cccbc9276 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -2557,6 +2557,8 @@ struct dentry *d_alloc_parallel(struct dentry *parent, spin_lock(&parent->d_lock); new->d_parent = dget_dlock(parent); hlist_add_head(&new->d_sib, &parent->d_children); + if (parent->d_flags & DCACHE_DISCONNECTED) + new->d_flags |= DCACHE_DISCONNECTED; spin_unlock(&parent->d_lock); retry:

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] ixgbevf: fix mailbox API compatibility by negotiating" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x a7075f501bd33c93570af759b6f4302ef0175168 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102050-stadium-reformer-c157@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a7075f501bd33c93570af759b6f4302ef0175168 Mon Sep 17 00:00:00 2001 From: Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> Date: Thu, 9 Oct 2025 17:03:49 -0700 Subject: [PATCH] ixgbevf: fix mailbox API compatibility by negotiating supported features There was backward compatibility in the terms of mailbox API. Various drivers from various OSes supporting 10G adapters from Intel portfolio could easily negotiate mailbox API. This convention has been broken since introducing API 1.4. Commit 0062e7cc955e ("ixgbevf: add VF IPsec offload code") added support for IPSec which is specific only for the kernel ixgbe driver. None of the rest of the Intel 10G PF/VF drivers supports it. And actually lack of support was not included in the IPSec implementation - there were no such code paths. No possibility to negotiate support for the feature was introduced along with introduction of the feature itself. Commit 339f28964147 ("ixgbevf: Add support for new mailbox communication between PF and VF") increasing API version to 1.5 did the same - it introduced code supported specifically by the PF ESX driver. It altered API version for the VF driver in the same time not touching the version defined for the PF ixgbe driver. It led to additional discrepancies, as the code provided within API 1.6 cannot be supported for Linux ixgbe driver as it causes crashes. The issue was noticed some time ago and mitigated by Jake within the commit d0725312adf5 ("ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5"). As a result we have regression for IPsec support and after increasing API to version 1.6 ixgbevf driver stopped to support ESX MBX. To fix this mess add new mailbox op asking PF driver about supported features. Basing on a response determine whether to set support for IPSec and ESX-specific enhanced mailbox. New mailbox op, for compatibility purposes, must be added within new API revision, as API version of OOT PF & VF drivers is already increased to 1.6 and doesn't incorporate features negotiate op. Features negotiation mechanism gives possibility to be extended with new features when needed in the future. Reported-by: Jacob Keller <jacob.e.keller(a)intel.com> Closes: https://lore.kernel.org/intel-wired-lan/20241101-jk-ixgbevf-mailbox-v1-5-fi… Fixes: 0062e7cc955e ("ixgbevf: add VF IPsec offload code") Fixes: 339f28964147 ("ixgbevf: Add support for new mailbox communication between PF and VF") Reviewed-by: Jacob Keller <jacob.e.keller(a)intel.com> Reviewed-by: Przemek Kitszel <przemyslaw.kitszel(a)intel.com> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov(a)intel.com> Cc: stable(a)vger.kernel.org Signed-off-by: Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> Tested-by: Rafal Romanowski <rafal.romanowski(a)intel.com> Signed-off-by: Jacob Keller <jacob.e.keller(a)intel.com> Link: https://patch.msgid.link/20251009-jk-iwl-net-2025-10-01-v3-4-ef32a425b92a@i… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/drivers/net/ethernet/intel/ixgbevf/ipsec.c b/drivers/net/ethernet/intel/ixgbevf/ipsec.c index 65580b9cb06f..fce35924ff8b 100644 --- a/drivers/net/ethernet/intel/ixgbevf/ipsec.c +++ b/drivers/net/ethernet/intel/ixgbevf/ipsec.c @@ -273,6 +273,9 @@ static int ixgbevf_ipsec_add_sa(struct net_device *dev, adapter = netdev_priv(dev); ipsec = adapter->ipsec; + if (!(adapter->pf_features & IXGBEVF_PF_SUP_IPSEC)) + return -EOPNOTSUPP; + if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) { NL_SET_ERR_MSG_MOD(extack, "Unsupported protocol for IPsec offload"); return -EINVAL; @@ -405,6 +408,9 @@ static void ixgbevf_ipsec_del_sa(struct net_device *dev, adapter = netdev_priv(dev); ipsec = adapter->ipsec; + if (!(adapter->pf_features & IXGBEVF_PF_SUP_IPSEC)) + return; + if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN) { sa_idx = xs->xso.offload_handle - IXGBE_IPSEC_BASE_RX_INDEX; @@ -612,6 +618,10 @@ void ixgbevf_init_ipsec_offload(struct ixgbevf_adapter *adapter) size_t size; switch (adapter->hw.api_version) { + case ixgbe_mbox_api_17: + if (!(adapter->pf_features & IXGBEVF_PF_SUP_IPSEC)) + return; + break; case ixgbe_mbox_api_14: break; default: diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf.h b/drivers/net/ethernet/intel/ixgbevf/ixgbevf.h index 3a379e6a3a2a..039187607e98 100644 --- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf.h +++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf.h @@ -363,6 +363,13 @@ struct ixgbevf_adapter { struct ixgbe_hw hw; u16 msg_enable; + u32 pf_features; +#define IXGBEVF_PF_SUP_IPSEC BIT(0) +#define IXGBEVF_PF_SUP_ESX_MBX BIT(1) + +#define IXGBEVF_SUPPORTED_FEATURES (IXGBEVF_PF_SUP_IPSEC | \ + IXGBEVF_PF_SUP_ESX_MBX) + struct ixgbevf_hw_stats stats; unsigned long state; diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c index 92671638b428..d5ce20f47def 100644 --- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c +++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c @@ -2271,10 +2271,35 @@ static void ixgbevf_init_last_counter_stats(struct ixgbevf_adapter *adapter) adapter->stats.base_vfmprc = adapter->stats.last_vfmprc; } +/** + * ixgbevf_set_features - Set features supported by PF + * @adapter: pointer to the adapter struct + * + * Negotiate with PF supported features and then set pf_features accordingly. + */ +static void ixgbevf_set_features(struct ixgbevf_adapter *adapter) +{ + u32 *pf_features = &adapter->pf_features; + struct ixgbe_hw *hw = &adapter->hw; + int err; + + err = hw->mac.ops.negotiate_features(hw, pf_features); + if (err && err != -EOPNOTSUPP) + netdev_dbg(adapter->netdev, + "PF feature negotiation failed.\n"); + + /* Address also pre API 1.7 cases */ + if (hw->api_version == ixgbe_mbox_api_14) + *pf_features |= IXGBEVF_PF_SUP_IPSEC; + else if (hw->api_version == ixgbe_mbox_api_15) + *pf_features |= IXGBEVF_PF_SUP_ESX_MBX; +} + static void ixgbevf_negotiate_api(struct ixgbevf_adapter *adapter) { struct ixgbe_hw *hw = &adapter->hw; static const int api[] = { + ixgbe_mbox_api_17, ixgbe_mbox_api_16, ixgbe_mbox_api_15, ixgbe_mbox_api_14, @@ -2295,8 +2320,9 @@ static void ixgbevf_negotiate_api(struct ixgbevf_adapter *adapter) idx++; } - /* Following is not supported by API 1.6, it is specific for 1.5 */ - if (hw->api_version == ixgbe_mbox_api_15) { + ixgbevf_set_features(adapter); + + if (adapter->pf_features & IXGBEVF_PF_SUP_ESX_MBX) { hw->mbx.ops.init_params(hw); memcpy(&hw->mbx.ops, &ixgbevf_mbx_ops, sizeof(struct ixgbe_mbx_operations)); @@ -2654,6 +2680,7 @@ static void ixgbevf_set_num_queues(struct ixgbevf_adapter *adapter) case ixgbe_mbox_api_14: case ixgbe_mbox_api_15: case ixgbe_mbox_api_16: + case ixgbe_mbox_api_17: if (adapter->xdp_prog && hw->mac.max_tx_queues == rss) rss = rss > 3 ? 2 : 1; @@ -4649,6 +4676,7 @@ static int ixgbevf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) case ixgbe_mbox_api_14: case ixgbe_mbox_api_15: case ixgbe_mbox_api_16: + case ixgbe_mbox_api_17: netdev->max_mtu = IXGBE_MAX_JUMBO_FRAME_SIZE - (ETH_HLEN + ETH_FCS_LEN); break; diff --git a/drivers/net/ethernet/intel/ixgbevf/mbx.h b/drivers/net/ethernet/intel/ixgbevf/mbx.h index c1494fd1f67b..a8ed23ee66aa 100644 --- a/drivers/net/ethernet/intel/ixgbevf/mbx.h +++ b/drivers/net/ethernet/intel/ixgbevf/mbx.h @@ -67,6 +67,7 @@ enum ixgbe_pfvf_api_rev { ixgbe_mbox_api_14, /* API version 1.4, linux/freebsd VF driver */ ixgbe_mbox_api_15, /* API version 1.5, linux/freebsd VF driver */ ixgbe_mbox_api_16, /* API version 1.6, linux/freebsd VF driver */ + ixgbe_mbox_api_17, /* API version 1.7, linux/freebsd VF driver */ /* This value should always be last */ ixgbe_mbox_api_unknown, /* indicates that API version is not known */ }; @@ -106,6 +107,9 @@ enum ixgbe_pfvf_api_rev { /* mailbox API, version 1.6 VF requests */ #define IXGBE_VF_GET_PF_LINK_STATE 0x11 /* request PF to send link info */ +/* mailbox API, version 1.7 VF requests */ +#define IXGBE_VF_FEATURES_NEGOTIATE 0x12 /* get features supported by PF*/ + /* length of permanent address message returned from PF */ #define IXGBE_VF_PERMADDR_MSG_LEN 4 /* word in permanent address message with the current multicast type */ diff --git a/drivers/net/ethernet/intel/ixgbevf/vf.c b/drivers/net/ethernet/intel/ixgbevf/vf.c index f05246fb5a74..74d320879513 100644 --- a/drivers/net/ethernet/intel/ixgbevf/vf.c +++ b/drivers/net/ethernet/intel/ixgbevf/vf.c @@ -313,6 +313,7 @@ int ixgbevf_get_reta_locked(struct ixgbe_hw *hw, u32 *reta, int num_rx_queues) * is not supported for this device type. */ switch (hw->api_version) { + case ixgbe_mbox_api_17: case ixgbe_mbox_api_16: case ixgbe_mbox_api_15: case ixgbe_mbox_api_14: @@ -383,6 +384,7 @@ int ixgbevf_get_rss_key_locked(struct ixgbe_hw *hw, u8 *rss_key) * or if the operation is not supported for this device type. */ switch (hw->api_version) { + case ixgbe_mbox_api_17: case ixgbe_mbox_api_16: case ixgbe_mbox_api_15: case ixgbe_mbox_api_14: @@ -555,6 +557,7 @@ static s32 ixgbevf_update_xcast_mode(struct ixgbe_hw *hw, int xcast_mode) case ixgbe_mbox_api_14: case ixgbe_mbox_api_15: case ixgbe_mbox_api_16: + case ixgbe_mbox_api_17: break; default: return -EOPNOTSUPP; @@ -646,6 +649,7 @@ static int ixgbevf_get_pf_link_state(struct ixgbe_hw *hw, ixgbe_link_speed *spee switch (hw->api_version) { case ixgbe_mbox_api_16: + case ixgbe_mbox_api_17: break; default: return -EOPNOTSUPP; @@ -669,6 +673,42 @@ static int ixgbevf_get_pf_link_state(struct ixgbe_hw *hw, ixgbe_link_speed *spee return err; } +/** + * ixgbevf_negotiate_features_vf - negotiate supported features with PF driver + * @hw: pointer to the HW structure + * @pf_features: bitmask of features supported by PF + * + * Return: IXGBE_ERR_MBX in the case of mailbox error, + * -EOPNOTSUPP if the op is not supported or 0 on success. + */ +static int ixgbevf_negotiate_features_vf(struct ixgbe_hw *hw, u32 *pf_features) +{ + u32 msgbuf[2] = {}; + int err; + + switch (hw->api_version) { + case ixgbe_mbox_api_17: + break; + default: + return -EOPNOTSUPP; + } + + msgbuf[0] = IXGBE_VF_FEATURES_NEGOTIATE; + msgbuf[1] = IXGBEVF_SUPPORTED_FEATURES; + + err = ixgbevf_write_msg_read_ack(hw, msgbuf, msgbuf, + ARRAY_SIZE(msgbuf)); + + if (err || (msgbuf[0] & IXGBE_VT_MSGTYPE_FAILURE)) { + err = IXGBE_ERR_MBX; + *pf_features = 0x0; + } else { + *pf_features = msgbuf[1]; + } + + return err; +} + /** * ixgbevf_set_vfta_vf - Set/Unset VLAN filter table address * @hw: pointer to the HW structure @@ -799,6 +839,7 @@ static s32 ixgbevf_check_mac_link_vf(struct ixgbe_hw *hw, bool *link_up, bool autoneg_wait_to_complete) { + struct ixgbevf_adapter *adapter = hw->back; struct ixgbe_mbx_info *mbx = &hw->mbx; struct ixgbe_mac_info *mac = &hw->mac; s32 ret_val = 0; @@ -825,7 +866,7 @@ static s32 ixgbevf_check_mac_link_vf(struct ixgbe_hw *hw, * until we are called again and don't report an error */ if (mbx->ops.read(hw, &in_msg, 1)) { - if (hw->api_version >= ixgbe_mbox_api_15) + if (adapter->pf_features & IXGBEVF_PF_SUP_ESX_MBX) mac->get_link_status = false; goto out; } @@ -1026,6 +1067,7 @@ int ixgbevf_get_queues(struct ixgbe_hw *hw, unsigned int *num_tcs, case ixgbe_mbox_api_14: case ixgbe_mbox_api_15: case ixgbe_mbox_api_16: + case ixgbe_mbox_api_17: break; default: return 0; @@ -1080,6 +1122,7 @@ static const struct ixgbe_mac_operations ixgbevf_mac_ops = { .setup_link = ixgbevf_setup_mac_link_vf, .check_link = ixgbevf_check_mac_link_vf, .negotiate_api_version = ixgbevf_negotiate_api_version_vf, + .negotiate_features = ixgbevf_negotiate_features_vf, .set_rar = ixgbevf_set_rar_vf, .update_mc_addr_list = ixgbevf_update_mc_addr_list_vf, .update_xcast_mode = ixgbevf_update_xcast_mode, diff --git a/drivers/net/ethernet/intel/ixgbevf/vf.h b/drivers/net/ethernet/intel/ixgbevf/vf.h index 2d791bc26ae4..4f19b8900c29 100644 --- a/drivers/net/ethernet/intel/ixgbevf/vf.h +++ b/drivers/net/ethernet/intel/ixgbevf/vf.h @@ -26,6 +26,7 @@ struct ixgbe_mac_operations { s32 (*stop_adapter)(struct ixgbe_hw *); s32 (*get_bus_info)(struct ixgbe_hw *); s32 (*negotiate_api_version)(struct ixgbe_hw *hw, int api); + int (*negotiate_features)(struct ixgbe_hw *hw, u32 *pf_features); /* Link */ s32 (*setup_link)(struct ixgbe_hw *, ixgbe_link_speed, bool, bool);

1 month, 1 week

2
4
0 0

FAILED: patch "[PATCH] x86/resctrl: Fix miscount of bandwidth event when" failed to apply to 6.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.17.y git checkout FETCH_HEAD git cherry-pick -x 15292f1b4c55a3a7c940dbcb6cb8793871ed3d92 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102047-tissue-surplus-ff35@gregkh' --subject-prefix 'PATCH 6.17.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 15292f1b4c55a3a7c940dbcb6cb8793871ed3d92 Mon Sep 17 00:00:00 2001 From: Babu Moger <babu.moger(a)amd.com> Date: Fri, 10 Oct 2025 12:08:35 -0500 Subject: [PATCH] x86/resctrl: Fix miscount of bandwidth event when reactivating previously unavailable RMID Users can create as many monitoring groups as the number of RMIDs supported by the hardware. However, on AMD systems, only a limited number of RMIDs are guaranteed to be actively tracked by the hardware. RMIDs that exceed this limit are placed in an "Unavailable" state. When a bandwidth counter is read for such an RMID, the hardware sets MSR_IA32_QM_CTR.Unavailable (bit 62). When such an RMID starts being tracked again the hardware counter is reset to zero. MSR_IA32_QM_CTR.Unavailable remains set on first read after tracking re-starts and is clear on all subsequent reads as long as the RMID is tracked. resctrl miscounts the bandwidth events after an RMID transitions from the "Unavailable" state back to being tracked. This happens because when the hardware starts counting again after resetting the counter to zero, resctrl in turn compares the new count against the counter value stored from the previous time the RMID was tracked. This results in resctrl computing an event value that is either undercounting (when new counter is more than stored counter) or a mistaken overflow (when new counter is less than stored counter). Reset the stored value (arch_mbm_state::prev_msr) of MSR_IA32_QM_CTR to zero whenever the RMID is in the "Unavailable" state to ensure accurate counting after the RMID resets to zero when it starts to be tracked again. Example scenario that results in mistaken overflow ================================================== 1. The resctrl filesystem is mounted, and a task is assigned to a monitoring group. $mount -t resctrl resctrl /sys/fs/resctrl $mkdir /sys/fs/resctrl/mon_groups/test1/ $echo 1234 > /sys/fs/resctrl/mon_groups/test1/tasks $cat /sys/fs/resctrl/mon_groups/test1/mon_data/mon_L3_*/mbm_total_bytes 21323 <- Total bytes on domain 0 "Unavailable" <- Total bytes on domain 1 Task is running on domain 0. Counter on domain 1 is "Unavailable". 2. The task runs on domain 0 for a while and then moves to domain 1. The counter starts incrementing on domain 1. $cat /sys/fs/resctrl/mon_groups/test1/mon_data/mon_L3_*/mbm_total_bytes 7345357 <- Total bytes on domain 0 4545 <- Total bytes on domain 1 3. At some point, the RMID in domain 0 transitions to the "Unavailable" state because the task is no longer executing in that domain. $cat /sys/fs/resctrl/mon_groups/test1/mon_data/mon_L3_*/mbm_total_bytes "Unavailable" <- Total bytes on domain 0 434341 <- Total bytes on domain 1 4. Since the task continues to migrate between domains, it may eventually return to domain 0. $cat /sys/fs/resctrl/mon_groups/test1/mon_data/mon_L3_*/mbm_total_bytes 17592178699059 <- Overflow on domain 0 3232332 <- Total bytes on domain 1 In this case, the RMID on domain 0 transitions from "Unavailable" state to active state. The hardware sets MSR_IA32_QM_CTR.Unavailable (bit 62) when the counter is read and begins tracking the RMID counting from 0. Subsequent reads succeed but return a value smaller than the previously saved MSR value (7345357). Consequently, the resctrl's overflow logic is triggered, it compares the previous value (7345357) with the new, smaller value and incorrectly interprets this as a counter overflow, adding a large delta. In reality, this is a false positive: the counter did not overflow but was simply reset when the RMID transitioned from "Unavailable" back to active state. Here is the text from APM [1] available from [2]. "In PQOS Version 2.0 or higher, the MBM hardware will set the U bit on the first QM_CTR read when it begins tracking an RMID that it was not previously tracking. The U bit will be zero for all subsequent reads from that RMID while it is still tracked by the hardware. Therefore, a QM_CTR read with the U bit set when that RMID is in use by a processor can be considered 0 when calculating the difference with a subsequent read." [1] AMD64 Architecture Programmer's Manual Volume 2: System Programming Publication # 24593 Revision 3.41 section 19.3.3 Monitoring L3 Memory Bandwidth (MBM). [ bp: Split commit message into smaller paragraph chunks for better consumption. ] Fixes: 4d05bf71f157d ("x86/resctrl: Introduce AMD QOS feature") Signed-off-by: Babu Moger <babu.moger(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Reviewed-by: Reinette Chatre <reinette.chatre(a)intel.com> Tested-by: Reinette Chatre <reinette.chatre(a)intel.com> Cc: stable(a)vger.kernel.org # needs adjustments for <= v6.17 Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537 # [2] diff --git a/arch/x86/kernel/cpu/resctrl/monitor.c b/arch/x86/kernel/cpu/resctrl/monitor.c index c8945610d455..2cd25a0d4637 100644 --- a/arch/x86/kernel/cpu/resctrl/monitor.c +++ b/arch/x86/kernel/cpu/resctrl/monitor.c @@ -242,7 +242,9 @@ int resctrl_arch_rmid_read(struct rdt_resource *r, struct rdt_mon_domain *d, u32 unused, u32 rmid, enum resctrl_event_id eventid, u64 *val, void *ignored) { + struct rdt_hw_mon_domain *hw_dom = resctrl_to_arch_mon_dom(d); int cpu = cpumask_any(&d->hdr.cpu_mask); + struct arch_mbm_state *am; u64 msr_val; u32 prmid; int ret; @@ -251,12 +253,16 @@ int resctrl_arch_rmid_read(struct rdt_resource *r, struct rdt_mon_domain *d, prmid = logical_rmid_to_physical_rmid(cpu, rmid); ret = __rmid_read_phys(prmid, eventid, &msr_val); - if (ret) - return ret; - *val = get_corrected_val(r, d, rmid, eventid, msr_val); + if (!ret) { + *val = get_corrected_val(r, d, rmid, eventid, msr_val); + } else if (ret == -EINVAL) { + am = get_arch_mbm_state(hw_dom, rmid, eventid); + if (am) + am->prev_msr = 0; + } - return 0; + return ret; } static int __cntr_id_read(u32 cntr_id, u64 *val)

1 month, 1 week

5
8
0 0

FAILED: patch "[PATCH] x86/resctrl: Fix miscount of bandwidth event when" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 15292f1b4c55a3a7c940dbcb6cb8793871ed3d92 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102049-machine-domestic-c4b2@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 15292f1b4c55a3a7c940dbcb6cb8793871ed3d92 Mon Sep 17 00:00:00 2001 From: Babu Moger <babu.moger(a)amd.com> Date: Fri, 10 Oct 2025 12:08:35 -0500 Subject: [PATCH] x86/resctrl: Fix miscount of bandwidth event when reactivating previously unavailable RMID Users can create as many monitoring groups as the number of RMIDs supported by the hardware. However, on AMD systems, only a limited number of RMIDs are guaranteed to be actively tracked by the hardware. RMIDs that exceed this limit are placed in an "Unavailable" state. When a bandwidth counter is read for such an RMID, the hardware sets MSR_IA32_QM_CTR.Unavailable (bit 62). When such an RMID starts being tracked again the hardware counter is reset to zero. MSR_IA32_QM_CTR.Unavailable remains set on first read after tracking re-starts and is clear on all subsequent reads as long as the RMID is tracked. resctrl miscounts the bandwidth events after an RMID transitions from the "Unavailable" state back to being tracked. This happens because when the hardware starts counting again after resetting the counter to zero, resctrl in turn compares the new count against the counter value stored from the previous time the RMID was tracked. This results in resctrl computing an event value that is either undercounting (when new counter is more than stored counter) or a mistaken overflow (when new counter is less than stored counter). Reset the stored value (arch_mbm_state::prev_msr) of MSR_IA32_QM_CTR to zero whenever the RMID is in the "Unavailable" state to ensure accurate counting after the RMID resets to zero when it starts to be tracked again. Example scenario that results in mistaken overflow ================================================== 1. The resctrl filesystem is mounted, and a task is assigned to a monitoring group. $mount -t resctrl resctrl /sys/fs/resctrl $mkdir /sys/fs/resctrl/mon_groups/test1/ $echo 1234 > /sys/fs/resctrl/mon_groups/test1/tasks $cat /sys/fs/resctrl/mon_groups/test1/mon_data/mon_L3_*/mbm_total_bytes 21323 <- Total bytes on domain 0 "Unavailable" <- Total bytes on domain 1 Task is running on domain 0. Counter on domain 1 is "Unavailable". 2. The task runs on domain 0 for a while and then moves to domain 1. The counter starts incrementing on domain 1. $cat /sys/fs/resctrl/mon_groups/test1/mon_data/mon_L3_*/mbm_total_bytes 7345357 <- Total bytes on domain 0 4545 <- Total bytes on domain 1 3. At some point, the RMID in domain 0 transitions to the "Unavailable" state because the task is no longer executing in that domain. $cat /sys/fs/resctrl/mon_groups/test1/mon_data/mon_L3_*/mbm_total_bytes "Unavailable" <- Total bytes on domain 0 434341 <- Total bytes on domain 1 4. Since the task continues to migrate between domains, it may eventually return to domain 0. $cat /sys/fs/resctrl/mon_groups/test1/mon_data/mon_L3_*/mbm_total_bytes 17592178699059 <- Overflow on domain 0 3232332 <- Total bytes on domain 1 In this case, the RMID on domain 0 transitions from "Unavailable" state to active state. The hardware sets MSR_IA32_QM_CTR.Unavailable (bit 62) when the counter is read and begins tracking the RMID counting from 0. Subsequent reads succeed but return a value smaller than the previously saved MSR value (7345357). Consequently, the resctrl's overflow logic is triggered, it compares the previous value (7345357) with the new, smaller value and incorrectly interprets this as a counter overflow, adding a large delta. In reality, this is a false positive: the counter did not overflow but was simply reset when the RMID transitioned from "Unavailable" back to active state. Here is the text from APM [1] available from [2]. "In PQOS Version 2.0 or higher, the MBM hardware will set the U bit on the first QM_CTR read when it begins tracking an RMID that it was not previously tracking. The U bit will be zero for all subsequent reads from that RMID while it is still tracked by the hardware. Therefore, a QM_CTR read with the U bit set when that RMID is in use by a processor can be considered 0 when calculating the difference with a subsequent read." [1] AMD64 Architecture Programmer's Manual Volume 2: System Programming Publication # 24593 Revision 3.41 section 19.3.3 Monitoring L3 Memory Bandwidth (MBM). [ bp: Split commit message into smaller paragraph chunks for better consumption. ] Fixes: 4d05bf71f157d ("x86/resctrl: Introduce AMD QOS feature") Signed-off-by: Babu Moger <babu.moger(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Reviewed-by: Reinette Chatre <reinette.chatre(a)intel.com> Tested-by: Reinette Chatre <reinette.chatre(a)intel.com> Cc: stable(a)vger.kernel.org # needs adjustments for <= v6.17 Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537 # [2] diff --git a/arch/x86/kernel/cpu/resctrl/monitor.c b/arch/x86/kernel/cpu/resctrl/monitor.c index c8945610d455..2cd25a0d4637 100644 --- a/arch/x86/kernel/cpu/resctrl/monitor.c +++ b/arch/x86/kernel/cpu/resctrl/monitor.c @@ -242,7 +242,9 @@ int resctrl_arch_rmid_read(struct rdt_resource *r, struct rdt_mon_domain *d, u32 unused, u32 rmid, enum resctrl_event_id eventid, u64 *val, void *ignored) { + struct rdt_hw_mon_domain *hw_dom = resctrl_to_arch_mon_dom(d); int cpu = cpumask_any(&d->hdr.cpu_mask); + struct arch_mbm_state *am; u64 msr_val; u32 prmid; int ret; @@ -251,12 +253,16 @@ int resctrl_arch_rmid_read(struct rdt_resource *r, struct rdt_mon_domain *d, prmid = logical_rmid_to_physical_rmid(cpu, rmid); ret = __rmid_read_phys(prmid, eventid, &msr_val); - if (ret) - return ret; - *val = get_corrected_val(r, d, rmid, eventid, msr_val); + if (!ret) { + *val = get_corrected_val(r, d, rmid, eventid, msr_val); + } else if (ret == -EINVAL) { + am = get_arch_mbm_state(hw_dom, rmid, eventid); + if (am) + am->prev_msr = 0; + } - return 0; + return ret; } static int __cntr_id_read(u32 cntr_id, u64 *val)

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] KEYS: trusted_tpm1: Compare HMAC values in constant time" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x eed0e3d305530066b4fc5370107cff8ef1a0d229 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101624-attitude-destruct-3559@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From eed0e3d305530066b4fc5370107cff8ef1a0d229 Mon Sep 17 00:00:00 2001 From: Eric Biggers <ebiggers(a)kernel.org> Date: Sat, 9 Aug 2025 10:19:39 -0700 Subject: [PATCH] KEYS: trusted_tpm1: Compare HMAC values in constant time To prevent timing attacks, HMAC value comparison needs to be constant time. Replace the memcmp() with the correct function, crypto_memneq(). [For the Fixes commit I used the commit that introduced the memcmp(). It predates the introduction of crypto_memneq(), but it was still a bug at the time even though a helper function didn't exist yet.] Fixes: d00a1c72f7f4 ("keys: add new trusted key-type") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> Reviewed-by: Jarkko Sakkinen <jarkko(a)kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c index 89c9798d1800..e73f2c6c817a 100644 --- a/security/keys/trusted-keys/trusted_tpm1.c +++ b/security/keys/trusted-keys/trusted_tpm1.c @@ -7,6 +7,7 @@ */ #include <crypto/hash_info.h> +#include <crypto/utils.h> #include <linux/init.h> #include <linux/slab.h> #include <linux/parser.h> @@ -241,7 +242,7 @@ int TSS_checkhmac1(unsigned char *buffer, if (ret < 0) goto out; - if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE)) + if (crypto_memneq(testhmac, authdata, SHA1_DIGEST_SIZE)) ret = -EINVAL; out: kfree_sensitive(sdesc); @@ -334,7 +335,7 @@ static int TSS_checkhmac2(unsigned char *buffer, TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0); if (ret < 0) goto out; - if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { + if (crypto_memneq(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { ret = -EINVAL; goto out; } @@ -343,7 +344,7 @@ static int TSS_checkhmac2(unsigned char *buffer, TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0); if (ret < 0) goto out; - if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE)) + if (crypto_memneq(testhmac2, authdata2, SHA1_DIGEST_SIZE)) ret = -EINVAL; out: kfree_sensitive(sdesc);

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] KEYS: trusted_tpm1: Compare HMAC values in constant time" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x eed0e3d305530066b4fc5370107cff8ef1a0d229 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101623-bleep-cold-406b@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From eed0e3d305530066b4fc5370107cff8ef1a0d229 Mon Sep 17 00:00:00 2001 From: Eric Biggers <ebiggers(a)kernel.org> Date: Sat, 9 Aug 2025 10:19:39 -0700 Subject: [PATCH] KEYS: trusted_tpm1: Compare HMAC values in constant time To prevent timing attacks, HMAC value comparison needs to be constant time. Replace the memcmp() with the correct function, crypto_memneq(). [For the Fixes commit I used the commit that introduced the memcmp(). It predates the introduction of crypto_memneq(), but it was still a bug at the time even though a helper function didn't exist yet.] Fixes: d00a1c72f7f4 ("keys: add new trusted key-type") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> Reviewed-by: Jarkko Sakkinen <jarkko(a)kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c index 89c9798d1800..e73f2c6c817a 100644 --- a/security/keys/trusted-keys/trusted_tpm1.c +++ b/security/keys/trusted-keys/trusted_tpm1.c @@ -7,6 +7,7 @@ */ #include <crypto/hash_info.h> +#include <crypto/utils.h> #include <linux/init.h> #include <linux/slab.h> #include <linux/parser.h> @@ -241,7 +242,7 @@ int TSS_checkhmac1(unsigned char *buffer, if (ret < 0) goto out; - if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE)) + if (crypto_memneq(testhmac, authdata, SHA1_DIGEST_SIZE)) ret = -EINVAL; out: kfree_sensitive(sdesc); @@ -334,7 +335,7 @@ static int TSS_checkhmac2(unsigned char *buffer, TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0); if (ret < 0) goto out; - if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { + if (crypto_memneq(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { ret = -EINVAL; goto out; } @@ -343,7 +344,7 @@ static int TSS_checkhmac2(unsigned char *buffer, TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0); if (ret < 0) goto out; - if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE)) + if (crypto_memneq(testhmac2, authdata2, SHA1_DIGEST_SIZE)) ret = -EINVAL; out: kfree_sensitive(sdesc);

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] mptcp: reset blackhole on success with non-loopback ifaces" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 833d4313bc1e9e194814917d23e8874d6b651649 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101604-chamber-playhouse-5278@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 833d4313bc1e9e194814917d23e8874d6b651649 Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Thu, 18 Sep 2025 10:50:18 +0200 Subject: [PATCH] mptcp: reset blackhole on success with non-loopback ifaces When a first MPTCP connection gets successfully established after a blackhole period, 'active_disable_times' was supposed to be reset when this connection was done via any non-loopback interfaces. Unfortunately, the opposite condition was checked: only reset when the connection was established via a loopback interface. Fixing this by simply looking at the opposite. This is similar to what is done with TCP FastOpen, see tcp_fastopen_active_disable_ofo_check(). This patch is a follow-up of a previous discussion linked to commit 893c49a78d9f ("mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable()."), see [1]. Fixes: 27069e7cb3d1 ("mptcp: disable active MPTCP in case of blackhole") Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/4209a283-8822-47bd-95b7-87e96d9b7ea3@kernel.org [1] Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Reviewed-by: Simon Horman <horms(a)kernel.org> Reviewed-by: Kuniyuki Iwashima <kuniyu(a)google.com> Link: https://patch.msgid.link/20250918-net-next-mptcp-blackhole-reset-loopback-v… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/ctrl.c b/net/mptcp/ctrl.c index e8ffa62ec183..d96130e49942 100644 --- a/net/mptcp/ctrl.c +++ b/net/mptcp/ctrl.c @@ -507,7 +507,7 @@ void mptcp_active_enable(struct sock *sk) rcu_read_lock(); dst = __sk_dst_get(sk); dev = dst ? dst_dev_rcu(dst) : NULL; - if (dev && (dev->flags & IFF_LOOPBACK)) + if (!(dev && (dev->flags & IFF_LOOPBACK))) atomic_set(&pernet->active_disable_times, 0); rcu_read_unlock(); }

1 month, 1 week

3
9
0 0

FAILED: patch "[PATCH] PCI/sysfs: Ensure devices are powered for config reads" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 48991e4935078b05f80616c75d1ee2ea3ae18e58 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101636-tartar-brethren-067c@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 48991e4935078b05f80616c75d1ee2ea3ae18e58 Mon Sep 17 00:00:00 2001 From: Brian Norris <briannorris(a)google.com> Date: Wed, 24 Sep 2025 09:57:11 -0700 Subject: [PATCH] PCI/sysfs: Ensure devices are powered for config reads The "max_link_width", "current_link_speed", "current_link_width", "secondary_bus_number", and "subordinate_bus_number" sysfs files all access config registers, but they don't check the runtime PM state. If the device is in D3cold or a parent bridge is suspended, we may see -EINVAL, bogus values, or worse, depending on implementation details. Wrap these access in pci_config_pm_runtime_{get,put}() like most of the rest of the similar sysfs attributes. Notably, "max_link_speed" does not access config registers; it returns a cached value since d2bd39c0456b ("PCI: Store all PCIe Supported Link Speeds"). Fixes: 56c1af4606f0 ("PCI: Add sysfs max_link_speed/width, current_link_speed/width, etc") Signed-off-by: Brian Norris <briannorris(a)google.com> Signed-off-by: Brian Norris <briannorris(a)chromium.org> Signed-off-by: Bjorn Helgaas <bhelgaas(a)google.com> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20250924095711.v2.1.Ibb5b6ca1e2c059e04ec53140cd98a… diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index 5eea14c1f7f5..2b231ef1dac9 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -201,8 +201,14 @@ static ssize_t max_link_width_show(struct device *dev, struct device_attribute *attr, char *buf) { struct pci_dev *pdev = to_pci_dev(dev); + ssize_t ret; - return sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev)); + /* We read PCI_EXP_LNKCAP, so we need the device to be accessible. */ + pci_config_pm_runtime_get(pdev); + ret = sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev)); + pci_config_pm_runtime_put(pdev); + + return ret; } static DEVICE_ATTR_RO(max_link_width); @@ -214,7 +220,10 @@ static ssize_t current_link_speed_show(struct device *dev, int err; enum pci_bus_speed speed; + pci_config_pm_runtime_get(pci_dev); err = pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &linkstat); + pci_config_pm_runtime_put(pci_dev); + if (err) return -EINVAL; @@ -231,7 +240,10 @@ static ssize_t current_link_width_show(struct device *dev, u16 linkstat; int err; + pci_config_pm_runtime_get(pci_dev); err = pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &linkstat); + pci_config_pm_runtime_put(pci_dev); + if (err) return -EINVAL; @@ -247,7 +259,10 @@ static ssize_t secondary_bus_number_show(struct device *dev, u8 sec_bus; int err; + pci_config_pm_runtime_get(pci_dev); err = pci_read_config_byte(pci_dev, PCI_SECONDARY_BUS, &sec_bus); + pci_config_pm_runtime_put(pci_dev); + if (err) return -EINVAL; @@ -263,7 +278,10 @@ static ssize_t subordinate_bus_number_show(struct device *dev, u8 sub_bus; int err; + pci_config_pm_runtime_get(pci_dev); err = pci_read_config_byte(pci_dev, PCI_SUBORDINATE_BUS, &sub_bus); + pci_config_pm_runtime_put(pci_dev); + if (err) return -EINVAL;

1 month, 1 week

2
3
0 0

FAILED: patch "[PATCH] crypto: rockchip - Fix dma_unmap_sg() nents value" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 21140e5caf019e4a24e1ceabcaaa16bd693b393f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101647-olive-sheet-88ec@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 21140e5caf019e4a24e1ceabcaaa16bd693b393f Mon Sep 17 00:00:00 2001 From: Thomas Fourier <fourier.thomas(a)gmail.com> Date: Wed, 3 Sep 2025 10:06:46 +0200 Subject: [PATCH] crypto: rockchip - Fix dma_unmap_sg() nents value The dma_unmap_sg() functions should be called with the same nents as the dma_map_sg(), not the value the map function returned. Fixes: 57d67c6e8219 ("crypto: rockchip - rework by using crypto_engine") Cc: <stable(a)vger.kernel.org> Signed-off-by: Thomas Fourier <fourier.thomas(a)gmail.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/drivers/crypto/rockchip/rk3288_crypto_ahash.c b/drivers/crypto/rockchip/rk3288_crypto_ahash.c index d6928ebe9526..b9f5a8b42e66 100644 --- a/drivers/crypto/rockchip/rk3288_crypto_ahash.c +++ b/drivers/crypto/rockchip/rk3288_crypto_ahash.c @@ -254,7 +254,7 @@ static void rk_hash_unprepare(struct crypto_engine *engine, void *breq) struct rk_ahash_rctx *rctx = ahash_request_ctx(areq); struct rk_crypto_info *rkc = rctx->dev; - dma_unmap_sg(rkc->dev, areq->src, rctx->nrsg, DMA_TO_DEVICE); + dma_unmap_sg(rkc->dev, areq->src, sg_nents(areq->src), DMA_TO_DEVICE); } static int rk_hash_run(struct crypto_engine *engine, void *breq)

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] PCI: tegra194: Handle errors in BPMP response" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x f8c9ad46b00453a8c075453f3745f8d263f44834 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101628-deflected-bruising-7def@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f8c9ad46b00453a8c075453f3745f8d263f44834 Mon Sep 17 00:00:00 2001 From: Vidya Sagar <vidyas(a)nvidia.com> Date: Mon, 22 Sep 2025 16:08:26 +0200 Subject: [PATCH] PCI: tegra194: Handle errors in BPMP response The return value from tegra_bpmp_transfer() indicates the success or failure of the IPC transaction with BPMP. If the transaction succeeded, we also need to check the actual command's result code. If we don't have error handling for tegra_bpmp_transfer(), we will set the pcie->ep_state to EP_STATE_ENABLED even when the tegra_bpmp_transfer() command fails. Thus, the pcie->ep_state will get out of sync with reality, and any further PERST# assert + deassert will be a no-op and will not trigger the hardware initialization sequence. This is because pex_ep_event_pex_rst_deassert() checks the current pcie->ep_state, and does nothing if the current state is already EP_STATE_ENABLED. Thus, it is important to have error handling for tegra_bpmp_transfer(), such that the pcie->ep_state can not get out of sync with reality, so that we will try to initialize the hardware not only during the first PERST# assert + deassert, but also during any succeeding PERST# assert + deassert. One example where this fix is needed is when using a rock5b as host. During the initial PERST# assert + deassert (triggered by the bootloader on the rock5b) pex_ep_event_pex_rst_deassert() will get called, but for some unknown reason, the tegra_bpmp_transfer() call to initialize the PHY fails. Once Linux has been loaded on the rock5b, the PCIe driver will once again assert + deassert PERST#. However, without tegra_bpmp_transfer() error handling, this second PERST# assert + deassert will not trigger the hardware initialization sequence. With tegra_bpmp_transfer() error handling, the second PERST# assert + deassert will once again trigger the hardware to be initialized and this time the tegra_bpmp_transfer() succeeds. Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194") Signed-off-by: Vidya Sagar <vidyas(a)nvidia.com> [cassel: improve commit log] Signed-off-by: Niklas Cassel <cassel(a)kernel.org> Signed-off-by: Manivannan Sadhasivam <mani(a)kernel.org> Signed-off-by: Bjorn Helgaas <bhelgaas(a)google.com> Reviewed-by: Jon Hunter <jonathanh(a)nvidia.com> Acked-by: Thierry Reding <treding(a)nvidia.com> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20250922140822.519796-8-cassel@kernel.org diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c index 359d92dca86a..d71053fa4365 100644 --- a/drivers/pci/controller/dwc/pcie-tegra194.c +++ b/drivers/pci/controller/dwc/pcie-tegra194.c @@ -1214,6 +1214,7 @@ static int tegra_pcie_bpmp_set_ctrl_state(struct tegra_pcie_dw *pcie, struct mrq_uphy_response resp; struct tegra_bpmp_message msg; struct mrq_uphy_request req; + int err; /* * Controller-5 doesn't need to have its state set by BPMP-FW in @@ -1236,7 +1237,13 @@ static int tegra_pcie_bpmp_set_ctrl_state(struct tegra_pcie_dw *pcie, msg.rx.data = &resp; msg.rx.size = sizeof(resp); - return tegra_bpmp_transfer(pcie->bpmp, &msg); + err = tegra_bpmp_transfer(pcie->bpmp, &msg); + if (err) + return err; + if (msg.rx.ret) + return -EINVAL; + + return 0; } static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie, @@ -1245,6 +1252,7 @@ static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie, struct mrq_uphy_response resp; struct tegra_bpmp_message msg; struct mrq_uphy_request req; + int err; memset(&req, 0, sizeof(req)); memset(&resp, 0, sizeof(resp)); @@ -1264,7 +1272,13 @@ static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie, msg.rx.data = &resp; msg.rx.size = sizeof(resp); - return tegra_bpmp_transfer(pcie->bpmp, &msg); + err = tegra_bpmp_transfer(pcie->bpmp, &msg); + if (err) + return err; + if (msg.rx.ret) + return -EINVAL; + + return 0; } static void tegra_pcie_downstream_dev_to_D0(struct tegra_pcie_dw *pcie)

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] PCI: tegra194: Handle errors in BPMP response" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x f8c9ad46b00453a8c075453f3745f8d263f44834 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101627-backwash-capably-abbe@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f8c9ad46b00453a8c075453f3745f8d263f44834 Mon Sep 17 00:00:00 2001 From: Vidya Sagar <vidyas(a)nvidia.com> Date: Mon, 22 Sep 2025 16:08:26 +0200 Subject: [PATCH] PCI: tegra194: Handle errors in BPMP response The return value from tegra_bpmp_transfer() indicates the success or failure of the IPC transaction with BPMP. If the transaction succeeded, we also need to check the actual command's result code. If we don't have error handling for tegra_bpmp_transfer(), we will set the pcie->ep_state to EP_STATE_ENABLED even when the tegra_bpmp_transfer() command fails. Thus, the pcie->ep_state will get out of sync with reality, and any further PERST# assert + deassert will be a no-op and will not trigger the hardware initialization sequence. This is because pex_ep_event_pex_rst_deassert() checks the current pcie->ep_state, and does nothing if the current state is already EP_STATE_ENABLED. Thus, it is important to have error handling for tegra_bpmp_transfer(), such that the pcie->ep_state can not get out of sync with reality, so that we will try to initialize the hardware not only during the first PERST# assert + deassert, but also during any succeeding PERST# assert + deassert. One example where this fix is needed is when using a rock5b as host. During the initial PERST# assert + deassert (triggered by the bootloader on the rock5b) pex_ep_event_pex_rst_deassert() will get called, but for some unknown reason, the tegra_bpmp_transfer() call to initialize the PHY fails. Once Linux has been loaded on the rock5b, the PCIe driver will once again assert + deassert PERST#. However, without tegra_bpmp_transfer() error handling, this second PERST# assert + deassert will not trigger the hardware initialization sequence. With tegra_bpmp_transfer() error handling, the second PERST# assert + deassert will once again trigger the hardware to be initialized and this time the tegra_bpmp_transfer() succeeds. Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194") Signed-off-by: Vidya Sagar <vidyas(a)nvidia.com> [cassel: improve commit log] Signed-off-by: Niklas Cassel <cassel(a)kernel.org> Signed-off-by: Manivannan Sadhasivam <mani(a)kernel.org> Signed-off-by: Bjorn Helgaas <bhelgaas(a)google.com> Reviewed-by: Jon Hunter <jonathanh(a)nvidia.com> Acked-by: Thierry Reding <treding(a)nvidia.com> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20250922140822.519796-8-cassel@kernel.org diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c index 359d92dca86a..d71053fa4365 100644 --- a/drivers/pci/controller/dwc/pcie-tegra194.c +++ b/drivers/pci/controller/dwc/pcie-tegra194.c @@ -1214,6 +1214,7 @@ static int tegra_pcie_bpmp_set_ctrl_state(struct tegra_pcie_dw *pcie, struct mrq_uphy_response resp; struct tegra_bpmp_message msg; struct mrq_uphy_request req; + int err; /* * Controller-5 doesn't need to have its state set by BPMP-FW in @@ -1236,7 +1237,13 @@ static int tegra_pcie_bpmp_set_ctrl_state(struct tegra_pcie_dw *pcie, msg.rx.data = &resp; msg.rx.size = sizeof(resp); - return tegra_bpmp_transfer(pcie->bpmp, &msg); + err = tegra_bpmp_transfer(pcie->bpmp, &msg); + if (err) + return err; + if (msg.rx.ret) + return -EINVAL; + + return 0; } static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie, @@ -1245,6 +1252,7 @@ static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie, struct mrq_uphy_response resp; struct tegra_bpmp_message msg; struct mrq_uphy_request req; + int err; memset(&req, 0, sizeof(req)); memset(&resp, 0, sizeof(resp)); @@ -1264,7 +1272,13 @@ static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie, msg.rx.data = &resp; msg.rx.size = sizeof(resp); - return tegra_bpmp_transfer(pcie->bpmp, &msg); + err = tegra_bpmp_transfer(pcie->bpmp, &msg); + if (err) + return err; + if (msg.rx.ret) + return -EINVAL; + + return 0; } static void tegra_pcie_downstream_dev_to_D0(struct tegra_pcie_dw *pcie)

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] usb: gadget: f_ncm: Refactor bind path to use __free()" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 75a5b8d4ddd4eb6b16cb0b475d14ff4ae64295ef # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101658-ajar-suggest-f20a@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 75a5b8d4ddd4eb6b16cb0b475d14ff4ae64295ef Mon Sep 17 00:00:00 2001 From: Kuen-Han Tsai <khtsai(a)google.com> Date: Tue, 16 Sep 2025 16:21:34 +0800 Subject: [PATCH] usb: gadget: f_ncm: Refactor bind path to use __free() After an bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace: usb_ep_free_request+0x2c/0xec ncm_bind+0x39c/0x3dc usb_add_function+0xcc/0x1f0 configfs_composite_bind+0x468/0x588 gadget_bind_driver+0x104/0x270 really_probe+0x190/0x374 __driver_probe_device+0xa0/0x12c driver_probe_device+0x3c/0x218 __device_attach_driver+0x14c/0x188 bus_for_each_drv+0x10c/0x168 __device_attach+0xfc/0x198 device_initial_probe+0x14/0x24 bus_probe_device+0x94/0x11c device_add+0x268/0x48c usb_add_gadget+0x198/0x28c dwc3_gadget_init+0x700/0x858 __dwc3_set_mode+0x3cc/0x664 process_scheduled_works+0x1d8/0x488 worker_thread+0x244/0x334 kthread+0x114/0x1bc ret_from_fork+0x10/0x20 Fixes: 9f6ce4240a2b ("usb: gadget: f_ncm.c added") Cc: stable(a)kernel.org Signed-off-by: Kuen-Han Tsai <khtsai(a)google.com> Link: https://lore.kernel.org/r/20250916-ready-v1-3-4997bf277548@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Link: https://lore.kernel.org/r/20250916-ready-v1-3-4997bf277548@google.com diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c index 58b0dd575af3..0148d60926dc 100644 --- a/drivers/usb/gadget/function/f_ncm.c +++ b/drivers/usb/gadget/function/f_ncm.c @@ -11,6 +11,7 @@ * Copyright (C) 2008 Nokia Corporation */ +#include <linux/cleanup.h> #include <linux/kernel.h> #include <linux/interrupt.h> #include <linux/module.h> @@ -20,6 +21,7 @@ #include <linux/string_choices.h> #include <linux/usb/cdc.h> +#include <linux/usb/gadget.h> #include "u_ether.h" #include "u_ether_configfs.h" @@ -1436,18 +1438,18 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f) struct usb_ep *ep; struct f_ncm_opts *ncm_opts; + struct usb_os_desc_table *os_desc_table __free(kfree) = NULL; + struct usb_request *request __free(free_usb_request) = NULL; + if (!can_support_ecm(cdev->gadget)) return -EINVAL; ncm_opts = container_of(f->fi, struct f_ncm_opts, func_inst); if (cdev->use_os_string) { - f->os_desc_table = kzalloc(sizeof(*f->os_desc_table), - GFP_KERNEL); - if (!f->os_desc_table) + os_desc_table = kzalloc(sizeof(*os_desc_table), GFP_KERNEL); + if (!os_desc_table) return -ENOMEM; - f->os_desc_n = 1; - f->os_desc_table[0].os_desc = &ncm_opts->ncm_os_desc; } mutex_lock(&ncm_opts->lock); @@ -1459,16 +1461,15 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f) mutex_unlock(&ncm_opts->lock); if (status) - goto fail; + return status; ncm_opts->bound = true; us = usb_gstrings_attach(cdev, ncm_strings, ARRAY_SIZE(ncm_string_defs)); - if (IS_ERR(us)) { - status = PTR_ERR(us); - goto fail; - } + if (IS_ERR(us)) + return PTR_ERR(us); + ncm_control_intf.iInterface = us[STRING_CTRL_IDX].id; ncm_data_nop_intf.iInterface = us[STRING_DATA_IDX].id; ncm_data_intf.iInterface = us[STRING_DATA_IDX].id; @@ -1478,20 +1479,16 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f) /* allocate instance-specific interface IDs */ status = usb_interface_id(c, f); if (status < 0) - goto fail; + return status; ncm->ctrl_id = status; ncm_iad_desc.bFirstInterface = status; ncm_control_intf.bInterfaceNumber = status; ncm_union_desc.bMasterInterface0 = status; - if (cdev->use_os_string) - f->os_desc_table[0].if_id = - ncm_iad_desc.bFirstInterface; - status = usb_interface_id(c, f); if (status < 0) - goto fail; + return status; ncm->data_id = status; ncm_data_nop_intf.bInterfaceNumber = status; @@ -1500,35 +1497,31 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f) ecm_desc.wMaxSegmentSize = cpu_to_le16(ncm_opts->max_segment_size); - status = -ENODEV; - /* allocate instance-specific endpoints */ ep = usb_ep_autoconfig(cdev->gadget, &fs_ncm_in_desc); if (!ep) - goto fail; + return -ENODEV; ncm->port.in_ep = ep; ep = usb_ep_autoconfig(cdev->gadget, &fs_ncm_out_desc); if (!ep) - goto fail; + return -ENODEV; ncm->port.out_ep = ep; ep = usb_ep_autoconfig(cdev->gadget, &fs_ncm_notify_desc); if (!ep) - goto fail; + return -ENODEV; ncm->notify = ep; - status = -ENOMEM; - /* allocate notification request and buffer */ - ncm->notify_req = usb_ep_alloc_request(ep, GFP_KERNEL); - if (!ncm->notify_req) - goto fail; - ncm->notify_req->buf = kmalloc(NCM_STATUS_BYTECOUNT, GFP_KERNEL); - if (!ncm->notify_req->buf) - goto fail; - ncm->notify_req->context = ncm; - ncm->notify_req->complete = ncm_notify_complete; + request = usb_ep_alloc_request(ep, GFP_KERNEL); + if (!request) + return -ENOMEM; + request->buf = kmalloc(NCM_STATUS_BYTECOUNT, GFP_KERNEL); + if (!request->buf) + return -ENOMEM; + request->context = ncm; + request->complete = ncm_notify_complete; /* * support all relevant hardware speeds... we expect that when @@ -1548,7 +1541,7 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f) status = usb_assign_descriptors(f, ncm_fs_function, ncm_hs_function, ncm_ss_function, ncm_ss_function); if (status) - goto fail; + return status; /* * NOTE: all that is done without knowing or caring about @@ -1561,23 +1554,18 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f) hrtimer_setup(&ncm->task_timer, ncm_tx_timeout, CLOCK_MONOTONIC, HRTIMER_MODE_REL_SOFT); + if (cdev->use_os_string) { + os_desc_table[0].os_desc = &ncm_opts->ncm_os_desc; + os_desc_table[0].if_id = ncm_iad_desc.bFirstInterface; + f->os_desc_table = no_free_ptr(os_desc_table); + f->os_desc_n = 1; + } + ncm->notify_req = no_free_ptr(request); + DBG(cdev, "CDC Network: IN/%s OUT/%s NOTIFY/%s\n", ncm->port.in_ep->name, ncm->port.out_ep->name, ncm->notify->name); return 0; - -fail: - kfree(f->os_desc_table); - f->os_desc_n = 0; - - if (ncm->notify_req) { - kfree(ncm->notify_req->buf); - usb_ep_free_request(ncm->notify, ncm->notify_req); - } - - ERROR(cdev, "%s: can't bind, err %d\n", f->name, status); - - return status; } static inline struct f_ncm_opts *to_f_ncm_opts(struct config_item *item)

1 month, 1 week

2
3
0 0

FAILED: patch "[PATCH] usb: gadget: f_acm: Refactor bind path to use __free()" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 47b2116e54b4a854600341487e8b55249e926324 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101616-unhappily-flatware-0bd2@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 47b2116e54b4a854600341487e8b55249e926324 Mon Sep 17 00:00:00 2001 From: Kuen-Han Tsai <khtsai(a)google.com> Date: Tue, 16 Sep 2025 16:21:35 +0800 Subject: [PATCH] usb: gadget: f_acm: Refactor bind path to use __free() After an bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace: usb_ep_free_request+0x2c/0xec gs_free_req+0x30/0x44 acm_bind+0x1b8/0x1f4 usb_add_function+0xcc/0x1f0 configfs_composite_bind+0x468/0x588 gadget_bind_driver+0x104/0x270 really_probe+0x190/0x374 __driver_probe_device+0xa0/0x12c driver_probe_device+0x3c/0x218 __device_attach_driver+0x14c/0x188 bus_for_each_drv+0x10c/0x168 __device_attach+0xfc/0x198 device_initial_probe+0x14/0x24 bus_probe_device+0x94/0x11c device_add+0x268/0x48c usb_add_gadget+0x198/0x28c dwc3_gadget_init+0x700/0x858 __dwc3_set_mode+0x3cc/0x664 process_scheduled_works+0x1d8/0x488 worker_thread+0x244/0x334 kthread+0x114/0x1bc ret_from_fork+0x10/0x20 Fixes: 1f1ba11b6494 ("usb gadget: issue notifications from ACM function") Cc: stable(a)kernel.org Signed-off-by: Kuen-Han Tsai <khtsai(a)google.com> Link: https://lore.kernel.org/r/20250916-ready-v1-4-4997bf277548@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Link: https://lore.kernel.org/r/20250916-ready-v1-4-4997bf277548@google.com diff --git a/drivers/usb/gadget/function/f_acm.c b/drivers/usb/gadget/function/f_acm.c index 7061720b9732..106046e17c4e 100644 --- a/drivers/usb/gadget/function/f_acm.c +++ b/drivers/usb/gadget/function/f_acm.c @@ -11,12 +11,15 @@ /* #define VERBOSE_DEBUG */ +#include <linux/cleanup.h> #include <linux/slab.h> #include <linux/kernel.h> #include <linux/module.h> #include <linux/device.h> #include <linux/err.h> +#include <linux/usb/gadget.h> + #include "u_serial.h" @@ -613,6 +616,7 @@ acm_bind(struct usb_configuration *c, struct usb_function *f) struct usb_string *us; int status; struct usb_ep *ep; + struct usb_request *request __free(free_usb_request) = NULL; /* REVISIT might want instance-specific strings to help * distinguish instances ... @@ -630,7 +634,7 @@ acm_bind(struct usb_configuration *c, struct usb_function *f) /* allocate instance-specific interface IDs, and patch descriptors */ status = usb_interface_id(c, f); if (status < 0) - goto fail; + return status; acm->ctrl_id = status; acm_iad_descriptor.bFirstInterface = status; @@ -639,43 +643,41 @@ acm_bind(struct usb_configuration *c, struct usb_function *f) status = usb_interface_id(c, f); if (status < 0) - goto fail; + return status; acm->data_id = status; acm_data_interface_desc.bInterfaceNumber = status; acm_union_desc.bSlaveInterface0 = status; acm_call_mgmt_descriptor.bDataInterface = status; - status = -ENODEV; - /* allocate instance-specific endpoints */ ep = usb_ep_autoconfig(cdev->gadget, &acm_fs_in_desc); if (!ep) - goto fail; + return -ENODEV; acm->port.in = ep; ep = usb_ep_autoconfig(cdev->gadget, &acm_fs_out_desc); if (!ep) - goto fail; + return -ENODEV; acm->port.out = ep; ep = usb_ep_autoconfig(cdev->gadget, &acm_fs_notify_desc); if (!ep) - goto fail; + return -ENODEV; acm->notify = ep; acm_iad_descriptor.bFunctionProtocol = acm->bInterfaceProtocol; acm_control_interface_desc.bInterfaceProtocol = acm->bInterfaceProtocol; /* allocate notification */ - acm->notify_req = gs_alloc_req(ep, - sizeof(struct usb_cdc_notification) + 2, - GFP_KERNEL); - if (!acm->notify_req) - goto fail; + request = gs_alloc_req(ep, + sizeof(struct usb_cdc_notification) + 2, + GFP_KERNEL); + if (!request) + return -ENODEV; - acm->notify_req->complete = acm_cdc_notify_complete; - acm->notify_req->context = acm; + request->complete = acm_cdc_notify_complete; + request->context = acm; /* support all relevant hardware speeds... we expect that when * hardware is dual speed, all bulk-capable endpoints work at @@ -692,7 +694,9 @@ acm_bind(struct usb_configuration *c, struct usb_function *f) status = usb_assign_descriptors(f, acm_fs_function, acm_hs_function, acm_ss_function, acm_ss_function); if (status) - goto fail; + return status; + + acm->notify_req = no_free_ptr(request); dev_dbg(&cdev->gadget->dev, "acm ttyGS%d: IN/%s OUT/%s NOTIFY/%s\n", @@ -700,14 +704,6 @@ acm_bind(struct usb_configuration *c, struct usb_function *f) acm->port.in->name, acm->port.out->name, acm->notify->name); return 0; - -fail: - if (acm->notify_req) - gs_free_req(acm->notify, acm->notify_req); - - ERROR(cdev, "%s/%p: can't bind, err %d\n", f->name, f, status); - - return status; } static void acm_unbind(struct usb_configuration *c, struct usb_function *f)

1 month, 1 week

2
3
0 0

FAILED: patch "[PATCH] wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 32be3ca4cf78b309dfe7ba52fe2d7cc3c23c5634 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101626-library-underfoot-da02@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 32be3ca4cf78b309dfe7ba52fe2d7cc3c23c5634 Mon Sep 17 00:00:00 2001 From: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Date: Tue, 22 Jul 2025 10:31:21 +0500 Subject: [PATCH] wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again Don't deinitialize and reinitialize the HAL helpers. The dma memory is deallocated and there is high possibility that we'll not be able to get the same memory allocated from dma when there is high memory pressure. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.6 Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Cc: stable(a)vger.kernel.org Cc: Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> Reviewed-by: Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> Signed-off-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Link: https://patch.msgid.link/20250722053121.1145001-1-usama.anjum@collabora.com Signed-off-by: Jeff Johnson <jeff.johnson(a)oss.qualcomm.com> diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c index d49353b6b2e7..2810752260f2 100644 --- a/drivers/net/wireless/ath/ath11k/core.c +++ b/drivers/net/wireless/ath/ath11k/core.c @@ -2215,14 +2215,10 @@ static int ath11k_core_reconfigure_on_crash(struct ath11k_base *ab) mutex_unlock(&ab->core_lock); ath11k_dp_free(ab); - ath11k_hal_srng_deinit(ab); + ath11k_hal_srng_clear(ab); ab->free_vdev_map = (1LL << (ab->num_radios * TARGET_NUM_VDEVS(ab))) - 1; - ret = ath11k_hal_srng_init(ab); - if (ret) - return ret; - clear_bit(ATH11K_FLAG_CRASH_FLUSH, &ab->dev_flags); ret = ath11k_core_qmi_firmware_ready(ab); diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c index 0c3ce7509ab8..0c797b8d0a27 100644 --- a/drivers/net/wireless/ath/ath11k/hal.c +++ b/drivers/net/wireless/ath/ath11k/hal.c @@ -1386,6 +1386,22 @@ void ath11k_hal_srng_deinit(struct ath11k_base *ab) } EXPORT_SYMBOL(ath11k_hal_srng_deinit); +void ath11k_hal_srng_clear(struct ath11k_base *ab) +{ + /* No need to memset rdp and wrp memory since each individual + * segment would get cleared in ath11k_hal_srng_src_hw_init() + * and ath11k_hal_srng_dst_hw_init(). + */ + memset(ab->hal.srng_list, 0, + sizeof(ab->hal.srng_list)); + memset(ab->hal.shadow_reg_addr, 0, + sizeof(ab->hal.shadow_reg_addr)); + ab->hal.avail_blk_resource = 0; + ab->hal.current_blk_index = 0; + ab->hal.num_shadow_reg_configured = 0; +} +EXPORT_SYMBOL(ath11k_hal_srng_clear); + void ath11k_hal_dump_srng_stats(struct ath11k_base *ab) { struct hal_srng *srng; diff --git a/drivers/net/wireless/ath/ath11k/hal.h b/drivers/net/wireless/ath/ath11k/hal.h index 601542410c75..839095af9267 100644 --- a/drivers/net/wireless/ath/ath11k/hal.h +++ b/drivers/net/wireless/ath/ath11k/hal.h @@ -965,6 +965,7 @@ int ath11k_hal_srng_setup(struct ath11k_base *ab, enum hal_ring_type type, struct hal_srng_params *params); int ath11k_hal_srng_init(struct ath11k_base *ath11k); void ath11k_hal_srng_deinit(struct ath11k_base *ath11k); +void ath11k_hal_srng_clear(struct ath11k_base *ab); void ath11k_hal_dump_srng_stats(struct ath11k_base *ab); void ath11k_hal_srng_get_shadow_config(struct ath11k_base *ab, u32 **cfg, u32 *len);

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 32be3ca4cf78b309dfe7ba52fe2d7cc3c23c5634 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101625-phonebook-salt-0964@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 32be3ca4cf78b309dfe7ba52fe2d7cc3c23c5634 Mon Sep 17 00:00:00 2001 From: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Date: Tue, 22 Jul 2025 10:31:21 +0500 Subject: [PATCH] wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again Don't deinitialize and reinitialize the HAL helpers. The dma memory is deallocated and there is high possibility that we'll not be able to get the same memory allocated from dma when there is high memory pressure. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.6 Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Cc: stable(a)vger.kernel.org Cc: Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> Reviewed-by: Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> Signed-off-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Link: https://patch.msgid.link/20250722053121.1145001-1-usama.anjum@collabora.com Signed-off-by: Jeff Johnson <jeff.johnson(a)oss.qualcomm.com> diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c index d49353b6b2e7..2810752260f2 100644 --- a/drivers/net/wireless/ath/ath11k/core.c +++ b/drivers/net/wireless/ath/ath11k/core.c @@ -2215,14 +2215,10 @@ static int ath11k_core_reconfigure_on_crash(struct ath11k_base *ab) mutex_unlock(&ab->core_lock); ath11k_dp_free(ab); - ath11k_hal_srng_deinit(ab); + ath11k_hal_srng_clear(ab); ab->free_vdev_map = (1LL << (ab->num_radios * TARGET_NUM_VDEVS(ab))) - 1; - ret = ath11k_hal_srng_init(ab); - if (ret) - return ret; - clear_bit(ATH11K_FLAG_CRASH_FLUSH, &ab->dev_flags); ret = ath11k_core_qmi_firmware_ready(ab); diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c index 0c3ce7509ab8..0c797b8d0a27 100644 --- a/drivers/net/wireless/ath/ath11k/hal.c +++ b/drivers/net/wireless/ath/ath11k/hal.c @@ -1386,6 +1386,22 @@ void ath11k_hal_srng_deinit(struct ath11k_base *ab) } EXPORT_SYMBOL(ath11k_hal_srng_deinit); +void ath11k_hal_srng_clear(struct ath11k_base *ab) +{ + /* No need to memset rdp and wrp memory since each individual + * segment would get cleared in ath11k_hal_srng_src_hw_init() + * and ath11k_hal_srng_dst_hw_init(). + */ + memset(ab->hal.srng_list, 0, + sizeof(ab->hal.srng_list)); + memset(ab->hal.shadow_reg_addr, 0, + sizeof(ab->hal.shadow_reg_addr)); + ab->hal.avail_blk_resource = 0; + ab->hal.current_blk_index = 0; + ab->hal.num_shadow_reg_configured = 0; +} +EXPORT_SYMBOL(ath11k_hal_srng_clear); + void ath11k_hal_dump_srng_stats(struct ath11k_base *ab) { struct hal_srng *srng; diff --git a/drivers/net/wireless/ath/ath11k/hal.h b/drivers/net/wireless/ath/ath11k/hal.h index 601542410c75..839095af9267 100644 --- a/drivers/net/wireless/ath/ath11k/hal.h +++ b/drivers/net/wireless/ath/ath11k/hal.h @@ -965,6 +965,7 @@ int ath11k_hal_srng_setup(struct ath11k_base *ab, enum hal_ring_type type, struct hal_srng_params *params); int ath11k_hal_srng_init(struct ath11k_base *ath11k); void ath11k_hal_srng_deinit(struct ath11k_base *ath11k); +void ath11k_hal_srng_clear(struct ath11k_base *ab); void ath11k_hal_dump_srng_stats(struct ath11k_base *ab); void ath11k_hal_srng_get_shadow_config(struct ath11k_base *ab, u32 **cfg, u32 *len);

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] fs: quota: create dedicated workqueue for quota_release_work" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 72b7ceca857f38a8ca7c5629feffc63769638974 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101650-tighten-fleshed-6fe0@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 72b7ceca857f38a8ca7c5629feffc63769638974 Mon Sep 17 00:00:00 2001 From: Shashank A P <shashank.ap(a)samsung.com> Date: Mon, 1 Sep 2025 14:59:00 +0530 Subject: [PATCH] fs: quota: create dedicated workqueue for quota_release_work There is a kernel panic due to WARN_ONCE when panic_on_warn is set. This issue occurs when writeback is triggered due to sync call for an opened file(ie, writeback reason is WB_REASON_SYNC). When f2fs balance is needed at sync path, flush for quota_release_work is triggered. By default quota_release_work is queued to "events_unbound" queue which does not have WQ_MEM_RECLAIM flag. During f2fs balance "writeback" workqueue tries to flush quota_release_work causing kernel panic due to MEM_RECLAIM flag mismatch errors. This patch creates dedicated workqueue with WQ_MEM_RECLAIM flag for work quota_release_work. ------------[ cut here ]------------ WARNING: CPU: 4 PID: 14867 at kernel/workqueue.c:3721 check_flush_dependency+0x13c/0x148 Call trace: check_flush_dependency+0x13c/0x148 __flush_work+0xd0/0x398 flush_delayed_work+0x44/0x5c dquot_writeback_dquots+0x54/0x318 f2fs_do_quota_sync+0xb8/0x1a8 f2fs_write_checkpoint+0x3cc/0x99c f2fs_gc+0x190/0x750 f2fs_balance_fs+0x110/0x168 f2fs_write_single_data_page+0x474/0x7dc f2fs_write_data_pages+0x7d0/0xd0c do_writepages+0xe0/0x2f4 __writeback_single_inode+0x44/0x4ac writeback_sb_inodes+0x30c/0x538 wb_writeback+0xf4/0x440 wb_workfn+0x128/0x5d4 process_scheduled_works+0x1c4/0x45c worker_thread+0x32c/0x3e8 kthread+0x11c/0x1b0 ret_from_fork+0x10/0x20 Kernel panic - not syncing: kernel: panic_on_warn set ... Fixes: ac6f420291b3 ("quota: flush quota_release_work upon quota writeback") CC: stable(a)vger.kernel.org Signed-off-by: Shashank A P <shashank.ap(a)samsung.com> Link: https://patch.msgid.link/20250901092905.2115-1-shashank.ap@samsung.com Signed-off-by: Jan Kara <jack(a)suse.cz> diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c index df4a9b348769..6c4a6ee1fa2b 100644 --- a/fs/quota/dquot.c +++ b/fs/quota/dquot.c @@ -162,6 +162,9 @@ static struct quota_module_name module_names[] = INIT_QUOTA_MODULE_NAMES; /* SLAB cache for dquot structures */ static struct kmem_cache *dquot_cachep; +/* workqueue for work quota_release_work*/ +static struct workqueue_struct *quota_unbound_wq; + void register_quota_format(struct quota_format_type *fmt) { spin_lock(&dq_list_lock); @@ -881,7 +884,7 @@ void dqput(struct dquot *dquot) put_releasing_dquots(dquot); atomic_dec(&dquot->dq_count); spin_unlock(&dq_list_lock); - queue_delayed_work(system_unbound_wq, &quota_release_work, 1); + queue_delayed_work(quota_unbound_wq, &quota_release_work, 1); } EXPORT_SYMBOL(dqput); @@ -3041,6 +3044,11 @@ static int __init dquot_init(void) shrinker_register(dqcache_shrinker); + quota_unbound_wq = alloc_workqueue("quota_events_unbound", + WQ_UNBOUND | WQ_MEM_RECLAIM, WQ_MAX_ACTIVE); + if (!quota_unbound_wq) + panic("Cannot create quota_unbound_wq\n"); + return 0; } fs_initcall(dquot_init);

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] PCI: j721e: Fix programming sequence of "strap" settings" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x f842d3313ba179d4005096357289c7ad09cec575 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101617-matching-native-d141@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f842d3313ba179d4005096357289c7ad09cec575 Mon Sep 17 00:00:00 2001 From: Siddharth Vadapalli <s-vadapalli(a)ti.com> Date: Mon, 8 Sep 2025 17:38:27 +0530 Subject: [PATCH] PCI: j721e: Fix programming sequence of "strap" settings The Cadence PCIe Controller integrated in the TI K3 SoCs supports both Root-Complex and Endpoint modes of operation. The Glue Layer allows "strapping" the Mode of operation of the Controller, the Link Speed and the Link Width. This is enabled by programming the "PCIEn_CTRL" register (n corresponds to the PCIe instance) within the CTRL_MMR memory-mapped register space. The "reset-values" of the registers are also different depending on the mode of operation. Since the PCIe Controller latches onto the "reset-values" immediately after being powered on, if the Glue Layer configuration is not done while the PCIe Controller is off, it will result in the PCIe Controller latching onto the wrong "reset-values". In practice, this will show up as a wrong representation of the PCIe Controller's capability structures in the PCIe Configuration Space. Some such capabilities which are supported by the PCIe Controller in the Root-Complex mode but are incorrectly latched onto as being unsupported are: - Link Bandwidth Notification - Alternate Routing ID (ARI) Forwarding Support - Next capability offset within Advanced Error Reporting (AER) capability Fix this by powering off the PCIe Controller before programming the "strap" settings and powering it on after that. The runtime PM APIs namely pm_runtime_put_sync() and pm_runtime_get_sync() will decrement and increment the usage counter respectively, causing GENPD to power off and power on the PCIe Controller. Fixes: f3e25911a430 ("PCI: j721e: Add TI J721E PCIe driver") Signed-off-by: Siddharth Vadapalli <s-vadapalli(a)ti.com> Signed-off-by: Manivannan Sadhasivam <mani(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20250908120828.1471776-1-s-vadapalli@ti.com diff --git a/drivers/pci/controller/cadence/pci-j721e.c b/drivers/pci/controller/cadence/pci-j721e.c index cfca13a4c840..5a9ae33e2b93 100644 --- a/drivers/pci/controller/cadence/pci-j721e.c +++ b/drivers/pci/controller/cadence/pci-j721e.c @@ -284,6 +284,25 @@ static int j721e_pcie_ctrl_init(struct j721e_pcie *pcie) if (!ret) offset = args.args[0]; + /* + * The PCIe Controller's registers have different "reset-values" + * depending on the "strap" settings programmed into the PCIEn_CTRL + * register within the CTRL_MMR memory-mapped register space. + * The registers latch onto a "reset-value" based on the "strap" + * settings sampled after the PCIe Controller is powered on. + * To ensure that the "reset-values" are sampled accurately, power + * off the PCIe Controller before programming the "strap" settings + * and power it on after that. The runtime PM APIs namely + * pm_runtime_put_sync() and pm_runtime_get_sync() will decrement and + * increment the usage counter respectively, causing GENPD to power off + * and power on the PCIe Controller. + */ + ret = pm_runtime_put_sync(dev); + if (ret < 0) { + dev_err(dev, "Failed to power off PCIe Controller\n"); + return ret; + } + ret = j721e_pcie_set_mode(pcie, syscon, offset); if (ret < 0) { dev_err(dev, "Failed to set pci mode\n"); @@ -302,6 +321,12 @@ static int j721e_pcie_ctrl_init(struct j721e_pcie *pcie) return ret; } + ret = pm_runtime_get_sync(dev); + if (ret < 0) { + dev_err(dev, "Failed to power on PCIe Controller\n"); + return ret; + } + /* Enable ACSPCIE refclk output if the optional property exists */ syscon = syscon_regmap_lookup_by_phandle_optional(node, "ti,syscon-acspcie-proxy-ctrl");

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] PCI: j721e: Fix programming sequence of "strap" settings" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x f842d3313ba179d4005096357289c7ad09cec575 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101616-unopposed-carat-7cf4@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f842d3313ba179d4005096357289c7ad09cec575 Mon Sep 17 00:00:00 2001 From: Siddharth Vadapalli <s-vadapalli(a)ti.com> Date: Mon, 8 Sep 2025 17:38:27 +0530 Subject: [PATCH] PCI: j721e: Fix programming sequence of "strap" settings The Cadence PCIe Controller integrated in the TI K3 SoCs supports both Root-Complex and Endpoint modes of operation. The Glue Layer allows "strapping" the Mode of operation of the Controller, the Link Speed and the Link Width. This is enabled by programming the "PCIEn_CTRL" register (n corresponds to the PCIe instance) within the CTRL_MMR memory-mapped register space. The "reset-values" of the registers are also different depending on the mode of operation. Since the PCIe Controller latches onto the "reset-values" immediately after being powered on, if the Glue Layer configuration is not done while the PCIe Controller is off, it will result in the PCIe Controller latching onto the wrong "reset-values". In practice, this will show up as a wrong representation of the PCIe Controller's capability structures in the PCIe Configuration Space. Some such capabilities which are supported by the PCIe Controller in the Root-Complex mode but are incorrectly latched onto as being unsupported are: - Link Bandwidth Notification - Alternate Routing ID (ARI) Forwarding Support - Next capability offset within Advanced Error Reporting (AER) capability Fix this by powering off the PCIe Controller before programming the "strap" settings and powering it on after that. The runtime PM APIs namely pm_runtime_put_sync() and pm_runtime_get_sync() will decrement and increment the usage counter respectively, causing GENPD to power off and power on the PCIe Controller. Fixes: f3e25911a430 ("PCI: j721e: Add TI J721E PCIe driver") Signed-off-by: Siddharth Vadapalli <s-vadapalli(a)ti.com> Signed-off-by: Manivannan Sadhasivam <mani(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20250908120828.1471776-1-s-vadapalli@ti.com diff --git a/drivers/pci/controller/cadence/pci-j721e.c b/drivers/pci/controller/cadence/pci-j721e.c index cfca13a4c840..5a9ae33e2b93 100644 --- a/drivers/pci/controller/cadence/pci-j721e.c +++ b/drivers/pci/controller/cadence/pci-j721e.c @@ -284,6 +284,25 @@ static int j721e_pcie_ctrl_init(struct j721e_pcie *pcie) if (!ret) offset = args.args[0]; + /* + * The PCIe Controller's registers have different "reset-values" + * depending on the "strap" settings programmed into the PCIEn_CTRL + * register within the CTRL_MMR memory-mapped register space. + * The registers latch onto a "reset-value" based on the "strap" + * settings sampled after the PCIe Controller is powered on. + * To ensure that the "reset-values" are sampled accurately, power + * off the PCIe Controller before programming the "strap" settings + * and power it on after that. The runtime PM APIs namely + * pm_runtime_put_sync() and pm_runtime_get_sync() will decrement and + * increment the usage counter respectively, causing GENPD to power off + * and power on the PCIe Controller. + */ + ret = pm_runtime_put_sync(dev); + if (ret < 0) { + dev_err(dev, "Failed to power off PCIe Controller\n"); + return ret; + } + ret = j721e_pcie_set_mode(pcie, syscon, offset); if (ret < 0) { dev_err(dev, "Failed to set pci mode\n"); @@ -302,6 +321,12 @@ static int j721e_pcie_ctrl_init(struct j721e_pcie *pcie) return ret; } + ret = pm_runtime_get_sync(dev); + if (ret < 0) { + dev_err(dev, "Failed to power on PCIe Controller\n"); + return ret; + } + /* Enable ACSPCIE refclk output if the optional property exists */ syscon = syscon_regmap_lookup_by_phandle_optional(node, "ti,syscon-acspcie-proxy-ctrl");

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] PCI: j721e: Fix programming sequence of "strap" settings" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x f842d3313ba179d4005096357289c7ad09cec575 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101615-busload-bright-ced9@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f842d3313ba179d4005096357289c7ad09cec575 Mon Sep 17 00:00:00 2001 From: Siddharth Vadapalli <s-vadapalli(a)ti.com> Date: Mon, 8 Sep 2025 17:38:27 +0530 Subject: [PATCH] PCI: j721e: Fix programming sequence of "strap" settings The Cadence PCIe Controller integrated in the TI K3 SoCs supports both Root-Complex and Endpoint modes of operation. The Glue Layer allows "strapping" the Mode of operation of the Controller, the Link Speed and the Link Width. This is enabled by programming the "PCIEn_CTRL" register (n corresponds to the PCIe instance) within the CTRL_MMR memory-mapped register space. The "reset-values" of the registers are also different depending on the mode of operation. Since the PCIe Controller latches onto the "reset-values" immediately after being powered on, if the Glue Layer configuration is not done while the PCIe Controller is off, it will result in the PCIe Controller latching onto the wrong "reset-values". In practice, this will show up as a wrong representation of the PCIe Controller's capability structures in the PCIe Configuration Space. Some such capabilities which are supported by the PCIe Controller in the Root-Complex mode but are incorrectly latched onto as being unsupported are: - Link Bandwidth Notification - Alternate Routing ID (ARI) Forwarding Support - Next capability offset within Advanced Error Reporting (AER) capability Fix this by powering off the PCIe Controller before programming the "strap" settings and powering it on after that. The runtime PM APIs namely pm_runtime_put_sync() and pm_runtime_get_sync() will decrement and increment the usage counter respectively, causing GENPD to power off and power on the PCIe Controller. Fixes: f3e25911a430 ("PCI: j721e: Add TI J721E PCIe driver") Signed-off-by: Siddharth Vadapalli <s-vadapalli(a)ti.com> Signed-off-by: Manivannan Sadhasivam <mani(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20250908120828.1471776-1-s-vadapalli@ti.com diff --git a/drivers/pci/controller/cadence/pci-j721e.c b/drivers/pci/controller/cadence/pci-j721e.c index cfca13a4c840..5a9ae33e2b93 100644 --- a/drivers/pci/controller/cadence/pci-j721e.c +++ b/drivers/pci/controller/cadence/pci-j721e.c @@ -284,6 +284,25 @@ static int j721e_pcie_ctrl_init(struct j721e_pcie *pcie) if (!ret) offset = args.args[0]; + /* + * The PCIe Controller's registers have different "reset-values" + * depending on the "strap" settings programmed into the PCIEn_CTRL + * register within the CTRL_MMR memory-mapped register space. + * The registers latch onto a "reset-value" based on the "strap" + * settings sampled after the PCIe Controller is powered on. + * To ensure that the "reset-values" are sampled accurately, power + * off the PCIe Controller before programming the "strap" settings + * and power it on after that. The runtime PM APIs namely + * pm_runtime_put_sync() and pm_runtime_get_sync() will decrement and + * increment the usage counter respectively, causing GENPD to power off + * and power on the PCIe Controller. + */ + ret = pm_runtime_put_sync(dev); + if (ret < 0) { + dev_err(dev, "Failed to power off PCIe Controller\n"); + return ret; + } + ret = j721e_pcie_set_mode(pcie, syscon, offset); if (ret < 0) { dev_err(dev, "Failed to set pci mode\n"); @@ -302,6 +321,12 @@ static int j721e_pcie_ctrl_init(struct j721e_pcie *pcie) return ret; } + ret = pm_runtime_get_sync(dev); + if (ret < 0) { + dev_err(dev, "Failed to power on PCIe Controller\n"); + return ret; + } + /* Enable ACSPCIE refclk output if the optional property exists */ syscon = syscon_regmap_lookup_by_phandle_optional(node, "ti,syscon-acspcie-proxy-ctrl");

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] arm64: mte: Do not flag the zero page as PG_mte_tagged" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x f620d66af3165838bfa845dcf9f5f9b4089bf508 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101646-headroom-why-f582@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f620d66af3165838bfa845dcf9f5f9b4089bf508 Mon Sep 17 00:00:00 2001 From: Catalin Marinas <catalin.marinas(a)arm.com> Date: Wed, 24 Sep 2025 13:31:22 +0100 Subject: [PATCH] arm64: mte: Do not flag the zero page as PG_mte_tagged Commit 68d54ceeec0e ("arm64: mte: Allow PTRACE_PEEKMTETAGS access to the zero page") attempted to fix ptrace() reading of tags from the zero page by marking it as PG_mte_tagged during cpu_enable_mte(). The same commit also changed the ptrace() tag access permission check to the VM_MTE vma flag while turning the page flag test into a WARN_ON_ONCE(). Attempting to set the PG_mte_tagged flag early with CONFIG_DEFERRED_STRUCT_PAGE_INIT enabled may either hang (after commit d77e59a8fccd "arm64: mte: Lock a page for MTE tag initialisation") or have the flags cleared later during page_alloc_init_late(). In addition, pages_identical() -> memcmp_pages() will reject any comparison with the zero page as it is marked as tagged. Partially revert the above commit to avoid setting PG_mte_tagged on the zero page. Update the __access_remote_tags() warning on untagged pages to ignore the zero page since it is known to have the tags initialised. Note that all user mapping of the zero page are marked as pte_special(). The arm64 set_pte_at() will not call mte_sync_tags() on such pages, so PG_mte_tagged will remain cleared. Signed-off-by: Catalin Marinas <catalin.marinas(a)arm.com> Fixes: 68d54ceeec0e ("arm64: mte: Allow PTRACE_PEEKMTETAGS access to the zero page") Reported-by: Gergely Kovacs <Gergely.Kovacs2(a)arm.com> Cc: stable(a)vger.kernel.org # 5.10.x Cc: Will Deacon <will(a)kernel.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: Lance Yang <lance.yang(a)linux.dev> Acked-by: Lance Yang <lance.yang(a)linux.dev> Reviewed-by: David Hildenbrand <david(a)redhat.com> Tested-by: Lance Yang <lance.yang(a)linux.dev> Signed-off-by: Will Deacon <will(a)kernel.org> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index ecb83ab0700e..7345987a50a0 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -2303,17 +2303,21 @@ static void bti_enable(const struct arm64_cpu_capabilities *__unused) #ifdef CONFIG_ARM64_MTE static void cpu_enable_mte(struct arm64_cpu_capabilities const *cap) { + static bool cleared_zero_page = false; + sysreg_clear_set(sctlr_el1, 0, SCTLR_ELx_ATA | SCTLR_EL1_ATA0); mte_cpu_setup(); /* * Clear the tags in the zero page. This needs to be done via the - * linear map which has the Tagged attribute. + * linear map which has the Tagged attribute. Since this page is + * always mapped as pte_special(), set_pte_at() will not attempt to + * clear the tags or set PG_mte_tagged. */ - if (try_page_mte_tagging(ZERO_PAGE(0))) { + if (!cleared_zero_page) { + cleared_zero_page = true; mte_clear_page_tags(lm_alias(empty_zero_page)); - set_page_mte_tagged(ZERO_PAGE(0)); } kasan_init_hw_tags_cpu(); diff --git a/arch/arm64/kernel/mte.c b/arch/arm64/kernel/mte.c index e5e773844889..63aed49ac181 100644 --- a/arch/arm64/kernel/mte.c +++ b/arch/arm64/kernel/mte.c @@ -460,7 +460,7 @@ static int __access_remote_tags(struct mm_struct *mm, unsigned long addr, if (folio_test_hugetlb(folio)) WARN_ON_ONCE(!folio_test_hugetlb_mte_tagged(folio)); else - WARN_ON_ONCE(!page_mte_tagged(page)); + WARN_ON_ONCE(!page_mte_tagged(page) && !is_zero_page(page)); /* limit access to the end of the page */ offset = offset_in_page(addr);

1 month, 1 week

2
1
0 0

[PATCH] media: videobuf2: forbid create_bufs/remove_bufs when legacy fileio is active

by Marek Szyprowski

create_bufs and remove_bufs ioctl calls manipulate queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Simply forbid those calls when fileio is active to protect internal queue state between subsequent read/write calls. CC: stable(a)vger.kernel.org Fixes: 2d86401c2cbf ("[media] V4L: vb2: add support for buffers of different sizes on a single queue") Fixes: a3293a85381e ("media: v4l2: Add REMOVE_BUFS ioctl") Signed-off-by: Marek Szyprowski <m.szyprowski(a)samsung.com> --- drivers/media/common/videobuf2/videobuf2-v4l2.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/media/common/videobuf2/videobuf2-v4l2.c b/drivers/media/common/videobuf2/videobuf2-v4l2.c index d911021c1bb0..f4104d5971dd 100644 --- a/drivers/media/common/videobuf2/videobuf2-v4l2.c +++ b/drivers/media/common/videobuf2/videobuf2-v4l2.c @@ -751,6 +751,11 @@ int vb2_create_bufs(struct vb2_queue *q, struct v4l2_create_buffers *create) int ret = vb2_verify_memory_type(q, create->memory, f->type); unsigned i; + if (vb2_fileio_is_active(q)) { + dprintk(q, 1, "file io in progress\n"); + return -EBUSY; + } + create->index = vb2_get_num_buffers(q); vb2_set_flags_and_caps(q, create->memory, &create->flags, &create->capabilities, &create->max_num_buffers); @@ -1010,6 +1015,11 @@ int vb2_ioctl_remove_bufs(struct file *file, void *priv, if (vb2_queue_is_busy(vdev->queue, file)) return -EBUSY; + if (vb2_fileio_is_active(vdev->queue)) { + dprintk(vdev->queue, 1, "file io in progress\n"); + return -EBUSY; + } + return vb2_core_remove_bufs(vdev->queue, d->index, d->count); } EXPORT_SYMBOL_GPL(vb2_ioctl_remove_bufs); -- 2.34.1

1 month, 1 week

3
8
0 0

FAILED: patch "[PATCH] fuse: fix livelock in synchronous file put from fuseblk" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 26e5c67deb2e1f42a951f022fdf5b9f7eb747b01 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101629-privacy-morally-5172@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 26e5c67deb2e1f42a951f022fdf5b9f7eb747b01 Mon Sep 17 00:00:00 2001 From: "Darrick J. Wong" <djwong(a)kernel.org> Date: Mon, 15 Sep 2025 17:24:17 -0700 Subject: [PATCH] fuse: fix livelock in synchronous file put from fuseblk workers I observed a hang when running generic/323 against a fuseblk server. This test opens a file, initiates a lot of AIO writes to that file descriptor, and closes the file descriptor before the writes complete. Unsurprisingly, the AIO exerciser threads are mostly stuck waiting for responses from the fuseblk server: # cat /proc/372265/task/372313/stack [<0>] request_wait_answer+0x1fe/0x2a0 [fuse] [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] [<0>] fuse_do_getattr+0xfc/0x1f0 [fuse] [<0>] fuse_file_read_iter+0xbe/0x1c0 [fuse] [<0>] aio_read+0x130/0x1e0 [<0>] io_submit_one+0x542/0x860 [<0>] __x64_sys_io_submit+0x98/0x1a0 [<0>] do_syscall_64+0x37/0xf0 [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 But the /weird/ part is that the fuseblk server threads are waiting for responses from itself: # cat /proc/372210/task/372232/stack [<0>] request_wait_answer+0x1fe/0x2a0 [fuse] [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] [<0>] fuse_file_put+0x9a/0xd0 [fuse] [<0>] fuse_release+0x36/0x50 [fuse] [<0>] __fput+0xec/0x2b0 [<0>] task_work_run+0x55/0x90 [<0>] syscall_exit_to_user_mode+0xe9/0x100 [<0>] do_syscall_64+0x43/0xf0 [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 The fuseblk server is fuse2fs so there's nothing all that exciting in the server itself. So why is the fuse server calling fuse_file_put? The commit message for the fstest sheds some light on that: "By closing the file descriptor before calling io_destroy, you pretty much guarantee that the last put on the ioctx will be done in interrupt context (during I/O completion). Aha. AIO fgets a new struct file from the fd when it queues the ioctx. The completion of the FUSE_WRITE command from userspace causes the fuse server to call the AIO completion function. The completion puts the struct file, queuing a delayed fput to the fuse server task. When the fuse server task returns to userspace, it has to run the delayed fput, which in the case of a fuseblk server, it does synchronously. Sending the FUSE_RELEASE command sychronously from fuse server threads is a bad idea because a client program can initiate enough simultaneous AIOs such that all the fuse server threads end up in delayed_fput, and now there aren't any threads left to handle the queued fuse commands. Fix this by only using asynchronous fputs when closing files, and leave a comment explaining why. Cc: stable(a)vger.kernel.org # v2.6.38 Fixes: 5a18ec176c934c ("fuse: fix hang of single threaded fuseblk filesystem") Signed-off-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Miklos Szeredi <mszeredi(a)redhat.com> diff --git a/fs/fuse/file.c b/fs/fuse/file.c index 54786f62a9d8..f1ef77a0be05 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -356,8 +356,14 @@ void fuse_file_release(struct inode *inode, struct fuse_file *ff, * Make the release synchronous if this is a fuseblk mount, * synchronous RELEASE is allowed (and desirable) in this case * because the server can be trusted not to screw up. + * + * Always use the asynchronous file put because the current thread + * might be the fuse server. This can happen if a process starts some + * aio and closes the fd before the aio completes. Since aio takes its + * own ref to the file, the IO completion has to drop the ref, which is + * how the fuse server can end up closing its clients' files. */ - fuse_file_put(ff, ff->fm->fc->destroy); + fuse_file_put(ff, false); } void fuse_release_common(struct file *file, bool isdir)

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] fuse: fix livelock in synchronous file put from fuseblk" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 26e5c67deb2e1f42a951f022fdf5b9f7eb747b01 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101628-exclude-hamstring-8d43@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 26e5c67deb2e1f42a951f022fdf5b9f7eb747b01 Mon Sep 17 00:00:00 2001 From: "Darrick J. Wong" <djwong(a)kernel.org> Date: Mon, 15 Sep 2025 17:24:17 -0700 Subject: [PATCH] fuse: fix livelock in synchronous file put from fuseblk workers I observed a hang when running generic/323 against a fuseblk server. This test opens a file, initiates a lot of AIO writes to that file descriptor, and closes the file descriptor before the writes complete. Unsurprisingly, the AIO exerciser threads are mostly stuck waiting for responses from the fuseblk server: # cat /proc/372265/task/372313/stack [<0>] request_wait_answer+0x1fe/0x2a0 [fuse] [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] [<0>] fuse_do_getattr+0xfc/0x1f0 [fuse] [<0>] fuse_file_read_iter+0xbe/0x1c0 [fuse] [<0>] aio_read+0x130/0x1e0 [<0>] io_submit_one+0x542/0x860 [<0>] __x64_sys_io_submit+0x98/0x1a0 [<0>] do_syscall_64+0x37/0xf0 [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 But the /weird/ part is that the fuseblk server threads are waiting for responses from itself: # cat /proc/372210/task/372232/stack [<0>] request_wait_answer+0x1fe/0x2a0 [fuse] [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] [<0>] fuse_file_put+0x9a/0xd0 [fuse] [<0>] fuse_release+0x36/0x50 [fuse] [<0>] __fput+0xec/0x2b0 [<0>] task_work_run+0x55/0x90 [<0>] syscall_exit_to_user_mode+0xe9/0x100 [<0>] do_syscall_64+0x43/0xf0 [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 The fuseblk server is fuse2fs so there's nothing all that exciting in the server itself. So why is the fuse server calling fuse_file_put? The commit message for the fstest sheds some light on that: "By closing the file descriptor before calling io_destroy, you pretty much guarantee that the last put on the ioctx will be done in interrupt context (during I/O completion). Aha. AIO fgets a new struct file from the fd when it queues the ioctx. The completion of the FUSE_WRITE command from userspace causes the fuse server to call the AIO completion function. The completion puts the struct file, queuing a delayed fput to the fuse server task. When the fuse server task returns to userspace, it has to run the delayed fput, which in the case of a fuseblk server, it does synchronously. Sending the FUSE_RELEASE command sychronously from fuse server threads is a bad idea because a client program can initiate enough simultaneous AIOs such that all the fuse server threads end up in delayed_fput, and now there aren't any threads left to handle the queued fuse commands. Fix this by only using asynchronous fputs when closing files, and leave a comment explaining why. Cc: stable(a)vger.kernel.org # v2.6.38 Fixes: 5a18ec176c934c ("fuse: fix hang of single threaded fuseblk filesystem") Signed-off-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Miklos Szeredi <mszeredi(a)redhat.com> diff --git a/fs/fuse/file.c b/fs/fuse/file.c index 54786f62a9d8..f1ef77a0be05 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -356,8 +356,14 @@ void fuse_file_release(struct inode *inode, struct fuse_file *ff, * Make the release synchronous if this is a fuseblk mount, * synchronous RELEASE is allowed (and desirable) in this case * because the server can be trusted not to screw up. + * + * Always use the asynchronous file put because the current thread + * might be the fuse server. This can happen if a process starts some + * aio and closes the fd before the aio completes. Since aio takes its + * own ref to the file, the IO completion has to drop the ref, which is + * how the fuse server can end up closing its clients' files. */ - fuse_file_put(ff, ff->fm->fc->destroy); + fuse_file_put(ff, false); } void fuse_release_common(struct file *file, bool isdir)

1 month, 1 week

2
2
0 0

[PATCH 5.4.y 0/5] v5.4: fix build with GCC 15

by Matthieu Baerts (NGI0)

Two backports linked to build issues with GCC 15 have failed in this version: - ee2ab467bddf ("x86/boot: Use '-std=gnu11' to fix build with GCC 15") - 8ba14d9f490a ("efi: libstub: Use '-std=gnu11' to fix build with GCC 15") Conflicts have been solved, and described. After that, this kernel version still didn't build with GCC 15: In file included from include/uapi/linux/posix_types.h:5, from include/uapi/linux/types.h:14, from include/linux/types.h:6, from arch/x86/realmode/rm/wakeup.h:11, from arch/x86/realmode/rm/wakemain.c:2: include/linux/stddef.h:11:9: error: cannot use keyword 'false' as enumeration constant 11 | false = 0, | ^~~~~ include/linux/stddef.h:11:9: note: 'false' is a keyword with '-std=c23' onwards include/linux/types.h:30:33: error: 'bool' cannot be defined via 'typedef' 30 | typedef _Bool bool; | ^~~~ include/linux/types.h:30:33: note: 'bool' is a keyword with '-std=c23' onwards include/linux/types.h:30:1: warning: useless type name in empty declaration 30 | typedef _Bool bool; | ^~~~~~~ I initially fixed this by adding -std=gnu11 in arch/x86/Makefile, then I realised this fix was already done in an upstream commit, created before the GCC 15 release and not mentioning the error I had. This is patch 3. When I was investigating my error, I noticed other commits were already backported to stable versions. They were all adding -std=gnu11 in different Makefiles. In their commit message, they were mentioning 'gnu11' was picked to use the same as the one from the main Makefile. But this is not the case in this kernel version. Patch 4 fixes that. Finally, I noticed extra warnings I didn't have in v5.10. Patch 5 fixes that. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Alexey Dobriyan (1): x86/boot: Compile boot code with -std=gnu11 too Matthieu Baerts (NGI0) (1): arch: back to -std=gnu89 in < v5.18 Nathan Chancellor (3): x86/boot: Use '-std=gnu11' to fix build with GCC 15 efi: libstub: Use '-std=gnu11' to fix build with GCC 15 kernel/profile.c: use cpumask_available to check for NULL cpumask arch/parisc/boot/compressed/Makefile | 2 +- arch/s390/Makefile | 2 +- arch/s390/purgatory/Makefile | 2 +- arch/x86/Makefile | 2 +- arch/x86/boot/compressed/Makefile | 1 + drivers/firmware/efi/libstub/Makefile | 2 +- kernel/profile.c | 6 +++--- 7 files changed, 9 insertions(+), 8 deletions(-) --- base-commit: cda7d335d88aa30485536aee3027540f41bf4f10 change-id: 20251017-v5-4-gcc-15-2d2ccb30432c Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

1 month, 1 week

3
7
0 0

FAILED: patch "[PATCH] xfs: use deferred intent items for reaping crosslinked blocks" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x cd32a0c0dcdf634f2e0e71f41c272e19dece6264 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101603-baggage-humming-330b@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From cd32a0c0dcdf634f2e0e71f41c272e19dece6264 Mon Sep 17 00:00:00 2001 From: "Darrick J. Wong" <djwong(a)kernel.org> Date: Tue, 8 Apr 2025 16:14:32 -0700 Subject: [PATCH] xfs: use deferred intent items for reaping crosslinked blocks When we're removing rmap records for crosslinked blocks, use deferred intent items so that we can try to free/unmap as many of the old data structure's blocks as we can in the same transaction as the commit. Cc: <stable(a)vger.kernel.org> # v6.6 Fixes: 1c7ce115e52106 ("xfs: reap large AG metadata extents when possible") Signed-off-by: "Darrick J. Wong" <djwong(a)kernel.org> Reviewed-by: Christoph Hellwig <hch(a)lst.de> diff --git a/fs/xfs/scrub/reap.c b/fs/xfs/scrub/reap.c index 8703897c0a9c..86d3d104b8d9 100644 --- a/fs/xfs/scrub/reap.c +++ b/fs/xfs/scrub/reap.c @@ -416,8 +416,6 @@ xreap_agextent_iter( trace_xreap_dispose_unmap_extent(pag_group(sc->sa.pag), agbno, *aglenp); - rs->force_roll = true; - if (rs->oinfo == &XFS_RMAP_OINFO_COW) { /* * If we're unmapping CoW staging extents, remove the @@ -426,11 +424,14 @@ xreap_agextent_iter( */ xfs_refcount_free_cow_extent(sc->tp, false, fsbno, *aglenp); + rs->force_roll = true; return 0; } - return xfs_rmap_free(sc->tp, sc->sa.agf_bp, sc->sa.pag, agbno, - *aglenp, rs->oinfo); + xfs_rmap_free_extent(sc->tp, false, fsbno, *aglenp, + rs->oinfo->oi_owner); + rs->deferred++; + return 0; } trace_xreap_dispose_free_extent(pag_group(sc->sa.pag), agbno, *aglenp);

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] wifi: rtw89: avoid possible TX wait initialization race" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x c24248ed78f33ea299ea61d105355ba47157d49f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101643-jolt-creole-6a13@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c24248ed78f33ea299ea61d105355ba47157d49f Mon Sep 17 00:00:00 2001 From: Fedor Pchelkin <pchelkin(a)ispras.ru> Date: Sat, 20 Sep 2025 00:08:48 +0300 Subject: [PATCH] wifi: rtw89: avoid possible TX wait initialization race The value of skb_data->wait indicates whether skb is passed on to the core mac80211 stack or released by the driver itself. Make sure that by the time skb is added to txwd queue and becomes visible to the completing side, it has already allocated and initialized TX wait related data (in case it's needed). This is found by code review and addresses a possible race scenario described below: Waiting thread Completing thread rtw89_core_send_nullfunc() rtw89_core_tx_write_link() ... rtw89_pci_txwd_submit() skb_data->wait = NULL /* add skb to the queue */ skb_queue_tail(&txwd->queue, skb) /* another thread (e.g. rtw89_ops_tx) performs TX kick off for the same queue */ rtw89_pci_napi_poll() ... rtw89_pci_release_txwd_skb() /* get skb from the queue */ skb_unlink(skb, &txwd->queue) rtw89_pci_tx_status() rtw89_core_tx_wait_complete() /* use incorrect skb_data->wait */ rtw89_core_tx_kick_off_and_wait() /* assign skb_data->wait but too late */ Found by Linux Verification Center (linuxtesting.org). Fixes: 1ae5ca615285 ("wifi: rtw89: add function to wait for completion of TX skbs") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> Acked-by: Ping-Ke Shih <pkshih(a)realtek.com> Signed-off-by: Ping-Ke Shih <pkshih(a)realtek.com> Link: https://patch.msgid.link/20250919210852.823912-3-pchelkin@ispras.ru diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c index ec467ae0e9e6..1f44c7fc1c5e 100644 --- a/drivers/net/wireless/realtek/rtw89/core.c +++ b/drivers/net/wireless/realtek/rtw89/core.c @@ -1153,25 +1153,14 @@ void rtw89_core_tx_kick_off(struct rtw89_dev *rtwdev, u8 qsel) } int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *skb, - int qsel, unsigned int timeout) + struct rtw89_tx_wait_info *wait, int qsel, + unsigned int timeout) { - struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); - struct rtw89_tx_wait_info *wait; unsigned long time_left; int ret = 0; lockdep_assert_wiphy(rtwdev->hw->wiphy); - wait = kzalloc(sizeof(*wait), GFP_KERNEL); - if (!wait) { - rtw89_core_tx_kick_off(rtwdev, qsel); - return 0; - } - - init_completion(&wait->completion); - wait->skb = skb; - rcu_assign_pointer(skb_data->wait, wait); - rtw89_core_tx_kick_off(rtwdev, qsel); time_left = wait_for_completion_timeout(&wait->completion, msecs_to_jiffies(timeout)); @@ -1234,10 +1223,12 @@ int rtw89_h2c_tx(struct rtw89_dev *rtwdev, static int rtw89_core_tx_write_link(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rtwvif_link, struct rtw89_sta_link *rtwsta_link, - struct sk_buff *skb, int *qsel, bool sw_mld) + struct sk_buff *skb, int *qsel, bool sw_mld, + struct rtw89_tx_wait_info *wait) { struct ieee80211_sta *sta = rtwsta_link_to_sta_safe(rtwsta_link); struct ieee80211_vif *vif = rtwvif_link_to_vif(rtwvif_link); + struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); struct rtw89_vif *rtwvif = rtwvif_link->rtwvif; struct rtw89_core_tx_request tx_req = {}; int ret; @@ -1254,6 +1245,8 @@ static int rtw89_core_tx_write_link(struct rtw89_dev *rtwdev, rtw89_core_tx_update_desc_info(rtwdev, &tx_req); rtw89_core_tx_wake(rtwdev, &tx_req); + rcu_assign_pointer(skb_data->wait, wait); + ret = rtw89_hci_tx_write(rtwdev, &tx_req); if (ret) { rtw89_err(rtwdev, "failed to transmit skb to HCI\n"); @@ -1290,7 +1283,8 @@ int rtw89_core_tx_write(struct rtw89_dev *rtwdev, struct ieee80211_vif *vif, } } - return rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, qsel, false); + return rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, qsel, false, + NULL); } static __le32 rtw89_build_txwd_body0(struct rtw89_tx_desc_info *desc_info) @@ -3928,6 +3922,7 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt struct ieee80211_vif *vif = rtwvif_link_to_vif(rtwvif_link); int link_id = ieee80211_vif_is_mld(vif) ? rtwvif_link->link_id : -1; struct rtw89_sta_link *rtwsta_link; + struct rtw89_tx_wait_info *wait; struct ieee80211_sta *sta; struct ieee80211_hdr *hdr; struct rtw89_sta *rtwsta; @@ -3937,6 +3932,12 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt if (vif->type != NL80211_IFTYPE_STATION || !vif->cfg.assoc) return 0; + wait = kzalloc(sizeof(*wait), GFP_KERNEL); + if (!wait) + return -ENOMEM; + + init_completion(&wait->completion); + rcu_read_lock(); sta = ieee80211_find_sta(vif, vif->cfg.ap_addr); if (!sta) { @@ -3951,6 +3952,8 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt goto out; } + wait->skb = skb; + hdr = (struct ieee80211_hdr *)skb->data; if (ps) hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM); @@ -3961,7 +3964,8 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt goto out; } - ret = rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, &qsel, true); + ret = rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, &qsel, true, + wait); if (ret) { rtw89_warn(rtwdev, "nullfunc transmit failed: %d\n", ret); dev_kfree_skb_any(skb); @@ -3970,10 +3974,11 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt rcu_read_unlock(); - return rtw89_core_tx_kick_off_and_wait(rtwdev, skb, qsel, + return rtw89_core_tx_kick_off_and_wait(rtwdev, skb, wait, qsel, timeout); out: rcu_read_unlock(); + kfree(wait); return ret; } diff --git a/drivers/net/wireless/realtek/rtw89/core.h b/drivers/net/wireless/realtek/rtw89/core.h index d15fa70eb4dc..928c8c84c964 100644 --- a/drivers/net/wireless/realtek/rtw89/core.h +++ b/drivers/net/wireless/realtek/rtw89/core.h @@ -7476,7 +7476,8 @@ int rtw89_h2c_tx(struct rtw89_dev *rtwdev, struct sk_buff *skb, bool fwdl); void rtw89_core_tx_kick_off(struct rtw89_dev *rtwdev, u8 qsel); int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *skb, - int qsel, unsigned int timeout); + struct rtw89_tx_wait_info *wait, int qsel, + unsigned int timeout); void rtw89_core_fill_txdesc(struct rtw89_dev *rtwdev, struct rtw89_tx_desc_info *desc_info, void *txdesc); diff --git a/drivers/net/wireless/realtek/rtw89/pci.c b/drivers/net/wireless/realtek/rtw89/pci.c index 8dd91d867ea6..0ee5f8579447 100644 --- a/drivers/net/wireless/realtek/rtw89/pci.c +++ b/drivers/net/wireless/realtek/rtw89/pci.c @@ -1494,7 +1494,6 @@ static int rtw89_pci_txwd_submit(struct rtw89_dev *rtwdev, struct pci_dev *pdev = rtwpci->pdev; struct sk_buff *skb = tx_req->skb; struct rtw89_pci_tx_data *tx_data = RTW89_PCI_TX_SKB_CB(skb); - struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); bool en_wd_info = desc_info->en_wd_info; u32 txwd_len; u32 txwp_len; @@ -1510,7 +1509,6 @@ static int rtw89_pci_txwd_submit(struct rtw89_dev *rtwdev, } tx_data->dma = dma; - rcu_assign_pointer(skb_data->wait, NULL); txwp_len = sizeof(*txwp_info); txwd_len = chip->txwd_body_size;

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] padata: Reset next CPU when reorder sequence wraps around" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 501302d5cee0d8e8ec2c4a5919c37e0df9abc99b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101651-kerosene-quartered-684e@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 501302d5cee0d8e8ec2c4a5919c37e0df9abc99b Mon Sep 17 00:00:00 2001 From: Xiao Liang <shaw.leon(a)gmail.com> Date: Sun, 17 Aug 2025 00:30:15 +0800 Subject: [PATCH] padata: Reset next CPU when reorder sequence wraps around When seq_nr wraps around, the next reorder job with seq 0 is hashed to the first CPU in padata_do_serial(). Correspondingly, need reset pd->cpu to the first one when pd->processed wraps around. Otherwise, if the number of used CPUs is not a power of 2, padata_find_next() will be checking a wrong list, hence deadlock. Fixes: 6fc4dbcf0276 ("padata: Replace delayed timer with immediate workqueue in padata_reorder") Cc: <stable(a)vger.kernel.org> Signed-off-by: Xiao Liang <shaw.leon(a)gmail.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/kernel/padata.c b/kernel/padata.c index f85f8bd788d0..833740d75483 100644 --- a/kernel/padata.c +++ b/kernel/padata.c @@ -291,8 +291,12 @@ static void padata_reorder(struct padata_priv *padata) struct padata_serial_queue *squeue; int cb_cpu; - cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu); processed++; + /* When sequence wraps around, reset to the first CPU. */ + if (unlikely(processed == 0)) + cpu = cpumask_first(pd->cpumask.pcpu); + else + cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu); cb_cpu = padata->cb_cpu; squeue = per_cpu_ptr(pd->squeue, cb_cpu);

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] padata: Reset next CPU when reorder sequence wraps around" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 501302d5cee0d8e8ec2c4a5919c37e0df9abc99b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101651-sizing-subfloor-8c1d@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 501302d5cee0d8e8ec2c4a5919c37e0df9abc99b Mon Sep 17 00:00:00 2001 From: Xiao Liang <shaw.leon(a)gmail.com> Date: Sun, 17 Aug 2025 00:30:15 +0800 Subject: [PATCH] padata: Reset next CPU when reorder sequence wraps around When seq_nr wraps around, the next reorder job with seq 0 is hashed to the first CPU in padata_do_serial(). Correspondingly, need reset pd->cpu to the first one when pd->processed wraps around. Otherwise, if the number of used CPUs is not a power of 2, padata_find_next() will be checking a wrong list, hence deadlock. Fixes: 6fc4dbcf0276 ("padata: Replace delayed timer with immediate workqueue in padata_reorder") Cc: <stable(a)vger.kernel.org> Signed-off-by: Xiao Liang <shaw.leon(a)gmail.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/kernel/padata.c b/kernel/padata.c index f85f8bd788d0..833740d75483 100644 --- a/kernel/padata.c +++ b/kernel/padata.c @@ -291,8 +291,12 @@ static void padata_reorder(struct padata_priv *padata) struct padata_serial_queue *squeue; int cb_cpu; - cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu); processed++; + /* When sequence wraps around, reset to the first CPU. */ + if (unlikely(processed == 0)) + cpu = cpumask_first(pd->cpumask.pcpu); + else + cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu); cb_cpu = padata->cb_cpu; squeue = per_cpu_ptr(pd->squeue, cb_cpu);

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] padata: Reset next CPU when reorder sequence wraps around" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 501302d5cee0d8e8ec2c4a5919c37e0df9abc99b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101651-unlimited-rippling-daa6@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 501302d5cee0d8e8ec2c4a5919c37e0df9abc99b Mon Sep 17 00:00:00 2001 From: Xiao Liang <shaw.leon(a)gmail.com> Date: Sun, 17 Aug 2025 00:30:15 +0800 Subject: [PATCH] padata: Reset next CPU when reorder sequence wraps around When seq_nr wraps around, the next reorder job with seq 0 is hashed to the first CPU in padata_do_serial(). Correspondingly, need reset pd->cpu to the first one when pd->processed wraps around. Otherwise, if the number of used CPUs is not a power of 2, padata_find_next() will be checking a wrong list, hence deadlock. Fixes: 6fc4dbcf0276 ("padata: Replace delayed timer with immediate workqueue in padata_reorder") Cc: <stable(a)vger.kernel.org> Signed-off-by: Xiao Liang <shaw.leon(a)gmail.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/kernel/padata.c b/kernel/padata.c index f85f8bd788d0..833740d75483 100644 --- a/kernel/padata.c +++ b/kernel/padata.c @@ -291,8 +291,12 @@ static void padata_reorder(struct padata_priv *padata) struct padata_serial_queue *squeue; int cb_cpu; - cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu); processed++; + /* When sequence wraps around, reset to the first CPU. */ + if (unlikely(processed == 0)) + cpu = cpumask_first(pd->cpumask.pcpu); + else + cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu); cb_cpu = padata->cb_cpu; squeue = per_cpu_ptr(pd->squeue, cb_cpu);

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] padata: Reset next CPU when reorder sequence wraps around" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 501302d5cee0d8e8ec2c4a5919c37e0df9abc99b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101650-dreamless-dry-49d5@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 501302d5cee0d8e8ec2c4a5919c37e0df9abc99b Mon Sep 17 00:00:00 2001 From: Xiao Liang <shaw.leon(a)gmail.com> Date: Sun, 17 Aug 2025 00:30:15 +0800 Subject: [PATCH] padata: Reset next CPU when reorder sequence wraps around When seq_nr wraps around, the next reorder job with seq 0 is hashed to the first CPU in padata_do_serial(). Correspondingly, need reset pd->cpu to the first one when pd->processed wraps around. Otherwise, if the number of used CPUs is not a power of 2, padata_find_next() will be checking a wrong list, hence deadlock. Fixes: 6fc4dbcf0276 ("padata: Replace delayed timer with immediate workqueue in padata_reorder") Cc: <stable(a)vger.kernel.org> Signed-off-by: Xiao Liang <shaw.leon(a)gmail.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/kernel/padata.c b/kernel/padata.c index f85f8bd788d0..833740d75483 100644 --- a/kernel/padata.c +++ b/kernel/padata.c @@ -291,8 +291,12 @@ static void padata_reorder(struct padata_priv *padata) struct padata_serial_queue *squeue; int cb_cpu; - cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu); processed++; + /* When sequence wraps around, reset to the first CPU. */ + if (unlikely(processed == 0)) + cpu = cpumask_first(pd->cpumask.pcpu); + else + cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu); cb_cpu = padata->cb_cpu; squeue = per_cpu_ptr(pd->squeue, cb_cpu);

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] padata: Reset next CPU when reorder sequence wraps around" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 501302d5cee0d8e8ec2c4a5919c37e0df9abc99b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101650-feline-ellipse-6256@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 501302d5cee0d8e8ec2c4a5919c37e0df9abc99b Mon Sep 17 00:00:00 2001 From: Xiao Liang <shaw.leon(a)gmail.com> Date: Sun, 17 Aug 2025 00:30:15 +0800 Subject: [PATCH] padata: Reset next CPU when reorder sequence wraps around When seq_nr wraps around, the next reorder job with seq 0 is hashed to the first CPU in padata_do_serial(). Correspondingly, need reset pd->cpu to the first one when pd->processed wraps around. Otherwise, if the number of used CPUs is not a power of 2, padata_find_next() will be checking a wrong list, hence deadlock. Fixes: 6fc4dbcf0276 ("padata: Replace delayed timer with immediate workqueue in padata_reorder") Cc: <stable(a)vger.kernel.org> Signed-off-by: Xiao Liang <shaw.leon(a)gmail.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/kernel/padata.c b/kernel/padata.c index f85f8bd788d0..833740d75483 100644 --- a/kernel/padata.c +++ b/kernel/padata.c @@ -291,8 +291,12 @@ static void padata_reorder(struct padata_priv *padata) struct padata_serial_queue *squeue; int cb_cpu; - cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu); processed++; + /* When sequence wraps around, reset to the first CPU. */ + if (unlikely(processed == 0)) + cpu = cpumask_first(pd->cpumask.pcpu); + else + cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu); cb_cpu = padata->cb_cpu; squeue = per_cpu_ptr(pd->squeue, cb_cpu);

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] padata: Reset next CPU when reorder sequence wraps around" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 501302d5cee0d8e8ec2c4a5919c37e0df9abc99b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101649-sector-ruined-1f7a@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 501302d5cee0d8e8ec2c4a5919c37e0df9abc99b Mon Sep 17 00:00:00 2001 From: Xiao Liang <shaw.leon(a)gmail.com> Date: Sun, 17 Aug 2025 00:30:15 +0800 Subject: [PATCH] padata: Reset next CPU when reorder sequence wraps around When seq_nr wraps around, the next reorder job with seq 0 is hashed to the first CPU in padata_do_serial(). Correspondingly, need reset pd->cpu to the first one when pd->processed wraps around. Otherwise, if the number of used CPUs is not a power of 2, padata_find_next() will be checking a wrong list, hence deadlock. Fixes: 6fc4dbcf0276 ("padata: Replace delayed timer with immediate workqueue in padata_reorder") Cc: <stable(a)vger.kernel.org> Signed-off-by: Xiao Liang <shaw.leon(a)gmail.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/kernel/padata.c b/kernel/padata.c index f85f8bd788d0..833740d75483 100644 --- a/kernel/padata.c +++ b/kernel/padata.c @@ -291,8 +291,12 @@ static void padata_reorder(struct padata_priv *padata) struct padata_serial_queue *squeue; int cb_cpu; - cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu); processed++; + /* When sequence wraps around, reset to the first CPU. */ + if (unlikely(processed == 0)) + cpu = cpumask_first(pd->cpumask.pcpu); + else + cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu); cb_cpu = padata->cb_cpu; squeue = per_cpu_ptr(pd->squeue, cb_cpu);

1 month, 1 week

2
1
0 0

[PATCH can] can: netlink: can_changelink(): allow disabling of automatic restart

by Marc Kleine-Budde

Since the commit c1f3f9797c1f ("can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode"), the automatic restart delay can only be set for devices that implement the restart handler struct can_priv::do_set_mode. As it makes no sense to configure a automatic restart for devices that doesn't support it. However, since systemd commit 13ce5d4632e3 ("network/can: properly handle CAN.RestartSec=0") [1], systemd-networkd correctly handles a restart delay of "0" (i.e. the restart is disabled). Which means that a disabled restart is always configured in the kernel. On systems with both changes active this causes that CAN interfaces that don't implement a restart handler cannot be brought up by systemd-networkd. Solve this problem by allowing a delay of "0" to be configured, even if the device does not implement a restart handler. [1] https://github.com/systemd/systemd/commit/13ce5d4632e395521e6205c954493c7fc… Cc: stable(a)vger.kernel.org Cc: Andrei Lalaev <andrey.lalaev(a)gmail.com> Reported-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Closes: https://lore.kernel.org/all/20251020-certain-arrogant-vole-of-sunshine-1418… Fixes: c1f3f9797c1f ("can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode") Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- drivers/net/can/dev/netlink.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/can/dev/netlink.c b/drivers/net/can/dev/netlink.c index 0591406b6f32..6f83b87d54fc 100644 --- a/drivers/net/can/dev/netlink.c +++ b/drivers/net/can/dev/netlink.c @@ -452,7 +452,9 @@ static int can_changelink(struct net_device *dev, struct nlattr *tb[], } if (data[IFLA_CAN_RESTART_MS]) { - if (!priv->do_set_mode) { + unsigned int restart_ms = nla_get_u32(data[IFLA_CAN_RESTART_MS]); + + if (restart_ms != 0 && !priv->do_set_mode) { NL_SET_ERR_MSG(extack, "Device doesn't support restart from Bus Off"); return -EOPNOTSUPP; @@ -461,7 +463,7 @@ static int can_changelink(struct net_device *dev, struct nlattr *tb[], /* Do not allow changing restart delay while running */ if (dev->flags & IFF_UP) return -EBUSY; - priv->restart_ms = nla_get_u32(data[IFLA_CAN_RESTART_MS]); + priv->restart_ms = restart_ms; } if (data[IFLA_CAN_RESTART]) { --- base-commit: ffff5c8fc2af2218a3332b3d5b97654599d50cde change-id: 20251020-netlink-fix-restart-6016f4d93e38 Best regards, -- Marc Kleine-Budde <mkl(a)pengutronix.de>

1 month, 1 week

1
1
0 0

[PATCH net 4/4] can: netlink: can_changelink(): allow disabling of automatic restart

by Marc Kleine-Budde

Since the commit c1f3f9797c1f ("can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode"), the automatic restart delay can only be set for devices that implement the restart handler struct can_priv::do_set_mode. As it makes no sense to configure a automatic restart for devices that doesn't support it. However, since systemd commit 13ce5d4632e3 ("network/can: properly handle CAN.RestartSec=0") [1], systemd-networkd correctly handles a restart delay of "0" (i.e. the restart is disabled). Which means that a disabled restart is always configured in the kernel. On systems with both changes active this causes that CAN interfaces that don't implement a restart handler cannot be brought up by systemd-networkd. Solve this problem by allowing a delay of "0" to be configured, even if the device does not implement a restart handler. [1] https://github.com/systemd/systemd/commit/13ce5d4632e395521e6205c954493c7fc… Cc: stable(a)vger.kernel.org Cc: Andrei Lalaev <andrey.lalaev(a)gmail.com> Reported-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Closes: https://lore.kernel.org/all/20251020-certain-arrogant-vole-of-sunshine-1418… Fixes: c1f3f9797c1f ("can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode") Link: https://patch.msgid.link/20251020-netlink-fix-restart-v1-1-3f53c7f8520b@pen… Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- drivers/net/can/dev/netlink.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/can/dev/netlink.c b/drivers/net/can/dev/netlink.c index 0591406b6f32..6f83b87d54fc 100644 --- a/drivers/net/can/dev/netlink.c +++ b/drivers/net/can/dev/netlink.c @@ -452,7 +452,9 @@ static int can_changelink(struct net_device *dev, struct nlattr *tb[], } if (data[IFLA_CAN_RESTART_MS]) { - if (!priv->do_set_mode) { + unsigned int restart_ms = nla_get_u32(data[IFLA_CAN_RESTART_MS]); + + if (restart_ms != 0 && !priv->do_set_mode) { NL_SET_ERR_MSG(extack, "Device doesn't support restart from Bus Off"); return -EOPNOTSUPP; @@ -461,7 +463,7 @@ static int can_changelink(struct net_device *dev, struct nlattr *tb[], /* Do not allow changing restart delay while running */ if (dev->flags & IFF_UP) return -EBUSY; - priv->restart_ms = nla_get_u32(data[IFLA_CAN_RESTART_MS]); + priv->restart_ms = restart_ms; } if (data[IFLA_CAN_RESTART]) { -- 2.51.0

1 month, 1 week

1
0
0 0

[PATCH] regmap: slimbus: fix bus_context pointer in __devm_regmap_init_slimbus

by Alexey Klimov

Commit 4e65bda8273c ("ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()") revealed the problem in slimbus regmap. That commit breaks audio playback, for instance, on sdm845 Thundercomm Dragonboard 845c board: Unable to handle kernel paging request at virtual address ffff8000847cbad4 Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x07: level 3 translation fault Data abort info: ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000a1360000 [ffff8000847cbad4] pgd=0000000000000000, p4d=100000010003e403, pud=100000010003f403, pmd=10000001025cf403, pte=0000000000000000 Internal error: Oops: 0000000096000007 [#1] SMP Modules linked in: (long list of modules...) CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT Hardware name: Thundercomm Dragonboard 845c (DT) pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : slim_xfer_msg+0x24/0x1ac [slimbus] lr : slim_read+0x48/0x74 [slimbus] sp : ffff800089113330 x29: ffff800089113350 x28: 00000000000000c0 x27: 0000000000000268 x26: 0000000000000198 x25: 0000000000000001 x24: 0000000000000000 x23: 0000000000000000 x22: ffff800089113454 x21: ffff00008488e800 x20: ffff000084b4760a x19: 0000000000000001 x18: 0000000000000be2 x17: 0000000000000c19 x16: ffffbcef364cd260 x15: ffffbcef36dafb10 x14: 0000000000000d38 x13: 0000000000000cb4 x12: 0000000000000c91 x11: 1fffe0001161b6e1 x10: ffff800089113470 x9 : ffff00008b0db70c x8 : ffff000081479ee0 x7 : 0000000000000000 x6 : 0000000000000800 x5 : 0000000000000001 x4 : 0000000000000000 x3 : ffff00008263c200 x2 : 0000000000000060 x1 : ffff800089113368 x0 : ffff8000847cb7c8 Call trace: slim_xfer_msg+0x24/0x1ac [slimbus] (P) slim_read+0x48/0x74 [slimbus] regmap_slimbus_read+0x18/0x24 [regmap_slimbus] _regmap_raw_read+0xe8/0x174 _regmap_bus_read+0x44/0x80 _regmap_read+0x60/0xd8 _regmap_update_bits+0xf4/0x140 _regmap_select_page+0xa8/0x124 _regmap_raw_write_impl+0x3b8/0x65c _regmap_bus_raw_write+0x60/0x80 _regmap_write+0x58/0xc0 regmap_write+0x4c/0x80 wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x] snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core] __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core] dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core] dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core] snd_pcm_hw_params+0x124/0x464 [snd_pcm] snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm] snd_pcm_ioctl+0x34/0x4c [snd_pcm] __arm64_sys_ioctl+0xac/0x104 invoke_syscall+0x48/0x104 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xec el0t_64_sync_handler+0xa0/0xf0 el0t_64_sync+0x198/0x19c Code: 910083fd f9423464 f9000fe4 d2800004 (394c3003) ---[ end trace 0000000000000000 ]--- The __devm_regmap_init_slimbus() started to be used instead of __regmap_init_slimbus() after the commit mentioned above and turns out the incorrect bus_context pointer (3rd argument) was used in __devm_regmap_init_slimbus(). It should be &slimbus->dev. Correct it. The wcd934x codec seems to be the only (or the first) user of devm_regmap_init_slimbus() but we should fix till the point where __devm_regmap_init_slimbus() was introduced therefore two "Fixes" tags. Fixes: 4e65bda8273c ("ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()") Fixes: 7d6f7fb053ad ("regmap: add SLIMbus support") Cc: stable(a)vger.kernel.org Cc: Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> Cc: Ma Ke <make24(a)iscas.ac.cn> Cc: Steev Klimaszewski <steev(a)kali.org> Cc: Srinivas Kandagatla <srini(a)kernel.org> Signed-off-by: Alexey Klimov <alexey.klimov(a)linaro.org> --- The patch/fix is for the current 6.18 development cycle since it is fixes the regression introduced in 6.18.0-rc1. drivers/base/regmap/regmap-slimbus.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/base/regmap/regmap-slimbus.c b/drivers/base/regmap/regmap-slimbus.c index 54eb7d227cf4..edfee18fbea1 100644 --- a/drivers/base/regmap/regmap-slimbus.c +++ b/drivers/base/regmap/regmap-slimbus.c @@ -63,7 +63,7 @@ struct regmap *__devm_regmap_init_slimbus(struct slim_device *slimbus, if (IS_ERR(bus)) return ERR_CAST(bus); - return __devm_regmap_init(&slimbus->dev, bus, &slimbus, config, + return __devm_regmap_init(&slimbus->dev, bus, &slimbus->dev, config, lock_key, lock_name); } EXPORT_SYMBOL_GPL(__devm_regmap_init_slimbus); -- 2.47.3

1 month, 1 week

5
4
0 0

[PATCH 2/9] ASoC: qcom: q6adm: the the copp device only during last instance

by Srinivas Kandagatla

A matching Common object post processing instance is normally resused across multiple streams. However currently we close this on DSP eventhough there is a refcount on this copp object, this can result in below error. q6routing ab00000.remoteproc:glink-edge:apr:service@8:routing: Found Matching Copp 0x0 qcom-q6adm aprsvc:service:4:8: cmd = 0x10325 return error = 0x2 q6routing ab00000.remoteproc:glink-edge:apr:service@8:routing: DSP returned error[2] q6routing ab00000.remoteproc:glink-edge:apr:service@8:routing: Found Matching Copp 0x0 qcom-q6adm aprsvc:service:4:8: cmd = 0x10325 return error = 0x2 q6routing ab00000.remoteproc:glink-edge:apr:service@8:routing: DSP returned error[2] qcom-q6adm aprsvc:service:4:8: cmd = 0x10327 return error = 0x2 qcom-q6adm aprsvc:service:4:8: DSP returned error[2] qcom-q6adm aprsvc:service:4:8: Failed to close copp -22 qcom-q6adm aprsvc:service:4:8: cmd = 0x10327 return error = 0x2 qcom-q6adm aprsvc:service:4:8: DSP returned error[2] qcom-q6adm aprsvc:service:4:8: Failed to close copp -22 Fix this by addressing moving the adm_close to copp_kref destructor callback. Fixes: 7b20b2be51e1 ("ASoC: qdsp6: q6adm: Add q6adm driver") Cc: <Stable(a)vger.kernel.org> Reported-by: Martino Facchin <m.facchin(a)arduino.cc> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla(a)oss.qualcomm.com> --- sound/soc/qcom/qdsp6/q6adm.c | 146 +++++++++++++++++------------------ 1 file changed, 71 insertions(+), 75 deletions(-) diff --git a/sound/soc/qcom/qdsp6/q6adm.c b/sound/soc/qcom/qdsp6/q6adm.c index 1530e98df165..75a029a696ac 100644 --- a/sound/soc/qcom/qdsp6/q6adm.c +++ b/sound/soc/qcom/qdsp6/q6adm.c @@ -109,11 +109,75 @@ static struct q6copp *q6adm_find_copp(struct q6adm *adm, int port_idx, } +static int q6adm_apr_send_copp_pkt(struct q6adm *adm, struct q6copp *copp, + struct apr_pkt *pkt, uint32_t rsp_opcode) +{ + struct device *dev = adm->dev; + uint32_t opcode = pkt->hdr.opcode; + int ret; + + mutex_lock(&adm->lock); + copp->result.opcode = 0; + copp->result.status = 0; + ret = apr_send_pkt(adm->apr, pkt); + if (ret < 0) { + dev_err(dev, "Failed to send APR packet\n"); + ret = -EINVAL; + goto err; + } + + /* Wait for the callback with copp id */ + if (rsp_opcode) + ret = wait_event_timeout(copp->wait, + (copp->result.opcode == opcode) || + (copp->result.opcode == rsp_opcode), + msecs_to_jiffies(TIMEOUT_MS)); + else + ret = wait_event_timeout(copp->wait, + (copp->result.opcode == opcode), + msecs_to_jiffies(TIMEOUT_MS)); + + if (!ret) { + dev_err(dev, "ADM copp cmd timedout\n"); + ret = -ETIMEDOUT; + } else if (copp->result.status > 0) { + dev_err(dev, "DSP returned error[%d]\n", + copp->result.status); + ret = -EINVAL; + } + +err: + mutex_unlock(&adm->lock); + return ret; +} + +static int q6adm_device_close(struct q6adm *adm, struct q6copp *copp, + int port_id, int copp_idx) +{ + struct apr_pkt close; + + close.hdr.hdr_field = APR_HDR_FIELD(APR_MSG_TYPE_SEQ_CMD, + APR_HDR_LEN(APR_HDR_SIZE), + APR_PKT_VER); + close.hdr.pkt_size = sizeof(close); + close.hdr.src_port = port_id; + close.hdr.dest_port = copp->id; + close.hdr.token = port_id << 16 | copp_idx; + close.hdr.opcode = ADM_CMD_DEVICE_CLOSE_V5; + + return q6adm_apr_send_copp_pkt(adm, copp, &close, 0); +} + static void q6adm_free_copp(struct kref *ref) { struct q6copp *c = container_of(ref, struct q6copp, refcount); struct q6adm *adm = c->adm; unsigned long flags; + int ret; + + ret = q6adm_device_close(adm, c, c->afe_port, c->copp_idx); + if (ret < 0) + dev_err(adm->dev, "Failed to close copp %d\n", ret); spin_lock_irqsave(&adm->copps_list_lock, flags); clear_bit(c->copp_idx, &adm->copp_bitmap[c->afe_port]); @@ -155,13 +219,13 @@ static int q6adm_callback(struct apr_device *adev, struct apr_resp_pkt *data) switch (result->opcode) { case ADM_CMD_DEVICE_OPEN_V5: case ADM_CMD_DEVICE_CLOSE_V5: - copp = q6adm_find_copp(adm, port_idx, copp_idx); - if (!copp) - return 0; - - copp->result = *result; - wake_up(&copp->wait); - kref_put(&copp->refcount, q6adm_free_copp); + list_for_each_entry(copp, &adm->copps_list, node) { + if ((port_idx == copp->afe_port) && (copp_idx == copp->copp_idx)) { + copp->result = *result; + wake_up(&copp->wait); + break; + } + } break; case ADM_CMD_MATRIX_MAP_ROUTINGS_V5: adm->result = *result; @@ -234,65 +298,6 @@ static struct q6copp *q6adm_alloc_copp(struct q6adm *adm, int port_idx) return c; } -static int q6adm_apr_send_copp_pkt(struct q6adm *adm, struct q6copp *copp, - struct apr_pkt *pkt, uint32_t rsp_opcode) -{ - struct device *dev = adm->dev; - uint32_t opcode = pkt->hdr.opcode; - int ret; - - mutex_lock(&adm->lock); - copp->result.opcode = 0; - copp->result.status = 0; - ret = apr_send_pkt(adm->apr, pkt); - if (ret < 0) { - dev_err(dev, "Failed to send APR packet\n"); - ret = -EINVAL; - goto err; - } - - /* Wait for the callback with copp id */ - if (rsp_opcode) - ret = wait_event_timeout(copp->wait, - (copp->result.opcode == opcode) || - (copp->result.opcode == rsp_opcode), - msecs_to_jiffies(TIMEOUT_MS)); - else - ret = wait_event_timeout(copp->wait, - (copp->result.opcode == opcode), - msecs_to_jiffies(TIMEOUT_MS)); - - if (!ret) { - dev_err(dev, "ADM copp cmd timedout\n"); - ret = -ETIMEDOUT; - } else if (copp->result.status > 0) { - dev_err(dev, "DSP returned error[%d]\n", - copp->result.status); - ret = -EINVAL; - } - -err: - mutex_unlock(&adm->lock); - return ret; -} - -static int q6adm_device_close(struct q6adm *adm, struct q6copp *copp, - int port_id, int copp_idx) -{ - struct apr_pkt close; - - close.hdr.hdr_field = APR_HDR_FIELD(APR_MSG_TYPE_SEQ_CMD, - APR_HDR_LEN(APR_HDR_SIZE), - APR_PKT_VER); - close.hdr.pkt_size = sizeof(close); - close.hdr.src_port = port_id; - close.hdr.dest_port = copp->id; - close.hdr.token = port_id << 16 | copp_idx; - close.hdr.opcode = ADM_CMD_DEVICE_CLOSE_V5; - - return q6adm_apr_send_copp_pkt(adm, copp, &close, 0); -} - static struct q6copp *q6adm_find_matching_copp(struct q6adm *adm, int port_id, int topology, int mode, int rate, @@ -567,15 +572,6 @@ EXPORT_SYMBOL_GPL(q6adm_matrix_map); */ int q6adm_close(struct device *dev, struct q6copp *copp) { - struct q6adm *adm = dev_get_drvdata(dev->parent); - int ret = 0; - - ret = q6adm_device_close(adm, copp, copp->afe_port, copp->copp_idx); - if (ret < 0) { - dev_err(adm->dev, "Failed to close copp %d\n", ret); - return ret; - } - kref_put(&copp->refcount, q6adm_free_copp); return 0; -- 2.51.0

1 month, 1 week

2
1
0 0

[PATCH 1/2] ASoC: qcom: sdw: fix memory leak for sdw_stream_runtime

by Srinivas Kandagatla

For some reason we endedup allocating sdw_stream_runtime for every cpu dai, this has two issues. 1. we never set snd_soc_dai_set_stream for non soundwire dai, which means there is no way that we can free this, resulting in memory leak 2. startup and shutdown callbacks can be called without hw_params callback called. This combination results in memory leak because machine driver sruntime array pointer is only set in hw_params callback. Fix this by 1. adding a helper function to get sdw_runtime for substream which can be used by shutdown callback to get hold of sruntime to free. 2. only allocate sdw_runtime for soundwire dais. Fixes: d32bac9cb09c ("ASoC: qcom: Add helper for allocating Soundwire stream runtime") Cc: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla(a)oss.qualcomm.com> --- sound/soc/qcom/sc7280.c | 2 +- sound/soc/qcom/sc8280xp.c | 2 +- sound/soc/qcom/sdw.c | 104 +++++++++++++++++++++----------------- sound/soc/qcom/sdw.h | 1 + sound/soc/qcom/sm8250.c | 2 +- sound/soc/qcom/x1e80100.c | 2 +- 6 files changed, 63 insertions(+), 50 deletions(-) diff --git a/sound/soc/qcom/sc7280.c b/sound/soc/qcom/sc7280.c index af412bd0c89f..c444dae563c7 100644 --- a/sound/soc/qcom/sc7280.c +++ b/sound/soc/qcom/sc7280.c @@ -317,7 +317,7 @@ static void sc7280_snd_shutdown(struct snd_pcm_substream *substream) struct snd_soc_card *card = rtd->card; struct sc7280_snd_data *data = snd_soc_card_get_drvdata(card); struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0); - struct sdw_stream_runtime *sruntime = data->sruntime[cpu_dai->id]; + struct sdw_stream_runtime *sruntime = qcom_snd_sdw_get_stream(substream); switch (cpu_dai->id) { case MI2S_PRIMARY: diff --git a/sound/soc/qcom/sc8280xp.c b/sound/soc/qcom/sc8280xp.c index 78e327bc2f07..9ba536dff667 100644 --- a/sound/soc/qcom/sc8280xp.c +++ b/sound/soc/qcom/sc8280xp.c @@ -73,7 +73,7 @@ static void sc8280xp_snd_shutdown(struct snd_pcm_substream *substream) struct snd_soc_pcm_runtime *rtd = snd_soc_substream_to_rtd(substream); struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0); struct sc8280xp_snd_data *pdata = snd_soc_card_get_drvdata(rtd->card); - struct sdw_stream_runtime *sruntime = pdata->sruntime[cpu_dai->id]; + struct sdw_stream_runtime *sruntime = qcom_snd_sdw_get_stream(substream); pdata->sruntime[cpu_dai->id] = NULL; sdw_release_stream(sruntime); diff --git a/sound/soc/qcom/sdw.c b/sound/soc/qcom/sdw.c index 7d7981d4295b..d866fad04131 100644 --- a/sound/soc/qcom/sdw.c +++ b/sound/soc/qcom/sdw.c @@ -7,6 +7,36 @@ #include <sound/soc.h> #include "sdw.h" +static bool qcom_snd_is_sdw_dai(int id) +{ + switch (id) { + case WSA_CODEC_DMA_RX_0: + case WSA_CODEC_DMA_TX_0: + case WSA_CODEC_DMA_RX_1: + case WSA_CODEC_DMA_TX_1: + case WSA_CODEC_DMA_TX_2: + case RX_CODEC_DMA_RX_0: + case TX_CODEC_DMA_TX_0: + case RX_CODEC_DMA_RX_1: + case TX_CODEC_DMA_TX_1: + case RX_CODEC_DMA_RX_2: + case TX_CODEC_DMA_TX_2: + case RX_CODEC_DMA_RX_3: + case TX_CODEC_DMA_TX_3: + case RX_CODEC_DMA_RX_4: + case TX_CODEC_DMA_TX_4: + case RX_CODEC_DMA_RX_5: + case TX_CODEC_DMA_TX_5: + case RX_CODEC_DMA_RX_6: + case RX_CODEC_DMA_RX_7: + return true; + default: + break; + } + + return false; +} + /** * qcom_snd_sdw_startup() - Helper to start Soundwire stream for SoC audio card * @substream: The PCM substream from audio, as passed to snd_soc_ops->startup() @@ -29,6 +59,9 @@ int qcom_snd_sdw_startup(struct snd_pcm_substream *substream) u32 rx_ch_cnt = 0, tx_ch_cnt = 0; int ret, i, j; + if (!qcom_snd_is_sdw_dai(cpu_dai->id)) + return 0; + sruntime = sdw_alloc_stream(cpu_dai->name, SDW_STREAM_PCM); if (!sruntime) return -ENOMEM; @@ -89,19 +122,8 @@ int qcom_snd_sdw_prepare(struct snd_pcm_substream *substream, if (!sruntime) return 0; - switch (cpu_dai->id) { - case WSA_CODEC_DMA_RX_0: - case WSA_CODEC_DMA_RX_1: - case RX_CODEC_DMA_RX_0: - case RX_CODEC_DMA_RX_1: - case TX_CODEC_DMA_TX_0: - case TX_CODEC_DMA_TX_1: - case TX_CODEC_DMA_TX_2: - case TX_CODEC_DMA_TX_3: - break; - default: + if (!qcom_snd_is_sdw_dai(cpu_dai->id)) return 0; - } if (*stream_prepared) return 0; @@ -129,9 +151,7 @@ int qcom_snd_sdw_prepare(struct snd_pcm_substream *substream, } EXPORT_SYMBOL_GPL(qcom_snd_sdw_prepare); -int qcom_snd_sdw_hw_params(struct snd_pcm_substream *substream, - struct snd_pcm_hw_params *params, - struct sdw_stream_runtime **psruntime) +struct sdw_stream_runtime *qcom_snd_sdw_get_stream(struct snd_pcm_substream *substream) { struct snd_soc_pcm_runtime *rtd = snd_soc_substream_to_rtd(substream); struct snd_soc_dai *codec_dai; @@ -139,21 +159,23 @@ int qcom_snd_sdw_hw_params(struct snd_pcm_substream *substream, struct sdw_stream_runtime *sruntime; int i; - switch (cpu_dai->id) { - case WSA_CODEC_DMA_RX_0: - case RX_CODEC_DMA_RX_0: - case RX_CODEC_DMA_RX_1: - case TX_CODEC_DMA_TX_0: - case TX_CODEC_DMA_TX_1: - case TX_CODEC_DMA_TX_2: - case TX_CODEC_DMA_TX_3: - for_each_rtd_codec_dais(rtd, i, codec_dai) { - sruntime = snd_soc_dai_get_stream(codec_dai, substream->stream); - if (sruntime != ERR_PTR(-ENOTSUPP)) - *psruntime = sruntime; - } - break; + if (!qcom_snd_is_sdw_dai(cpu_dai->id)) + return NULL; + + for_each_rtd_codec_dais(rtd, i, codec_dai) { + sruntime = snd_soc_dai_get_stream(codec_dai, substream->stream); + if (sruntime != ERR_PTR(-ENOTSUPP)) + return sruntime; } + return NULL; +} +EXPORT_SYMBOL_GPL(qcom_snd_sdw_get_stream); + +int qcom_snd_sdw_hw_params(struct snd_pcm_substream *substream, + struct snd_pcm_hw_params *params, + struct sdw_stream_runtime **psruntime) +{ + *psruntime = qcom_snd_sdw_get_stream(substream); return 0; @@ -166,23 +188,13 @@ int qcom_snd_sdw_hw_free(struct snd_pcm_substream *substream, struct snd_soc_pcm_runtime *rtd = snd_soc_substream_to_rtd(substream); struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0); - switch (cpu_dai->id) { - case WSA_CODEC_DMA_RX_0: - case WSA_CODEC_DMA_RX_1: - case RX_CODEC_DMA_RX_0: - case RX_CODEC_DMA_RX_1: - case TX_CODEC_DMA_TX_0: - case TX_CODEC_DMA_TX_1: - case TX_CODEC_DMA_TX_2: - case TX_CODEC_DMA_TX_3: - if (sruntime && *stream_prepared) { - sdw_disable_stream(sruntime); - sdw_deprepare_stream(sruntime); - *stream_prepared = false; - } - break; - default: - break; + if (!qcom_snd_is_sdw_dai(cpu_dai->id)) + return 0; + + if (sruntime && *stream_prepared) { + sdw_disable_stream(sruntime); + sdw_deprepare_stream(sruntime); + *stream_prepared = false; } return 0; diff --git a/sound/soc/qcom/sdw.h b/sound/soc/qcom/sdw.h index 392e3455f1b1..b8bc5beb0522 100644 --- a/sound/soc/qcom/sdw.h +++ b/sound/soc/qcom/sdw.h @@ -10,6 +10,7 @@ int qcom_snd_sdw_startup(struct snd_pcm_substream *substream); int qcom_snd_sdw_prepare(struct snd_pcm_substream *substream, struct sdw_stream_runtime *runtime, bool *stream_prepared); +struct sdw_stream_runtime *qcom_snd_sdw_get_stream(struct snd_pcm_substream *stream); int qcom_snd_sdw_hw_params(struct snd_pcm_substream *substream, struct snd_pcm_hw_params *params, struct sdw_stream_runtime **psruntime); diff --git a/sound/soc/qcom/sm8250.c b/sound/soc/qcom/sm8250.c index f5b75a06e5bd..ce5b0059207f 100644 --- a/sound/soc/qcom/sm8250.c +++ b/sound/soc/qcom/sm8250.c @@ -117,7 +117,7 @@ static void sm8250_snd_shutdown(struct snd_pcm_substream *substream) struct snd_soc_pcm_runtime *rtd = snd_soc_substream_to_rtd(substream); struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0); struct sm8250_snd_data *data = snd_soc_card_get_drvdata(rtd->card); - struct sdw_stream_runtime *sruntime = data->sruntime[cpu_dai->id]; + struct sdw_stream_runtime *sruntime = qcom_snd_sdw_get_stream(substream); data->sruntime[cpu_dai->id] = NULL; sdw_release_stream(sruntime); diff --git a/sound/soc/qcom/x1e80100.c b/sound/soc/qcom/x1e80100.c index 444f2162889f..2e3599516aa2 100644 --- a/sound/soc/qcom/x1e80100.c +++ b/sound/soc/qcom/x1e80100.c @@ -55,7 +55,7 @@ static void x1e80100_snd_shutdown(struct snd_pcm_substream *substream) struct snd_soc_pcm_runtime *rtd = snd_soc_substream_to_rtd(substream); struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0); struct x1e80100_snd_data *data = snd_soc_card_get_drvdata(rtd->card); - struct sdw_stream_runtime *sruntime = data->sruntime[cpu_dai->id]; + struct sdw_stream_runtime *sruntime = qcom_snd_sdw_get_stream(substream); data->sruntime[cpu_dai->id] = NULL; sdw_release_stream(sruntime); -- 2.51.0

1 month, 1 week

1
1
0 0

[syzbot ci] Re: Fix stale IOTLB entries for kernel address space

by syzbot ci

syzbot ci has tested the following series [v6] Fix stale IOTLB entries for kernel address space https://lore.kernel.org/all/20251014130437.1090448-1-baolu.lu@linux.intel.c… * [PATCH v6 1/7] mm: Add a ptdesc flag to mark kernel page tables * [PATCH v6 2/7] mm: Actually mark kernel page table pages * [PATCH v6 3/7] x86/mm: Use 'ptdesc' when freeing PMD pages * [PATCH v6 4/7] mm: Introduce pure page table freeing function * [PATCH v6 5/7] x86/mm: Use pagetable_free() * [PATCH v6 6/7] mm: Introduce deferred freeing for kernel page tables * [PATCH v6 7/7] iommu/sva: Invalidate stale IOTLB entries for kernel address space and found the following issues: * KASAN: use-after-free Read in pmd_set_huge * KASAN: use-after-free Read in vmap_range_noflush * PANIC: double fault in search_extable Full report is available here: https://ci.syzbot.org/series/9d75a765-d6b2-4839-8db9-2f2e64e78cdd *** KASAN: use-after-free Read in pmd_set_huge tree: torvalds URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux base: 0d97f2067c166eb495771fede9f7b73999c67f66 arch: amd64 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 config: https://ci.syzbot.org/builds/68e38247-432a-45b2-b187-a533b7040841/config syz repro: https://ci.syzbot.org/findings/ce54ec93-1f21-4deb-b2f8-d34917bd1be2/syz_rep… ================================================================== BUG: KASAN: use-after-free in pmd_set_huge+0xd8/0x340 arch/x86/mm/pgtable.c:676 Read of size 8 at addr ffff888100efa960 by task syz.0.20/5965 CPU: 1 UID: 0 PID: 5965 Comm: syz.0.20 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 pmd_set_huge+0xd8/0x340 arch/x86/mm/pgtable.c:676 vmap_try_huge_pmd mm/vmalloc.c:161 [inline] vmap_pmd_range mm/vmalloc.c:177 [inline] vmap_pud_range mm/vmalloc.c:233 [inline] vmap_p4d_range mm/vmalloc.c:284 [inline] vmap_range_noflush+0x7b3/0xf80 mm/vmalloc.c:308 __vmap_pages_range_noflush+0xd31/0xf30 mm/vmalloc.c:661 vmap_pages_range_noflush mm/vmalloc.c:681 [inline] vmap_pages_range mm/vmalloc.c:701 [inline] __vmalloc_area_node mm/vmalloc.c:3766 [inline] __vmalloc_node_range_noprof+0xe8c/0x12d0 mm/vmalloc.c:3897 __kvmalloc_node_noprof+0x674/0x910 mm/slub.c:7058 nf_tables_newset+0x1330/0x2540 net/netfilter/nf_tables_api.c:5548 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:526 [inline] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:649 [inline] nfnetlink_rcv+0x11d9/0x2590 net/netfilter/nfnetlink.c:667 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:742 ____sys_sendmsg+0x505/0x830 net/socket.c:2630 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2684 __sys_sendmsg net/socket.c:2716 [inline] __do_sys_sendmsg net/socket.c:2721 [inline] __se_sys_sendmsg net/socket.c:2719 [inline] __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2719 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fc5fff8eec9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fc600ecb038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fc6001e5fa0 RCX: 00007fc5fff8eec9 RDX: 0000000004008100 RSI: 00002000000000c0 RDI: 0000000000000003 RBP: 00007fc600011f91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fc6001e6038 R14: 00007fc6001e5fa0 R15: 00007ffed63a0428 </TASK> The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100efa flags: 0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff) raw: 017ff00000000000 ffffea0004772f88 ffff88823c6403a0 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Unmovable, gfp_mask 0x40100(__GFP_ZERO|__GFP_COMP), pid 0, tgid 0 (swapper/0), ts 1659724794, free_ts 71235002142 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1850 prep_new_page mm/page_alloc.c:1858 [inline] get_page_from_freelist+0x2365/0x2440 mm/page_alloc.c:3884 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5183 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416 alloc_frozen_pages_noprof mm/mempolicy.c:2487 [inline] alloc_pages_noprof+0xa9/0x190 mm/mempolicy.c:2507 pagetable_alloc_noprof include/linux/mm.h:3016 [inline] pmd_alloc_one_noprof include/asm-generic/pgalloc.h:144 [inline] __pmd_alloc+0x3a/0x5d0 mm/memory.c:6573 pmd_alloc_track mm/pgalloc-track.h:37 [inline] vmap_pages_pmd_range mm/vmalloc.c:564 [inline] vmap_pages_pud_range mm/vmalloc.c:587 [inline] vmap_pages_p4d_range mm/vmalloc.c:605 [inline] vmap_small_pages_range_noflush mm/vmalloc.c:627 [inline] __vmap_pages_range_noflush+0x9cc/0xf30 mm/vmalloc.c:656 vmap_pages_range_noflush mm/vmalloc.c:681 [inline] vmap_pages_range mm/vmalloc.c:701 [inline] vmap+0x1ca/0x310 mm/vmalloc.c:3521 map_irq_stack arch/x86/kernel/irq_64.c:49 [inline] irq_init_percpu_irqstack+0x342/0x4a0 arch/x86/kernel/irq_64.c:76 init_IRQ+0x15c/0x1c0 arch/x86/kernel/irqinit.c:90 start_kernel+0x1cd/0x410 init/main.c:1016 x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310 x86_64_start_kernel+0x143/0x1c0 arch/x86/kernel/head64.c:291 common_startup_64+0x13e/0x147 page last free pid 5965 tgid 5964 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1394 [inline] __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2906 pmd_free_pte_page+0xa1/0xc0 arch/x86/mm/pgtable.c:783 vmap_try_huge_pmd mm/vmalloc.c:158 [inline] vmap_pmd_range mm/vmalloc.c:177 [inline] vmap_pud_range mm/vmalloc.c:233 [inline] vmap_p4d_range mm/vmalloc.c:284 [inline] vmap_range_noflush+0x774/0xf80 mm/vmalloc.c:308 __vmap_pages_range_noflush+0xd31/0xf30 mm/vmalloc.c:661 vmap_pages_range_noflush mm/vmalloc.c:681 [inline] vmap_pages_range mm/vmalloc.c:701 [inline] __vmalloc_area_node mm/vmalloc.c:3766 [inline] __vmalloc_node_range_noprof+0xe8c/0x12d0 mm/vmalloc.c:3897 __kvmalloc_node_noprof+0x674/0x910 mm/slub.c:7058 nf_tables_newset+0x1330/0x2540 net/netfilter/nf_tables_api.c:5548 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:526 [inline] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:649 [inline] nfnetlink_rcv+0x11d9/0x2590 net/netfilter/nfnetlink.c:667 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:742 ____sys_sendmsg+0x505/0x830 net/socket.c:2630 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2684 __sys_sendmsg net/socket.c:2716 [inline] __do_sys_sendmsg net/socket.c:2721 [inline] __se_sys_sendmsg net/socket.c:2719 [inline] __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2719 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff888100efa800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888100efa880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888100efa900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888100efa980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888100efaa00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== *** KASAN: use-after-free Read in vmap_range_noflush tree: torvalds URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux base: 0d97f2067c166eb495771fede9f7b73999c67f66 arch: amd64 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 config: https://ci.syzbot.org/builds/68e38247-432a-45b2-b187-a533b7040841/config C repro: https://ci.syzbot.org/findings/b676cfe4-8c9a-435c-aa8f-7315912fa378/c_repro syz repro: https://ci.syzbot.org/findings/b676cfe4-8c9a-435c-aa8f-7315912fa378/syz_rep… ================================================================== BUG: KASAN: use-after-free in vmap_try_huge_pmd mm/vmalloc.c:158 [inline] BUG: KASAN: use-after-free in vmap_pmd_range mm/vmalloc.c:177 [inline] BUG: KASAN: use-after-free in vmap_pud_range mm/vmalloc.c:233 [inline] BUG: KASAN: use-after-free in vmap_p4d_range mm/vmalloc.c:284 [inline] BUG: KASAN: use-after-free in vmap_range_noflush+0x743/0xf80 mm/vmalloc.c:308 Read of size 8 at addr ffff888100efa128 by task syz.0.17/5955 CPU: 1 UID: 0 PID: 5955 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 vmap_try_huge_pmd mm/vmalloc.c:158 [inline] vmap_pmd_range mm/vmalloc.c:177 [inline] vmap_pud_range mm/vmalloc.c:233 [inline] vmap_p4d_range mm/vmalloc.c:284 [inline] vmap_range_noflush+0x743/0xf80 mm/vmalloc.c:308 __vmap_pages_range_noflush+0xd31/0xf30 mm/vmalloc.c:661 vmap_pages_range_noflush mm/vmalloc.c:681 [inline] vmap_pages_range mm/vmalloc.c:701 [inline] __vmalloc_area_node mm/vmalloc.c:3766 [inline] __vmalloc_node_range_noprof+0xe8c/0x12d0 mm/vmalloc.c:3897 __kvmalloc_node_noprof+0x674/0x910 mm/slub.c:7058 kvmalloc_array_node_noprof include/linux/slab.h:1122 [inline] bpf_uprobe_multi_link_attach+0x54b/0xee0 kernel/trace/bpf_trace.c:3228 link_create+0x673/0x850 kernel/bpf/syscall.c:5721 __sys_bpf+0x6be/0x860 kernel/bpf/syscall.c:6204 __do_sys_bpf kernel/bpf/syscall.c:6244 [inline] __se_sys_bpf kernel/bpf/syscall.c:6242 [inline] __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6242 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f3d8e78eec9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f3d8f64c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f3d8e9e5fa0 RCX: 00007f3d8e78eec9 RDX: 0000000000000040 RSI: 00002000000005c0 RDI: 000000000000001c RBP: 00007f3d8e811f91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f3d8e9e6038 R14: 00007f3d8e9e5fa0 R15: 00007ffe8caa72c8 </TASK> The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100efa flags: 0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff) raw: 017ff00000000000 ffffea00044109c8 ffff88823c6403a0 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Unmovable, gfp_mask 0x40100(__GFP_ZERO|__GFP_COMP), pid 0, tgid 0 (swapper/0), ts 1684936790, free_ts 91274246476 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1850 prep_new_page mm/page_alloc.c:1858 [inline] get_page_from_freelist+0x2365/0x2440 mm/page_alloc.c:3884 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5183 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416 alloc_frozen_pages_noprof mm/mempolicy.c:2487 [inline] alloc_pages_noprof+0xa9/0x190 mm/mempolicy.c:2507 pagetable_alloc_noprof include/linux/mm.h:3016 [inline] pmd_alloc_one_noprof include/asm-generic/pgalloc.h:144 [inline] __pmd_alloc+0x3a/0x5d0 mm/memory.c:6573 pmd_alloc_track mm/pgalloc-track.h:37 [inline] vmap_pages_pmd_range mm/vmalloc.c:564 [inline] vmap_pages_pud_range mm/vmalloc.c:587 [inline] vmap_pages_p4d_range mm/vmalloc.c:605 [inline] vmap_small_pages_range_noflush mm/vmalloc.c:627 [inline] __vmap_pages_range_noflush+0x9cc/0xf30 mm/vmalloc.c:656 vmap_pages_range_noflush mm/vmalloc.c:681 [inline] vmap_pages_range mm/vmalloc.c:701 [inline] vmap+0x1ca/0x310 mm/vmalloc.c:3521 map_irq_stack arch/x86/kernel/irq_64.c:49 [inline] irq_init_percpu_irqstack+0x342/0x4a0 arch/x86/kernel/irq_64.c:76 init_IRQ+0x15c/0x1c0 arch/x86/kernel/irqinit.c:90 start_kernel+0x1cd/0x410 init/main.c:1016 x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310 x86_64_start_kernel+0x143/0x1c0 arch/x86/kernel/head64.c:291 common_startup_64+0x13e/0x147 page last free pid 5892 tgid 5892 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1394 [inline] __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2906 __pagetable_free include/linux/mm.h:3026 [inline] kernel_pgtable_work_func+0x276/0x2e0 mm/pgtable-generic.c:436 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Memory state around the buggy address: ffff888100efa000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888100efa080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888100efa100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888100efa180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888100efa200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== *** PANIC: double fault in search_extable tree: torvalds URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux base: 0d97f2067c166eb495771fede9f7b73999c67f66 arch: amd64 compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 config: https://ci.syzbot.org/builds/68e38247-432a-45b2-b187-a533b7040841/config syz repro: https://ci.syzbot.org/findings/967ed946-aab2-484a-8267-954586f5962b/syz_rep… traps: PANIC: double fault, error_code: 0x0 Oops: double fault: 0000 [#1] SMP KASAN PTI CPU: 1 UID: 0 PID: 5921 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:search_extable+0x69/0xd0 lib/extable.c:115 Code: 8d 48 c7 44 24 10 20 50 40 8b 49 89 e5 49 c1 ed 03 48 b8 f1 f1 f1 f1 00 f3 f3 f3 49 bc 00 00 00 00 00 fc ff df 4b 89 44 25 00 <e8> 12 45 7f f6 48 89 5c 24 20 b9 0c 00 00 00 48 8d 7c 24 20 4c 89 RSP: 0018:ffffc90003e5f000 EFLAGS: 00010806 RAX: f3f3f300f1f1f1f1 RBX: ffffffff8b4b123e RCX: 0000000000001c56 RDX: ffffffff8b4b123e RSI: 0000000000000972 RDI: ffffffff8dc137d0 RBP: ffffc90003e5f0a0 R08: 0000000000000001 R09: 0000000000000002 R10: 0000000000000011 R11: 0000000000000000 R12: dffffc0000000000 R13: 1ffff920007cbe00 R14: 0000000000000972 R15: ffffffff8dc137d0 FS: 000055558b2ef500(0000) GS:ffff8882a9d0f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc90003e5eff8 CR3: 00000001ba5ea000 CR4: 00000000000006f0 Call Trace: <TASK> search_kernel_exception_table kernel/extable.c:49 [inline] search_exception_tables+0x3a/0x60 kernel/extable.c:58 fixup_exception+0xb1/0x20b0 arch/x86/mm/extable.c:319 kernelmode_fixup_or_oops+0x68/0xf0 arch/x86/mm/fault.c:726 __bad_area_nosemaphore+0x11a/0x780 arch/x86/mm/fault.c:783 handle_page_fault arch/x86/mm/fault.c:1474 [inline] exc_page_fault+0xcf/0x100 arch/x86/mm/fault.c:1532 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 RIP: 0010:in_irq_stack arch/x86/kernel/dumpstack_64.c:165 [inline] RIP: 0010:get_stack_info_noinstr+0xee/0x130 arch/x86/kernel/dumpstack_64.c:182 Code: 08 48 8d 90 08 80 ff ff 49 39 d7 40 0f 92 c6 49 39 cf 40 0f 93 c7 40 08 f7 75 27 41 c7 06 02 00 00 00 49 89 56 08 49 89 4e 10 <48> 8b 00 49 89 46 18 89 d8 5b 41 5c 41 5d 41 5e 41 5f e9 8b 12 03 RSP: 0018:ffffc90003e5f470 EFLAGS: 00010046 RAX: ffffc90000a08ff8 RBX: ffff88816ac1ba01 RCX: ffffc90000a09000 RDX: ffffc90000a01000 RSI: ffffffff8d837700 RDI: ffffffff8bc07500 RBP: ffffc90003e5f630 R08: ffffc90003e5f500 R09: 0000000000000000 R10: ffffc90003e5f5a0 R11: fffff520007cbeb8 R12: ffff88816ac1ba00 R13: fffffe000004f000 R14: ffffc90003e5f5a0 R15: ffffc90000a08ff8 get_stack_guard_info arch/x86/include/asm/stacktrace.h:45 [inline] page_fault_oops+0x12a/0xa10 arch/x86/mm/fault.c:663 __bad_area_nosemaphore+0x11a/0x780 arch/x86/mm/fault.c:783 handle_page_fault arch/x86/mm/fault.c:1474 [inline] exc_page_fault+0xcf/0x100 arch/x86/mm/fault.c:1532 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 RIP: 0010:instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline] RIP: 0010:sysvec_apic_timer_interrupt+0x8e/0xc0 arch/x86/kernel/apic/apic.c:1052 Code: 00 00 48 c7 c7 c0 b4 67 8b e8 ae 23 00 00 65 c6 05 50 d7 45 07 01 48 c7 c7 a0 b4 67 8b e8 9a 23 00 00 65 4c 8b 1d 02 d7 45 07 <49> 89 23 4c 89 dc e8 77 23 39 f6 48 89 df e8 4f 2f 25 f6 e8 8a 24 RSP: 0018:ffffc90003e5f830 EFLAGS: 00010082 RAX: 0000000000000001 RBX: ffffc90003e5f848 RCX: 4d01a0d08cb75600 RDX: 0000000000000000 RSI: ffffffff8b67b4a0 RDI: ffffffff8bc07560 RBP: 0000000000000000 R08: ffffffff8f9e1177 R09: 1ffffffff1f3c22e R10: dffffc0000000000 R11: ffffc90000a08ff8 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:check_preemption_disabled+0x0/0x120 lib/smp_processor_id.c:13 Code: c7 00 75 c0 8b 48 c7 c6 40 75 c0 8b eb 1c 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <55> 41 57 41 56 53 48 83 ec 10 65 48 8b 05 ae b4 45 07 48 89 44 24 RSP: 0018:ffffc90003e5f8f0 EFLAGS: 00000282 RAX: 0000000000000000 RBX: 00007f5f1858e627 RCX: dffffc0000000000 RDX: 0000000000000000 RSI: ffffffff8bc07540 RDI: ffffffff8bc07500 RBP: 0000000000000001 R08: 0000000000000022 R09: ffffffff81731d25 R10: ffffc90003e5f9b8 R11: ffffffff81abbe80 R12: ffff88816ac1ba00 R13: dffffc0000000000 R14: dffffc0000000000 R15: 1ffff920007cbf36 rcu_is_watching_curr_cpu include/linux/context_tracking.h:128 [inline] rcu_is_watching+0x15/0xb0 kernel/rcu/tree.c:751 kernel_text_address+0x80/0xe0 kernel/extable.c:113 __kernel_text_address+0xd/0x40 kernel/extable.c:79 unwind_get_return_address+0x4d/0x90 arch/x86/kernel/unwind_orc.c:369 arch_stack_walk+0xfc/0x150 arch/x86/kernel/stacktrace.c:26 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122 ref_tracker_free+0xef/0x7d0 lib/ref_tracker.c:307 __netns_tracker_free include/net/net_namespace.h:379 [inline] put_net_track include/net/net_namespace.h:394 [inline] __sk_destruct+0x3c3/0x660 net/core/sock.c:2368 sock_put include/net/sock.h:1972 [inline] unix_release_sock+0xa7b/0xd50 net/unix/af_unix.c:732 unix_release+0x92/0xd0 net/unix/af_unix.c:1196 __sock_release net/socket.c:662 [inline] sock_close+0xc3/0x240 net/socket.c:1455 __fput+0x44c/0xa70 fs/file_table.c:468 fput_close_sync+0x119/0x200 fs/file_table.c:573 __do_sys_close fs/open.c:1589 [inline] __se_sys_close fs/open.c:1574 [inline] __x64_sys_close+0x7f/0x110 fs/open.c:1574 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5f1858e627 Code: 44 00 00 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb bc 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8 RSP: 002b:00007ffec60e5be8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f5f1858e627 RDX: 0000000000000000 RSI: 0000000000008933 RDI: 0000000000000005 RBP: 00007ffec60e5bf0 R08: 000000000000000a R09: 0000000000000001 R10: 000000000000000f R11: 0000000000000246 R12: 0000000000000024 R13: 000000000000002d R14: 00007f5f19314620 R15: 0000000000000024 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:search_extable+0x69/0xd0 lib/extable.c:115 Code: 8d 48 c7 44 24 10 20 50 40 8b 49 89 e5 49 c1 ed 03 48 b8 f1 f1 f1 f1 00 f3 f3 f3 49 bc 00 00 00 00 00 fc ff df 4b 89 44 25 00 <e8> 12 45 7f f6 48 89 5c 24 20 b9 0c 00 00 00 48 8d 7c 24 20 4c 89 RSP: 0018:ffffc90003e5f000 EFLAGS: 00010806 RAX: f3f3f300f1f1f1f1 RBX: ffffffff8b4b123e RCX: 0000000000001c56 RDX: ffffffff8b4b123e RSI: 0000000000000972 RDI: ffffffff8dc137d0 RBP: ffffc90003e5f0a0 R08: 0000000000000001 R09: 0000000000000002 R10: 0000000000000011 R11: 0000000000000000 R12: dffffc0000000000 R13: 1ffff920007cbe00 R14: 0000000000000972 R15: ffffffff8dc137d0 FS: 000055558b2ef500(0000) GS:ffff8882a9d0f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc90003e5eff8 CR3: 00000001ba5ea000 CR4: 00000000000006f0 ---------------- Code disassembly (best guess): 0: 8d 48 c7 lea -0x39(%rax),%ecx 3: 44 24 10 rex.R and $0x10,%al 6: 20 50 40 and %dl,0x40(%rax) 9: 8b 49 89 mov -0x77(%rcx),%ecx c: e5 49 in $0x49,%eax e: c1 ed 03 shr $0x3,%ebp 11: 48 b8 f1 f1 f1 f1 00 movabs $0xf3f3f300f1f1f1f1,%rax 18: f3 f3 f3 1b: 49 bc 00 00 00 00 00 movabs $0xdffffc0000000000,%r12 22: fc ff df 25: 4b 89 44 25 00 mov %rax,0x0(%r13,%r12,1) * 2a: e8 12 45 7f f6 call 0xf67f4541 <-- trapping instruction 2f: 48 89 5c 24 20 mov %rbx,0x20(%rsp) 34: b9 0c 00 00 00 mov $0xc,%ecx 39: 48 8d 7c 24 20 lea 0x20(%rsp),%rdi 3e: 4c rex.WR 3f: 89 .byte 0x89 *** If these findings have caused you to resend the series or submit a separate fix, please add the following tag to your commit message: Tested-by: syzbot(a)syzkaller.appspotmail.com --- This report is generated by a bot. It may contain errors. syzbot ci engineers can be reached at syzkaller(a)googlegroups.com.

1 month, 1 week

4
6
0 0

[DISCUSSION] Fixing bad pmd due to a race condition between change_prot_numa() and THP migration in pre-6.5 kernels.

by Harry Yoo

Hi. This is supposed to be a patch, but I think it's worth discussing how it should be backported to -stable, so I've labeled it as [DISCUSSION]. The bug described below was unintentionally fixed in v6.5 and not backported to -stable. So technically I would need to use "Option 3" [A], but since the original patch [B] did not intend to fix a bug (and it's also part of a larger patch series), it looks quite different from the patch below, and I'm not sure what the backport should look like. I think there are probably two options: 1. Provide the description of the original patch along with a very long, detailed explanation of why the patch deviates from the upstream version, or 2. Post the patch below with a clarification that it was fixed upstream by commit 670ddd8cdcbd1. Any thoughts? [A] https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html#opt… [B] https://lkml.kernel.org/r/725a42a9-91e9-c868-925-e3a5fd40bb4f@google.com (Upstream commit 670ddd8cdcbd1) In any case, no matter how we backport this, it needs some review and feedback would be appreciated. The patch applies to v6.1 and v5.15, and v5.10 but not v5.4. From cf45867ab8e48b42160b7253390db7bdecef1455 Mon Sep 17 00:00:00 2001 From: Harry Yoo <harry.yoo(a)oracle.com> Date: Thu, 11 Sep 2025 20:05:40 +0900 Subject: [PATCH] mm, numa: fix bad pmd by atomically checking is_swap_pmd() in change_prot_numa() It was observed that a bad pmd is seen when automatic NUMA balancing is marking page table entries as prot_numa: [2437548.196018] mm/pgtable-generic.c:50: bad pmd 00000000af22fc02(dffffffe71fbfe02) With some kernel modification, the call stack was dumped: [2437548.235022] Call Trace: [2437548.238234] <TASK> [2437548.241060] dump_stack_lvl+0x46/0x61 [2437548.245689] panic+0x106/0x2e5 [2437548.249497] pmd_clear_bad+0x3c/0x3c [2437548.253967] change_pmd_range.isra.0+0x34d/0x3a7 [2437548.259537] change_p4d_range+0x156/0x20e [2437548.264392] change_protection_range+0x116/0x1a9 [2437548.269976] change_prot_numa+0x15/0x37 [2437548.274774] task_numa_work+0x1b8/0x302 [2437548.279512] task_work_run+0x62/0x95 [2437548.283882] exit_to_user_mode_loop+0x1a4/0x1a9 [2437548.289277] exit_to_user_mode_prepare+0xf4/0xfc [2437548.294751] ? sysvec_apic_timer_interrupt+0x34/0x81 [2437548.300677] irqentry_exit_to_user_mode+0x5/0x25 [2437548.306153] asm_sysvec_apic_timer_interrupt+0x16/0x1b This is due to a race condition between change_prot_numa() and THP migration because the kernel doesn't check is_swap_pmd() and pmd_trans_huge() atomically: change_prot_numa() THP migration ====================================================================== - change_pmd_range() -> is_swap_pmd() returns false, meaning it's not a PMD migration entry. - do_huge_pmd_numa_page() -> migrate_misplaced_page() sets migration entries for the THP. - change_pmd_range() -> pmd_none_or_clear_bad_unless_trans_huge() -> pmd_none() and pmd_trans_huge() returns false - pmd_none_or_clear_bad_unless_trans_huge() -> pmd_bad() returns true for the migration entry! For the race condition described above to occur: 1) AutoNUMA must be unmapping a range of pages, with at least part of the range already unmapped by AutoNUMA. 2) While AutoNUMA is in the process of unmapping, a NUMA hinting fault occurs within that range, specifically when we are about to unmap the PMD entry, between the is_swap_pmd() and pmd_trans_huge() checks. So this is a really rare race condition and it's observed that it takes usually a few days of autonuma-intensive testing to trigger. A bit of history on a similar race condition in the past: In fact, a similar race condition caused by not checking pmd_trans_huge() atomically was reported [1] in 2017. However, instead of the patch [1], another patch series [3] fixed the problem [2] by not clearing the pmd entry but invaliding it instead (so that pmd_trans_huge() would still return true). Despite patch series [3], the bad pmd error continued to be reported in mainline. As a result, [1] was resurrected [4] and it landed mainline in 2020 in a hope that it would resolve the issue. However, now it turns out that [3] was not sufficient. Fix this race condition by checking is_swap_pmd() and pmd_trans_huge() atomically. With that, the kernel should see either pmd_trans_huge() == true, or is_swap_pmd() == true when another task is migrating the page concurrently. This bug was introduced when THP migration support was added. More specifically, by commit 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path")). It is unintentionally fixed since v6.5 by commit 670ddd8cdcbd1 ("mm/mprotect: delete pmd_none_or_clear_bad_unless_trans_huge()") while removing pmd_none_or_clear_bad_unless_trans_huge() function. But it's not backported to -stable because it was fixed unintentionally. Link: https://lore.kernel.org/linux-mm/20170410094825.2yfo5zehn7pchg6a@techsingul… [1] Link: https://lore.kernel.org/linux-mm/8A6309F4-DB76-48FA-BE7F-BF9536A4C4E5@cs.ru… [2] Link: https://lore.kernel.org/linux-mm/20170302151034.27829-1-kirill.shutemov@lin… [3] Link: https://lore.kernel.org/linux-mm/20200216191800.22423-1-aquini@redhat.com [4] Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path") Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> --- mm/mprotect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mm/mprotect.c b/mm/mprotect.c index 668bfaa6ed2a..c0e796c0f9b0 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -303,7 +303,7 @@ static inline int pmd_none_or_clear_bad_unless_trans_huge(pmd_t *pmd) if (pmd_none(pmdval)) return 1; - if (pmd_trans_huge(pmdval)) + if (is_swap_pmd(pmdval) || pmd_trans_huge(pmdval)) return 0; if (unlikely(pmd_bad(pmdval))) { pmd_clear_bad(pmd); @@ -373,7 +373,7 @@ static inline unsigned long change_pmd_range(struct mmu_gather *tlb, * Hence, it's necessary to atomically read the PMD value * for all the checks. */ - if (!is_swap_pmd(*pmd) && !pmd_devmap(*pmd) && + if (!pmd_devmap(*pmd) && pmd_none_or_clear_bad_unless_trans_huge(pmd)) goto next; -- 2.43.0

1 month, 1 week

2
9
0 0

[PATCH 6.12.y] drm/amd/display: fix dmub access race condition

by Timothy Pearson

From: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Justificiation: This fixes DisplayPort lockups on Polaris GPUs during DPMS transitions, which have been a major headache on our POWER9 platforms. Backport to Debian stable kernel version. [ Upstream commit c210b757b400959577a5a17b783b5959b82baed8 ] Accessing DC from amdgpu_dm is usually preceded by acquisition of dc_lock mutex. Most of the DC API that DM calls are under a DC lock. However, there are a few that are not. Some DC API called from interrupt context end up sending DMUB commands via a DC API, while other threads were using DMUB. This was apparent from a race between calls for setting idle optimization enable/disable and the DC API to set vmin/vmax. Offload the call to dc_stream_adjust_vmin_vmax() to a thread instead of directly calling them from the interrupt handler such that it waits for dc_lock. [Timothy Pearson] Modified header file patch to apply to 6.12 Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> Signed-off-by: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Signed-off-by: Roman Li <roman.li(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Timothy Pearson <tpearson(a)raptorengineering.com> --- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 55 +++++++++++++++++-- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 14 +++++ 2 files changed, 63 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index b02ff92bae0b..fd6d66832ccf 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -533,6 +533,50 @@ static void dm_pflip_high_irq(void *interrupt_params) amdgpu_crtc->crtc_id, amdgpu_crtc, vrr_active, (int)!e); } +static void dm_handle_vmin_vmax_update(struct work_struct *offload_work) +{ + struct vupdate_offload_work *work = container_of(offload_work, struct vupdate_offload_work, work); + struct amdgpu_device *adev = work->adev; + struct dc_stream_state *stream = work->stream; + struct dc_crtc_timing_adjust *adjust = work->adjust; + + mutex_lock(&adev->dm.dc_lock); + dc_stream_adjust_vmin_vmax(adev->dm.dc, stream, adjust); + mutex_unlock(&adev->dm.dc_lock); + + dc_stream_release(stream); + kfree(work->adjust); + kfree(work); +} + +static void schedule_dc_vmin_vmax(struct amdgpu_device *adev, + struct dc_stream_state *stream, + struct dc_crtc_timing_adjust *adjust) +{ + struct vupdate_offload_work *offload_work = kzalloc(sizeof(*offload_work), GFP_KERNEL); + if (!offload_work) { + drm_dbg_driver(adev_to_drm(adev), "Failed to allocate vupdate_offload_work\n"); + return; + } + + struct dc_crtc_timing_adjust *adjust_copy = kzalloc(sizeof(*adjust_copy), GFP_KERNEL); + if (!adjust_copy) { + drm_dbg_driver(adev_to_drm(adev), "Failed to allocate adjust_copy\n"); + kfree(offload_work); + return; + } + + dc_stream_retain(stream); + memcpy(adjust_copy, adjust, sizeof(*adjust_copy)); + + INIT_WORK(&offload_work->work, dm_handle_vmin_vmax_update); + offload_work->adev = adev; + offload_work->stream = stream; + offload_work->adjust = adjust_copy; + + queue_work(system_wq, &offload_work->work); +} + static void dm_vupdate_high_irq(void *interrupt_params) { struct common_irq_params *irq_params = interrupt_params; @@ -582,10 +626,9 @@ static void dm_vupdate_high_irq(void *interrupt_params) acrtc->dm_irq_params.stream, &acrtc->dm_irq_params.vrr_params); - dc_stream_adjust_vmin_vmax( - adev->dm.dc, - acrtc->dm_irq_params.stream, - &acrtc->dm_irq_params.vrr_params.adjust); + schedule_dc_vmin_vmax(adev, + acrtc->dm_irq_params.stream, + &acrtc->dm_irq_params.vrr_params.adjust); spin_unlock_irqrestore(&adev_to_drm(adev)->event_lock, flags); } } @@ -675,8 +718,8 @@ static void dm_crtc_high_irq(void *interrupt_params) acrtc->dm_irq_params.stream, &acrtc->dm_irq_params.vrr_params); - dc_stream_adjust_vmin_vmax(adev->dm.dc, acrtc->dm_irq_params.stream, - &acrtc->dm_irq_params.vrr_params.adjust); + schedule_dc_vmin_vmax(adev, acrtc->dm_irq_params.stream, + &acrtc->dm_irq_params.vrr_params.adjust); } /* diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h index 9603352ee094..aa99e226a381 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h @@ -1012,4 +1012,18 @@ void dm_free_gpu_mem(struct amdgpu_device *adev, bool amdgpu_dm_is_headless(struct amdgpu_device *adev); +/** + * struct dm_vupdate_work - Work data for periodic action in idle + * @work: Kernel work data for the work event + * @adev: amdgpu_device back pointer + * @stream: DC stream associated with the crtc + * @adjust: DC CRTC timing adjust to be applied to the crtc + */ +struct vupdate_offload_work { + struct work_struct work; + struct amdgpu_device *adev; + struct dc_stream_state *stream; + struct dc_crtc_timing_adjust *adjust; +}; + #endif /* __AMDGPU_DM_H__ */ -- 2.47.2

1 month, 1 week

2
2
0 0

[PATCH 0/3] gpio: idio-16: Fix regmap initialization errors

by William Breathitt Gray

The migration of IDIO-16 GPIO drivers to the regmap API resulted in some regressions to the gpio-104-idio-16, gpio-pci-idio-16, and gpio-idio-16 modules. Specifically, the 104-idio-16 and pci-idio-16 GPIO drivers utilize regmap caching and thus must set max_register for their regmap_config, while gpio-idio-16 requires fixed_direction_output to represent the fixed direction of the IDIO-16 GPIO lines. Fixes for these regressions are provided by this series. Link: https://lore.kernel.org/r/cover.1680618405.git.william.gray@linaro.org Link: https://lore.kernel.org/r/9b0375fd-235f-4ee1-a7fa-daca296ef6bf@nutanix.com Signed-off-by: William Breathitt Gray <wbg(a)kernel.org> --- William Breathitt Gray (3): gpio: 104-idio-16: Define maximum valid register address offset gpio: pci-idio-16: Define maximum valid register address offset gpio: idio-16: Define fixed direction of the GPIO lines drivers/gpio/gpio-104-idio-16.c | 1 + drivers/gpio/gpio-idio-16.c | 5 +++++ drivers/gpio/gpio-pci-idio-16.c | 1 + 3 files changed, 7 insertions(+) --- base-commit: eba11116f39533d2e38cc5898014f2c95f32d23a change-id: 20251017-fix-gpio-idio-16-regmap-1282cdc56a19 Best regards, -- William Breathitt Gray <wbg(a)kernel.org>

1 month, 1 week

4
10
0 0

FAILED: patch "[PATCH] HID: multitouch: fix sticky fingers" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 46f781e0d151844589dc2125c8cce3300546f92a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025102008-likewise-rubbing-d48b@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 46f781e0d151844589dc2125c8cce3300546f92a Mon Sep 17 00:00:00 2001 From: Benjamin Tissoires <bentiss(a)kernel.org> Date: Wed, 8 Oct 2025 16:06:58 +0200 Subject: [PATCH] HID: multitouch: fix sticky fingers The sticky fingers quirk (MT_QUIRK_STICKY_FINGERS) was only considering the case when slots were not released during the last report. This can be problematic if the firmware forgets to release a finger while others are still present. This was observed on the Synaptics DLL0945 touchpad found on the Dell XPS 9310 and the Dell Inspiron 5406. Fixes: 4f4001bc76fd ("HID: multitouch: fix rare Win 8 cases when the touch up event gets missing") Cc: stable(a)vger.kernel.org Signed-off-by: Benjamin Tissoires <bentiss(a)kernel.org> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c index 513b8673ad8d..179dc316b4b5 100644 --- a/drivers/hid/hid-multitouch.c +++ b/drivers/hid/hid-multitouch.c @@ -94,9 +94,8 @@ enum report_mode { TOUCHPAD_REPORT_ALL = TOUCHPAD_REPORT_BUTTONS | TOUCHPAD_REPORT_CONTACTS, }; -#define MT_IO_FLAGS_RUNNING 0 -#define MT_IO_FLAGS_ACTIVE_SLOTS 1 -#define MT_IO_FLAGS_PENDING_SLOTS 2 +#define MT_IO_SLOTS_MASK GENMASK(7, 0) /* reserve first 8 bits for slot tracking */ +#define MT_IO_FLAGS_RUNNING 32 static const bool mtrue = true; /* default for true */ static const bool mfalse; /* default for false */ @@ -172,7 +171,11 @@ struct mt_device { struct timer_list release_timer; /* to release sticky fingers */ struct hid_haptic_device *haptic; /* haptic related configuration */ struct hid_device *hdev; /* hid_device we're attached to */ - unsigned long mt_io_flags; /* mt flags (MT_IO_FLAGS_*) */ + unsigned long mt_io_flags; /* mt flags (MT_IO_FLAGS_RUNNING) + * first 8 bits are reserved for keeping the slot + * states, this is fine because we only support up + * to 250 slots (MT_MAX_MAXCONTACT) + */ __u8 inputmode_value; /* InputMode HID feature value */ __u8 maxcontacts; bool is_buttonpad; /* is this device a button pad? */ @@ -986,6 +989,7 @@ static void mt_release_pending_palms(struct mt_device *td, for_each_set_bit(slotnum, app->pending_palm_slots, td->maxcontacts) { clear_bit(slotnum, app->pending_palm_slots); + clear_bit(slotnum, &td->mt_io_flags); input_mt_slot(input, slotnum); input_mt_report_slot_inactive(input); @@ -1019,12 +1023,6 @@ static void mt_sync_frame(struct mt_device *td, struct mt_application *app, app->left_button_state = 0; if (td->is_haptic_touchpad) hid_haptic_pressure_reset(td->haptic); - - if (test_bit(MT_IO_FLAGS_ACTIVE_SLOTS, &td->mt_io_flags)) - set_bit(MT_IO_FLAGS_PENDING_SLOTS, &td->mt_io_flags); - else - clear_bit(MT_IO_FLAGS_PENDING_SLOTS, &td->mt_io_flags); - clear_bit(MT_IO_FLAGS_ACTIVE_SLOTS, &td->mt_io_flags); } static int mt_compute_timestamp(struct mt_application *app, __s32 value) @@ -1202,7 +1200,9 @@ static int mt_process_slot(struct mt_device *td, struct input_dev *input, input_event(input, EV_ABS, ABS_MT_TOUCH_MAJOR, major); input_event(input, EV_ABS, ABS_MT_TOUCH_MINOR, minor); - set_bit(MT_IO_FLAGS_ACTIVE_SLOTS, &td->mt_io_flags); + set_bit(slotnum, &td->mt_io_flags); + } else { + clear_bit(slotnum, &td->mt_io_flags); } return 0; @@ -1337,7 +1337,7 @@ static void mt_touch_report(struct hid_device *hid, * defect. */ if (app->quirks & MT_QUIRK_STICKY_FINGERS) { - if (test_bit(MT_IO_FLAGS_PENDING_SLOTS, &td->mt_io_flags)) + if (td->mt_io_flags & MT_IO_SLOTS_MASK) mod_timer(&td->release_timer, jiffies + msecs_to_jiffies(100)); else @@ -1814,6 +1814,7 @@ static void mt_release_contacts(struct hid_device *hid) for (i = 0; i < mt->num_slots; i++) { input_mt_slot(input_dev, i); input_mt_report_slot_inactive(input_dev); + clear_bit(i, &td->mt_io_flags); } input_mt_sync_frame(input_dev); input_sync(input_dev); @@ -1836,7 +1837,7 @@ static void mt_expired_timeout(struct timer_list *t) */ if (test_and_set_bit_lock(MT_IO_FLAGS_RUNNING, &td->mt_io_flags)) return; - if (test_bit(MT_IO_FLAGS_PENDING_SLOTS, &td->mt_io_flags)) + if (td->mt_io_flags & MT_IO_SLOTS_MASK) mt_release_contacts(hdev); clear_bit_unlock(MT_IO_FLAGS_RUNNING, &td->mt_io_flags); }

1 month, 1 week

4
3
0 0

FAILED: patch "[PATCH] iio: imu: inv_icm42600: Avoid configuring if already" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 466f7a2fef2a4e426f809f79845a1ec1aeb558f4 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101624-legacy-gab-3e94@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 466f7a2fef2a4e426f809f79845a1ec1aeb558f4 Mon Sep 17 00:00:00 2001 From: Sean Nyekjaer <sean(a)geanix.com> Date: Mon, 1 Sep 2025 09:49:15 +0200 Subject: [PATCH] iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended Do as in suspend, skip resume configuration steps if the device is already pm_runtime suspended. This avoids reconfiguring a device that is already in the correct low-power state and ensures that pm_runtime handles the power state transitions properly. Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20250901-icm42pmreg-v3-3-ef1336246960@geanix.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index 41b275ecc7e2..ee780f530dc8 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -837,17 +837,15 @@ static int inv_icm42600_suspend(struct device *dev) struct device *accel_dev; bool wakeup; int accel_conf; - int ret; + int ret = 0; mutex_lock(&st->lock); st->suspended.gyro = st->conf.gyro.mode; st->suspended.accel = st->conf.accel.mode; st->suspended.temp = st->conf.temp_en; - if (pm_runtime_suspended(dev)) { - ret = 0; + if (pm_runtime_suspended(dev)) goto out_unlock; - } /* disable FIFO data streaming */ if (st->fifo.on) { @@ -900,10 +898,13 @@ static int inv_icm42600_resume(struct device *dev) struct inv_icm42600_sensor_state *accel_st = iio_priv(st->indio_accel); struct device *accel_dev; bool wakeup; - int ret; + int ret = 0; mutex_lock(&st->lock); + if (pm_runtime_suspended(dev)) + goto out_unlock; + /* check wakeup capability */ accel_dev = &st->indio_accel->dev; wakeup = st->apex.on && device_may_wakeup(accel_dev);

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] iio: imu: inv_icm42600: Avoid configuring if already" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 466f7a2fef2a4e426f809f79845a1ec1aeb558f4 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101624-blazing-sharpener-111d@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 466f7a2fef2a4e426f809f79845a1ec1aeb558f4 Mon Sep 17 00:00:00 2001 From: Sean Nyekjaer <sean(a)geanix.com> Date: Mon, 1 Sep 2025 09:49:15 +0200 Subject: [PATCH] iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended Do as in suspend, skip resume configuration steps if the device is already pm_runtime suspended. This avoids reconfiguring a device that is already in the correct low-power state and ensures that pm_runtime handles the power state transitions properly. Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20250901-icm42pmreg-v3-3-ef1336246960@geanix.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index 41b275ecc7e2..ee780f530dc8 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -837,17 +837,15 @@ static int inv_icm42600_suspend(struct device *dev) struct device *accel_dev; bool wakeup; int accel_conf; - int ret; + int ret = 0; mutex_lock(&st->lock); st->suspended.gyro = st->conf.gyro.mode; st->suspended.accel = st->conf.accel.mode; st->suspended.temp = st->conf.temp_en; - if (pm_runtime_suspended(dev)) { - ret = 0; + if (pm_runtime_suspended(dev)) goto out_unlock; - } /* disable FIFO data streaming */ if (st->fifo.on) { @@ -900,10 +898,13 @@ static int inv_icm42600_resume(struct device *dev) struct inv_icm42600_sensor_state *accel_st = iio_priv(st->indio_accel); struct device *accel_dev; bool wakeup; - int ret; + int ret = 0; mutex_lock(&st->lock); + if (pm_runtime_suspended(dev)) + goto out_unlock; + /* check wakeup capability */ accel_dev = &st->indio_accel->dev; wakeup = st->apex.on && device_may_wakeup(accel_dev);

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] iio: imu: inv_icm42600: Avoid configuring if already" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 466f7a2fef2a4e426f809f79845a1ec1aeb558f4 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101623-clarify-manhood-adaa@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 466f7a2fef2a4e426f809f79845a1ec1aeb558f4 Mon Sep 17 00:00:00 2001 From: Sean Nyekjaer <sean(a)geanix.com> Date: Mon, 1 Sep 2025 09:49:15 +0200 Subject: [PATCH] iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended Do as in suspend, skip resume configuration steps if the device is already pm_runtime suspended. This avoids reconfiguring a device that is already in the correct low-power state and ensures that pm_runtime handles the power state transitions properly. Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20250901-icm42pmreg-v3-3-ef1336246960@geanix.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index 41b275ecc7e2..ee780f530dc8 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -837,17 +837,15 @@ static int inv_icm42600_suspend(struct device *dev) struct device *accel_dev; bool wakeup; int accel_conf; - int ret; + int ret = 0; mutex_lock(&st->lock); st->suspended.gyro = st->conf.gyro.mode; st->suspended.accel = st->conf.accel.mode; st->suspended.temp = st->conf.temp_en; - if (pm_runtime_suspended(dev)) { - ret = 0; + if (pm_runtime_suspended(dev)) goto out_unlock; - } /* disable FIFO data streaming */ if (st->fifo.on) { @@ -900,10 +898,13 @@ static int inv_icm42600_resume(struct device *dev) struct inv_icm42600_sensor_state *accel_st = iio_priv(st->indio_accel); struct device *accel_dev; bool wakeup; - int ret; + int ret = 0; mutex_lock(&st->lock); + if (pm_runtime_suspended(dev)) + goto out_unlock; + /* check wakeup capability */ accel_dev = &st->indio_accel->dev; wakeup = st->apex.on && device_may_wakeup(accel_dev);

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] iio: imu: inv_icm42600: Avoid configuring if already" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 466f7a2fef2a4e426f809f79845a1ec1aeb558f4 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101623-dry-crummiest-15b3@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 466f7a2fef2a4e426f809f79845a1ec1aeb558f4 Mon Sep 17 00:00:00 2001 From: Sean Nyekjaer <sean(a)geanix.com> Date: Mon, 1 Sep 2025 09:49:15 +0200 Subject: [PATCH] iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended Do as in suspend, skip resume configuration steps if the device is already pm_runtime suspended. This avoids reconfiguring a device that is already in the correct low-power state and ensures that pm_runtime handles the power state transitions properly. Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20250901-icm42pmreg-v3-3-ef1336246960@geanix.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index 41b275ecc7e2..ee780f530dc8 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -837,17 +837,15 @@ static int inv_icm42600_suspend(struct device *dev) struct device *accel_dev; bool wakeup; int accel_conf; - int ret; + int ret = 0; mutex_lock(&st->lock); st->suspended.gyro = st->conf.gyro.mode; st->suspended.accel = st->conf.accel.mode; st->suspended.temp = st->conf.temp_en; - if (pm_runtime_suspended(dev)) { - ret = 0; + if (pm_runtime_suspended(dev)) goto out_unlock; - } /* disable FIFO data streaming */ if (st->fifo.on) { @@ -900,10 +898,13 @@ static int inv_icm42600_resume(struct device *dev) struct inv_icm42600_sensor_state *accel_st = iio_priv(st->indio_accel); struct device *accel_dev; bool wakeup; - int ret; + int ret = 0; mutex_lock(&st->lock); + if (pm_runtime_suspended(dev)) + goto out_unlock; + /* check wakeup capability */ accel_dev = &st->indio_accel->dev; wakeup = st->apex.on && device_may_wakeup(accel_dev);

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] iio: imu: inv_icm42600: Avoid configuring if already" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 466f7a2fef2a4e426f809f79845a1ec1aeb558f4 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101623-attractor-shopper-b67e@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 466f7a2fef2a4e426f809f79845a1ec1aeb558f4 Mon Sep 17 00:00:00 2001 From: Sean Nyekjaer <sean(a)geanix.com> Date: Mon, 1 Sep 2025 09:49:15 +0200 Subject: [PATCH] iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended Do as in suspend, skip resume configuration steps if the device is already pm_runtime suspended. This avoids reconfiguring a device that is already in the correct low-power state and ensures that pm_runtime handles the power state transitions properly. Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20250901-icm42pmreg-v3-3-ef1336246960@geanix.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index 41b275ecc7e2..ee780f530dc8 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -837,17 +837,15 @@ static int inv_icm42600_suspend(struct device *dev) struct device *accel_dev; bool wakeup; int accel_conf; - int ret; + int ret = 0; mutex_lock(&st->lock); st->suspended.gyro = st->conf.gyro.mode; st->suspended.accel = st->conf.accel.mode; st->suspended.temp = st->conf.temp_en; - if (pm_runtime_suspended(dev)) { - ret = 0; + if (pm_runtime_suspended(dev)) goto out_unlock; - } /* disable FIFO data streaming */ if (st->fifo.on) { @@ -900,10 +898,13 @@ static int inv_icm42600_resume(struct device *dev) struct inv_icm42600_sensor_state *accel_st = iio_priv(st->indio_accel); struct device *accel_dev; bool wakeup; - int ret; + int ret = 0; mutex_lock(&st->lock); + if (pm_runtime_suspended(dev)) + goto out_unlock; + /* check wakeup capability */ accel_dev = &st->indio_accel->dev; wakeup = st->apex.on && device_may_wakeup(accel_dev);

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] md: fix mssing blktrace bio split events" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 22f166218f7313e8fe2d19213b5f4b3265f8c39e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101606-eggshell-static-9bca@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 22f166218f7313e8fe2d19213b5f4b3265f8c39e Mon Sep 17 00:00:00 2001 From: Yu Kuai <yukuai3(a)huawei.com> Date: Wed, 10 Sep 2025 14:30:44 +0800 Subject: [PATCH] md: fix mssing blktrace bio split events If bio is split by internal handling like chunksize or badblocks, the corresponding trace_block_split() is missing, resulting in blktrace inability to catch BIO split events and making it harder to analyze the BIO sequence. Cc: stable(a)vger.kernel.org Fixes: 4b1faf931650 ("block: Kill bio_pair_split()") Signed-off-by: Yu Kuai <yukuai3(a)huawei.com> Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/drivers/md/md-linear.c b/drivers/md/md-linear.c index 5d9b08115375..59d7963c7843 100644 --- a/drivers/md/md-linear.c +++ b/drivers/md/md-linear.c @@ -266,6 +266,7 @@ static bool linear_make_request(struct mddev *mddev, struct bio *bio) } bio_chain(split, bio); + trace_block_split(split, bio->bi_iter.bi_sector); submit_bio_noacct(bio); bio = split; } diff --git a/drivers/md/raid0.c b/drivers/md/raid0.c index f1d8811a542a..1ba7d0c090f7 100644 --- a/drivers/md/raid0.c +++ b/drivers/md/raid0.c @@ -472,7 +472,9 @@ static void raid0_handle_discard(struct mddev *mddev, struct bio *bio) bio_endio(bio); return; } + bio_chain(split, bio); + trace_block_split(split, bio->bi_iter.bi_sector); submit_bio_noacct(bio); bio = split; end = zone->zone_end; @@ -620,7 +622,9 @@ static bool raid0_make_request(struct mddev *mddev, struct bio *bio) bio_endio(bio); return true; } + bio_chain(split, bio); + trace_block_split(split, bio->bi_iter.bi_sector); raid0_map_submit_bio(mddev, bio); bio = split; } diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c index f096f4d0fca7..64a1e0b47e87 100644 --- a/drivers/md/raid1.c +++ b/drivers/md/raid1.c @@ -1384,7 +1384,9 @@ static void raid1_read_request(struct mddev *mddev, struct bio *bio, error = PTR_ERR(split); goto err_handle; } + bio_chain(split, bio); + trace_block_split(split, bio->bi_iter.bi_sector); submit_bio_noacct(bio); bio = split; r1_bio->master_bio = bio; @@ -1616,7 +1618,9 @@ static void raid1_write_request(struct mddev *mddev, struct bio *bio, error = PTR_ERR(split); goto err_handle; } + bio_chain(split, bio); + trace_block_split(split, bio->bi_iter.bi_sector); submit_bio_noacct(bio); bio = split; r1_bio->master_bio = bio; diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c index 312e8a0e93e7..3d7b24d6b4eb 100644 --- a/drivers/md/raid10.c +++ b/drivers/md/raid10.c @@ -1209,7 +1209,9 @@ static void raid10_read_request(struct mddev *mddev, struct bio *bio, error = PTR_ERR(split); goto err_handle; } + bio_chain(split, bio); + trace_block_split(split, bio->bi_iter.bi_sector); allow_barrier(conf); submit_bio_noacct(bio); wait_barrier(conf, false); @@ -1495,7 +1497,9 @@ static void raid10_write_request(struct mddev *mddev, struct bio *bio, error = PTR_ERR(split); goto err_handle; } + bio_chain(split, bio); + trace_block_split(split, bio->bi_iter.bi_sector); allow_barrier(conf); submit_bio_noacct(bio); wait_barrier(conf, false); @@ -1679,7 +1683,9 @@ static int raid10_handle_discard(struct mddev *mddev, struct bio *bio) bio_endio(bio); return 0; } + bio_chain(split, bio); + trace_block_split(split, bio->bi_iter.bi_sector); allow_barrier(conf); /* Resend the fist split part */ submit_bio_noacct(split); @@ -1694,7 +1700,9 @@ static int raid10_handle_discard(struct mddev *mddev, struct bio *bio) bio_endio(bio); return 0; } + bio_chain(split, bio); + trace_block_split(split, bio->bi_iter.bi_sector); allow_barrier(conf); /* Resend the second split part */ submit_bio_noacct(bio); diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c index 5112658ef5f6..96a6d63b3d62 100644 --- a/drivers/md/raid5.c +++ b/drivers/md/raid5.c @@ -5493,8 +5493,10 @@ static struct bio *chunk_aligned_read(struct mddev *mddev, struct bio *raid_bio) if (sectors < bio_sectors(raid_bio)) { struct r5conf *conf = mddev->private; + split = bio_split(raid_bio, sectors, GFP_NOIO, &conf->bio_split); bio_chain(split, raid_bio); + trace_block_split(split, raid_bio->bi_iter.bi_sector); submit_bio_noacct(raid_bio); raid_bio = split; }

1 month, 1 week

2
4
0 0

FAILED: patch "[PATCH] iio: imu: inv_icm42600: Simplify pm_runtime setup" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 0792c1984a45ccd7a296d6b8cb78088bc99a212e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101603-magnetism-bonded-4bc7@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0792c1984a45ccd7a296d6b8cb78088bc99a212e Mon Sep 17 00:00:00 2001 From: Sean Nyekjaer <sean(a)geanix.com> Date: Mon, 1 Sep 2025 09:49:13 +0200 Subject: [PATCH] iio: imu: inv_icm42600: Simplify pm_runtime setup Rework the power management in inv_icm42600_core_probe() to use devm_pm_runtime_set_active_enabled(), which simplifies the runtime PM setup by handling activation and enabling in one step. Remove the separate inv_icm42600_disable_pm callback, as it's no longer needed with the devm-managed approach. Using devm_pm_runtime_enable() also fixes the missing disable of autosuspend. Update inv_icm42600_disable_vddio_reg() to only disable the regulator if the device is not suspended i.e. powered-down, preventing unbalanced disables. Also remove redundant error msg on regulator_disable(), the regulator framework already emits an error message when regulator_disable() fails. This simplifies the PM setup and avoids manipulating the usage counter unnecessarily. Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20250901-icm42pmreg-v3-1-ef1336246960@geanix.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index a4d42e7e2180..76d8e4f14d87 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -711,20 +711,12 @@ static void inv_icm42600_disable_vdd_reg(void *_data) static void inv_icm42600_disable_vddio_reg(void *_data) { struct inv_icm42600_state *st = _data; - const struct device *dev = regmap_get_device(st->map); - int ret; + struct device *dev = regmap_get_device(st->map); - ret = regulator_disable(st->vddio_supply); - if (ret) - dev_err(dev, "failed to disable vddio error %d\n", ret); -} + if (pm_runtime_status_suspended(dev)) + return; -static void inv_icm42600_disable_pm(void *_data) -{ - struct device *dev = _data; - - pm_runtime_put_sync(dev); - pm_runtime_disable(dev); + regulator_disable(st->vddio_supply); } int inv_icm42600_core_probe(struct regmap *regmap, int chip, @@ -824,16 +816,14 @@ int inv_icm42600_core_probe(struct regmap *regmap, int chip, return ret; /* setup runtime power management */ - ret = pm_runtime_set_active(dev); + ret = devm_pm_runtime_set_active_enabled(dev); if (ret) return ret; - pm_runtime_get_noresume(dev); - pm_runtime_enable(dev); + pm_runtime_set_autosuspend_delay(dev, INV_ICM42600_SUSPEND_DELAY_MS); pm_runtime_use_autosuspend(dev); - pm_runtime_put(dev); - return devm_add_action_or_reset(dev, inv_icm42600_disable_pm, dev); + return ret; } EXPORT_SYMBOL_NS_GPL(inv_icm42600_core_probe, "IIO_ICM42600");

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] iio: imu: inv_icm42600: Simplify pm_runtime setup" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 0792c1984a45ccd7a296d6b8cb78088bc99a212e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101603-foster-panning-5b9a@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0792c1984a45ccd7a296d6b8cb78088bc99a212e Mon Sep 17 00:00:00 2001 From: Sean Nyekjaer <sean(a)geanix.com> Date: Mon, 1 Sep 2025 09:49:13 +0200 Subject: [PATCH] iio: imu: inv_icm42600: Simplify pm_runtime setup Rework the power management in inv_icm42600_core_probe() to use devm_pm_runtime_set_active_enabled(), which simplifies the runtime PM setup by handling activation and enabling in one step. Remove the separate inv_icm42600_disable_pm callback, as it's no longer needed with the devm-managed approach. Using devm_pm_runtime_enable() also fixes the missing disable of autosuspend. Update inv_icm42600_disable_vddio_reg() to only disable the regulator if the device is not suspended i.e. powered-down, preventing unbalanced disables. Also remove redundant error msg on regulator_disable(), the regulator framework already emits an error message when regulator_disable() fails. This simplifies the PM setup and avoids manipulating the usage counter unnecessarily. Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20250901-icm42pmreg-v3-1-ef1336246960@geanix.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index a4d42e7e2180..76d8e4f14d87 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -711,20 +711,12 @@ static void inv_icm42600_disable_vdd_reg(void *_data) static void inv_icm42600_disable_vddio_reg(void *_data) { struct inv_icm42600_state *st = _data; - const struct device *dev = regmap_get_device(st->map); - int ret; + struct device *dev = regmap_get_device(st->map); - ret = regulator_disable(st->vddio_supply); - if (ret) - dev_err(dev, "failed to disable vddio error %d\n", ret); -} + if (pm_runtime_status_suspended(dev)) + return; -static void inv_icm42600_disable_pm(void *_data) -{ - struct device *dev = _data; - - pm_runtime_put_sync(dev); - pm_runtime_disable(dev); + regulator_disable(st->vddio_supply); } int inv_icm42600_core_probe(struct regmap *regmap, int chip, @@ -824,16 +816,14 @@ int inv_icm42600_core_probe(struct regmap *regmap, int chip, return ret; /* setup runtime power management */ - ret = pm_runtime_set_active(dev); + ret = devm_pm_runtime_set_active_enabled(dev); if (ret) return ret; - pm_runtime_get_noresume(dev); - pm_runtime_enable(dev); + pm_runtime_set_autosuspend_delay(dev, INV_ICM42600_SUSPEND_DELAY_MS); pm_runtime_use_autosuspend(dev); - pm_runtime_put(dev); - return devm_add_action_or_reset(dev, inv_icm42600_disable_pm, dev); + return ret; } EXPORT_SYMBOL_NS_GPL(inv_icm42600_core_probe, "IIO_ICM42600");

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] iio: imu: inv_icm42600: Simplify pm_runtime setup" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 0792c1984a45ccd7a296d6b8cb78088bc99a212e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101602-monogram-ferry-a69a@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0792c1984a45ccd7a296d6b8cb78088bc99a212e Mon Sep 17 00:00:00 2001 From: Sean Nyekjaer <sean(a)geanix.com> Date: Mon, 1 Sep 2025 09:49:13 +0200 Subject: [PATCH] iio: imu: inv_icm42600: Simplify pm_runtime setup Rework the power management in inv_icm42600_core_probe() to use devm_pm_runtime_set_active_enabled(), which simplifies the runtime PM setup by handling activation and enabling in one step. Remove the separate inv_icm42600_disable_pm callback, as it's no longer needed with the devm-managed approach. Using devm_pm_runtime_enable() also fixes the missing disable of autosuspend. Update inv_icm42600_disable_vddio_reg() to only disable the regulator if the device is not suspended i.e. powered-down, preventing unbalanced disables. Also remove redundant error msg on regulator_disable(), the regulator framework already emits an error message when regulator_disable() fails. This simplifies the PM setup and avoids manipulating the usage counter unnecessarily. Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20250901-icm42pmreg-v3-1-ef1336246960@geanix.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index a4d42e7e2180..76d8e4f14d87 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -711,20 +711,12 @@ static void inv_icm42600_disable_vdd_reg(void *_data) static void inv_icm42600_disable_vddio_reg(void *_data) { struct inv_icm42600_state *st = _data; - const struct device *dev = regmap_get_device(st->map); - int ret; + struct device *dev = regmap_get_device(st->map); - ret = regulator_disable(st->vddio_supply); - if (ret) - dev_err(dev, "failed to disable vddio error %d\n", ret); -} + if (pm_runtime_status_suspended(dev)) + return; -static void inv_icm42600_disable_pm(void *_data) -{ - struct device *dev = _data; - - pm_runtime_put_sync(dev); - pm_runtime_disable(dev); + regulator_disable(st->vddio_supply); } int inv_icm42600_core_probe(struct regmap *regmap, int chip, @@ -824,16 +816,14 @@ int inv_icm42600_core_probe(struct regmap *regmap, int chip, return ret; /* setup runtime power management */ - ret = pm_runtime_set_active(dev); + ret = devm_pm_runtime_set_active_enabled(dev); if (ret) return ret; - pm_runtime_get_noresume(dev); - pm_runtime_enable(dev); + pm_runtime_set_autosuspend_delay(dev, INV_ICM42600_SUSPEND_DELAY_MS); pm_runtime_use_autosuspend(dev); - pm_runtime_put(dev); - return devm_add_action_or_reset(dev, inv_icm42600_disable_pm, dev); + return ret; } EXPORT_SYMBOL_NS_GPL(inv_icm42600_core_probe, "IIO_ICM42600");

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] iio: imu: inv_icm42600: Simplify pm_runtime setup" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 0792c1984a45ccd7a296d6b8cb78088bc99a212e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101601-document-unwound-ffc9@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0792c1984a45ccd7a296d6b8cb78088bc99a212e Mon Sep 17 00:00:00 2001 From: Sean Nyekjaer <sean(a)geanix.com> Date: Mon, 1 Sep 2025 09:49:13 +0200 Subject: [PATCH] iio: imu: inv_icm42600: Simplify pm_runtime setup Rework the power management in inv_icm42600_core_probe() to use devm_pm_runtime_set_active_enabled(), which simplifies the runtime PM setup by handling activation and enabling in one step. Remove the separate inv_icm42600_disable_pm callback, as it's no longer needed with the devm-managed approach. Using devm_pm_runtime_enable() also fixes the missing disable of autosuspend. Update inv_icm42600_disable_vddio_reg() to only disable the regulator if the device is not suspended i.e. powered-down, preventing unbalanced disables. Also remove redundant error msg on regulator_disable(), the regulator framework already emits an error message when regulator_disable() fails. This simplifies the PM setup and avoids manipulating the usage counter unnecessarily. Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20250901-icm42pmreg-v3-1-ef1336246960@geanix.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index a4d42e7e2180..76d8e4f14d87 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -711,20 +711,12 @@ static void inv_icm42600_disable_vdd_reg(void *_data) static void inv_icm42600_disable_vddio_reg(void *_data) { struct inv_icm42600_state *st = _data; - const struct device *dev = regmap_get_device(st->map); - int ret; + struct device *dev = regmap_get_device(st->map); - ret = regulator_disable(st->vddio_supply); - if (ret) - dev_err(dev, "failed to disable vddio error %d\n", ret); -} + if (pm_runtime_status_suspended(dev)) + return; -static void inv_icm42600_disable_pm(void *_data) -{ - struct device *dev = _data; - - pm_runtime_put_sync(dev); - pm_runtime_disable(dev); + regulator_disable(st->vddio_supply); } int inv_icm42600_core_probe(struct regmap *regmap, int chip, @@ -824,16 +816,14 @@ int inv_icm42600_core_probe(struct regmap *regmap, int chip, return ret; /* setup runtime power management */ - ret = pm_runtime_set_active(dev); + ret = devm_pm_runtime_set_active_enabled(dev); if (ret) return ret; - pm_runtime_get_noresume(dev); - pm_runtime_enable(dev); + pm_runtime_set_autosuspend_delay(dev, INV_ICM42600_SUSPEND_DELAY_MS); pm_runtime_use_autosuspend(dev); - pm_runtime_put(dev); - return devm_add_action_or_reset(dev, inv_icm42600_disable_pm, dev); + return ret; } EXPORT_SYMBOL_NS_GPL(inv_icm42600_core_probe, "IIO_ICM42600");

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] iio: imu: inv_icm42600: Simplify pm_runtime setup" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 0792c1984a45ccd7a296d6b8cb78088bc99a212e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101601-manicure-opposite-4330@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0792c1984a45ccd7a296d6b8cb78088bc99a212e Mon Sep 17 00:00:00 2001 From: Sean Nyekjaer <sean(a)geanix.com> Date: Mon, 1 Sep 2025 09:49:13 +0200 Subject: [PATCH] iio: imu: inv_icm42600: Simplify pm_runtime setup Rework the power management in inv_icm42600_core_probe() to use devm_pm_runtime_set_active_enabled(), which simplifies the runtime PM setup by handling activation and enabling in one step. Remove the separate inv_icm42600_disable_pm callback, as it's no longer needed with the devm-managed approach. Using devm_pm_runtime_enable() also fixes the missing disable of autosuspend. Update inv_icm42600_disable_vddio_reg() to only disable the regulator if the device is not suspended i.e. powered-down, preventing unbalanced disables. Also remove redundant error msg on regulator_disable(), the regulator framework already emits an error message when regulator_disable() fails. This simplifies the PM setup and avoids manipulating the usage counter unnecessarily. Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") Signed-off-by: Sean Nyekjaer <sean(a)geanix.com> Link: https://patch.msgid.link/20250901-icm42pmreg-v3-1-ef1336246960@geanix.com Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index a4d42e7e2180..76d8e4f14d87 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -711,20 +711,12 @@ static void inv_icm42600_disable_vdd_reg(void *_data) static void inv_icm42600_disable_vddio_reg(void *_data) { struct inv_icm42600_state *st = _data; - const struct device *dev = regmap_get_device(st->map); - int ret; + struct device *dev = regmap_get_device(st->map); - ret = regulator_disable(st->vddio_supply); - if (ret) - dev_err(dev, "failed to disable vddio error %d\n", ret); -} + if (pm_runtime_status_suspended(dev)) + return; -static void inv_icm42600_disable_pm(void *_data) -{ - struct device *dev = _data; - - pm_runtime_put_sync(dev); - pm_runtime_disable(dev); + regulator_disable(st->vddio_supply); } int inv_icm42600_core_probe(struct regmap *regmap, int chip, @@ -824,16 +816,14 @@ int inv_icm42600_core_probe(struct regmap *regmap, int chip, return ret; /* setup runtime power management */ - ret = pm_runtime_set_active(dev); + ret = devm_pm_runtime_set_active_enabled(dev); if (ret) return ret; - pm_runtime_get_noresume(dev); - pm_runtime_enable(dev); + pm_runtime_set_autosuspend_delay(dev, INV_ICM42600_SUSPEND_DELAY_MS); pm_runtime_use_autosuspend(dev); - pm_runtime_put(dev); - return devm_add_action_or_reset(dev, inv_icm42600_disable_pm, dev); + return ret; } EXPORT_SYMBOL_NS_GPL(inv_icm42600_core_probe, "IIO_ICM42600");

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] phy: cadence: cdns-dphy: Fix PLL lock and O_CMN_READY polling" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 284fb19a3ffb1083c3ad9c00d29749d09dddb99c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101614-sphere-flagman-052d@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 284fb19a3ffb1083c3ad9c00d29749d09dddb99c Mon Sep 17 00:00:00 2001 From: Devarsh Thakkar <devarsht(a)ti.com> Date: Fri, 4 Jul 2025 18:29:14 +0530 Subject: [PATCH] phy: cadence: cdns-dphy: Fix PLL lock and O_CMN_READY polling PLL lockup and O_CMN_READY assertion can only happen after common state machine gets enabled by programming DPHY_CMN_SSM register, but driver was polling them before the common state machine was enabled which is incorrect. This is as per the DPHY initialization sequence as mentioned in J721E TRM [1] at section "12.7.2.4.1.2.1 Start-up Sequence Timing Diagram". It shows O_CMN_READY polling at the end after common configuration pin setup where the common configuration pin setup step enables state machine as referenced in "Table 12-1533. Common Configuration-Related Setup mentions state machine" To fix this : - Add new function callbacks for polling on PLL lock and O_CMN_READY assertion. - As state machine and clocks get enabled in power_on callback only, move the clock related programming part from configure callback to power_on callback and poll for the PLL lockup and O_CMN_READY assertion after state machine gets enabled. - The configure callback only saves the PLL configuration received from the client driver which will be applied later on in power_on callback. - Add checks to ensure configure is called before power_on and state machine is in disabled state before power_on callback is called. - Disable state machine in power_off so that client driver can re-configure the PLL by following up a power_off, configure, power_on sequence. [1]: https://www.ti.com/lit/zip/spruil1 Cc: stable(a)vger.kernel.org Fixes: 7a343c8bf4b5 ("phy: Add Cadence D-PHY support") Signed-off-by: Devarsh Thakkar <devarsht(a)ti.com> Tested-by: Harikrishna Shenoy <h-shenoy(a)ti.com> Reviewed-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Link: https://lore.kernel.org/r/20250704125915.1224738-2-devarsht@ti.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/cadence/cdns-dphy.c b/drivers/phy/cadence/cdns-dphy.c index 33a42e72362e..da8de0a9d086 100644 --- a/drivers/phy/cadence/cdns-dphy.c +++ b/drivers/phy/cadence/cdns-dphy.c @@ -92,6 +92,8 @@ struct cdns_dphy_ops { void (*set_pll_cfg)(struct cdns_dphy *dphy, const struct cdns_dphy_cfg *cfg); unsigned long (*get_wakeup_time_ns)(struct cdns_dphy *dphy); + int (*wait_for_pll_lock)(struct cdns_dphy *dphy); + int (*wait_for_cmn_ready)(struct cdns_dphy *dphy); }; struct cdns_dphy { @@ -101,6 +103,8 @@ struct cdns_dphy { struct clk *pll_ref_clk; const struct cdns_dphy_ops *ops; struct phy *phy; + bool is_configured; + bool is_powered; }; /* Order of bands is important since the index is the band number. */ @@ -186,6 +190,16 @@ static unsigned long cdns_dphy_get_wakeup_time_ns(struct cdns_dphy *dphy) return dphy->ops->get_wakeup_time_ns(dphy); } +static int cdns_dphy_wait_for_pll_lock(struct cdns_dphy *dphy) +{ + return dphy->ops->wait_for_pll_lock ? dphy->ops->wait_for_pll_lock(dphy) : 0; +} + +static int cdns_dphy_wait_for_cmn_ready(struct cdns_dphy *dphy) +{ + return dphy->ops->wait_for_cmn_ready ? dphy->ops->wait_for_cmn_ready(dphy) : 0; +} + static unsigned long cdns_dphy_ref_get_wakeup_time_ns(struct cdns_dphy *dphy) { /* Default wakeup time is 800 ns (in a simulated environment). */ @@ -227,7 +241,6 @@ static unsigned long cdns_dphy_j721e_get_wakeup_time_ns(struct cdns_dphy *dphy) static void cdns_dphy_j721e_set_pll_cfg(struct cdns_dphy *dphy, const struct cdns_dphy_cfg *cfg) { - u32 status; /* * set the PWM and PLL Byteclk divider settings to recommended values @@ -244,13 +257,6 @@ static void cdns_dphy_j721e_set_pll_cfg(struct cdns_dphy *dphy, writel(DPHY_TX_J721E_WIZ_LANE_RSTB, dphy->regs + DPHY_TX_J721E_WIZ_RST_CTRL); - - readl_poll_timeout(dphy->regs + DPHY_TX_J721E_WIZ_PLL_CTRL, status, - (status & DPHY_TX_WIZ_PLL_LOCK), 0, POLL_TIMEOUT_US); - - readl_poll_timeout(dphy->regs + DPHY_TX_J721E_WIZ_STATUS, status, - (status & DPHY_TX_WIZ_O_CMN_READY), 0, - POLL_TIMEOUT_US); } static void cdns_dphy_j721e_set_psm_div(struct cdns_dphy *dphy, u8 div) @@ -258,6 +264,23 @@ static void cdns_dphy_j721e_set_psm_div(struct cdns_dphy *dphy, u8 div) writel(div, dphy->regs + DPHY_TX_J721E_WIZ_PSM_FREQ); } +static int cdns_dphy_j721e_wait_for_pll_lock(struct cdns_dphy *dphy) +{ + u32 status; + + return readl_poll_timeout(dphy->regs + DPHY_TX_J721E_WIZ_PLL_CTRL, status, + status & DPHY_TX_WIZ_PLL_LOCK, 0, POLL_TIMEOUT_US); +} + +static int cdns_dphy_j721e_wait_for_cmn_ready(struct cdns_dphy *dphy) +{ + u32 status; + + return readl_poll_timeout(dphy->regs + DPHY_TX_J721E_WIZ_STATUS, status, + status & DPHY_TX_WIZ_O_CMN_READY, 0, + POLL_TIMEOUT_US); +} + /* * This is the reference implementation of DPHY hooks. Specific integration of * this IP may have to re-implement some of them depending on how they decided @@ -273,6 +296,8 @@ static const struct cdns_dphy_ops j721e_dphy_ops = { .get_wakeup_time_ns = cdns_dphy_j721e_get_wakeup_time_ns, .set_pll_cfg = cdns_dphy_j721e_set_pll_cfg, .set_psm_div = cdns_dphy_j721e_set_psm_div, + .wait_for_pll_lock = cdns_dphy_j721e_wait_for_pll_lock, + .wait_for_cmn_ready = cdns_dphy_j721e_wait_for_cmn_ready, }; static int cdns_dphy_config_from_opts(struct phy *phy, @@ -328,21 +353,36 @@ static int cdns_dphy_validate(struct phy *phy, enum phy_mode mode, int submode, static int cdns_dphy_configure(struct phy *phy, union phy_configure_opts *opts) { struct cdns_dphy *dphy = phy_get_drvdata(phy); - struct cdns_dphy_cfg cfg = { 0 }; - int ret, band_ctrl; - unsigned int reg; + int ret; - ret = cdns_dphy_config_from_opts(phy, &opts->mipi_dphy, &cfg); - if (ret) - return ret; + ret = cdns_dphy_config_from_opts(phy, &opts->mipi_dphy, &dphy->cfg); + if (!ret) + dphy->is_configured = true; + + return ret; +} + +static int cdns_dphy_power_on(struct phy *phy) +{ + struct cdns_dphy *dphy = phy_get_drvdata(phy); + int ret; + u32 reg; + + if (!dphy->is_configured || dphy->is_powered) + return -EINVAL; + + clk_prepare_enable(dphy->psm_clk); + clk_prepare_enable(dphy->pll_ref_clk); /* * Configure the internal PSM clk divider so that the DPHY has a * 1MHz clk (or something close). */ ret = cdns_dphy_setup_psm(dphy); - if (ret) - return ret; + if (ret) { + dev_err(&dphy->phy->dev, "Failed to setup PSM with error %d\n", ret); + goto err_power_on; + } /* * Configure attach clk lanes to data lanes: the DPHY has 2 clk lanes @@ -357,40 +397,60 @@ static int cdns_dphy_configure(struct phy *phy, union phy_configure_opts *opts) * Configure the DPHY PLL that will be used to generate the TX byte * clk. */ - cdns_dphy_set_pll_cfg(dphy, &cfg); + cdns_dphy_set_pll_cfg(dphy, &dphy->cfg); - band_ctrl = cdns_dphy_tx_get_band_ctrl(opts->mipi_dphy.hs_clk_rate); - if (band_ctrl < 0) - return band_ctrl; + ret = cdns_dphy_tx_get_band_ctrl(dphy->cfg.hs_clk_rate); + if (ret < 0) { + dev_err(&dphy->phy->dev, "Failed to get band control value with error %d\n", ret); + goto err_power_on; + } - reg = FIELD_PREP(DPHY_BAND_CFG_LEFT_BAND, band_ctrl) | - FIELD_PREP(DPHY_BAND_CFG_RIGHT_BAND, band_ctrl); + reg = FIELD_PREP(DPHY_BAND_CFG_LEFT_BAND, ret) | + FIELD_PREP(DPHY_BAND_CFG_RIGHT_BAND, ret); writel(reg, dphy->regs + DPHY_BAND_CFG); - return 0; -} - -static int cdns_dphy_power_on(struct phy *phy) -{ - struct cdns_dphy *dphy = phy_get_drvdata(phy); - - clk_prepare_enable(dphy->psm_clk); - clk_prepare_enable(dphy->pll_ref_clk); - /* Start TX state machine. */ writel(DPHY_CMN_SSM_EN | DPHY_CMN_TX_MODE_EN, dphy->regs + DPHY_CMN_SSM); + ret = cdns_dphy_wait_for_pll_lock(dphy); + if (ret) { + dev_err(&dphy->phy->dev, "Failed to lock PLL with error %d\n", ret); + goto err_power_on; + } + + ret = cdns_dphy_wait_for_cmn_ready(dphy); + if (ret) { + dev_err(&dphy->phy->dev, "O_CMN_READY signal failed to assert with error %d\n", + ret); + goto err_power_on; + } + + dphy->is_powered = true; + return 0; + +err_power_on: + clk_disable_unprepare(dphy->pll_ref_clk); + clk_disable_unprepare(dphy->psm_clk); + + return ret; } static int cdns_dphy_power_off(struct phy *phy) { struct cdns_dphy *dphy = phy_get_drvdata(phy); + u32 reg; clk_disable_unprepare(dphy->pll_ref_clk); clk_disable_unprepare(dphy->psm_clk); + /* Stop TX state machine. */ + reg = readl(dphy->regs + DPHY_CMN_SSM); + writel(reg & ~DPHY_CMN_SSM_EN, dphy->regs + DPHY_CMN_SSM); + + dphy->is_powered = false; + return 0; }

1 month, 1 week

2
2
0 0